CCNA General Security Concepts Questions

75 of 164 questions · Page 1/3 · General Security Concepts

1
Matching · medium

Match each scenario from a security design review to the principle it best demonstrates.


Concepts
Matches

Least privilege

Need-to-know

Zero trust

Defense in depth

Availability

Why these pairings

Each scenario demonstrates a distinct security principle: encryption adds depth, MFA enforces least privilege, segmentation supports separation of duties, logging ensures accountability, combining IDS with firewalls provides layered security, and disabling services reduces the attack surface.

2
MCQ · medium

A financial institution is implementing a new policy for all remote access to its payment processing system. The system will generate a unique digital signature for each administrative action, and all actions will be recorded in a tamper-evident audit log that is replicated to an immutable storage location. The primary objective of this policy is to ensure that administrators who perform sensitive operations cannot later deny having executed them. Which security goal is this policy primarily intended to enforce?

A. Authorization
B. Non-repudiation
C. Authentication
D. Availability
Answer: B

Non-repudiation provides proof of the origin and integrity of data, ensuring that an individual cannot falsely deny having taken an action. The use of digital signatures and tamper-evident logs directly supports this goal.

Why this answer

The policy's use of unique digital signatures for each administrative action, combined with a tamper-evident audit log replicated to immutable storage, directly enforces non-repudiation. Non-repudiation ensures that an administrator cannot deny having performed a specific action because the digital signature cryptographically binds the action to the administrator's identity, and the immutable log prevents any subsequent alteration or deletion of the record. This is the primary security goal when the objective is to prevent denial of responsibility for sensitive operations.

Exam trap

The trap here is that candidates often confuse authentication (proving identity at login) with non-repudiation (proving identity for a specific action after the fact), but the question's focus on digital signatures and tamper-evident logs clearly points to non-repudiation, not just authentication.

How to eliminate wrong answers

Option A is wrong because authorization determines what actions an authenticated user is permitted to perform (e.g., via access control lists or role-based permissions), but it does not provide cryptographic proof that a specific action was taken by a specific user. Option C is wrong because authentication verifies the identity of a user (e.g., via passwords, certificates, or biometrics) at the time of login, but it does not bind that identity to subsequent actions in a way that prevents later denial; non-repudiation requires additional mechanisms like digital signatures and audit logs.

3
MCQ · easy

An administrator needs to send sensitive configuration details to a remote branch office so only the branch manager can read them. Which cryptographic method is most appropriate?

A. Hashing the file before sending it
B. Encrypting the file so only the intended recipient can decrypt it
C. Using a checksum printed in the email subject line
D. Appending the word "confidential" to the file name
Answer: B

Encryption protects confidentiality by making the file unreadable to anyone without the correct key. For sensitive configuration details, encryption is the right tool because the recipient can decrypt the file while unauthorized parties cannot read it in transit or at rest.

Why this answer

Option B is correct because encrypting the file with the branch manager's public key ensures that only the manager, possessing the corresponding private key, can decrypt and read the sensitive configuration details. This asymmetric encryption method directly addresses the requirement of confidentiality and targeted recipient access, unlike hashing or simple labeling.

Exam trap

The trap here is that candidates confuse integrity mechanisms (hashing, checksums) with confidentiality mechanisms (encryption), assuming any cryptographic operation provides secrecy, when only encryption with the intended recipient's key ensures exclusive readability.

How to eliminate wrong answers

Option A is wrong because hashing is a one-way function that verifies data integrity, not confidentiality; it cannot be reversed to read the original file. Option C is wrong because a checksum only detects accidental or malicious changes to the file during transit, but it does not prevent anyone from reading the file contents. Option D is wrong because appending 'confidential' to the file name provides no cryptographic protection; it is merely a label that does not restrict access or encrypt the data.

4
MCQ · medium

Based on the exhibit, what is the primary security concern with the current access assignments, and what concept is being violated?

A. The system is missing multifactor authentication for payroll users.
B. The configuration violates separation of duties by letting one person prepare and approve the same payroll activity.
C. The account should be converted to a shared group account for the finance team.
D. The permissions are acceptable because payroll users always need full access to related finance functions.
Answer: B

The same user can change payroll data, approve the release, and export the payment file. That concentration of authority creates a clear separation-of-duties failure because one person can both create and authorize a sensitive financial action.

Why this answer

The exhibit shows a single user account with permissions to both prepare and approve payroll transactions. This violates the security principle of separation of duties, which requires that no single individual has control over all phases of a critical process. The primary concern is that this configuration enables fraud or error without independent oversight, as the same person could create and authorize a fraudulent payroll entry.

Exam trap

CompTIA often tests the distinction between authentication mechanisms (like MFA) and authorization principles (like separation of duties), tempting candidates to select a plausible-sounding but irrelevant option about multifactor authentication when the core issue is conflicting access assignments.

How to eliminate wrong answers

Option A is wrong because the question focuses on access assignment conflicts, not authentication factors; multifactor authentication addresses identity verification, not the segregation of conflicting duties. Option C is wrong because converting the account to a shared group account would aggregate permissions further, making separation of duties worse and reducing audit trail granularity. Option D is wrong because it incorrectly assumes full access is always necessary; finance functions often require strict role-based access control to prevent conflicts like preparing and approving the same transaction.

5
Matching · easy

Match each control type to the example that best fits it.


Concepts
Matches

MFA is required before a user can open the email system.

File integrity monitoring alerts when a protected file changes.

A compromised laptop is reimaged from a standard build.

A login banner warns that activity is monitored and audited.

A procedure tells staff to report lost devices within one hour.

Extra logging is enabled while a missing patch is being scheduled.

Why these pairings

Preventive controls block incidents, detective controls identify them, corrective controls restore after incidents, deterrent controls discourage attacks, compensating controls provide alternative measures, and directive controls mandate behaviors.

6
Multi-Select · hard

A legacy payroll server has a critical patch available, but the business cannot reboot it for 45 days. The team isolates the server to only the payroll application subnet and requires written approval before any temporary firewall exception is made. Which two control types are present? Select two.

Select 2 answers
A. Compensating control, because the temporary network restriction offsets the delayed patch.
B. Directive control, because written approval tells administrators what must happen before changes are allowed.
C. Detective control, because a rule set later identifies malicious traffic.
D. Corrective control, because the control repairs the vulnerable software itself.
E. Deterrent control, because a warning banner discourages misuse of the server.
Answers: A, B

The isolation reduces exposure while the system remains unpatched, so it compensates for the known weakness.

Why this answer

Option A is correct because isolating the server to the payroll subnet is a compensating control that reduces risk by restricting network access, offsetting the inability to apply the critical patch immediately. This temporary measure provides an alternative security layer until the patch can be installed and the server rebooted.

Exam trap

The trap here is confusing compensating controls with corrective controls, as candidates may mistakenly think isolating the server 'corrects' the vulnerability, but corrective controls actually fix the root cause (e.g., applying the patch), while compensating controls provide an alternative safeguard.

7
MCQ · medium

A finance application stores approval records for wire transfers. Auditors need to prove which employee approved each transfer, and employees must not be able to deny their approval later. Which security objective is best addressed by binding each approval to an individual identity and preserving immutable logs?

A. Confidentiality, because the approval records should be hidden from everyone except finance staff.
B. Nonrepudiation, because the organization needs proof that a specific person performed the approval.
C. Availability, because the approval system must remain online during business hours.
D. Integrity, because the record must never be changed after it is saved.
Answer: B

Correct. Nonrepudiation provides evidence that a specific user performed an action and later cannot reasonably deny it. Binding approvals to individual identities, using signed records, and keeping immutable logs all support that objective. This is especially important for financial workflows where auditors must trace accountability for every approval.

Why this answer

Nonrepudiation ensures that an action cannot be denied by the person who performed it. By binding each approval to a unique employee identity and preserving immutable logs, the organization can irrefutably prove who approved each wire transfer, preventing employees from later denying their approval. This directly addresses the requirement for accountability and proof of action.

Exam trap

The trap here is that candidates often confuse integrity with nonrepudiation, thinking that keeping a record unchanged (integrity) is sufficient to prove who performed an action, but nonrepudiation requires a cryptographic binding of identity to the action, not just data preservation.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized access to data, not on proving who performed an action; hiding approval records does not prevent an employee from denying their approval. Option C is wrong because availability ensures the system is accessible when needed, but it does not provide proof of identity or prevent denial of past actions. Option D is wrong because integrity ensures data is not altered, but even if a record remains unchanged, it does not prove which specific employee performed the approval without a binding identity.

8
MCQ · easy

A company wants one document that tells employees what they are required to do when handling company systems and data. Which document type is the best fit?

A. Policy, because it states the required rules and expectations for everyone.
B. Procedure, because it always defines the highest-level mandatory rules.
C. Guideline, because it provides optional suggestions for best behavior.
D. Standard, because it contains only optional advice about security.
Answer: A

A policy is the top-level document that states mandatory rules and expectations. It is appropriate when the organization wants all employees to know the required behavior for handling systems and data. Policies are broad, approved by leadership, and intended to guide consistent decisions across the company.

Why this answer

A policy is the correct document type because it defines mandatory rules and expectations for all employees regarding the handling of company systems and data. Unlike guidelines or standards, a policy is enforceable and sets the required behavior, making it the best fit for a single document that tells employees what they must do.

Exam trap

The trap here is confusing 'policy' with 'procedure' or 'standard' because candidates often think procedures are the highest-level rules, but in CompTIA's framework, policies are the top-level mandatory directives, while procedures are subordinate implementation steps.

How to eliminate wrong answers

Option B is wrong because a procedure defines step-by-step instructions for performing a specific task, not the highest-level mandatory rules; policies are the highest-level mandatory rules. Option C is wrong because a guideline provides optional suggestions or best practices, not required actions, so it does not meet the need for a document that tells employees what they are required to do. Option D is wrong because a standard specifies mandatory technical requirements or configurations (e.g., minimum password length or encryption algorithms), not optional advice, and it is typically more technical than a policy.

9
MCQ · medium

After an internal PKI was rebuilt, users now see certificate warnings when connecting to the company intranet portal. The portal certificate chains to a new CA, but endpoint trust stores do not recognize it yet. What should the administrator deploy?

A. The portal's private key so users can validate the certificate locally.
B. The root CA certificate for the new PKI to trusted endpoint stores.
C. A new certificate signing request on each endpoint.
D. A self-signed certificate on the portal to avoid future CA problems.
Answer: B

Correct. Endpoint trust stores need the trusted root certificate so they can validate the certificate chain presented by the intranet portal. Once the root CA is trusted, the browser can build a chain of trust from the portal certificate through any intermediate certificates back to the root. This resolves the warning without exposing private keys.

Why this answer

The correct answer is B because the root CA certificate must be distributed to all endpoint trust stores to establish trust in the new PKI. Without the root CA in the trusted root certification authorities store, the certificate chain is incomplete, causing browsers to display certificate warnings. Deploying the root CA certificate via Group Policy or MDM resolves this by allowing endpoints to validate the portal's certificate chain.

Exam trap

The trap here is that candidates may confuse distributing the root CA certificate with distributing the private key or generating a CSR, but the core concept is that trust is established by adding the root CA to the trusted store, not by modifying the portal or endpoints' certificates.

How to eliminate wrong answers

Option A is wrong because distributing the portal's private key would compromise the certificate's security, allowing anyone to impersonate the portal; private keys must never be shared. Option C is wrong because a new certificate signing request (CSR) on each endpoint is unnecessary and irrelevant—CSRs are used to request certificates from a CA, not to establish trust in an existing CA. Option D is wrong because a self-signed certificate would not be trusted by endpoints either (unless its root is manually added), and it would bypass the benefits of a proper PKI, such as revocation and centralized management.

10
Multi-Select · hard

After several unauthorized edits to firewall objects caused a production outage, a security team wants one control that will flag future configuration drift and another that will automatically restore the approved baseline before the next maintenance window. Which two controls best meet that goal? Select two.

Select 2 answers
A. File integrity monitoring on firewall configuration files and rule exports.
B. Automated configuration management to reapply the approved baseline after drift.
C. A login banner warning administrators that unauthorized changes are monitored.
D. Mandatory annual security awareness training for all IT staff.
E. Quarterly business impact reviews of the firewall change log.
Answers: A, B

Monitoring file hashes quickly reveals unauthorized firewall drift after changes are made.

Why this answer

File integrity monitoring (FIM) on firewall configuration files and rule exports (Option A) detects unauthorized changes by computing cryptographic hashes of baseline files and alerting on any deviation. This directly flags configuration drift, meeting the first requirement. Automated configuration management (Option B) can reapply the approved baseline from a version-controlled repository, restoring the correct state before the next maintenance window, satisfying the second requirement.

Exam trap

The trap here is that candidates may confuse passive controls like banners or training with active detection and remediation, or mistakenly think that a quarterly review meets the requirement for automatic restoration before the next maintenance window.
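As an added illustration of the two controls chosen above (this is example code written for this page, not anything from the original question set), the following Go program models file integrity monitoring and automated baseline restoration over a constructed set of firewall configuration exports: the trusted baseline is a map of SHA-256 digests, DetectDrift reports modified, missing and unapproved files, and Restore reapplies the approved content and removes additions. The file names and rule text are invented for the example; a real deployment would hash files read from the device and pull the approved content from a version-controlled repository.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// approvedBaseline is a constructed stand-in for the firewall's approved
// configuration exports (file name -> contents); the rule syntax is illustrative.
var approvedBaseline = map[string]string{
	"objects.conf": "object network web-srv host 10.0.1.10\n",
	"rules.conf":   "permit tcp any host 10.0.1.10 eq 443\ndeny ip any any\n",
}

// DriftReport lists tracked files that changed, disappeared, or appeared.
type DriftReport struct {
	Modified, Missing, Added []string
}

// Drifted reports whether any deviation from the baseline was found.
func (r DriftReport) Drifted() bool {
	return len(r.Modified)+len(r.Missing)+len(r.Added) > 0
}

// HashFiles computes the SHA-256 digest of each file. A file integrity
// monitor stores these digests, not the files, as its trusted baseline.
func HashFiles(files map[string]string) map[string]string {
	digests := make(map[string]string, len(files))
	for name, content := range files {
		sum := sha256.Sum256([]byte(content))
		digests[name] = hex.EncodeToString(sum[:])
	}
	return digests
}

// DetectDrift is the detective control: it compares the current digests with
// the baseline digests and reports every deviation (sorted for stable output).
func DetectDrift(baseline, current map[string]string) DriftReport {
	var r DriftReport
	for name, want := range baseline {
		got, ok := current[name]
		switch {
		case !ok:
			r.Missing = append(r.Missing, name)
		case got != want:
			r.Modified = append(r.Modified, name)
		}
	}
	for name := range current {
		if _, ok := baseline[name]; !ok {
			r.Added = append(r.Added, name)
		}
	}
	sort.Strings(r.Modified)
	sort.Strings(r.Missing)
	sort.Strings(r.Added)
	return r
}

// Restore is the corrective control: driven by the drift report, it rewrites
// modified or missing files from the approved content and removes unapproved
// additions, mutating current in place. It returns the actions taken.
func Restore(approved, current map[string]string, r DriftReport) []string {
	var actions []string
	for _, group := range [][]string{r.Modified, r.Missing} {
		for _, name := range group {
			current[name] = approved[name]
			actions = append(actions, "reapplied "+name)
		}
	}
	for _, name := range r.Added {
		delete(current, name)
		actions = append(actions, "removed "+name)
	}
	return actions
}

func main() {
	baselineDigests := HashFiles(approvedBaseline)

	// Constructed drift: an unauthorized edit opens the rule set wide and an
	// unapproved file appears on the device.
	current := map[string]string{
		"objects.conf": approvedBaseline["objects.conf"],
		"rules.conf":   "permit ip any any\n",
		"temp.conf":    "permit tcp any any eq 22\n",
	}
	report := DetectDrift(baselineDigests, HashFiles(current))
	fmt.Printf("drift=%v modified=%v missing=%v added=%v\n",
		report.Drifted(), report.Modified, report.Missing, report.Added)
	for _, a := range Restore(approvedBaseline, current, report) {
		fmt.Println(a)
	}
	fmt.Println("drift after restore:",
		DetectDrift(baselineDigests, HashFiles(current)).Drifted())
}
```

Running the program shows the detective half (rules.conf modified, temp.conf added) followed by the corrective half (both reverted) and a final clean comparison. Storing digests rather than copies is what makes the monitor cheap to run on a schedule; the approved content is only needed when a restore is triggered.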

11
MCQ · easy

After a user signs in, a file server checks whether they can edit a shared folder. Which AAA concept is being applied?

A. Authentication
B. Authorization
C. Accounting
D. Encryption
Answer: B

Authorization determines what actions an authenticated user is allowed to perform. In this case, the server is checking whether the user has permission to edit the shared folder, not whether they are who they claim to be. This is a common access-control decision made after successful login.

Why this answer

The file server is checking whether the authenticated user has the specific permission to edit the shared folder. This is the definition of authorization: determining what an authenticated user is allowed to do. Authentication (A) only verifies identity, not rights; accounting (C) tracks usage; encryption (D) protects data in transit or at rest.

Exam trap

The trap here is confusing authentication with authorization: candidates often pick 'Authentication' because they think 'signing in' is the entire security process, but the question explicitly states the check happens after sign-in and is about editing rights, which is authorization.

How to eliminate wrong answers

Option A is wrong because authentication only verifies the user's identity (e.g., via password or certificate), not whether they can edit a folder. Option C is wrong because accounting logs and audits user actions (e.g., login times, file accesses) but does not enforce permissions. Option D is wrong because encryption (e.g., TLS or BitLocker) protects data confidentiality but does not control access rights.

12
Matching · easy

Match each control type to the most fitting example in a branch office.


Concepts
Matches

Secure boot refuses to start untrusted boot code.

A log review process shows when an administrator changed a firewall rule.

A damaged endpoint is restored from a known-good image.

A camera above the server rack makes misuse less likely.

A written standard tells staff how to handle removable media.

A restricted jump box is used until direct admin access is approved again.

Why these pairings

Preventive controls block incidents; detective controls identify them; corrective controls restore operations; deterrent controls discourage attacks; compensating controls provide alternative protection; physical controls secure physical access.

13
MCQ · medium

A legal team must send a confidential contract to a partner so only the intended recipient can read it, and the partner also needs assurance the file really came from your company. Which approach best meets both needs?

A. Hash the contract and email the hash value separately.
B. Encrypt the file with the recipient's public key and sign it with the sender's private key.
C. Use a shared symmetric key and send the key in the same email message.
D. Compress the file and password-protect the archive with a simple passphrase.
Answer: B

Using the recipient's public key ensures only the intended recipient can decrypt the file, which provides confidentiality. Adding a digital signature with the sender's private key gives the partner a way to verify the file came from your company and has not been altered. Together, these controls address both privacy and authenticity, which is exactly what the scenario requires.

Why this answer

Option B is correct because it uses asymmetric encryption to ensure confidentiality (encrypting with the recipient's public key ensures only the intended recipient can decrypt it with their private key) and digital signing (signing with the sender's private key provides non-repudiation and authenticity, proving the file came from the sender). This combination directly addresses both requirements: only the partner can read the contract, and the partner can verify the sender's identity.

Exam trap

The trap here is that candidates often confuse hashing with encryption or think that password-protecting a zip file provides strong security and sender authentication, when in fact only a proper public-key infrastructure (PKI) with encryption and digital signatures meets both confidentiality and non-repudiation requirements.

How to eliminate wrong answers

Option A is wrong because hashing the contract and emailing the hash separately only provides integrity verification (detecting tampering) but does not encrypt the contract or authenticate the sender; anyone can read the contract in the email, and the hash alone does not prove the sender's identity. Option C is wrong because using a shared symmetric key and sending it in the same email message completely defeats confidentiality; if an attacker intercepts the email, they have both the encrypted file and the key, allowing them to decrypt it immediately. Option D is wrong because compressing and password-protecting the archive with a simple passphrase is weak encryption that can be easily brute-forced or guessed, and it provides no cryptographic proof of the sender's identity; the recipient has no assurance the file truly came from your company.

14
MCQ · easy

A company requires MFA, endpoint protection, and network filtering so that if one control misses a threat, another control still helps stop it. Which security principle is this?

A. Single sign-on
B. Defense in depth
C. Nonrepudiation
D. Data masking
Answer: B

Defense in depth uses multiple overlapping controls so a single failure does not expose the organization.

Why this answer

Defense in depth is a layered security strategy where multiple, independent controls (e.g., MFA, endpoint protection, network filtering) are deployed so that if one layer fails, another still provides protection. This ensures no single point of failure can compromise the entire system, directly matching the scenario where overlapping controls compensate for each other's gaps.

Exam trap

The trap here is that candidates confuse 'defense in depth' with 'single sign-on' because both involve multiple systems, but SSO is about convenience and identity federation, not layered security controls.

How to eliminate wrong answers

Option A is wrong because single sign-on (SSO) is an authentication mechanism that allows users to log in once and access multiple systems, not a layered security approach; it does not provide overlapping controls to catch missed threats. Option C is wrong because nonrepudiation ensures that a party cannot deny an action (e.g., via digital signatures or audit logs), but it does not involve multiple defensive layers to stop threats. Option D is wrong because data masking obscures sensitive data (e.g., replacing real credit card numbers with tokens) for privacy or testing, not to provide layered protection against threats.

15
MCQ · medium

A software vendor distributes critical security updates for its application through a public download website. The vendor wants to allow customers to verify that each update originated from the vendor and has not been modified in transit. Which of the following cryptographic techniques should the vendor apply to the update files before posting them for download?

A. Digital signature
B. Cryptographic hash
C. Antivirus scan report
D. TLS certificate
Answer: A

Correct. A digital signature uses the vendor's private key to sign the update, and customers can verify it with the vendor's public key. This provides both source authentication and integrity.

Why this answer

A digital signature provides both authentication (proving the update originated from the vendor) and integrity (detecting any modification in transit). The vendor signs the file with their private key, and customers verify the signature using the vendor's public key, ensuring the file has not been altered since signing.

Exam trap

The trap here is that candidates confuse a cryptographic hash (which only ensures integrity) with a digital signature (which ensures both integrity and non-repudiation/authentication), or they mistakenly think TLS certificates alone can verify the file's origin after download.

How to eliminate wrong answers

Option B is wrong because a cryptographic hash (e.g., SHA-256) provides integrity but not authentication; an attacker could replace both the file and its hash, and the customer would have no way to verify the source. Option C is wrong because an antivirus scan report only indicates the file was malware-free at the time of scanning, but it does not cryptographically bind the file to the vendor or prevent tampering. Option D is wrong because a TLS certificate secures the communication channel (e.g., HTTPS) between the client and server, but it does not provide a verifiable signature on the file itself; once downloaded, the file's origin and integrity cannot be independently verified without a digital signature.
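The signing and verification described in the answers to questions 13 and 15, as an added example in Go using the standard library's Ed25519 implementation (illustrative code written for this page, not from the original question set or any particular vendor). The vendor signs the update with its private key, the customer verifies with the vendor's public key, and the program shows why a tampered or impostor-signed file fails while a bare SHA-256 digest posted beside the file cannot tell the vendor's file from a substituted one. The update contents and key pairs are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedUpdate is what the vendor posts: the file bytes plus a detached
// signature over them. The vendor's public key reaches customers by another
// path (for example, embedded in the installed product), never beside the file.
type SignedUpdate struct {
	File      []byte
	Signature []byte
}

// GenerateVendorKeys creates the vendor's long-term signing key pair. The
// private key stays inside the vendor's release infrastructure.
func GenerateVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// PublishUpdate signs the update with the vendor's private key.
func PublishUpdate(priv ed25519.PrivateKey, file []byte) SignedUpdate {
	return SignedUpdate{File: file, Signature: ed25519.Sign(priv, file)}
}

// VerifyUpdate is what the customer runs after download. It accepts the file
// only if the signature checks out under the vendor's public key, which proves
// origin (only the vendor holds the private key) and integrity (any change to
// the bytes invalidates the signature).
func VerifyUpdate(vendorPub ed25519.PublicKey, u SignedUpdate) bool {
	return ed25519.Verify(vendorPub, u.File, u.Signature)
}

// HashOnlyCheck models option B of question 15: a bare SHA-256 digest posted
// next to the file. It catches accidental corruption, but whoever can replace
// the file can replace the digest too, so a match says nothing about origin.
func HashOnlyCheck(file []byte, publishedDigest string) bool {
	sum := sha256.Sum256(file)
	return hex.EncodeToString(sum[:]) == publishedDigest
}

func main() {
	pub, priv, err := GenerateVendorKeys()
	if err != nil {
		panic(err)
	}
	update := []byte("app-2.3.1-security-fix") // constructed stand-in for the update file
	posted := PublishUpdate(priv, update)
	fmt.Println("genuine update verifies:", VerifyUpdate(pub, posted))

	// Modification in transit: one bit changed, the signature no longer matches.
	tampered := posted
	tampered.File = append([]byte(nil), posted.File...)
	tampered.File[0] ^= 0x01
	fmt.Println("tampered update verifies:", VerifyUpdate(pub, tampered))

	// A signature from some other key pair is rejected by the vendor's public key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("update signed with another key verifies:",
		VerifyUpdate(pub, PublishUpdate(otherPriv, update)))

	// Hash-only publication: file and digest swapped together still "match".
	swapped := []byte("app-2.3.1-substituted")
	sum := sha256.Sum256(swapped)
	fmt.Println("hash-only check passes on a swapped file:",
		HashOnlyCheck(swapped, hex.EncodeToString(sum[:])))
}
```

The expected output is true, false, false, true: only the signature ties the bytes to the holder of the vendor's private key, which is the property question 15 asks for and the "sign with the sender's private key" half of question 13. The TLS channel used for the download protects the transfer, not the file once it is on disk, which is why the signature travels with the file.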

16
Multi-Select · easy

Which two statements describe authorization? Select two.

Select 2 answers
A. It determines what a user can access after sign-in
B. It usually happens after authentication
C. It proves a user is who they claim to be
D. It records every packet a device sends
E. It replaces the need for authentication
Answers: A, B

Authorization defines access rights after a user has been authenticated. It uses permissions, roles, group membership, or policy rules to decide which resources, functions, or data the user may use.

Why this answer

Authorization determines the resources and actions a user can access after successful authentication. It enforces access control policies, such as those defined by RBAC or ACLs, ensuring users only interact with permitted data or systems. This aligns with the NIST definition of authorization as the process of granting or denying rights to a user.

Exam trap

The trap here is confusing authorization with authentication, as many candidates mistakenly think proving identity (authentication) also grants access rights, but authorization is a distinct step that occurs after authentication.

17
MCQ · medium

Your company is syncing design files to a cloud object store. The security team wants to reduce risk if the storage account is stolen and also protect the files while they travel across the internet. Which approach is the best fit?

A. Password-protect each archive and upload it over plain HTTP.
B. Encrypt data in transit with TLS and enable encryption at rest with managed keys.
C. Rename the files before upload so attackers cannot identify them.
D. Place the storage service on a private IP address and skip encryption.
Answer: B

Correct. TLS protects the files while they move across the network, and encryption at rest protects stored objects if the storage account or media is exposed. Using managed keys also reduces key-handling mistakes and keeps the protection aligned with standard cloud security practices. This combination addresses both major exposure points in the scenario.

Why this answer

Option B is correct because it addresses both risks: TLS (Transport Layer Security) encrypts data in transit, preventing interception or tampering during upload, while managed keys for encryption at rest protect the files if the storage account credentials are compromised. This dual-layer approach aligns with defense-in-depth and is a standard best practice for cloud object stores like Amazon S3 or Azure Blob Storage.

Exam trap

The trap here is that candidates may think renaming files (Option C) or using a private IP (Option D) provides security, but these measures do not address encryption requirements for data at rest or in transit as specified in the scenario.

How to eliminate wrong answers

Option A is wrong because password-protecting archives does not encrypt the data in transit over plain HTTP, leaving it vulnerable to eavesdropping and man-in-the-middle attacks; also, password protection is weaker than full encryption and can be brute-forced. Option C is wrong because renaming files provides no cryptographic protection; attackers who gain access to the storage account can still read the file contents regardless of the name. Option D is wrong because placing the storage service on a private IP address does not protect data in transit across the internet (it would still traverse public networks unless using a VPN or dedicated link), and skipping encryption leaves data at rest exposed if the account is stolen.

18
MCQ · easy

A restricted server room opens only with a badge, and an alarm sounds if the door is left open too long. Which control type is the alarm?

A. Preventive control
B. Detective control
C. Corrective control
D. Deterrent control
Answer: B

A door alarm is a detective control because it alerts staff after a condition occurs, such as the door being left open too long or forced open. It helps security personnel notice a problem quickly so they can respond. In this scenario, the badge controls access, while the alarm detects an abnormal state and signals that action is needed.

Why this answer

The alarm is a detective control because it detects and alerts when a door is left open too long, indicating a potential security breach. It does not prevent the door from being opened or correct the situation; it simply notifies personnel of an ongoing or past violation.

Exam trap

CompTIA often tests the distinction between detective and corrective controls, and the trap here is that candidates mistakenly think the alarm 'corrects' the situation by alerting, but corrective controls actually take action to restore security, such as automatically closing the door.

How to eliminate wrong answers

Option A is wrong because a preventive control would stop the door from being opened or prevent the alarm condition, such as a magnetic lock that keeps the door closed. Option C is wrong because a corrective control would actively remediate the issue after detection, like automatically closing and relocking the door. Option D is wrong because a deterrent control discourages unauthorized access before it occurs, such as a visible security camera or warning sign, not an alarm that triggers after the door is left open.

19
Drag & Drop · medium

Drag and drop the steps for a typical digital forensics investigation process in the correct order.

Why this order

Digital forensics follows a structured process: identification, preservation, collection, examination, analysis, and reporting.

20
MCQ · hard

Based on the exhibit, what should be implemented to reduce the blast radius if a backup server is compromised later?

Backup job configuration:
  algorithm=AES-256-GCM
  key_file=/opt/backup/key.bin
  rotation=disabled
  same_key_for_all_sites=true
  backup_media copied to an offsite vault each night

A. Use envelope encryption with unique data encryption keys protected by a KMS-managed key encryption key.
B. Store the same key in a password-protected ZIP archive on the backup server.
C. Replace AES with SHA-256 so the files cannot be opened directly.
D. Keep one key forever and increase the backup frequency.
Answer: A

Envelope encryption limits exposure because each backup can use a distinct data key protected by a stronger key hierarchy.

Why this answer

Envelope encryption with unique data encryption keys (DEKs) protected by a KMS-managed key encryption key (KEK) ensures that even if the backup server is compromised, the attacker cannot decrypt all backups because each backup uses a different DEK, and the KEK is stored externally in a KMS. This limits the blast radius to only the data encrypted with the compromised DEK, rather than exposing all historical backups encrypted with a single static key.

Exam trap

CompTIA often tests the distinction between encryption and hashing, and the trap here is that candidates may confuse SHA-256 (a hash) with AES (an encryption algorithm), or assume that storing the key in a password-protected archive provides adequate security, ignoring that the key is still co-located with the data on the compromised server.

How to eliminate wrong answers

Option B is wrong because storing the same key in a password-protected ZIP archive on the backup server does not reduce the blast radius; if the backup server is compromised, the attacker can access the ZIP file and attempt to crack the password, potentially exposing all backups. Option C is wrong because SHA-256 is a hashing algorithm, not an encryption algorithm; it cannot be used to encrypt files, and replacing AES with SHA-256 would make the data irreversible, not securely encrypted. Option D is wrong because keeping one key forever and increasing backup frequency actually increases the blast radius; if that single key is compromised, all backups (past and future) are exposed, and more frequent backups mean more data at risk.

21
MCQ · hard

Based on the exhibit, what is the best fix so role changes are reflected promptly in the application?

Token and directory data:
  09:10 Token issued for user jdoe groups=[Finance_Approver, Expense_Reviewer] auth_time=09:10 exp=17:10
  09:15 HR updated directory: jdoe moved to Sales
  11:00 The application still accepts the original token and allows expense approval
  11:01 Identity provider logs show no token revocation event

A. Increase the token lifetime so users reauthenticate less often.
B. Shorten token and session lifetime and revoke active tokens when the directory role changes.
C. Move the application to a different subnet to isolate it from HR systems.
D. Disable group-based authorization and let any authenticated user approve expenses.
Answer: B

Shorter lifetimes reduce stale access, and revocation ensures authorization changes take effect quickly after role updates.

Why this answer

Option B is correct because the token's long lifetime (issued at 09:10, expires at 17:10) allows the application to continue accepting the original token even after the user's directory role changes at 09:15. Shortening the token lifetime forces more frequent reauthentication, and revoking active tokens when the directory role changes ensures that the application immediately reflects the updated authorization. This aligns with the principle of dynamic access control and token lifecycle management.

Exam trap

The trap here is that candidates may think increasing token lifetime improves user experience, but the question specifically asks for the best fix to reflect role changes promptly, which requires shorter lifetimes and revocation, not longer ones.

How to eliminate wrong answers

Option A is wrong because increasing the token lifetime would make the problem worse, as the stale token would remain valid even longer, delaying role change reflection. Option C is wrong because moving the application to a different subnet does not address the token validity or directory synchronization issue; it is a network isolation measure unrelated to authorization updates. Option D is wrong because disabling group-based authorization removes the security control entirely, allowing any authenticated user to approve expenses, which violates the principle of least privilege and could lead to unauthorized actions.
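The fix chosen in this question, written out as an added example (not code from the question bank): the identity provider records a per-user authorization epoch when HR changes a role and revokes every live token for that user, and the application rejects tokens that are expired, revoked, or issued before the epoch. The claim names (jti, sub, auth_time, exp, groups) follow common JWT usage; the in-memory directory, revocation set, and the calendar date are constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Token:
    jti: str              # unique token id, the handle used for revocation
    sub: str              # subject (user)
    groups: list          # group claims copied from the directory at issue time
    auth_time: datetime   # when the user authenticated / token was issued
    exp: datetime         # hard expiry


@dataclass
class IdentityProvider:
    # user -> time of the last directory role change ("authorization epoch")
    role_changed_at: dict = field(default_factory=dict)
    revoked: set = field(default_factory=set)        # revoked token ids
    issued: dict = field(default_factory=dict)       # user -> tokens issued

    def issue(self, jti, sub, groups, now, lifetime):
        tok = Token(jti, sub, list(groups), now, now + lifetime)
        self.issued.setdefault(sub, []).append(tok)
        return tok

    def directory_role_change(self, sub, when):
        """Hook called when HR moves a user: record the epoch and revoke live tokens."""
        self.role_changed_at[sub] = when
        for tok in self.issued.get(sub, []):
            if tok.exp > when:
                self.revoked.add(tok.jti)


def authorize(idp, token, required_group, now):
    """Application-side check; returns (allowed, reason)."""
    if now >= token.exp:
        return False, "expired"
    if token.jti in idp.revoked:
        return False, "revoked"
    # Second line of defence if the revocation list lags: a token whose groups
    # were snapshotted before the last role change is stale by definition.
    epoch = idp.role_changed_at.get(token.sub)
    if epoch is not None and token.auth_time < epoch:
        return False, "issued before last role change"
    if required_group not in token.groups:
        return False, "missing group"
    return True, "ok"


def replay_exhibit():
    """Replay the exhibit timeline under the broken and the fixed policy."""
    day = datetime(2024, 1, 1)  # constructed date; the exhibit gives only clock times
    t = lambda h, m: day + timedelta(hours=h, minutes=m)
    groups = ["Finance_Approver", "Expense_Reviewer"]
    results = {}

    # Before: 8-hour token, HR change never reaches the IdP (no revocation event).
    idp = IdentityProvider()
    tok = idp.issue("t1", "jdoe", groups, t(9, 10), timedelta(hours=8))
    results["before"] = authorize(idp, tok, "Finance_Approver", t(11, 0))

    # After: 15-minute token and revoke-on-role-change wired to the directory.
    idp = IdentityProvider()
    tok = idp.issue("t2", "jdoe", groups, t(9, 10), timedelta(minutes=15))
    idp.directory_role_change("jdoe", t(9, 15))
    results["after"] = authorize(idp, tok, "Finance_Approver", t(11, 0))
    # Even inside its short lifetime the old token is now refused.
    results["after_at_0916"] = authorize(idp, tok, "Finance_Approver", t(9, 16))
    # A token re-issued after the change carries the new groups and fails on them.
    tok2 = idp.issue("t3", "jdoe", ["Sales"], t(9, 20), timedelta(minutes=15))
    results["after_reissued"] = authorize(idp, tok2, "Finance_Approver", t(9, 21))
    return results


if __name__ == "__main__":
    for case, outcome in replay_exhibit().items():
        print(f"{case:15} -> {outcome}")
```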

22
Matching · easy

Match each security principle to the best description.

Preventing unauthorized disclosure of information.

Ensuring data is not altered without authorization.

Keeping systems and data accessible when needed.

Giving a user only the permissions required to do the job.

Limiting access to information that a person specifically needs for their role.

Why these pairings

These pairings match the CIA triad plus additional principles: confidentiality restricts access, integrity prevents unauthorized changes, availability ensures uptime, non-repudiation provides proof of actions, authentication verifies identity, and authorization defines permissions.

23
Matching · easy

Match the security need to the best cryptographic solution.

Use a hash value.

Use symmetric encryption.

Use asymmetric encryption.

Use a digital signature.

Why these pairings

Confidentiality uses encryption; integrity uses hashes; authentication uses certificates; non-repudiation uses signatures; access control uses PKI; availability uses redundancy.

24
MCQ · hard

Based on the exhibit, what change would best protect the password database against precomputed attacks and make identical passwords less obvious?

A. Encrypt each password with the same server key before storing it in the database.
B. Add a unique salt to each password before hashing it.
C. Use a digital signature on each password record so the database can verify authenticity.
D. Store the password hashes in uppercase so attackers cannot compare them easily.
Answer: B

Salting is the best fix because it adds unique random data to each password before hashing, so identical passwords no longer produce the same stored value. That defeats rainbow tables and makes precomputed attacks far less useful. It also means attackers cannot easily compare two users' hashes to confirm they chose the same password, which improves both security and privacy.

Why this answer

Adding a unique salt to each password before hashing ensures that even if two users have the same password, their hashes will differ. This defeats precomputed attacks like rainbow tables because the attacker would need to compute a separate table for each salt value, which is computationally infeasible. Salting is a standard defense recommended by NIST SP 800-63B and implemented in modern systems like bcrypt, scrypt, and PBKDF2.

Exam trap

The trap here is that candidates often confuse encryption with hashing or think that obfuscation techniques like case changes provide security, when in fact only salting with a unique random value prevents precomputed attacks and hides password equality.

How to eliminate wrong answers

Option A is wrong because encrypting passwords with a server key still allows identical passwords to produce identical ciphertexts, making them obvious to an attacker who obtains the encrypted database; encryption is reversible if the key is compromised, whereas hashing with salt is one-way. Option C is wrong because a digital signature verifies the integrity and authenticity of the password record but does not prevent precomputed attacks or mask identical passwords; it addresses tampering, not password storage security. Option D is wrong because converting hashes to uppercase is a trivial transformation that does not change the underlying hash value; an attacker can simply convert their rainbow table hashes to uppercase and still match identical passwords.

25
MCQ · hard

Based on the exhibit, what control type is the file integrity monitor providing?

A. Preventive control, because the file monitor stopped the change from occurring.
B. Detective control, because the tool identifies the unauthorized change and alerts the SOC.
C. Corrective control, because the monitor automatically fixed the configuration after the change.
D. Directive control, because the alert tells administrators what they should review next.
Answer: B

Detective control is correct because the tool notices that a protected file changed and notifies the security team. It does not stop the change or restore the original configuration automatically. That means its role is to discover suspicious activity so analysts can investigate and respond. The recorded hashes and alert timing clearly show post-event detection.

Why this answer

A file integrity monitor (FIM) operates by comparing current file hashes against a known good baseline. When it detects a hash mismatch, it generates an alert to the Security Operations Center (SOC). This is a detective control because it identifies and reports the unauthorized change after it has occurred, rather than preventing or automatically correcting it.

Exam trap

The trap here is that candidates confuse the alerting mechanism of a detective control with the action of a preventive or corrective control, mistakenly thinking that because the tool 'monitors' it must be preventing or fixing changes.

How to eliminate wrong answers

Option A is wrong because a file integrity monitor does not stop changes from occurring; it only detects changes after they happen, making it a detective control, not a preventive one. Option C is wrong because corrective controls automatically remediate issues, but a standard FIM does not automatically fix configuration changes; it only alerts. Option D is wrong because directive controls are policies or guidelines that define acceptable behavior, not tools that generate alerts; the alert is a detective function, not a directive one.
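The baseline-and-compare mechanism the explanation describes, as an added example (not code from the question bank or any FIM product): hash every protected file into a known-good baseline, re-hash later, and emit an alert record for anything modified, added or removed. Nothing here blocks or reverts a change, which is exactly what makes it detective rather than preventive or corrective. File names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Return alert records (path, event, old_hash, new_hash); the SOC gets these."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            alerts.append((rel, "ADDED", None, new))
        elif new is None:
            alerts.append((rel, "REMOVED", old, None))
        elif old != new:
            alerts.append((rel, "MODIFIED", old, new))
    return alerts


def demo():
    """Constructed scenario: take a baseline, make three changes, report them."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)

        write("etc/sshd_config", b"PermitRootLogin no\n")
        write("etc/sudoers", b"%admin ALL=(ALL) ALL\n")
        write("etc/motd", b"authorized use only\n")
        baseline = build_baseline(root)

        # Later: one protected file edited, one removed, one new file dropped in.
        write("etc/sshd_config", b"PermitRootLogin yes\n")
        os.remove(os.path.join(root, "etc/motd"))
        write("etc/cron.d/report", b"0 1 * * * root /usr/local/bin/report\n")
        alerts = compare(baseline, build_baseline(root))

    # Unchanged files (etc/sudoers) produce no alert.
    return [(rel, event) for rel, event, _, _ in alerts]


if __name__ == "__main__":
    for rel, event in demo():
        print(f"ALERT {event:8} {rel}")
```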

26
MCQ · hard

Based on the exhibit, which change best improves accountability while still allowing emergency access?

A finance team uses the following shared account on a jump host:
  07:55:12 Account=FIN-ADMIN Action=ApproveInvoice Host=JUMP-02 IP=10.30.8.21
  07:56:03 Account=FIN-ADMIN Action=ChangeVendorBank Host=JUMP-02 IP=10.30.8.21
  07:57:44 Account=FIN-ADMIN Action=ExportReport Host=JUMP-02 IP=10.30.8.21
  Note: FIN-ADMIN is used by three finance managers during after-hours support.

A. Require the shared account password to be changed every 24 hours.
B. Replace the shared account with named user accounts, role-based access, and a separate break-glass account for rare emergencies.
C. Enable automatic account lockout after five failed logons.
D. Restrict the jump host by MAC address and subnet only.
Answer: B

Named accounts preserve accountability, role-based access supports least privilege, and break-glass access preserves emergency availability.

Why this answer

Option B is correct because replacing the shared account with named user accounts ensures individual accountability through unique credentials and audit trails, while a separate break-glass account provides emergency access without compromising security. This aligns with the principle of least privilege and non-repudiation, as each finance manager's actions are logged under their own identity, and the break-glass account can be tightly controlled and monitored for rare use.

Exam trap

The trap here is that candidates often choose password rotation (Option A) thinking it improves security, but it fails to address the core issue of non-repudiation and accountability required for audit trails.

How to eliminate wrong answers

Option A is wrong because changing the shared password every 24 hours does not eliminate the lack of individual accountability; multiple users still share the same credentials, so logs cannot distinguish which manager performed which action. Option C is wrong because account lockout after five failed logons addresses brute-force prevention, not accountability or emergency access; it does not solve the shared account issue. Option D is wrong because restricting by MAC address and subnet only controls network-level access, not user identity; it still allows multiple users to share the same FIN-ADMIN account without individual audit trails.

27
MCQ · hard

Based on the exhibit, which security principle is the proposed access model most aligned with?

A. Least privilege, because users are being limited to only the finance application they need.
B. Zero trust, because access is continuously evaluated instead of trusted just because the device is on the VPN.
C. Defense in depth, because the company is adding multiple security layers around the finance app.
D. Need-to-know, because users should only see the finance data required for their jobs.
Answer: B

Zero trust is the best answer because the proposal removes implicit trust based on VPN membership or internal network location. Instead, access is evaluated repeatedly using device posture, MFA, and transaction context. That means the environment assumes every request may be risky until verified, which is the core idea behind zero trust architecture and conditional access.

Why this answer

The proposed access model aligns with Zero Trust because it continuously evaluates access based on real-time conditions (e.g., device posture, user identity) rather than implicitly trusting the VPN connection. In Zero Trust, network location alone is insufficient for granting access; every request is authenticated and authorized regardless of the source. This contrasts with traditional perimeter-based models where VPN access implies trust.

Exam trap

The trap here is that candidates confuse Zero Trust with least privilege or need-to-know, but Zero Trust specifically addresses the assumption of implicit trust based on network location (e.g., VPN), which is the key differentiator in this scenario.

How to eliminate wrong answers

Option A is wrong because least privilege restricts users to only the permissions necessary for their role, but the exhibit focuses on continuous evaluation of access rather than limiting permissions to a specific application. Option C is wrong because defense in depth involves multiple overlapping security layers (e.g., firewall, IDS, encryption), whereas the exhibit describes a single access control mechanism that evaluates trust continuously. Option D is wrong because need-to-know restricts data access based on job requirements, but the exhibit emphasizes dynamic access decisions based on device and user context, not static data classification.

28
MCQ · hard

An analyst on the HR application team needs access to a production database replica only long enough to verify a column-mapping issue. The analyst should not be able to browse salary fields, export tables, or keep access after the task ends. Which principle best matches the desired access model?

A. Least privilege
B. Need-to-know
C. Separation of duties
D. Defense in depth
Answer: B

The analyst only needs a narrow slice of information for a specific task and should not be able to see unrelated sensitive fields. That is need-to-know. It focuses on limiting data visibility to what is required for the assignment. Least privilege is related, but the clue about salary fields and specific data exposure makes need-to-know the best answer.

Why this answer

The need-to-know principle restricts access to only the information required to perform a specific task. In this scenario, the analyst needs access to verify a column-mapping issue but must not see salary fields, export tables, or retain access afterward. Need-to-know ensures access is limited to the exact data and duration necessary, which aligns with granting temporary, scoped access to a production database replica without broader data exposure.

Exam trap

The trap here is confusing least privilege with need-to-know: least privilege limits permissions (e.g., read-only vs. write), while need-to-know limits the specific data content (e.g., excluding salary fields) and duration, which is the precise requirement in this question.

How to eliminate wrong answers

Option A is wrong because least privilege limits access rights to the minimum necessary to perform a job function, but it does not inherently restrict access to specific data fields (like salary) or enforce time-bound access; it focuses on permissions, not data scope. Option C is wrong because separation of duties divides critical tasks among multiple individuals to prevent fraud or error, but this scenario involves a single analyst needing temporary access, not splitting responsibilities. Option D is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, encryption, IDS), not a model for granular, task-specific data access.

29
Multi-Select · medium

Which three of the following are commonly used to enforce separation of duties? (Choose three.)

Select 3 answers
- Requiring two different people to authorize a financial transaction
- Splitting the ability to create user accounts and assign privileges to different roles
- Using a dual-control process where two keys are needed to access a safe
- Allowing a single administrator to both approve and implement system changes
- Giving one person full responsibility for both IT security audits and daily operations
- Configuring a single user to manage both backup and restoration of data

Why this answer

Separation of duties is a security principle that prevents any single individual from having excessive control over critical processes. Requiring two different people to authorize a financial transaction ensures that no one person can both initiate and approve a payment, reducing fraud risk. Splitting the ability to create user accounts and assign privileges to different roles ensures that a single administrator cannot grant themselves unauthorized access.

Using a dual-control process where two keys are needed to access a safe physically enforces that two people must be present, preventing unilateral access to sensitive assets.

Exam trap

The trap here is that candidates may confuse separation of duties with least privilege or fail to recognize that combining authorization and implementation in one role is a direct violation, even if it seems efficient.

30
MCQ · medium

A help desk analyst can reset passwords in the ticketing portal but cannot view payroll records, edit user profiles, or access other HR functions. Which security principle is the organization applying?

A. Least privilege
B. Defense in depth
C. Separation of duties
D. Zero trust
Answer: A

The analyst is given only the permissions needed to perform password resets and nothing beyond that task.

Why this answer

The help desk analyst is granted only the permissions necessary to perform their job function—resetting passwords—while all other HR functions are explicitly denied. This is the core definition of least privilege: each user or system component receives the minimum set of access rights needed to complete their tasks. By restricting the analyst’s account to password reset operations only, the organization reduces the attack surface and limits potential damage from compromised credentials or insider misuse.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'separation of duties' because both involve restricting access, but separation of duties specifically requires dividing a single sensitive process among multiple people, whereas least privilege simply limits the scope of permissions for any one person or process.

How to eliminate wrong answers

Option B (Defense in depth) is wrong because that principle involves layering multiple independent security controls (e.g., firewall, IDS, encryption) to protect assets, not restricting individual user permissions. Option C (Separation of duties) is wrong because that principle requires splitting critical tasks among multiple people to prevent fraud (e.g., one person requests a purchase, another approves it), whereas this scenario is about limiting a single user’s access scope. Option D (Zero trust) is wrong because zero trust is a broader architectural model that assumes no implicit trust and continuously verifies every request regardless of origin, not simply a policy of assigning minimal permissions to a help desk role.

31
MCQ · easy

A security team stores employee passwords in a database. Which method best protects the passwords if the database is stolen?

A. Store the passwords in plain text so users can recover them easily.
B. Hash the passwords with a unique salt for each account.
C. Encrypt the passwords and keep the decryption key in the same database.
D. Compress the passwords before storing them to make them smaller.
Answer: B

Hashing with a unique salt makes password data much harder to reuse or crack at scale. If the database is stolen, the attacker cannot directly read the passwords, and identical passwords will not produce the same stored value when salts differ.

Why this answer

Option B is correct because hashing with a unique salt per account ensures that even if two users have the same password, their hashes will differ, and precomputed rainbow table attacks are rendered ineffective. The salt is stored alongside the hash, but the one-way nature of the hash function means an attacker cannot reverse the hash to recover the original password without performing an expensive brute-force search for each salted hash individually.

Exam trap

The trap here is that candidates may confuse encryption with hashing, thinking that encrypting passwords is sufficient, but they overlook that reversible encryption with the key stored alongside the data provides no real protection in a database theft scenario.

How to eliminate wrong answers

Option A is wrong because storing passwords in plain text violates fundamental security principles; if the database is stolen, all passwords are immediately exposed, compromising every user account. Option C is wrong because encryption is a reversible process, and keeping the decryption key in the same database means that if the database is stolen, the attacker also has the key, making the encryption useless. Option D is wrong because compression is not a security measure; it merely reduces storage size and can be easily reversed by an attacker, providing no protection against password disclosure.
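Questions 24 and 31 both come down to the same fix, shown here as an added example (not code from the question bank): each account gets a fresh 16-byte random salt, and the stored record is the salt plus a PBKDF2-HMAC-SHA256 digest. The demo stores the same password for two users under both the unsalted scheme and the salted one and then runs a constructed precomputed table against each, so the two properties the questions ask for (no equal stored values, no precomputed hits) are checked directly. The iteration count is an assumption chosen to keep the demo fast.

```python
import hashlib
import hmac
import os

# Work factor. OWASP's current PBKDF2-HMAC-SHA256 guidance is 600,000 iterations;
# lowered here (demo assumption) so the example runs quickly.
ITERATIONS = 210_000
SALT_LEN = 16


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a per-account salt."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_sha256(password):
    """The weak scheme the questions warn about: same password -> same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo():
    """Two users pick the same (constructed) password; compare both storage schemes."""
    pw = "Winter2024!"
    unsalted = {"alice": unsalted_sha256(pw), "bob": unsalted_sha256(pw)}
    salted = {"alice": hash_password(pw), "bob": hash_password(pw)}

    # Attacker's precomputed table over a small constructed wordlist: hash -> password.
    rainbow = {unsalted_sha256(p): p for p in ["password", "Winter2024!", "letmein"]}

    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "salted_identical": salted["alice"] == salted["bob"],
        "rainbow_hits_unsalted": [u for u, h in unsalted.items() if h in rainbow],
        # The table would have to be rebuilt per salt, so no digest matches.
        "rainbow_hits_salted": [u for u, s in salted.items() if s.split("$")[3] in rainbow],
        "alice_verifies": verify_password(pw, salted["alice"]),
        "wrong_rejected": verify_password("Winter2024?", salted["alice"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```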

32
MCQ · medium

A security auditor is reviewing the access controls for a payroll application. The auditor discovers that a single user, the payroll manager, has permissions to both create new employee records and then approve and process salary payments for those records. The company's security policy requires that no single individual should be able to execute both the creation and the approval of a payment for the same employee. Which of the following security principles is the company's policy attempting to enforce?

A. Least privilege
B. Separation of duties
C. Defense in depth
D. Mandatory access control
Answer: B

Separation of duties ensures that no single individual has control over all phases of a critical transaction, reducing the risk of fraud or error.

Why this answer

The company's policy prohibits a single user from both creating employee records and approving payments for them, which is a classic application of separation of duties. This principle ensures that no single individual has the authority to execute two conflicting or sensitive tasks that could lead to fraud or error, such as creating a fictitious employee and then approving a salary payment to that employee. In the context of a payroll application, separation of duties requires distinct roles or users for record creation and payment approval to enforce checks and balances.

Exam trap

The trap here is that candidates often confuse separation of duties with least privilege, but the key distinction is that separation of duties focuses on dividing conflicting tasks among multiple users to prevent fraud, while least privilege focuses on limiting permissions to the minimum needed for a single user's role.

How to eliminate wrong answers

Option A is wrong because least privilege restricts users to only the permissions necessary for their job function, but it does not prevent a single user from having both create and approve permissions if those are required for their role; the policy here is specifically about splitting conflicting tasks, not minimizing permissions. Option C is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, encryption) to protect assets, not a principle that governs how tasks are divided among users to prevent fraud.

33
MCQ · easy

A user downloads a company software update and wants to verify it really came from the vendor and was not changed in transit. Which cryptographic feature should they check?

A. A digital signature from the vendor
B. A longer filename with the vendor name in it
C. A larger file size than the previous update
D. A password-protected ZIP file
Answer: A

A digital signature lets the user verify both the source and the integrity of the update. If the signature is valid, the file was signed by the expected private key holder and has not been altered since signing.

Why this answer

A digital signature from the vendor provides cryptographic proof of both authenticity (the file originated from the claimed vendor) and integrity (the file has not been altered in transit). The vendor signs the file with their private key, and the user verifies the signature using the vendor's public key; if the signature is valid, the file is genuine and unchanged.

Exam trap

The trap here is that candidates confuse file properties (name, size) or simple access controls (password protection) with cryptographic verification, overlooking that only a digital signature provides non-repudiation and tamper evidence.

How to eliminate wrong answers

Option B is wrong because a longer filename containing the vendor name is trivial to forge and provides no cryptographic assurance of origin or integrity. Option C is wrong because a larger file size does not prove authenticity; an attacker can easily modify the update and increase its size. Option D is wrong because a password-protected ZIP file only restricts access via the password; it does not cryptographically bind the file to a specific vendor or protect against tampering in transit.

34
MCQ · hard

To reduce fraud, a finance system requires one user to create a payment batch, a different user to approve it, and a third role to release it to the bank. An audit recommends adding a "super-user" who can perform all three steps to speed month-end close. Which principle would that recommendation most directly weaken?

A. Least privilege
B. Separation of duties
C. Need-to-know
D. Defense in depth
Answer: B

Keeping creation, approval, and release in different roles reduces the chance that one compromised account or one dishonest employee can move money without oversight. The recommended super-user would concentrate those powers into one role and remove the control that forces independent review. That is a direct violation of separation of duties, which is designed to reduce fraud and abuse.

Why this answer

The recommendation to create a super-user who can create, approve, and release payment batches directly violates the separation of duties principle. This principle requires that critical tasks be divided among multiple individuals to prevent any single person from having the ability to commit fraud without collusion. By allowing one user to perform all three steps, the system loses the fraud-prevention control that requires independent actors for each stage of the payment lifecycle.

Exam trap

The trap here is that candidates may confuse least privilege with separation of duties, because both involve limiting access, but separation of duties specifically addresses the division of conflicting tasks to prevent fraud, while least privilege focuses on minimizing permissions for a single role.

How to eliminate wrong answers

Option A is wrong because least privilege is about granting only the minimum permissions necessary to perform a job function, not about dividing tasks among multiple users; the super-user would actually violate least privilege by having excessive permissions, but the question asks which principle is most directly weakened by the recommendation. Option C is wrong because need-to-know controls access to specific data based on job requirements, not the sequence of operational steps; the super-user would still need to know payment details to perform the steps, so this principle is not directly impacted. Option D is wrong because defense in depth is a layered security strategy using multiple controls, and while adding a super-user reduces one layer, the core principle being undermined is the division of critical functions, not the layering of defenses.

35
MCQ · medium

Based on the exhibit, which change best reduces the risk of lateral movement if a user workstation is compromised?

A. Add more workstations to VLAN 10 so authentication requests are faster.
B. Require administrative access through a hardened bastion host and restrict direct management from user devices.
C. Disable logging on the servers so attackers leave fewer traces if they connect.
D. Move all servers into the same VLAN as the workstations for easier access control.
Answer: B

A bastion host creates a controlled management path instead of allowing every workstation to talk directly to servers. Restricting direct SSH and RDP from the user VLAN reduces attack surface and supports a zero-trust-style approach to administration.

Why this answer

Requiring administrative access through a hardened bastion host enforces a jump-box architecture, which eliminates direct RDP, SSH, or WinRM from user workstations to servers. This segmentation prevents an attacker who compromises a user workstation from using stolen credentials or tools to laterally move to sensitive servers, as all management traffic must pass through a controlled, monitored, and often multi-factor-authenticated bastion host.

Exam trap

CompTIA often tests the misconception that adding more resources to a VLAN or disabling logging improves security, when in fact these actions weaken segmentation and reduce visibility, respectively.

How to eliminate wrong answers

Option A is wrong because adding more workstations to VLAN 10 does not reduce lateral movement risk; it increases the attack surface and does not address the need for network segmentation or access control between user devices and servers. Option C is wrong because disabling logging on servers removes the audit trail that is critical for detecting and investigating lateral movement, directly violating security best practices and compliance requirements. Option D is wrong because moving all servers into the same VLAN as workstations collapses the security boundary, allowing any compromised workstation to directly reach servers without any network-level controls, thereby increasing lateral movement risk.

36
Multi-Select · medium

Which three of the following are core principles of the CIA triad in information security? (Choose three.)

Select 3 answers
- Confidentiality
- Integrity
- Availability
- Authentication
- Non-repudiation
- Authorization

Why this answer

The CIA triad is the foundational model for information security, consisting of Confidentiality, Integrity, and Availability. Confidentiality ensures data is accessible only to authorized users, often enforced through encryption (e.g., AES-256) and access controls. Integrity guarantees data has not been tampered with, using mechanisms like hashing (SHA-256) or digital signatures.

Availability ensures systems and data are accessible when needed, supported by redundancy (RAID, failover clusters) and DDoS mitigation.

Exam trap

Cisco often tests the distinction between the CIA triad and other security objectives like AAA (Authentication, Authorization, Accounting), leading candidates to mistakenly include Authentication or Authorization as core CIA principles.

37
MCQhard

Based on the exhibit, which additional control is the best fit to prevent employees from copying sensitive reports to removable media?

A.Block all internet access on finance laptops except for the accounting website.
B.Implement endpoint device control or DLP rules to restrict removable media use.
C.Increase the password complexity requirements for finance users.
D.Add more antivirus signatures to the endpoint protection platform.
AnswerB

This is the best control because the incident involves data being copied to USB devices. Web filtering, stronger passwords, and extra antivirus signatures do not stop an authenticated user from transferring files to removable media. Endpoint device control or DLP can block, log, or limit USB storage use, directly reducing the exfiltration path while preserving normal internet and email access.

Why this answer

Endpoint device control or DLP (Data Loss Prevention) rules are specifically designed to monitor, block, or restrict the use of removable media such as USB drives. By implementing such controls, an organization can enforce policies that prevent sensitive data from being copied to unauthorized external storage devices, directly addressing the threat of data exfiltration via removable media.

Exam trap

The trap here is that candidates often confuse network-based controls (like web filtering) with physical data exfiltration controls, or they mistakenly believe that stronger authentication or antivirus updates can prevent intentional data copying to removable media.

How to eliminate wrong answers

Option A is wrong because blocking all internet access except for the accounting website does not prevent copying data to removable media; it only restricts network-based data exfiltration, leaving the physical USB vector unaddressed. Option C is wrong because increasing password complexity requirements only strengthens authentication, but does not control what users do with data after they are authenticated, so it has no effect on copying files to removable media. Option D is wrong because adding more antivirus signatures improves detection of known malware but does not enforce policies on data transfer to removable media; it is a reactive security measure, not a preventive control for data loss.

38
Matchingeasy

Match each security principle to the best workplace example.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

A help desk technician can reset passwords but cannot open payroll records.

A customer portal uses MFA, endpoint protection, and network filtering together.

The system rechecks trust before each sensitive action, even from a managed device.

One employee creates a payment batch and a different employee approves it.

An analyst sees only the case files assigned to that investigation.

Why these pairings

Each workplace example illustrates one principle: the help desk technician who can reset passwords but cannot open payroll records shows least privilege; the customer portal combining MFA, endpoint protection, and network filtering shows defense in depth; rechecking trust before each sensitive action, even from a managed device, shows zero trust; having one employee create a payment batch and a different employee approve it shows separation of duties; and the analyst who sees only the case files assigned to that investigation shows need-to-know.

39
Multi-Selecthard

A cloud backup service uses envelope encryption. The key-encryption key is nearing the end of its approved lifetime, but the business cannot decrypt and re-encrypt every backup object this week. Which two statements best describe the correct rotation approach? Select two.

Select 2 answers
A.Generate a new key-encryption key and use it for future backups.
B.Rewrap the existing data-encryption keys with the new key-encryption key.
C.Decrypt and re-encrypt every backup object immediately with a new data key.
D.Destroy the old key before the rewrapping process finishes.
E.Replace the hashing algorithm used for file integrity checks.
AnswersA, B

A new wrapping key can be introduced without changing the underlying encrypted backup data. The data-encryption keys themselves stay the same; only the small wrapped copies of those keys are rewritten under the new key-encryption key, and the old key is retired once nothing references it.

Why this answer

Option A is correct because envelope encryption allows the key-encryption key (KEK) to be rotated without touching the underlying data. Generating a new KEK and using it for future backups ensures that new data-encryption keys (DEKs) are wrapped with the fresh KEK, maintaining security without requiring immediate decryption and re-encryption of all existing backup objects. Option B is correct because each existing DEK can be unwrapped with the old KEK and rewrapped with the new one; this rewrites only the wrapped key blobs, not the encrypted backup objects, so it is feasible within the week. The old KEK must remain available until the last DEK has been rewrapped, which is why destroying it early (option D) would leave those backups unrecoverable.

Exam trap

The trap here is that candidates often assume key rotation requires re-encrypting all data, missing the core advantage of envelope encryption where only the key-encryption key needs to be rotated and DEKs can be rewrapped independently.
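The rotation described above, written out as an added example that is not part of the original question set. It uses AES-256-GCM from the Go standard library for both the bulk data and the key wrapping; the BackupObject record layout, the key names kek-2023 and kek-2024, and the sample payload are assumptions for this illustration (a real key-management service would keep the KEKs in an HSM and expose wrap/unwrap operations rather than raw key bytes).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// BackupObject is a hypothetical stored record: bulk ciphertext plus the DEK wrapped under a named KEK.
type BackupObject struct {
	KEKID      string // which KEK wrapped the DEK
	WrappedDEK []byte // DEK encrypted with the KEK (small, cheap to rewrite)
	Ciphertext []byte // data encrypted with the DEK (large, untouched by rotation)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prefixes the random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag makes a wrong key or a tampered blob fail.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("sealed blob too short")
}

func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// encryptBackup uses a fresh DEK per object and wraps it with the current KEK.
func encryptBackup(kekID string, kek, data []byte) (BackupObject, error) {
	dek := newKey()
	ct, err := seal(dek, data)
	if err != nil {
		return BackupObject{}, err
	}
	wrapped, err := seal(kek, dek)
	return BackupObject{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, err
}

// decryptBackup unwraps the DEK with the KEK named in the record, then decrypts.
func decryptBackup(keks map[string][]byte, obj BackupObject) ([]byte, error) {
	dek, err := open(keks[obj.KEKID], obj.WrappedDEK) // unknown KEK id -> nil key -> error
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK with %s: %w", obj.KEKID, err)
	}
	return open(dek, obj.Ciphertext)
}

// rotateKEK rewraps every DEK wrapped under oldID so it is wrapped under newID (option B).
// Neither the DEKs nor the bulk ciphertext change; the old KEK must stay until nothing references it.
func rotateKEK(keks map[string][]byte, oldID, newID string, objs []BackupObject) error {
	for i := range objs {
		if objs[i].KEKID != oldID {
			continue
		}
		dek, err := open(keks[oldID], objs[i].WrappedDEK)
		if err != nil {
			return fmt.Errorf("object %d: %w", i, err)
		}
		wrapped, err := seal(keks[newID], dek)
		if err != nil {
			return err
		}
		objs[i].WrappedDEK, objs[i].KEKID = wrapped, newID
	}
	return nil
}

func main() {
	keks := map[string][]byte{"kek-2023": newKey()}
	obj, _ := encryptBackup("kek-2023", keks["kek-2023"], []byte("constructed backup payload"))
	objs := []BackupObject{obj}
	keks["kek-2024"] = newKey() // option A: new KEK for all future backups
	fmt.Println("rewrap error:", rotateKEK(keks, "kek-2023", "kek-2024", objs))
	delete(keks, "kek-2023") // safe only now that no record references it
	pt, err := decryptBackup(keks, objs[0])
	fmt.Println(string(pt), err)
}
```

The point to take from the code is what rotateKEK does not touch: Ciphertext is never read or rewritten, and the DEK bytes that come out of the old wrap go straight into the new wrap. The delete of the old KEK is placed after the loop completes with no error; in production that step should also wait until the rewrapped records have been durably written, since an object whose KEKID still names a destroyed key is unrecoverable.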

40
MCQmedium

An operations manager is worried a single network administrator could quietly push an unauthorized firewall rule. The manager wants every rule change reviewed by a second person and documented before implementation. Which control best addresses this concern?

A.Enable detailed firewall logging so each packet match is written to disk.
B.Require a documented change-management workflow with two approvers before any firewall rule is applied.
C.Move the firewall appliance into a locked equipment rack.
D.Encrypt the firewall configuration backup with a strong key.
AnswerB

Correct. A documented change-management process with dual approval is an administrative control that reduces insider risk and improves accountability. It creates separation of duties, adds review before implementation, and leaves an auditable trail. That combination directly addresses the manager's concern about a single administrator making hidden changes.

Why this answer

Option B is correct because a documented change-management workflow with two approvers directly enforces separation of duties, ensuring that no single administrator can implement a firewall rule change without peer review and documented approval. This control addresses the manager's concern about unauthorized changes by requiring a second person to review and approve before the rule is applied, which is a fundamental principle of access control and change management.

Exam trap

The trap here is that candidates may confuse detective controls (like logging) or physical controls (like locked racks) with preventive administrative controls, failing to recognize that only a documented approval workflow with two approvers directly enforces the required separation of duties to prevent unauthorized rule changes.

How to eliminate wrong answers

Option A is wrong because enabling detailed firewall logging records traffic matches after the fact, but it does not prevent a single administrator from pushing an unauthorized rule; it only provides forensic evidence. Option C is wrong because moving the firewall into a locked equipment rack provides physical security against tampering with the hardware, but it does not prevent a network administrator from remotely pushing unauthorized rule changes via the management interface. Option D is wrong because encrypting the firewall configuration backup protects the backup file from unauthorized access, but it does not control or review live rule changes made by an administrator.

41
Multi-Selecthard

In the finance workflow, one employee can create a payment batch but cannot approve it, and the same person also cannot view employee records that are unrelated to the task. Which two principles are being enforced? Select two.

Select 2 answers
A.Separation of duties, because creation and approval are split between different roles.
B.Need-to-know, because the employee sees only records relevant to the assigned finance task.
C.Least privilege, because every user should have no more than one permission overall.
D.Defense in depth, because multiple security technologies are layered around the finance system.
E.Zero trust, because the employee must always be treated as untrusted by the network.
AnswersA, B

Splitting initiation and approval reduces the chance that one person can commit fraud alone.

Why this answer

Option A is correct because separation of duties is enforced by splitting the payment creation and approval functions between different roles, preventing a single employee from committing fraud by creating and approving a payment without oversight. This principle reduces the risk of unauthorized or malicious actions by requiring collusion for abuse. Option B is correct because the same employee's view is limited to the records required for the assigned task; that restriction on which data is visible, as opposed to which actions the employee may perform, is need-to-know.

Exam trap

The trap here is confusing 'need-to-know' with 'least privilege' — need-to-know limits access to specific data based on job necessity, while least privilege limits the overall permissions (e.g., read vs. write) a user has, and candidates often pick least privilege when the scenario describes data restriction rather than permission minimization.

42
MCQhard

Based on the exhibit, which control type best describes the jump host requirement?

A.Preventive control, because the jump host blocks unauthorized access before it reaches the payroll server.
B.Detective control, because session recording helps the team discover misuse after the fact.
C.Compensating control, because the jump host provides an alternate safeguard when the application cannot enforce MFA directly.
D.Directive control, because the administrators are being instructed to use a specific access path.
AnswerC

The jump host is a compensating control because it reduces risk by providing an alternate security measure when the original control cannot be implemented on the legacy payroll application. MFA, logging, and session recording on the jump host help offset the application's limitation without requiring a risky replacement. The goal is risk reduction through a substitute safeguard.

Why this answer

The jump host is implemented as a compensating control because the payroll server's application cannot natively enforce multi-factor authentication (MFA). Instead of leaving the server unprotected, the jump host provides an alternative security layer by requiring MFA at the jump host level, thereby compensating for the application's limitation. This aligns with the NIST definition of compensating controls as alternative safeguards that mitigate risks when primary controls are infeasible.

Exam trap

The trap here is that candidates confuse the jump host's session recording (a detective feature) with the primary reason for its deployment, which is to compensate for the lack of MFA on the payroll server.

How to eliminate wrong answers

Option A is wrong because a jump host does not block unauthorized access directly; it enforces authentication and session control, but it is not a preventive control like a firewall ACL or network segmentation that denies traffic before it reaches the target. Option B is wrong because session recording is a detective control, but the question asks about the jump host requirement itself, not the recording feature; the jump host's primary purpose is to enforce MFA, not to discover misuse after the fact. Option D is wrong because a directive control is a policy or instruction (e.g., a written security policy), not a technical mechanism; the jump host is a technical implementation, not a written directive.

43
MCQeasy

Which document tells all employees what they are allowed and not allowed to do when using company systems?

A.Policy
B.Procedure
C.Standard
D.Guideline
AnswerA

A policy states the organization’s high-level rules and expectations for behavior. It tells employees what is permitted, prohibited, or required when using company systems, such as acceptable use, data handling, or password rules. Policies are approved by management and guide the rest of the security program.

Why this answer

A policy is a high-level document that defines mandatory rules and expectations for employee behavior when using company systems. It specifies what is allowed and prohibited, such as acceptable use of email, internet browsing, and data handling, and is enforceable with consequences for non-compliance.

Exam trap

The trap here is that candidates confuse 'policy' with 'procedure' or 'guideline,' thinking that step-by-step instructions or recommendations define allowed versus prohibited actions, but only a policy sets mandatory, enforceable rules for employee conduct.

How to eliminate wrong answers

Option B is wrong because a procedure provides step-by-step instructions for completing a specific task, not a broad set of rules about allowed and disallowed actions. Option C is wrong because a standard defines mandatory technical specifications or configurations (e.g., requiring AES-256 encryption), not behavioral rules for employees. Option D is wrong because a guideline offers recommendations or best practices that are not mandatory, whereas a policy is enforceable and binding.

44
MCQhard

A vendor distributes a Linux package through multiple mirrors. Security wants to verify that the package really came from the vendor and was not altered after publication, even if a mirror or CDN is compromised. Which cryptographic mechanism should be checked?

A.A hash value published on the mirror site alone
B.A digital signature created with the vendor's private key
C.Symmetric encryption of the package with a shared secret
D.Key stretching with a slow password algorithm
AnswerB

A digital signature provides authenticity and integrity. If the package was signed with the vendor's private key, anyone with the matching public key (obtained out of band, for example from a certificate or the package manager's keyring) can verify that the package came from the vendor and has not been altered since signing. This works even if the download is mirrored or relayed by an untrusted CDN, because verification does not depend on trusting the transport path.

Why this answer

A digital signature created with the vendor's private key provides both authentication (proving the package came from the vendor) and integrity (detecting any alteration after signing). Even if a mirror or CDN is compromised, the signature verification will fail if the package has been tampered with, because only the vendor's private key could have produced a signature that verifies under the corresponding public key. The public key must itself come through a trusted channel (for example, pre-installed in the package manager's keyring), not from the mirror. This is the standard mechanism used by package managers like APT (with signed Release files) and RPM (with GPG signatures).

Exam trap

The trap here is that candidates confuse a simple hash (which provides integrity only if the hash source is trusted) with a digital signature (which provides both integrity and authentication even when the distribution channel is untrusted).

How to eliminate wrong answers

Option A is wrong because a hash value published on the mirror site alone provides integrity only if the hash itself is trusted; if the mirror is compromised, an attacker can replace both the package and its hash, making the verification useless. Option C is wrong because symmetric encryption with a shared secret protects confidentiality but does not provide non-repudiation or integrity verification against a compromised mirror; the shared secret would need to be distributed securely, and any party with the key could modify the package undetected. Option D is wrong because key stretching (e.g., PBKDF2, bcrypt) is a technique to slow down brute-force attacks on passwords, not a mechanism for verifying package authenticity or integrity.

45
Multi-Selecthard

A baseline review found that standard developer accounts are local administrators, unsigned tools can run from user profile folders, and reimaged systems still end up with unauthorized persistence. Which two changes best improve hardening while preserving developer work? Select two.

Select 2 answers
A.Remove local administrator rights from standard user accounts.
B.Enforce application allowlisting for approved executables and scripts.
C.Turn off logging to preserve disk space.
D.Allow unrestricted browser extension installs.
E.Merge all developer and production systems into one VLAN.
AnswersA, B

Removing local admin rights blocks many common persistence and privilege escalation paths. It also reduces the damage a user mistake or malicious script can do on an otherwise managed workstation.

Why this answer

Option A is correct because removing local administrator rights from standard developer accounts enforces the principle of least privilege (PoLP). This prevents developers from making unauthorized system-wide changes, such as installing unsigned tools or creating persistence mechanisms, while still allowing them to perform their work with standard user permissions. This directly addresses the baseline review finding that standard developer accounts are local administrators, which is a common security misconfiguration.

Exam trap

The trap here is that candidates may think removing admin rights alone is sufficient, but the question requires two changes that best improve hardening while preserving developer work, and application allowlisting (Option B) is the second critical control to block unsigned tools from running in user profile folders, which removal of admin rights alone does not address.

46
MCQmedium

A security analyst at a hospital is reviewing user permissions in the electronic health record (EHR) system. The analyst discovers that all nursing staff accounts are members of the 'Administrators' group, which grants full read and write access to all patient records, as well as the ability to modify system configuration settings. The nursing staff's job responsibilities only require viewing and updating records for patients currently assigned to them. Which security principle is most directly violated by this configuration?

A.Defense in depth
B.Least privilege
C.Non-repudiation
D.Availability
AnswerB

The principle of least privilege dictates that users should have only the minimum permissions needed to perform their duties. Granting nursing staff full administrative rights violates this principle because the staff only need limited, role-specific access to patient records.

Why this answer

The principle of least privilege dictates that users should be granted only the minimum permissions necessary to perform their job functions. In this case, nursing staff only need read and write access to records of currently assigned patients, but membership in the 'Administrators' group grants full read/write access to all patient records and the ability to modify system configuration settings, which far exceeds their job requirements. This directly violates least privilege by providing excessive, unnecessary privileges that increase the risk of unauthorized access or accidental misconfiguration.

Exam trap

The trap here is that candidates may confuse 'least privilege' with 'defense in depth' because both are security principles, but defense in depth is about multiple layers of protection, not about limiting user permissions to the minimum necessary.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, encryption) to protect assets; it is not directly about user permission levels. Option C is wrong because non-repudiation ensures that a user cannot deny an action, typically through digital signatures or audit logs; it does not address the scope of permissions granted. Option D is wrong because availability ensures that systems and data are accessible when needed, often through redundancy and fault tolerance; while excessive permissions could indirectly affect availability (e.g., accidental misconfiguration), the core violation here is about privilege scope, not uptime or access reliability.

47
MCQmedium

A legacy payroll application cannot support multifactor authentication yet, but the business still needs to reduce risk while the application is being modernized. The security team limits access to a hardened jump host, requires manager approval for access requests, and adds extra logging until the application can be upgraded. What type of control is this?

A.Corrective control
B.Compensating control
C.Deterrent control
D.Preventive control
AnswerB

A compensating control is an alternative safeguard used when the preferred or required control cannot be implemented yet. Here, MFA is not supported by the legacy application, so the team reduces risk using a hardened jump host, approval workflow, and enhanced logging. Those measures do not replace MFA completely, but they provide a reasonable temporary risk reduction until the system is upgraded.

Why this answer

Compensating controls are alternative security measures implemented when primary controls (like MFA) cannot be applied due to technical limitations. In this scenario, the jump host restriction, manager approval, and enhanced logging serve as compensating controls to reduce risk until the legacy payroll application can be modernized to support MFA.

Exam trap

The trap here is that candidates may confuse compensating controls with preventive controls, mistakenly thinking that the jump host and approval process are directly preventing unauthorized access, when in fact they are alternative measures compensating for the missing MFA capability.

How to eliminate wrong answers

Option A is wrong because corrective controls are designed to remediate or reverse the effects of an incident after it has occurred (e.g., restoring from backup), not to reduce risk proactively while awaiting modernization. Option C is wrong because deterrent controls aim to discourage potential attackers through visible warnings or threats (e.g., security cameras, warning banners), not to provide alternative access restrictions and logging. Option D is wrong because preventive controls are intended to block security violations outright (e.g., firewalls, access control lists), but here the legacy application cannot support MFA, so a direct preventive control is not feasible; compensating controls are used instead.

48
MCQhard

Based on the exhibit, which cryptographic mechanism provides proof that the update came from the vendor and was not altered?

A.Hashing, because matching SHA-256 values alone prove the file came from the vendor.
B.Symmetric encryption, because only the vendor and the customer share the secret key.
C.Digital signature, because only the vendor's private key can produce the verified signature.
D.Salting, because adding random data makes the update file easier to trust.
AnswerC

Digital signature is correct because the signature check proves both integrity and authenticity. The vendor signs the update with a private key, and anyone with the matching public key can verify that the file has not changed and that the signer possessed the private key. That is exactly the proof of origin the audit note is asking for.

Why this answer

Option C is correct because a digital signature uses the vendor's private key to sign the update, and the customer verifies it using the vendor's public key. This asymmetric cryptographic mechanism ensures both authenticity (the update came from the vendor) and integrity (the update was not altered), as only the vendor's private key can produce a signature that validates with the corresponding public key.

Exam trap

The trap here is that candidates confuse hashing with digital signatures, thinking that a hash match alone proves the source, when in fact hashing only verifies integrity, not authenticity or non-repudiation.

How to eliminate wrong answers

Option A is wrong because hashing alone provides integrity (detecting changes) but does not prove the source; an attacker could replace both the file and its hash, and SHA-256 values matching only show the file hasn't changed, not that it came from the vendor. Option B is wrong because symmetric encryption uses a shared secret key, which does not provide non-repudiation or proof of origin; both the vendor and customer possess the same key, so the customer cannot prove the update came specifically from the vendor. Option D is wrong because salting adds random data to passwords or hashes to prevent rainbow table attacks, but it does not provide any mechanism for authentication or integrity verification of an update file.
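The mirror scenario in question 44 and the vendor update in question 48 are the same check, so here is one added example (not taken from the page) that covers both: a vendor signs the SHA-256 digest of a package, a mirror serves the package together with a hash file and the detached signature, and an attacker who controls the mirror replaces the package and recomputes the hash file. Ed25519 from the Go standard library is an assumption standing in for the GPG/RPM signing the explanation mentions; the Mirror struct, the key pair and the package bytes are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Mirror models what a download site serves: the package, a published hash
// file and the vendor's detached signature. All three are under the mirror's
// control, so a compromised mirror can rewrite any of them.
type Mirror struct {
	Package   []byte
	HashHex   string // contents of package.sha256 as served by the mirror
	Signature []byte // vendor's Ed25519 signature over sha256(package)
}

// newVendorKeys generates the vendor's signing key pair (constructed for this
// example). The private half stays on the vendor's release system; only the
// public half is shipped to clients, pinned in their keyring.
func newVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// vendorPublish is the release step: hash the package and sign the digest.
func vendorPublish(priv ed25519.PrivateKey, pkg []byte) Mirror {
	digest := sha256.Sum256(pkg)
	return Mirror{
		Package:   pkg,
		HashHex:   hex.EncodeToString(digest[:]),
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// checkHashOnly is the weak check (question 44 option A, question 48 option A):
// compare the download with the hash file fetched from the same mirror.
// It catches accidental corruption, not a mirror that rewrites both files.
func checkHashOnly(m Mirror) bool {
	digest := sha256.Sum256(m.Package)
	return hex.EncodeToString(digest[:]) == m.HashHex
}

// checkSignature is the strong check: verify with the vendor's public key that
// the client obtained out of band, never with a key served by the mirror.
func checkSignature(vendorPub ed25519.PublicKey, m Mirror) bool {
	digest := sha256.Sum256(m.Package)
	return ed25519.Verify(vendorPub, digest[:], m.Signature)
}

// compromise models an attacker on the mirror swapping the package and
// recomputing the hash file. Without the private key they cannot re-sign.
func compromise(m Mirror, replacement []byte) Mirror {
	digest := sha256.Sum256(replacement)
	m.Package, m.HashHex = replacement, hex.EncodeToString(digest[:])
	return m
}

func main() {
	pub, priv := newVendorKeys()
	genuine := vendorPublish(priv, []byte("constructed package contents, v1.2.3"))
	tampered := compromise(genuine, []byte("constructed package contents with an extra payload"))
	for name, m := range map[string]Mirror{"genuine": genuine, "tampered": tampered} {
		fmt.Printf("%-8s hash-only check: %-5v signature check: %v\n",
			name, checkHashOnly(m), checkSignature(pub, m))
	}
}
```

Running it shows the two checks disagreeing on the tampered package: the hash-only check passes because the attacker rewrote the hash file along with the package, while the signature check fails because the stale signature no longer matches the new digest. The same structure is what APT does with its signed Release file and RPM with its GPG signature; what makes it work is that the verifying key was pinned on the client before the download, not fetched from the mirror.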

49
Matchingeasy

Match each security control type to the best example in a small office environment.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

A firewall blocks inbound remote desktop traffic from the internet.

A SIEM alert notifies analysts after multiple failed logins occur.

A clean backup is restored after malware is removed from a laptop.

A visible warning sign says the area is under video surveillance.

A policy requires users to lock their screens when stepping away.

A jump host is used temporarily until direct administration is safely allowed.

Why these pairings

These matches classify controls by type: the firewall blocking inbound remote desktop traffic is a preventive control, the SIEM alert on repeated failed logins is a detective control, restoring a clean backup after malware removal is a corrective control, the visible video-surveillance sign is a deterrent control, the screen-lock policy is a directive (administrative) control, and the temporary jump host used until direct administration is safe is a compensating control.

50
MCQeasy

A sales manager's laptop is often taken home and may contain customer pricing spreadsheets and contract drafts. Which control best protects the files if the laptop is stolen?

A.Hashing the files
B.Full-disk encryption
C.Using TLS on the office Wi-Fi
D.File compression
AnswerB

Full-disk encryption protects data at rest, so stolen storage is unreadable without the correct key.

Why this answer

Full-disk encryption (FDE) protects all data on the laptop's storage drive by encrypting the entire volume, including the operating system, applications, and files. If the laptop is stolen, the thief cannot access the customer pricing spreadsheets and contract drafts without the decryption key (e.g., a pre-boot PIN or TPM-based key). This renders the data unreadable even if the drive is removed and attached to another system, directly addressing the risk of physical theft.

Exam trap

The trap here is that candidates confuse confidentiality controls (encryption) with integrity controls (hashing) or network protection (TLS), mistakenly thinking hashing or TLS can protect data at rest on a stolen device.

How to eliminate wrong answers

Option A is wrong because hashing is a one-way cryptographic function used for integrity verification (e.g., detecting file tampering), not for confidentiality; it does not prevent an attacker from reading the files. Option C is wrong because TLS (Transport Layer Security) protects data in transit over the office Wi-Fi, but once the laptop is stolen, the files are at rest on the local drive and TLS offers no protection against offline access. Option D is wrong because file compression (e.g., ZIP) only reduces file size; an archive without a password is readable by anyone holding the drive, the legacy ZIP password scheme is weak, and even a well-encrypted archive protects only the files inside it rather than the whole disk, so it does not address the stolen-laptop case.

51
MCQmedium

Based on the exhibit, which change would most improve the security of the stored password data?

A.Store the passwords in encrypted form so they can be recovered later if needed.
B.Add a unique salt per password and use a slow password hashing algorithm.
C.Replace the hash with a plain SHA-256 digest because it is modern and widely supported.
D.Append the application name to each password before hashing to make the hashes unique.
AnswerB

A unique salt defeats precomputed rainbow tables and ensures identical passwords do not produce identical stored values. Using a slow, purpose-built password hashing algorithm also increases the cost of offline cracking attempts.

Why this answer

Option B is correct because adding a unique salt per password prevents precomputed rainbow table attacks, and using a slow password hashing algorithm (like bcrypt, PBKDF2, or Argon2) increases the computational cost of brute-force attacks. This combination ensures that even if the password hashes are compromised, attackers cannot efficiently crack them. Salting also ensures that identical passwords produce different hashes, eliminating the ability to detect shared passwords across accounts.

Exam trap

The trap here is that candidates often confuse hashing with encryption or assume that a 'modern' hash like SHA-256 is sufficient for password storage, overlooking the critical need for salting and key stretching to defend against brute-force and rainbow table attacks.

How to eliminate wrong answers

Option A is wrong because storing passwords in encrypted form (reversible) violates the fundamental security principle that passwords should never be recoverable; encryption keys can be compromised, exposing all passwords. Option C is wrong because plain SHA-256 is a fast, general-purpose hash designed for integrity checks, not password storage; it lacks salting and is vulnerable to GPU-accelerated brute-force attacks. Option D is wrong because appending the application name is a weak, predictable form of salting that does not provide per-password uniqueness and does not slow down hashing; it offers minimal protection against rainbow tables or targeted attacks.
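An added example, not from the page, showing the two halves of option B side by side with the option C scheme. PBKDF2 with HMAC-SHA-256 is written out rather than imported so the iteration count, the thing that makes the hash slow, is visible in the loop; a per-password 16-byte random salt is stored next to the derived key in a self-describing record, and verification is a constant-time comparison. The record format, the sample password and the iteration count are assumptions for this illustration; in production, prefer a maintained library and a memory-hard algorithm such as Argon2id where available.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA-256, written out so the
// iteration count is visible: it is the knob that makes offline cracking slow.
// Returns one hash-length (32-byte) block, enough for a password verifier.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(i) for the first block, big-endian
	u := mac.Sum(nil)
	dk := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range dk {
			dk[j] ^= u[j]
		}
	}
	return dk
}

// hashPassword stores a self-describing record (assumed format for this example):
// algorithm, iteration count, 16-byte random salt and derived key, all in one string.
func hashPassword(password string, iterations int) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iterations)
	enc := base64.RawStdEncoding.EncodeToString
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations, enc(salt), enc(dk)), nil
}

// verifyPassword recomputes the derived key from the stored salt and iteration
// count and compares in constant time so timing does not leak matching bytes.
func verifyPassword(password, record string) (bool, error) {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, errors.New("unsupported password record")
	}
	iters, err := strconv.Atoi(parts[1])
	if err != nil || iters < 1 {
		return false, errors.New("bad iteration count")
	}
	salt, err := base64.RawStdEncoding.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := base64.RawStdEncoding.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := pbkdf2SHA256([]byte(password), salt, iters)
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

// unsaltedSHA256 is the option C scheme: fast, and identical passwords give
// identical digests, so one precomputed table cracks every account at once.
func unsaltedSHA256(password string) string {
	d := sha256.Sum256([]byte(password))
	return hex.EncodeToString(d[:])
}

func main() {
	const iterations = 600_000 // assumption: tune so one hash costs tens of ms on your login servers
	a, _ := hashPassword("Summer2024!", iterations)
	b, _ := hashPassword("Summer2024!", iterations)
	fmt.Println("same password, two users, salted records differ:", a != b)
	fmt.Println("same password, unsalted digests identical:",
		unsaltedSHA256("Summer2024!") == unsaltedSHA256("Summer2024!"))
	ok, _ := verifyPassword("Summer2024!", a)
	wrong, _ := verifyPassword("summer2024!", a)
	fmt.Println("verify correct:", ok, "verify wrong:", wrong)
}
```

Two details matter beyond the algorithm choice. The salt is random per record, which is what option D's fixed application-name suffix lacks: a fixed suffix still lets an attacker build one table for the whole database. And the iteration count is stored with the hash, so it can be raised for new records as hardware gets faster without invalidating old ones.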

52
MCQmedium

A security architect proposes adding endpoint protection, network segmentation, multifactor authentication, email filtering, and immutable backups so that one failed safeguard does not expose the entire organization. What security strategy is being described?

A.Defense in depth
B.Least privilege
C.Need-to-know
D.Zero trust
AnswerA

Defense in depth uses multiple independent controls so that if one layer fails, others still reduce the chance of compromise or limit the damage. The mix of endpoint, network, identity, email, and recovery controls in the scenario is a textbook layered approach. It is especially useful because attackers rarely defeat every safeguard at once.

Why this answer

Defense in depth is a layered security strategy where multiple, independent controls (endpoint protection, network segmentation, MFA, email filtering, immutable backups) are deployed so that if one safeguard fails, others continue to protect the organization. This approach ensures no single point of failure can compromise the entire environment, aligning directly with the scenario described.

Exam trap

The trap here is that candidates confuse 'defense in depth' with 'least privilege' because both involve multiple controls, but defense in depth specifically requires overlapping, independent layers rather than just restricting permissions.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on restricting user permissions to the minimum necessary for their role, not on deploying multiple overlapping safeguards. Option C (Need-to-know) is wrong because it is a subset of least privilege that limits access to data based on job necessity, not a strategy for layering protective controls. Option D (Zero trust) is wrong because it is an access model that verifies every request regardless of network location; the scenario describes stacking diverse safeguards so that one failure is contained, not continuous per-request verification.

53
MCQhard

Based on the exhibit, which security principle should the team strengthen to reduce the chance that stolen credentials alone provide access to sensitive data?

A.Least privilege, because the user should only have the minimum file permissions needed.
B.Zero trust, because every request should be re-evaluated instead of relying on the earlier VPN login.
C.Need-to-know, because all finance data should be hidden from anyone outside the department.
D.Defense in depth, because multiple layers are always better than one control.
AnswerB

Zero trust fits the exhibit because access is being allowed based on an earlier authentication event and network location alone. A zero-trust design would re-evaluate each request using factors such as device health, identity, and context instead of assuming the session is safe for 12 hours.

Why this answer

The exhibit shows a scenario where a VPN session grants persistent access to sensitive data without re-authentication. Zero trust is correct because it mandates continuous verification of every request, not just the initial VPN login, so stolen credentials alone would not provide ongoing access to sensitive data. This principle enforces micro-segmentation and per-request authorization, directly addressing the vulnerability of credential theft.

Exam trap

The trap here is that candidates confuse zero trust with defense in depth, assuming multiple security layers automatically verify every request, when in fact defense in depth can still rely on a single persistent trust decision (like a VPN session) that stolen credentials can exploit.

How to eliminate wrong answers

Option A is wrong because least privilege limits the scope of access (e.g., file permissions) but does not prevent a stolen credential from being reused across sessions; it reduces blast radius but not the risk of credential reuse. Option C is wrong because need-to-know restricts data access based on role, but it still relies on the initial authentication and does not require re-evaluation of each request, so stolen credentials would still grant access to permitted data. Option D is wrong because defense in depth adds multiple controls (e.g., firewalls, IDS), but without a zero-trust architecture, a single stolen credential can bypass all layers if the VPN session remains trusted; it does not specifically address the re-evaluation gap.

54
MCQ · medium

A security engineer writes a script that computes SHA-256 hashes of critical server configuration files every night and sends an alert if any hash value has changed since the previous night. Which security goal is this control primarily designed to protect?

A. Confidentiality
B. Integrity
C. Availability
D. Authentication
Answer: B

Integrity ensures that data has not been tampered with or altered by unauthorized parties. Comparing hashes allows the engineer to detect any unauthorized changes to the configuration files, directly supporting the integrity goal. This is the correct answer.

Why this answer

The script computes SHA-256 hashes of configuration files and compares them nightly to detect any unauthorized or accidental changes. This directly protects the integrity of the files by ensuring they have not been modified, which is the core security goal of integrity. Confidentiality and availability are not addressed by hash comparison.

Exam trap

The trap here is confusing integrity with confidentiality because hashing involves cryptographic algorithms, leading candidates to mistakenly think it protects secrecy rather than detecting unauthorized modification.

How to eliminate wrong answers

Option A is wrong because confidentiality is about preventing unauthorized disclosure of data, not detecting changes; hashing does not encrypt or hide the file contents. Option C is wrong because availability ensures systems and data are accessible when needed, whereas hash monitoring does not prevent denial of service or ensure uptime.

55
MCQ · hard

Based on the exhibit, what is the best conclusion about the signed document?

A. The invoice is confidential because the signature encrypts the document contents.
B. The invoice was not changed after signing and the signer’s certificate chain validated correctly.
C. The invoice can be edited if the timestamp is still within business hours.
D. The sender’s private key is now public because the certificate verified successfully.
Answer: B

A valid digital signature confirms that the document digest still matches the signed value and that the certificate chain was trusted by the verifier. That means the invoice has not been altered since signing, and the signature can be associated with the trusted certificate identity shown in the exhibit.

Why this answer

Option B is correct because a valid digital signature provides both integrity (the document was not altered after signing) and authentication (the signer's certificate chain validates to a trusted root). The exhibit shows a successful signature validation, which cryptographically proves that the invoice has not been modified since signing and that the signing certificate is trusted.

Exam trap

The trap here is confusing digital signatures with encryption — candidates often think signing encrypts the document, but signing only provides integrity and non-repudiation, not confidentiality.

How to eliminate wrong answers

Option A is wrong because a digital signature does not encrypt the document; it only creates a hash signed with the private key, leaving the contents readable. Option C is wrong because a valid digital signature is independent of time of day; business hours have no effect on cryptographic validity. Option D is wrong because certificate validation proves the signer's identity, not that the private key is public; the private key remains secret and is never revealed by a successful verification.

56
Drag & Drop · medium

Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.

Why this order

Static routes require global config mode and must specify the destination network, subnet mask, and next-hop address or exit interface.

57
MCQ · medium

The security team configures the badge system so employees must present both a badge and a PIN before entering the data center. The access logs are reviewed weekly for failed attempts. Which pair of control types best describes these measures?

A. Preventive and detective, because one measure blocks access and the other identifies suspicious activity.
B. Corrective and recovery, because the logs can restore access after a badge failure.
C. Deterrent and compensating, because the PIN discourages attackers and the logs replace the badge reader.
D. Administrative and physical, because the weekly review and the badge reader are both physical measures.
Answer: A

Requiring a badge and PIN is preventive because it attempts to stop unauthorized entry before it happens. Reviewing access logs is detective because it helps identify misuse or attempted misuse after the fact. Together, these controls reduce the likelihood of unauthorized entry while also giving the security team visibility into failed or unusual access attempts. This is a practical layered approach.

Why this answer

Option A is correct because the badge and PIN requirement is a preventive control that blocks unauthorized access to the data center, while the weekly review of access logs is a detective control that identifies suspicious activity after the fact. Preventive controls stop incidents before they occur, and detective controls discover violations that have already happened, making this pair the best fit for the described measures.

Exam trap

The trap here is confusing detective controls (which identify past events) with corrective controls (which fix issues), or misclassifying administrative controls (like policy reviews) as physical controls, leading candidates to pick option D.

How to eliminate wrong answers

Option B is wrong because corrective and recovery controls are designed to fix or restore systems after an incident (e.g., restoring access after a badge failure), but the logs are used for review, not for restoration. Option C is wrong because deterrent controls discourage attackers (e.g., warning signs), not PINs that actively block access, and compensating controls provide alternative protection when a primary control fails, not logs that replace a badge reader. Option D is wrong because the weekly review is an administrative control (policy/procedure), not a physical measure, and the badge reader is a physical control, not an administrative one.

58
Multi-Select · medium

Which three of the following are characteristics of the principle of least privilege? (Choose three.)

Select 3 answers
- Users are granted only the permissions necessary to perform their job functions
- Administrative accounts are used only for administrative tasks, not daily work
- Privileges are reviewed and revoked when no longer needed
- All users have equal access to all system resources
- Privileges are granted permanently once assigned
- Users are given full control over all shared folders

Why this answer

The principle of least privilege dictates that users should only have the minimum permissions necessary to complete their job functions, which reduces the attack surface and limits potential damage from compromised accounts. Administrative accounts should be reserved exclusively for administrative tasks to prevent accidental or malicious misuse of elevated privileges. Regularly reviewing and revoking privileges ensures that access rights remain aligned with current job requirements, preventing privilege creep.

Exam trap

The trap here is that candidates may confuse the principle of least privilege with the concept of 'zero trust' or mistakenly think that permanent privilege grants are acceptable if initially assigned correctly, ignoring the need for ongoing review and revocation.

59
Multi-Select · hard

A finance app uses the corporate IdP for authentication. A user who moved out of finance can still approve invoices until the browser session expires, and the app caches local roles. Which two changes best make access changes take effect faster without storing app passwords? Select two.

Select 2 answers
A. Shorten token and session lifetimes, and require reauthentication for high-risk actions.
B. Increase password complexity but keep session duration unchanged.
C. Use current IdP group claims for authorization instead of cached local roles.
D. Disable SSO and email one-time passwords for every login.
E. Keep long-lived sessions to reduce help desk tickets.
Answers: A, C

Shorter sessions reduce how long stale access remains usable after a role change. Step-up reauthentication for sensitive actions adds an extra check before invoice approval, which is appropriate for financial operations.

Why this answer

Option A is correct because shortening token and session lifetimes reduces the window during which stale permissions remain active, and requiring reauthentication for high-risk actions (like approving invoices) ensures that the user's current authorization status is verified before sensitive operations. This directly addresses the problem of cached roles persisting beyond the user's actual group membership changes.

Exam trap

The trap here is that candidates may think increasing password complexity or disabling SSO improves security, but the question specifically asks for changes that make access changes take effect faster without storing app passwords, so the focus must be on session/token lifetimes and authorization source, not authentication strength.

60
MCQ · medium

A security architect is designing a defense strategy for a database containing sensitive customer records. The architect implements a network firewall to restrict inbound traffic to only the application server, enforces file-level encryption for the database files, requires multi-factor authentication for all administrative access, and deploys a database activity monitoring system to alert on unusual queries. Which security principle is the architect primarily applying?

A. Least privilege
B. Defense in depth
C. Separation of duties
D. Fail safe
Answer: B

This is correct. Defense in depth uses multiple independent layers of security controls (firewall, encryption, MFA, monitoring) so that if one layer fails, others still provide protection. The architect's strategy clearly exemplifies this principle.

Why this answer

The architect is applying defense in depth by layering multiple independent security controls: a network firewall, file-level encryption, multi-factor authentication, and database activity monitoring. This strategy ensures that if one control fails, others still provide protection, which is the core principle of defense in depth. Each layer addresses a different attack vector, making it significantly harder for an attacker to compromise the database.

Exam trap

The trap here is that candidates often confuse defense in depth with least privilege because both involve multiple controls, but defense in depth is about layering different types of controls, not just restricting permissions.

How to eliminate wrong answers

Option A is wrong because least privilege restricts user permissions to the minimum necessary, but the scenario describes multiple layers of controls, not a specific access restriction. Option C is wrong because separation of duties divides critical tasks among different people to prevent fraud, whereas this scenario focuses on technical controls, not role-based task division. Option D is wrong because fail safe ensures a system defaults to a secure state on failure (e.g., a firewall denying all traffic if it crashes), but the scenario does not describe any failover or default behavior.

61
Matching · easy

Match each cryptographic action to the most appropriate use case.

Protect the data if the laptop is stolen.

Check that the file was not changed during download.

Make identical passwords produce different hash values.

Confirm the file came from the expected sender and stayed intact.

Replace an encryption key on a planned schedule.

Why these pairings

Encryption ensures confidentiality, hashing ensures integrity, digital signatures provide authentication and non-repudiation, key exchange enables secure key distribution, certificate signing establishes trust, and random numbers are essential for key generation.

62
Matching · easy

Match each cryptographic primitive to its main purpose.

Producing a fixed-length value used to detect changes.

Using the same secret key to encrypt and decrypt data.

Using a public key and private key pair for encryption or decryption.

Proving who signed something and showing it was not changed.

Creating, storing, rotating, and retiring cryptographic keys safely.

Why these pairings

Symmetric encryption is efficient for large data, asymmetric encryption enables key exchange and signatures, hash functions ensure integrity, MACs combine integrity and authenticity, digital signatures add non-repudiation, and KDFs strengthen passwords for key use.

63
Multi-Select · hard

A contractor is brought in to investigate a single alert on an ERP system. The contractor gets read-only access to one log source through a jump host, cannot see user payroll records, and the account expires automatically at shift end. Which two principles are being applied? Select two.

Select 2 answers
A. Least privilege, because the contractor receives only the access needed for one investigation.
B. Need-to-know, because the contractor sees only the log source required for the job.
C. Separation of duties, because one person cannot both request and approve the access.
D. Defense in depth, because multiple layers of security tools are deployed around the server.
E. Zero trust, because every request is automatically denied until proven safe.
Answers: A, B

The account is restricted to the minimum permissions needed to complete the assigned task.

Why this answer

Least privilege is applied because the contractor's access is strictly limited to what is necessary for the single investigation: read-only access to one log source via a jump host, with the account expiring automatically at shift end. This ensures the contractor cannot perform any actions beyond the scope of the task, minimizing the attack surface and potential for accidental or malicious changes.

Exam trap

The trap here is that candidates confuse 'need-to-know' with 'least privilege' or incorrectly apply 'separation of duties' when the scenario only describes access restrictions for a single individual, not a division of responsibilities between multiple people.

64
MCQ · medium

A security analyst is investigating a data integrity incident where an attacker exploited a vulnerability in a web application to alter customer account balance records in the database. The analyst identifies the exact records that were modified and restores those records from a verified read-only backup taken prior to the attack. Which security goal is the analyst primarily addressing by restoring the records from backup?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
Answer: B

Integrity ensures data is accurate and has not been improperly altered. By restoring the database to a state before the unauthorized modifications, the analyst is directly correcting a breach of integrity.

Why this answer

Restoring the altered customer account balance records from a verified read-only backup directly addresses the integrity security goal. Integrity ensures that data is accurate and has not been modified by unauthorized parties. By reverting the records to their pre-attack state, the analyst is correcting the unauthorized modifications, thereby restoring the trustworthiness of the data.

Exam trap

The trap here is that candidates may confuse restoring data from backup with ensuring availability, but the primary goal in this scenario is to correct unauthorized modifications, which is a core integrity function.

How to eliminate wrong answers

Option A is wrong because confidentiality focuses on preventing unauthorized disclosure of data, not on correcting unauthorized modifications. Option C is wrong because availability ensures that systems and data are accessible when needed, which is not the primary concern when restoring altered records. Option D is wrong because non-repudiation provides proof of the origin or authenticity of data or actions, typically through digital signatures or logs, and is not achieved by restoring data from a backup.

65
MCQ · hard

Based on the exhibit, what is the best governance improvement?

Data handling procedure:
- Managers may approve external sharing exceptions verbally.
- Staff record exceptions in email threads.
- No retention period is defined for exception evidence.

Audit note: multiple exceptions could not be traced to an approver.

A. Replace verbal and email exceptions with a documented approval workflow and retained exception records.
B. Allow each team to decide its own exception format to increase flexibility.
C. Remove exception handling entirely so no external sharing can ever occur.
D. Keep the procedure unchanged and rely on additional awareness training alone.
Answer: A

A formal workflow creates traceable approvals, preserves evidence, and makes exception handling auditable later.

Why this answer

Option A is correct because the current procedure lacks a documented approval workflow and retention policy, which directly caused the audit finding that exceptions could not be traced to an approver. Implementing a formal, auditable process ensures non-repudiation and compliance with data handling governance, addressing the root cause rather than relying on informal verbal or email-based approvals.

Exam trap

The trap here is that candidates may think training alone (Option D) can fix a procedural gap, but the SY0-701 exam emphasizes that governance improvements require enforceable controls, not just awareness, to ensure accountability and auditability.

How to eliminate wrong answers

Option B is wrong because allowing each team to decide its own exception format would increase inconsistency and make auditing even more difficult, violating the principle of standardized governance. Option C is wrong because removing exception handling entirely is an extreme, impractical measure that would disrupt legitimate business needs for external sharing, and it does not address the governance gap in a balanced way. Option D is wrong because additional awareness training alone cannot fix the lack of a documented, auditable workflow; without a formal process, staff will continue using informal methods that fail to provide traceability.

66
Matching · easy

Match each access principle to the best description.

Give the user only the permissions needed to do the job.

Share only the information required for the assigned task.

Split important steps so one person cannot complete everything alone.

Verify each request instead of trusting a user just because they are internal.

Use multiple protective layers so one failure does not expose everything.

Why these pairings

Least privilege grants minimal permissions, separation of duties splits critical tasks, defense in depth uses multiple security layers, need-to-know restricts data access, RBAC assigns permissions by role, and accountability ensures traceability.

67
MCQ · medium

A branch office needs to send a confidential design document to headquarters over an untrusted network. Headquarters already has the public/private key pair available for document exchange. Which method is most appropriate to keep the file confidential during transit without first sharing a secret key?

A. Encrypt the file with headquarters' public key
B. Publish a hash of the file for comparison
C. Sign the file with the branch office private key only
D. Compress the file before sending it
Answer: A

Only headquarters can decrypt the file with its matching private key, preserving confidentiality in transit.

Why this answer

Encrypting the file with headquarters' public key ensures that only headquarters, possessing the corresponding private key, can decrypt and read the file. This method provides confidentiality over an untrusted network without requiring a pre-shared secret key, as the public key can be freely distributed.

Exam trap

The trap here is that candidates confuse digital signatures (which provide authentication and integrity) with encryption (which provides confidentiality), leading them to choose signing the file instead of encrypting it.

How to eliminate wrong answers

Option B is wrong because publishing a hash of the file allows integrity verification but does not provide confidentiality; the file itself remains readable in transit. Option C is wrong because signing with the branch office's private key provides authentication and non-repudiation, not confidentiality; the file is still sent in plaintext. Option D is wrong because compression reduces file size but does not provide any cryptographic protection; the compressed data can still be read by anyone intercepting it.

68
Multi-Select · easy

Which two practices help protect encryption keys? Select two.

Select 2 answers
A. Store keys in a hardware security module
B. Rotate keys on a defined schedule
C. Put keys in an unencrypted text file on a server
D. Reuse the same key across many systems forever
E. Send keys through a public chat room
Answers: A, B

An HSM helps protect keys by keeping them isolated from direct exposure.

Why this answer

A hardware security module (HSM) is a dedicated, tamper-resistant hardware device designed to securely generate, store, and manage cryptographic keys. By keeping keys inside the HSM, they never exist in plaintext in system memory or on disk, and operations like signing or decryption occur within the HSM's secure boundary, preventing extraction even if the host is compromised.

Exam trap

The trap here is that candidates may think storing keys in a file with restricted permissions (e.g., chmod 600) is sufficient, but the SY0-701 exam expects you to recognize that only hardware-based isolation (HSM) and scheduled rotation are proper key protection practices.

69
MCQ · medium

A backup server encrypts large nightly database exports before sending them to an offsite storage system. The organization has already arranged a secure way to share the secret key between the systems, and performance is a concern because the files are very large. Which encryption approach is the best fit?

A. Asymmetric encryption
B. Symmetric encryption
C. Hashing
D. Digital signatures
Answer: B

Symmetric encryption is the best fit for bulk data because it is fast and efficient. When both sides can securely share the same secret key, large backup files can be encrypted and decrypted with much less overhead than with public-key methods. That makes it the standard choice for protecting high-volume data at rest or in transit.

Why this answer

Symmetric encryption (e.g., AES-256) is the best fit because it uses a single shared secret key for both encryption and decryption, offering significantly higher throughput than asymmetric methods. For large files like nightly database exports, symmetric ciphers are hardware-accelerated (e.g., AES-NI) and introduce minimal performance overhead, while the secure key exchange is already handled separately.

Exam trap

The trap here is that candidates often choose asymmetric encryption because they associate it with 'secure key sharing,' forgetting that the scenario explicitly states the key exchange is already handled, so the focus should be on performance for large data volumes.

How to eliminate wrong answers

Option A is wrong because asymmetric encryption (e.g., RSA, ECC) is computationally expensive—typically 100–1000× slower than symmetric encryption—making it impractical for bulk encrypting large files; it is better suited for key exchange or small payloads. Option C is wrong because hashing is a one-way function (e.g., SHA-256) that produces a fixed-size digest and cannot be reversed to recover the original data, so it is used for integrity verification, not confidentiality.

70
Multi-Select · hard

A development team signs branch-router firmware before deployment. The same code-signing private key is stored on two build servers, and a compromise of either server would let an attacker sign malicious updates that look legitimate. Which two changes best reduce the cryptographic risk while preserving the ability to sign trusted releases? Select two.

Select 2 answers
A. Move the signing private key into a non-exportable hardware security module or managed key service.
B. Use separate signing keys for each product line or release environment to limit blast radius.
C. Encrypt the build server disks with full-disk encryption so the private key stays protected.
D. Store the private key in a read-only artifact repository so all build agents can access it.
E. Replace the signing process with file hashes and checksums to verify release integrity.
Answers: A, B

Keeping the signing key in an HSM or managed key service prevents attackers from copying it off the server. If the build host is compromised, the attacker still cannot easily extract the private key. That preserves trusted signing while materially reducing the chance of key theft and unauthorized firmware signing.

Why this answer

Option A is correct because moving the private key into a non-exportable hardware security module (HSM) or managed key service ensures the key material never resides on the build servers in a form that can be extracted. Even if a build server is compromised, the attacker cannot steal the private key to sign malicious firmware. This directly addresses the risk of key exposure from server compromise while preserving the ability to sign trusted releases through secure API calls to the HSM.

Exam trap

CompTIA often tests the misconception that full-disk encryption (Option C) is sufficient to protect keys in use, when in reality it only protects data at rest and does nothing to prevent key extraction from a compromised running system.

71
MCQ · hard

A web portal for customer refunds checks device health at sign-in, then re-checks the device and user context before each refund over a threshold. A session that started on a managed laptop is blocked when the laptop later fails posture checks, even though the password remains valid. Which principle is best illustrated?

A. Defense in depth
B. Zero trust
C. Least privilege
D. Need-to-know
Answer: B

The portal does not trust the session simply because the user authenticated once. It repeatedly evaluates device posture and context before granting sensitive actions, and it can deny access when risk changes. That is the core of zero trust: verify explicitly, assume no persistent trust, and re-evaluate access continuously instead of relying on an initial login event.

Why this answer

The scenario describes a system that continuously verifies trust—checking device health at sign-in and re-evaluating both device and user context before each high-value action—and blocks access even when the password is valid. This is the core of Zero Trust: 'never trust, always verify,' where authentication and authorization are re-assessed at every transaction, not just at session start. The policy enforces access decisions based on real-time posture (e.g., device compliance, user behavior) rather than relying solely on a static credential.

Exam trap

The trap here is that candidates confuse 'Zero Trust' with 'defense in depth' because both involve multiple security layers, but Zero Trust specifically mandates continuous re-validation of trust for each access request, not just layered static controls.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy (e.g., firewall + antivirus + IDS) that does not specifically require continuous re-verification of device health within a single session; this scenario is about dynamic trust decisions, not multiple independent controls. Option C is wrong because least privilege limits user permissions to the minimum needed for their role (e.g., read-only access), but it does not address re-checking device posture or blocking a session mid-stream based on health changes. Option D is wrong because need-to-know restricts access to data based on a user's specific job requirement, not on device compliance or continuous authentication; it is about data classification, not session-level trust revocation.

72
MCQ · hard

Based on the exhibit, which document should be created or updated to make these settings mandatory and measurable?

Endpoint baseline draft:
- Full-disk encryption should be enabled on all corporate laptops.
- Screen lock should activate after 15 minutes of inactivity.
- Users should choose strong passwords.

Related documents:
- Policy: Acceptable Use Policy
- Standard: none
- Procedure: Laptop imaging steps
- Guideline: Suggested hardening tips

A. Update the policy because policies are always the most detailed technical documents.
B. Create or update a standard because it defines mandatory, specific minimum requirements.
C. Update the procedure because procedures are the best place for corporate requirements.
D. Update the guideline because guidelines are the strongest way to enforce compliance.
Answer: B

A standard turns high-level intent into enforceable baseline requirements that can be tested and audited consistently.

Why this answer

A standard defines mandatory, specific minimum requirements that must be met, such as 'full-disk encryption enabled' and 'screen lock after 15 minutes.' Unlike policies (high-level intent) or guidelines (suggestions), a standard provides measurable criteria that can be audited and enforced. Creating or updating a standard makes the endpoint baseline settings mandatory and measurable.

Exam trap

The trap here is confusing the role of a policy (broad intent) with a standard (specific, mandatory requirements), leading candidates to choose 'Update the policy' because they assume policies are the most authoritative document for technical settings.

How to eliminate wrong answers

Option A is wrong because policies are high-level statements of intent, not detailed technical requirements; they lack the specificity needed for measurable enforcement. Option C is wrong because procedures describe step-by-step instructions for tasks (e.g., laptop imaging), not mandatory requirements that apply to all endpoints. Option D is wrong because guidelines are advisory recommendations, not enforceable mandates, and thus cannot make settings mandatory or measurable.

73
Multi-Select · medium

An organization is updating its security policies to align with modern threats and compliance requirements. Which of the following are key security concepts that should be explicitly addressed in these updated policies? (Choose four.)

Select 4 answers
- Data classification and handling procedures to protect sensitive information
- Incident response procedures to ensure a structured approach to security events
- Change management processes to control modifications to systems and configurations
- Password complexity and rotation requirements for all user accounts
- Requiring all employees to use the same shared administrative account for efficiency
- Allowing unrestricted personal device usage on the corporate network without controls

Why this answer

Data classification and handling procedures are correct because they define how sensitive information is identified, labeled, and protected throughout its lifecycle, which is essential for compliance with regulations like GDPR or HIPAA. Incident response procedures are correct because they provide a structured, repeatable process (e.g., NIST SP 800-61) to detect, contain, eradicate, and recover from security events, minimizing damage. Change management processes are correct because they ensure that all system and configuration changes are reviewed, approved, and documented, reducing the risk of unauthorized or misconfigured changes that could introduce vulnerabilities.

Password complexity and rotation requirements are correct because they enforce strong authentication practices, mitigating brute-force and credential-stuffing attacks, though modern guidance (NIST SP 800-63B) emphasizes length and complexity over arbitrary rotation.

Exam trap

Cisco often tests the misconception that password rotation is always required. Modern standards (NIST SP 800-63B) recommend rotation only when compromise is suspected and focus instead on password length and multi-factor authentication. Candidates must nevertheless recognize that rotation is still a valid policy element for many compliance frameworks.

74
MCQ · medium

To discourage unauthorized entry into a records room, facilities installs a large warning sign, a visible camera over the door, and a turnstile staffed by a guard during business hours. Which control category is the warning sign intended to support most directly?

A. Deterrent
B. Detective
C. Preventive
D. Corrective
Answer: A

The sign is meant to discourage people from attempting unauthorized entry in the first place.

Why this answer

The warning sign is a physical security control designed to discourage unauthorized entry by making potential intruders aware of the risks and consequences. This directly supports the deterrent control category, which aims to reduce the likelihood of a security incident by influencing behavior through fear of detection or punishment. Unlike detective controls that identify incidents after they occur, or preventive controls that physically block access, the sign's primary function is psychological deterrence.

Exam trap

The trap here is that candidates confuse the warning sign's purpose with a preventive control, mistakenly thinking that any security measure that stops entry must be preventive, when in fact the sign only discourages rather than physically or logically blocks access.

How to eliminate wrong answers

Option B is wrong because detective controls, such as motion sensors or audit logs, are designed to identify and record security events after they happen, not to discourage entry beforehand. Option C is wrong because preventive controls, like locks or access control systems, physically or logically block unauthorized access, whereas a sign only warns without enforcing a barrier. Option D is wrong because corrective controls, such as backup restoration or incident response procedures, are applied after a security incident to mitigate damage or restore operations, not to prevent or deter initial unauthorized entry.

75
MCQ · hard

Based on the exhibit, which principle is most directly being violated by the current share permissions?

A. Least privilege, because the broad Finance Dept access exceeds what many users require.
B. Need-to-know, because only the people working on valuation models should access them.
C. Zero trust, because the share should refuse access until every file request is reauthenticated.
D. Defense in depth, because the folder should have several separate layers of encryption.
Answer: B

Need-to-know applies because the exhibit says only three deal leads require the valuation models, while other finance staff only need unrelated invoice-tracking files. The principle focuses on restricting access to information based on necessity, even when users are part of a broader trusted group.

Why this answer

The exhibit shows share permissions granting 'Finance Dept' full control over a folder containing valuation models. The need-to-know principle restricts access to only those individuals who require the information to perform their job functions. Since not all Finance Dept members work on valuation models, granting the entire department access violates need-to-know, as only the specific users building those models should have access.

Exam trap

The trap here is confusing least privilege (which limits permission levels) with need-to-know (which limits data access based on job function), leading candidates to choose A when the real violation is granting access to users who have no business need for the data.

How to eliminate wrong answers

Option A is wrong because least privilege focuses on granting the minimum rights (e.g., Read vs. Full Control) to perform a task, not on restricting access based on job role necessity; the violation here is about who gets access, not the level of permissions. Option C is wrong because zero trust requires continuous verification of every access request, but the share permissions are static and do not involve reauthentication per file request; the question is about permission scope, not authentication architecture.

Option D is wrong because defense in depth involves multiple layers of security controls (e.g., firewalls, encryption, IDS), not the granularity of share permissions; the folder lacks encryption layers, but the core violation is unauthorized access to sensitive data, not insufficient encryption depth.
