CCNA General Security Concepts Questions

75 of 164 questions · Page 2/3 · General Security Concepts topic · Answers revealed

76
MCQhard

Based on the exhibit, which key management improvement best preserves recoverability if the primary backup server is lost?

A.Store the private key on the same backup server so recovery is faster.
B.Replace AES with hashing so the archive no longer needs a key.
C.Keep the private key in an HSM or secure escrow with tested recovery procedures.
D.Send the private key to backup operators by email so they can restore data quickly.
AnswerC

The private key must be protected separately from the primary backup server so the encrypted AES key can still be recovered if the server is lost. An HSM or secure escrow improves key protection while preserving recoverability, especially when paired with tested restoration procedures and restricted access controls.

Why this answer

Option C is correct because storing the private key in a Hardware Security Module (HSM) or secure escrow ensures it remains available even if the primary backup server is lost. HSMs provide tamper-resistant key storage and support tested recovery procedures, which is critical for decrypting backups and maintaining recoverability. This approach separates the key from the backup data, preventing a single point of failure.

Exam trap

The trap here is that candidates may assume storing the key with the backup data (Option A) is efficient, but they overlook that it destroys recoverability when the server is lost, which is the exact failure scenario the question describes.

How to eliminate wrong answers

Option A is wrong because storing the private key on the same backup server creates a single point of failure; if the server is lost, both the backup data and the key are gone, making recovery impossible. Option B is wrong because hashing is a one-way function that cannot be reversed to recover original data, so replacing AES with hashing would make the archive permanently unreadable and unrecoverable. Option D is wrong because sending the private key by email exposes it to interception, violates security best practices (e.g., NIST SP 800-57), and does not guarantee tested, reliable recovery procedures.

77
Multi-Selecteasy

Which two are common warning signs of phishing messages? Select two.

Select 2 answers
A.Urgent threat that the account will be locked in 15 minutes
B.Unexpected attachment from an unknown sender
C.Message sent from a trusted internal help desk portal
D.Correct spelling and matching domain name
E.Email signed with a known employee's regular signature block
AnswersA, B

Urgency and threats are classic pressure tactics used in phishing attempts.

Why this answer

Option A is correct because phishing messages often create a false sense of urgency, such as claiming an account will be locked in 15 minutes, to pressure the recipient into acting without verifying the source. This tactic exploits the human tendency to react quickly to threats, bypassing rational checks like inspecting the sender's email address or hovering over links.

Exam trap

The trap here is that candidates may confuse common phishing tactics (like urgency or unexpected attachments) with indicators of legitimacy (like correct spelling or a known signature block), leading them to select options that describe normal email behavior rather than warning signs.

78
MCQeasy

A company wants to make sure only approved administrators can view and rotate a shared encryption secret used by several applications. What is the best way to manage that secret?

A.Store it in a shared spreadsheet
B.Put it directly in application source code
C.Use a centralized secrets vault or key management system
D.Email the secret only to trusted administrators
AnswerC

A centralized secrets vault or key management system is the best choice because it stores sensitive keys in a controlled place with restricted access, auditing, and rotation support. That makes it easier to limit who can view the secret, track use, and update it safely across multiple applications. It is far more secure than embedding the secret in code or sharing it manually.

Why this answer

A centralized secrets vault or key management system (KMS) like HashiCorp Vault or AWS KMS provides role-based access control (RBAC), audit logging, and automatic rotation of secrets. This ensures only approved administrators can view and rotate the shared encryption secret, while applications retrieve it via secure APIs without exposing it in code or files.

Exam trap

The trap here is that candidates may think a spreadsheet or source code is acceptable for small teams, but CompTIA emphasizes that any secret shared across applications must be centrally managed with access controls and rotation capabilities to meet security best practices.

How to eliminate wrong answers

Option A is wrong because storing a shared encryption secret in a shared spreadsheet offers no access controls, no audit trail, and no rotation mechanism, making it vulnerable to unauthorized access and leakage. Option B is wrong because putting the secret directly in application source code exposes it to anyone with code access, violates the principle of least privilege, and makes rotation impossible without redeploying the application.

79
MCQmedium

A help desk receives an email from an employee asking to urgently reset MFA because they are traveling and locked out. The sender address matches the employee's name but uses a slightly different domain. What is the best action for the help desk agent?

A.Reset MFA immediately because the request appears to come from the employee.
B.Reply to the email and ask the employee to confirm the request in writing.
C.Use a separate, known-good contact method to verify the request before making any change.
D.Forward the message to everyone in IT so another technician can decide what to do.
AnswerC

The safest response is to verify the request through a trusted channel that is independent of the suspicious email, such as a known phone number or established ticketing workflow. This helps prevent account takeover through impersonation or domain spoofing. After verification, the help desk can follow normal reset procedures and record the event for accountability. This is a practical anti-social-engineering habit.

Why this answer

Option C is correct because the email's domain mismatch is a classic indicator of a phishing or social engineering attempt. The help desk must verify the request through a separate, known-good communication channel (e.g., a phone call to the employee's official number or an in-person verification) before resetting MFA, as MFA reset bypasses a critical authentication control. This aligns with the principle of out-of-band verification to prevent unauthorized account takeover.

Exam trap

The trap here is that candidates assume a matching display name and a plausible story (urgent travel) are sufficient for trust, overlooking the domain mismatch as the primary red flag that demands out-of-band verification.

How to eliminate wrong answers

Option A is wrong because resetting MFA immediately based on an email with a mismatched domain ignores the clear red flag of domain spoofing, which could allow an attacker to gain unauthorized access. Option B is wrong because replying to the same email thread does not provide independent verification; the attacker may control the compromised email account and could simply confirm the request, defeating the purpose of verification. Option D is wrong because forwarding the message to everyone in IT wastes time, creates confusion, and does not follow a proper verification procedure; it also risks spreading potentially malicious content or causing unnecessary panic.

80
MCQmedium

A defense contractor is deploying a new document management system that will store classified military intelligence. The security policy requires that user access to each document is strictly determined by the document's classification label (e.g., Confidential, Secret, Top Secret) and the user's verified security clearance level. Furthermore, system administrators must not be able to change these access rules or grant themselves access to documents above their clearance. Which access control model is best suited for this requirement?

A.Discretionary Access Control (DAC)
B.Role-Based Access Control (RBAC)
C.Mandatory Access Control (MAC)
D.Attribute-Based Access Control (ABAC)
AnswerC

MAC is the correct model. It uses system-enforced security labels (clearance for users, classification for documents) and prevents any user, including administrators, from overriding the access rules.

Why this answer

Mandatory Access Control (MAC) is the correct choice because it enforces access decisions based on security labels (e.g., classification levels) and user clearances, which are centrally managed and cannot be overridden by users or administrators. In this scenario, the system must strictly enforce that a user's clearance level matches or exceeds the document's classification label, and administrators cannot modify these rules or elevate their own access—a core property of MAC systems like SELinux or those implementing Bell-LaPadula.

Exam trap

The trap here is that candidates often confuse RBAC with MAC because both use roles or labels, but RBAC lacks the mandatory, non-overridable enforcement of classification labels and administrator restrictions that MAC provides.

How to eliminate wrong answers

Option A is wrong because Discretionary Access Control (DAC) allows resource owners to set permissions at their discretion, which would permit administrators to change access rules or grant themselves access, violating the policy. Option B is wrong because Role-Based Access Control (RBAC) assigns permissions based on job roles, but it does not inherently enforce mandatory classification labels or prevent administrators from modifying role assignments or permissions. Option D is wrong because Attribute-Based Access Control (ABAC) evaluates attributes (e.g., user, resource, environment) to make access decisions, but it does not guarantee that administrators cannot alter the rules or grant themselves access unless specifically configured with mandatory enforcement, which is not a default property of ABAC.

81
MCQmedium

A security team downloads a software update package signed by the vendor. The team verifies the signature using the vendor's public key before approving deployment. What does this verification primarily confirm?

A.The package can only be decrypted by the vendor's private key
B.The package was likely created by the vendor and was not altered after signing
C.The package is encrypted with the vendor's public key
D.The vendor's certificate has not expired
AnswerB

Digital signature verification checks that the signed data matches what the signer produced and that the signer controlled the corresponding private key. This gives the team confidence in authenticity and integrity. If the file had been modified after signing, verification would fail. That is why signatures are commonly used for software updates and trusted releases.

Why this answer

Digital signature verification using the vendor's public key confirms that the package was signed with the vendor's private key, which only the vendor possesses. This provides authentication of the signer's identity and integrity of the data, ensuring the package has not been modified since signing. It does not provide confidentiality, as the package itself is not encrypted.

Exam trap

The trap here is confusing digital signatures with encryption: candidates often think the public key decrypts the package itself, when in fact it only decrypts the hash, and the package remains unencrypted.

How to eliminate wrong answers

Option A is wrong because digital signatures do not involve decryption of the package; the signature is verified, not the package content. The vendor's private key is used to create the signature, not to decrypt the package. Option C is wrong because the package is not encrypted with the vendor's public key; the signature is created with the vendor's private key, and verification uses the vendor's public key.

Encryption with a public key would provide confidentiality, which is not the purpose of a digital signature.

82
MCQeasy

A company launches a new HTTPS portal. Users should be able to confirm the site is really the company's portal and not a fake copy. Which control provides that trust?

A.A self-signed certificate installed only on user laptops
B.A TLS certificate issued by a trusted certificate authority
C.A SHA-256 checksum posted on the login page
D.A shared password embedded in the page source
AnswerB

A trusted CA-issued certificate lets browsers validate the site identity and build user trust securely.

Why this answer

A TLS certificate issued by a trusted certificate authority (CA) provides the trust needed because browsers and operating systems maintain a root store of trusted CAs. When a user visits the HTTPS portal, the server presents a certificate signed by that CA, and the browser cryptographically verifies the signature chain back to a trusted root. This ensures the public key belongs to the claimed domain, authenticating the server and preventing impersonation by a fake copy.

Exam trap

The trap here is that candidates confuse integrity checks (like SHA-256 checksums) with authentication mechanisms, or they think a self-signed certificate can be trusted if installed locally, but in practice, self-signed certificates lack the third-party validation needed to prevent man-in-the-middle attacks on a public-facing portal.

How to eliminate wrong answers

Option A is wrong because a self-signed certificate is not trusted by default by browsers or operating systems; it would generate a security warning and does not provide any third-party validation of the server's identity, so users cannot reliably confirm the site is genuine. Option C is wrong because a SHA-256 checksum posted on the login page can be easily modified by an attacker who controls the fake site, and it provides no cryptographic binding to the server's identity or domain; checksums are used for file integrity, not server authentication.

83
MCQhard

Based on the exhibit, what best describes the additional measures applied to the legacy system?

A.Preventive controls, because they stop every possible compromise completely.
B.Compensating controls, because they reduce risk when the preferred security controls are not possible.
C.Corrective controls, because they repair the controller after an incident occurs.
D.Deterrent controls, because they mainly scare attackers away from trying.
AnswerB

Compensating controls are the best description because the system cannot support MFA or modern encryption, yet the organization still needs to reduce risk until replacement. The VLAN, ACLs, jump host, and session recording provide alternate safeguards that help offset the missing native controls.

Why this answer

The exhibit shows a legacy system that cannot support modern authentication protocols like Kerberos or NTLMv2. The additional measures—such as network segmentation, strict firewall rules, and an application-layer gateway—are compensating controls. They reduce risk by enforcing security in the network layer since the preferred control (upgrading the OS or application to support strong authentication) is not feasible.

Exam trap

CompTIA often tests the distinction between compensating controls and preventive controls by describing a scenario where the ideal control is impossible, and candidates mistakenly choose 'preventive' because the compensating control still blocks some attacks.

How to eliminate wrong answers

Option A is wrong because preventive controls aim to stop threats, but no control can 'stop every possible compromise completely'; the measures described are not absolute and are applied because the ideal preventive control (e.g., patching the legacy system) is unavailable. Option C is wrong because corrective controls operate after an incident to restore operations (e.g., restoring from backup), whereas the measures here are proactive and in place before any incident occurs. Option D is wrong because deterrent controls rely on psychological discouragement (e.g., warning banners), not on technical enforcement like segmentation and firewalls; the described measures actively block or restrict traffic, not merely scare attackers.

84
MCQmedium

A system administrator downloads a vendor patch package and a separate checksum file. After the download completes, the administrator runs a command that produces a SHA-256 value for the package and compares it to the vendor's published value. Which cryptographic primitive is being used for the comparison?

A.Hashing
B.Symmetric encryption
C.Digital signatures
D.Asymmetric encryption
AnswerA

Hashing creates a fixed-length digest from data so the receiver can compare values and detect changes. In this scenario, the administrator is generating a SHA-256 result and comparing it to the vendor's published value to confirm the package has not changed. That use case is about integrity verification rather than encryption or identity proof.

Why this answer

The administrator is using SHA-256 to compute a fixed-length digest of the downloaded package and comparing it to the vendor's published checksum. This is a classic application of a cryptographic hash function (hashing), which produces a unique, irreversible fingerprint of data. The comparison verifies integrity—ensuring the package has not been altered during transit—but does not provide authentication or non-repudiation.

Exam trap

The trap here is that candidates confuse integrity verification via hashing with authentication provided by digital signatures, especially when the question mentions a 'vendor' and 'comparison'—leading them to incorrectly choose digital signatures (Option C) even though no signature verification is performed.

