CCNA General Security Concepts Questions

14 of 164 questions · Page 3/3 · General Security Concepts topic · Answers revealed

151 · MCQ · hard

During routine checks, configuration management finds several branch firewalls drifted from the approved baseline because a contractor changed settings locally. An automation job now compares each device nightly and automatically reapplies the approved configuration without waiting for a human ticket. Which control type is the automation?

A. Directive control
B. Detective control
C. Corrective control
D. Deterrent control

Answer: C

The automation runs after drift is detected and restores the approved baseline, which means it is correcting the affected system back to a known-good state. It does more than report the problem; it remediates the configuration. That is why the best answer is corrective control rather than detective or preventive control.

Why this answer

The automation job corrects a detected drift by automatically reapplying the approved configuration, which is a classic corrective control. Corrective controls are designed to remediate or reverse an unwanted change or security event after it has been detected. In this scenario, the nightly comparison is detective, but the automatic reapplication is the corrective action.

Exam trap

The trap here is that candidates see 'compares each device nightly' and mistakenly classify the entire process as detective, ignoring that the automatic reapplication is the corrective action that distinguishes the control type.

How to eliminate wrong answers

Option A is wrong because directive controls are policies, standards, or guidelines that define acceptable behavior (e.g., 'firewalls must use the approved baseline'), not automated remediation actions. Option B is wrong because detective controls identify or log a deviation (e.g., the nightly comparison itself), but the automation goes further by actively fixing the drift. Option D is wrong because deterrent controls discourage unwanted behavior through fear of consequences (e.g., warning banners or audit trails), not by automatically correcting configuration changes.

152 · MCQ · hard

Based on the exhibit, which principle should the organization enforce to reduce fraud risk while keeping the business process functional?

A. Least privilege, because each employee should only have the fewest permissions needed for the shared account.
B. Separation of duties, because no single user should be able to complete every high-risk finance step alone.
C. Need-to-know, because only employees with confidential financial data should see the workflow details.
D. Defense in depth, because the organization should add more security layers around the finance process.

Answer: B

Separation of duties is the best answer because the workflow shows one shared identity can create vendors, enter invoices, approve payments, and change bank details. That concentration enables fraud without a second set of eyes. Splitting those tasks across different roles prevents one person from controlling the entire transaction chain and creates accountability for each critical step.

Why this answer

Separation of duties (SoD) is the correct principle because it prevents any single employee from completing all steps in a high-risk financial transaction alone. By requiring at least two people to authorize and execute critical actions—such as initiating a payment and approving it—the organization reduces the risk of internal fraud without blocking the business workflow. This directly addresses the scenario where a single user could otherwise create, approve, and release a fraudulent payment.

Exam trap

The trap here is that candidates confuse least privilege (which limits permissions for a single user) with separation of duties (which splits a process across multiple users), even though the exhibit clearly shows a sequential workflow where a single user could perform all steps.

How to eliminate wrong answers

Option A is wrong because least privilege limits permissions for a shared account, but the core fraud risk here is not about excessive permissions on a shared account—it is about a single user being able to complete an entire high-risk process alone. Option C is wrong because need-to-know restricts access to confidential data based on job role, but the exhibit shows a workflow where the risk is sequential task completion, not data visibility. Option D is wrong because defense in depth adds multiple security layers (e.g., firewalls, IDS), but it does not specifically address the procedural control of splitting critical financial steps among different users.

153 · MCQ · medium

A help desk lead notices that several support technicians have broad administrator access across every department's systems so they can resolve tickets faster. After a phishing incident, management wants to reduce the damage if one technician account is compromised. What is the best security principle to apply when redesigning access?

A. Defense in depth
B. Least privilege
C. Need-to-know
D. Zero trust

Answer: B

Least privilege means each user receives only the access required to perform assigned duties. Reducing broad administrative rights lowers the impact of credential theft, malware, or accidental misuse. It is especially effective for support staff because their daily tasks usually need access to a limited set of systems rather than full administrative control across the environment.

Why this answer

The principle of least privilege dictates that users should be granted only the minimum permissions necessary to perform their job functions. By applying least privilege, each technician would receive access only to the specific systems and resources required for their role, rather than broad administrator access across all departments. This containment directly limits the blast radius of a compromised account, preventing an attacker from moving laterally to other departmental systems.

