Threats, Vulnerabilities, and Mitigations practice questions
The Threats, Vulnerabilities & Mitigations domain of the SY0-701 exam is all about understanding the bad things that can happen to an organization's systems and data, and how to stop them. Think of it as the defensive playbook for cybersecurity. You'll learn about different types of attacks—like phishing, ransomware, and denial-of-service—and the weaknesses (vulnerabilities) they exploit, such as unpatched software or weak passwords. But it's not just about knowing the threats; you also need to know how to fix them. That's where mitigations come in—things like firewalls, encryption, access controls, and security policies. For example, if a company has a vulnerability in its web application, a mitigation might be to apply a patch or use a web application firewall. This domain is the core of what security professionals do every day: identify risks, protect assets, and respond to incidents.
Why is this domain so important in real-world IT and security work? Because threats are everywhere. In a typical day, a security analyst might deal with phishing emails, scan for unpatched systems, or configure a VPN to secure remote access. Cloud environments add complexity—misconfigured S3 buckets can expose sensitive data, and compromised API keys can lead to breaches. Understanding these threats and how to mitigate them is critical for roles like security analyst, network administrator, and cloud engineer. Even if you're not in a dedicated security role, knowing these concepts helps you protect your organization from costly incidents. For instance, a simple social engineering attack could trick an employee into revealing credentials, leading to a data breach that costs millions. The SY0-701 exam ensures you have the foundational knowledge to prevent such scenarios.
On the exam itself, this domain tests your ability to identify, analyze, and respond to security threats and vulnerabilities. You'll see questions about attack types (e.g., spear phishing vs. whaling), vulnerability scanning tools (like Nessus or OpenVAS), and mitigation techniques (e.g., patch management, network segmentation). You'll also need to understand indicators of compromise (IoCs) and how to interpret them. For example, a question might describe a sudden spike in outbound traffic and ask you to identify the likely attack (data exfiltration) and suggest a mitigation (egress filtering). The exam also covers emerging threats like supply chain attacks and AI-powered malware. You'll need to know not just the definitions, but how to apply them in scenarios—like choosing the best control to prevent a SQL injection attack (parameterized queries) or detecting a man-in-the-middle attack (certificate validation).
To study this domain effectively, start by understanding the threat landscape. Make flashcards for common attack types (phishing, ransomware, DDoS, etc.) and their characteristics. Then, focus on vulnerabilities—learn about CVEs, the Common Vulnerability Scoring System (CVSS), and how to prioritize patches. For mitigations, group them into categories: administrative (policies, training), technical (firewalls, IDS/IPS, encryption), and physical (locks, biometrics). Practice with scenario-based questions—many resources offer practice exams that mimic the SY0-701 style. Use the acronym STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to categorize threats, and remember the CIA triad (Confidentiality, Integrity, Availability) as a framework for mitigations. Finally, stay current—follow security news to see real-world examples of attacks and how they were mitigated. This domain is heavy, but with consistent study and hands-on practice (like using a home lab or online sandboxes), you can master it.
Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.
What to know about Threats, Vulnerabilities, and Mitigations
Threats, Vulnerabilities & Mitigations covers the identification of various attack types (e.g., phishing, ransomware), the weaknesses they exploit (vulnerabilities like unpatched software), and the controls (mitigations) to prevent or reduce damage, such as firewalls, encryption, and security policies.
Identifying and differentiating between types of social engineering attacks (e.g., spear phishing, vishing, tailgating)
A security analyst is reviewing web server logs from an e-commerce application. The logs show repeated requests containing URLs with appended strings such as: `' OR '1'='1' --` and `'; DROP TABLE Users; --`. The application returned HTTP 200 responses with unexpected data in several instances. Which type of attack is most likely being attempted?
A
SQL injection
Correct. The log entries show SQL syntax such as `OR '1'='1'` and `DROP TABLE`, which are classic indicators of SQL injection attempts. This attack exploits improper input sanitization to manipulate database queries.
B
LDAP injection
Why wrong: LDAP injection attacks target Lightweight Directory Access Protocol (LDAP) queries, not SQL databases. The patterns shown are SQL-specific, not LDAP filter syntax (e.g., `(&(uid=*)(userPassword=*))`).
C
Command injection
Why wrong: Command injection attempts to execute arbitrary operating system commands through a vulnerable application. The logs show SQL syntax, not shell metacharacters like `;`, `|`, or `&&` typically used in command injection.
D
Cross-site scripting (XSS)
Why wrong: XSS involves injecting client-side scripts (e.g., JavaScript) into web pages viewed by other users. The log entries contain SQL code, not script tags or event handlers like `<script>alert(1)</script>`.
A security analyst is reviewing the source code of a custom network service written in C. The service allocates a 256-byte buffer and uses the strcpy() function to copy incoming data into that buffer without verifying the length of the input. If an attacker sends a specially crafted payload that exceeds 256 bytes, which security control would be most effective at detecting and preventing the resulting exploitation at runtime?
A
Stack canaries
Correct. Stack canaries are placed before the return address on the stack. If a buffer overflow overwrites the canary, the program terminates, preventing control-flow hijacking. This is a highly effective runtime defense against stack-based buffer overflows.
B
Transport Layer Security (TLS)
Why wrong: TLS encrypts network traffic but does not protect against vulnerabilities in the application code itself, such as buffer overflows. It cannot prevent the exploitation of memory corruption bugs.
C
Code signing
Why wrong: Code signing verifies that the software has not been tampered with and identifies the publisher. It does not provide runtime protection against memory corruption exploits in the running application.
D
Data Execution Prevention (DEP)
Why wrong: DEP makes memory regions non-executable, which can prevent direct execution of injected shellcode. However, sophisticated attackers can bypass DEP using return-oriented programming (ROP). Stack canaries are generally more effective for detecting the overflow itself, even when DEP is present.
A CFO at a mid-sized company receives an urgent email that appears to come from the CEO's email address, requesting an immediate wire transfer of $50,000 to a new vendor for a time-sensitive project. The email address displayed is 'ceo@cornpany.com' instead of the legitimate 'ceo@company.com'. The CFO follows the instruction and initiates the transfer. Later, the real CEO denies sending such a request. Which of the following security controls would have been MOST effective in preventing this type of attack from succeeding?
A
Deploying a stronger email spam filter that blocks all emails from unrecognized domains
Why wrong: Email filters may catch known malicious domains, but lookalike domains (e.g., 'cornpany.com') are often new or trusted by the filter, so this control is not consistently effective against CEO fraud.
B
Requiring multi-factor authentication (MFA) for all corporate email accounts
Why wrong: MFA protects against credential theft, but in this attack the CFO's account is not compromised; the attacker is impersonating the CEO via a spoofed email. MFA does not verify the authenticity of the sender's email address.
C
Implementing a policy that all financial transfers over a certain threshold must be verbally verified via a known phone number before execution
An out-of-band verification procedure, such as calling the requester on a known phone number, directly addresses the impersonation risk by confirming the request through an independent communication channel.
D
Enabling Transport Layer Security (TLS) encryption for all outgoing email communications
Why wrong: TLS encryption protects the confidentiality of email content in transit, but it does not authenticate the sender's identity or prevent spoofing, so it would not stop this attack.
A user receives a phone call from someone who claims to be a member of the company's IT support team. The caller states that the user's account has been compromised and requests the user's username, password, and the current multi-factor authentication (MFA) code to 'verify identity and secure the account.' Which type of social engineering attack is being attempted?
A
Spear phishing
Why wrong: Spear phishing is a targeted email attack that tricks the recipient into clicking a malicious link or opening an attachment. This question involves a phone call, not email.
B
Vishing
Vishing (voice phishing) is a social engineering attack conducted over the phone. The attacker impersonates a trusted entity to trick the victim into revealing sensitive information such as passwords and MFA codes.
C
Pretexting
Why wrong: Pretexting is the act of creating a fabricated scenario (pretext) to obtain information, and it can be used across different communication channels. While the attacker does use a pretext in this scenario, 'vishing' is the more specific term when the attack occurs via phone. In the context of CompTIA Security+, vishing is the best answer because it directly identifies the medium (voice).
D
Tailgating
Why wrong: Tailgating is a physical security attack where an unauthorized person follows an authorized person into a restricted area without proper credentials. This scenario involves a phone call, not physical access.
A security analyst is reviewing the source code of a custom authentication service. The service uses a function that compares a user-supplied password to the stored password hash by iterating through each byte and returning false immediately upon the first mismatch. The analyst measures the function's execution time and discovers it varies measurably depending on how many initial bytes match. Which type of attack is this vulnerability most likely to facilitate?
A
Brute-force attack
Why wrong: A brute-force attack attempts every possible combination of characters, which is computationally expensive and does not leverage timing variations. While an attacker could eventually guess the password, the timing vulnerability specifically enables a more efficient attack.
B
Dictionary attack
Why wrong: A dictionary attack uses a precomputed list of common passwords or phrases, and does not utilize execution time measurements. It relies on the likelihood that users choose weak passwords, not on side-channel information like timing.
C
Replay attack
Why wrong: A replay attack involves intercepting a valid authentication token (such as a session cookie or hashed password) and retransmitting it to impersonate the user. It does not involve manipulating or measuring execution time of a comparison function.
D
Timing attack
A timing attack exploits measurable variations in the time it takes to execute a cryptographic operation. In this case, the early-exit comparison enables an attacker to deduce the correct secret byte by byte, making it the correct classification.
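The early-exit comparison from this question beside its constant-time replacement, as an added example that is not code from the original page. The stored digest and the probe values are constructed; a "bytes inspected" counter stands in for the execution time an observer would measure, since wall-clock timing is noisy on a laptop.

```python
"""Early-exit vs constant-time secret comparison (added example).

The vulnerable function returns on the first mismatching byte, so the
amount of work it does (and therefore its running time) grows with the
length of the correct prefix. The fixed version always touches every
byte, so its work does not depend on where the mismatch is.
"""
import hashlib
import hmac

# Constructed sample: the stored hash of a made-up password (32 bytes).
STORED_HASH = hashlib.sha256(b"constructed-sample-password").digest()


def early_exit_compare(stored: bytes, guess: bytes) -> tuple[bool, int]:
    """Vulnerable: stops at the first mismatch.

    Returns (match, bytes_inspected). The second value models the timing
    side channel: it equals the number of leading bytes that were right,
    plus one for the byte that failed.
    """
    if len(stored) != len(guess):
        return False, 0
    inspected = 0
    for a, b in zip(stored, guess):
        inspected += 1
        if a != b:
            return False, inspected
    return True, inspected


def constant_time_compare(stored: bytes, guess: bytes) -> tuple[bool, int]:
    """Mitigation: inspect every byte and accumulate differences with XOR/OR.

    No early return, so bytes_inspected is always len(stored) and the
    result is only read after the loop completes.
    """
    if len(stored) != len(guess):
        # Length is still observable; real code compares fixed-length digests.
        return False, 0
    diff = 0
    inspected = 0
    for a, b in zip(stored, guess):
        inspected += 1
        diff |= a ^ b
    return diff == 0, inspected


def stdlib_compare(stored: bytes, guess: bytes) -> bool:
    """What production code should call: the standard library's
    constant-time comparison for equal-length byte strings."""
    return hmac.compare_digest(stored, guess)


def guess_with_correct_prefix(stored: bytes, k: int) -> bytes:
    """Constructed probe: first k bytes correct, byte k guaranteed wrong."""
    assert 0 <= k < len(stored)
    return stored[:k] + bytes([stored[k] ^ 0xFF]) + stored[k + 1:]


def work_profile(compare, stored: bytes, probes: int = 8) -> list[int]:
    """Bytes inspected for probes with 0, 1, ..., probes-1 correct leading
    bytes. A rising profile means the comparison leaks the prefix length."""
    return [compare(stored, guess_with_correct_prefix(stored, k))[1]
            for k in range(probes)]


if __name__ == "__main__":
    print("early-exit    :", work_profile(early_exit_compare, STORED_HASH))
    print("constant-time :", work_profile(constant_time_compare, STORED_HASH))
```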
A security analyst is reviewing the results of a dynamic application security test (DAST) on a new e-commerce application. The report indicates that the application's product search functionality is vulnerable to blind SQL injection. The analyst is tasked with recommending a remediation to the development team. The developers currently concatenate user input directly into SQL queries. Which of the following recommendations would most effectively and permanently mitigate this vulnerability?
A
Implement a web application firewall (WAF) rule to block suspicious SQL keywords in search parameters.
Why wrong: A WAF is a compensating control that can detect and block some SQL injection payloads, but it does not fix the underlying vulnerable code. Attackers can often bypass WAF rules using encoding, obfuscation, or logic differences. This is not a permanent fix and should not be the primary recommendation.
B
Sanitize user input by escaping single quotes and other special characters before concatenation.
Why wrong: Input sanitization via escaping can reduce risk but is not foolproof. Different databases have different escape characters and contexts (e.g., numeric fields, like clauses) where escaping may fail. It is possible to bypass escaping with techniques such as second-order SQL injection or using database functions. Parameterized queries are more robust.
C
Replace dynamic SQL queries with parameterized prepared statements.
Parameterized prepared statements ensure that user input is always treated as data, not executable code. The database compiles the SQL statement with parameter placeholders, and the actual values are bound separately. This completely prevents SQL injection because the input cannot alter the query structure. This is the industry-standard permanent fix.
D
Encode all user input using HTML entity encoding before database operations.
Why wrong: HTML entity encoding is designed to neutralize special characters in output that is rendered in a web browser, preventing cross-site scripting (XSS). It has no effect on SQL queries because the encoding does not change how the string is interpreted by the database. This would not prevent SQL injection.
A security analyst is reviewing authentication logs from a corporate web application. The logs show thousands of failed login attempts over the past hour. Each attempt uses a different username, but all attempts use the same password 'Spring2024!'. The source IP addresses are widely distributed across several different geographic regions. Which type of attack is the analyst most likely observing?
A
Brute-force attack
Why wrong: A brute-force attack typically targets a single username and attempts many different passwords against it. The observed pattern shows many usernames with a single password, which does not match this definition.
B
Password spraying attack
Password spraying involves using a small number of common passwords against a large number of user accounts. This matches the log pattern: different usernames, same password, many attempts.
C
Credential stuffing attack
Why wrong: Credential stuffing uses lists of known username-password pairs from previous breaches. The logs show a single password repeated across all attempts, not unique passwords paired with specific usernames.
D
Dictionary attack
Why wrong: A dictionary attack typically tries many common passwords against a single user account. The log shows the opposite: one password being tried against many users.
A security analyst is investigating a series of alerts from the web application firewall. Users are reporting that when they view a product review page on the company's e-commerce site, their browser automatically redirects to a malicious website. The analyst examines the database and finds that a product review submitted by a user contains a `<script>` tag that loads a JavaScript file from an external domain. Which type of attack has occurred?
A
Cross-site request forgery (CSRF)
Why wrong: CSRF attacks trick a user's browser into making an unwanted request to a web application in which the user is authenticated, often resulting in actions like changing a password or making a transaction. The described scenario involves script injection and automatic redirects, not unauthorized action requests.
B
Stored cross-site scripting (XSS)
This is correct. The injected script is permanently stored in the database (in the product review) and executes when other users view the page, which is the defining characteristic of stored (persistent) XSS.
C
SQL injection
Why wrong: SQL injection targets the database layer by manipulating SQL queries through user input. While it could be used to insert malicious scripts, the symptom described (automatic browser redirect from a web page) is directly caused by client-side script execution, not database manipulation.
D
Reflected cross-site scripting (XSS)
Why wrong: Reflected XSS involves malicious script reflected from the web server, typically via a URL parameter or form input, and it is not stored permanently. In this case, the script was found in the database and affects all users visiting the page, which indicates stored XSS.
A security analyst is reviewing the session management implementation of a web application. The application generates session tokens by computing the MD5 hash of the concatenation of the username and the current server timestamp rounded to the nearest hour. An attacker has obtained a valid session token for her own account and discovers that she can forge tokens for other users by simply substituting the username in the hash calculation with a known target username. Which type of attack is the web application most vulnerable to?
A
Session hijacking via cross-site scripting (XSS)
Why wrong: Session hijacking via XSS requires an attacker to inject malicious script that steals the victim's session token. This scenario does not involve injecting script; it involves predicting the token without stealing it.
B
Session replay attack
Why wrong: A session replay attack involves capturing a valid token and reusing it later to impersonate the same user. The vulnerability described allows the attacker to create a token for a different user, not replay a captured one.
C
Session prediction
The session token is generated using the username and a timestamp with low granularity, making it possible for an attacker who knows the algorithm to calculate valid tokens for any user. This is a classic session prediction vulnerability.
D
Session fixation
Why wrong: Session fixation occurs when an attacker forces a victim to use a session token that the attacker knows. Here, the attacker is able to compute a token for the victim without any interaction, so it is prediction, not fixation.
A security analyst is reviewing the source code of a custom web application. The application receives JSON data from users, which includes a 'type' field. The application uses the 'type' field to determine which Java class to instantiate, and then calls a method on that object. The application does not validate or sanitize the 'type' field. An attacker sends a crafted JSON payload that causes the application to instantiate an unexpected class, leading to remote code execution. Which type of vulnerability does this example describe?
A
SQL injection
Why wrong: SQL injection involves injecting malicious SQL code into queries via user input. The scenario does not involve any database interactions or SQL commands; it involves instantiating arbitrary classes from user-supplied data, which is characteristic of insecure deserialization, not SQL injection.
B
Cross-site scripting (XSS)
Why wrong: Cross-site scripting (XSS) is a client-side vulnerability where an attacker injects malicious scripts into web pages viewed by other users. This scenario involves server-side code execution through unsafe class instantiation, not injection of scripts into a web page, so XSS is not the correct classification.
C
Insecure deserialization
Correct. Insecure deserialization occurs when an application deserializes untrusted data, allowing an attacker to control serialized objects or, as in this case, the class name to be instantiated. This can lead to remote code execution, denial of service, or privilege escalation.
D
Directory traversal
Why wrong: Directory traversal is an attack that exploits insufficient input validation to access files outside the web root directory. This scenario does not involve file path manipulation; it involves the insecure instantiation of arbitrary classes from untrusted data, which is a deserialization issue.
A security analyst is investigating a phishing campaign that specifically targets senior executives in a company. The emails appear to come from the CEO and request urgent wire transfers to a fraudulent account. Which of the following best describes this type of attack?
A
Whaling
Correct. Whaling specifically targets senior executives or high-value individuals within an organization, often using urgent or authoritative requests to trick them into transferring money or revealing sensitive information.
B
Spear phishing
Why wrong: Spear phishing is a targeted phishing attack aimed at a specific individual or group, but it does not necessarily focus on executives. The attack in the question is specifically directed at senior executives, making whaling a more accurate term.
C
Vishing
Why wrong: Vishing (voice phishing) uses phone calls or voicemail to deceive victims. The described attack uses email, not voice communication.
D
Pharming
Why wrong: Pharming redirects users from legitimate websites to fraudulent ones, typically by exploiting DNS vulnerabilities or installing malware. The attack in the question relies on deceptive emails, not website redirection.
A security analyst discovers that an organization's web application is vulnerable to SQL injection. The application uses a legacy database driver that does not support parameterized queries. Which of the following is the BEST mitigation to prevent this vulnerability?
Trap 1: Implement a web application firewall (WAF) to filter malicious…
A WAF can provide some protection by detecting and blocking common SQL injection patterns, but it is a compensating control and can be bypassed. It does not fix the underlying vulnerability in the application code.
Trap 2: Encode all user input using HTML encoding.
HTML encoding is effective against cross-site scripting (XSS) attacks, but it does not prevent SQL injection because it does not alter how the input is interpreted by the database.
Trap 3: Disable error messages that reveal database schema.
Disabling detailed error messages makes it harder for an attacker to gather information about the database, but it does not prevent the SQL injection attack itself.
A
Implement a web application firewall (WAF) to filter malicious input.
Why wrong: A WAF can provide some protection by detecting and blocking common SQL injection patterns, but it is a compensating control and can be bypassed. It does not fix the underlying vulnerability in the application code.
B
Update the database driver to a version that supports parameterized queries.
Parameterized queries (prepared statements) send the fixed SQL text and the user-supplied values to the database separately, so input is always treated as data and never as part of the query. That is the definitive prevention for SQL injection, and updating the driver so the application can use it is the best long-term mitigation; a WAF can be layered on top while the update is rolled out. Note that parameters cover values only: table or column names taken from user input still need an allowlist.
C
Encode all user input using HTML encoding.
Why wrong: HTML encoding is effective against cross-site scripting (XSS) attacks, but it does not prevent SQL injection because it does not alter how the input is interpreted by the database.
D
Disable error messages that reveal database schema.
Why wrong: Disabling detailed error messages makes it harder for an attacker to gather information about the database, but it does not prevent the SQL injection attack itself.
A security analyst reviews authentication logs and discovers hundreds of failed login attempts from a single external IP address within a five-minute window. All attempts target the same username 'jsmith' but use different passwords. Which type of password attack does this pattern most likely indicate?
Trap 1: Password spraying
Incorrect. Password spraying attempts a single common password against many usernames to avoid lockouts. This scenario targets one username with many passwords.
Trap 2: Credential stuffing
Incorrect. Credential stuffing uses stolen username/password pairs from previous breaches to log in automatically. The attempts here show varying passwords, not reused known credentials.
Trap 3: Dictionary attack
Incorrect. A dictionary attack is a brute-force variant that draws its guesses from a wordlist. The logs show only that hundreds of different passwords were tried against one account, not where those guesses came from, so 'brute force' is the category the evidence supports.
A
Password spraying
Why wrong: Incorrect. Password spraying attempts a single common password against many usernames to avoid lockouts. This scenario targets one username with many passwords.
B
Brute force
Correct. A brute force attack systematically tries many passwords against a single account. The log pattern of hundreds of different passwords for the same username matches this method.
C
Credential stuffing
Why wrong: Incorrect. Credential stuffing uses stolen username/password pairs from previous breaches to log in automatically. The attempts here show varying passwords, not reused known credentials.
D
Dictionary attack
Why wrong: Incorrect. A dictionary attack is a brute-force variant that draws its guesses from a wordlist. The logs show only that hundreds of different passwords were tried against one account, not where those guesses came from, so 'brute force' is the category the evidence supports.
A security analyst discovers that an attacker maintained persistent access to a corporate network for six months, moving laterally between systems and exfiltrating sensitive data. The attacker used custom malware that evaded antivirus and established multiple backdoors. Which of the following best describes this type of threat actor and their campaign?
Trap 1: Insider threat
While insider threats can cause long‑term damage, they originate from individuals with legitimate access (e.g., employees or contractors). The scenario describes an intruder who needed custom malware and multiple backdoors to keep access and moved laterally between systems, not someone abusing access they were already granted. Therefore, this option is incorrect.
Trap 2: Zero‑day exploit
A zero‑day exploit refers to an attack that takes advantage of an unknown vulnerability before a patch is available. While an APT might use a zero‑day exploit as part of its toolkit, the scenario describes the overall campaign (persistence, lateral movement, exfiltration), not a single exploit. Thus, this option is too narrow.
Trap 3: Denial of service (DoS) attack
A DoS attack aims to disrupt service by overwhelming a system with traffic, making resources unavailable. The scenario involves stealthy data theft and long‑term access, not service disruption. Therefore, this option does not apply.
A
Insider threat
Why wrong: While insider threats can cause long‑term damage, they originate from individuals with legitimate access (e.g., employees or contractors). The scenario describes an intruder who needed custom malware and multiple backdoors to keep access and moved laterally between systems, not someone abusing access they were already granted. Therefore, this option is incorrect.
B
Advanced persistent threat (APT)
APT correctly describes a threat actor that establishes a long‑term presence, uses custom malware, and conducts lateral movement and data exfiltration—all of which are present in the scenario. APTs are designed to remain undetected while achieving strategic goals over months or years.
C
Zero‑day exploit
Why wrong: A zero‑day exploit refers to an attack that takes advantage of an unknown vulnerability before a patch is available. While an APT might use a zero‑day exploit as part of its toolkit, the scenario describes the overall campaign (persistence, lateral movement, exfiltration), not a single exploit. Thus, this option is too narrow.
D
Denial of service (DoS) attack
Why wrong: A DoS attack aims to disrupt service by overwhelming a system with traffic, making resources unavailable. The scenario involves stealthy data theft and long‑term access, not service disruption. Therefore, this option does not apply.
A security analyst reviews authentication logs and notices multiple failed login attempts using various usernames from a single IP address over several hours. Eventually, a successful login occurs using a username that had many failed attempts. The organization requires multi-factor authentication (MFA). Which type of attack is most likely indicated by this pattern?
Trap 1: Brute-force attack
Incorrect. A brute-force attack typically targets a single account with many password guesses. The logs show attempts across multiple usernames, not multiple passwords for one user.
Trap 2: Password spraying
Incorrect. Password spraying tries one or two common passwords across many accounts and spaces the attempts out to stay under lockout thresholds. The pattern here, many usernames tried from one source with repeated failures until a username/password pair finally works, fits an attacker replaying known credentials rather than guessing a single password.
Trap 3: Shoulder surfing
Incorrect. Shoulder surfing is an in-person observation technique that would not produce remote login logs from a single IP address. It also would not generate failed attempts.
A
Credential stuffing
Correct. Credential stuffing replays username/password pairs taken from previous breaches. Many pairs fail because the passwords have since been changed, so the logs show failures across many usernames from one source IP, followed by a success when a reused password still works. MFA limits the damage but does not stop the password itself from being validated, and the login can still complete if the attacker also holds a valid session token or otherwise bypasses the second factor.
B
Brute-force attack
Why wrong: Incorrect. A brute-force attack typically targets a single account with many password guesses. The logs show attempts across multiple usernames, not multiple passwords for one user.
C
Password spraying
Why wrong: Incorrect. Password spraying tries one or two common passwords across many accounts and spaces the attempts out to stay under lockout thresholds. The pattern here, many usernames tried from one source with repeated failures until a username/password pair finally works, fits an attacker replaying known credentials rather than guessing a single password.
D
Shoulder surfing
Why wrong: Incorrect. Shoulder surfing is an in-person observation technique that would not produce remote login logs from a single IP address. It also would not generate failed attempts.
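The two log-analysis questions above (the single-account brute force and the multi-account credential stuffing) come down to the same per-source statistics: how many distinct usernames were tried, how many attempts each received, and which accounts later logged in after failures. The following is an added example, not part of the original question set, that computes those statistics over constructed log lines. The log format, the source addresses, and the three thresholds are assumptions; in a real deployment the thresholds come from your lockout policy and baseline. Note what the fields can and cannot tell you: the log records who was tried, not which password, so spraying and credential stuffing look the same here and are separated with other evidence.

```python
"""Classify failed-login patterns from authentication logs (constructed sample lines)."""
import re
from collections import Counter, defaultdict

# Assumed log format; adapt the regex to your identity provider's fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Hypothetical thresholds; tune to your environment's lockout policy and baseline.
BRUTE_FORCE_MIN_ATTEMPTS = 10     # many guesses against one account
MULTI_ACCOUNT_MIN_USERS = 5       # attempts spread across many accounts
MULTI_ACCOUNT_MAX_PER_USER = 3    # ...with only a few tries per account

# Constructed sample 1: one source hammers one account inside a five-minute window.
BRUTE_FORCE_LINES = [
    f"2024-05-01T10:00:{i:02d}Z src=203.0.113.5 user=jsmith result=FAIL" for i in range(12)
]

# Constructed sample 2: one source walks through many accounts, one try each,
# until a replayed pair succeeds for 'bob'.
MULTI_ACCOUNT_LINES = [
    "2024-05-01T11:00:00Z src=198.51.100.7 user=alice result=FAIL",
    "2024-05-01T11:20:00Z src=198.51.100.7 user=bob result=FAIL",
    "2024-05-01T11:40:00Z src=198.51.100.7 user=carol result=FAIL",
    "2024-05-01T12:00:00Z src=198.51.100.7 user=dave result=FAIL",
    "2024-05-01T12:20:00Z src=198.51.100.7 user=erin result=FAIL",
    "2024-05-01T12:40:00Z src=198.51.100.7 user=bob result=OK",
]


def parse(lines):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(lines):
    """Return {source_ip: (pattern, [accounts that logged in after failing])}."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev["src"]].append(ev)

    report = {}
    for src, events in by_src.items():
        failures = Counter(ev["user"] for ev in events if ev["result"] == "FAIL")
        successes = {ev["user"] for ev in events if ev["result"] == "OK"}
        # A success on an account that this source failed against earlier is the
        # account-takeover signal, whatever the guessing technique was.
        compromised = sorted(u for u in successes if failures[u] > 0)

        if not failures:
            pattern = "no failed logins"
        elif len(failures) == 1 and sum(failures.values()) >= BRUTE_FORCE_MIN_ATTEMPTS:
            pattern = "brute force (many passwords, one account)"
        elif (len(failures) >= MULTI_ACCOUNT_MIN_USERS
              and max(failures.values()) <= MULTI_ACCOUNT_MAX_PER_USER):
            # The password is not logged, so one common password (spraying)
            # and breached pairs (credential stuffing) are indistinguishable here.
            pattern = "multi-account (password spraying or credential stuffing)"
        else:
            pattern = "no known pattern"
        report[src] = (pattern, compromised)
    return report


if __name__ == "__main__":
    for sample in (BRUTE_FORCE_LINES, MULTI_ACCOUNT_LINES):
        for src, (pattern, compromised) in classify_sources(sample).items():
            print(f"{src}: {pattern}; accounts to reset: {compromised or 'none'}")
```

The first sample classifies as single-account brute force with nothing compromised; the second classifies as multi-account activity and names `bob` as the account that needs a forced reset and session revocation. Separating spraying from stuffing needs evidence beyond these fields, such as the submitted passwords being identical across accounts, or the pairs matching a known breach corpus.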
A security analyst receives an alert from the email security gateway about a message sent to an employee. The email has an attachment named 'Invoice_Q4_2024.exe'. The employee claims they did not open the attachment, and the email appears to come from a known vendor's domain but the sender address has a slight typo. Which type of attack is most likely being attempted?
Trap 1: Spear phishing
Spear phishing is a targeted version of phishing aimed at a specific individual or organization. While the email is sent to an employee, the question does not provide evidence of tailored content or reconnaissance, so the broader category 'phishing' is more appropriate.
Trap 2: Smishing
Smishing (SMS phishing) uses text messages rather than email. Since the attack vector is email, smishing does not apply.
Trap 3: Vishing
Vishing (voice phishing) uses phone calls or voicemail messages. The attack described involves an email attachment, so vishing is not correct.
A
Spear phishing
Why wrong: Spear phishing is a targeted version of phishing aimed at a specific individual or organization. While the email is sent to an employee, the question does not provide evidence of tailored content or reconnaissance, so the broader category 'phishing' is more appropriate.
B
Phishing
Phishing is a social engineering attack that uses deceptive emails and malicious attachments to trick recipients into executing malware or revealing sensitive information. The typo-squatted sender address and executable attachment are classic indicators of a phishing attempt.
C
Smishing
Why wrong: Smishing (SMS phishing) uses text messages rather than email. Since the attack vector is email, smishing does not apply.
D
Vishing
Why wrong: Vishing (voice phishing) uses phone calls or voicemail messages. The attack described involves an email attachment, so vishing is not correct.
A security analyst notices that several employees have received an email with the subject line 'Urgent: Password Reset Required'. The email contains a link to a website that mimics the company's internal login portal. The email was sent from an external domain and addresses recipients by 'Dear Employee' rather than their actual names. Which type of social engineering attack is being described?
Trap 1: Spear phishing
Spear phishing is a targeted form of phishing that uses personalized information (e.g., the recipient's name) to increase credibility. The email in the scenario uses a generic greeting, indicating it is not tailored to specific individuals.
Trap 2: Vishing
Vishing (voice phishing) is conducted via phone calls or voicemail, not email. The attack described uses email as the vector.
Trap 3: Tailgating
Tailgating is a physical security breach where an attacker follows an authorized person into a restricted area without proper authentication. This scenario involves digital deception, not physical access.
A
Spear phishing
Why wrong: Spear phishing is a targeted form of phishing that uses personalized information (e.g., the recipient's name) to increase credibility. The email in the scenario uses a generic greeting, indicating it is not tailored to specific individuals.
B
Phishing
Phishing is a broad social engineering technique that uses mass emails to trick users into divulging credentials or clicking malicious links. The generic greeting and external sender domain are consistent with a typical phishing attempt.
C
Vishing
Why wrong: Vishing (voice phishing) is conducted via phone calls or voicemail, not email. The attack described uses email as the vector.
D
Tailgating
Why wrong: Tailgating is a physical security breach where an attacker follows an authorized person into a restricted area without proper authentication. This scenario involves digital deception, not physical access.
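The two phishing scenarios above each rest on a handful of mechanical indicators: a sender domain that is a typo or brand-lookalike of a trusted one, an executable attachment, a generic greeting, and a link whose host mimics the company's own portal. The following is an added example, not part of the original question set, that checks a parsed message for those indicators. The organisation domain, the vendor list, the two constructed messages, and the edit-distance cutoff of two are assumptions for the demonstration; a production gateway would use its real vendor allowlist and homoglyph tables as well.

```python
"""Flag lookalike-sender, executable-attachment and generic-greeting indicators in e-mail."""
import re

# Assumed organisation context (hypothetical domains).
COMPANY_DOMAIN = "example-corp.com"
TRUSTED_VENDOR_DOMAINS = {"acme-supplies.com"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "msi"}
GENERIC_GREETING = re.compile(r"^\s*dear\s+(employee|customer|user|colleague)\b", re.I)

# Constructed sample 1: invoice lure from a one-letter typo of a known vendor.
SAMPLE_VENDOR_TYPO = {
    "from": "billing@acme-suplies.com",
    "greeting": "Hi Dana,",
    "attachments": ["Invoice_Q4_2024.exe"],
    "links": [],
}
# Constructed sample 2: mass password-reset lure pointing at a fake portal.
SAMPLE_PASSWORD_RESET = {
    "from": "it-support@mail-notice.net",
    "greeting": "Dear Employee,",
    "attachments": [],
    "links": ["example-corp-login.com"],
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a value of 1 or 2 between domains is a typo-squat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str, trusted: str) -> bool:
    host, trusted = host.lower(), trusted.lower()
    if host == trusted or host.endswith("." + trusted):
        return False                       # the real domain or one of its subdomains
    if levenshtein(host, trusted) <= 2:
        return True                        # typo-squat: one or two edits away
    brand = trusted.split(".")[0]
    return brand in host                   # brand label embedded in an unrelated domain


def indicators(msg: dict) -> list:
    """msg has 'from', 'greeting', 'attachments' (file names) and 'links' (hosts)."""
    found = []
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    if sender_domain != COMPANY_DOMAIN and sender_domain not in TRUSTED_VENDOR_DOMAINS:
        found.append("external sender domain")
    for trusted in sorted(TRUSTED_VENDOR_DOMAINS | {COMPANY_DOMAIN}):
        if is_lookalike(sender_domain, trusted):
            found.append(f"sender domain {sender_domain} mimics {trusted}")
    for name in msg.get("attachments", []):
        # Last suffix decides what the OS runs, so 'report.pdf.exe' is still an executable.
        if name.lower().rsplit(".", 1)[-1] in EXECUTABLE_EXTENSIONS:
            found.append(f"executable attachment {name}")
    if GENERIC_GREETING.match(msg.get("greeting", "")):
        found.append("generic greeting")
    for host in msg.get("links", []):
        if is_lookalike(host, COMPANY_DOMAIN):
            found.append(f"link host {host} mimics {COMPANY_DOMAIN}")
    return found


if __name__ == "__main__":
    for sample in (SAMPLE_VENDOR_TYPO, SAMPLE_PASSWORD_RESET):
        print(sample["from"], "->", indicators(sample) or "no indicators")
```

These are indicators to score, not a verdict: a legitimate vendor sending from an unexpected domain also trips "external sender domain". The lookalike test is deliberately two-sided, catching both the one-letter typo in the invoice case and the brand label buried in a longer domain in the password-reset case.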
A security analyst receives an alert about a user account attempting to access multiple network shares in rapid succession within a short time frame. The analyst reviews the logs and sees that the IP address originates from the internal network, but the user is currently on leave. Which type of attack is most likely occurring?
Trap 1: Pass-the-hash attack
Pass-the-hash attacks reuse captured password hashes to authenticate to other systems, but the described behavior of rapidly accessing multiple network shares suggests active probing after access is already obtained, not the reuse of hashes.
Trap 2: Brute-force attack
Brute-force attacks involve repeated attempts to guess a password. In this scenario, the account is already authenticated, and the activity is post-authentication, not password guessing.
Trap 3: Credential stuffing attack
Credential stuffing uses lists of stolen usernames and passwords from other breaches to gain access. While it could result in account compromise, the rapid share enumeration after access indicates a different phase of attack.
A
Pass-the-hash attack
Why wrong: Pass-the-hash attacks reuse captured password hashes to authenticate to other systems, but the described behavior of rapidly accessing multiple network shares suggests active probing after access is already obtained, not the reuse of hashes.
B
Brute-force attack
Why wrong: Brute-force attacks involve repeated attempts to guess a password. In this scenario, the account is already authenticated, and the activity is post-authentication, not password guessing.
C
Credential stuffing attack
Why wrong: Credential stuffing uses lists of stolen usernames and passwords from other breaches to gain access. While it could result in account compromise, the rapid share enumeration after access indicates a different phase of attack.
D
Internal reconnaissance
Internal reconnaissance involves an attacker who has already compromised a system and is now scanning internal resources to identify valuable data or further targets. The rapid access to multiple network shares aligns with this activity.
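The scenario above is detectable from two signals that are cheap to compute: how many distinct shares one account touches inside a short window, and whether that account should be active at all. The following is an added example, not part of the original question set, that runs a sliding-window count over constructed share-access events and enriches each hit with an HR leave list. The window, the threshold, the server and share names, and the leave feed are assumptions; in practice the events come from file-server audit logs or a SIEM.

```python
"""Flag rapid access to many distinct network shares by one account (constructed events)."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # hypothetical detection window
MAX_DISTINCT_SHARES = 5          # hypothetical: more than this per window is unusual
ON_LEAVE = {"jsmith"}            # hypothetical HR feed of accounts that should be idle

# Constructed share-access events: (ISO timestamp, user, source IP, share).
SHARES = ["finance", "hr", "legal", "engineering", "backups", "it-admin", "payroll", "exec"]
EVENTS = [
    (f"2024-05-01T09:00:{2 * i:02d}", "jsmith", "10.0.5.23", "\\\\fs01\\" + s)
    for i, s in enumerate(SHARES)
] + [
    ("2024-05-01T09:05:00", "alice", "10.0.7.41", "\\\\fs01\\engineering"),
    ("2024-05-01T10:05:00", "alice", "10.0.7.41", "\\\\fs01\\hr"),
]


def find_share_enumeration(events):
    """Return one alert per user whose distinct-share count exceeds the threshold in a window."""
    by_user = defaultdict(list)
    for ts, user, src, share in events:
        by_user[user].append((datetime.fromisoformat(ts), src, share))

    alerts = []
    for user, rows in by_user.items():
        rows.sort()
        # Slide a window starting at each event and count distinct shares inside it.
        for i, (start, src, _) in enumerate(rows):
            shares = {share for t, _, share in rows[i:] if t - start <= WINDOW}
            if len(shares) > MAX_DISTINCT_SHARES:
                alerts.append({
                    "user": user,
                    "src": src,
                    "distinct_shares": len(shares),
                    "window_start": start.isoformat(),
                    # Context that turns "busy user" into "compromised account".
                    "on_leave": user in ON_LEAVE,
                })
                break   # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_share_enumeration(EVENTS):
        print(alert)
```

Only `jsmith` trips the rule: eight shares in fourteen seconds from a single internal address, flagged `on_leave`, which is the combination the question describes. `alice` touches two shares an hour apart and produces nothing, which is why the rate of distinct resources, not the total count, is what the rule measures.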
A security analyst receives a phone call from an individual claiming to be a member of the IT help desk. The caller states that an emergency security update requires the analyst's password immediately, and the request sounds urgent. The analyst notices the caller's voice is unfamiliar and the background noise is inconsistent with an office environment. Which type of social engineering attack is being attempted?
Trap 1: Phishing
Phishing is a social engineering technique carried out via email or malicious websites, not over voice calls. This attack uses a phone call, so it is not phishing.
Trap 2: Spear phishing
Spear phishing is a targeted email attack directed at a specific individual or organization, often using personal details. This scenario involves a phone call, not email, so it is not spear phishing.
Trap 3: Pretexting
Pretexting involves creating a fabricated scenario (pretext) to obtain information, but it is a broader category that can be carried out via phone, email, or in person. However, when the attack is specifically conducted through a voice call, vishing is the more precise term used in cybersecurity. Pretexting is not incorrect in theory, but vishing is the standard classification for voice-based social engineering.
A
Phishing
Why wrong: Phishing is a social engineering technique carried out via email or malicious websites, not over voice calls. This attack uses a phone call, so it is not phishing.
B
Vishing
Vishing (voice phishing) is the correct answer because the attack uses a phone call to impersonate a legitimate entity and trick the victim into providing sensitive information, such as a password. Manufactured urgency, impersonation of a trusted internal team such as the help desk, and a direct request for credentials are classic vishing tactics; the unfamiliar voice and out-of-place background noise are the cues that exposed it.
C
Spear phishing
Why wrong: Spear phishing is a targeted email attack directed at a specific individual or organization, often using personal details. This scenario involves a phone call, not email, so it is not spear phishing.
D
Pretexting
Why wrong: Pretexting involves creating a fabricated scenario (pretext) to obtain information, but it is a broader category that can be carried out via phone, email, or in person. However, when the attack is specifically conducted through a voice call, vishing is the more precise term used in cybersecurity. Pretexting is not incorrect in theory, but vishing is the standard classification for voice-based social engineering.
A security analyst is investigating a web application that allows users to input a filename to view its contents. The application passes the user input directly to a system command without sanitization. An attacker submits the input 'file.txt; cat /etc/passwd' and successfully retrieves the contents of the password file. Which type of attack occurred?
Trap 1: Cross-site scripting (XSS)
Cross-site scripting involves injecting malicious scripts into a web application that execute in a victim's browser. It does not allow direct execution of system commands on the server.
Trap 2: SQL injection
SQL injection targets database queries by inserting malicious SQL statements. The scenario involves system command execution, not database manipulation.
Trap 3: Directory traversal
Directory traversal attacks exploit insufficient path sanitization to access files outside the intended directory. While it deals with file access, it does not involve executing system commands or chaining multiple commands.
A
Cross-site scripting (XSS)
Why wrong: Cross-site scripting involves injecting malicious scripts into a web application that execute in a victim's browser. It does not allow direct execution of system commands on the server.
B
SQL injection
Why wrong: SQL injection targets database queries by inserting malicious SQL statements. The scenario involves system command execution, not database manipulation.
C
Command injection
Command injection allows an attacker to execute arbitrary system commands by exploiting unsanitized input passed to system calls. The use of a semicolon to chain a second command is a classic indicator of this attack; other shell metacharacters such as |, &&, backticks and $(...) work the same way.
D
Directory traversal
Why wrong: Directory traversal attacks exploit insufficient path sanitization to access files outside the intended directory. While it deals with file access, it does not involve executing system commands or chaining multiple commands.
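The vulnerable pattern in the question, and the fix, in runnable form. This is an added example, not part of the original question set: a file viewer that interpolates the filename into a shell command next to a hardened version that allowlists the name, confines the resolved path, and invokes the program without a shell. The temporary directory, the sample file, and the `echo INJECTED` payload (standing in for `cat /etc/passwd` so the demonstration stays harmless) are assumptions; it expects a POSIX `sh` and `cat` on the host.

```python
"""Command injection: shell string interpolation next to a hardened file viewer."""
import re
import subprocess
import tempfile
from pathlib import Path

# Allowlist for the filename parameter: no spaces, separators or shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


def view_file_vulnerable(filename: str, base_dir: str) -> str:
    # VULNERABLE: the input is interpolated into a command string and handed to
    # /bin/sh, so ';', '|', '&&', '$()' and backticks in the input run as commands.
    result = subprocess.run(
        f"cat {filename}", shell=True, cwd=base_dir, capture_output=True, text=True
    )
    return result.stdout


def view_file_hardened(filename: str, base_dir: str) -> str:
    # 1. Validate against an allowlist rather than trying to strip bad characters.
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    # 2. Confine the resolved path to base_dir (catches '..', which the regex allows).
    base = Path(base_dir).resolve()
    target = (base / filename).resolve()
    if target.parent != base or not target.is_file():
        raise ValueError(f"path escapes base directory or is not a file: {filename!r}")
    # 3. No shell: an argv list delivers the filename to cat as one argument,
    #    so nothing in it is ever parsed as command syntax.
    result = subprocess.run(
        ["cat", str(target)], shell=False, capture_output=True, text=True, check=True
    )
    return result.stdout


def demo() -> dict:
    # Constructed environment: a temp directory holding one legitimate file.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "file.txt").write_text("hello\n")
        payload = "file.txt; echo INJECTED"   # same shape as 'file.txt; cat /etc/passwd'
        vulnerable_output = view_file_vulnerable(payload, d)
        blocked = {}
        for bad in (payload, "../etc/passwd", ".."):
            try:
                view_file_hardened(bad, d)
                blocked[bad] = False
            except ValueError:
                blocked[bad] = True
        legitimate_output = view_file_hardened("file.txt", d)
    return {
        "vulnerable_output": vulnerable_output,
        "blocked": blocked,
        "legitimate_output": legitimate_output,
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable viewer prints the file and then `INJECTED`, proving the second command ran; the hardened viewer rejects the same payload, the traversal attempts, and still serves the legitimate file. If the program only ever needs to return file contents, the better fix is to drop the subprocess entirely and read the validated path with `Path.read_text()`; the argv form is shown because it is the correct way to invoke a command when one is genuinely required.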
What does the SY0-701 exam test about Threats, Vulnerabilities, and Mitigations?
Threats, Vulnerabilities & Mitigations covers the identification of various attack types (e.g., phishing, ransomware), the weaknesses they exploit (vulnerabilities like unpatched software), and the controls (mitigations) to prevent or reduce damage, such as firewalls, encryption, and security policies.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Threats, Vulnerabilities, and Mitigations questions in a focused session?
Yes — the session launcher on this page draws every question from the Threats, Vulnerabilities, and Mitigations domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SY0-701 topics?
Use the topic links above to move to related areas, or go back to the SY0-701 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SY0-701 exam covers. They are not copied from any real exam or dump site.