How to eliminate wrong answers

Option B (Symmetric encryption) is wrong because it uses a shared secret key to encrypt and decrypt data, not to produce a fixed-length digest for integrity verification. Option C (Digital signatures) is wrong because they combine hashing with asymmetric encryption to provide authentication and non-repudiation, but the scenario only describes comparing a hash value, not verifying a signature with a public key. Option D (Asymmetric encryption) is wrong because it uses a public/private key pair for encryption or key exchange, not for generating a checksum to compare against a published value.

85
MCQeasy

A small company wants all employees to lock their screens after 10 minutes of inactivity, and the rule is included in the formal security policy. What type of control is this?

A.Detective control, because it discovers misuse after it happens.
B.Directive control, because it tells users what behavior is required.
C.Corrective control, because it repairs damage after an incident.
D.Compensating control, because it replaces a missing technical safeguard.
AnswerB

Directive controls guide or instruct behavior through policy, standards, or required procedures. A formal screen-lock requirement tells users and administrators what must be done, so it is a directive control.

Why this answer

A directive control is designed to guide or mandate user behavior through policies or procedures. In this case, the security policy explicitly requires employees to lock their screens after 10 minutes of inactivity, which is a directive that tells users what they must do. This is a procedural control, not a technical enforcement mechanism, so it falls under directive controls.

Exam trap

The trap here is confusing a directive control (policy-based) with a preventive control (technical enforcement); candidates often pick a wrong option because they assume the policy itself enforces the lock, but the question states the rule is 'included in the formal security policy,' not implemented via a technical mechanism.

How to eliminate wrong answers

Option A is wrong because a detective control identifies or logs misuse after it occurs (e.g., audit logs or intrusion detection), but the policy itself does not detect anything—it only states a required behavior. Option C is wrong because a corrective control is applied after an incident to restore normal operations (e.g., backup restoration or patching), not to prevent or mandate behavior. Option D is wrong because a compensating control is an alternative safeguard used when a primary control cannot be implemented (e.g., using multi-factor authentication when smart cards are unavailable), but here the policy is the primary control, not a replacement for a missing technical safeguard.

86
MCQeasy

A company uses an encryption key for a database backup process. The key is being replaced because the old one is near the end of its approved use period. What is this action called?

A.Key rotation, because an older key is replaced with a new one on schedule.
B.Key compression, because the key is made smaller before use.
C.Key translation, because the key is converted into another language.
D.Key formatting, because the key is stored in a different file type.
AnswerA

Key rotation is the planned replacement of cryptographic keys over time. Rotating keys reduces exposure if a key is mishandled, limits the amount of data protected by any one key, and supports good key lifecycle management.

Why this answer

Key rotation is the scheduled replacement of an older encryption key with a new one, typically performed before the end of the key's cryptoperiod to maintain security and compliance. In this scenario, the database backup key is being replaced because it is near the end of its approved use period, which directly matches the definition of key rotation. This practice limits the amount of data encrypted with a single key and reduces the impact of a potential key compromise.

Exam trap

The trap here is that candidates may confuse key rotation with other key management terms like key escrow or key archival, or incorrectly assume that 'rotation' implies a physical or mechanical action rather than a cryptographic lifecycle process.

How to eliminate wrong answers

Option B is wrong because key compression is not a standard cryptographic operation; keys are not compressed before use, and compression would not address the end of a key's approved use period. Option C is wrong because key translation refers to converting a key from one format or domain to another (e.g., in a key management system or HSM), not replacing an expiring key. Option D is wrong because key formatting is not a recognized term for key lifecycle management; changing a key's file type does not constitute a scheduled replacement.

87
MCQmedium

An HR department hires contractors for fixed 60-day engagements. Accounts should stop working automatically when the engagement ends, and any rehire should require fresh approval rather than restoring old access. What IAM control is the best fit?

A.Use one shared contractor account and rotate the password when people leave.
B.Configure an account expiration date and automatic deprovisioning tied to the approved role.
C.Disable the account after the contract ends but keep all group memberships unchanged.
D.Create a local workstation account so the contractor does not need centralized identity services.
AnswerB

Correct. Time-bound accounts with automatic deprovisioning are designed for contractors and other temporary users. They enforce least privilege over time, remove access when the engagement ends, and force a new approval process for any future engagement. This reduces the risk of forgotten accounts and prevents accidental restoration of access without review.

Why this answer

Option B is correct because configuring an account expiration date and automatic deprovisioning tied to the approved role directly enforces the 60-day limit and ensures that when the engagement ends, the account is automatically disabled or removed. This approach also supports the requirement that rehire requires fresh approval, as the old account is deprovisioned and cannot be simply re-enabled without going through the provisioning process again.

Exam trap

The trap here is that candidates may choose Option C thinking that disabling the account is sufficient, but they overlook the requirement that rehire must require fresh approval, which is violated if group memberships remain intact and could be restored without re-provisioning.

How to eliminate wrong answers

Option A is wrong because using a shared contractor account violates the principle of individual accountability and non-repudiation, and rotating the password when someone leaves does not automatically disable access at the end of the 60-day engagement. Option C is wrong because disabling the account after the contract ends but keeping all group memberships unchanged means that if the account is ever re-enabled (even accidentally), the contractor would immediately regain all previous permissions without fresh approval, violating the requirement for rehire requiring fresh approval. Option D is wrong because creating a local workstation account bypasses centralized identity management, making it impossible to enforce automatic expiration, deprovisioning, or role-based access control across the organization.

88
Multi-Selecteasy

Which two are detective controls? Select two.

Select 2 answers
A.Security camera monitoring an entrance
B.Log review in a SIEM
C.Locked server rack
D.Employee security awareness training
E.Disk encryption on a laptop
AnswersA, B

Cameras help observe and detect suspicious activity after it occurs.

Why this answer

Security camera monitoring an entrance is a detective control because it records events as they occur, providing evidence after the fact. It does not prevent unauthorized access but instead detects and documents incidents for review. This aligns with the detective control function of identifying and alerting on security events.

Exam trap

The trap here is confusing preventive controls (like locks or encryption) with detective controls, as candidates often misclassify physical security measures as detective rather than preventive.

89
MCQmedium

A company suspects the master encryption key used by a cloud storage service may have been exposed. The data must remain protected if someone later obtains a copy of the old key. What is the best next step?

A.Delete the stored files so the exposed key can no longer be used.
B.Rotate the key and re-encrypt or rewrap the protected data under the new key.
C.Change every user's password because that will also invalidate the exposed encryption key.
D.Increase file compression so the data becomes harder to read.
AnswerB

If a key may be compromised, the secure response is to replace it and move protected data to fresh key material. Rotating the key prevents the old key from being useful going forward, and re-encrypting or rewrapping ensures the data is actually protected by the new key. This reduces the risk that a future attacker can use the leaked key to access stored content.

Why this answer

Key rotation is the correct response because it invalidates the old master encryption key by generating a new one and re-encrypting or rewrapping the protected data under the new key. This ensures that even if an attacker later obtains a copy of the old key, the data remains protected because it is no longer encrypted with that key. In cloud storage services like AWS KMS or Azure Key Vault, this process is typically automated and does not require re-uploading the data.

Exam trap

The trap here is that candidates often confuse key rotation with password changes or data deletion, failing to recognize that encryption key management requires cryptographic operations to re-protect the data, not just administrative actions like deleting files or changing user credentials.

How to eliminate wrong answers

Option A is wrong because deleting the stored files does not address the exposure of the key itself; the data is lost, but the key exposure remains a risk for any future data encrypted with that key, and it is an extreme measure that disrupts business operations. Option C is wrong because user passwords are unrelated to the master encryption key; changing passwords affects authentication but does not change the cryptographic key used to encrypt the data. Option D is wrong because file compression does not alter the encryption key or the ciphertext; it only reduces file size and does not provide any security against an attacker who possesses the old key.

90
MCQmedium

During an incident, a server administrator needs elevated access to production logs for exactly two hours after manager approval. The organization does not want standing privileged accounts. Which solution is the best fit?

A.Add the administrator to a permanent domain admin group so access is always available.
B.Use just-in-time privileged access through a privileged access management workflow.
C.Create a shared administrator account for the incident team and change the password afterward.
D.Grant access by sending the administrator a VPN profile with broader network reach.
AnswerB

Just-in-time access is ideal when elevation should be temporary, approved, and tightly controlled. A privileged access management workflow can grant the needed permissions for a limited window, automatically revoke them when time expires, and preserve logs for accountability. This reduces the attack surface compared with always-on admin rights while still letting the team respond quickly during an incident.

Why this answer

Just-in-time (JIT) privileged access through a Privileged Access Management (PAM) workflow is the best fit because it grants the administrator elevated permissions for exactly two hours, then automatically revokes them. This aligns with the requirement for time-limited access without maintaining standing privileged accounts, reducing the attack surface and ensuring compliance with the principle of least privilege.

Exam trap

The trap here is that candidates may confuse network-level access (VPN) with privileged access management, or assume a shared account with password rotation is sufficient, overlooking the need for time-bound, auditable, and non-repudiable elevation without standing privileges.

How to eliminate wrong answers

Option A is wrong because adding the administrator to a permanent domain admin group creates a standing privileged account, which the organization explicitly wants to avoid, and provides continuous elevated access rather than time-limited access. Option C is wrong because creating a shared administrator account violates the principle of non-repudiation and auditability, as actions cannot be attributed to a specific individual, and changing the password afterward does not enforce a precise two-hour access window. Option D is wrong because sending a VPN profile with broader network reach only expands network-level access, not privileged access to production logs, and does not provide time-bound elevation or granular control over log permissions.

91
MCQhard

Based on the exhibit, which document type should be updated to make the approval and retention requirements mandatory across the organization?

A.Guideline, because it provides flexible advice without requiring enforcement.
B.Procedure, because it lists the exact steps the help desk follows.
C.Policy, because it sets mandatory rules that apply organization-wide.
D.Architecture diagram, because it shows where documents are stored.
AnswerC

A policy is the right choice because leadership wants the approval and retention expectations to be mandatory, consistent, and auditable across departments. The exhibit shows informal language such as 'should' and 'if time allows,' which is too weak for a control that must be enforced. Policy language establishes the required rule before procedures document how to follow it.

Why this answer

A policy document is the correct choice because it establishes mandatory rules that apply organization-wide, making approval and retention requirements enforceable across all departments. Unlike guidelines or procedures, policies are authoritative and require compliance, which is essential for standardizing security controls like data retention periods.

Exam trap

The trap here is confusing a policy (mandatory, organization-wide) with a guideline (advisory) or procedure (task-specific), leading candidates to pick a document type that lacks enforcement authority.

How to eliminate wrong answers

Option A is wrong because a guideline provides flexible advice or recommendations, not mandatory rules, so it cannot enforce approval or retention requirements. Option B is wrong because a procedure lists specific step-by-step instructions for a task (e.g., help desk ticket handling), but it does not set organization-wide mandatory policies. Option D is wrong because an architecture diagram visually represents system components and data flow, not enforceable rules or retention mandates.

92
MCQhard

A user database is stolen from a SaaS portal. Investigators discover the password column contains the same value for every user who chose "Summer2026!", and an attacker could use precomputed tables to crack weak passwords quickly. Which change best addresses both the repeated-value issue and rainbow-table risk?

A.Encrypt all stored passwords with AES and keep one shared key
B.Use SHA-256 without a salt
C.Store each password with a unique salt and an adaptive hash such as bcrypt or Argon2
D.Add a digital signature to each password record
AnswerC

A unique salt prevents two users with the same password from producing the same stored value, which makes identical passwords harder to spot. Salting also defeats rainbow-table attacks because precomputed hashes no longer match. An adaptive hash adds deliberate computational cost, slowing offline cracking after a breach. Together, these are the standard protections for password storage.

Why this answer

Option C is correct because using a unique salt per password ensures that even if two users choose the same password (e.g., 'Summer2026!'), their stored hashes will differ, eliminating the repeated-value issue. Additionally, adaptive hash functions like bcrypt or Argon2 are computationally expensive, making precomputed rainbow tables infeasible even if the salts were known, as each guess requires re-hashing with the specific salt.

Exam trap

CompTIA often tests the misconception that encryption (A) or a stronger hash like SHA-256 (B) is sufficient for password storage, but the trap is that encryption is reversible and unsalted hashes are still vulnerable to rainbow tables, whereas the correct answer requires both salting and an adaptive, slow hash function.

How to eliminate wrong answers

Option A is wrong because encrypting passwords with AES and a shared key does not prevent identical passwords from producing identical ciphertexts (the repeated-value issue remains), and if the key is compromised, all passwords are exposed; encryption is reversible, unlike hashing. Option B is wrong because SHA-256 without a salt produces the same hash for the same password, directly causing the repeated-value issue, and unsalted hashes are trivially vulnerable to rainbow-table attacks. Option D is wrong because adding a digital signature to each password record does nothing to address identical password hashes or rainbow-table risks; signatures verify integrity/authenticity, not protect against precomputation attacks.

93
MCQhard

Based on the exhibit, which improvement best addresses the biggest cryptographic risk? TLS inventory: - edge-vpn01 and edge-vpn02 present the same certificate and private key - private key file stored in a shared SMB folder - admins copy the key manually during maintenance - compromise of either gateway would expose the file path to the same share

A.Place the private key in an HSM or cloud key vault and issue unique keys or certificates per gateway.
B.Increase the certificate expiration to five years to reduce renewal work.
C.Keep copying the same key everywhere so failover is easier to manage.
D.Disable certificate validation to avoid user-facing outages.
AnswerA

An HSM or vault protects the key from export, and unique keys reduce the impact if one gateway is compromised.