Exam trap

CompTIA often tests the distinction between least privilege and need-to-know, where candidates mistakenly choose need-to-know because it sounds similar, but least privilege is the correct principle for limiting system-level access rights and permissions.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy that combines multiple controls (e.g., firewalls, antivirus, intrusion detection) to protect assets; it does not specifically address the reduction of individual user permissions. Option C is wrong because need-to-know is a principle for data classification and access based on the necessity of information for a specific task, but it is typically applied to information access rather than administrative system privileges; least privilege is the more precise principle for limiting system-level permissions.

154 · Multi-Select · easy

Which two uses are appropriate for encryption in transit? Select two.

A. Protecting web login traffic with TLS
B. Secure remote administration with SSH
C. Storing a password as a hash
D. Comparing file integrity with a checksum
E. Sharing a symmetric key by email

Answers: A, B

TLS encrypts data while it travels between the browser and the server.

Why this answer

TLS (Transport Layer Security) encrypts web login traffic between a client and server, protecting credentials and session data from eavesdropping or tampering during transmission. This is a classic use of encryption in transit, as TLS operates at the transport layer to secure data moving across a network.

Exam trap

The trap here is that candidates confuse encryption in transit with data protection techniques used at rest (like hashing or checksums) or with key management practices, rather than focusing on protocols that actively encrypt data while it moves across a network.

155 · Matching · easy

Match each PKI term to what it does.


Issues and signs digital certificates.

Binds an identity to a public key.

Can be shared with others to encrypt data or verify signatures.

Must be kept secret and is used to decrypt or sign.

Removes trust from a certificate that should no longer be used.

Why these pairings

CA issues certificates, RA verifies identities, CRL lists revoked certificates, public key encrypts, private key decrypts, digital signature provides integrity and non-repudiation.

156 · Multi-Select · hard

A network team wants no single person to both approve and deploy a production firewall rule, and they also want the approval path to be defensible during an investigation. Which two control concepts best address the stated risk? Select two.

A. Separation of duties between the person requesting the change and the person implementing it.
B. Dual control requiring a second person to approve the rule.
C. Least privilege for the production change account.
D. Job rotation for every engineer each quarter.
E. Risk transference to the firewall vendor.

Answers: A, B

Separation of duties prevents one person from controlling every stage of a sensitive change. That reduces fraud risk and limits the chance that a single administrator can hide an unauthorized firewall rule.

Why this answer

Separation of duties ensures that no single person has the authority to both approve and deploy a production firewall rule, directly addressing the risk of unauthorized or fraudulent changes. By requiring different individuals for the request/approval and implementation steps, the organization creates a clear, auditable chain of accountability that can be defended during an investigation.

Exam trap

The trap here is that candidates often confuse dual control (Option B) with separation of duties, but dual control specifically requires two people to perform the same action (e.g., both enter a key), whereas separation of duties splits the approval and implementation into distinct steps, which is the more precise fit for the stated risk.

157 · MCQ · easy

A security manager wants to require that all company laptops use at least a 14-character password and lock after 10 minutes of inactivity. Which document should define these mandatory settings?

A. Policy, because it is the broad statement of security intent only.
B. Standard, because it defines specific required technical values the company must follow.
C. Guideline, because it gives optional recommendations for device security.
D. Memo, because it is the normal formal document for security baselines.

Answer: B

A standard is the right document when the organization wants specific, mandatory technical requirements. Password length and screen-lock timeout are measurable settings, so they belong in a standard rather than a general policy. Standards make implementation consistent across systems and help administrators configure devices to the same baseline.

Why this answer

Option B is correct because a standard is the document type that defines mandatory, specific technical requirements, such as a minimum 14-character password length and a 10-minute inactivity lock. Policies are high-level statements of intent, while standards provide the enforceable, measurable parameters that implement that intent. In this scenario, the security manager needs a binding baseline, which is precisely the role of a standard.

Exam trap

The trap here is confusing a policy (broad intent) with a standard (specific, mandatory technical values), leading candidates to choose Option A because they think all security rules are policies, when in fact standards define the enforceable numbers.

How to eliminate wrong answers

Option A is wrong because a policy is a broad statement of security intent and does not include specific technical values like password length or lockout timers; it would reference a standard for those details. Option C is wrong because a guideline offers optional recommendations, not mandatory settings, so it cannot enforce a required 14-character password or 10-minute lock. Option D is wrong because a memo is an informal communication tool, not a formal document type for defining security baselines; it lacks the authority and structure of a standard.

158 · MCQ · hard

Based on the exhibit, which security principle does the organization appear to be using most clearly?

A. Zero trust, because all access is denied until a user proves identity again.
B. Defense in depth, because several different controls stop or limit the attack at different stages.
C. Least privilege, because the attachment was blocked from having administrator rights.
D. Need-to-know, because only the security team should be aware of the incident.

