CCNA Security Operations Questions

75 of 291 questions · Page 1/4 · Security Operations topic · Answers revealed

1
MCQ (medium)

A security analyst is responding to a potential ransomware incident on a Windows server that is still running. The analyst needs to preserve forensic evidence for analysis. Which of the following actions should the analyst perform first, based on the order of volatility?

A. Capture a full memory dump of the server
B. Shut down the server to prevent further damage
C. Create a forensic disk image of the hard drive
D. Run a full antivirus scan on the system
Answer: A

Correct. Memory is the most volatile data and should be captured first to preserve evidence such as running processes, network connections, and malware in memory. Any delay or system shutdown may cause this data to be lost.

Why this answer

The order of volatility dictates that the most volatile data (memory) must be captured first because it contains critical evidence like running processes, network connections, and encryption keys that will be lost when the system is powered off. A full memory dump preserves this volatile data before any other actions that could alter the system state.

Exam trap

The trap here is that candidates often think shutting down the server is the safest first step to contain damage, but CompTIA tests the forensic principle that volatile data must be preserved before any containment or remediation actions.

How to eliminate wrong answers

Option B is wrong because shutting down the server destroys volatile memory data and may trigger ransomware encryption routines or anti-forensic mechanisms. Option C is wrong because creating a forensic disk image is a lower-priority step that should occur after capturing memory, as disk data is less volatile. Option D is wrong because running a full antivirus scan modifies file access times, writes logs, and can alter the very evidence you are trying to preserve, violating forensic integrity.

2
MCQ (medium)

During malware response on a finance workstation, the system is still powered on and connected. The manager asks whether you can just reboot it to stop the issue. What is the best next step?

A. Reboot immediately to prevent any further damage from the suspected malware.
B. Capture volatile evidence and document the system state before containment actions.
C. Copy suspicious files to a shared drive and continue normal operations.
D. Run a full disk cleanup to remove temporary files and reduce risk.
Answer: B

This is the correct next step because evidence preservation comes before intrusive remediation when a system is still live. Memory, running processes, active network connections, and logged-on sessions may reveal malware behavior and scope. Documenting the time, state, and actions taken also supports the incident response process and helps preserve the integrity of later findings if the case requires internal review or legal action.

Why this answer

Option B is correct because in incident response, the first priority when a system is still powered on is to capture volatile evidence (e.g., memory contents, running processes, network connections) before any containment actions like rebooting. Rebooting would destroy this critical data, which may be essential for forensic analysis and understanding the malware's behavior. The order of volatility (RFC 3227) dictates that volatile data must be collected first to preserve evidence integrity.

Exam trap

The trap here is that candidates may think rebooting is a quick fix to stop malware, but CompTIA emphasizes that preserving volatile evidence is the critical first step before any containment action, as rebooting destroys that evidence.

How to eliminate wrong answers

Option A is wrong because rebooting immediately destroys volatile evidence (e.g., RAM contents, active network connections, running processes) that could be crucial for forensic analysis and determining the malware's origin and impact. Option C is wrong because copying suspicious files to a shared drive could spread the malware to other systems on the network, violating containment principles and increasing risk. Option D is wrong because running a full disk cleanup would delete temporary files that might contain malware artifacts or evidence, and it does nothing to stop the active malware or preserve forensic data.

3
MCQ (medium)

An organization's file server contains sensitive HR data. The security team discovers that permissions on a confidential folder have been altered. Which of the following security controls would MOST likely help determine the account responsible for this change?

A. Data loss prevention (DLP) system
B. Mandatory access control (MAC)
C. Audit logging
D. Host-based intrusion prevention system (HIPS)
Answer: C

Audit logging records user actions such as file access, modification, and permission changes. It provides a detailed trail that can be reviewed to identify the account responsible for altering permissions and the exact time of the change.

Why this answer

Audit logging is the correct answer because it records detailed information about who made changes to files and folders, including the account name, timestamp, and the specific permission alteration. By reviewing audit logs, the security team can trace the unauthorized permission change back to the responsible user account. This is a detective control that directly supports accountability and forensic investigation.

Exam trap

The trap here is that candidates often confuse a preventive control like MAC or HIPS with a detective control like audit logging, failing to recognize that only audit logs provide the specific account attribution needed for this scenario.

How to eliminate wrong answers

Option A is wrong because a Data Loss Prevention (DLP) system is designed to monitor and prevent unauthorized data exfiltration, not to track permission changes on a file server. Option B is wrong because Mandatory Access Control (MAC) enforces access policies based on labels and clearances, but it does not inherently log or identify the account that altered permissions. Option D is wrong because a Host-based Intrusion Prevention System (HIPS) focuses on detecting and blocking malicious activity such as malware or exploits, not on recording file permission modifications.

4
Multi-Select (easy)

A Linux administrator must run a weekly maintenance script on 40 servers without giving technicians interactive root access. Which two practices best support secure administration? Select two.

Select 2 answers
A. Use a dedicated service account with only the required commands.
B. Run the job through a scheduler or automation tool instead of manually logging in.
C. Share one root password across the whole team.
D. Embed the account password directly in the script.
E. Disable logging so the maintenance job runs faster.
Answers: A, B

A dedicated service account limits access to only the tasks the script needs.

Why this answer

Option A is correct because a dedicated service account with only the required commands implements the principle of least privilege. By using sudo or RBAC to restrict the account to exactly the commands needed for the maintenance script, the administrator avoids granting full root access while still allowing the script to execute with elevated privileges. This minimizes the attack surface and prevents unauthorized actions.

Exam trap

The trap here is that candidates may think sharing a root password is acceptable for team efficiency, but CompTIA emphasizes that shared credentials break accountability and violate security best practices, especially when interactive root access must be avoided.

5
MCQ (easy)

A SIEM correlation rule alerts when a single user account fails to authenticate 20 times in 5 minutes and then succeeds from the same source IP. What is the most likely reason the team should investigate this event?

A. The account was probably being used normally because the password was changed
B. The pattern may indicate password guessing or credential stuffing
C. The SIEM is misconfigured because all failed logons are false positives
D. The account is definitely malicious and should be deleted immediately
Answer: B

Repeated failures followed by a success can show automated guessing, and it is worth investigating for compromise.

Why this answer

The pattern of 20 rapid failed authentication attempts followed by a successful authentication from the same source IP is a classic indicator of a password guessing or credential stuffing attack. The attacker likely used a list of common passwords or previously compromised credentials, and the final success suggests they found a valid password. SIEM correlation rules are designed to detect such brute-force or spraying behaviors, and this event warrants immediate investigation to determine if the account is compromised.

Exam trap

The trap here is that candidates may dismiss the alert as a false positive due to a user forgetting their password, but the specific combination of rapid failures followed by success from the same IP is a textbook sign of a successful brute-force or credential stuffing attack, not normal user behavior.

How to eliminate wrong answers

Option A is wrong because a password change would not cause 20 rapid failures followed by a success from the same IP; normal usage does not exhibit this pattern, and password changes typically generate a single failure if the old password is used, not a burst of failures. Option C is wrong because failed logons are not inherently false positives; they are legitimate security events that can indicate attacks, and a properly configured SIEM should alert on such patterns to detect credential abuse.

6
MCQ (medium)

Based on the exhibit, which improvement best aligns the current backup design with the stated recovery targets?

A. Keep the same design but extend backup retention from 30 days to 90 days.
B. Switch to frequent incremental or snapshot backups stored in a separate, immutable location with routine restore tests.
C. Share the backup administrator password in a team chat so any engineer can restore data during an outage.
D. Remove backup encryption so restores run faster during an emergency.
Answer: B

The business needs a much smaller RPO and a faster RTO than the current design can deliver. More frequent backups reduce the amount of data lost, while a separate immutable repository improves resilience against ransomware and storage failures. Regular restore tests confirm that the chosen method actually meets the recovery objective in practice, not just on paper.

Why this answer

Option B is correct because the current backup design lacks off-site, immutable storage and routine restore testing, which are critical to meet recovery point and time objectives (RPO/RTO). Frequent incremental or snapshot backups in a separate, immutable location protect against ransomware and ensure data integrity, while routine restore tests verify that backups are actually recoverable when needed.

Exam trap

CompTIA often tests the misconception that simply extending retention or making backups faster (e.g., removing encryption) improves recovery, when in reality the key gaps are off-site immutability and restore testing to ensure recoverability against ransomware and operational errors.

How to eliminate wrong answers

Option A is wrong because extending retention to 90 days does not address the lack of off-site or immutable storage, nor does it improve recovery speed or reliability; it only keeps more data in the same vulnerable location. Option C is wrong because sharing the backup administrator password in a team chat violates the principle of least privilege and introduces a massive security risk, potentially allowing unauthorized access to backup systems. Option D is wrong because removing backup encryption would expose sensitive data in transit and at rest, violating confidentiality requirements and potentially compliance mandates, while any performance gain is negligible compared to the security loss.

7
MCQ (medium)

After a suspicious laptop is imaged with a write blocker, the original drive is sealed and stored. Before a second analyst examines the image, what is the most important next step to preserve admissibility?

A. Mount the image read/write so the analyst can browse faster.
B. Copy the image to a USB drive for easier transport.
C. Document the transfer in the chain-of-custody log and verify the image hash still matches the acquisition value.
D. Rename the evidence file to match the case number.
Answer: C

Chain-of-custody documentation shows who handled the evidence, when it changed hands, and why. Verifying the image hash against the acquisition hash proves the data has not changed since collection. Together, these steps support integrity and admissibility in administrative, HR, or legal reviews. A well-maintained log plus matching hashes is the standard way to show the evidence remained untampered during transfer and analysis.

Why this answer

Option C is correct because before a second analyst accesses the image, the most critical step is to update the chain-of-custody log to document the transfer of custody and to verify the integrity of the image by comparing its current hash value against the original acquisition hash. This ensures that the evidence has not been altered or corrupted since it was first imaged, which is essential for maintaining admissibility in legal proceedings under rules such as the Federal Rules of Evidence.

Exam trap

CompTIA often tests the misconception that renaming or copying evidence is a valid step for preservation, when in fact the core legal requirement is maintaining integrity verification and chain-of-custody documentation before any further handling.

How to eliminate wrong answers

Option A is wrong because mounting the image read/write would modify the file system metadata (e.g., last access timestamps) and potentially alter the image, breaking the hash integrity and rendering the evidence inadmissible. Option B is wrong because copying the image to a USB drive without first verifying the hash and documenting the transfer in the chain-of-custody log introduces a gap in the custody trail and risks integrity loss; the copy must be verified against the original hash, not just moved. Option D is wrong because renaming the evidence file to match the case number is a procedural convenience but does not address the legal requirements of chain-of-custody documentation or hash verification, and could cause confusion if the original filename is needed for forensic tool compatibility.

8
MCQ (medium)

A server room is located next to a chilled-water pipe, and facilities staff want the earliest possible warning if moisture starts leaking under the raised floor. Which control is the best fit?

A. Install water leak sensors tied into the environmental monitoring system.
B. Replace the badge reader with a biometric lock.
C. Add a security camera pointing at the server racks.
D. Move the servers onto a separate VLAN.
Answer: A

Water leak sensors provide early detection and alerting so staff can respond before equipment damage becomes severe.

Why this answer

Water leak sensors are specifically designed to detect the presence of moisture, and when integrated into an environmental monitoring system, they provide immediate alerts (e.g., SNMP traps or email notifications) at the earliest sign of a leak. This allows facilities staff to respond before water damages server equipment under the raised floor, meeting the requirement for earliest possible warning.

Exam trap

The trap here is that candidates may confuse physical security controls (like cameras or biometric locks) with environmental monitoring controls, failing to recognize that only a dedicated moisture sensor provides the earliest automated detection of a water leak.

How to eliminate wrong answers

Option B is wrong because a biometric lock controls physical access to the server room but does not detect moisture or provide any warning about water leaks. Option C is wrong because a security camera pointed at server racks can visually confirm a leak only after it has occurred and become visible, which is not the earliest possible warning and lacks automated alerting.

9
Multi-Select (hard)

An email security team receives a macro-enabled spreadsheet from a known supplier. The file must be analyzed before users open it, and if it proves malicious, the organization wants to stop the same attachment from reaching other inboxes. Which two tools are the best fit? Select two.

Select 2 answers
A. Sandboxing the attachment in an isolated environment.
B. Using a secure email gateway with attachment detonation and quarantine.
C. Network access control to verify the supplier's laptop posture.
D. Data loss prevention to block outbound customer records.
E. Intrusion detection system signatures on the mail server.
Answers: A, B

Sandboxing safely detonates the file so analysts can observe behavior without risking an endpoint or user workstation.

Why this answer

Sandboxing (A) is correct because it allows the file to be executed in an isolated, controlled environment to observe its behavior (e.g., network connections, file modifications) without risk to the production network. This is the standard method for analyzing suspicious attachments for zero-day or macro-based malware.

Exam trap

The trap here is that candidates may confuse network-based controls (NAC, IDS) with email-specific attachment analysis tools, forgetting that macro-enabled files require execution in a sandbox to detect malicious behavior, not just signature matching or endpoint posture checks.

10
MCQ (medium)

A security analyst notices repeated failed login attempts to a critical database server from a single external IP address over the past hour. The analyst reviews the authentication logs and sees that the account name used in each attempt is 'admin'. Which of the following security controls should the analyst recommend to mitigate this type of attack with minimal impact on legitimate users?

A. Configure an account lockout policy to lock the 'admin' account after three failed attempts.
B. Implement a temporary block rule on the perimeter firewall for the source IP address.
C. Disable the 'admin' account until the source IP can be investigated.
D. Require multi-factor authentication on the 'admin' account for all remote logins.
Answer: B

Blocking the attacking IP at the firewall immediately halts the malicious traffic without affecting other users or accounts. This is a quick, low-impact containment measure that can be reversed if it turns out to be a false positive, making it the best immediate response.

Why this answer

Option B is correct because implementing a temporary block rule on the perimeter firewall for the source IP address directly stops the attack at the network boundary, preventing further authentication attempts without affecting legitimate users who are not using that IP. This approach is a form of dynamic IP blocking, which is a common mitigation for brute-force attacks targeting a single account from a specific external source.

Exam trap

The trap here is that candidates often choose account lockout policies (Option A) because they seem like a direct countermeasure to failed logins, but they fail to recognize that locking a critical shared account like 'admin' can cause a denial of service for legitimate users, whereas blocking the source IP is a more targeted and less disruptive control.

How to eliminate wrong answers

Option A is wrong because locking the 'admin' account after three failed attempts would deny service to legitimate administrators who may need to use that account, and it does not prevent the attacker from simply switching to another account or continuing from a different IP. Option C is wrong because disabling the 'admin' account permanently until investigation would disrupt all administrative access to the database server, causing significant operational impact, and it does not address the source of the attack (the external IP).

11
MCQ (medium)

A security analyst detects unusual outbound traffic from a workstation that appears to be communicating with a known malicious IP address. The analyst immediately isolates the workstation from the network. Which of the following is the NEXT step in the incident response process according to NIST SP 800-61?

A. Eradication
B. Recovery
C. Containment
D. Lessons Learned
Answer: A

Eradication is the correct next step. After containment, the incident response team must remove the threat's root cause (e.g., malware, backdoors) to prevent recurrence. This logically follows isolation of the affected system.

Why this answer

According to NIST SP 800-61, the incident response process follows a sequence: Preparation, Detection & Analysis, Containment, Eradication, Recovery, and Lessons Learned. Since the analyst has already performed containment by isolating the workstation, the next step is Eradication, which involves removing the threat (e.g., malware, backdoors) from the affected system. This ensures the root cause is eliminated before moving to recovery.

Exam trap

The trap here is that candidates often confuse 'Containment' with the final isolation step, forgetting that NIST mandates a separate Eradication phase to eliminate the threat before recovery.

How to eliminate wrong answers

Option B is wrong because Recovery occurs after Eradication, focusing on restoring the system to normal operations, not removing the threat. Option C is wrong because Containment is the step already performed (isolating the workstation), so it cannot be the next step. Option D is wrong because Lessons Learned is the final step after Recovery, where the team reviews the incident to improve future response, not an immediate next step.

12
MCQ (medium)

A privileged account is used on a jump box at 02:15, and the SIEM shows multiple interactive logons from the same account to different servers within 10 minutes. The administrator says they used a password vault for the session. Which log source best confirms whether the access was authorized?

A. Privileged access management or password vault audit logs
B. DHCP lease logs from the jump box subnet
C. Printer server logs for the operations department
D. Web proxy logs for outbound browsing activity
Answer: A

PAM logs show who checked out credentials and whether the privileged session was approved and tracked.

Why this answer

The privileged access management (PAM) or password vault audit logs are the definitive source because they record exactly when a password was checked out, which user performed the checkout, and the specific session ID or ticket associated with the jump box use. Since the administrator claims the password vault was used, these logs will show the checkout event at 02:15 and the subsequent interactive logons, confirming whether the vault authorized the session. No other log source can tie the authentication to the vault's approval process.

Exam trap

The trap here is that candidates assume DHCP logs or generic server logs can validate authentication authorization, when in fact only the PAM audit trail provides the cryptographic proof of vault-mediated access.

How to eliminate wrong answers

Option B is wrong because DHCP lease logs only record IP address assignments and timestamps for devices on the subnet; they do not capture authentication events, user identity, or whether a password vault was used, so they cannot confirm authorization. Option C is wrong because printer server logs only track print jobs and printer-related activity, which are irrelevant to interactive logons or privileged access management; they provide no data about authentication or vault usage.

13
Matching (hard)

Match each incident response activity to the phase of the incident response lifecycle it best represents. Use each option once.
1. A SOC analyst disables a compromised account, isolates the workstation from the network, and preserves volatile evidence.
2. The team images the infected system, removes the malicious persistence mechanism, and patches the exploited vulnerability.
3. After restoring services, the team reviews timeline gaps, detection delays, and control failures with management.
4. Before the attack occurs, the team verifies contact lists, playbooks, escalation paths, and backup credentials.
5. The team confirms suspicious authentication logs, endpoint alerts, and unusual outbound traffic indicate an active compromise.


Concepts
Containment
Eradication
Lessons learned
Preparation
Identification

Why these pairings

Activities 1 and 2 both fall under Containment, Eradication, and Recovery, as they involve immediate response and remediation. Activity 3 is Post-Incident Activity, focusing on lessons learned. Activity 4 is Preparation, done before an incident. Activity 5 is Detection and Analysis, confirming an incident.

14
MCQ (medium)

After confirming malicious activity on a workstation, the incident lead wants the system cleaned up quickly. The analyst has not yet collected any volatile data. What should the analyst do before remediation begins?

A. Capture volatile evidence such as memory and running process information before changing the system.
B. Immediately uninstall every suspicious application and delete related files.
C. Restore the workstation from backup before documenting the incident.
D. Close the incident because the malicious activity has already been confirmed.
Answer: A

Volatile data disappears quickly and often contains the best clues about active malicious behavior, injected code, network connections, and open sessions. Capturing memory and process state before cleanup preserves that evidence for later analysis. Once remediation begins, many of those artifacts are lost or altered. In an incident response workflow, evidence collection should happen before eradication whenever the system is still available and safe to examine.

Why this answer

Option A is correct because volatile data (e.g., memory contents, running processes, network connections) is lost when the system is powered off or changed. The analyst must capture this evidence first to preserve forensic artifacts that can identify the root cause, scope, and indicators of compromise (IOCs) before remediation alters the system state.

Exam trap

The trap here is that candidates may prioritize speed of remediation over proper forensic procedure, forgetting that volatile data is the most time-sensitive evidence and must be collected before any system changes occur.

How to eliminate wrong answers

Option B is wrong because immediately uninstalling applications and deleting files destroys volatile evidence and may trigger anti-forensic mechanisms, preventing full analysis of the attack. Option C is wrong because restoring from backup overwrites the current system state, erasing all volatile and non-volatile evidence needed for investigation and legal proceedings. Option D is wrong because confirming malicious activity does not complete the incident response process; the analyst must still collect evidence, contain the threat, and perform root cause analysis before closure.

15
MCQ (hard)

Based on the exhibit, what is the most likely SOC conclusion and next action? A scheduled alert fired on a server that repeatedly connects to a vendor update site at fixed intervals. The security team wants to know whether the alert represents a real threat or a harmless operational pattern.

A. Treat the activity as confirmed command-and-control traffic and isolate the server immediately.
B. Classify the alert as a likely false positive, verify it against the maintenance record, and tune the rule.
C. Assume DNS poisoning is occurring and immediately flush the DNS cache on every endpoint.
D. Open a credential theft incident and reset all administrator passwords across the environment.
Answer: B

The logs show a signed, approved patch agent on a server explicitly assigned to patch management, connecting to the vendor update host on a predictable schedule. That pattern matches normal operations rather than covert beaconing. The best SOC action is to validate the asset and change context, document the finding, and tune the detection logic or allowlist the known-good behavior.

Why this answer

The scheduled alert firing at fixed intervals to a known vendor update site strongly suggests a legitimate update or heartbeat mechanism, not malicious C2 traffic. Option B correctly directs the analyst to verify against maintenance records (confirming the pattern is expected) and then tune the rule to reduce future false positives, which is the standard SOC workflow for benign scheduled activity.

Exam trap

The trap here is that candidates see 'scheduled alert' and 'fixed intervals' and immediately think of C2 beaconing, but the key differentiator is the destination being a known vendor update site, which points to a false positive rather than a threat.

How to eliminate wrong answers

Option A is wrong because isolating the server immediately for confirmed C2 traffic is premature; the traffic is to a known vendor update site at fixed intervals, which is the opposite of typical C2 behavior (which uses irregular patterns and often non-standard ports). Option C is wrong because DNS poisoning would cause traffic to unexpected IPs, not a known vendor site, and flushing DNS cache on every endpoint is an extreme, unnecessary action for a single scheduled alert. Option D is wrong because credential theft incidents involve unauthorized access or lateral movement, not a server making outbound connections to a vendor site; resetting all admin passwords would be a massive overreaction and disrupt operations without evidence.

16
MCQ (easy)

An office loses power several times each month, causing servers to shut down without warning. Which control best helps keep the systems running long enough for a safe shutdown?

A. A UPS sized to support the equipment for a short period.
B. A better wallpaper design in the server room.
C. A stronger password for the power strip.
D. More user awareness training about turning monitors off.
Answer: A

A UPS is the best control because it provides temporary battery power during outages, giving systems time to continue running briefly or shut down cleanly. This reduces the chance of data loss and hardware damage. It is a common environmental safeguard for servers and other critical devices that must survive short power interruptions.

Why this answer

A UPS (Uninterruptible Power Supply) provides battery backup power to connected equipment, allowing servers to continue running for a short duration after a power loss. This gives administrators enough time to perform a safe, orderly shutdown, preventing data corruption and hardware damage from abrupt power loss.

Exam trap

The trap here is that candidates may confuse a UPS with a surge protector or power strip, thinking that any power-related device provides backup runtime, when only a UPS with battery storage can keep systems running after a power failure.

How to eliminate wrong answers

Option B is wrong because wallpaper design has no impact on power continuity or safe shutdown procedures; it is purely cosmetic. Option C is wrong because a stronger password for the power strip does not provide backup power or enable graceful shutdown; power strips do not manage power loss events. Option D is wrong because user awareness training about turning monitors off does not address the need for servers to remain powered during an outage; it focuses on energy savings, not uptime or safe shutdown.

17
Multi-Select (hard)

A finance workstation begins encrypting local files, and the EDR console shows the process is also enumerating SMB shares on adjacent hosts. The user reports no suspicious email and is still logged in. Management wants the fastest containment step that minimizes spread and the best follow-up action to preserve useful evidence. Which two actions should the SOC take first? Select two.

Select 2 answers
A.Isolate the affected endpoint from the network using EDR or NAC.
B.Power the system off immediately to stop encryption and preserve nothing else.
C.Capture volatile evidence such as memory, running processes, and active connections before wiping the host.
D.Begin restoring files from backup on the same workstation before containment is finished.
E.Reenable the user's mapped drives so they can verify which files are affected.
AnswersA, C

Removing the host from the network immediately limits lateral movement and command-and-control communication while preserving the running system for analysis.

Why this answer

Isolating the affected endpoint from the network using EDR or NAC (Option A) is the fastest containment step because it immediately stops the ransomware from encrypting SMB shares on adjacent hosts, preventing lateral spread. This action preserves the system's state for forensic analysis, unlike powering off, which destroys volatile evidence.

Exam trap

The trap here is that candidates may confuse 'fastest containment' with 'immediate power-off' (Option B), failing to recognize that isolation via EDR/NAC stops lateral movement without destroying volatile evidence, which is essential for attribution and recovery.

18
MCQmedium

After restoring a virtualized file server from backup, users can log in but the accounting application returns database consistency errors. What should you do next?

A.Declare the restore successful because the virtual machine boots and users can sign in.
B.Verify the restore in an isolated environment and confirm application-level integrity and permissions.
C.Increase the backup retention period and wait for the next scheduled full backup.
D.Delete the backup set to prevent confusion with the restored data.
AnswerB

This is the best next step because a restore is only useful if the data and application work as expected. Testing in an isolated environment lets you confirm database consistency, file permissions, application dependencies, and any version mismatches without risking production impact. That approach also helps determine whether the backup itself is valid or whether a separate application or storage issue is causing the errors.

Why this answer

Option B is correct because the restore process must be validated beyond basic boot and login functionality. Database consistency errors indicate that the application-level data integrity was compromised during the restore, likely due to missing or inconsistent database files, permissions, or transaction logs. Verifying the restore in an isolated environment allows you to test application-specific integrity checks (e.g., DBCC CHECKDB for SQL Server) and confirm that file permissions and security descriptors are intact before returning the server to production.

Exam trap

The trap here is that candidates assume a successful VM boot and user login equate to a complete restore, overlooking the need to validate application-level data integrity and permissions in an isolated test environment.

How to eliminate wrong answers

Option A is wrong because declaring success based solely on VM boot and user login ignores the critical application-level integrity failure; database consistency errors mean the restore is incomplete or corrupted. Option C is wrong because increasing backup retention and waiting for the next full backup does not address the current data integrity issue and delays resolution. Option D is wrong because deleting the backup set would destroy the only source for a potential re-restore or forensic analysis, and it does not fix the consistency errors.

19
MCQmedium

A web application was updated at 10:00. At 10:05, the SIEM reports a sharp rise in HTTP 500 errors and WAF blocks from the same source range. The application owner says customers are seeing failures only on the new checkout page. What is the best next step?

A.Close the incident because the WAF is blocking the suspicious traffic.
B.Correlate deployment, WAF, and application logs to determine whether the release or an attack caused the failures.
C.Disable all customer accounts until the failures disappear from the dashboard.
D.Increase the server's disk space and memory thresholds immediately.
AnswerB

This is the best next step because the timing strongly suggests either a bad deployment or an exploit attempt against the new checkout page. Correlating release records with WAF events and application logs helps determine whether the errors are caused by a coding defect, an input validation issue, or hostile traffic. That analysis lets the team respond appropriately instead of assuming the WAF alone has solved the problem.

Why this answer

Option B is correct because the temporal correlation between the deployment at 10:00 and the spike in HTTP 500 errors and WAF blocks at 10:05 strongly suggests a causal relationship. The best next step is to correlate deployment logs, WAF logs, and application logs to determine whether the new checkout page code introduced a bug (causing 500 errors) or whether an attacker is exploiting a vulnerability in the new code (triggering WAF blocks). This diagnostic step avoids premature conclusions and ensures the root cause is identified before any remediation.

Exam trap

The trap here is that candidates may assume WAF blocks always indicate an attack and choose Option A, failing to recognize that a recent deployment could introduce bugs that cause both 500 errors and false positive WAF triggers.

How to eliminate wrong answers

Option A is wrong because closing the incident while customers are actively experiencing failures on the new checkout page ignores the business impact and the possibility that the WAF blocks are a symptom of a misconfigured release, not a successful defense. Option C is wrong because disabling all customer accounts is an extreme, disruptive action that would cause massive business harm without any evidence that accounts are compromised; the issue is isolated to a single page and likely a code or configuration problem. Option D is wrong because increasing disk space and memory thresholds does not address HTTP 500 errors or WAF blocks; these are application-layer or security-layer issues, not resource exhaustion problems.

20
Multi-Selectmedium

EDR flags a word processor that launched encoded PowerShell and then made an outbound HTTPS connection to a rare domain. Which two actions should the analyst take first from the EDR console? Select two.

Select 2 answers
A.Isolate the endpoint from the network to stop further communication and lateral movement.
B.Collect a live response package or volatile data from the host before remediation begins.
C.Uninstall the word processor immediately because it is the process that launched PowerShell.
D.Reboot the laptop right away to clear the encoded PowerShell process from memory.
E.Whitelist the rare domain temporarily to see whether the connection is business-related.
AnswersA, B

This is the primary containment action because the host shows behavior consistent with active compromise and command execution. Network isolation limits attacker reach, preserves the current state, and reduces the chance of credential theft or lateral movement. EDR-based isolation is fast, reversible, and appropriate before more invasive remediation steps.

Why this answer

Option A is correct because isolating the endpoint from the network immediately stops the outbound HTTPS connection to the rare domain, preventing data exfiltration and blocking potential lateral movement. This is a critical first step in containment, as the encoded PowerShell and rare domain strongly suggest a malicious payload or C2 communication.

Exam trap

The trap here is that candidates may prioritize remediation (uninstalling or rebooting) over containment and evidence preservation, failing to recognize that isolation and data collection are the mandated first steps in incident response according to NIST SP 800-61.

21
MCQmedium

A SIEM analyst reviews authentication logs and sees the following pattern over 15 minutes: 68 different user accounts each had one failed login attempt from the same source IP, followed by no lockouts, and then one of the accounts successfully authenticated from that same IP using a valid password. What is the most likely explanation?

A.A brute-force attack against a single account using many password guesses.
B.A password spraying attack using common passwords across many accounts.
C.A replay attack using captured authentication traffic.
D.A successful SSO federation event after a directory sync delay.
AnswerB

This pattern matches password spraying because the attacker tests a small number of common guesses against many accounts to avoid lockouts.

Why this answer

The pattern of 68 different user accounts each experiencing a single failed login attempt from the same source IP, followed by one successful authentication from that IP using a valid password, is the classic signature of a password spraying attack. In password spraying, the attacker tries a small number of common passwords (often just one) against many accounts to avoid triggering account lockout policies, which typically lock an account after a small number of consecutive failures (e.g., 3–5 attempts). The single success indicates the attacker found an account using a weak or common password.

Exam trap

CompTIA often tests the distinction between brute-force (many passwords, one account) and password spraying (one password, many accounts), and the trap here is that candidates see 'failed login attempts' and immediately assume brute-force without noticing the unique pattern of one failure per account.

How to eliminate wrong answers

Option A is wrong because a brute-force attack against a single account would show many failed attempts for that one account (e.g., dozens or hundreds), not one failure each across 68 different accounts. Option C is wrong because a replay attack would involve capturing and retransmitting valid authentication traffic (e.g., Kerberos tickets or NTLM hashes), not a pattern of failed logins followed by a single success; replay attacks do not generate failed login events from the attacker's perspective. Option D is wrong because an SSO federation event after a directory sync delay would not produce 68 failed logins from the same IP; SSO events typically show a single successful authentication via a token or assertion (e.g., SAML response), not a spray of failures.
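The spray-versus-brute-force distinction this question turns on, as an added example that is not part of the question bank: it replays constructed authentication log lines in a hypothetical format and classifies each source IP by how its failures are spread across accounts, reporting which failed-then-succeeded account the single success points at. The log format, IP addresses, thresholds and helper names are all assumptions.

```python
"""Classify failed-login patterns as password spraying or brute force.

Added example, not part of the question bank: it replays constructed
authentication log lines in a hypothetical format and applies the
distinction the question tests. Spraying: one or two failures per
account across many accounts from one source, staying under the
lockout threshold. Brute force: many failures against one account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not a real product's format):
#   <ISO timestamp>Z src=<ip> user=<account> result=<FAIL|SUCCESS>
SPRAY_IP = "203.0.113.7"    # RFC 5737 documentation addresses, constructed
BRUTE_IP = "198.51.100.9"
BASE = datetime(2024, 5, 1, 9, 0, 0)


def _line(ts, src, user, result):
    return f"{ts.isoformat()}Z src={src} user={user} result={result}"


def build_sample_log():
    """Constructed log mirroring the question: 68 accounts with one failure
    each from SPRAY_IP inside 15 minutes, then one success; plus a classic
    brute force against a single account from BRUTE_IP and normal traffic."""
    lines = []
    for i in range(68):  # one guess per account, about 13 s apart
        lines.append(_line(BASE + timedelta(seconds=13 * i), SPRAY_IP,
                           f"user{i:03d}", "FAIL"))
    lines.append(_line(BASE + timedelta(minutes=14, seconds=50), SPRAY_IP,
                       "user042", "SUCCESS"))
    for i in range(40):  # many guesses against one account, 2 s apart
        lines.append(_line(BASE + timedelta(seconds=2 * i), BRUTE_IP,
                           "svc-backup", "FAIL"))
    lines.append(_line(BASE + timedelta(minutes=3), "192.0.2.10", "alice", "SUCCESS"))
    lines.append(_line(BASE + timedelta(minutes=4), "192.0.2.11", "bob", "FAIL"))
    lines.append(_line(BASE + timedelta(minutes=5), "192.0.2.11", "bob", "SUCCESS"))
    return lines


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts_str, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts_str.rstrip("Z"))
    return event


def classify_sources(lines, window=timedelta(minutes=15),
                     spray_min_accounts=10, spray_max_per_account=2,
                     lockout_threshold=5):
    """Return {source_ip: finding} for sources whose failures, within
    `window`, look like password spraying or brute force.

    spray_max_per_account is kept below a typical lockout threshold (3-5),
    because a sprayer deliberately stays under it; that is exactly why the
    question's pattern shows no lockouts. A slower spray spread over hours
    needs a longer window than the 15 minutes used here.
    """
    by_src = defaultdict(list)
    for event in map(parse_line, lines):
        by_src[event["src"]].append(event)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAIL"]
        if not fails or fails[-1]["ts"] - fails[0]["ts"] > window:
            continue
        per_account = defaultdict(int)
        for e in fails:
            per_account[e["user"]] += 1
        # A success on a previously failed account from the same source is
        # the "one valid password found" signal in the question.
        compromised = sorted({e["user"] for e in events
                              if e["result"] == "SUCCESS"
                              and e["user"] in per_account
                              and e["ts"] >= fails[0]["ts"]})
        worst = max(per_account.values())
        if len(per_account) >= spray_min_accounts and worst <= spray_max_per_account:
            pattern = "password_spray"
        elif worst >= lockout_threshold:
            pattern = "brute_force"
        else:
            continue  # ordinary user typos: few accounts, few failures
        findings[src] = {"pattern": pattern, "accounts": len(per_account),
                         "failures": len(fails), "compromised": compromised}
    return findings


if __name__ == "__main__":
    for src, finding in classify_sources(build_sample_log()).items():
        print(src, finding)
```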

22
MCQmedium

Security receives a company laptop used in an insider theft investigation. A manager wants the device moved to another office for review by legal staff. Which action best supports chain of custody?

A.Power on the laptop to confirm the user profile and recent activity before transport.
B.Place it in a labeled evidence bag, record the collector, time, location, and condition, and require signatures for each transfer.
C.Remove the drive and clone it without documenting the collection process.
D.Email a photo of the laptop to legal and leave the original on a desk.
AnswerB

Chain of custody depends on proving who handled the evidence, when, where, and in what condition. Documenting the device at collection, sealing it appropriately, and recording every transfer creates a defensible record that supports legal review. This approach reduces the risk of tampering claims and helps establish that the laptop was preserved from the moment it was seized until it reaches legal or forensic personnel.

Why this answer

Option B is correct because it follows the formal chain of custody process required for evidence handling. Placing the laptop in a labeled evidence bag with documented collector, time, location, and condition, along with requiring signatures for each transfer, ensures the integrity and admissibility of evidence by creating an unbroken audit trail. This aligns with NIST SP 800-86 and forensic best practices for maintaining custody of digital evidence.

Exam trap

CompTIA often tests the misconception that simply securing the device or performing preliminary analysis is sufficient, but the trap here is that any action altering the device state or lacking formal documentation breaks the chain of custody, even if the intent is to preserve evidence.

How to eliminate wrong answers

Option A is wrong because powering on the laptop alters system state, modifies timestamps, and can trigger encryption or anti-forensic mechanisms, thereby breaking the chain of custody and potentially destroying volatile evidence. Option C is wrong because removing the drive and cloning it without documenting the collection process violates chain of custody requirements; proper documentation of each step, including drive removal and cloning, is essential for evidence integrity. Option D is wrong because emailing a photo and leaving the original on a desk fails to secure the device, does not document transfer or condition, and provides no chain of custody, making the evidence inadmissible.

23
MCQeasy

A user reports a suspicious pop-up on a workstation and the SOC suspects malware. Which action should the responder take first to contain the threat?

A.Disconnect the workstation from the network
B.Wipe the workstation immediately
C.Return the workstation to the user after restarting it
D.Wait until the next patch cycle to see if the issue disappears
AnswerA

Isolating the host quickly limits the malware's ability to spread or communicate outward.

Why this answer

Disconnecting the workstation from the network immediately isolates the suspected malware, preventing it from communicating with command-and-control (C2) servers, spreading laterally to other hosts, or exfiltrating data. This is the first step in the NIST incident response containment phase, as it stops network-based propagation without destroying forensic evidence.

Exam trap

CompTIA often tests the misconception that immediate eradication (wiping) is the first step, but the correct order is containment first to stop the spread, then eradication and recovery.

How to eliminate wrong answers

Option B is wrong because wiping the workstation destroys volatile data and forensic artifacts (e.g., memory dumps, logs, malware binaries) that are critical for analysis and attribution. Option C is wrong because restarting the workstation may allow malware to execute persistence mechanisms or trigger destructive payloads, and returning it to the user risks further compromise. Option D is wrong because waiting for the next patch cycle leaves the threat active, allowing the malware to spread, escalate privileges, or cause data loss, violating the principle of timely containment.

24
Matchinghard

Match each SOC alert artifact to the most useful investigation pivot. Each pivot should help determine whether the alert is a true incident, a false positive, or part of a broader campaign.


Concepts
Matches

Check whether the pattern matches password spraying across accounts rather than a brute-force attempt on one user.

Pivot to parent-child process trees and script-block telemetry on the endpoint.

Compare the query pattern and periodicity for possible DNS tunneling or beaconing.

Correlate with scheduled tasks, recent file creation, and account activity for staging or exfiltration.

Review token/session logs and conditional-access telemetry to see whether a hijacked session or relay attack occurred.

Why these pairings

Each artifact is matched to a pivot that directly aids in verifying the alert's validity, whether by checking reputation, correlating with threat intelligence, or comparing against normal behavior.

25
MCQmedium

A security analyst receives an alert that a user's workstation is communicating with a known malicious IP address during off-hours. The analyst reviews the firewall logs and confirms the connection was established. Which of the following should the analyst perform NEXT to contain the threat?

A.Disable the user's account immediately.
B.Isolate the workstation from the network.
C.Run a full antivirus scan on the workstation.
D.Notify the user's manager of the policy violation.
AnswerB

Isolating the workstation stops all network communication, including the connection to the malicious IP. This is a direct containment action that prevents further exfiltration, command-and-control activity, or lateral spread.

Why this answer

Isolating the workstation from the network (Option B) is the immediate containment step because it stops the active communication with the known malicious IP address, preventing further data exfiltration, lateral movement, or command-and-control (C2) activity. This aligns with the NIST incident response framework's containment phase, which prioritizes stopping the threat before investigation or remediation. Disabling the user account (A) does not stop the network-level communication if the malware is running as a service or using cached credentials, and running a scan (C) or notifying management (D) are post-containment actions.

Exam trap

CompTIA often tests the distinction between containment and remediation, trapping candidates who choose to run an antivirus scan (Option C) first, when the correct incident response order is to isolate the host to stop the active threat before any scanning or notification.

How to eliminate wrong answers

Option A is wrong because disabling the user account stops interactive logins but does not block network traffic from a compromised workstation that may be running malware under a system account or using stored credentials; the malicious communication continues at the network layer. Option C is wrong because running a full antivirus scan is a remediation step that should occur after containment (isolation) to avoid alerting the malware or allowing it to spread during the scan; it does not stop the active C2 traffic. Option D is wrong because notifying the user's manager is an administrative notification step that does not contain the technical threat; the immediate priority is to sever the network connection to the malicious IP.

26
MCQmedium

A security analyst in a SOC receives an alert indicating that a large volume of data was transferred from a user's workstation to an external IP address at 2:00 AM. The analyst suspects a data exfiltration attack. According to incident response best practices, what should the analyst do FIRST?

A.Block the external IP address at the firewall.
B.Review the user's login and activity logs.
C.Contact the user to inquire about the transfer.
D.Restore the workstation from a known good backup.
AnswerB

Reviewing logs is the correct first step. It allows the analyst to verify the alert, see if the user was logged in, identify the process responsible for the transfer, and gather details necessary for informed decision-making.

Why this answer

Option B is correct because, in incident response, the first step is to gather evidence and understand the scope of the incident. Reviewing the user's login and activity logs (e.g., Windows Event Logs, authentication logs, and process creation logs) allows the analyst to verify if the user was actually logged in at 2:00 AM, identify any anomalous behavior (e.g., use of unauthorized tools or unusual file access patterns), and determine whether the data transfer was initiated by the user or by malware. This aligns with the NIST SP 800-61 incident response lifecycle, specifically the identification and analysis phase, where initial triage focuses on log review before taking containment actions.

Exam trap

The trap here is that candidates often jump to immediate containment (blocking the IP) or recovery (restoring from backup) without first verifying the alert through log analysis, which is a fundamental incident response principle emphasized in the SY0-701 exam.

How to eliminate wrong answers

Option A is wrong because blocking the external IP address at the firewall is a containment action that should be taken only after confirming the alert is a true positive and understanding the full scope of the exfiltration; premature blocking could destroy evidence (e.g., the connection may still be active for forensic capture) and may disrupt legitimate traffic if the IP is shared or dynamic. Option C is wrong because contacting the user directly risks alerting a potential insider threat, could lead to evidence tampering, and is not a reliable method for initial verification—logs provide objective, timestamped data. Option D is wrong because restoring the workstation from a known good backup is a recovery step that destroys volatile evidence (e.g., memory, recent logs, and malware artifacts) and should only be performed after thorough forensic analysis and containment.

27
Matchinghard

Match each detection pattern to the most likely security issue. Each item has one best match.


Concepts
Matches

Living-off-the-land or fileless malware execution

DNS tunneling or command-and-control beaconing

Password spraying or credential stuffing that succeeded

Compromised privileged credentials with persistence and post-exploitation activity

Why these pairings

Repeated login failures indicate brute-force; Outbound connections to malicious IPs suggest C2; Large data transfers at odd hours indicate exfiltration; Random DNS subdomains are typical of tunneling; Conflicting ARP replies show spoofing; Multiple ICMP requests from many sources indicate DDoS.

28
MCQmedium

After a ransomware incident, management learns the attacker's stolen domain admin credentials were used to delete recent online backups from the same backup network. Which backup strategy would have most reduced the chance of permanent backup loss?

A.Nightly incremental backups stored on the same file server as production data.
B.Immutable backups stored in a separate repository or offline location.
C.Hypervisor snapshots only, because they are always safer than backups.
D.Longer retention on the same backup share to keep more versions available.
AnswerB

Immutable or offline backups reduce the chance that stolen administrative credentials can alter or delete recovery data.

Why this answer

Immutable backups stored in a separate repository or offline location prevent deletion or modification by an attacker, even with domain admin credentials. This is because immutability enforces a write-once-read-many (WORM) policy, often implemented via object lock (e.g., S3 Object Lock) or a physical air gap, ensuring that backups cannot be altered or deleted before their retention period expires. In this scenario, the attacker's ability to delete online backups from the same network is mitigated because the immutable repository is isolated and resistant to credential-based tampering.

Exam trap

The trap here is that candidates may assume longer retention or same-server backups are sufficient, but the key is that immutability and isolation (air gap) are required to prevent an attacker with elevated credentials from deleting backups, which is a core concept tested in SY0-701 Domain 3.0 (Security Operations).

How to eliminate wrong answers

Option A is wrong because nightly incremental backups stored on the same file server as production data are vulnerable to the same ransomware attack and credential compromise, as the attacker can delete or encrypt them using the same domain admin credentials. Option C is wrong because hypervisor snapshots are not always safer than backups; they are typically stored on the same storage array as the VMs and can be deleted by an attacker with administrative access to the hypervisor, and they lack the isolation and immutability features of dedicated backup solutions. Option D is wrong because longer retention on the same backup share does not protect against deletion; the attacker can still delete all versions from the same share using the stolen credentials, as retention policies do not enforce immutability or separation.

29
MCQmedium

An ERP database is backed up nightly to a NAS that remains online and is managed with the same admin group as production servers. After a ransomware incident, management wants the most effective change to improve recovery assurance without redesigning the whole environment. What should be implemented?

A.Increase the NAS capacity so more backup jobs can be stored.
B.Add another full backup each night to create more copies on the same NAS.
C.Use an offline or immutable backup copy and perform regular restore tests.
D.Compress the backup files to reduce network usage during the nightly job.
AnswerC

An offline or immutable backup reduces the chance that ransomware can encrypt or delete recovery data, and restore testing proves that the backups actually work. This combination improves resilience more effectively than simply storing more data on the same always-online system.

Why this answer

Option C is correct because an offline or immutable backup copy ensures that ransomware cannot encrypt or delete the backup data, and regular restore tests verify that the backups are actually recoverable. This directly addresses the core requirement of improving recovery assurance without redesigning the environment, as it protects the backup from the same attack vector that compromised the production servers and the NAS managed by the same admin group.

Exam trap

The trap here is that candidates often assume more copies or more storage (options A and B) improve recovery assurance, but they fail to recognize that all copies on the same online, writable NAS are equally vulnerable to ransomware encryption or deletion, making isolation and immutability the key differentiators.

How to eliminate wrong answers

Option A is wrong because increasing NAS capacity only stores more backup jobs but does not protect existing backups from being encrypted or deleted by ransomware if the NAS remains online and accessible to the same admin group. Option B is wrong because adding another full backup to the same NAS creates more copies that are all equally vulnerable to the same ransomware attack, offering no isolation or protection. Option D is wrong because compressing backup files reduces network usage but does not improve recovery assurance; compressed files on the same online NAS are still susceptible to encryption or deletion by ransomware.

30
MCQmedium

A security analyst observes a pattern where an account exhibits multiple failed login attempts from an IP address in a foreign country, followed by a successful login from the same account but from a different IP address in another foreign country minutes later. The analyst wants to deploy a control that can automatically detect and alert on this type of anomalous user behavior, even if the individual login events are not blocked by existing rules. Which of the following security controls is BEST suited for this task?

A.Geofencing
B.Account lockout policy
C.User Behavior Analytics (UBA)
D.SIEM correlation rules
AnswerC

UBA establishes baselines of normal user activity and uses analytics to detect anomalies such as a series of failed logins followed by a successful login from a new geographic region. It is designed to identify suspicious behavioral patterns that other controls might miss.

Why this answer

User Behavior Analytics (UBA) is the best control because it uses machine learning to establish a baseline of normal user behavior (e.g., typical login locations, times, and IP ranges) and then detects anomalies such as a rapid sequence of failed logins from one foreign country followed by a successful login from another foreign country. Unlike static rules, UBA can identify this pattern as suspicious even if each individual login event is not blocked by existing rules, triggering an alert for further investigation.

Exam trap

The trap here is that candidates often choose geofencing because they focus on the 'foreign country' aspect, but they miss that the question requires detection of a behavioral pattern (failed then successful logins from different locations), not just location-based blocking.

How to eliminate wrong answers

Option A is wrong because geofencing blocks or allows access based on geographic location rules, but it cannot detect the anomalous pattern of failed logins followed by a successful login from a different foreign country—it would simply block or permit each login attempt independently based on the user's current location, missing the behavioral sequence. Option B is wrong because an account lockout policy only triggers after a predefined number of consecutive failed attempts (e.g., 5 failures within 15 minutes), but it does not analyze the geographic disparity or the temporal relationship between failed and successful logins, and it would not alert on the successful login from a different foreign IP.

31
MCQmedium

After restoring a virtual file server from last night’s backup, users can browse shares, but finance reports that several spreadsheet edits from yesterday are missing. What should the administrator verify next before declaring the restore successful?

A.Whether the backup job used the correct restore point and included the needed transaction logs.
B.Whether the file server antivirus signatures are fully up to date.
C.Whether the share permissions were tightened during the restore.
D.Whether the virtual machine has enough CPU and memory allocated.
AnswerA

This is the best next verification because the missing spreadsheet edits suggest the restore point may be older than the required recovery window, or application-related log data may not have been captured. Confirming the exact backup set, restore timestamp, and transaction log coverage helps determine whether the restore actually meets the business recovery objective. It also shows whether the issue is an incomplete backup scope or simply a mismatch between what users expected and what the restore point contains.

Why this answer

Option A is correct because the missing spreadsheet edits indicate that the backup may have been taken before those changes were committed. The administrator must verify that the restore point includes the necessary transaction logs (e.g., from a VSS-aware backup or application-consistent snapshot) to recover the most recent data. Without these logs, any edits made after the last full backup are lost, so confirming the correct restore point and log inclusion is the next logical step before declaring success.

Exam trap

The trap here is that candidates assume a successful restore of shares means all data is intact, overlooking the critical distinction between crash-consistent and application-consistent backups and the role of transaction logs in recovering recent changes.

How to eliminate wrong answers

Option B is wrong because antivirus signature updates are unrelated to data loss from a backup restore; they address malware protection, not file version recovery. Option C is wrong because share permissions control access rights, not the content or version of files; tightening permissions during restore would not cause missing edits. Option D is wrong because CPU and memory allocation affect performance, not the integrity or completeness of restored data; insufficient resources might slow access but cannot cause specific edits to vanish.

32
MCQmedium

The email security team receives a suspicious invoice attachment from a vendor. The attachment is not blocked by signature-based detection, but the team wants to observe its behavior in a safe environment before delivery to users. What tool best fits this requirement?

A.Sandboxing the attachment in an isolated analysis environment
B.Network access control for unmanaged devices
C.A data loss prevention rule on outbound email
D.An intrusion prevention system placed on the Wi-Fi network
AnswerA

Sandboxing is the best fit because it detonates the attachment in a controlled environment and reveals malicious behavior before users receive it.

Why this answer

A sandbox provides an isolated, controlled environment where the suspicious attachment can be executed and monitored for malicious behavior without risking the production network. This allows the security team to observe dynamic indicators such as file system changes, registry modifications, or outbound connections that signature-based detection might miss. The goal is to analyze the attachment's true intent before deciding whether to deliver it to users.

Exam trap

The trap here is that candidates may confuse signature-based detection with behavioral analysis, thinking that a signature-based tool (like an IPS or antivirus) can analyze unknown threats, when in fact only a sandbox can safely execute and observe the behavior of a suspicious file.

How to eliminate wrong answers

Option B is wrong because Network Access Control (NAC) is used to enforce security policies on devices attempting to connect to the network, not to analyze the behavior of email attachments. Option C is wrong because a Data Loss Prevention (DLP) rule on outbound email is designed to prevent sensitive data from leaving the organization, not to observe the behavior of an incoming attachment. Option D is wrong because an Intrusion Prevention System (IPS) on the Wi-Fi network monitors and blocks malicious network traffic in real time, but it cannot execute or sandbox an email attachment to observe its behavior.

33
Multi-Selectmedium

A firewall rule was changed in production to allow a new vendor IP range, and payroll users immediately lost access to an internal service. Which two change-management practices would have reduced the risk of this outage? Select two.

Select 2 answers
A.Test the rule in a staging environment with representative traffic before production deployment.
B.Require a rollback or backout plan that can quickly restore the previous rule set.
C.Make the change during the busiest business hour so the team can observe the effect immediately.
D.Remove logging on the firewall so only the new rule is visible during troubleshooting.
E.Skip approval because the vendor was already known to the organization.
AnswersA, B

Staging validation helps reveal rule-order problems, unintended blocks, and missing dependencies before users are affected. A representative test environment is especially important for firewall changes because small syntax or sequencing errors can have large business impacts. Testing reduces the chance that a production change will break unrelated services.

Why this answer

Option A is correct because testing the firewall rule in a staging environment with representative traffic allows you to validate that the new vendor IP range does not inadvertently block or conflict with existing rules before impacting production. This practice catches misconfigurations—such as an overly broad permit that shadows a deny rule for payroll users—without risking service disruption. Staging mirrors production ACL logic, so you can verify that the rule order and match criteria (e.g., source IP, destination port) behave as intended.

Exam trap

The trap here is that candidates often think testing in staging is unnecessary if the change seems small, or they confuse 'testing' with 'monitoring in production'—but the question specifically asks for practices that reduce risk before the outage occurs.

34
MCQmedium

A nightly patch script restarts services on 40 Linux servers. Security does not want an administrator to log in interactively, and the script should only have the permissions needed to install approved patches and restart those services. What is the best design?

A.Run the script with a dedicated automation account that has only the required sudo permissions
B.Use the root account for every scheduled execution to avoid permission errors
C.Hard-code the administrator password in the script so it never prompts
D.Ask each server owner to manually patch their system during the maintenance window
AnswerA

This satisfies least privilege while allowing unattended execution. A dedicated automation account can be limited to patching and service restart actions only.

Why this answer

Option A is correct because it follows the principle of least privilege by using a dedicated automation account with only the specific sudo permissions needed to install approved patches and restart services. This prevents interactive login (as the account is configured for non-interactive use) and ensures the script cannot perform unauthorized actions, aligning with security best practices for automated tasks.

Exam trap

The trap here is that candidates may assume root is necessary for scheduled tasks to avoid permission errors, overlooking that dedicated accounts with specific sudo rules can achieve the same goal with far less risk.

How to eliminate wrong answers

Option B is wrong because using the root account for every scheduled execution violates the principle of least privilege, granting full system access to the script, which increases the risk of accidental or malicious damage. Option C is wrong because hard-coding the administrator password in the script is a severe security risk; it exposes credentials in plaintext, allowing anyone with file read access to compromise the account, and it does not address the requirement to prevent interactive login.

35
MCQeasy

Based on the exhibit, which control should be installed or expanded to provide the earliest warning of this hazard?

A.Install or expand water-leak sensors under the raised floor and near the pipe path.
B.Add badge readers to every rack so the servers can be tracked physically.
C.Replace the cameras with motion detectors to improve environmental safety.
D.Increase automatic screen lock timeouts on all administrative workstations.
AnswerA

Water-leak sensors provide early warning when moisture reaches vulnerable areas near equipment. The exhibit shows condensation and an increasing humidity condition, so additional leak detection under the raised floor and along the pipe path would alert staff before water damages systems. This is an appropriate environmental-monitoring control for a server or data room.

Why this answer

Water-leak sensors provide the earliest possible warning of a liquid hazard by detecting moisture before it reaches equipment or causes electrical shorts. In a data center with raised floors and pipe paths, these sensors can be placed directly in the path of potential leaks, triggering alerts immediately upon contact with water. This proactive monitoring is critical for preventing costly downtime and equipment damage.

Exam trap

The trap here is that candidates confuse physical security controls (badge readers, cameras) with environmental monitoring controls, failing to recognize that water-leak sensors are the only option that directly detects the specific hazard described.

How to eliminate wrong answers

Option B is wrong because badge readers on racks track physical access to servers, not environmental hazards like water leaks; they address security, not safety. Option C is wrong because motion detectors detect movement, not water or environmental changes; replacing cameras with them would reduce visibility of the actual hazard. Option D is wrong because increasing automatic screen lock timeouts on workstations addresses unauthorized access risks, not environmental monitoring or early warning of water leaks.

36
MCQmedium

An internal finance application has an RTO of 2 hours and an RPO of 30 minutes. Current backups restore in about 6 hours because the team must rebuild the server from scratch. Which change best aligns the recovery design to the business requirement?

A.Add a warm standby or replicated recovery system that can be brought online within the RTO
B.Keep the same design and simply increase backup retention
C.Switch to weekly full backups only
D.Reduce logging on the application server to improve restore speed
AnswerA

A standby or replicated system shortens recovery time and better matches the business need for fast restoration after an outage.

Why this answer

The business requires an RTO of 2 hours and an RPO of 30 minutes, but current backups take 6 hours to restore because the server must be rebuilt from scratch. Adding a warm standby or replicated recovery system allows the application to be brought online within the RTO by maintaining a pre-configured, partially synchronized environment that can be activated quickly, reducing recovery time from hours to minutes. This aligns the recovery design with the business continuity requirements by meeting both the RTO and RPO targets.

Exam trap

The trap here is that candidates may think increasing backup frequency or retention solves the RTO problem, but RTO is about recovery time, not data loss tolerance (RPO), and only a pre-staged recovery system like a warm standby can reduce the time to bring the application online.

How to eliminate wrong answers

Option B is wrong because increasing backup retention only extends the history of backups, not the speed of recovery; it does nothing to address the 6-hour restore time that violates the 2-hour RTO. Option C is wrong because switching to weekly full backups only increases the RPO to up to 7 days, far exceeding the required 30-minute RPO, and does not improve restore speed. Option D is wrong because reducing logging on the application server may slightly decrease backup size but does not eliminate the need to rebuild the server from scratch, and it can compromise audit trails and security monitoring.

37
MCQeasy

An investigator needs a copy of a suspect laptop drive for analysis without changing the original media. What should be used?

A.A simple file copy of the user folder
B.A full forensic image taken with a write blocker
C.A compressed archive of the desktop contents
D.The original drive mounted normally on the investigator machine
AnswerB

This is the best answer because a forensic image creates a bit-for-bit copy of the drive while a write blocker prevents accidental changes to the original media. That combination preserves evidentiary integrity and allows the investigator to analyze the copy safely. It is the standard approach when the original disk may later be needed in court or for formal review.

Why this answer

A full forensic image taken with a write blocker is the correct method because it creates a bit-for-bit copy of the entire drive, including all partitions, unallocated space, and metadata, without altering the original media. The write blocker hardware or software ensures that no write commands reach the suspect drive, preserving its integrity for legal and evidentiary purposes. This approach is required by forensic standards such as NIST SP 800-86 and ensures the copy is admissible as evidence.

Exam trap

The trap here is that candidates confuse a simple file copy or archive with a forensically sound image, overlooking the need for a bit-for-bit copy and write protection to preserve evidence integrity.

How to eliminate wrong answers

Option A is wrong because a simple file copy of the user folder only captures visible files, not deleted data, file system metadata, or unallocated space, and it does not prevent writes to the original drive. Option C is wrong because a compressed archive of the desktop contents similarly omits critical forensic artifacts like slack space, partition tables, and hidden data, and it does not use a write blocker to protect the original media. Option D is wrong because mounting the original drive normally on the investigator machine allows the operating system to write to the drive (e.g., updating timestamps, logs, or file system metadata), which alters the evidence and violates forensic best practices.

38
MCQeasy

Employees in a server room often prop the door open while carrying equipment. What control best helps detect and prevent this behavior?

A.Install a door-ajar alarm and use a self-closing door mechanism.
B.Add more desk chairs outside the server room for convenience.
C.Increase the screen brightness on the monitoring workstation.
D.Move backup tapes to a nearby shelf for easier access.
AnswerA

A door-ajar alarm combined with a self-closing mechanism directly addresses the problem by alerting staff when the door is left open and reducing the chance that it stays open. This is a practical physical security control because it supports both detection and prevention. It helps protect restricted areas without relying only on user behavior.

Why this answer

A door-ajar alarm provides immediate notification when the door is left open, while a self-closing door mechanism physically ensures the door closes automatically after each use. Together, they directly address the behavior of propping the door open by both detecting the violation and preventing it from remaining open, which is critical for maintaining physical security controls in a server room.

Exam trap

The trap here is that candidates may choose a convenience-based option (like adding chairs or moving tapes) thinking it addresses the root cause, but the question specifically asks for a control that both detects and prevents the behavior, which only a combination of a door-ajar alarm and a self-closing mechanism achieves.

How to eliminate wrong answers

Option B is wrong because adding more desk chairs outside the server room does not detect or prevent the door from being propped open; it only addresses convenience, not security. Option C is wrong because increasing screen brightness on the monitoring workstation has no effect on door position or access control; it is a display setting unrelated to physical security. Option D is wrong because moving backup tapes to a nearby shelf does not prevent or detect the door being propped open; it only changes storage location and could even increase risk by placing sensitive media outside the secure area.

39
Multi-Selectmedium

A SIEM alert shows five failed logins to a SaaS admin portal from one IP, followed by a successful login from a new city three minutes later. Which two actions are the best next steps for the analyst to validate the event before containment? Select two.

Select 2 answers
A.Review the identity provider and MFA logs to confirm the successful login came from the same account and device context.
B.Correlate the source IP with corporate VPN, CASB, or known cloud egress ranges.
C.Immediately disable the SaaS platform for every user until the investigation is finished.
D.Reimage the user’s laptop immediately to remove any possible malware.
E.Delete the failed login records to reduce noise in the SIEM.
AnswersA, B

This is the best first validation step because identity provider logs can confirm whether the login sequence used the expected MFA method, device, and authentication path. It helps distinguish suspicious access from legitimate use, such as a new browser session or a reauthentication event. Correlating the alert with authoritative identity logs also reduces reliance on a single SIEM record and improves triage accuracy.

Why this answer

Option A is correct because reviewing the identity provider (IdP) and MFA logs allows the analyst to verify whether the successful login originated from the same user account and device context as the failed attempts. This step is critical to determine if the successful login was an attacker who bypassed MFA or a legitimate user who eventually succeeded, providing evidence of account compromise or a false positive.

Exam trap

The trap here is that candidates may rush to containment (Option C) without first performing validation steps, failing to recognize that the question specifically asks for actions to 'validate the event before containment'.

40
MCQmedium

An investigator must collect data from a suspected insider-threat laptop so the evidence can be used in an HR and legal review. Which action best preserves admissibility?

A.Boot the laptop normally and browse the user's files for clues
B.Create a forensic image through a write blocker and record hashes before and after acquisition
C.Copy the user's documents to a USB drive and continue the investigation later
D.Take screenshots of the desktop and delete the original drive contents afterward
AnswerB

This is the correct preservation method because it avoids altering the original disk and creates verifiable integrity checks. Using a write blocker prevents writes to the source media, and hashes document that the image matches the evidence. Detailed chain-of-custody records then support admissibility in HR, disciplinary, or legal proceedings.

Why this answer

Option B is correct because creating a forensic image through a write blocker ensures the original evidence is not altered, preserving its integrity for admissibility in HR and legal proceedings. Recording hashes before and after acquisition allows verification that the image is an exact, unmodified copy, which is critical for chain of custody and meeting legal standards such as Daubert or Federal Rules of Evidence.

Exam trap

The trap here is that candidates may think booting normally or copying files is sufficient for evidence collection, but the exam emphasizes that any action that modifies the original media breaks the chain of custody and makes evidence inadmissible in legal proceedings.

How to eliminate wrong answers

Option A is wrong because booting the laptop normally modifies the system (e.g., writes to the page file, updates timestamps, and alters registry keys), which can destroy volatile evidence and render the data inadmissible due to lack of integrity. Option C is wrong because copying user documents to a USB drive without using a write blocker or imaging tool alters file metadata (e.g., last access times) and does not capture deleted files or slack space, breaking the forensic soundness required for legal review. Option D is wrong because taking screenshots only captures a superficial view and does not preserve the full disk state, while deleting the original drive contents destroys the primary evidence, making it impossible to verify or challenge the screenshots later.
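The before-and-after hashing described in questions 37 and 40, as an added example that is not part of the original question bank: the source is hashed before acquisition, the bytes are hashed as they are copied, and the source and image are hashed again afterwards, so the custody record shows whether the image is an exact, unmodified copy. In practice the source would be a drive behind a hardware write blocker; here a temporary file of constructed random bytes stands in for it, and the examiner name is a placeholder.

```python
"""Forensic acquisition with before/after hash verification (added example)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read the source in 1 MiB blocks


def sha256_of(path):
    """Hash a file (or block device) in chunks without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image, examiner="examiner-placeholder"):
    """Bit-for-bit copy of `source` into `image`.

    The source is hashed before acquisition, the copied stream is hashed during
    acquisition, and the source is hashed again afterwards. `verified` is True
    only if all three values agree, which is what a write blocker is meant to
    guarantee: the original media did not change while it was being imaged.
    """
    before = sha256_of(source)
    stream = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            stream.update(chunk)
            dst.write(chunk)
    after = sha256_of(source)
    image_hash = sha256_of(image)
    return {
        "source": source,
        "image": image,
        "examiner": examiner,  # placeholder, not a real identity
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source_hash_before": before,
        "stream_hash": stream.hexdigest(),
        "image_hash": image_hash,
        "source_hash_after": after,
        "verified": before == stream.hexdigest() == image_hash == after,
    }


def verify_image(record, image_path=None):
    """Re-hash the image later (before analysis, or for review) and compare it
    to the hash recorded at acquisition time."""
    return sha256_of(image_path or record["image"]) == record["image_hash"]


def demo():
    """Acquire a constructed 'drive', then show that a later write to the image
    copy is detected by the recorded hash."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect.img")
        img = os.path.join(d, "evidence.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 12345))  # constructed sample contents
        record = acquire(src, img)
        intact = verify_image(record)
        with open(img, "ab") as f:
            f.write(b"\x00")  # simulate an accidental write to the image
        return record, intact, verify_image(record)


if __name__ == "__main__":
    rec, ok_before, ok_after = demo()
    print("verified at acquisition:", rec["verified"])
    print("image intact later:", ok_before, "| after stray write:", ok_after)
```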

41
MCQmedium

During morning SIEM review, an analyst sees 37 failed SSH logins followed by a successful login to a Linux server from a jump host. The account belongs to a configuration-management service account, and the activity occurred inside the normal maintenance window. What should the analyst do next to determine whether the alert is a true positive or a false positive?

A.Immediately isolate the Linux server from the network and begin recovery.
B.Correlate the event with the approved maintenance ticket and automation job logs.
C.Reset the service account password before reviewing any additional evidence.
D.Disable SSH on the server until the next patch cycle is complete.
AnswerB

Matching the authentication pattern to a change ticket and automation logs is the best validation step. It confirms whether the repeated failures and successful login were produced by an approved task rather than malicious activity. This is the most efficient way to distinguish a true positive from an expected operational event without disrupting a legitimate maintenance process.

Why this answer

Option B is correct because the analyst should correlate the failed SSH logins with the approved maintenance ticket and automation job logs to verify if the activity is expected. The failed logins followed by a successful login from a jump host during a maintenance window are consistent with a configuration-management tool (e.g., Ansible, Puppet) retrying authentication. This correlation confirms whether the alert is a true positive (unauthorized access) or a false positive (routine automation).

Exam trap

The trap here is that candidates assume any failed logins followed by a success indicate a brute-force attack, but the context of a maintenance window and a service account points to legitimate automation retries, not malicious activity.

How to eliminate wrong answers

Option A is wrong because immediately isolating the Linux server is premature and disruptive; the activity occurred during a maintenance window and may be legitimate automation, so isolation should only occur after confirming malicious intent. Option C is wrong because resetting the service account password without reviewing evidence could break legitimate automation jobs and does not address the need to determine if the alert is a true or false positive. Option D is wrong because disabling SSH on the server is an overreaction that would block all remote administration, including legitimate maintenance, and is not a diagnostic step.

42
MCQmedium

A SOC analyst is investigating an alert triggered when a user clicked a link in an email. The email appeared to be from a trusted vendor and included a PDF attachment with a macro, but the user did not run the macro. Upon reviewing the email headers, the analyst notices that the sender's domain is a common misspelling of the vendor's legitimate domain. Which of the following is the most direct indicator that this email is a phishing attempt?

A.The macro embedded in the PDF attachment
B.The misspelled sender domain in the email headers
C.The alert generated by the user clicking the link
D.The email appeared to be from a known vendor
AnswerB

This is the strongest indicator because it directly shows the email's origin is fraudulent. Attackers register domains that are visually similar to legitimate ones to trick users. The domain mismatch confirms the email is not from the vendor.

Why this answer

The misspelled sender domain in the email headers is the most direct indicator of a phishing attempt because it reveals the attacker's use of domain spoofing or a lookalike domain to impersonate a trusted vendor. This is a classic social engineering technique that bypasses the user's visual inspection, and since the user did not run the macro, the macro itself is not an active threat. The email headers provide forensic evidence of the domain mismatch, which is a definitive sign of phishing regardless of user actions.

Exam trap

CompTIA often tests the distinction between a potential threat (like an unexecuted macro) and an actual indicator of an attack (like a spoofed domain in headers), trapping candidates who focus on the payload rather than the evidence of impersonation.

How to eliminate wrong answers

Option A is wrong because the macro was not executed by the user, so it posed no active risk and is not a direct indicator of phishing—it is merely a potential payload that could have been triggered. Option C is wrong because the alert was generated by the user clicking the link, which is a reactive event; the alert itself does not indicate phishing—it only indicates that an action occurred, and the link could be benign or malicious. Option D is wrong because the email only appeared to be from a known vendor; appearance alone is not an indicator of phishing—attackers often forge the display name or use social engineering to make emails look legitimate, but the true indicator is the domain mismatch in the headers.

43
MCQeasy

A workstation is suspected of malware infection, and it is still powered on and connected to the network. Which action best preserves volatile evidence before the system is shut down?

A.Immediately power off the workstation to stop any malicious activity.
B.Capture memory and note running processes before taking further action.
C.Run a full antivirus scan before documenting anything.
D.Delete temporary files to reduce the chance of reinfection.
AnswerB

Volatile data such as memory, active network connections, and running processes can disappear if the system is powered down. Capturing that information first preserves evidence that may show malware behavior, injected code, or command-and-control activity. This is a core incident-response practice when the system is still live.

Why this answer

Option B is correct because volatile evidence, such as the contents of RAM (running processes, network connections, open files), is lost when the system is powered off. Capturing a memory dump and recording running processes preserves this critical data for forensic analysis, allowing investigators to identify malware artifacts (e.g., injected code, hidden processes) that exist only in memory. This aligns with the NIST SP 800-86 forensic procedure of prioritizing volatile data collection before system shutdown.

Exam trap

CompTIA often tests the misconception that immediate shutdown stops malware activity, but the trap here is that volatile evidence is lost on power-off, and the correct forensic priority is to capture memory and process data first.

How to eliminate wrong answers

Option A is wrong because immediately powering off the workstation destroys volatile evidence (RAM contents, network state, running processes) and may cause malware to lose its in-memory footprint, hindering forensic analysis. Option C is wrong because running a full antivirus scan modifies the system state (e.g., quarantining files, altering file timestamps) and can overwrite or destroy volatile evidence before it is captured. Option D is wrong because deleting temporary files actively destroys potential evidence (e.g., malware droppers, logs) and does not preserve volatile data like memory or process lists.

44
Multi-Selectmedium

After isolating an infected endpoint and collecting volatile memory, the team identifies a malicious browser extension and a scheduled task used for persistence. Which two actions belong in the eradication phase before returning the system to service? Select two.

Select 2 answers
A.Remove the malicious extension and delete the persistence mechanism.
B.Reimage the host from a trusted gold image after evidence collection.
C.Restore user files from the most recent backup and reconnect the host immediately.
D.Announce the incident to users without changing the host configuration.
E.Leave the browser extension in place and only change the user password.
AnswersA, B

Correct because eradication requires eliminating the malware components that let the attacker survive reboots or user logoff. Removing the extension and scheduled task directly breaks persistence.

Why this answer

Option A is correct because removing the malicious browser extension and deleting the scheduled task directly eliminates the identified persistence mechanism and the active threat vector. In the eradication phase, the goal is to remove all traces of the malware from the system, which includes disabling or deleting scheduled tasks and uninstalling malicious extensions. This ensures the attacker cannot regain access through these specific footholds before the system is returned to service.

Exam trap

CompTIA often tests the distinction between eradication and recovery, where candidates mistakenly choose backup restoration (Option C) as an eradication step, but eradication must occur before any recovery actions like reimaging or restoring data.

45
MCQmedium

A SIEM alert shows 300 failed logins against the same VPN account from one source IP over 12 minutes, followed by a successful login from that same IP and a spike in mailbox access. The user says they did not initiate the session. What is the most likely cause?

A.A brute-force attack that eventually guessed the correct password
B.A password-spraying attempt against many different accounts
C.A normal VPN reconnect after a brief network outage
D.A false positive caused by email synchronization
AnswerA

This pattern fits repeated attempts against one account from one source, followed by success and suspicious post-login activity. The mailbox spike strengthens the case for compromised credentials.

Why this answer

The sequence of 300 failed logins from a single source IP against one VPN account, followed by a successful login and abnormal mailbox access, is the classic pattern of a brute-force attack. The attacker systematically tried many passwords until they guessed the correct one, then used the compromised credentials to access the user's mailbox. The user's denial confirms the session was unauthorized, ruling out legitimate reconnection or synchronization.

Exam trap

The trap here is that candidates may confuse a brute-force attack with password spraying, but the key differentiator is the single target account versus many accounts, and the high volume of failures against that one account.

How to eliminate wrong answers

Option B is wrong because password spraying targets many different accounts with a few common passwords, not 300 attempts against a single account. Option C is wrong because a normal VPN reconnect after a brief network outage would not generate 300 failed logins; it would typically succeed on the first or second attempt after the outage resolves. Option D is wrong because email synchronization does not cause failed logins against a VPN account; it uses existing authenticated sessions and would not produce a spike in mailbox access from a new IP.
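The triage logic behind questions 41 and 45, as an added example that is not part of the original question bank: for each successful login it counts the preceding failures from the same source against the same account, separates a brute-force burst (many failures, one account) from password spraying (one source, many accounts, few attempts each), and treats a service-account burst that falls inside an approved maintenance window as a probable false positive to be correlated with the change ticket rather than contained. The events, IP addresses, account names and the ticket id are constructed placeholders.

```python
"""Classify 'failures followed by success' authentication alerts (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed auth events (not from the page): (timestamp, source IP, account, result)."""
    events = []
    # Brute force: 25 failures then a success against one account from one external IP.
    t0 = datetime(2024, 5, 1, 8, 0, 0)
    for i in range(25):
        events.append((t0 + timedelta(seconds=20 * i), "203.0.113.10", "jsmith", "FAIL"))
    events.append((t0 + timedelta(minutes=9), "203.0.113.10", "jsmith", "SUCCESS"))
    # Automation: 37 retries from the jump host by a service account during maintenance.
    m0 = datetime(2024, 5, 1, 2, 30, 0)
    for i in range(37):
        events.append((m0 + timedelta(seconds=5 * i), "10.0.0.5", "svc-config", "FAIL"))
    events.append((m0 + timedelta(minutes=4), "10.0.0.5", "svc-config", "SUCCESS"))
    # Spraying: one failure each against twelve accounts from one IP, no success.
    s0 = datetime(2024, 5, 1, 9, 0, 0)
    for i in range(12):
        events.append((s0 + timedelta(seconds=30 * i), "198.51.100.7", f"user{i:02d}", "FAIL"))
    return events


# Constructed approved change windows: jump host, account, start, end, ticket (placeholder id).
MAINTENANCE_WINDOWS = [
    {"ip": "10.0.0.5", "account": "svc-config",
     "start": datetime(2024, 5, 1, 2, 0, 0), "end": datetime(2024, 5, 1, 4, 0, 0),
     "ticket": "CHG-PLACEHOLDER-1234"},
]


def approved_ticket(windows, ip, account, ts):
    """Return the ticket id of a window covering this source, account and time, else None."""
    for w in windows:
        if w["ip"] == ip and w["account"] == account and w["start"] <= ts <= w["end"]:
            return w["ticket"]
    return None


def classify(events, windows, fail_threshold=20, spray_accounts=10,
             lookback=timedelta(minutes=15)):
    """Map (source IP, account) to a verdict.

    A success preceded by >= fail_threshold failures against the same account
    from the same IP within `lookback` is a brute-force success unless the
    activity matches an approved maintenance window. A source that fails
    against >= spray_accounts accounts with fewer than fail_threshold attempts
    each is reported as spraying under the key (ip, "*").
    """
    verdicts = {}
    fails_by_ip = defaultdict(list)  # ip -> [(timestamp, account)]
    for ts, ip, account, result in sorted(events):
        if result == "FAIL":
            fails_by_ip[ip].append((ts, account))
            continue
        recent = [a for t, a in fails_by_ip[ip] if ts - lookback <= t <= ts]
        same_account = sum(1 for a in recent if a == account)
        ticket = approved_ticket(windows, ip, account, ts)
        if same_account >= fail_threshold and ticket:
            verdicts[(ip, account)] = f"probable false positive: correlate with {ticket}"
        elif same_account >= fail_threshold:
            verdicts[(ip, account)] = "brute-force success: treat credentials as compromised"
        else:
            verdicts[(ip, account)] = "no burst pattern"
    for ip, fails in fails_by_ip.items():
        per_account = defaultdict(int)
        for _, account in fails:
            per_account[account] += 1
        if len(per_account) >= spray_accounts and max(per_account.values()) < fail_threshold:
            verdicts[(ip, "*")] = "password spraying: many accounts, few attempts each"
    return verdicts


if __name__ == "__main__":
    for key, verdict in sorted(classify(build_sample_events(), MAINTENANCE_WINDOWS).items()):
        print(key, "->", verdict)
```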

46
Multi-Selectmedium

After restoring a virtual file server from backup, users can log in and browse shares, but finance says the last day's edits are missing. Which two steps should the administrator take before declaring recovery complete? Select two.

Select 2 answers
A.Verify the restore point meets the required recovery point objective and the business expects the data loss window.
B.Check whether application transaction logs or application-consistent snapshots need to be replayed.
C.Rebuild the server from scratch without checking the backup timestamp.
D.Disable all backup jobs until the next maintenance window.
E.Change the DNS records so users point to a different server name.
AnswersA, B

This is important because a restore can technically succeed while still missing more data than the business can tolerate. The RPO defines how much data loss is acceptable. Confirming the restore point against that expectation helps determine whether the backup strategy met recovery requirements or whether additional recovery work is needed.

Why this answer

Option A is correct because the Recovery Point Objective (RPO) defines the maximum acceptable data loss. If the restore point is from before the last day's edits, the administrator must confirm that this data loss window is acceptable to the business. Option B is correct because application-consistent backups often require replaying transaction logs (e.g., SQL Server VSS writer logs) to bring the database to the latest committed state; skipping this step leaves the data incomplete.

Exam trap

The trap here is that candidates may assume a successful file-level restore is complete, overlooking the need to verify RPO alignment and replay application-specific transaction logs for consistency.

47
MCQmedium

A monthly scan finds a critical remote-code-execution vulnerability on an internet-facing VPN appliance. The vendor has not released a patch for six weeks, but the service must stay online. Which short-term action is the best risk treatment?

A.Accept the risk and wait for the next scheduled scan cycle.
B.Apply compensating controls such as strict access filtering, MFA, enhanced logging, and alerting.
C.Disable all logging so the appliance performs better under load.
D.Ignore the issue until the vendor confirms the vulnerability is being actively exploited.
AnswerB

When a patch is unavailable, the best short-term treatment is to reduce exposure and add monitoring. Tight access control, MFA, and logging do not remove the vulnerability, but they can meaningfully lower the likelihood of exploitation and improve detection. This is the correct operational response when the service must remain online and a permanent fix is not yet available.

Why this answer

Option B is correct because when a patch is unavailable for a critical vulnerability, compensating controls reduce risk without taking the service offline. For an internet-facing VPN appliance, strict access filtering (e.g., limiting source IPs via ACLs), enforcing MFA, and enabling enhanced logging/alerting can mitigate exploitation attempts while maintaining availability. This aligns with the risk treatment strategy of risk reduction through controls rather than acceptance, avoidance, or transfer.

Exam trap

The trap here is that candidates may think accepting risk (Option A) is acceptable for a critical vulnerability, but CompTIA expects you to recognize that compensating controls are the appropriate short-term treatment when a patch is unavailable and the service must remain online.

How to eliminate wrong answers

Option A is wrong because accepting the risk and waiting for the next scan cycle leaves the organization exposed to active exploitation of a critical RCE vulnerability, which is unacceptable for an internet-facing service. Option C is wrong because disabling logging removes visibility into potential attacks, hindering incident detection and response, and does not address the vulnerability itself. Option D is wrong because ignoring the issue until active exploitation is confirmed violates the principle of proactive security; waiting for proof of exploitation increases the likelihood of a breach and potential damage.

48
MCQeasy

A SOC analyst notices that log timestamps from different servers do not line up during an investigation. What should be implemented to improve event correlation?

A.A more aggressive password policy for all users.
B.Network Time Protocol time synchronization across systems.
C.Longer user account names to make records easier to read.
D.Disabling centralized logging to reduce duplication.
AnswerB

Time synchronization is essential for reliable logging because incident responders need events to appear in the correct order. If servers use different clocks, correlations can become misleading and slow the investigation. NTP keeps system time aligned so SIEM alerts, authentication records, and host logs can be compared accurately across multiple systems.

Why this answer

Network Time Protocol (NTP) synchronizes clocks across systems to a common time source, ensuring log timestamps align for accurate event correlation. Without NTP, timestamps from different servers can drift, making it impossible to reconstruct the sequence of events during an investigation. This is a foundational requirement for effective security monitoring and incident response.

Exam trap

The trap here is that candidates may confuse operational security controls (like password policies or naming conventions) with the technical infrastructure needed for accurate log correlation, overlooking NTP as a fundamental prerequisite for time-based analysis.

How to eliminate wrong answers

Option A is wrong because a more aggressive password policy (e.g., complexity, expiration) addresses authentication security, not time synchronization or log correlation. Option C is wrong because longer user account names improve readability but have no effect on timestamp alignment or event correlation. Option D is wrong because disabling centralized logging would eliminate the single repository where logs are aggregated, making correlation even harder and increasing duplication of analysis effort.

49
MCQeasy

Based on the exhibit, which change best improves secure administration for the scheduled task?

A.Keep the Administrator account and leave the task running only when a user is logged on.
B.Move the script to the desktop so it is easier for technicians to monitor manually.
C.Use a dedicated service account with only the required permissions and allow the task to run whether or not anyone is logged on.
D.Disable the task and have staff run the script manually whenever they remember to do it.
AnswerC

A dedicated service account with least privilege reduces the risk of credential misuse and limits what the task can access if it is abused. Allowing the task to run whether a user is logged on or not makes the automation reliable for scheduled maintenance. This is a common secure-administration improvement for repeatable scripts.

Why this answer

Option C is correct because using a dedicated service account with minimal required permissions follows the principle of least privilege, reducing the attack surface. Allowing the task to run whether or not anyone is logged on ensures the scheduled task executes reliably without depending on a user session, which is essential for automated administrative tasks. This approach also avoids the security risks of using the built-in Administrator account, which has excessive privileges and is a common target for attackers.

Exam trap

The trap here is that candidates may think making the script easier to access (Option B) or using the built-in Administrator account (Option A) are acceptable, but CompTIA tests the principle of least privilege and the importance of dedicated service accounts for automated tasks to avoid credential theft and ensure reliable execution.

How to eliminate wrong answers

Option A is wrong because keeping the Administrator account violates least privilege and leaving the task to run only when a user is logged on introduces a dependency on an interactive session, which can cause the task to fail if no user is logged in at the scheduled time. Option B is wrong because moving the script to the desktop does not improve security; it actually increases risk by placing the script in a user-accessible location where it could be modified or executed by unauthorized users, and it does not address the need for secure, automated execution. Option D is wrong because disabling the task and relying on manual execution defeats the purpose of automation, introduces human error, and increases the likelihood of missed or delayed administrative actions, which is not a secure or reliable administration practice.

50
MCQmedium

A firewall ACL must be modified in production to allow a vendor update server. The team wants to minimize the chance of accidentally blocking payroll traffic. Which change-management step is best before applying the rule?

A.Apply the rule immediately and monitor the help desk for complaints.
B.Test the proposed rule in a staged policy set and keep a rollback plan ready.
C.Remove all deny rules temporarily so the vendor traffic can pass cleanly.
D.Disable logging during the change to avoid slowing down the firewall.
AnswerB

Testing the rule in a staged or cloned policy set helps confirm that the ACL logic, rule order, and source and destination matching behave as intended before production exposure. A rollback plan provides a fast recovery path if the change still causes an unexpected impact. Together, these practices reduce the likelihood of disrupting payroll traffic and align with safe, controlled change management in operational environments.

Why this answer

Option B is correct because testing the proposed rule in a staged policy set allows the team to verify that the new ACL entry does not inadvertently match and drop payroll traffic before it is applied to the production firewall. Keeping a rollback plan ready ensures that if the rule causes unexpected blocking, the previous ACL can be restored immediately, minimizing downtime. This aligns with the change-management principle of validating changes in a controlled environment to prevent service disruption.

Exam trap

Cisco often tests the misconception that immediate application with monitoring is sufficient, but the trap is that this reactive approach ignores the risk of silently blocking critical traffic until complaints arise, which is unacceptable in a production environment.

How to eliminate wrong answers

Option A is wrong because applying the rule immediately without prior testing or rollback planning violates change-management best practices and risks accidentally blocking payroll traffic if the ACL logic is flawed; monitoring the help desk is reactive, not proactive. Option C is wrong because removing all deny rules temporarily would expose the network to unauthorized traffic, defeating the purpose of the firewall and violating the principle of least privilege; it does not address the specific need to allow vendor traffic while protecting payroll.

51
MCQmedium

A billing application has an RTO of 2 hours and an RPO of 30 minutes. The current recovery method requires rebuilding the VM from scratch and then restoring last night's backup, which takes over six hours. Which solution best meets the stated recovery objectives?

A.Keep the current backup schedule and shorten the documentation for the restore procedure.
B.Switch to weekly full backups and manually verify them after business hours.
C.Store backups on the same production host so restores are faster.
D.Use a warm standby replica with frequent log shipping or near-continuous replication.
AnswerD

A warm standby with frequent log shipping is the best fit because it reduces both data loss and restoration time. The standby already has the operating system and application environment in place, so failover is much faster than rebuilding from scratch. Frequent log shipping narrows the recovery point to within the required 30 minutes, making the design aligned with both business objectives.

Why this answer

Option D is correct because a warm standby replica with frequent log shipping or near-continuous replication can achieve an RPO of 30 minutes or less by minimizing data loss, and an RTO of 2 hours by allowing rapid failover to the replica. This directly addresses the current recovery method's failure to meet the RTO (6+ hours vs. 2 hours) and RPO (last night's backup vs. 30 minutes). Technologies like SQL Server log shipping or VMware vSphere replication provide near-continuous data synchronization, enabling recovery within the stated objectives.

Exam trap

The trap here is that candidates may think faster backups or better documentation (Option A or C) can solve the RTO/RPO gap, but they fail to recognize that the core issue is the recovery method itself—rebuilding from scratch—which cannot be fixed by incremental improvements to backup speed or storage location.

How to eliminate wrong answers

Option A is wrong because shortening documentation does not reduce the actual time to rebuild the VM and restore the backup, so it cannot meet the 2-hour RTO. Option B is wrong because weekly full backups increase the RPO to up to 7 days, far exceeding the required 30 minutes, and manual verification after hours does not improve recovery speed. Option C is wrong because storing backups on the same production host creates a single point of failure and does not address the fundamental issue of slow rebuild and restore times; it also violates the 3-2-1 backup rule.

52
Multi-Selectmedium

A weekly vulnerability scan returns five findings across different systems. Which three should be remediated first? Select three.

Select 3 answers
A.A critical remote-code-execution flaw on an internet-facing VPN appliance with active exploitation reported.
B.A medium-severity missing patch on an offline lab VM with no network connectivity.
C.Default administrator credentials on an internet-facing management portal.
D.A high-severity remote-code-execution vulnerability on a public customer portal that stores account records.
E.A low-severity TLS configuration warning on a public site that does not handle sensitive information.
AnswersA, C, D

Option A is correct because the issue is both highly exploitable and externally exposed. Active exploitation and internet reachability make it the highest-priority risk in the list.

Why this answer

Option A is correct because a critical remote-code-execution (RCE) vulnerability on an internet-facing VPN appliance with active exploitation reported represents the highest risk: it is exposed to the internet, allows full system compromise, and is actively being exploited in the wild, making immediate remediation essential to prevent a breach.

Exam trap

The trap here is that candidates might prioritize based solely on CVSS severity without considering the system's exposure, active exploitation status, or the presence of default credentials, leading them to incorrectly select a low-risk offline system or a low-severity warning over the truly critical findings.

53
MCQmedium

A SIEM correlates VPN authentication logs and sees 14 different user accounts receive one failed login attempt each from the same source IP during a 5-minute window. A few minutes later, one of those accounts successfully authenticates from that same IP. Which attack is most likely?

A.Brute-force attack against a single account using many passwords.
B.Password spraying using a common password against many accounts.
C.Replay attack using previously captured authentication traffic.
D.ARP poisoning used to intercept local network traffic.
AnswerB

This pattern matches a low-and-slow attempt across multiple accounts to avoid lockouts, with one account eventually succeeding.

Why this answer

The SIEM observed 14 different user accounts each receiving a single failed login attempt from the same source IP within a 5-minute window, followed by one account successfully authenticating. This pattern is characteristic of password spraying, where an attacker tries a common password (e.g., 'Password123') against many accounts to avoid triggering account lockouts, then leverages a successful guess. The single failure per account avoids the threshold for brute-force detection, and the eventual success confirms a guessed credential.

Exam trap

The trap here is that candidates confuse password spraying with brute-force attacks, failing to recognize that the key differentiator is the number of accounts targeted versus the number of passwords attempted per account.

How to eliminate wrong answers

Option A is wrong because a brute-force attack targets a single account with many password attempts, not multiple accounts with one attempt each. Option C is wrong because a replay attack requires capturing and retransmitting valid authentication traffic (e.g., a Kerberos TGT or NTLM hash), which would not produce failed login attempts from the same IP. Option D is wrong because ARP poisoning is a Layer 2 attack used to intercept local traffic on a switched network, not to generate VPN authentication logs with failed and successful logins from a single source IP.
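The SIEM correlation described in this question, as an added detection example (not part of the original question bank): it parses constructed VPN authentication records, flags a source IP that fails once against many distinct accounts inside a short window, and raises the severity when that source later succeeds against one of the sprayed accounts. The log format, thresholds (10 accounts, 5 minutes, 30-minute success look-ahead) and sample IPs are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (syslog-like, not a real vendor format).
# 203.0.113.10 fails once against 14 accounts inside 5 minutes, then succeeds as one of them.
# 198.51.100.7 fails repeatedly against a single account: brute force, not spraying.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z vpn auth FAILURE user=alice src=203.0.113.10
2024-05-01T09:00:27Z vpn auth FAILURE user=bob src=203.0.113.10
2024-05-01T09:00:49Z vpn auth FAILURE user=carol src=203.0.113.10
2024-05-01T09:01:10Z vpn auth FAILURE user=dave src=203.0.113.10
2024-05-01T09:01:33Z vpn auth FAILURE user=erin src=203.0.113.10
2024-05-01T09:01:55Z vpn auth FAILURE user=frank src=203.0.113.10
2024-05-01T09:02:18Z vpn auth FAILURE user=grace src=203.0.113.10
2024-05-01T09:02:40Z vpn auth FAILURE user=heidi src=203.0.113.10
2024-05-01T09:03:02Z vpn auth FAILURE user=ivan src=203.0.113.10
2024-05-01T09:03:25Z vpn auth FAILURE user=judy src=203.0.113.10
2024-05-01T09:03:47Z vpn auth FAILURE user=kim src=203.0.113.10
2024-05-01T09:04:09Z vpn auth FAILURE user=leo src=203.0.113.10
2024-05-01T09:04:31Z vpn auth FAILURE user=mia src=203.0.113.10
2024-05-01T09:04:53Z vpn auth FAILURE user=nick src=203.0.113.10
2024-05-01T09:08:30Z vpn auth SUCCESS user=carol src=203.0.113.10
2024-05-01T09:00:10Z vpn auth FAILURE user=admin src=198.51.100.7
2024-05-01T09:00:12Z vpn auth FAILURE user=admin src=198.51.100.7
2024-05-01T09:00:14Z vpn auth FAILURE user=admin src=198.51.100.7
2024-05-01T09:00:16Z vpn auth FAILURE user=admin src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log into (timestamp, result, user, src) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an authentication record
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=10,
                          max_failures_per_account=2, success_lookahead=timedelta(minutes=30)):
    """Return one finding per source IP that shows the spraying pattern.

    Spray = at least `min_accounts` distinct accounts failing from one source inside
    `window`, with no single account failing more than `max_failures_per_account` times
    (many attempts on one account is brute force, a different alert).  A later SUCCESS
    from the same source against a sprayed account raises the severity.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    findings = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e[1] == "FAILURE"]
        successes = [e for e in evs if e[1] == "SUCCESS"]
        for i, (start, _, _, _) in enumerate(failures):
            in_window = [e for e in failures[i:] if e[0] - start <= window]
            per_user = defaultdict(int)
            for e in in_window:
                per_user[e[2]] += 1
            # Too few accounts, or repeated attempts on one account: not the spray pattern.
            if len(per_user) < min_accounts or max(per_user.values()) > max_failures_per_account:
                continue
            window_end = in_window[-1][0]
            # A success from the same source against a sprayed account confirms a guessed credential.
            hit = next((s for s in successes
                        if start <= s[0] <= window_end + success_lookahead
                        and s[2] in per_user), None)
            findings.append({
                "src": src,
                "window_start": start.isoformat(),
                "accounts": sorted(per_user),
                "confirmed_success": hit[2] if hit else None,
                "severity": "high" if hit else "medium",
            })
            break  # one alert per source is enough; later windows would repeat it
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(finding)
```

The brute-force source is deliberately not reported here because it hits one account many times; that is a separate alert with a per-account failure threshold.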

54
Multi-Selectmedium

A Windows server is still running after suspected compromise. Before it is powered down, which two volatile data sources should be collected first? Select two.

Select 2 answers
A.A memory capture or RAM image from the live system.
B.A snapshot of active network connections and listening ports.
C.A full disk image from the powered-off server.
D.A hardware inventory report from the asset management database.
E.A screenshot of the server’s desktop wallpaper for reference.
AnswersA, B

A memory capture is one of the most important volatile data sources because it can reveal running malware, injected code, encryption keys, live network sessions, and command history not stored on disk. Once the system is powered off, this information is lost. Capturing RAM early gives investigators the best chance to reconstruct the attacker’s activity.

Why this answer

A memory capture (RAM image) preserves volatile data that is lost on power-down, including running processes, open network connections, encryption keys, and malware that exists only in memory. This is critical for forensic analysis of a live system suspected of compromise, as it captures the system state at the time of collection.

Exam trap

The trap here is that candidates often confuse the order of volatility and select a disk image (Option C) as a first step, not realizing that volatile data like RAM and network connections must be collected before powering down the system.

55
MCQmedium

A security analyst receives multiple alerts indicating that several users in the finance department clicked a malicious link in an email. The analyst has confirmed the email subject line and sender address. Which of the following is the BEST first step to contain the incident?

A.Block the sender's email address at the email gateway.
B.Disable the users' accounts.
C.Perform a forensic analysis of the emails.
D.Delete the emails from the users' mailboxes.
AnswerA

This is correct because blocking the sender at the email gateway prevents any further malicious emails from that source from reaching users, effectively containing the threat at its entry point.

Why this answer

Blocking the sender's email address at the email gateway is the best first step because it immediately prevents further malicious emails from that sender from reaching any users, containing the incident at the perimeter. This action stops the spread of the attack without disrupting user productivity or requiring time-consuming analysis, aligning with the priority of containment in incident response.

Exam trap

The trap here is that candidates confuse containment with eradication or investigation, choosing to delete emails (Option D) or analyze them (Option C) first, when the immediate priority is to stop the attack vector at the gateway to prevent further compromise.

How to eliminate wrong answers

Option B is wrong because disabling users' accounts is an overly aggressive containment step that disrupts legitimate work and is typically reserved for compromised accounts or active credential misuse, not for users who merely clicked a link. Option C is wrong because performing forensic analysis of the emails is a post-containment investigation step; it delays immediate containment and should be done after blocking the threat. Option D is wrong because deleting emails from users' mailboxes only removes the current messages but does not prevent the sender from sending new malicious emails, leaving the organization vulnerable to further attacks.

56
MCQmedium

During a restore test, a technician brings back a file server successfully, but the application team discovers that the database is missing the last 12 hours of transactions. Management says the business can tolerate only one hour of data loss. What should be changed first?

A.Reduce the restore point objective by storing more copies of the same backup.
B.Implement application-consistent backups or transaction log backups more frequently.
C.Extend the retention period so the full backup is kept for 90 days.
D.Shorten the recovery time objective by using faster storage for the server.
AnswerB

A one-hour data-loss target requires more frequent capture of changed database state. Application-consistent backups or transaction log backups reduce the gap between backups and allow recovery closer to the required recovery point objective.

Why this answer

The core issue is that the database is missing 12 hours of transactions, which exceeds the business's tolerance of one hour of data loss. This indicates that the Recovery Point Objective (RPO) is not being met. Implementing application-consistent backups or more frequent transaction log backups ensures that the database state can be recovered to a point within the acceptable loss window, directly addressing the RPO gap.

Exam trap

The trap here is confusing Recovery Point Objective (RPO) with Recovery Time Objective (RTO), leading candidates to select options that improve restore speed (RTO) or backup retention rather than addressing the frequency of backups needed to limit data loss.

How to eliminate wrong answers

Option A is wrong because reducing the Restore Point Objective (RPO) by storing more copies of the same backup does not change the frequency of backups; it only increases redundancy, which does not reduce data loss. Option C is wrong because extending the retention period (e.g., keeping full backups for 90 days) addresses how long backups are kept, not how recent the recoverable data is, so it does not solve the RPO issue. Option D is wrong because shortening the Recovery Time Objective (RTO) by using faster storage focuses on how quickly the server can be restored, not on minimizing data loss, which is an RPO concern.

57
Multi-Selecthard

A security team receives a macro-enabled spreadsheet from a supplier. The file must be analyzed before any user opens it, and if the same payload later executes on an endpoint the organization wants the ability to contain it automatically. Which two tools best fit those requirements? Select two.

Select 2 answers
A.Use a sandbox to detonate the attachment in an isolated environment before delivery.
B.Use EDR so the endpoint can be quarantined or isolated if the payload executes.
C.Deploy a WAF in front of the mail gateway.
D.Create a DNS sinkhole entry only after the file is opened by a user.
E.Use DLP to stop the spreadsheet from containing macros.
AnswersA, B

Sandboxing lets analysts observe real behavior safely before the file reaches a user workstation.

Why this answer

Option A is correct because a sandbox detonates the macro-enabled spreadsheet in an isolated environment before delivery, allowing the security team to observe malicious behavior (e.g., payload extraction, network calls) without risk to production systems. This pre-delivery analysis ensures the file is safe before any user opens it, directly meeting the requirement to analyze the file before user access.

Exam trap

The trap here is that candidates may confuse a WAF (designed for web traffic) with an email security gateway or mistakenly think a DNS sinkhole can analyze file contents, when in fact it only blocks DNS resolution after a domain is flagged.

58
MCQmedium

A help desk ticket confirms that a user entered corporate credentials into a fake sign-in page. Minutes later, the security team finds a new mailbox forwarding rule and evidence that the attacker added backup MFA codes. After disabling the account, what should the team do next to support containment and recovery?

A.Wait for the user to confirm the behavior before taking any further steps.
B.Reimage the user's laptop before reviewing the account activity.
C.Revoke active sessions and reset the compromised credentials.
D.Close the ticket because MFA was enabled and should have prevented access.
AnswerC

After disabling the account, the next step is to cut off any valid sessions and reset the credential set so the attacker cannot continue using stolen access. Because the compromise includes mailbox changes and MFA backup code manipulation, session revocation and credential reset are essential containment and recovery tasks.

Why this answer

Option C is correct because after disabling a compromised account, the immediate next step is to revoke all active sessions and reset the credentials. This ensures the attacker cannot maintain access via existing tokens or session cookies, and the new password invalidates any cached or stolen credentials. This aligns with the NIST SP 800-61 incident response containment phase, which prioritizes cutting off active attacker access before further investigation.

Exam trap

The trap here is that candidates assume MFA is a silver bullet and overlook that attackers can register their own MFA devices or use session hijacking, making credential reset alone insufficient without session revocation.

How to eliminate wrong answers

Option A is wrong because waiting for user confirmation delays containment and allows the attacker to continue using the account, potentially exfiltrating data or moving laterally. Option B is wrong because reimaging the user's laptop is premature and unnecessary; the compromise is credential-based, not a local system infection, and reviewing account activity first is critical to understand the scope. Option D is wrong because MFA does not prevent credential theft or session hijacking; the attacker added backup MFA codes, bypassing the protection, and closing the ticket ignores the active threat.

59
Multi-Selectmedium

A company-owned laptop is being transferred from the incident site to the evidence locker for a theft investigation. Which two actions best support chain of custody during transport? Select two.

Select 2 answers
A.Place the device in a tamper-evident evidence bag or seal
B.Document the device serial number, date, time, collector, and each handoff
C.Leave the device unsealed so legal staff can inspect it quickly
D.Boot the laptop to confirm the user’s files are still present
E.Use a personal note app instead of formal transfer documentation
AnswersA, B

A tamper-evident seal helps prove whether the evidence package was opened or altered.

Why this answer

Option A is correct because placing the device in a tamper-evident evidence bag or seal provides a physical barrier that immediately reveals any unauthorized access during transport. This is a foundational chain-of-custody control that preserves the integrity of the evidence by making tampering detectable, which is critical for admissibility in legal proceedings.

Exam trap

The trap here is that candidates may think booting the laptop is necessary to verify data presence, but this action actually violates forensic preservation principles by altering the system state and potentially destroying evidence.

60
MCQmedium

After restoring a virtual file server from backup, users can browse folders, but an accounting application reports missing recent transactions. What should the administrator do next?

A.Mark the restore complete because the file server is reachable
B.Verify the restore in an isolated test environment and compare application data consistency
C.Immediately run a new full backup over the restored server
D.Disable the accounting application permanently to prevent further inconsistency
AnswerB

This confirms whether the backup is usable and whether application data and transaction state were recovered correctly.

Why this answer

The correct next step is to verify the restore in an isolated test environment and compare application data consistency. Although the file server is reachable and folders appear intact, the accounting application's missing recent transactions indicate that the restored data may be stale or incomplete. Testing in isolation ensures the application's database or transaction logs are consistent with the backup point before returning the server to production, preventing data corruption or loss.

Exam trap

The trap here is that candidates assume file server accessibility equals a successful restore, overlooking the critical distinction between file-level availability and application-level data consistency, which is a common focus in CompTIA SY0-701 Security Operations questions.

How to eliminate wrong answers

Option A is wrong because marking the restore complete based solely on file server reachability ignores application-level data integrity; the accounting application's missing transactions prove the restore is incomplete or inconsistent. Option C is wrong because immediately running a new full backup over the restored server would overwrite the current state without validating data consistency, potentially preserving corruption or missing data in the backup chain. Option D is wrong because disabling the accounting application permanently is an extreme, unnecessary action that does not address the root cause of data inconsistency and disrupts business operations.

61
Multi-Selectmedium

A firewall rule was added directly in production to allow a new vendor IP range, and an internal service stopped responding because the new rule was placed above an existing deny rule. Which two change-management practices would have reduced the risk? Select two.

Select 2 answers
A.Test the rule in a staging environment that mirrors production
B.Require peer review and approval with a documented rollback plan
C.Apply the change during peak business hours to notice problems quickly
D.Disable firewall logging during the change to reduce noise
E.Skip documentation because the rule only affects one vendor
AnswersA, B

Testing in a realistic environment helps catch rule-order and access-side effects before production deployment.

Why this answer

Option A is correct because testing the rule in a staging environment that mirrors production allows you to verify the rule's behavior—specifically its placement relative to existing deny rules—without risking service disruption. In a firewall rulebase, rules are processed top-down, and a new permit rule placed above a deny rule can inadvertently match and permit traffic that was previously denied, or conversely, block traffic if the rule is misordered. Staging testing would have revealed that the new rule's position caused the internal service to stop responding, enabling adjustment before production deployment.

Exam trap

The trap here is that candidates often focus only on testing the rule's content (e.g., IP addresses and ports) and overlook the critical importance of rule order and placement in a sequential firewall rulebase, leading them to choose options like disabling logging or skipping documentation instead of recognizing that peer review and staging testing directly address ordering risks.

62
MCQhard

Based on the exhibit, which temporary control best reduces risk until the patch is released?

A.Increase scan frequency to daily and leave the service exposed.
B.Place the service behind a reverse proxy or WAF and restrict access with source IP allow lists.
C.Disable TLS so the traffic can be inspected more easily.
D.Move administrative access to the same 443 listener as user traffic.
AnswerB

The service must stay online, but the patch is unavailable, so the best temporary measure is to reduce exposure. A reverse proxy or WAF can filter malicious requests, and source IP allow lists shrink the reachable attack surface. Together, those controls act as an effective compensating measure until the vendor fix is released and can be applied.

Why this answer

Option B is correct because placing the service behind a reverse proxy or Web Application Firewall (WAF) with source IP allow lists provides a temporary compensating control that reduces the attack surface until the vendor releases a patch. The reverse proxy or WAF can inspect and filter malicious traffic, while IP allow lists restrict access to trusted sources only, mitigating the risk of exploitation without removing the service entirely.

Exam trap

CompTIA often tests the misconception that increasing monitoring (scan frequency) is a sufficient compensating control, when in fact it does not prevent exploitation—only detection is improved.

How to eliminate wrong answers

Option A is wrong because increasing scan frequency does not reduce risk; it only detects potential issues sooner, leaving the vulnerable service exposed to active exploitation. Option C is wrong because disabling TLS removes encryption, exposing all traffic to interception and tampering, which violates confidentiality and integrity, and does not address the underlying vulnerability. Option D is wrong because moving administrative access to the same 443 listener as user traffic increases the attack surface by merging management and user channels, making it easier for an attacker to target administrative functions.

63
MCQmedium

An investigator receives a suspect laptop drive that may be used in court. Which approach best supports a forensically sound image while protecting the original media?

A.Mount the drive read-write so the investigator can browse it quickly.
B.Use a hardware write blocker and create a bit-by-bit forensic image with hashes.
C.Copy only the user profile folders with a file manager to save time.
D.Boot the laptop normally and use backup software to duplicate the disk.
AnswerB

This is the best practice because a hardware write blocker prevents any accidental writes to the source drive, and a bit-by-bit image captures the exact data structure for analysis. Hashing the source or image before and after acquisition provides integrity verification, which is essential when evidence may be challenged later. Together, these steps protect the original media and support chain of custody and courtroom admissibility.

Why this answer

Option B is correct because forensic best practice requires preserving the original media in an unaltered state. A hardware write blocker physically prevents any write commands from reaching the drive, ensuring the original evidence is not modified. Creating a bit-by-bit forensic image (e.g., with `dd` or FTK Imager) captures the entire drive, including slack space and unallocated sectors, and generating cryptographic hashes (SHA-256 or MD5) before and after imaging verifies the image's integrity for court admissibility.

Exam trap

The trap here is that candidates may think booting the laptop or using a file manager is acceptable for a quick preview, but any write access—even seemingly harmless metadata updates—renders the evidence inadmissible under Daubert or Frye standards.

How to eliminate wrong answers

Option A is wrong because mounting the drive read-write allows the operating system to write metadata (e.g., timestamps, directory entries) to the drive, altering the original evidence and breaking the chain of custody. Option C is wrong because copying only user profile folders with a file manager omits critical data such as deleted files, file system metadata, and unallocated space, which may contain evidence; it also modifies file access times. Option D is wrong because booting the laptop normally writes temporary files, logs, and registry changes to the drive, and backup software typically does not create a bit-for-bit copy, altering the original media and compromising forensic soundness.

64
Multi-Select · easy

A network analyst reviews packet captures from a subnet where users intermittently lose access to the gateway. Which two findings would most strongly indicate ARP spoofing? Select two.

Select 2 answers
A. Repeated unsolicited ARP replies map the gateway IP to a different MAC address.
B. Several hosts suddenly send gateway traffic to the same unexpected MAC address.
C. Extra DNS traffic appears during the lunch hour.
D. A switch port negotiates a slower speed than usual.
E. The wireless network name appears in a site survey.
Answers: A, B

Repeated unsolicited ARP replies are a classic sign of spoofing on a LAN.

Why this answer

ARP spoofing involves an attacker sending forged ARP replies to associate the gateway's IP address with the attacker's MAC address. Repeated unsolicited ARP replies mapping the gateway IP to a different MAC address is a classic indicator, as legitimate ARP replies are normally solicited by requests. This causes traffic intended for the gateway to be redirected to the attacker, enabling interception or disruption.

Exam trap

CompTIA often tests the distinction between ARP spoofing (unsolicited ARP replies) and ARP cache poisoning (where the attacker responds faster than the legitimate host), and candidates may confuse extra DNS traffic or physical issues with ARP-based attacks.
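The two indicators in the correct answers can be checked mechanically from a capture export. The following is an added example, not code from the question bank: it reads a constructed, simplified list of ARP records and gateway-bound frames (the record layout, the gateway address 10.0.0.1 and its known-good MAC are all assumptions for the demo), classifies each ARP reply as solicited or unsolicited by looking for a recent matching request, and reports replies that map the gateway IP to a different MAC together with the hosts whose gateway traffic now goes to that MAC.

```python
"""ARP spoofing indicators from a capture export.

Added example, not part of the question bank. The record layout below is a
constructed, simplified packet-capture export; field names, the gateway
address and its known-good MAC are assumptions for the demo.
"""
from collections import defaultdict

REQUEST, REPLY = 1, 2
GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "aa:aa:aa:aa:aa:aa"   # assumed: taken from the switch/DHCP inventory
SOLICIT_WINDOW = 2.0                 # seconds a request stays "open" for a matching reply

# Constructed ARP records: (timestamp, opcode, sender_ip, sender_mac, target_ip)
SAMPLE_ARP = [
    (0.0, REQUEST, "10.0.0.10", "11:11:11:11:11:11", "10.0.0.1"),   # who has 10.0.0.1?
    (0.1, REPLY,   "10.0.0.1",  "aa:aa:aa:aa:aa:aa", "10.0.0.10"),  # solicited, real gateway
    (5.0, REPLY,   "10.0.0.1",  "de:ad:be:ef:00:01", "10.0.0.10"),  # unsolicited, other MAC
    (5.1, REPLY,   "10.0.0.1",  "de:ad:be:ef:00:01", "10.0.0.11"),
    (5.2, REPLY,   "10.0.0.1",  "de:ad:be:ef:00:01", "10.0.0.12"),
]

# Constructed IP frames addressed to off-subnet destinations: (src_ip, dst_mac).
# With clean ARP caches every one of these would carry the real gateway MAC.
SAMPLE_GATEWAY_FRAMES = [
    ("10.0.0.10", "aa:aa:aa:aa:aa:aa"),   # before the poisoning
    ("10.0.0.10", "de:ad:be:ef:00:01"),   # after: cache now points at the rogue MAC
    ("10.0.0.11", "de:ad:be:ef:00:01"),
    ("10.0.0.12", "de:ad:be:ef:00:01"),
]


def classify_replies(records, window=SOLICIT_WINDOW):
    """Split ARP replies into solicited (a matching request preceded them) and unsolicited."""
    pending = {}                     # (requester_ip, wanted_ip) -> time of latest request
    solicited, unsolicited = [], []
    for rec in sorted(records, key=lambda r: r[0]):
        ts, opcode, sender_ip, _sender_mac, target_ip = rec
        if opcode == REQUEST:
            pending[(sender_ip, target_ip)] = ts
        elif opcode == REPLY:
            key = (target_ip, sender_ip)   # the reply answers target_ip's question about sender_ip
            asked_at = pending.get(key)
            if asked_at is not None and ts - asked_at <= window:
                solicited.append(rec)
                del pending[key]           # one reply consumes one request
            else:
                unsolicited.append(rec)
    return solicited, unsolicited


def arp_spoof_indicators(records, frames, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Summarise the two findings the question describes."""
    _, unsolicited = classify_replies(records)
    rogue = [r for r in unsolicited if r[2] == gateway_ip and r[3] != gateway_mac]

    claimed = defaultdict(set)       # ip -> every MAC that has claimed it in a reply
    for _ts, opcode, sender_ip, sender_mac, _target in records:
        if opcode == REPLY:
            claimed[sender_ip].add(sender_mac)

    misdirected = sorted({src for src, dst_mac in frames if dst_mac != gateway_mac})
    return {
        "unsolicited_gateway_replies": len(rogue),
        "rogue_macs": sorted({r[3] for r in rogue}),
        "gateway_mac_conflict": len(claimed[gateway_ip]) > 1,
        "hosts_sending_gateway_traffic_to_wrong_mac": misdirected,
    }


if __name__ == "__main__":
    for key, value in arp_spoof_indicators(SAMPLE_ARP, SAMPLE_GATEWAY_FRAMES).items():
        print(f"{key}: {value}")
```

On a real network the known-good gateway MAC comes from the switch's MAC table or the DHCP server's inventory, not from the capture itself, and a single unsolicited reply is normal (gratuitous ARP after a failover); it is the repetition and the MAC conflict together that make the finding strong.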

65
MCQ · medium

A security analyst at a financial firm notices a significant increase in DNS queries from an internal server to a rarely visited external domain. The queries are for unusual subdomain names that contain encoded data. The server is not a DNS server and does not typically generate outbound traffic. Which of the following is the MOST appropriate immediate action for the analyst to take?

A. Block all outbound DNS traffic from the server immediately.
B. Isolate the server from the network to prevent further data loss.
C. Create a firewall rule to log all further DNS queries from the server.
D. Run an antivirus scan on the server.
Answer: B

Isolation effectively stops the ongoing DNS tunneling by severing the server’s network connectivity. This contains the incident, prevents additional data exfiltration, and provides a controlled environment for further forensic analysis. It aligns with standard incident response procedures.

Why this answer

The server is exhibiting signs of a DNS data exfiltration attack, where encoded data is being tunneled through DNS queries to an external domain. Isolating the server immediately stops the data loss and prevents further compromise, which is the most critical first step in incident response. Blocking traffic or scanning alone would not halt the active exfiltration, and logging without action allows continued data theft.

Exam trap

The trap here is that candidates choose to log or scan first, mistaking detection for containment, but the SY0-701 exam emphasizes immediate isolation to stop data loss in active exfiltration scenarios.

How to eliminate wrong answers

Option A is wrong because blocking all outbound DNS traffic from the server could disrupt legitimate services and does not address the root cause; the attacker may switch to another protocol. Option C is wrong because creating a firewall rule to log further queries only monitors the ongoing exfiltration without stopping it, violating the principle of immediate containment. Option D is wrong because running an antivirus scan is a secondary step that assumes a known malware signature, whereas DNS exfiltration often uses custom scripts or living-off-the-land binaries that may evade signature-based detection.
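The alert in this question comes from somewhere: a detection that scores subdomain labels for length and randomness per client and zone. The block below is an added example, not code from the question bank or any product. The resolver-log format, the client addresses, the hex-looking labels standing in for "encoded data", and the thresholds are all constructed assumptions; the only real library used is the standard library.

```python
"""Flag DNS query patterns that look like data tunnelling.

Added example, not from the question bank. The query-log format and the
client/zone names are constructed for the demo; thresholds are assumptions
a SOC would tune against its own baseline.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<epoch> <client_ip> <qname> <qtype>".
# 10.20.0.7 plays the server in the question; the long hex-looking labels stand in for
# "unusual subdomain names that contain encoded data".
SAMPLE_QUERY_LOG = """\
1700000001 10.20.0.5 www.example.com A
1700000002 10.20.0.5 mail.example.com A
1700000003 10.20.0.7 cdn.example.com A
1700000004 10.20.0.7 6d6f6e74686c792d7265706f72742d5131.rare-domain.test TXT
1700000005 10.20.0.7 3130303030302c3235303030302c3435.rare-domain.test TXT
1700000006 10.20.0.7 0a2053616c617279202d2047726f7373.rare-domain.test TXT
1700000007 10.20.0.7 4a616e6520446f652c20313233343536.rare-domain.test TXT
1700000008 10.20.0.5 www.example.com A
"""


def shannon_entropy(text):
    """Bits per character: 0 for 'www', higher for encoded blobs."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def parse_query_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        rows.append((int(ts), client, qname.rstrip(".").lower(), qtype))
    return rows


def split_zone(qname):
    """Return (subdomain_part, zone). Approximation: the zone is the last two labels."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_dns_tunneling(rows, min_distinct=3, min_mean_len=20, min_mean_entropy=2.5):
    """Group queries by (client, zone) and score the subdomain labels they carry."""
    groups = defaultdict(list)
    for _ts, client, qname, _qtype in rows:
        sub, zone = split_zone(qname)
        if sub:
            groups[(client, zone)].append(sub)

    findings = []
    for (client, zone), subs in groups.items():
        distinct = sorted(set(subs))
        mean_len = sum(len(s) for s in distinct) / len(distinct)
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in distinct) / len(distinct)
        if (len(distinct) >= min_distinct and mean_len >= min_mean_len
                and mean_entropy >= min_mean_entropy):
            findings.append({
                "client": client,
                "zone": zone,
                "queries": len(subs),
                "distinct_subdomains": len(distinct),
                "mean_label_length": round(mean_len, 1),
                "mean_entropy_bits": round(mean_entropy, 2),
                "recommended_action": "isolate host, then preserve logs and investigate",
            })
    return findings


if __name__ == "__main__":
    for finding in find_dns_tunneling(parse_query_log(SAMPLE_QUERY_LOG)):
        print(finding)
```

The legitimate example.com lookups share the zone with short, repeated labels, so they never reach the thresholds; the rare-domain.test group trips all three at once (many distinct labels, long labels, high entropy). Taking the last two labels as the zone is a simplification; production detectors use a public-suffix list so that names under co.uk-style suffixes are grouped correctly.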

66
Multi-Select · hard

A Linux operations team must run a nightly maintenance script on 70 servers to rotate logs and restart one service. Security will not allow interactive SSH logins, and the script should only have the permissions required for those two commands. Which two configuration choices best meet the requirement? Select two.

Select 2 answers
A. Create a dedicated automation account and restrict it in sudoers to the exact commands needed.
B. Place the automation account in the root group so it can restart services everywhere.
C. Use SSH key authentication with a restricted shell or forced command for the automation account.
D. Copy the administrator's personal password into the script so the job can log in unattended.
E. Approve the job through email one time, then allow the script to run with no restrictions forever.
Answers: A, C

A dedicated account makes auditing clear, and sudoers restrictions enforce least privilege for only the approved commands.

Why this answer

Option A is correct because creating a dedicated automation account and restricting it in sudoers to the exact commands needed (e.g., `/usr/sbin/logrotate` and `/usr/bin/systemctl restart <service>`) enforces the principle of least privilege. This ensures the account can only execute the specific maintenance tasks without granting interactive SSH access or unnecessary permissions.

Exam trap

The trap here is that candidates often assume placing an account in a privileged group (like root) is acceptable for automation, but CompTIA tests the principle of least privilege, requiring exact command restriction rather than broad group membership.

67
MCQ · medium

A system administrator must run a weekly maintenance script that stops and restarts two services on 50 Linux servers. Security says the job must not use an interactive login and should have only the permissions needed for that task. What is the best approach?

A. Use the root account for the scheduled job so it always succeeds.
B. Create a dedicated account with sudo rights limited to the required service commands.
C. Ask an administrator to log in manually each week and run the script.
D. Store the administrator password in the script so the task can authenticate automatically.
Answer: B

A restricted service account with narrowly scoped sudo permissions supports automation while limiting exposure if the job is abused.

Why this answer

Option B is correct because it follows the principle of least privilege by creating a dedicated service account with sudo rights restricted to only the specific service management commands (e.g., `systemctl restart serviceA.service` and `systemctl restart serviceB.service`, each listed as a separate allowed command in sudoers). This avoids using the root account (which has unrestricted access) and eliminates the need for interactive logins or embedded credentials, while still allowing the scheduled job (e.g., via cron) to run non-interactively.

Exam trap

The trap here is that candidates may assume root is necessary for service management on Linux, but sudo with carefully scoped commands provides the same functionality without granting full root privileges.

How to eliminate wrong answers

Option A is wrong because using the root account for a scheduled job violates the principle of least privilege and unnecessarily exposes the entire system to potential compromise if the script is tampered with. Option C is wrong because requiring manual interactive login each week defeats automation, introduces human error risk, and does not scale to 50 servers. Option D is wrong because storing the administrator password in the script is a severe security risk (credential exposure) and violates the requirement to avoid interactive login, as the password would be visible in plaintext or easily reversible.

68
MCQ · medium

An administrator pushed a firewall rule change to allow a new vendor IP range during business hours. Minutes later, payroll users lost access to an internal service. Which change management practice would have best reduced the impact?

A. Apply changes directly in production so they take effect as quickly as possible.
B. Test the change in a staging environment and include a rollback plan in the request.
C. Avoid documenting the change until after the maintenance window ends.
D. Use verbal approval from the payroll manager instead of the normal ticket process.
Answer: B

This is the best practice because staging validation can reveal unintended access impacts before production is touched. A rollback plan gives operators a fast, documented way to restore service if the change breaks something critical. Together, testing and rollback planning reduce outage duration and support safer operational hardening by making the change controlled, reviewable, and reversible.

Why this answer

Option B is correct because testing the change in a staging environment first would have revealed any unintended side effects, such as ACL conflicts that blocked payroll traffic. Including a rollback plan ensures that if the change causes issues in production, the administrator can quickly revert the firewall rule to restore service. This aligns with the change management process of minimizing impact through controlled testing and contingency planning.

Exam trap

The trap here is that candidates may think speed of implementation (Option A) is more important than safety, but CompTIA emphasizes that change management processes, including testing and rollback, are critical to prevent production outages.

How to eliminate wrong answers

Option A is wrong because applying changes directly in production without prior testing increases the risk of disrupting services, as seen when the new vendor IP range inadvertently blocked payroll users. Option C is wrong because avoiding documentation until after the maintenance window violates change management best practices and makes it difficult to identify or revert the change when an incident occurs. Option D is wrong because using verbal approval bypasses the formal change control process, leaving no audit trail and increasing the chance of unauthorized or uncoordinated changes that can cause outages.

69
MCQ · medium

A public web application is seeing bursts of requests that contain SQL metacharacters, encoded script tags, and attempts to POST to administrative endpoints. The team wants a control that can inspect HTTP traffic and block the malicious requests before they reach the app. What should be deployed?

A. A web application firewall in front of the application
B. An endpoint detection and response agent on the web server only
C. A data loss prevention rule on the email gateway
D. A network access control system for user authentication
Answer: A

A WAF is designed to inspect HTTP/S traffic and block common web attacks such as SQL injection and cross-site scripting before they reach the application.

Why this answer

A web application firewall (WAF) is specifically designed to inspect HTTP/HTTPS traffic at the application layer (Layer 7), analyzing request payloads for SQL metacharacters, encoded script tags (XSS), and unauthorized POST attempts to administrative endpoints. By deploying a WAF in front of the web application, malicious traffic is filtered and blocked before it reaches the application server, providing a proactive security control against common web attacks such as SQL injection and cross-site scripting.

Exam trap

The trap here is that candidates may confuse a WAF with a network firewall or an IDS/IPS, but the question specifically mentions HTTP traffic inspection and blocking of application-layer attacks (SQLi, XSS), which is the precise domain of a WAF, not a general network firewall or host-based EDR.

How to eliminate wrong answers

Option B is wrong because an endpoint detection and response (EDR) agent on the web server only monitors and responds to threats at the host level (e.g., file changes, process anomalies) after traffic has already reached the server; it does not inspect or block incoming HTTP requests at the network perimeter. Option C is wrong because a data loss prevention (DLP) rule on the email gateway is designed to monitor and prevent the unauthorized transmission of sensitive data via email, not to inspect or block HTTP traffic targeting a web application.
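To make concrete what "inspect HTTP traffic and block before it reaches the app" means, here is an added example of the three rule types the question lists, written for this page and not taken from any WAF product's rule set. The request dictionaries, the admin path prefixes, and the 10.0.0.0/8 management network are constructed assumptions; the decoder undoes two layers of percent-encoding so that a double-encoded script tag is still seen.

```python
"""Inspect HTTP requests the way a WAF rule set would, before they reach the app.

Added example, not from the question bank and not any vendor's rule set. The
request shape, the admin path prefixes and the internal-management network are
constructed assumptions for the demo.
"""
import ipaddress
import re
from urllib.parse import unquote

ADMIN_PREFIXES = ("/admin", "/manage")                 # assumed admin endpoints
ADMIN_NETWORK = ipaddress.ip_network("10.0.0.0/8")     # assumed management range

# Signatures kept deliberately small: SQL metacharacters/keywords and script tags.
SQL_RULE = re.compile(r"(?i)(?:'|--|/\*|;|\bunion\s+select\b)")
XSS_RULE = re.compile(r"(?i)<\s*script\b|javascript\s*:")


def deep_decode(value, rounds=2):
    """Undo up to `rounds` layers of percent-encoding (covers %253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(req):
    """Return {'action': 'allow'|'block', 'matched': [...]} for one request dict."""
    matched = []
    target = deep_decode(req["target"])          # path plus query string
    body = deep_decode(req.get("body", ""))
    path = target.split("?", 1)[0]

    if SQL_RULE.search(target) or SQL_RULE.search(body):
        matched.append("sql_metacharacters")
    if XSS_RULE.search(target) or XSS_RULE.search(body):
        matched.append("script_injection")
    if req["method"] == "POST" and path.startswith(ADMIN_PREFIXES):
        if ipaddress.ip_address(req["src_ip"]) not in ADMIN_NETWORK:
            matched.append("admin_post_from_untrusted_source")

    return {"action": "block" if matched else "allow", "matched": matched}


# Constructed requests: one benign, two with encoded payloads, two admin POSTs.
SAMPLE_REQUESTS = [
    {"method": "GET", "target": "/search?q=laptops", "src_ip": "198.51.100.7"},
    {"method": "GET", "target": "/search?q=laptops%27%20OR%201%3D1--", "src_ip": "198.51.100.7"},
    {"method": "GET", "target": "/comment?text=%253Cscript%253Ealert(1)%253C%252Fscript%253E",
     "src_ip": "198.51.100.8"},
    {"method": "POST", "target": "/admin/users", "body": "role=admin", "src_ip": "203.0.113.50"},
    {"method": "POST", "target": "/admin/users", "body": "role=admin", "src_ip": "10.1.2.3"},
]


def inspect_all(requests=SAMPLE_REQUESTS):
    """Decision per request, in input order."""
    return [inspect_request(r)["action"] for r in requests]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["target"], "->", inspect_request(req))
```

Blocking on a lone apostrophe is far too aggressive for a real site (think of a surname search); production WAFs score several weak signals and block only above a threshold, and they are tuned in monitor-only mode first. The structure is the point here: normalise, then evaluate each rule against the decoded request.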

70
MCQ · medium

A help desk ticket reports that a user's Microsoft 365 mailbox sent hundreds of messages to external contacts, and the user says they are still receiving MFA prompts they did not start. The attacker may still have an active web session. What is the best first containment action?

A. Delete the suspicious sent messages and close the ticket.
B. Revoke the account's active sessions and reset the password immediately.
C. Wait until the end of the workday to avoid interrupting the user.
D. Reimage the user's laptop before touching the email account.
Answer: B

Ending active sessions cuts off any stolen cookies or tokens that may still be valid, and resetting the password prevents immediate reentry. In an email compromise, the attacker often keeps access through browser sessions even after credentials change. Fast containment should focus on terminating current access paths first, then investigating forwarding rules, OAuth grants, and sign-in history.

Why this answer

Option B is correct because the user is still receiving unsolicited MFA prompts, indicating an attacker likely has an active web session with a valid token. Revoking all active sessions immediately invalidates any existing tokens or cookies, while resetting the password ensures the attacker cannot re-authenticate. This is the fastest way to cut off the attacker's access and stop further abuse of the mailbox.

Exam trap

The trap here is that candidates may think deleting the sent messages is sufficient containment, failing to recognize that the attacker's active session must be terminated to stop ongoing compromise.

How to eliminate wrong answers

Option A is wrong because deleting the suspicious messages does not remove the attacker's access; they can continue sending more emails, and the root cause (compromised session) remains unaddressed. Option C is wrong because waiting until the end of the workday gives the attacker more time to exfiltrate data, send additional malicious emails, or escalate privileges, violating the principle of immediate containment.

71
MCQ · hard

Based on the exhibit, which change best moves the ERP recovery design toward meeting both recovery targets?

A. Increase the full backup frequency to every night and keep the same recovery process.
B. Add a warm standby database with 15-minute log shipping and scheduled failover tests.
C. Move backup media to the same server to reduce transfer time.
D. Eliminate differential backups and rely only on weekly full backups.
Answer: B

A warm standby reduces recovery time because the system is already provisioned and closer to operational readiness. Pairing it with 15-minute log shipping also improves the recovery point objective by limiting data loss. Scheduled failover tests validate that the process works in practice, which is critical when tight RTO and RPO targets must both be met.

Why this answer

Option B is correct because adding a warm standby database with 15-minute log shipping significantly reduces the recovery point objective (RPO) to near-zero and, combined with scheduled failover tests, ensures the recovery time objective (RTO) is met. This directly addresses the gap between the current backup-only approach and the required recovery targets, as log shipping provides near-continuous data protection and failover testing validates the recovery process.

Exam trap

The trap here is that candidates may think increasing backup frequency (Option A) is sufficient to meet recovery targets, but they overlook that backups alone do not reduce RTO and that a warm standby with log shipping is required for near-zero RPO and fast failover.

How to eliminate wrong answers

Option A is wrong because increasing full backup frequency to every night still leaves up to 24 hours of potential data loss, failing to meet a low RPO requirement, and does not improve recovery time. Option C is wrong because moving backup media to the same server eliminates off-site redundancy, increasing the risk of total data loss in a disaster, and does not reduce transfer time meaningfully if the network is the bottleneck. Option D is wrong because eliminating differential backups and relying only on weekly full backups increases both RPO (up to 7 days) and RTO (longer restore time), moving further from the recovery targets.

72
MCQ · easy

A SIEM alert shows five failed logins to an administrator account, followed by a successful login from a new city three minutes later. The account owner says they did not sign in. What should the analyst do first?

A. Ignore the alert because the login eventually succeeded.
B. Temporarily disable the account and open an incident for investigation.
C. Reset the password only and close the alert.
D. Reboot the user's laptop to clear any malicious activity.
Answer: B

Disabling the account immediately limits further unauthorized access while the team investigates. Because the user denies the login and the activity is unusual, the account should be contained quickly and the event escalated for incident handling.

Why this answer

Option B is correct because the alert shows a classic indicator of account compromise: multiple failed logins followed by a successful authentication from an unusual location. The account owner's denial of the login confirms unauthorized access, so the immediate priority is to contain the threat by disabling the account and opening an incident for formal investigation. This aligns with the NIST SP 800-61 incident response process, specifically the containment phase before eradication or recovery.

Exam trap

The trap here is that candidates may focus on the 'successful login' as a resolution rather than recognizing it as the point of compromise, leading them to incorrectly choose A or C instead of prioritizing containment.

How to eliminate wrong answers

Option A is wrong because ignoring the alert disregards clear evidence of a successful brute-force or credential-stuffing attack; the successful login from a new city indicates the attacker gained access, so the alert must be acted upon. Option C is wrong because resetting the password alone does not address the possibility that the attacker established persistence (e.g., a backdoor or session token) or that other accounts are compromised; closing the alert without investigation violates standard incident response procedures. Option D is wrong because rebooting the user's laptop does not remediate a server-side or cloud-based account compromise; the attacker likely authenticated from a remote system, not the local device, and rebooting would not remove any malicious activity on the server or directory service.
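The SIEM rule behind this alert is a short correlation: a run of failures, then a success, from a location the account has not used before. The block below is an added example written for this page, not a rule from any SIEM product. The log line format, the per-user baseline of familiar cities, and the thresholds (five failures inside ten minutes) are constructed assumptions; it also shows the contrasting case where a success follows a single typo from a familiar city, which is what the next question's "verify with the user first" path covers.

```python
"""Correlate failed logins, a following success and an unfamiliar location.

Added example, not from the question bank or any SIEM vendor. The log line
format, the user baseline and the thresholds are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed authentication log: "<ISO-8601 UTC> <user> <FAIL|SUCCESS> <src_ip> <city>"
SAMPLE_AUTH_LOG = """\
2024-05-01T08:00:00Z admin FAIL 203.0.113.9 Lisbon
2024-05-01T08:00:20Z admin FAIL 203.0.113.9 Lisbon
2024-05-01T08:00:41Z admin FAIL 203.0.113.9 Lisbon
2024-05-01T08:01:05Z admin FAIL 203.0.113.9 Lisbon
2024-05-01T08:01:30Z admin FAIL 203.0.113.9 Lisbon
2024-05-01T08:03:10Z admin SUCCESS 203.0.113.9 Lisbon
2024-05-01T08:05:00Z jsmith FAIL 198.51.100.4 Chicago
2024-05-01T08:05:30Z jsmith SUCCESS 198.51.100.4 Chicago
"""

# Cities each account has signed in from over the past 30 days (assumed baseline).
BASELINE_CITIES = {"admin": {"Chicago"}, "jsmith": {"Chicago"}}


def parse_auth_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src_ip, city = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, src_ip, city))
    return rows


def detect_account_compromise(rows, baseline, min_failures=5, window=timedelta(minutes=10)):
    """Alert on each SUCCESS preceded by >= min_failures FAILs for the same user inside `window`."""
    alerts = []
    rows = sorted(rows, key=lambda r: r[0])
    for i, (ts, user, result, src_ip, city) in enumerate(rows):
        if result != "SUCCESS":
            continue
        failures = [r for r in rows[:i]
                    if r[1] == user and r[2] == "FAIL" and ts - r[0] <= window]
        if len(failures) < min_failures:
            continue
        new_location = city not in baseline.get(user, set())
        alerts.append({
            "user": user,
            "success_at": ts.isoformat(),
            "src_ip": src_ip,
            "city": city,
            "failed_attempts": len(failures),
            "new_location": new_location,
            # contain first when the location is unfamiliar; otherwise confirm with the user
            "first_action": ("disable account and open incident" if new_location
                             else "verify with user before containment"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_account_compromise(parse_auth_log(SAMPLE_AUTH_LOG), BASELINE_CITIES):
        print(alert)
```

The `first_action` field encodes the decision this question and the next one test: an unfamiliar location on top of a failure burst is contained immediately, while a lone success from a known city is validated with the user before anything disruptive is done. Lowering `min_failures` to 1 in the usage surfaces the jsmith case for comparison.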

73
Multi-Select · hard

A privileged cloud administrator account shows two suspicious events: an API key was created from an unfamiliar IP address, and a mailbox forwarding rule was added five minutes later. The account is still active and may be in attacker control. Which two actions should the analyst take first to preserve evidence while limiting additional abuse? Select two.

Select 2 answers
A. Export the relevant identity and audit logs before making changes, so the original event trail is preserved.
B. Revoke the suspicious API key or active session token, so the attacker loses immediate access.
C. Delete the mailbox forwarding rule and empty the trash folder, so the attacker cannot read old messages.
D. Reimage the admin workstation immediately, because the issue must have started on the endpoint.
E. Disable all company email for every user until the account investigation is finished.
Answers: A, B

Preserving the logs first protects the original evidence before any containment actions change the environment. Identity, audit, and mailbox logs can later prove who created the key, when the forwarding rule was added, and from where the activity originated. Exporting them early reduces the chance that the response itself destroys useful evidence.

Why this answer

Option A is correct because exporting identity and audit logs before any changes preserves the original event trail, which is critical for forensic analysis and chain of custody. If logs are altered or rotated after the fact, evidence of the attacker's actions (e.g., API key creation from an unfamiliar IP) could be lost or overwritten, hindering the investigation.

Exam trap

The trap here is that candidates may prioritize immediate disruption (e.g., deleting the forwarding rule or disabling email) over evidence preservation, forgetting that logs are the primary source of truth for incident response and that revoking access tokens (Option B) is the correct way to stop abuse without destroying evidence.

74
MCQ · medium

A security analyst receives an alert about a user account that has been attempting to authenticate from an unusual geographic location outside of business hours. The analyst reviews the event logs and sees that the authentication attempt was successful, but the user has not reported any suspicious activity. Which of the following actions should the analyst take NEXT?

A. Disable the user account immediately to prevent further access
B. Contact the user to verify whether the authentication was legitimate
C. Continuously monitor the account for additional suspicious activity
D. Revoke all active sessions for the user account
Answer: B

Contacting the user is the appropriate next step in the incident response process. The analyst needs to confirm if the user performed the action. If the user denies it, the account is likely compromised, and the incident should be escalated. This step helps avoid false positives and ensures accurate incident handling.

Why this answer

The correct next step is to contact the user to verify whether the authentication was legitimate. Since the authentication was successful and the user has not reported suspicious activity, the analyst must first gather context from the user before taking any disruptive action. This aligns with the incident response process of validation and scoping before containment.

Exam trap

The trap here is that candidates often jump to containment (disabling the account) without first validating the alert, confusing the 'detection and analysis' phase with the 'containment, eradication, and recovery' phase of the incident response process.

How to eliminate wrong answers

Option A is wrong because immediately disabling the user account without verification could disrupt legitimate access and is premature; the analyst should first confirm the activity is unauthorized. Option C is wrong because continuous monitoring alone delays necessary action and does not address the immediate need to determine if the account is compromised; passive monitoring is insufficient when a successful authentication from an unusual location has already occurred.

75
MCQ · medium

An investigator has just created a bit-for-bit image of a suspect's SSD using a write blocker. Before the drive is returned to evidence storage, what action most directly validates the integrity of both the original media and the image?

A. Defragment the original SSD to make later analysis faster.
B. Calculate cryptographic hashes of the source and the image and record them.
C. Compress the image file to reduce storage usage before documentation.
D. Wipe free space on the original SSD to remove deleted remnants.
Answer: B

Matching hashes provide a repeatable integrity check that shows the image accurately reflects the acquired source without alteration.

Why this answer

Option B is correct because cryptographic hashing (e.g., SHA-256 or MD5) generates a unique digital fingerprint of the original SSD and the forensic image. By comparing the hash values, the investigator can verify that the bit-for-bit copy is identical to the source, ensuring data integrity and admissibility in legal proceedings. This step directly validates that no data has been altered or omitted during acquisition.

Exam trap

The trap here is that candidates may confuse integrity validation with storage optimization or cleanup tasks, mistakenly thinking defragmentation or compression helps preserve evidence, when in fact they destroy the forensic integrity that hashing alone guarantees.

How to eliminate wrong answers

Option A is wrong because defragmenting an SSD alters the physical layout of data, which destroys the original evidence and violates forensic best practices; it also does not validate integrity. Option C is wrong because compressing the image file changes its binary representation, breaking the hash match with the original media and potentially corrupting evidence. Option D is wrong because wiping free space modifies the original drive, destroying potential evidence remnants and invalidating any integrity verification.
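Question 63 (write blocker plus bit-by-bit image with hashes) and this question (hashing source and image to validate the acquisition) describe one procedure, so one added example covers both. It is written for this page, not taken from the question bank or from any forensic tool: a constructed 1 MiB file stands in for the write-blocked device node that a real acquisition would read, the image is copied in fixed-size blocks the way `dd` does, and the source is hashed before and after imaging alongside the image so that the three SHA-256 values can be recorded together. A `tamper` switch flips one byte in the image to show what a failed verification looks like.

```python
"""Acquire a bit-for-bit image and verify it with before/after hashes.

Added example, not from the question bank or any forensic tool. The "suspect
SSD" is a constructed file; on a real acquisition `source` would be the
write-blocked device node and the hashes would go into the chain-of-custody record.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 64 * 1024   # read in fixed blocks, like dd bs=64k


def sha256_file(path, block_size=BLOCK_SIZE):
    """Stream the file through SHA-256 so large images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source, image, block_size=BLOCK_SIZE):
    """Bit-for-bit copy; the source is only ever opened read-only."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            dst.write(chunk)
    return os.path.getsize(image)


def verify_acquisition(source, image):
    """Hash source before, image, and source after; all three must agree."""
    before = sha256_file(source)
    image_hash = sha256_file(image)
    after = sha256_file(source)
    return {
        "source_hash_before": before,
        "image_hash": image_hash,
        "source_hash_after": after,
        "source_unchanged": before == after,       # the write blocker did its job
        "image_matches_source": image_hash == before,
        "verified": before == after == image_hash,
    }


def run_demo(tamper=False):
    """Build a constructed source, image it, optionally damage the image, verify."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "suspect_ssd.bin")   # stand-in for /dev/sdX
        image = os.path.join(workdir, "suspect_ssd.dd")
        # Constructed stand-in for the suspect SSD: 1 MiB of deterministic pseudo-random bytes.
        with open(source, "wb") as f:
            for i in range(16):
                f.write(hashlib.sha256(i.to_bytes(4, "big")).digest() * 2048)
        acquire_image(source, image)
        if tamper:
            # Flip one byte of the image (never the source) to show the check failing.
            with open(image, "r+b") as f:
                f.seek(4096)
                original = f.read(1)
                f.seek(4096)
                f.write(bytes([original[0] ^ 0xFF]))
        return verify_acquisition(source, image)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
    print("tampered image verified:", run_demo(tamper=True)["verified"])
```

The `source_unchanged` flag is the evidence that the original media was not written to during acquisition, and `image_matches_source` is the evidence that the copy is complete; both hashes, with the tool, date and operator, belong in the chain-of-custody form. Recording the algorithm with the hash matters when MD5 is still in use, since a later verifier must compute the same function.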