Why this answer

Option A is correct because the biggest cryptographic risk is the shared private key stored in an SMB share, which violates the principle of least privilege and creates a single point of compromise. Using a Hardware Security Module (HSM) or cloud key vault ensures the private key is never exposed in plaintext, and issuing unique keys per gateway eliminates the risk that compromising one gateway exposes the key for all others. This directly addresses the core issue of key confidentiality and isolation.

Exam trap

The trap here is that candidates may think certificate expiration or failover convenience are the primary concerns, when the real risk is the shared private key's exposure and lack of isolation, which undermines the entire TLS trust model.

How to eliminate wrong answers

Option B is wrong because increasing certificate expiration to five years does not address the fundamental risk of a shared, exposed private key; it actually increases the window of exposure if the key is compromised. Option C is wrong because continuing to copy the same key everywhere perpetuates the insecure practice of key sharing, making failover easier at the cost of catastrophic security failure if any gateway is breached. Option D is wrong because disabling certificate validation removes the entire security benefit of TLS, allowing man-in-the-middle attacks and completely undermining confidentiality and integrity.

94
MCQmedium

Employees authenticate once to a corporate portal and then open the help desk, payroll, and documentation apps without logging in again. The apps rely on tokens from the company's identity provider instead of storing separate passwords. What is being implemented?

A.Password synchronization between every application in the suite.
B.Federated single sign-on using the corporate identity provider.
C.Shared guest accounts for all employees on the portal.
D.Split tunneling through a VPN to speed up application access.
AnswerB

Correct. Federated SSO lets the identity provider authenticate the user once and then issue tokens or assertions that other trusted applications accept. This improves usability while reducing password sprawl and lowering the number of credentials stored by individual services. It is a standard enterprise pattern for accessing multiple apps with one login session.

Why this answer

The scenario describes single sign-on (SSO) where the corporate identity provider (IdP) issues tokens (e.g., SAML assertions, OIDC ID tokens) after initial authentication. The help desk, payroll, and documentation apps are configured as service providers that trust the IdP, so they accept the token instead of requiring separate credentials. This is federated SSO because the apps rely on a central identity provider rather than sharing password databases or synchronizing passwords.

Exam trap

The trap here is that candidates confuse 'federated single sign-on' with 'password synchronization' (Option A), because both reduce the number of logins, but federation uses tokens and trust relationships, not shared or synced passwords.

How to eliminate wrong answers

Option A is wrong because password synchronization would replicate the same password across each application's local credential store, which is not what occurs—the apps never receive or store the user's password; they rely on tokens from the IdP. Option C is wrong because shared guest accounts would violate individual accountability and audit trails, and the scenario describes employees authenticating individually, not using a common account. Option D is wrong because split tunneling is a VPN routing technique that allows some traffic to bypass the VPN tunnel for performance; it has nothing to do with authentication or token-based access to applications.

95
MCQhard

Based on the exhibit, what is the best fix so role changes take effect promptly without waiting for token expiration?

A.Increase the token lifetime so users reauthenticate less often during the workday.
B.Perform authorization checks against current directory data on each privileged request.
C.Store the JWT in a browser cookie so it refreshes automatically when roles change.
D.Disable MFA and rely only on the role claim inside the token.
AnswerB

This is the best fix because the problem is stale authorization, not failed authentication. The app is trusting a role claim that was correct at sign-in but became outdated after the HR change. Checking current directory data, or re-evaluating authorization on each sensitive action, ensures access follows the user's current status instead of an old token snapshot.

Why this answer

Option B is correct because performing authorization checks against current directory data (e.g., via LDAP or a policy decision point) on each privileged request ensures that role changes are enforced immediately, regardless of JWT token lifetime. This decouples authentication (token validity) from authorization (current role membership), allowing dynamic updates without waiting for token expiration or reauthentication.

Exam trap

The trap here is that candidates assume storing a JWT in a cookie or increasing token lifetime will somehow make role changes take effect, when in fact neither alters the static nature of the token's claims without a reissue or runtime authorization check.

How to eliminate wrong answers

Option A is wrong because increasing token lifetime would delay the effect of role changes even further, as users would hold stale tokens for longer periods. Option C is wrong because storing a JWT in a browser cookie does not automatically refresh its claims when roles change; the token itself remains unchanged until a new one is issued, and cookies do not trigger reauthorization. Option D is wrong because disabling MFA weakens security and does not address the core issue of stale role claims; the role claim inside the token would still be static until the token expires or is refreshed.

96
Multi-Selecteasy

Which two actions are examples of accounting in AAA? Select two.

Select 2 answers
A.Recording successful logons in a security log
B.Checking a username and password before access
C.Tracking which files a user opened during a session
D.Granting access to the finance folder
E.Requiring a fingerprint and a password
AnswersA, C

Logging logons creates an audit trail, which is a core accounting function.

Why this answer

Option A is correct because accounting in AAA involves recording user activities, such as successful logons, in a security log. This provides an audit trail for monitoring and compliance. Option C is correct because tracking which files a user opened during a session is a form of accounting that logs resource access for accountability and usage analysis.

Exam trap

CompTIA often tests the distinction between authentication (verifying identity), authorization (granting permissions), and accounting (logging actions), so the trap here is confusing authorization actions (like granting folder access) or authentication methods (like multifactor) with accounting, which only records events after they occur.

97
MCQeasy

Which action is the best example of accounting in AAA?

A.The system checks a password and a one-time code before allowing access.
B.The system records the username, timestamp, and files opened during the session.
C.The system grants access to the finance folder after the user is approved.
D.The system forces the user to change their password after 90 days.
AnswerB

Accounting is the tracking and logging part of AAA. Recording the username, timestamp, and accessed files creates an audit trail that can be reviewed later for investigations, compliance, or troubleshooting. Good accounting data helps organizations understand who did what, when it happened, and what resources were affected.

Why this answer

Accounting in AAA (Authentication, Authorization, and Accounting) focuses on tracking user activities and resource usage. Option B correctly describes this by specifying the recording of username, timestamp, and files accessed, which are typical audit log entries used for monitoring and compliance.

Exam trap

The trap here is that candidates confuse Accounting with Authentication or Authorization, especially when options involve access control or credential management, but Accounting is strictly about logging and tracking usage, not granting or verifying access.

How to eliminate wrong answers

Option A is wrong because checking a password and one-time code is a multi-factor authentication process, which falls under Authentication, not Accounting. Option C is wrong because granting access to a folder after approval is Authorization, which determines what resources a user can access. Option D is wrong because forcing a password change after 90 days is a password policy enforcement mechanism, which relates to Authentication or security policy, not Accounting.

98
MCQhard

Based on the exhibit, which security principle is the proposed workflow most directly enforcing?

A.Least privilege, because each person gets only the minimum access needed for the task.
B.Defense in depth, because multiple layers of security are added around firewall changes.
C.Separation of duties, because no single person can create, approve, and implement the same production change.
D.Need-to-know, because the ticket is visible only to assigned people.
AnswerC

This is the correct principle because the redesign intentionally splits the workflow among different roles. One person drafts the change, another approves it, and a third implements it. That reduces fraud and mistakes by preventing one individual from controlling every step. The limited ticket visibility also supports the same idea, but the central security principle is separation of duties.

Why this answer

The proposed workflow enforces separation of duties by requiring three distinct roles—requester, approver, and implementer—to complete a single firewall change. No single person can both create and approve the change, nor can they implement it without prior approval. This directly prevents any one individual from having end-to-end control over a production change, which is the core of separation of duties.

Exam trap

The trap here is that candidates confuse separation of duties with least privilege because both involve limiting actions, but separation of duties specifically divides a process across multiple people, whereas least privilege limits the scope of permissions per person.

How to eliminate wrong answers

Option A is wrong because least privilege focuses on granting only the minimum permissions needed for a role, not on dividing a process into multiple roles; the workflow does not specify access levels or permissions. Option B is wrong because defense in depth involves multiple overlapping security controls (e.g., firewall, IDS, encryption), not a procedural separation of tasks within a single change process.

99
MCQmedium

After a successful phishing attempt, the security team adds MFA, email sandboxing, endpoint isolation, and immutable backups so that one failed safeguard does not expose the company. Which principle does this best illustrate?

A.Defense in depth
B.Need-to-know
C.Availability
D.Compensating control
AnswerA

Multiple layered controls are added so that if one control fails, other controls still reduce the risk.

Why this answer

Defense in depth is the best fit because the organization is using several independent safeguards across different layers: user authentication, email inspection, endpoint containment, and backup recovery. The idea is that a single compromise, such as one successful phishing email, should not lead directly to full compromise. Security+ expects you to recognize layered protection as a strategy, not just list individual tools.

Why others are wrong: Need-to-know concerns restricting information to only those who require it for their job. Availability is one of the CIA triad objectives, but it is not a layered security strategy. Compensating control refers to an alternative measure used because the preferred control is unavailable or impractical; here the organization is not replacing one missing control, but strengthening multiple defenses at once.

100
MCQeasy

A development team needs a centralized service to store, rotate, and control access to encryption keys for applications. Which solution best fits?

A.Key management service, because it centralizes key storage and rotation controls.
B.Port forwarding rule, because it allows applications to reach the encryption system.
C.Load balancer, because it distributes encryption requests across servers.
D.Web application firewall, because it protects the keys from injection attacks.
AnswerA

A key management service is designed to store, manage, rotate, and control access to cryptographic keys. It helps reduce the risk of hardcoded or poorly protected keys and gives administrators a central place to enforce lifecycle management. This is the best fit when multiple applications need secure, organized key handling.

Why this answer

A key management service (KMS) centralizes the lifecycle of cryptographic keys, including secure storage, automated rotation, and fine-grained access control via IAM policies. This directly meets the requirement for a centralized service to store, rotate, and control access to encryption keys for applications, as KMS is purpose-built for these tasks.

Exam trap

The trap here is that candidates may confuse a general security appliance (like a WAF or load balancer) with a specialized cryptographic service, or mistakenly think network-level controls (port forwarding) can manage key lifecycles, when only a dedicated key management service provides centralized storage, rotation, and access control for encryption keys.

How to eliminate wrong answers

Option B is wrong because a port forwarding rule is a network address translation (NAT) mechanism that redirects traffic from one IP/port to another; it does not store, rotate, or control access to encryption keys. Option C is wrong because a load balancer distributes incoming network traffic across multiple servers to ensure availability and performance; it has no capability to manage cryptographic key lifecycles or enforce access policies on keys. Option D is wrong because a web application firewall (WAF) inspects and filters HTTP/HTTPS traffic to block web-based attacks like SQL injection or XSS; it does not provide centralized key storage, rotation, or access control for encryption keys.

101
MCQmedium

A sysadmin is preparing a dedicated database server for production. The server will not host web services, print services, or file sharing. Which action best follows least privilege and secure defaults?

A.Enable every management service so support can connect easily.
B.Use the domain admin account to run the database service.
C.Disable unused services and run the database under a dedicated least-privilege service account.
D.Share the same account with backup software to simplify troubleshooting.
AnswerC

Correct. Removing unnecessary services reduces the attack surface, and a dedicated service account limits the damage if the database process is compromised. This is a direct application of least privilege and secure defaults. It also supports cleaner auditing because the service activity is separated from administrator activity and unrelated functions are not exposed.

Why this answer

Option C is correct because disabling unused services reduces the attack surface, and running the database under a dedicated least-privilege service account ensures the account has only the permissions necessary for the database to function. This aligns with the principles of least privilege and secure defaults, as the server is dedicated to database services and should not have extraneous services or overly permissive accounts.

Exam trap

The trap here is that candidates may think using a domain admin account is acceptable for a database server to simplify management, but CompTIA tests the understanding that least privilege requires a dedicated service account with minimal permissions, not a highly privileged account.

How to eliminate wrong answers

Option A is wrong because enabling every management service violates least privilege by increasing the attack surface and potential for unauthorized access; a dedicated database server should only have necessary management interfaces enabled. Option B is wrong because using the domain admin account to run the database service violates least privilege by granting excessive privileges; if the database is compromised, an attacker could gain domain-wide control. Option D is wrong because sharing the same account with backup software violates least privilege by coupling database and backup permissions, increasing the risk of lateral movement if either service is compromised.

102
MCQeasy

A security team configures the SIEM to alert when a user account has several failed logins followed by a successful login from a new location. What type of control is this?

A.Preventive control, because it blocks the login attempt before it occurs.
B.Detective control, because it identifies suspicious activity after the event has started.
C.Corrective control, because it automatically fixes the account after the login succeeds.
D.Deterrent control, because it discourages attackers from trying to sign in.
AnswerB

This is a detective control because the SIEM is observing activity and generating an alert when a suspicious pattern appears. It does not stop the login by itself, but it helps security staff notice possible compromise quickly. Detection is important for investigation and response, especially when an attacker has already obtained valid credentials.

Why this answer

This is a detective control because the SIEM is configured to monitor and analyze log data after events have occurred, specifically identifying a pattern of several failed logins followed by a successful login from a new location. The alert does not prevent or block the login; it only notifies the security team of potentially suspicious activity that has already taken place, allowing them to investigate further.