Answer: B

Defense in depth is demonstrated by multiple layers: email filtering, application control, EDR containment, MFA, and backup recovery. The attack is not stopped by one control alone. Instead, each layer provides a separate barrier or recovery path, reducing the chance that a single failure becomes a full compromise.

Why this answer

The exhibit shows multiple security controls—an email filter blocking the attachment, a web filter blocking the download link, and an endpoint detection and response (EDR) tool blocking execution—each acting at a different stage of the attack chain. This layered approach, where no single control is relied upon to stop the threat, is the hallmark of defense in depth. The correct answer is B because the scenario clearly demonstrates overlapping controls that provide redundancy and mitigate risk at various points.

Exam trap

The trap here is that candidates often confuse defense in depth with zero trust because both involve multiple controls, but zero trust specifically requires explicit verification for every access request, whereas defense in depth focuses on layered, independent safeguards without necessarily re-verifying identity at each layer.

How to eliminate wrong answers

Option A is wrong because zero trust requires continuous verification of identity and device posture for every access request, not just a one-time re-authentication; the exhibit shows no evidence of such per-request validation. Option C is wrong because least privilege restricts user permissions to the minimum necessary for their role, but the attachment was blocked by an email filter before any user could execute it, not by limiting the attachment's administrator rights. Option D is wrong because need-to-know restricts information access to only those who require it for their duties, but the exhibit focuses on technical controls blocking the attack, not on who is informed about the incident.

159 · Multi-Select · hard

After employees transfer departments, they keep access to old SaaS applications because app-specific accounts are removed only after a manual cleanup ticket. Which two changes best close the lifecycle gap? Select two.

A. Use automated provisioning and deprovisioning tied to HR events through SCIM or an equivalent interface.
B. Keep app accounts manually managed so each app owner can decide independently.
C. Map entitlements to IdP groups or roles based on job function.
D. Share a generic help desk password for quick access restoration.
E. Require password changes every 30 days for all users.

Answers: A, C

Automated lifecycle integration reduces delay and human error when employees change roles or leave. When HR events drive account updates, access can be removed or adjusted promptly across connected applications.

Why this answer

Option A is correct because automating provisioning and deprovisioning via SCIM (System for Cross-domain Identity Management) ties account lifecycle directly to HR events (e.g., termination, transfer). This eliminates the manual cleanup ticket gap by instantly removing or modifying access when an employee changes departments, ensuring no stale SaaS accounts remain.

Exam trap

The trap here is that candidates confuse password policies (Option E) with account lifecycle management, failing to recognize that frequent password changes do not remove orphaned accounts or close the provisioning gap.

160 · MCQ · medium

A financial institution updates its access control policy to require that two different system administrators must approve and execute any changes to the core transaction processing database. Which security principle is this practice primarily designed to enforce?

A. Defense in depth
B. Separation of duties
C. Least privilege
D. Need to know

Answer: B

Correct. Separation of duties ensures that no single person has exclusive authority over critical functions. By splitting approval and execution between two administrators, the risk of unauthorized or malicious changes is significantly reduced.

Why this answer

Requiring two different system administrators to approve and execute changes to the core transaction processing database enforces separation of duties. This principle ensures that no single individual has the authority to perform both the approval and execution steps, reducing the risk of fraud, error, or unauthorized modifications. In a financial institution, this is critical for maintaining the integrity of transaction data and complying with regulatory standards like SOX or PCI DSS.

Exam trap

The trap here is that candidates confuse separation of duties with least privilege, but least privilege focuses on limiting permissions per role, while separation of duties divides a critical process across multiple roles to prevent conflicts of interest.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, encryption) to protect assets, not a dual-approval workflow for a specific action. Option C is wrong because least privilege restricts users to the minimum permissions needed for their role, but the scenario focuses on splitting a critical task between two admins, not limiting their baseline access. Option D is wrong because need to know limits access to information based on job necessity, whereas the question describes a process control over changes, not data access restrictions.

161 · Multi-Select · hard

An internal audit found that a procurement team uses the shared account procure-approve to approve emergency purchases. The log only shows the shared account name, and managers say they cannot prove which person approved each request. Which two changes best improve accountability and nonrepudiation? Select two.

A. Replace the shared account with named user accounts and unique credentials.
B. Write approvals to an append-only, tamper-evident log with timestamps.
C. Require a longer password on the shared account.
D. Store screenshots of approval screens in a shared folder.
E. Encrypt the approval database at rest.

Answers: A, B

Named accounts make each approval attributable to one person, which is essential for accountability and later investigations. Unique credentials also prevent the common operational problem where a group can deny who actually performed an action.