Exam trap

The trap here is that candidates confuse the SIEM's alerting capability with a preventive action, mistakenly thinking that because the alert is configured 'before' the successful login in the rule logic, it somehow blocks the event, when in fact the SIEM only detects and reports on completed events.

How to eliminate wrong answers

Option A is wrong because a preventive control would actively block the login attempt before it occurs (e.g., account lockout policy or conditional access rule), whereas the SIEM alert only detects the pattern after the successful login. Option C is wrong because a corrective control would automatically remediate the issue after detection (e.g., disabling the account or resetting the password), but the SIEM alert does not perform any automated fix; it simply generates an alert. Option D is wrong because a deterrent control is designed to discourage attackers from attempting an action (e.g., warning banners or visible surveillance), not to detect or alert on activity that has already happened.

103
MCQmedium

A company is enhancing its network security posture. The security team deploys a system that passively monitors network traffic, analyzes packets for signs of malicious activity, and generates alerts when suspicious patterns are detected. This system does not actively block or modify any traffic. Which type of security control does this system BEST represent?

A.Preventive control
B.Detective control
C.Corrective control
D.Deterrent control
AnswerB

Correct. A detective control identifies and logs security events after they happen or in real time. The described system passively monitors and generates alerts, which is the hallmark of a detective control like an IDS.

Why this answer

This system is a detective control because it passively monitors network traffic, analyzes packets for signs of malicious activity, and generates alerts without actively blocking or modifying traffic. Detective controls are designed to identify and report security incidents after they occur or as they happen, which aligns with the described behavior of an Intrusion Detection System (IDS). Unlike preventive controls, it does not enforce policy or stop threats in real time.

Exam trap

The trap here is that candidates often confuse an Intrusion Detection System (IDS) with an Intrusion Prevention System (IPS), mistakenly selecting 'preventive control' because they think any security tool that detects threats also blocks them, but the question explicitly states the system does not block or modify traffic.

How to eliminate wrong answers

Option A is wrong because preventive controls actively block or mitigate threats (e.g., a firewall denying traffic based on rules), whereas this system only monitors and alerts. Option C is wrong because corrective controls are applied after an incident to restore normal operations (e.g., patching a vulnerability or restoring from backup), not to passively monitor traffic. Option D is wrong because deterrent controls aim to discourage malicious behavior through visible warnings or threats of consequences (e.g., security cameras or warning banners), not through passive packet analysis and alerting.

104
Multi-Selecthard

A hybrid cloud portal first checks device health at the identity provider, then requires MFA, then enforces a per-application authorization decision before each sensitive action. Network access is also limited by a gateway, and a WAF sits in front of the app. Which two principles are best demonstrated? Select two.

Select 2 answers
A.Zero trust, because access is continuously verified instead of assumed after one login.
B.Defense in depth, because several independent layers protect the workload from different angles.
C.Least privilege, because users are granted no access at all until the app is offline.
D.Separation of duties, because administrators and users must approve each other's actions.
E.Need-to-know, because the system hides all information until the user requests it.
AnswersA, B

The portal keeps re-evaluating trust through identity, device, and application-layer checks.

Why this answer

Option A is correct because the scenario describes continuous verification of device health, MFA, and per-application authorization before each sensitive action, which aligns with the Zero Trust principle of 'never trust, always verify.' Unlike traditional perimeter-based security, Zero Trust assumes no implicit trust after initial authentication and requires ongoing validation at every access attempt.

Exam trap

CompTIA often tests the distinction between Zero Trust (continuous verification) and Defense in depth (layered controls), and the trap here is confusing 'least privilege' with 'continuous verification' or assuming that any multi-step authentication automatically implies separation of duties.

105
MCQmedium

A security architect is designing the network security posture for a new branch office. The plan includes a next-generation firewall at the perimeter, an intrusion prevention system on the internal network, mandatory multi-factor authentication for all remote access, and quarterly security awareness training for employees. The architect explains that these controls are independent of each other so that a failure in any single control does not leave the entire network unprotected. Which security concept is the architect primarily implementing?

A.Least privilege
B.Defense in depth
C.Zero trust
D.Separation of duties
AnswerB

Defense in depth uses multiple overlapping and independent security controls to protect an environment, ensuring that if one control fails, others continue to provide protection. The architect's design directly implements this principle.

Why this answer

The architect is implementing defense in depth by layering multiple independent security controls—a next-generation firewall (NGFW) at the perimeter, an intrusion prevention system (IPS) on the internal network, mandatory multi-factor authentication (MFA) for remote access, and quarterly security awareness training. The key phrase 'independent of each other so that a failure in any single control does not leave the entire network unprotected' directly describes the principle of layered defenses, where no single point of failure compromises overall security. This approach ensures that if an attacker bypasses the NGFW, the IPS or MFA may still prevent or detect the breach.

Exam trap

The trap here is that candidates confuse 'defense in depth' with 'zero trust' because both involve multiple controls, but zero trust specifically requires continuous authentication and micro-segmentation, not just independent layers.

How to eliminate wrong answers

Option A is wrong because least privilege restricts user and process access to only what is necessary for their role, which is not about layering independent controls but about minimizing permissions. Option C is wrong because zero trust assumes no implicit trust and requires continuous verification of every request, often using micro-segmentation and identity-based policies, whereas the described controls are independent layers without explicit per-request verification. Option D is wrong because separation of duties divides critical tasks among multiple people to prevent fraud or error, not to create redundant technical security layers.

106
MCQmedium

A legal department sends a confidential contract to an outside partner without first exchanging a shared secret. The sender encrypts the document with the partner's public key so that only the partner can decrypt it with the matching private key. Which cryptographic approach is being used?

A.Symmetric encryption
B.Asymmetric encryption
C.Hashing
D.Digital signatures
AnswerB

Asymmetric encryption uses a public key to encrypt data and a corresponding private key to decrypt it. That makes it ideal when two parties have not yet shared a secret. In this scenario, the sender uses the partner's public key so only the partner's private key can open the contract, preserving confidentiality across an untrusted network.

Why this answer

B is correct because the scenario describes encrypting a document with the recipient's public key, which can only be decrypted by the recipient's private key. This is the defining characteristic of asymmetric encryption (also known as public-key cryptography), where two different but mathematically related keys are used for encryption and decryption.

Exam trap

The trap here is that candidates may confuse the use of a public key for encryption with a digital signature, which uses the private key for signing, or mistakenly think that any use of a key pair is symmetric encryption.

How to eliminate wrong answers

Option A is wrong because symmetric encryption uses a single shared secret key for both encryption and decryption, but the scenario explicitly states that no shared secret was exchanged beforehand. Option C is wrong because hashing is a one-way function that produces a fixed-size digest for integrity verification, not for encryption or decryption of data. Option D is wrong because digital signatures use the sender's private key to sign a message for non-repudiation and integrity, not the recipient's public key to encrypt a document.

107
Multi-Selectmedium

A security architect is designing a defense-in-depth strategy for a corporate network. Which of the following are fundamental principles or concepts that should be incorporated into this strategy? (Choose four.)

Select 4 answers
.Layered security controls to provide redundancy and prevent a single point of failure
.The principle of least privilege to limit user and system access to only what is necessary
.Defining a separation of duties to prevent any single individual from having excessive control
.Implementing a zero-trust model that assumes no implicit trust and requires continuous verification
.Using a single, comprehensive security solution to minimize complexity and management overhead
.Disabling all logging and monitoring to reduce system resource consumption

Why this answer

Defense-in-depth relies on layered security controls to ensure that if one control fails, others continue to protect the asset. This redundancy prevents a single point of failure, which is a core principle of the strategy.

Exam trap

The trap here is that candidates may confuse defense-in-depth with simplicity or efficiency, mistakenly choosing a single comprehensive solution because it reduces management overhead, but the exam expects recognition that redundancy through multiple layers is the defining characteristic.

108
MCQeasy

A manager wants files on a stolen laptop to remain unreadable even if the drive is removed and connected to another computer. Which control should be implemented?

A.File compression
B.Full-disk encryption
C.Packet filtering
D.Digital signing
AnswerB

Full-disk encryption protects data stored on the laptop by making the contents unreadable without the proper key or passphrase. If the drive is removed and attached to another computer, the data still remains protected because it is encrypted at rest. This is a common and effective control for portable devices that may be lost or stolen.

Why this answer

Full-disk encryption (FDE) encrypts the entire storage volume, including the operating system, applications, and all user data. When the drive is removed and connected to another computer, the encrypted data remains inaccessible without the correct decryption key or passphrase, ensuring files stay unreadable. This directly addresses the manager's requirement for data confidentiality even after physical theft.

Exam trap

The trap here is that candidates confuse file compression with encryption, thinking that compressing files makes them unreadable, but compression is a reversible encoding process with no security properties.

How to eliminate wrong answers

Option A is wrong because file compression only reduces file size and does not provide any encryption or access control; compressed files can be read by any system with decompression software. Option C is wrong because packet filtering is a network security mechanism that controls traffic based on IP addresses, ports, or protocols; it has no effect on data at rest on a local drive.

109
MCQmedium

A cloud support team is changing the way employees access an internal finance portal. Instead of trusting the user's initial login for the rest of the session, the portal now checks identity, device posture, and request context again before allowing access to payroll data or download actions. Which security concept is being implemented?

A.Defense in depth
B.Zero trust
C.Need-to-know
D.Least privilege
AnswerB

Zero trust assumes that no user, device, or network path should be trusted by default, even after initial authentication. Each access request is evaluated using identity, device health, and context before the action is allowed. That approach fits the scenario because sensitive actions are rechecked instead of relying on a one-time login event.

Why this answer

The scenario describes a shift from implicit trust (trusting the initial login for the entire session) to continuous verification of identity, device posture, and request context before granting access to sensitive actions. This is the core principle of Zero Trust, specifically the 'never trust, always verify' model, which treats every access request as if it originates from an untrusted network. The portal is enforcing a policy that re-evaluates trust at each sensitive operation, not just at session start.

Exam trap

The trap here is that candidates confuse Zero Trust with defense in depth, thinking that multiple security layers automatically mean continuous verification, but Zero Trust specifically requires re-authentication and re-authorization at each access request, not just layered controls.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewall, antivirus, IDS) to protect assets, but it does not inherently require re-verification of identity and device posture for each request within a session. Option C is wrong because need-to-know is an access control principle that restricts data access to users who require it for their job functions, but it does not address continuous verification of device posture or request context. Option D is wrong because least privilege limits user permissions to the minimum necessary, but it does not involve re-checking identity or device posture during an active session; it is a static permission model.

110
MCQmedium

A legacy reporting application cannot be modified this quarter, but users still need access from the corporate network. Security adds a hardened jump server, tighter monitoring, and manual approval for each session because MFA cannot be built into the app yet. What type of control is this?

A.Compensating control
B.Detective control
C.Corrective control
D.Deterrent control
AnswerA

The organization uses alternate safeguards because the preferred MFA control cannot be implemented yet.

Why this answer

A compensating control is an alternative security measure implemented when the primary control cannot be applied due to technical or operational constraints. In this scenario, the legacy application cannot be modified to support MFA, so the organization deploys a hardened jump server, enhanced monitoring, and manual session approval as compensating controls to reduce risk. These controls do not eliminate the vulnerability but provide an equivalent level of protection until the application can be updated.

Exam trap

The trap here is that candidates often confuse compensating controls with detective controls because monitoring is involved, but the primary purpose of compensating controls is to provide an alternative security function, not just to detect events.

How to eliminate wrong answers

Option B is wrong because detective controls are designed to identify and log security events after they occur (e.g., audit logs, IDS alerts), whereas the described controls (jump server, monitoring, manual approval) are proactive measures that enforce access restrictions and prevent unauthorized sessions. Option C is wrong because corrective controls are applied after an incident to restore normal operations (e.g., patching, system recovery), not to mitigate an existing vulnerability before an incident occurs. Option D is wrong because deterrent controls aim to discourage malicious behavior through fear of consequences (e.g., warning banners, guards), not to provide an alternative technical mechanism for secure access when a primary control is unavailable.

111
MCQeasy

A company uses MFA, endpoint protection, firewalls, and network segmentation together to protect a customer portal. Which security principle does this best illustrate?

A.Need-to-know, because users only see the data assigned to them.
B.Separation of duties, because no single person performs every security task.
C.Defense in depth, because multiple layers protect the same asset.
D.Zero trust, because the portal is hosted in the cloud.
AnswerC

Defense in depth uses several different safeguards so one failure does not expose the asset. MFA, endpoint protection, firewalls, and segmentation are layered controls that work together to reduce risk if one layer fails.

Why this answer

Defense in depth is the correct principle because the company is deploying multiple, overlapping security controls—MFA, endpoint protection, firewalls, and network segmentation—to protect the same customer portal. This layered approach ensures that if one control fails (e.g., a firewall rule is misconfigured), other controls (e.g., endpoint detection or segmentation) still provide protection, reducing the overall risk of a single point of compromise.

Exam trap

The trap here is that candidates confuse 'defense in depth' with 'zero trust' because both involve multiple controls, but zero trust specifically requires continuous verification and least-privilege access for every request, whereas defense in depth is simply the layering of independent controls without necessarily requiring per-request verification.

How to eliminate wrong answers

Option A is wrong because need-to-know is an access control principle that restricts data access based on job function, not a strategy for layering multiple security technologies; the scenario describes multiple controls, not data access restrictions. Option B is wrong because separation of duties divides critical tasks among different people to prevent fraud or error, whereas the question lists technologies, not roles or personnel assignments. Option D is wrong because zero trust is a security model that assumes no implicit trust and requires continuous verification for every request, regardless of location; the scenario does not mention cloud hosting as a factor, and simply hosting a portal in the cloud does not automatically implement zero-trust principles like micro-segmentation or continuous authentication.

112
Multi-Selecthard

A developer installed an unknown root CA on a laptop. The browser now accepts a proxy certificate for intranet.apps.example without warnings. Which two controls most directly reduce the chance that this endpoint trusts a malicious interception certificate? Select two.

Select 2 answers
A.Enforce certificate pinning in the application for the expected server certificate.
B.Allow employees to add any root CA as long as the certificate is password-protected.
C.Prevent local administrators from modifying the trusted root store through endpoint policy.
D.Rely on HTTPS alone because any certificate over TLS is safe.
E.Disable DNS because certificate trust does not depend on hostnames.
AnswersA, C

Certificate pinning reduces the chance that a malicious trusted root on the endpoint can impersonate the server. The app checks for a known certificate or public key, not just any certificate signed by a trusted CA.

Why this answer

Option A is correct because certificate pinning hard-codes the expected server certificate or public key into the application, so even if a malicious root CA is trusted by the OS, the application will reject any proxy certificate that does not match the pinned certificate. This directly prevents the browser from accepting the proxy certificate without warnings, as the pinning check occurs at the application layer before the TLS handshake completes.

Exam trap

The trap here is that candidates may think password protection on a certificate adds security against interception, but it only protects the private key file, not the trust decision, and the real risk is the unauthorized addition of a root CA to the trusted store.

113
MCQeasy

A finance application records each approval with the manager's unique user ID and a digital signature. Auditors want proof that the manager cannot later deny approving the transaction. Which security objective is most directly being addressed?

A.Availability
B.Nonrepudiation
C.Confidentiality
D.Accountability
AnswerB

Nonrepudiation provides strong proof of who performed an action, making later denial difficult or impossible.

Why this answer

Nonrepudiation ensures that a party cannot deny having performed a specific action. By recording the manager's unique user ID and a digital signature, the system provides cryptographic proof that the manager approved the transaction, making it impossible for them to later deny it. This directly addresses the audit requirement for undeniable evidence of approval.

Exam trap

CompTIA often tests the distinction between accountability (logging who did what) and nonrepudiation (cryptographic proof that prevents denial), so candidates may pick 'Accountability' because they see user IDs and logs, missing that the digital signature is the key element for nonrepudiation.

How to eliminate wrong answers

Option A is wrong because availability ensures systems and data are accessible when needed, not that actions cannot be denied. Option C is wrong because confidentiality protects data from unauthorized disclosure, not from denial of actions. Option D is wrong because accountability tracks who performed an action (via user IDs and logs), but without a digital signature, it does not provide cryptographic proof that prevents the manager from repudiating the action; nonrepudiation is the stronger objective that includes accountability plus irrefutable evidence.

114
MCQmedium

Based on the exhibit, which access model best fits the business requirement without creating many custom roles?

A.RBAC, because every user can be placed into a fixed role that never changes.
B.ABAC, because access can be evaluated using user, resource, and environment attributes together.
C.DAC, because each file owner can decide access individually without any central rule engine.
D.MAC, because users should manually grant access to themselves when needed.
AnswerB

The exhibit requires decisions based on attributes such as department, clearance, project tags, and business unit. ABAC is built for that kind of dynamic rule set and avoids creating a separate role for every possible combination.

Why this answer

B is correct because Attribute-Based Access Control (ABAC) evaluates multiple attributes (user, resource, environment) to dynamically determine access, which fits a business requirement that needs flexible, context-aware permissions without creating many custom roles. Unlike RBAC, ABAC avoids role explosion by using policies that combine attributes, making it ideal for environments where access decisions depend on factors like time, location, or data sensitivity.

Exam trap

The trap here is that candidates often default to RBAC as the simplest model, but the question explicitly requires avoiding many custom roles, which RBAC would necessitate if the business needs are complex or dynamic, whereas ABAC provides attribute-based flexibility without role explosion.

How to eliminate wrong answers

Option A is wrong because RBAC requires predefined roles that are static; if the business needs change frequently, RBAC would require creating many custom roles to accommodate new access patterns, contradicting the requirement to avoid custom roles. Option C is wrong because DAC allows file owners to set permissions individually, which lacks centralized control and cannot efficiently enforce business-wide access policies without custom configurations per resource. Option D is wrong because MAC enforces access based on fixed labels (e.g., security clearances) and does not allow users to grant access to themselves; it is rigid and not suitable for dynamic, attribute-driven requirements.

115
Multi-Selectmedium

Which three of the following are examples of defense-in-depth security controls? (Choose three.)

Select 3 answers
.A firewall at the network perimeter
.Mandatory access controls on sensitive files
.Regular security awareness training for employees
.A single password policy for all users
.Using only one antivirus solution for all endpoints
.Disabling all logging to save storage space

Why this answer

Defense-in-depth is a layered security strategy that uses multiple, independent controls to protect assets. A firewall at the network perimeter provides network-level filtering (e.g., stateful inspection, ACLs) as the first line of defense. Mandatory access controls (MAC) on sensitive files enforce system-enforced restrictions based on labels (e.g., Bell-LaPadula model), adding a host-level layer.

Regular security awareness training addresses the human factor, reducing social engineering and phishing risks, which is a critical administrative control.

Exam trap

The trap here is that candidates often confuse 'multiple controls' with 'multiple instances of the same control' (e.g., using two firewalls or one AV everywhere), but defense-in-depth requires diverse, independent layers across different domains (network, host, administrative).

116
MCQmedium

Based on the exhibit, which authentication method best meets the stated remote-admin requirement?

A.SMS one-time code, because it is widely supported and easy for users to adopt.
B.Email one-time link, because it can be delivered to any mailbox quickly.
C.Authenticator app TOTP code, because it adds a second factor without special hardware.
D.FIDO2 hardware security key, because it resists phishing and does not depend on SMS or email delivery.
AnswerD

The requirement explicitly calls for a phishing-resistant factor that does not depend on text messages or email. A FIDO2 hardware security key meets that need and is well suited for privileged administrator authentication because it strongly binds the login to the legitimate site.

Why this answer

The remote-admin requirement emphasizes phishing resistance and independence from SMS or email delivery, which are vulnerable to interception or social engineering. FIDO2 hardware security keys use public-key cryptography and origin-bound credentials, making them phishing-resistant and eliminating reliance on potentially compromised communication channels. This aligns with the stated requirement better than the other options.

Exam trap

The trap here is that candidates often choose TOTP (Option C) because it is a common second factor, but they overlook that the question specifically requires phishing resistance, which TOTP does not provide against modern adversary-in-the-middle attacks, whereas FIDO2 does.

How to eliminate wrong answers

Option A is wrong because SMS one-time codes are susceptible to SIM swapping, SS7 attacks, and phishing, and they rely on the mobile carrier network, which does not meet a requirement for phishing resistance. Option B is wrong because email one-time links can be intercepted via mailbox compromise or man-in-the-middle attacks, and they depend on email delivery, which is not phishing-resistant. Option C is wrong because authenticator app TOTP codes, while more secure than SMS, are still vulnerable to real-time phishing attacks (e.g., adversary-in-the-middle) where the user is tricked into entering the code on a fake site, and they do not provide the same level of phishing resistance as FIDO2.

117
Multi-Selecteasy

Which two documents are typically mandatory and organization-wide rather than optional guidance? Select two.

Select 2 answers
A.Security policy
B.Standard
C.Guideline
D.Personal preference note
E.Architecture diagram
AnswersA, B

Policies set mandatory organization-wide direction and expectations for behavior.

Why this answer

Security policies are mandatory, high-level documents that define management's intent and direction for security, establishing rules that all employees must follow. They are organization-wide and enforceable, unlike guidelines which are optional. Standards are also mandatory and specify uniform technical controls or configurations (e.g., requiring AES-256 encryption) that must be implemented across the organization to comply with the security policy.

Exam trap

The trap here is that candidates often confuse 'guidelines' with 'standards' because both provide technical details, but guidelines are optional while standards are mandatory, and the exam expects you to distinguish between enforceable documents (policy/standard) and advisory ones (guideline).

118
MCQhard

Based on the exhibit, which additional control best reduces the risk of tailgating at the entrance while preserving normal employee flow?

A.Post a security guard at the entrance during business hours.
B.Install a mantrap or anti-passback turnstile that admits one person per badge authorization.
C.Add more CCTV cameras in the lobby and at the parking lot entrance.
D.Send quarterly emails reminding employees not to hold doors open.
AnswerB

This is the best fit because the current controls detect the problem but do not stop it. A mantrap or turnstile is a preventive physical control that enforces single-person entry and directly addresses tailgating while keeping normal employee movement efficient. It reduces reliance on people noticing and reacting in real time.

Why this answer

A mantrap or anti-passback turnstile enforces one-person-per-badge authorization, physically preventing tailgating by only allowing a single individual to pass per valid credential. This preserves normal employee flow because authorized users can enter quickly without manual intervention, unlike guards or awareness campaigns that rely on human compliance.

Exam trap

CompTIA often tests the distinction between preventive controls (mantraps/turnstiles) and detective or administrative controls (CCTV, emails, guards), leading candidates to choose a familiar but ineffective option like CCTV or security guards.

How to eliminate wrong answers

Option A is wrong because posting a security guard is a deterrent, not a technical control; guards can be bypassed or overwhelmed during peak hours and do not scale to maintain normal flow without causing bottlenecks. Option C is wrong because CCTV cameras are detective controls that record incidents after they occur, not preventive controls that stop tailgating in real time. Option D is wrong because quarterly email reminders are administrative controls that rely on employee behavior change; they are ineffective against intentional tailgating and do not enforce physical access restrictions.

119
MCQhard

Based on the exhibit, which awareness control best addresses the observed failure pattern?

A.Replace the phone-call simulation with longer monthly policy newsletters.
B.Run targeted vishing exercises and teach a callback verification procedure.
C.Disable MFA so users are not asked for one-time codes.
D.Tell users to ignore all requests from anyone outside the company.
AnswerB

This is the best fit because the failures occurred during a phone-based social engineering attack that asked for one-time codes. Targeted vishing drills train users to recognize voice-based pressure tactics, and a callback verification procedure gives them a safe way to confirm legitimacy without relying on the caller. That directly addresses the observed failure pattern.

Why this answer

The exhibit shows a pattern where users are falling for phone-based social engineering (vishing), not email or general phishing. Option B directly addresses this by running targeted vishing exercises to simulate the real threat and teaching a callback verification procedure, which is a specific technical control to verify the identity of callers before taking action. This is the most effective awareness control because it trains users to recognize and respond to the exact attack vector observed.

Exam trap

The trap here is that candidates may choose Option A (longer newsletters) because they think more information is always better, but the question specifically tests the ability to match the awareness control to the observed attack vector (vishing), not general security awareness.

How to eliminate wrong answers

Option A is wrong because replacing phone-call simulations with longer monthly policy newsletters does not address the specific vishing failure pattern; newsletters are passive and less effective for hands-on behavioral change. Option C is wrong because disabling MFA would actually increase security risk by removing a critical authentication layer, and it does not address the social engineering vector at all. Option D is wrong because telling users to ignore all requests from anyone outside the company is impractical and overly broad; legitimate external communications (e.g., from vendors, customers) would be disrupted, and it does not teach a verifiable procedure.

120
MCQeasy

The help desk needs a document that describes the exact steps for verifying a caller and resetting a password. What type of document should they use?

A.Policy
B.Procedure
C.Standard
D.Guideline
AnswerB

A procedure is the correct document because it gives step-by-step instructions for completing a task in a consistent way. In this case, the help desk needs a repeatable method for identity verification, password reset, and ticket documentation. Procedures help reduce errors and ensure staff follow the same approved process each time.

Why this answer

A procedure provides the exact, step-by-step instructions needed for a specific task, such as verifying a caller's identity and resetting a password. This is distinct from a policy, which states high-level rules, or a standard, which defines mandatory technical requirements. The help desk needs a documented sequence of actions, which is the definition of a procedure.

Exam trap

The trap here is confusing a procedure (the 'how') with a policy (the 'what'), as candidates often think a policy document contains step-by-step instructions, but policies only set the rules, not the exact steps.

How to eliminate wrong answers

Option A is wrong because a policy is a high-level statement of management intent (e.g., 'passwords must be reset securely'), not a step-by-step guide. Option C is wrong because a standard defines mandatory technical specifications (e.g., 'passwords must be at least 12 characters'), not the exact steps to perform a task. Option D is wrong because a guideline offers general advice or recommendations (e.g., 'consider using multi-factor authentication'), not the precise, mandatory steps required for a consistent process.

121
MCQmedium

Based on the exhibit, users report that the new payment portal opens only after they bypass a browser warning. Which remediation best restores secure access without weakening certificate validation?

A.Install the same certificate on every client so the browser warning is suppressed.
B.Reissue the server certificate so the subject or SAN matches pay.example.net and chain it to the trusted CA.
C.Disable certificate name checking in the browser until the certificate expires.
D.Replace TLS with a shared symmetric key configured on the web server and all users.
AnswerB

A valid server certificate must match the hostname users are connecting to, and it must chain to a trusted issuing authority. Reissuing the certificate for pay.example.net resolves the mismatch shown in the exhibit while preserving proper certificate validation.