Why this answer

Option A is correct because replacing the shared account with named user accounts and unique credentials ensures that each approval action is tied to a specific individual. This directly addresses the lack of accountability and nonrepudiation, as each user's unique credentials create a verifiable link between the person and the action, preventing repudiation of the approval.

Exam trap

The trap here is that candidates may think encryption (Option E) or stronger passwords (Option C) solve accountability issues, but these controls address confidentiality and authentication strength, not the fundamental need for individual identification and tamper-proof audit trails.

162 · MCQ · hard

Based on the exhibit, what additional control is the best fit?

Current controls on the finance share:
- SMB signing enabled
- Weekly access review
- Nightly backups to immutable storage
- Antivirus scans at 02:00

Incident: a valid VPN account was used to access 40,000 files in 8 minutes and copy them to a local drive.

Goal: detect unauthorized bulk access quickly before exfiltration completes.

A. Add file access auditing with alert thresholds forwarded to the SIEM.
B. Increase the backup schedule from nightly to hourly.
C. Rename the share to a less obvious name.
D. Disable SMB signing so the file transfer runs faster.

Answer: A

Auditing is a detective control that can identify abnormal bulk reads quickly and trigger timely response.

Why this answer

File access auditing with alert thresholds forwarded to the SIEM directly addresses the goal of detecting unauthorized bulk access quickly. By monitoring for abnormal file access patterns—such as 40,000 files in 8 minutes—the SIEM can trigger an alert before exfiltration completes, enabling rapid response. This control complements the existing weekly access review by providing real-time detection.

Exam trap

The trap here is that candidates may confuse backup frequency (a recovery control) with detection controls, or think that obscuring the share name provides meaningful security, when the question specifically asks for a control to detect unauthorized bulk access quickly.

How to eliminate wrong answers

Option B is wrong because increasing backup frequency from nightly to hourly does not detect or prevent unauthorized bulk access; backups are a recovery control, not a detection control. Option C is wrong because renaming the share to a less obvious name is a form of security through obscurity that does not detect or alert on anomalous access patterns. Option D is wrong because disabling SMB signing would actually reduce security by removing integrity verification of SMB traffic, and it does not provide any detection capability for bulk file access.

163 · Matching · easy

Match each principle to the workplace scenario.


A user must be verified each time they request access, even from inside the network.

The organization uses layered controls such as MFA, filtering, and endpoint protection.

A contractor can view only the project files required for assigned tasks.

A support technician receives only the minimum permissions needed to close tickets.

A website stays online after one server fails because another takes over.

Why these pairings

Least privilege restricts access to necessary functions; separation of duties prevents fraud; defense in depth layers security; need to know limits data access; accountability ties actions to individuals; fail safe maintains security during failures.

164 · MCQ · hard

Based on the exhibit, what is the best change to improve accountability without removing emergency access?

A. Keep the shared account and add more logging of the shared password.
B. Require named accounts with role-based elevation through a privileged access workflow.
C. Remove all command logging to protect administrator privacy.
D. Use a single shared account with a longer password and monthly rotation.

Answer: B

This is the best answer because the issue is accountability. Shared accounts prevent the organization from knowing which person performed the actions in the log. Named accounts plus privileged elevation preserve break-glass access while ensuring each command is tied to an individual identity. That improves accounting and auditability without removing the operational ability to maintain the system.

Why this answer

Option B is correct because implementing named accounts with role-based elevation through a privileged access workflow (PAW) ensures each administrator has a unique identity for auditing, while still allowing temporary privilege escalation for emergency tasks. This directly improves accountability by tying actions to specific users, unlike shared accounts which obscure individual responsibility. The workflow maintains emergency access by granting time-limited elevated permissions through an approval process, avoiding permanent standing privileges.

Exam trap

The trap here is that candidates may think improving logging (Option A) or password rotation (Option D) is sufficient for accountability, but CompTIA emphasizes that shared accounts inherently lack individual attribution, regardless of how much logging or rotation is applied.

How to eliminate wrong answers

Option A is wrong because simply adding more logging to a shared account does not solve the core accountability problem—multiple users still share the same credentials, making it impossible to attribute actions to a specific individual, and logging a shared password is irrelevant to user identification. Option C is wrong because removing command logging destroys the audit trail needed for accountability and incident investigation, violating the principle of non-repudiation and security best practices. Option D is wrong because using a single shared account with a longer password and monthly rotation still lacks individual accountability; password changes do not tie actions to specific users, and emergency access remains unmanaged without a privileged access workflow.