Why this answer

The browser warning indicates a hostname mismatch or untrusted CA. Reissuing the server certificate with the correct subject or SAN (Subject Alternative Name) matching pay.example.net and chaining it to a trusted CA resolves the warning while maintaining full certificate validation. This ensures the browser can verify both the identity and trustworthiness of the server without weakening security.

Exam trap

The trap here is that candidates may think installing the same certificate on clients (Option A) is a valid fix, but this violates certificate security by exposing the private key and does not address the root cause of the hostname mismatch.

How to eliminate wrong answers

Option A is wrong because installing the same certificate on every client does not fix the server-side hostname mismatch; it would also require distributing the private key, which breaks certificate security and is not a valid remediation. Option C is wrong because disabling certificate name checking in the browser bypasses a critical security validation, leaving the connection vulnerable to man-in-the-middle attacks and does not restore secure access. Option D is wrong because replacing TLS with a shared symmetric key eliminates certificate-based authentication entirely, removing identity verification and introducing key distribution and management risks, which weakens security rather than restoring it.

122
Multi-Selecthard

A web server should accept traffic only from a load balancer and a management jump host. The current host firewall allows all inbound ports, and the web service runs as a domain administrator. Which two changes most improve hardening without breaking the required access pattern? Select two.

Select 2 answers
A.Restrict host firewall rules to required source addresses and ports.
B.Run the service under a dedicated nonadministrative service account.
C.Leave SSH open to every subnet and rely on strong passwords.
D.Give the service account local administrator rights so it can restart itself.
E.Disable patching during business hours permanently.
AnswersA, B

Restricting the firewall to only the needed sources and ports reduces the attack surface immediately. It enforces the trust boundary around the server and prevents unnecessary inbound exposure from other networks.

Why this answer

Option A is correct because restricting host firewall rules to only the load balancer and management jump host's source IP addresses and required ports (e.g., HTTP/HTTPS for the load balancer, SSH/RDP for the jump host) enforces the principle of least privilege. This eliminates the risk of exposing unnecessary services to the entire network, which is a common attack vector. The current 'allow all inbound ports' configuration violates basic network segmentation and access control best practices.

Exam trap

The trap here is that candidates often focus on password strength or patching schedules while ignoring the critical need for network segmentation and least-privilege service accounts, which are the foundational controls tested in this question.

123
MCQmedium

A systems administrator downloads a patch and a SHA-256 checksum file from the vendor. The administrator hashes the patch locally and the values match. What does the matching hash primarily confirm?

A.The file has not been altered since the vendor published the checksum.
B.The file remains confidential during transmission.
C.The vendor's private key was used to encrypt the patch.
D.The patch will definitely install successfully on every system.
AnswerA

A matching hash strongly indicates the file's contents stayed unchanged from the vendor's published version.

Why this answer

A SHA-256 checksum is a cryptographic hash that acts as a fingerprint for the file. When the locally computed hash matches the vendor-published checksum, it confirms the file's integrity — that the patch has not been modified or corrupted since the vendor generated the checksum. This does not verify confidentiality, authenticity of the signer, or installation success.

Exam trap

The trap here is that candidates confuse integrity (hash matching) with authenticity (digital signature) or confidentiality (encryption), leading them to incorrectly select options about private keys or secure transmission.

How to eliminate wrong answers

Option B is wrong because a hash match confirms integrity, not confidentiality; the file could have been transmitted in plaintext and still produce the same hash. Option C is wrong because the hash is computed from the file content, not from a private key; the vendor's private key would be used for a digital signature, not for a checksum. Option D is wrong because a matching hash only verifies the file is unchanged, not that it will install correctly on every system — installation depends on hardware, OS version, dependencies, and other factors.

124
Multi-Selecthard

A company stores application passwords in a database that could be stolen during a breach. The team wants to prevent attackers from using precomputed tables and also make identical passwords produce different stored values. Which two changes should be implemented? Select two.

Select 2 answers
A.Use a unique random salt for every password before hashing.
B.Use a slow one-way password hash such as Argon2, bcrypt, or scrypt.
C.Encrypt each password with a single symmetric key and store the key in the database.
D.Add a digital signature to each stored password so users can verify it.
E.Hash all passwords with the same unsalted SHA-256 value.
AnswersA, B

Unique salts defeat rainbow tables and ensure matching passwords do not produce identical outputs.

Why this answer

A unique random salt ensures that even if two users have the same password, their stored hashes differ because the salt is combined with the password before hashing. This prevents attackers from using precomputed rainbow tables, as each salt forces a separate table to be generated. Salting does not slow down the hash itself, but it eliminates the efficiency of precomputed attacks.

Exam trap

The trap here is that candidates often think encryption (Option C) is sufficient for password storage, but encryption with a stored key is reversible and vulnerable if the key is compromised, whereas hashing with a salt is one-way and specifically designed to resist precomputed attacks.

125
MCQeasy

An employee receives an email that appears to be from the CEO and asks for an urgent wire transfer. The sender address is slightly different from the real company address. What is the best first action?

A.Complete the transfer because it came from an executive
B.Reply to the email asking if it is real
C.Verify the request using a separate trusted method
D.Forward it to the whole department for awareness
AnswerC

The safest first action is to verify the request through a separate trusted channel, such as calling the CEO using a known internal number or checking with a supervisor. This helps confirm whether the message is legitimate without relying on the suspicious email itself. Urgent money requests are a common social engineering tactic, so independent verification is essential.

Why this answer

Option C is correct because the email exhibits classic signs of a business email compromise (BEC) attack, where the sender address is spoofed or slightly altered. Verifying the request through a separate, trusted method—such as calling the CEO directly or using a known internal communication channel—bypasses any compromised email system and confirms the legitimacy of the request. This aligns with the principle of out-of-band verification, which is a key defense against phishing and social engineering.

Exam trap

CompTIA often tests the concept that verifying through the same compromised channel (e.g., replying to the email) is insufficient, and the trap here is that candidates may think replying to ask for confirmation is a safe step, when in fact it only engages with the attacker.

How to eliminate wrong answers

Option A is wrong because it assumes the email is legitimate based solely on the display name or role, ignoring the fact that attackers can easily spoof sender addresses and exploit authority to bypass security controls. Option B is wrong because replying to the email sends the response to the attacker-controlled address, confirming the employee's availability and potentially exposing sensitive information; the attacker may also intercept or manipulate the reply. Option D is wrong because forwarding the email to the entire department spreads the phishing attempt, increasing the risk that other employees might fall for the attack or that the malicious content could trigger additional security incidents.

126
MCQeasy

A help desk technician needs temporary access to read one shared folder to troubleshoot a printer issue. Which access choice best follows least privilege?

A.Grant the technician full control of the entire file server for one day.
B.Give the technician read-only access to the single shared folder needed for the ticket.
C.Add the technician to the domain admins group until the issue is resolved.
D.Allow the technician to use any account in the department for convenience.
AnswerB

Least privilege means granting only the minimum access needed to complete the task. Read-only access to one specific folder supports troubleshooting without exposing unrelated files or administrative functions.

Why this answer

Option B is correct because it grants the technician only the minimum permissions (read-only) to the specific resource (single shared folder) required to troubleshoot the printer issue. This adheres to the principle of least privilege by limiting access scope and duration, reducing the risk of unauthorized changes or data exposure.

Exam trap

The trap here is that candidates often confuse 'temporary access' with 'elevated privileges' (like Domain Admins) instead of recognizing that the least privilege principle requires the minimal permission (read-only) to the minimal resource (single folder), not broad administrative roles.

How to eliminate wrong answers

Option A is wrong because granting full control of the entire file server provides far more access than needed, violating least privilege and exposing all files to potential accidental modification or deletion. Option C is wrong because adding the technician to the Domain Admins group grants unrestricted administrative access to the entire domain, which is excessive and introduces significant security risk. Option D is wrong because allowing the technician to use any department account bypasses accountability and audit trails, as actions cannot be tied to the specific technician, and may expose credentials or sensitive data.

127
MCQhard

Based on the exhibit, what control type is the automated reapplication of the baseline?

A.Preventive control, because the system prevented the user from changing the firewall profile at all.
B.Corrective control, because the MDM agent restores the approved baseline after the unauthorized change is found.
C.Detective control, because the help desk can review the event later.
D.Deterrent control, because the policy baseline discourages users from making changes.
AnswerB

Corrective control is the best answer because the system repairs the deviation after it has already happened. The user altered the firewall profile, and then the management platform reapplied the approved baseline at the next check-in. This restores the device to the desired secure state, which is exactly what a corrective control is designed to do.

Why this answer

The automatic reapplication of the approved firewall baseline is a corrective control because it fixes a configuration that drifted away from the secure standard. The user was able to make the change, so the control was not preventive. The MDM system then returned the device to its approved state, which is the defining behavior of correction rather than simple detection or deterrence.

Why others are wrong: The user change was already allowed to happen, so the control was not preventive. The log shows an automatic restoration, not just an alert, so it is more than detective. A deterrent would merely discourage changes through warnings or visibility. The key evidence is the platform's automatic rollback to the approved baseline after the deviation was found.

128
MCQhard

A records application displays a mandatory notice before login that tells employees exactly which data types they may open, when to lock their screens, and that only assigned work may be processed. The notice is meant to shape behavior before misuse occurs, but it does not technically block any action. Which control type is this notice?

A.Directive control
B.Preventive control
C.Deterrent control
D.Detective control
AnswerA

The notice provides required guidance and expectations before users access the system. It tells them what behavior is allowed and how they should act, but it does not enforce the rule technically. That makes it a directive control because it directs user behavior through instructions and stated requirements rather than by blocking actions.

Why this answer

A directive control is designed to guide or mandate behavior through policies, procedures, or notices without enforcing technical restrictions. This notice explicitly tells employees which data types they may open, when to lock screens, and that only assigned work may be processed, shaping behavior before misuse occurs without blocking any action. It aligns with the definition of a directive control as it provides rules and expectations rather than preventing or deterring actions through technical means.

Exam trap

The trap here is that candidates confuse a directive control with a deterrent control because both involve warnings, but a deterrent control explicitly threatens consequences or punishment to discourage action, whereas a directive control simply instructs on proper behavior without implying enforcement or penalties.

How to eliminate wrong answers

Option B is wrong because a preventive control would technically block unauthorized actions, such as using access control lists (ACLs) or file permissions to prevent opening restricted data types, whereas this notice only advises without enforcing any technical barrier. Option C is wrong because a deterrent control aims to discourage misuse through the threat of consequences or penalties, such as warning banners that imply monitoring or disciplinary action, but this notice simply states allowed behaviors without threatening punishment or creating fear of repercussions.

129
MCQeasy

After an employee successfully signs in to a file-sharing portal, the portal checks whether the employee can upload files to a specific project folder. Which AAA concept is being used?

A.Authentication, because the user proved their identity with credentials.
B.Authorization, because the system is deciding what the signed-in user is allowed to do.
C.Accounting, because the portal is recording the folder permissions for later review.
D.Nonrepudiation, because the portal proves the user cannot deny uploading a file.
AnswerB

Authorization is the process of determining permissions after identity has been confirmed. In this case, the portal is checking whether the authenticated user may upload files to a particular folder. That is a classic authorization decision because it controls access to a resource based on assigned rights, roles, or group membership.

Why this answer

After the user successfully signs in (authentication), the portal checks permissions to determine if they can upload files to a specific project folder. This is the definition of authorization: verifying what an authenticated user is allowed to do. The system is enforcing access control based on the user's identity and the folder's permissions.

Exam trap

The trap here is that candidates confuse the initial login (authentication) with the subsequent permission check (authorization), often selecting 'Authentication' because they see 'signs in' and assume the entire process is about identity verification.

How to eliminate wrong answers

Option A is wrong because authentication is the process of verifying identity (e.g., with a password or MFA), which has already occurred before the portal checks upload permissions; the question describes a post-login permission check, not identity verification. Option C is wrong because accounting involves logging and tracking user activities (e.g., upload events, timestamps) for auditing or billing, not checking permissions against a folder. Option D is wrong because nonrepudiation ensures a user cannot deny an action (e.g., via digital signatures or audit logs), but the scenario is about a pre-action permission check, not proving an action occurred.

130
MCQmedium

A payroll application allows the same user to create a vendor and approve a payment. The security team wants to reduce fraud without adding unnecessary complexity. Which principle should they apply?

A.Separation of duties, so no single person can complete the entire high-risk workflow.
B.Job rotation, so employees periodically switch responsibilities to learn each other’s tasks.
C.Defense in depth, so multiple technical tools inspect every payment form.
D.Least privilege, so the payroll user can create and approve only this one vendor payment.
AnswerA

Separation of duties is the best control when one person should not be able to create and approve the same payment. By splitting responsibilities across different roles or approvals, the organization reduces the chance of fraud, abuse, or accidental misuse. This principle is common in finance and payroll workflows because it provides meaningful risk reduction without requiring a complicated technical redesign of the entire application.

Why this answer

Separation of duties (option A) is the correct principle because it prevents a single user from both creating a vendor and approving a payment, which would allow that user to commit fraud by setting up a fake vendor and authorizing a payment to it. By splitting these high-risk tasks between two or more people, the organization enforces a dual-control mechanism that reduces the risk of internal fraud without adding complex technical controls. This aligns with the security team's goal of reducing fraud while avoiding unnecessary complexity.

Exam trap

The trap here is that candidates often confuse separation of duties with job rotation or defense in depth, mistakenly thinking that rotating employees or adding more technical controls will prevent internal fraud, when in fact only splitting conflicting responsibilities directly addresses the risk of a single user completing a high-risk workflow.

How to eliminate wrong answers

Option B is wrong because job rotation involves periodically rotating employees through different roles to cross-train and detect irregularities, but it does not prevent a single user from completing the entire vendor creation and payment approval workflow at any given time; fraud could still occur during the current assignment. Option C is wrong because defense in depth is a layered security strategy that uses multiple technical controls (e.g., firewalls, IDS, encryption) to protect against external threats, but it does not address the internal segregation of conflicting duties; adding more technical tools to inspect payment forms would increase complexity without directly preventing the same user from performing both actions.

131
MCQmedium

A contractor is assigned to a single merger project. The manager approves access to only the project share and the project chat space, even though the contractor technically could use other collaboration tools. Which principle is most directly reflected?

A.Need-to-know
B.Least privilege
C.Integrity
D.Zero trust
AnswerA

The contractor is given access only to information and resources required for the assigned project work.

Why this answer

The correct answer is A, need-to-know, because the manager restricts the contractor's access to only the project share and project chat space, even though the contractor could technically use other collaboration tools. Need-to-know is a principle that limits access to information or resources strictly required for an individual's job duties, regardless of their clearance or technical capability. In this scenario, the contractor is given access only to the specific resources necessary for the merger project, directly reflecting the need-to-know principle.

Exam trap

Cisco often tests the distinction between need-to-know and least privilege by presenting a scenario where access is limited to specific resources (need-to-know) rather than limiting permissions within a resource (least privilege), causing candidates to confuse the two principles.

How to eliminate wrong answers

Option B (Least privilege) is wrong because least privilege focuses on granting the minimum permissions or rights (e.g., read-only vs. write) to perform a task, not on limiting access to specific resources based on job role. Here, the contractor is denied access to entire tools, not just reduced permissions within them. Option C (Integrity) is wrong because integrity refers to the assurance that data has not been altered or destroyed in an unauthorized manner, typically enforced via hashing (e.g., SHA-256) or access controls like write permissions, not by restricting access to specific collaboration tools.

Option D (Zero trust) is wrong because zero trust is a security model that assumes no implicit trust and requires continuous verification of every access request (e.g., via multifactor authentication and micro-segmentation), not simply limiting access to a project share and chat space based on a single project assignment.

132
MCQhard

Based on the exhibit, which action is required to keep the backups restorable after the key-encryption key rotation?

A.Delete vault-kek-v1 immediately so only the newest key remains active.
B.Rewrap or keep access to the old KEK version until existing DEKs are migrated.
C.Re-encrypt the entire backup repository with a single shared password.
D.Export vault-kek-v2 into the backup files so each object stores the new key directly.
AnswerB

This is correct because the backups still depend on the old key-encryption key to unwrap their data-encryption keys. During key rotation, the organization must either keep the old KEK available or rewrap the DEKs with the new KEK before retiring the old one. That preserves restore capability without forcing a full mass re-encryption of the backup data.

Why this answer

When a key-encryption key (KEK) is rotated, existing data-encryption keys (DEKs) that were wrapped with the old KEK version become unreadable unless the old KEK is retained or the DEKs are re-wrapped with the new KEK. Option B ensures that backups remain restorable by either keeping the old KEK version accessible or migrating DEKs to the new KEK, maintaining the chain of trust for decryption.

Exam trap

The trap here is that candidates assume deleting the old key immediately is a best practice for key hygiene, but they overlook that existing encrypted data depends on the old key for decryption until re-wrapping occurs.

How to eliminate wrong answers

Option A is wrong because deleting vault-kek-v1 immediately would render all existing DEKs that were encrypted with that key permanently unrecoverable, breaking backup restorability. Option C is wrong because re-encrypting the entire backup repository with a single shared password violates the principle of key separation and introduces a single point of failure, as a password compromise would expose all backups. Option D is wrong because exporting vault-kek-v2 into backup files defeats the purpose of key management by storing the key alongside the data, eliminating the security benefit of a separate key hierarchy.

133
MCQhard

Based on the exhibit, which control would most effectively reduce the remaining successful attacks? Phishing awareness results: Team A: click rate 8%, report rate 6%, median report time 52 min Team B: click rate 7%, report rate 18%, median report time 14 min Team C: click rate 12%, report rate 21%, median report time 10 min Incident summary: Team C had one mailbox takeover after a user approved an MFA push while traveling.

A.Continue generic awareness posters without changing technical controls.
B.Replace push-based MFA with phishing-resistant MFA and reinforce verification for unusual login prompts.
C.Disable MFA on mobile devices so users can log in faster.
D.Allow employees to approve prompts from any device to reduce help desk calls.
AnswerB

Phishing-resistant MFA blocks prompt abuse, and verification steps help users resist social engineering during abnormal sign-in events.

Why this answer

Team C's successful attack was a mailbox takeover resulting from a user approving an MFA push notification while traveling. This indicates that push-based MFA is vulnerable to MFA fatigue attacks, where an attacker bombards the user with prompts until they approve. Replacing push-based MFA with phishing-resistant MFA (e.g., FIDO2/WebAuthn or hardware tokens) eliminates the possibility of approving a prompt from an untrusted device, and reinforcing verification for unusual login prompts adds a critical user behavior layer to detect anomalies.

Exam trap

CompTIA often tests the misconception that any MFA is equally secure; the trap here is that candidates may think push-based MFA is sufficient because it is 'multi-factor,' but the exam expects you to recognize that push-based MFA is vulnerable to fatigue attacks and that phishing-resistant MFA is the appropriate technical control to prevent such successful attacks.

How to eliminate wrong answers

Option A is wrong because generic awareness posters do not address the specific technical vulnerability of push-based MFA being susceptible to fatigue attacks; they are too vague and have already proven ineffective given Team C's high click rate and the successful attack. Option C is wrong because disabling MFA on mobile devices would remove the only authentication factor for mobile users, drastically increasing the risk of account compromise from stolen credentials or session hijacking. Option D is wrong because allowing employees to approve prompts from any device would exacerbate MFA fatigue by removing location/device context, making it easier for attackers to trick users into approving malicious requests.

134
Matchingeasy

Match each cryptographic concept to its best purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Makes data unreadable to anyone who does not have the correct key.

Creates a fixed-size fingerprint to detect whether data changed.

Adds random data before hashing passwords so identical passwords look different.

Lets others verify who signed the file and that it was not altered.

Replaces an encryption key before its approved lifetime ends.

Why these pairings

Confidentiality protects secrecy, integrity prevents tampering, authentication confirms identity, non-repudiation ensures proof of origin, availability ensures uptime, and accountability enables audit trails.

135
Matchingeasy

Match each control category to the best example.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

A firewall blocks unauthorized inbound traffic.

A written policy requires manager approval before access is granted.

A badge reader controls entry to a server room.

A SIEM alert notifies the SOC about a failed login pattern.

Restoring a system from a known-good backup after a failure.

Why these pairings

Control categories are matched to examples: preventive controls block, detective controls identify, corrective controls fix, deterrent controls discourage, compensating controls provide alternatives, and directive controls set rules.

136
MCQhard

Based on the exhibit, which access change best follows least privilege while still allowing the help desk to complete the task?

A.Add helpdesk_27 to Domain_Admin for seven days, since the request is urgent and time-limited.
B.Use a shared administrator password so the technician can finish the ticket without changing group memberships.
C.Grant helpdesk_27 the Helpdesk_Admin role for the ticket and remove it after completion.
D.Ask the user's manager to perform the reset manually so the help desk does not need additional access.
AnswerC

Granting the narrower Helpdesk_Admin role is the best least-privilege choice because it gives the technician only the permissions needed to unlock the account and reset MFA. The role is specific to the job function and can be removed after the ticket is complete. That limits exposure while still allowing the work to be finished efficiently.

Why this answer

Option C is correct because it implements Role-Based Access Control (RBAC) by granting the help desk technician a temporary, ticket-specific role (Helpdesk_Admin) that provides just enough privileges to perform the password reset without granting broader administrative rights. This follows the principle of least privilege by limiting the elevated access to the exact scope and duration needed, and the role can be automatically revoked after the ticket is closed, minimizing the attack surface.

Exam trap

The trap here is that candidates may choose Option A because it appears to limit the duration of elevated access, but they overlook that Domain_Admin membership provides far more privileges than needed for a single password reset, violating the core principle of least privilege.

How to eliminate wrong answers

Option A is wrong because adding helpdesk_27 to Domain_Admin grants full domain administrative privileges, which far exceed what is needed for a single password reset and violates least privilege by providing persistent, overly broad access even if time-limited. Option B is wrong because using a shared administrator password violates the principle of non-repudiation (no individual accountability) and introduces a shared credential security risk, as all actions would be attributed to the shared account rather than the specific technician. Option D is wrong because it bypasses the help desk's role entirely and places an operational burden on the user's manager, which is inefficient, not scalable, and does not address the need for the help desk to have appropriate access to perform their job function.

137
Multi-Selecthard

A microservices team stores service private keys inside container images and renews certificates manually once a year. Security wants to reduce damage if a node is compromised and keep certificate trust manageable at scale. Which two changes are the best fit? Select two.

Select 2 answers
A.Store private keys in an HSM-backed secrets manager or equivalent key vault.
B.Embed private keys in the container image so redeployments are simpler.
C.Use an internal CA and automate short-lived certificate renewal.
D.Replace the CA with a self-signed certificate on every node.
E.Convert the key file to base64 before storing it in the image.
AnswersA, C

Keeping private keys out of the image and out of the filesystem reduces the chance that a node compromise exposes long-term secrets. A managed key vault or HSM-backed store is much harder to copy than a baked-in file.

Why this answer

Option A is correct because storing private keys in an HSM-backed secrets manager (e.g., AWS KMS, Azure Key Vault, or HashiCorp Vault with an HSM module) ensures that keys never leave the secure boundary of the HSM. This prevents an attacker who compromises a container or node from extracting the private key material, as the key is used for cryptographic operations via API calls rather than being stored in the filesystem. This directly reduces the blast radius of a node compromise.

Exam trap

The trap here is that candidates often think embedding keys in images is acceptable for simplicity, but the exam tests the principle that private keys must never be stored in the same artifact as the application, and that manual renewal is not scalable for microservices.

138
Multi-Selecthard

Before installing a vendor patch package on hundreds of endpoints, the security team wants to confirm the file was published by the vendor and was not altered during download. Which two verification steps should the team perform? Select two.

Select 2 answers
A.Verify the package signature with the vendor's public key.
B.Compare the downloaded package hash to the hash in the signed manifest.
C.Decrypt the package with the vendor's private key before installation.
D.Rotate the organization's internal encryption key before downloading.
E.Check only the file timestamp and size on disk.
AnswersA, B

A valid signature proves the package came from the holder of the vendor's private key.

Why this answer

Option A is correct because verifying the package signature with the vendor's public key confirms the package was cryptographically signed by the vendor, proving its authenticity and integrity. This process uses asymmetric cryptography where the vendor signs the package with their private key, and the security team uses the corresponding public key to validate that signature. It ensures the file was not tampered with after signing and that it originated from the claimed vendor.

Exam trap

The trap here is that candidates confuse signature verification with encryption/decryption roles, mistakenly thinking the vendor's private key is used to decrypt the package, when in fact the private key is used to sign and the public key to verify.

139
MCQmedium

A legal department needs a contract file that can later prove who signed it and whether the content changed after signing. Which cryptographic mechanism should be used?

A.Digital signature
B.Symmetric encryption
C.Hashing
D.Tokenization
AnswerA

Digital signatures provide tamper detection and signer validation using asymmetric cryptography.

Why this answer

A digital signature provides non-repudiation, ensuring the signer cannot deny signing the document, and integrity, detecting any changes after signing. It uses asymmetric cryptography where the signer's private key creates the signature, and the public key verifies it, making it the correct choice for proving both identity and content integrity.

Exam trap

The trap here is that candidates confuse hashing (which provides integrity) with digital signatures (which provide both integrity and non-repudiation), leading them to pick hashing when the question explicitly requires proof of who signed it.

How to eliminate wrong answers

Option B is wrong because symmetric encryption only provides confidentiality (secrecy) of the contract file, not proof of who signed it or integrity verification; it uses a shared key that cannot uniquely tie a signature to an individual. Option C is wrong because hashing only provides integrity by producing a fixed-size hash of the content, but it does not prove who signed it or offer non-repudiation; anyone can compute the same hash. Option D is wrong because tokenization replaces sensitive data with a non-sensitive placeholder (token) for data protection, typically for payment or PII, and does not provide signing proof or integrity verification.

140
MCQhard

Based on the exhibit, what is the best improvement to reduce the impact if one backup server is compromised?

A.Keep the same key file but rename it so attackers cannot find it easily.
B.Replace AES with SHA-256 so the backups are harder to read.
C.Store encryption keys in a centralized KMS or HSM and use distinct keys with rotation.
D.Email the key file to backup operators so they can restore data quickly.
AnswerC

This is the best improvement because the current design places the same key on every backup server, creating a large blast radius if one host is compromised. Centralized key management through a KMS or HSM improves control, auditing, rotation, and separation of duties. Distinct keys also limit how much data exposure results from one server compromise.

Why this answer

Option C is correct because using a centralized Key Management System (KMS) or Hardware Security Module (HSM) with distinct, rotated keys ensures that compromising one backup server does not expose the encryption keys for all backups. This isolates the impact to only the data encrypted with that specific key, and key rotation further limits the window of exposure. In contrast, sharing a single key file across servers creates a single point of failure, as compromising one server reveals the key for all backups.

Exam trap

The trap here is that candidates may think renaming or hiding the key file (Option A) is a valid security measure, but CompTIA tests the principle that security through obscurity (hiding files) is not a substitute for proper key management and isolation.

How to eliminate wrong answers

Option A is wrong because renaming the key file does not change the underlying cryptographic material; an attacker who compromises the server can still locate and use the key file regardless of its name, as file enumeration or registry searches can find it. Option B is wrong because SHA-256 is a hashing algorithm, not an encryption algorithm; it is one-way and cannot be used to encrypt or decrypt backups, making backups unrecoverable. Option D is wrong because emailing the key file to backup operators exposes the key in transit and at rest in email systems, violating security best practices and increasing the risk of interception or unauthorized access.

141
MCQhard

Based on the exhibit, what should the administrator do next?

A.Install the update because a longer hash means the file is newer.
B.Re-download the update from the trusted source and verify the hash again.
C.Rename the file to match the vendor’s naming convention and retry installation.
D.Disable SHA-256 verification because patch files often change after download.
AnswerB

A hash mismatch means the local file does not match the vendor-published value. The safest next step is to obtain a fresh copy from a trusted source and compare the hash again. That helps determine whether the original download was corrupted in transit or tampered with before deployment.

Why this answer

Option B is correct because if the hash of a downloaded file does not match the vendor-published hash, the file is likely corrupted or tampered with. The administrator should delete the corrupted file, re-download it from the trusted source, and recompute the hash to ensure integrity before installation. This follows the principle of verifying file integrity via cryptographic hashing (e.g., SHA-256) before applying updates.

Exam trap

The trap here is confusing hash length or file naming with file integrity, leading candidates to think a longer hash means a newer file or that renaming fixes hash mismatches, when in fact only re-downloading and re-verifying the hash ensures the file is authentic and uncorrupted.

How to eliminate wrong answers

Option A is wrong because hash length (e.g., SHA-256 vs SHA-512) is unrelated to file version or freshness; a longer hash does not indicate a newer file. Option C is wrong because renaming a file does not change its content or hash, so it will not resolve a hash mismatch. Option D is wrong because disabling SHA-256 verification would bypass integrity checks, allowing potentially malicious or corrupted files to be installed, which violates security best practices.

142
Multi-Selecteasy

A company wants controls that rely on people and documented direction rather than technology. Which two are administrative controls? Select two.

Select 2 answers
A.Security awareness training program
B.Badge reader at the server room door
C.Password policy requiring minimum length
D.Host-based firewall on laptops
E.Encryption of data on the hard drive
AnswersA, C

This is an administrative control because it teaches users expected behavior and security responsibilities.

Why this answer

Security awareness training program (A) is an administrative control because it relies on people following documented procedures and policies rather than technology. It educates employees on security risks and expected behaviors, such as recognizing phishing attempts, which is a directive-based measure without hardware or software enforcement.

Exam trap

The trap here is that candidates confuse physical controls (like badge readers) or technical controls (like firewalls and encryption) with administrative controls, because they involve human action (swiping a badge) or are documented in policies, but the key distinction is whether the control relies on technology enforcement or human compliance with documented direction.

143
Matchingeasy

Match each principle to the scenario that best illustrates it.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

A database account can update records but cannot approve purchases.

A contractor can view only the log source tied to the assigned ticket.

One person prepares a wire transfer and another authorizes it.

The portal checks the device and user again before each sensitive action.

The application is protected by MFA, filtering, and endpoint controls.

Why these pairings

Least privilege limits access rights; separation of duties divides critical tasks; defense in depth uses multiple security layers; need to know restricts data access; accountability tracks actions; fail safe ensures security on failure.

144
MCQeasy

A company wants to reduce the chance that a stolen password can be used to access employee email. Which control is the best fit?

A.Password complexity requirements only
C.Daily backup verification
D.Security awareness posters
AnswerB

Multi-factor authentication adds another verification step beyond the password, so an attacker who steals only a password still cannot easily log in. It is a practical preventive control for reducing account takeover risk, especially for email and other internet-facing services where passwords may be phished, reused, or exposed in breaches.

Why this answer

Multi-factor authentication (MFA) requires at least two different authentication factors (e.g., something you know like a password and something you have like a time-based one-time password from an authenticator app). Even if an attacker steals the password, they cannot access the email without the second factor, directly reducing the risk of credential theft leading to account compromise.

Exam trap

The trap here is that candidates often choose password complexity (A) thinking stronger passwords prevent theft, but the question explicitly states the password is already stolen, so only a second factor like MFA can block its use.

How to eliminate wrong answers

Option A is wrong because password complexity requirements only make passwords harder to guess or crack, but they do nothing to prevent a stolen password from being reused by an attacker who already possesses it. Option C is wrong because daily backup verification ensures data recoverability in case of loss or ransomware, but it does not prevent unauthorized access to email accounts. Option D is wrong because security awareness posters educate users about threats but provide no technical enforcement to block an attacker using a stolen password.

145
MCQeasy

An employee receives a phone call from someone claiming to be IT and asking for a one-time verification code to "fix" the employee's account. What is the best response?

A.Provide the code quickly so the support call can be completed without delay.
B.Refuse to share the code and report the call through the company's security process.
C.Reply to the caller by email with the code and ask them to confirm receipt.
D.Change the password immediately and then tell the caller the new password.
AnswerB

The safest response is to refuse the request and report it through the organization’s approved security process. One-time codes should never be shared because they can be used to bypass MFA and hijack the account. Reporting the call helps the security team warn others, investigate the attempt, and reduce the chance of a successful attack.

Why this answer

Option B is correct because it follows the principle of never sharing authentication factors, especially one-time verification codes, with anyone over the phone. This scenario is a classic social engineering attack (vishing) where the attacker attempts to bypass multi-factor authentication (MFA) by tricking the employee into revealing a time-based one-time password (TOTP) or similar code. Reporting the call through the company's security process allows the incident to be investigated and mitigates further risk.

Exam trap

The trap here is that candidates may think providing the code is harmless because it is 'one-time' or that changing the password is a proactive security measure, but both actions directly hand over authentication secrets to an unverified caller.

How to eliminate wrong answers

Option A is wrong because providing the code directly enables the attacker to authenticate as the employee, compromising the account and any MFA-protected resources. Option C is wrong because replying by email with the code still shares the secret with an unverified caller, and email is not a secure channel for transmitting authentication factors; it also does not verify the caller's identity. Option D is wrong because changing the password and then telling the caller the new password gives the attacker direct access to the account, bypassing any security controls; the employee should never share credentials with anyone.

146
MCQeasy

A finance manager can view only the reports needed for monthly budgeting and cannot see payroll details. Which principle is being applied?

A.Need-to-know, because access is limited to information required for the job.
B.Zero trust, because the manager uses a password to sign in.
C.Separation of duties, because the manager is part of finance.
D.Defense in depth, because only one report system is being used.
AnswerA

Need-to-know limits access to information based on business need. The finance manager can view budgeting reports, but payroll details are withheld because they are not required for the role.

Why this answer

The principle of need-to-know restricts access to only the information necessary for an individual to perform their job duties. In this scenario, the finance manager can view only monthly budgeting reports and is explicitly blocked from payroll details, which aligns directly with need-to-know. This is typically enforced through access control lists (ACLs) or role-based access control (RBAC) policies that limit data visibility based on job function.

Exam trap

The trap here is confusing need-to-know with least privilege, as both limit access, but need-to-know specifically restricts data visibility rather than system permissions or actions.

How to eliminate wrong answers

Option B is wrong because zero trust is a security model that assumes no implicit trust and requires continuous verification of every access request, not simply using a password to sign in. Option C is wrong because separation of duties divides critical tasks among multiple people to prevent fraud or error, not to limit data visibility based on job role. Option D is wrong because defense in depth involves multiple layers of security controls (e.g., firewalls, IDS, encryption), not restricting access to a single report system.

147
Matchingeasy

Match each control type to the best description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Stops a threat before it succeeds.

Identifies an event after or while it is happening.

Fixes a problem after it has occurred.

Discourages an attacker from trying.

Provides an alternate safeguard when the preferred control is not possible.

Why these pairings

Control types are categorized by nature: administrative involves rules, technical involves technology, physical involves tangible barriers, logical involves software-based access, operational involves processes, and legal/regulatory involves compliance.

148
Multi-Selectmedium

A company wants to detect unauthorized changes to production server configurations before users notice an outage. Which two controls best fit this goal? Select two.

Select 2 answers
A.File integrity monitoring on critical system files
B.Centralized alerting on configuration-change events from the SIEM
C.Full-disk encryption on the server volumes
D.Multifactor authentication for remote administrators
E.Network segmentation between user VLANs and server VLANs
AnswersA, B

This detects unexpected changes to protected files and configuration artifacts after they occur.

Why this answer

File integrity monitoring (FIM) on critical system files is correct because it detects unauthorized changes by comparing current file hashes against a known-good baseline. When a change occurs, FIM generates an alert, enabling the security team to investigate before users notice an outage. This directly addresses the goal of detecting configuration tampering proactively.

Exam trap

The trap here is that candidates often confuse preventive controls (like encryption or MFA) with detective controls (like FIM and SIEM alerting), leading them to select options that prevent access but do not detect changes after they happen.

149
MCQmedium

An organization is redesigning access for a finance application. Employees should be able to approve expense reports only within their assigned job roles, and every approval must be traceable to the individual user who performed it. Which access model best fits this requirement?

A.Mandatory access control, because a central authority labels each expense report by sensitivity.
B.Role-based access control, because permissions are assigned by job function and tied to named users.
C.Discretionary access control, because individual employees decide who can approve expenses.
D.Rule-based access control, because approval rights are determined only by the time of day.
AnswerB

RBAC matches a finance workflow where users inherit permissions based on job roles such as approver, reviewer, or auditor. It is easy to administer, supports least privilege, and works well when access should be consistent for groups with similar duties. The requirement to trace approvals to individuals is also satisfied when each person uses a unique account and actions are logged.

Why this answer

Role-based access control (RBAC) is the correct choice because it assigns permissions based on job functions (e.g., 'Finance Approver') and links those permissions to named user accounts. This ensures that only employees in the appropriate role can approve expense reports, and each approval action is logged against the specific user, providing non-repudiation and traceability.

Exam trap

The trap here is that candidates often confuse 'rule-based access control' (which uses condition-based rules like time-of-day) with 'role-based access control' (which uses job functions), leading them to select option D despite the question's clear focus on job roles and user traceability.

How to eliminate wrong answers

Option A is wrong because mandatory access control (MAC) uses system-enforced labels (e.g., classification levels) to control access, not job roles, and it does not inherently tie approvals to named users for traceability. Option C is wrong because discretionary access control (DAC) allows individual data owners to set permissions, which would violate the requirement that approvals be restricted to assigned job roles and would not guarantee centralized traceability. Option D is wrong because rule-based access control (RBAC is often confused with rule-based, but here the option describes time-of-day rules only, which is a specific attribute-based condition, not a model that assigns permissions by job function or ensures user-level traceability.

150
MCQmedium

After imaging laptops, the security team wants to ensure screen-lock timeouts, local admin restrictions, and USB storage controls remain consistent on every device even after users make changes. What is the best approach?

A.Rely on users to follow the build sheet during setup and avoid future changes.
B.Enforce a hardened baseline with configuration management and compliance checks.
C.Increase antivirus scan frequency so policy settings do not change.
D.Apply full disk encryption only, since it covers all endpoint hardening needs.
AnswerB

Correct. A hardened baseline defines the approved secure settings, and configuration management helps enforce those settings consistently across all laptops. Compliance checks detect drift after deployment, which is important when users or software might change security-related options. This approach directly supports secure configuration and repeatability at scale.

Why this answer

Option B is correct because configuration management tools (e.g., Microsoft Intune, Group Policy, or Ansible) can enforce a hardened baseline by applying settings like screen-lock timeouts, local admin restrictions, and USB storage controls. These tools also perform compliance checks to detect and remediate any drift caused by user changes, ensuring consistency across all devices.

Exam trap

The trap here is that candidates may confuse security controls like antivirus or encryption with configuration management, thinking they can prevent or revert policy changes, when in fact only a dedicated configuration management and compliance solution can enforce and remediate baseline settings.

How to eliminate wrong answers

Option A is wrong because relying on users to follow a build sheet is not enforceable; users can intentionally or accidentally change settings, leading to configuration drift and security gaps. Option C is wrong because increasing antivirus scan frequency does not prevent or revert changes to screen-lock, admin, or USB policies; antivirus focuses on malware detection, not configuration enforcement. Option D is wrong because full disk encryption protects data at rest but does not enforce screen-lock timeouts, local admin restrictions, or USB storage controls; it addresses only one aspect of endpoint hardening.

← PreviousPage 2 of 3 · 164 questions totalNext →

Ready to test yourself?

Try a timed practice session using only General Security Concepts questions.