CCNA SSCP Systems App Security Questions

74 questions · SSCP Systems App Security topic · All types, answers revealed

1
MCQ · medium

A cloud security team wants to continuously monitor for misconfigured cloud resources that could expose data. Which tool category is specifically designed for this purpose?

A. Cloud Workload Protection Platform (CWPP)
B. Identity and Access Management (IAM)
C. Cloud Security Posture Management (CSPM)
D. Web Application Firewall (WAF)
Answer: C

CSPM automatically identifies cloud misconfigurations.

Why this answer

CSPM (Cloud Security Posture Management) tools detect misconfigurations like open storage buckets or overly permissive IAM roles. CWPP focuses on runtime workload protection. WAF protects web apps.

IAM manages identities, not configuration monitoring.

2
MCQ · easy

A company is implementing application whitelisting on all endpoints. Which of the following is a primary consideration for maintaining operational efficiency?

A. Ensuring that all users have local administrator rights
B. Deploying a host-based firewall on each endpoint
C. Establishing a process to add approved applications to the whitelist
D. Disabling Windows Defender Antivirus to reduce resource usage
Answer: C

A change management process ensures new applications can be whitelisted without delay.

Why this answer

Application whitelisting requires a process for updating the whitelist when new legitimate software is needed; otherwise, users may be blocked from necessary applications.

3
MCQ · easy

An organization uses Infrastructure as a Service (IaaS) in the public cloud. Which of the following security responsibilities is the customer responsible for?

A. Network infrastructure security
B. Hypervisor security and patching
C. Operating system security and patch management
D. Physical security of the data center
Answer: C

In IaaS, the customer manages the OS, including patching and hardening.

Why this answer

In the IaaS shared responsibility model, the cloud provider manages the physical infrastructure, while the customer is responsible for securing the operating system, applications, and data.

4
Multi-Select · easy

A system administrator is applying CIS Benchmarks to a Windows server. Which TWO hardening measures are typically recommended by CIS? (Select TWO.)

Select 2 answers
A. Enable all Windows features by default
B. Disable audit logging
C. Enforce strong password policies
D. Disable unused services
E. Allow anonymous enumeration of SAM accounts
Answers: C, D

Password complexity and length.

Why this answer

CIS benchmarks recommend disabling unnecessary services and enforcing password policies.

5
MCQ · hard

An organization using PaaS (Platform as a Service) for application hosting wants to ensure the application code is secure. Which of the following is the customer's responsibility under the shared responsibility model?

A. Physical security of the data center
B. Patching the web server runtime
C. Patching the underlying operating system
D. Securing the application code from SQL injection
Answer: D

Application-level security is the customer's responsibility.

Why this answer

In PaaS, the provider manages the platform (OS, runtime), and the customer is responsible for the application code and data. Patching the runtime is the provider's duty. Database backup may be partially shared, but application code security is always the customer's.

6
MCQ · hard

An organization is migrating a legacy application to a PaaS cloud environment. According to the shared responsibility model, which security control is the organization still responsible for?

A. Configuring the network firewall at the cloud perimeter
B. Securing the application code against SQL injection
C. Patching the underlying operating system
D. Managing the hypervisor and virtualization layer
Answer: B

Application security, including code vulnerabilities, is the customer's responsibility.

Why this answer

In PaaS, the provider manages the runtime, middleware, and OS; the customer is responsible for application-level security, including code and data.

7
MCQ · hard

A cloud security team is using Cloud Security Posture Management (CSPM) to identify misconfigurations. Which of the following scenarios is MOST likely to be detected by CSPM?

A. An application running on a cloud VM has a memory leak causing performance degradation
B. A cloud storage bucket is configured with public read access
C. A cloud-based database is experiencing slow query response times
D. An employee's credentials were used from an unusual geographic location
Answer: B

Publicly accessible buckets are a common misconfiguration detected by CSPM.

Why this answer

CSPM tools scan cloud environments for misconfigurations like publicly accessible storage buckets, excessive permissions, etc. An open S3 bucket is a classic misconfiguration.

8
MCQ · easy

Which Windows feature provides mandatory integrity controls and helps prevent unauthorized changes to system settings by requiring administrator approval?

A. Windows Defender Application Control
B. Security Audit Policy
C. User Account Control (UAC)
D. Group Policy
Answer: C

UAC prompts for approval for administrative actions.

Why this answer

User Account Control (UAC) prompts for consent or credentials before allowing actions that require administrative privileges, helping to prevent unauthorized changes.

9
MCQ · hard

A security analyst notices that a Linux server has an unusual number of failed login attempts for the root account. To strengthen authentication security while preserving administrative access, which of the following configurations would be most effective?

A. Configure SELinux to enforce mandatory access control on the /etc/shadow file
B. Implement account lockout via PAM module pam_tally2
C. Change the root password every 30 days
D. Disable root login entirely and require sudo for all administrative tasks
Answer: B

pam_tally2 locks the account after a configurable number of failed attempts, directly addressing brute-force attacks.

Why this answer

PAM (Pluggable Authentication Modules) can enforce account lockout after a number of failed attempts. This mitigates brute-force attacks while allowing legitimate administrators to unlock accounts if needed.

10
MCQ · medium

A company uses virtualization extensively. The security team discovers that developers have created many unmanaged virtual machines that are not tracked in the configuration management database (CMDB). Which risk is MOST directly associated with this situation?

A. VM escape
B. VM sprawl
C. Snapshot vulnerability reintroduction
D. Insecure hypervisor configuration
Answer: B

Unmanaged VMs accumulating is known as VM sprawl.

Why this answer

VM sprawl refers to the proliferation of unmanaged VMs, increasing attack surface and management complexity.

11
MCQ · medium

A system administrator is configuring a Linux server to ensure that only authorized users can execute commands with superuser privileges. Which file should be edited to control sudo access?

A. /etc/shadow
B. /etc/passwd
C. /etc/group
D. /etc/sudoers
Answer: D

Controls sudo permissions.

Why this answer

The /etc/sudoers file defines which users can run commands with elevated privileges.

12
MCQ · medium

A system administrator is hardening a Linux server. After installing the OS, which of the following steps should be taken to ensure that only authorized users can execute commands with elevated privileges?

A. Edit the /etc/sudoers file to restrict sudo access
B. Enable auditd to log all commands
C. Configure PAM to enforce password complexity
D. Set the setuid bit on critical binaries
Answer: A

Restricting sudo access ensures only authorized users can elevate privileges.

Why this answer

The /etc/sudoers file controls which users can run commands as root via sudo. Proper configuration is essential for privilege escalation control.

13
MCQ · medium

A Linux server is being hardened. The security team wants to enforce mandatory access control policies that confine processes to limited access to files and resources. Which technology should be implemented?

A. SELinux
B. PAM
C. iptables
D. auditd
Answer: A

SELinux provides mandatory access control.

Why this answer

SELinux enforces mandatory access control (MAC) policies, confining processes.

14
MCQ · medium

A company deploys a web application and wants to protect against SQL injection and XSS attacks. Which security control is specifically designed to inspect HTTP traffic and block such attacks?

A. Intrusion Detection System (IDS)
B. Network segmentation
C. Web Application Firewall (WAF)
D. Host-based firewall
Answer: C

WAF inspects application-layer traffic and blocks malicious requests.

Why this answer

A Web Application Firewall (WAF) filters and monitors HTTP traffic between a web application and the Internet, commonly used to block OWASP Top 10 attacks like SQL injection and XSS.

15
MCQ · medium

A Linux administrator needs to configure access controls so that a specific user can run certain commands with root privileges without entering a password. Which configuration file should be modified?

A. /etc/shadow
B. /etc/passwd
C. /etc/sudoers
D. /etc/security/limits.conf
Answer: C

sudoers defines sudo permissions.

Why this answer

The /etc/sudoers file controls sudo permissions. By adding an appropriate entry, the administrator can grant passwordless sudo access to specific commands.

16
MCQ · medium

An organization is experiencing VM sprawl, with many unmanaged virtual machines running in the environment. Which of the following is the most significant security risk associated with VM sprawl?

A. Unpatched and misconfigured VMs
B. License compliance violations
C. Increased power consumption and cooling costs
D. VM escape attacks from older hypervisors
Answer: A

Unmanaged VMs are often forgotten, leading to security gaps.

Why this answer

Unmanaged VMs often lack proper patching and configuration management, leading to unpatched vulnerabilities that can be exploited.

17
MCQ · hard

A security architect is reviewing cloud security for a SaaS application used by the company. According to the shared responsibility model, which security controls are PRIMARILY the customer's responsibility?

A. Data classification and user access management
B. Network infrastructure security
C. Physical security of data centers
D. Operating system patching
Answer: A

Customer manages data and who accesses it.

Why this answer

In SaaS, the customer is responsible for data classification and managing user access (IAM).

18
Multi-Select · medium

A company is migrating to the cloud and wants to understand the shared responsibility model. For an IaaS deployment, which THREE are customer responsibilities? (Select THREE.)

Select 3 answers
A. Managing application security (e.g., patching web app code)
B. Configuring the host-based firewall on VMs
C. Patching the guest operating system
D. Physical security of the data center
E. Securing the hypervisor
Answers: A, B, C

Customer manages applications.

Why this answer

In IaaS, the customer manages the guest OS, the applications, and network traffic controls such as the guest OS firewall.

19
MCQ · hard

An organization using AWS IAM wants to grant an EC2 instance permissions to access an S3 bucket without storing long-term credentials on the instance. Which IAM feature should be used?

A. IAM role for EC2
B. Service control policies (SCPs)
C. IAM user access keys
D. Resource-based policies on S3
Answer: A

Roles provide temporary credentials via instance metadata.

Why this answer

IAM roles for EC2 instances allow the instance to assume a role and obtain temporary credentials from STS, avoiding the need for long-term keys.

20
MCQ · medium

To prevent VM escape attacks in a virtualized environment, which of the following is the most critical security measure?

A. Disable unnecessary VM guest tools
B. Apply the latest patches to the hypervisor
C. Use VLAN segmentation for VM networks
D. Use snapshots for quick recovery
Answer: B

Patching fixes known vulnerabilities that could be used for VM escape.

Why this answer

VM escape exploits vulnerabilities in the hypervisor to break isolation. Regularly patching the hypervisor addresses known vulnerabilities. Disabling guest tools reduces attack surface but may impact functionality.

VLAN segmentation and snapshots do not prevent escape.

21
Multi-Select · medium

A security engineer is hardening a Windows server. Which TWO actions should be taken to reduce the attack surface? (Select TWO.)

Select 2 answers
A. Increase the number of active user accounts for auditing
B. Enable auto-run for removable media to improve user convenience
C. Disable unnecessary services and accounts
D. Apply the latest security patches
E. Install additional third-party software for monitoring
Answers: C, D

Reducing the number of services and accounts minimizes potential entry points.

Why this answer

Removing unnecessary accounts and services, and applying patches are core hardening steps. Disabling auto-run prevents malware from executing automatically.

22
MCQ · medium

During a security assessment, it is discovered that a Linux server has unnecessary services running, including Telnet and FTP. The server is also missing critical security patches. Which of the following is the MOST effective approach to harden this server according to industry best practices?

A. Move the server to a more secure network segment and implement network access controls.
B. Enable SELinux and configure a host-based firewall using iptables.
C. Install a host-based intrusion detection system (HIDS) to monitor for attacks.
D. Disable Telnet and FTP services, and apply all critical security patches.
Answer: D

Disabling unnecessary services and patching are fundamental hardening steps.

Why this answer

System hardening involves removing unnecessary services, applying patches, and following benchmarks like CIS or DISA STIGs. Disabling Telnet and FTP and applying all critical patches directly addresses the discovered issues.

23
MCQ · easy

In Linux, which command is used to change file permissions to restrict access so that only the owner can read and write, and the group and others have no access?

A. chmod 600 file.txt
B. chown 600 file.txt
C. umask 077 file.txt
D. setfacl -m u::rw file.txt
Answer: A

chmod 600 sets owner rw, group and others nothing.

Why this answer

The chmod command changes file permissions. The octal mode 600 sets read/write for owner, no permissions for group and others.

24
MCQ · easy

Which of the following OWASP Top 10 vulnerabilities involves an attacker sending malicious data to an interpreter as part of a command or query?

A. Security Misconfiguration
B. Injection
C. Broken Authentication
D. Cross-Site Scripting (XSS)
Answer: B

Injection includes SQL, OS, and LDAP injection attacks.

Why this answer

Injection attacks, such as SQL injection, occur when untrusted data is sent to an interpreter. Broken Authentication refers to flaws in auth mechanisms. XSS injects scripts into web pages.

Security misconfiguration involves improper setup.

25
MCQ · hard

During a vulnerability scan, a security team discovers that several virtual machine snapshots contain outdated software with known vulnerabilities. Which risk is most directly associated with this scenario?

A. Resource exhaustion
B. VM sprawl
C. Vulnerability reintroduction
D. VM escape
Answer: C

Outdated snapshots can reintroduce old vulnerabilities when deployed.

Why this answer

VM snapshots, if left inactive and not patched, can reintroduce vulnerabilities when the snapshot is used to provision new VMs, as the software is outdated.

26
Multi-Select · medium

An organization is hardening a Linux server. Which TWO of the following are effective steps to reduce the attack surface?

Select 2 answers
A. Disable SELinux for better performance
B. Install all available packages to ensure compatibility
C. Remove unnecessary services and software packages
D. Set file permissions using chmod and chown to restrict access
E. Enable the root account for direct login
Answers: C, D

This reduces the number of potential vulnerabilities.

Why this answer

Removing unnecessary services and software reduces potential vulnerabilities. Proper file permissions using chmod and chown enforce least privilege.

27
MCQ · medium

A cloud security team is implementing a Cloud Security Posture Management (CSPM) tool. What is the primary purpose of a CSPM solution?

A. Manage user identities and access
B. Protect workloads from runtime threats
C. Encrypt data at rest
D. Detect and remediate cloud misconfigurations
Answer: D

CSPM focuses on configuration and compliance.

Why this answer

CSPM tools automate the detection of misconfigurations and compliance violations in cloud environments.

28
Multi-Select · hard

A company is migrating to a PaaS cloud environment. According to the shared responsibility model, which THREE security responsibilities remain with the customer? (Select THREE.)

Select 3 answers
A. Patch management of the underlying OS
B. User access and identity management
C. Data classification and encryption
D. Security of the application code
E. Physical security of the data center
Answers: B, C, D

Customers manage their own users and identities.

Why this answer

In PaaS, the customer manages access policies, application-level security, and data protection, while the provider manages the runtime, OS, and infrastructure.

29
Multi-Select · easy

A Linux administrator is hardening a server. Which TWO commands are used to manage file permissions? (Select TWO.)

Select 2 answers
A. usermod
B. passwd
C. groupadd
D. chmod
E. chown
Answers: D, E

Modifies file permissions.

Why this answer

chmod changes permissions (read/write/execute); chown changes ownership.

30
MCQ · medium

A security analyst is reviewing Linux server logs after a suspected breach. Which auditing tool should be used to examine detailed records of system calls and file access events?

A. SELinux
B. PAM
C. auditd
D. iptables
Answer: C

auditd logs security-relevant events like system calls and file accesses.

Why this answer

auditd is the Linux audit daemon that logs system calls, file access, and security events. PAM manages authentication, iptables is a firewall, and SELinux enforces MAC policies but does not log all system calls.

31
MCQ · hard

A company uses Infrastructure as a Service (IaaS) for its production workloads. According to the shared responsibility model, which of the following security tasks is the customer responsible for?

A. Patching the hypervisor
B. Physical security of data centers
C. Securing the network infrastructure
D. Patching the guest operating system
Answer: D

The customer manages OS patches on their VMs.

Why this answer

In IaaS, the provider secures the physical infrastructure and hypervisor, while the customer secures the operating system, applications, and data. The customer is responsible for OS patch management. The provider handles physical security, hypervisor patching, and network infrastructure.

32
MCQ · hard

An organization uses VMware ESXi in a production environment. Which of the following is the most effective mitigation against VM escape attacks?

A. Using VM snapshots for quick recovery
B. Implementing network segmentation between VMs
C. Regularly patching the ESXi hypervisor
D. Disabling unnecessary guest tools within VMs
Answer: C

Patching addresses vulnerabilities that could be exploited for VM escape.

Why this answer

VM escape attacks exploit hypervisor vulnerabilities. Keeping the hypervisor patched is the primary defense, as it closes known vulnerabilities that could be used for escape.

33
MCQ · easy

Which of the following is a primary security concern when using VM snapshots in a virtualized environment?

A. Snapshots can be used to bypass authentication
B. Snapshots may contain unpatched vulnerabilities if not regularly updated
C. Snapshots can be exported and stolen
D. Snapshots consume excessive storage space
Answer: B

Reverting to an old snapshot can re-expose the system to known vulnerabilities.

Why this answer

VM snapshots capture the state at a point in time. If the snapshot is not updated with patches, reverting to it can reintroduce vulnerabilities that were previously fixed.

34
Multi-Select · medium

A security engineer is hardening a Linux server. Which TWO actions are recommended to reduce the attack surface? (Select TWO.)

Select 2 answers
A. Remove unnecessary services and daemons
B. Disable unused user accounts
C. Install a web server for management
D. Set umask to 000
E. Enable IPv6 routing
Answers: A, B

Reduces attack surface by eliminating unused services.

Why this answer

Removing unnecessary services and disabling unused accounts reduce the number of potential entry points for attackers.

35
MCQ · easy

An organization is hardening a new Windows server for production use. Which of the following is the most effective method to ensure that only approved applications can run?

A. Enable BitLocker drive encryption
B. Enable User Account Control (UAC)
C. Configure AppLocker or Windows Defender Application Control
D. Install Windows Defender Antivirus
Answer: C

AppLocker and WDAC enforce whitelisting of approved applications.

Why this answer

AppLocker or Windows Defender Application Control (WDAC) provide application whitelisting, ensuring only approved executables, scripts, and installers run. UAC controls privilege elevation, not execution. Windows Defender Antivirus detects malware but does not enforce whitelisting.

BitLocker provides full-disk encryption, not application control.

36
MCQ · easy

A security analyst is hardening a new Windows server. Which configuration would MOST effectively reduce the attack surface by limiting the software that can execute?

A. Enable Windows Defender Antivirus
B. Disable AutoPlay
C. Enable User Account Control (UAC)
D. Configure AppLocker rules
Answer: D

AppLocker provides application whitelisting to control execution.

Why this answer

AppLocker is a whitelisting technology that restricts which applications can run, reducing the attack surface.

37
Multi-Select · hard

A security engineer is evaluating cloud security tools. Which TWO of the following are primarily used to protect cloud workloads? (Select two.)

Select 2 answers
A. Identity and Access Management (IAM)
B. Cloud Workload Protection Platform (CWPP)
C. Web Application Firewall (WAF)
D. Cloud Security Posture Management (CSPM)
E. Security Information and Event Management (SIEM)
Answers: B, C

CWPP offers runtime protection for cloud workloads.

Why this answer

CWPP provides runtime security for cloud VMs and containers. WAF protects web applications from attacks like SQL injection and XSS. CSPM focuses on misconfiguration detection, not workload runtime.

IAM manages identities. SIEM aggregates logs but is not workload-specific.

38
MCQ · easy

An organization is hardening its Windows servers. Which built-in Windows feature can be used to enforce application whitelisting, ensuring only approved executables run?

A. BitLocker
B. Windows Defender Antivirus
C. AppLocker
D. User Account Control (UAC)
Answer: C

AppLocker is specifically designed for application whitelisting.

Why this answer

AppLocker provides application whitelisting capabilities in Windows, allowing administrators to control which applications can run based on rules.

39
MCQ · easy

Which Windows feature allows an administrator to define security policies such as password complexity and account lockout across multiple systems in a domain?

A. Local Security Policy
B. Security Audit Policies
C. Group Policy
D. User Account Control (UAC)
Answer: C

Group Policy centrally manages security settings for multiple systems.

Why this answer

Group Policy enforces security settings across Active Directory domain-joined systems. Local Security Policy only affects the local machine. UAC controls elevation.

Security Audit Policies are part of Group Policy but not the overarching feature.

40
MCQ · medium

A security auditor discovers that a Linux server has a user who can execute any command as root via sudo without a password. Which file should be reviewed to verify this configuration?

A. /etc/shadow
B. /etc/group
C. /etc/sudoers
D. /etc/passwd
Answer: C

sudoers defines which users can run which commands as which users, including the NOPASSWD option.

Why this answer

The /etc/sudoers file controls sudo privileges. It can be edited with visudo. A NOPASSWD entry would allow passwordless sudo.

41
MCQ · easy

During a security assessment, you discover that a Windows server has the Telnet service running. Which of the following is the BEST action to harden the server against this finding?

A. Configure a host-based firewall to allow Telnet only from specific IPs
B. Enable encryption on Telnet
C. Remove the Telnet service and use SSH instead
D. Audit Telnet connections in Event Viewer
Answer: C

This removes an insecure service and replaces it with a secure alternative (SSH), which is a best practice for system hardening.

Why this answer

Telnet is an unencrypted protocol that transmits credentials in cleartext. Removing unnecessary services reduces the attack surface; disabling Telnet eliminates a known vulnerability.

42
MCQ · hard

A forensic analyst needs to review security events from multiple Windows servers. To ensure that logs are centrally collected and resistant to tampering, which of the following should be implemented?

A. Use Windows Event Forwarding to a central event collector
B. Store logs only on the local server and back them up weekly
C. Configure Event Viewer on each server to overwrite events as needed
D. Enable auditing of account logon events
Answer: A

This centralizes logs and can be configured to forward even when the server is compromised, preserving evidence.

Why this answer

Centralized logging with a SIEM (or similar) aggregates logs from multiple sources. Forwarding events to a central collector ensures logs are preserved even if a server is compromised.

43
Multi-Select · medium

During a virtualized environment security assessment, which THREE of the following are considered risks associated with virtual machine snapshots? (Select three.)

Select 3 answers
A. Snapshots may contain unpatched vulnerabilities
B. Sensitive data may persist in snapshots
C. Snapshots cause VM sprawl
D. Snapshots can be used to roll back security configurations
E. Snapshots can be used as an attack vector for VM escape
Answers: A, B, D

Snapshots are static and may lack the latest patches.

Why this answer

Snapshots can reintroduce vulnerabilities because they are not patched (A), and they may contain sensitive data that could be exposed if not secured (B). Also, snapshots can be used to roll back security controls (D). Snapshots do not cause VM sprawl (C) or VM escape (E).

44
MCQ · easy

According to the shared responsibility model in cloud computing, which security responsibility belongs to the customer in a SaaS deployment?

A. Physical security of data centers
B. Securing the application code
C. Data classification and access controls
D. Managing the underlying operating system
Answer: C

Data security is a customer responsibility in all cloud models.

Why this answer

In SaaS, the customer is responsible for securing their data, including classification, access controls, and encryption of data at rest and in transit.

45
Multi-Select · hard

A security analyst is reviewing Linux audit logs with auditd. Which TWO events would be of greatest concern for a server that should not have interactive logins? (Select TWO.)

Select 2 answers
A. Successful root login via SSH
B. System reboot logs
C. Multiple failed su attempts
D. Successful cron job execution
E. File permission changes by a non-root user
Answers: A, C

Unauthorized interactive login.

Why this answer

Failed login attempts indicate brute force; successful root login indicates unauthorized access.

46
Multi-Select · hard

A company is deploying a web application and wants to protect against OWASP Top 10 attacks. Which THREE controls should be implemented? (Select THREE.)

Select 3 answers
A. Disable auto-run on user workstations
B. Web Application Firewall (WAF)
C. Input validation and parameterized queries
D. Code signing for application binaries
E. Use a host-based intrusion detection system on the database server
Answers: B, C, D

WAF can detect and block OWASP attacks such as SQL injection and XSS.

Why this answer

Web Application Firewall (WAF) blocks common attacks like injection and XSS. Input validation prevents injection. Code signing ensures software integrity.

Disabling auto-run is unrelated.

47
Multi-Select · medium

A security engineer is hardening a Windows workstation. Which TWO configurations reduce the attack surface by limiting execution of unauthorized code? (Select TWO.)

Select 2 answers
A. Configure AppLocker rules
B. Enable Windows Firewall with Advanced Security
C. Enable BitLocker full-disk encryption
D. Enable Windows Defender Application Control (WDAC)
E. Disable AutoPlay
Answers: A, D

AppLocker restricts which applications can run.

Why this answer

AppLocker whitelists allowed applications; Windows Defender Application Control blocks unsigned drivers and applications.

48
Multi-Select · medium

An organization is implementing system hardening. Which TWO of the following actions are recommended by CIS Benchmarks? (Select two.)

Select 2 answers
A. Remove unnecessary services and accounts
B. Enable DHCP for all network interfaces
C. Disable autorun and autoplay features
D. Enable User Account Control (UAC)
E. Disable the host-based firewall
Answers: A, C

Reducing the attack surface is a key hardening step.

Why this answer

CIS Benchmarks recommend removing unnecessary services and accounts to reduce attack surface, and disabling autorun/autoplay to prevent malware from spreading via removable media. Enabling UAC is a Windows security control but not specifically a CIS Benchmark recommendation. Using DHCP is not a hardening measure.

Disabling the firewall weakens security.

49
MCQ · hard

A cloud security team is deploying a new web application on an IaaS platform. According to the shared responsibility model, which of the following security tasks is the customer responsible for?

A. Network infrastructure security such as DDoS protection at the provider edge
B. Hypervisor security and vulnerability management
C. Patching the guest operating system and web server software
D. Physical security of the data center hosting the servers
Answer: C

The customer manages the OS and applications in IaaS, including patching.

Why this answer

In IaaS, the customer is responsible for securing the operating system, applications, and data, while the provider secures the physical infrastructure.

50
MCQ · medium

A company uses multiple virtual machines on a single hypervisor. To prevent a VM from escaping its virtualized environment and compromising the hypervisor, which of the following should be implemented?

A. Use a separate network for VM management traffic
B. Apply hypervisor security patches and disable unnecessary VM guest tools
C. Deploy a host-based firewall on each VM
D. Enable VM snapshots to restore in case of compromise
Answer: B

Patching the hypervisor and minimizing guest tools reduce the risk of VM escape.

Why this answer

VM escape attacks exploit vulnerabilities in the hypervisor. Keeping the hypervisor patched and disabling unnecessary VM guest tools reduces attack surface.

51
Multi-Select · medium

A security analyst is reviewing application security and identifies risks related to the OWASP Top 10. Which THREE are examples of OWASP Top 10 vulnerabilities? (Select THREE.)

Select 3 answers
A. Security Misconfiguration
B. Injection
C. Man-in-the-Middle (MitM)
D. Cross-Site Scripting (XSS)
E. Buffer overflow
Answers: A, B, D

Misconfiguration is a widespread issue in the OWASP Top 10.

Why this answer

Injection, XSS, and Security Misconfiguration are classic OWASP Top 10 categories.

52
MCQ · medium

A Linux system administrator needs to restrict network traffic to a server, allowing only HTTP and HTTPS from the internet. Which tool should be used to configure packet filtering rules?

A. PAM
B. SELinux
C. auditd
D. iptables
Answer: D

iptables is the classic Linux packet-filter front end.

Why this answer

iptables (or its successor nftables; on current distributions the iptables command is usually a compatibility front end for nftables) configures the kernel's packet filter. PAM handles authentication, SELinux enforces mandatory access control and auditd records events; none of them filter network traffic. When restricting inbound traffic to 80 and 443, allow established/related return traffic and SSH from the management network before switching the INPUT policy to DROP, or the change locks you out of the server.

53
MCQeasy

A web application is vulnerable to SQL injection. Which security control would be MOST effective at detecting and blocking such attacks at the network perimeter?

A.Intrusion Detection System (IDS)
B.Web Application Firewall (WAF)
C.Application whitelisting
D.Host-based firewall
AnswerB

A WAF inspects HTTP/HTTPS request content and blocks known injection patterns at the perimeter.

Why this answer

A Web Application Firewall (WAF) parses HTTP requests and can block injection payloads before they reach the application; an IDS only alerts, and application whitelisting and host-based firewalls do not inspect HTTP payloads at all. Treat the WAF as a compensating control: attackers routinely find encodings a signature misses, so the real fix is parameterized queries in the application code.

54
MCQmedium

A security administrator is configuring a Linux server to enforce mandatory access control (MAC). Which of the following tools provides MAC on Linux?

A.PAM
B.iptables
C.chmod
D.SELinux
AnswerD

SELinux provides mandatory access control.

Why this answer

SELinux and AppArmor are Linux security modules that implement mandatory access control policies beyond traditional discretionary access control.

55
Multi-Selectmedium

A cloud security architect is designing a solution to protect workloads running in a public cloud. Which THREE of the following are key security controls that should be implemented?

Select 3 answers
A.Store encryption keys in the same cloud region as the data
B.Deploy a Cloud Security Posture Management (CSPM) tool
C.Disable multi-factor authentication for service accounts
D.Use a Cloud Workload Protection Platform (CWPP)
E.Implement IAM roles with least privilege
AnswersB, D, E

CSPM identifies and remediates misconfigurations.

Why this answer

IAM roles control permissions for cloud resources. CSPM detects misconfigurations. CWPP provides runtime protection for workloads.

56
Multi-Selectmedium

A cloud security team is implementing CSPM (Cloud Security Posture Management) for their IaaS environment. Which THREE issues is CSPM MOST likely to detect? (Select THREE.)

Select 3 answers
A.IAM roles with overly permissive policies
B.Open security groups allowing unrestricted inbound access
C.Outdated OS patches on cloud VMs
D.Unencrypted S3 buckets
E.Runtime malware in a virtual machine
AnswersA, B, D

CSPM works from the cloud control plane, so it sees configuration rather than what runs inside a workload.

Why this answer

CSPM reads account configuration through the provider APIs and so detects misconfigurations such as open security groups, unencrypted storage and over-permissive IAM policies. Missing OS patches and running malware live inside the virtual machine; those are found by vulnerability scanners and CWPP or EDR agents, not by CSPM.

57
MCQmedium

A security analyst is reviewing security events on a Linux server and needs to ensure that all authentication attempts, including both successful and failed logins, are logged. Which configuration should be used?

A.Use PAM to log authentication events to /var/log/secure
B.Enable and configure auditd with rules to capture login events
C.Set up SELinux to audit login attempts
D.Configure syslog to monitor /var/log/auth.log
AnswerB

auditd is the Linux audit daemon; with login rules in place it records every authentication event, successful or failed, in /var/log/audit/audit.log.

Why this answer

The audit framework receives the USER_AUTH, USER_LOGIN and related records that PAM, sshd and login emit through libaudit, alongside any syscall and file-watch events you define, so configuring auditd is the way to guarantee complete coverage. PAM modules also write through syslog to /var/log/secure (RHEL family) or /var/log/auth.log (Debian family), which is useful, but that is per-module behaviour rather than an enforced audit policy. SELinux enforces access control and does not audit logins by itself.

58
Multi-Selecthard

A security analyst is reviewing a web application for OWASP Top 10 vulnerabilities. Which THREE of the following are examples of injection flaws?

Select 3 answers
A.SQL injection
B.LDAP injection
C.Broken authentication
D.OS command injection
E.Cross-Site Scripting (XSS)
AnswersA, B, D

SQL injection is a type of injection flaw.

Why this answer

Injection flaws occur when untrusted data is sent to an interpreter. SQL, OS command, and LDAP injection are classic examples.

59
MCQmedium

A security administrator is reviewing Linux audit logs to detect unauthorized file access. Which Linux component is primarily responsible for generating these security audit logs?

A.systemd-journald
B.SELinux
C.PAM
D.auditd
AnswerD

auditd is the audit daemon that writes the kernel's security event records to /var/log/audit/audit.log.

Why this answer

The kernel audit subsystem generates the events; auditd is the userspace daemon that receives them over a netlink socket and writes them to disk. A watch rule on the sensitive file, set with auditctl and tagged with a key, is what produces the file-access records, and ausearch on that key finds them. journald collects service and syslog output, PAM handles authentication, and SELinux decisions are reported through the same audit channel, but SELinux is the policy engine, not the logger.
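Detection logic for the two questions above (57 and 59), as an added example that is not part of the page: it parses records in the format auditd writes to /var/log/audit/audit.log, counts failed PAM logins per account, flags source addresses that fail repeatedly, and reports reads of a watched file by any login uid outside an allow list. The log lines, hosts, uids and the key name shadow-access are constructed; the SYSCALL records are the kind a rule such as `auditctl -w /etc/shadow -p rwa -k shadow-access` produces.

```python
"""Parse Linux audit records and flag failed logins and watched-file reads."""
import re
from collections import Counter

# Constructed log lines in the format auditd writes to /var/log/audit/audit.log.
# Hosts, uids, timestamps and the key name are made up for the example. The
# SYSCALL records are what a watch rule tagged with -k shadow-access produces.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1700000001.100:201): pid=4101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000003.200:202): pid=4102 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000010.300:203): pid=4110 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.12 addr=10.0.0.12 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1700000020.400:204): pid=4120 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
type=SYSCALL msg=audit(1700000030.500:205): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c items=1 ppid=3001 pid=4130 auid=1001 uid=1001 gid=1001 comm="cat" exe="/usr/bin/cat" key="shadow-access"
type=SYSCALL msg=audit(1700000040.600:206): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c items=1 ppid=1 pid=4140 auid=0 uid=0 gid=0 comm="passwd" exe="/usr/bin/passwd" key="shadow-access"
"""

# key=value, key="quoted value" or key='quoted value' tokens
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

LOGIN_TYPES = ("USER_AUTH", "USER_LOGIN")


def parse_record(line):
    """Flatten one audit record into a dict of fields."""
    fields = {}
    m = SERIAL_RE.search(line)
    if m:
        fields["time"], fields["serial"] = m.group(1), m.group(2)
    for key, raw in FIELD_RE.findall(line):
        if key == "msg" and raw.startswith("'"):
            # PAM/user-space records nest their own key=value pairs in msg='...'
            for k, v in FIELD_RE.findall(raw[1:-1]):
                fields[k] = v.strip('"')
        elif key != "msg":  # the msg=audit(...) token is handled by SERIAL_RE
            fields[key] = raw.strip("\"'")
    return fields


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def _failed_login_records(records):
    return [r for r in records if r.get("type") in LOGIN_TYPES and r.get("res") == "failed"]


def failed_logins(records):
    """Failed authentications per account name."""
    return Counter(r.get("acct", "?") for r in _failed_login_records(records))


def noisy_sources(records, threshold):
    """Source addresses with at least `threshold` failed logins (brute-force candidates)."""
    by_addr = Counter(r.get("addr", "?") for r in _failed_login_records(records))
    return {addr for addr, n in by_addr.items() if n >= threshold}


def watched_file_access(records, key, allowed_auids):
    """SYSCALL hits for an audit key whose login uid (auid) is not in the allow list."""
    return [
        {"serial": r.get("serial"), "auid": r["auid"], "exe": r.get("exe"), "comm": r.get("comm")}
        for r in records
        if r.get("type") == "SYSCALL" and r.get("key") == key and r.get("auid") not in allowed_auids
    ]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failed logins:", dict(failed_logins(recs)))
    print("noisy sources:", noisy_sources(recs, threshold=2))
    for hit in watched_file_access(recs, "shadow-access", allowed_auids={"0"}):
        print("unexpected read of watched file:", hit)
```

In production you would read the file itself (or the output of `ausearch -k shadow-access --raw`) instead of the embedded string, and correlate the CWD and PATH records that share a serial with each SYSCALL record to recover the exact path; the key field is what makes the watched-file events cheap to find.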

60
Multi-Selectmedium

An organization uses Linux servers and wants to implement mandatory access control (MAC) to enhance security. Which TWO technologies can be used? (Select TWO.)

Select 2 answers
A.SELinux
B.iptables
C.AppArmor
D.auditd
E.PAM (Pluggable Authentication Modules)
AnswersA, C

SELinux enforces MAC policies based on labels.

Why this answer

SELinux and AppArmor are Linux security modules that provide MAC. iptables is a firewall, not MAC. PAM is for authentication. auditd is for auditing.

61
MCQhard

During a code review, a developer identifies that a web application directly concatenates user input into SQL queries without sanitization. This vulnerability is classified under which OWASP Top 10 category?

A.Cross-Site Scripting (XSS)
B.Security Misconfiguration
C.Broken Access Control
D.Injection
AnswerD

SQL injection is a form of injection, which is the correct OWASP category.

Why this answer

SQL injection occurs when untrusted data is sent to an interpreter as part of a command or query. It is the classic injection flaw: Injection was the number-one category in the 2017 OWASP Top 10 and is A03:2021 in the current edition. The fix is parameterized queries (prepared statements), not input sanitization on its own.

62
MCQmedium

Which of the following tools would best help a security team detect misconfigurations in a cloud environment, such as open storage buckets or overly permissive IAM roles?

A.Cloud Security Posture Management (CSPM)
B.Web Application Firewall (WAF)
C.Cloud Workload Protection Platform (CWPP)
D.Event Viewer
AnswerA

CSPM automates the detection and remediation of cloud misconfigurations.

Why this answer

CSPM tools are specifically designed to identify cloud misconfigurations, including storage bucket permissions and IAM roles, and often provide remediation guidance.
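The kind of checks a CSPM tool runs, for questions 56 and 62 above, as an added example that is not from the page or from any vendor product: it scans a constructed inventory whose shapes loosely mirror AWS security groups, IAM policy documents and S3 bucket settings (simplified, and assumed for the example) and reports the three finding types the questions describe. A real tool pulls this inventory from the provider's APIs rather than from a literal.

```python
"""Minimal CSPM-style scan: find misconfigurations in a cloud inventory."""
import ipaddress

# Constructed sample inventory (not real accounts). The shapes loosely mirror
# AWS security groups, IAM policy documents and S3 bucket settings, simplified.
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 3306, "cidr": "10.0.0.0/8"}]},
        {"id": "sg-bastion", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
    "iam_policies": [
        {"name": "ReadOnlyLogs",
         "Statement": [{"Effect": "Allow", "Action": ["logs:Get*", "logs:Describe*"],
                        "Resource": "arn:aws:logs:*:*:*"}]},
        {"name": "AdminEverything",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"name": "S3Admin",
         "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
        {"name": "DenyAll",
         "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]},
    ],
    "buckets": [
        {"name": "app-assets", "encryption": "AES256", "public": False},
        {"name": "customer-exports", "encryption": None, "public": False},
        {"name": "marketing-site", "encryption": "AES256", "public": True},
    ],
}

# Ports that may legitimately be reachable from anywhere (public web tiers).
PUBLIC_OK_PORTS = {80, 443}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(groups):
    findings = []
    for sg in groups:
        for rule in sg["ingress"]:
            if _is_world_open(rule["cidr"]) and rule["port"] not in PUBLIC_OK_PORTS:
                findings.append(("HIGH", sg["id"], f"port {rule['port']} open to the internet"))
    return findings


def check_iam_policies(policies):
    findings = []
    for pol in policies:
        for st in pol["Statement"]:
            if st.get("Effect") != "Allow":  # Deny statements never widen access
                continue
            actions = _as_list(st.get("Action", []))
            resources = _as_list(st.get("Resource", []))
            if "*" not in resources:
                continue
            if "*" in actions:
                findings.append(("HIGH", pol["name"], "Allow * on *: full administrator rights"))
            elif any(a.endswith(":*") for a in actions):
                findings.append(("MEDIUM", pol["name"], "service-wide wildcard action on all resources"))
    return findings


def check_buckets(buckets):
    findings = []
    for b in buckets:
        if not b.get("encryption"):
            findings.append(("MEDIUM", b["name"], "default encryption disabled"))
        if b.get("public"):
            findings.append(("HIGH", b["name"], "public access enabled"))
    return findings


def scan(inventory):
    """Return (severity, resource, message) tuples for every misconfiguration found."""
    return (check_security_groups(inventory["security_groups"])
            + check_iam_policies(inventory["iam_policies"])
            + check_buckets(inventory["buckets"]))


if __name__ == "__main__":
    for severity, resource, message in scan(INVENTORY):
        print(f"{severity:6} {resource:18} {message}")
```

Note what the scan does not see: nothing about the guest OS, its patch level or the processes inside the VM, which is exactly the boundary question 56 draws between CSPM and workload-level tooling.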

63
MCQmedium

An administrator wants to ensure that a Linux web server only allows the www-data user to run specific commands with elevated privileges. Which configuration file should be modified?

A./etc/sudoers
B./etc/pam.d/
C./etc/chmod.conf
D./etc/selinux/config
AnswerA

sudoers defines which users (or groups) may run which commands, as which target user, with sudo.

Why this answer

The sudoers file controls which users can run commands with sudo and can restrict them to specific command paths. Edit it with visudo, or drop a file into /etc/sudoers.d/, so that a syntax error cannot lock every administrator out, and grant www-data only the exact command paths it needs, never ALL, because a broad rule turns a web-server compromise into root. PAM handles authentication, not command authorization; SELinux policies control mandatory access control, not sudo; chmod sets file permissions, and /etc/chmod.conf does not exist.

64
MCQmedium

A Windows system administrator needs to enforce a security policy that prevents users from installing unauthorized software. Which feature should be configured via Group Policy?

A.Windows Defender Firewall
B.User Account Control (UAC)
C.AppLocker
D.BitLocker Drive Encryption
AnswerC

AppLocker allows administrators to specify which applications are allowed to run.

Why this answer

AppLocker can be configured via Group Policy to allow or deny applications based on rules, preventing unauthorized software installation.

65
MCQmedium

An organization is implementing Windows Defender Application Control (WDAC) to prevent unauthorized applications from running on company workstations. Which of the following best describes the primary security benefit of this approach?

A.It prevents execution of any application not explicitly allowed
B.It encrypts application binaries at rest
C.It automatically updates applications from a trusted source
D.It ensures that all applications are digitally signed
AnswerA

Whitelisting blocks unapproved applications, which is the core security benefit of WDAC.

Why this answer

WDAC is a whitelisting technology that only allows approved applications to execute, effectively blocking malware and unauthorized software by default.

66
MCQeasy

An organization wants to prevent unauthorized applications from running on Windows workstations. Which Windows feature should be used to enforce application whitelisting?

A.User Account Control (UAC)
B.Windows Firewall with Advanced Security
C.Windows Defender Application Control (WDAC)
D.Windows Defender Antivirus
AnswerC

WDAC allows only approved applications to run, providing application whitelisting.

Why this answer

Windows Defender Application Control (WDAC) and AppLocker are both used for application whitelisting. WDAC policies are enforced in the kernel and apply to the whole machine, including drivers, whereas AppLocker rules can be scoped to users or groups; WDAC is the more tamper-resistant of the two, which is why Microsoft positions it as the primary control.

67
MCQhard

A security administrator is configuring Windows Firewall with Advanced Security for a web server. The requirement is to allow inbound HTTPS traffic but block all other inbound traffic. Which of the following rule configurations best meets this requirement?

A.Create an inbound block rule for all ports and then exclude HTTPS
B.Create an inbound allow rule for HTTPS and set the firewall default action to block
C.Create an outbound allow rule for HTTPS only
D.Create an inbound allow rule for HTTPS and create a block rule for all other ports
AnswerD

This states the intent explicitly: one allow rule for TCP 443, and nothing else reachable from the network.

Why this answer

A specific allow rule for HTTPS (TCP port 443) plus a rule that blocks everything else leaves only HTTPS exposed, which is least privilege at the network layer. Two practical caveats: Windows Firewall with Advanced Security by default already applies an inbound default action of Block in every profile, so an allow rule on top of that default (option B) gives the same result with less to maintain; and because explicit block rules take precedence over allow rules, any broad block rule you add must exclude port 443 (and any management ports such as RDP or WinRM you still need), or the server becomes unreachable.

68
MCQhard

During a security assessment, an analyst finds that multiple snapshots of a critical virtual machine are stored on the hypervisor host. Some snapshots are several months old. Which risk is MOST likely?

A.VM escape via snapshot file corruption
B.Unauthorized access to snapshot data
C.Reintroduction of unpatched vulnerabilities
D.Hypervisor memory exhaustion
AnswerC

Old snapshots capture the VM as it was months ago, including software that has since been patched.

Why this answer

Reverting to a stale snapshot reintroduces vulnerabilities that were fixed after it was taken, and it also undoes later configuration hardening and can resurrect rotated credentials. Snapshot files hold disk (and sometimes memory) contents, so they need the same access controls as the VM itself, and long snapshot chains consume datastore space and degrade performance, but the most likely security risk from old snapshots is an unpatched rollback.

69
MCQhard

During an application security review, a penetration tester discovers that a web application allows users to view other users' profiles by changing an ID parameter in the URL (e.g., /profile?id=123). Which OWASP Top 10 vulnerability does this represent?

A.Broken Authentication
B.Security Misconfiguration
C.Insecure Direct Object References (IDOR)
D.Injection
AnswerC

IDOR allows unauthorized access by manipulating object IDs.

Why this answer

Insecure Direct Object References (IDOR) occur when an application exposes internal object references without an access control check on each request; in the 2021 OWASP Top 10 this sits under A01:2021 Broken Access Control. Injection involves sending malicious data to an interpreter, Broken Authentication relates to login and session flaws, and Security Misconfiguration involves improper setup. The fix is a server-side ownership or permission check tied to the session user, not hiding or randomising the IDs.

70
Multi-Selecthard

A security analyst is reviewing OWASP Top 10 vulnerabilities in a web application. Which TWO are injection-related attacks? (Select TWO.)

Select 2 answers
A.Security Misconfiguration
B.Cross-Site Scripting (XSS)
C.Cross-Site Request Forgery (CSRF)
D.Insecure Direct Object References (IDOR)
E.SQL injection
AnswersB, E

XSS injects script into a page that other users' browsers then execute.

Why this answer

SQL injection is the classic injection flaw; Cross-Site Scripting (XSS) is script injection into HTML, and the 2021 OWASP Top 10 merges it into the Injection category. CSRF abuses an existing authenticated session, IDOR is an access-control flaw, and Security Misconfiguration is a deployment issue.

71
MCQmedium

An application security team is reviewing code for vulnerabilities. They find that user input is directly concatenated into an SQL query without sanitization. This is an example of which OWASP Top 10 vulnerability?

A.Injection
B.Cross-Site Scripting (XSS)
C.Security Misconfiguration
D.Broken Access Control
AnswerA

SQL injection occurs when untrusted data is sent to an interpreter as part of a command or query.

Why this answer

Concatenating user input into SQL text lets an attacker change the query's structure, for example by closing the string literal and appending OR, UNION or further clauses. The fix is parameterized queries (prepared statements), so the database receives the value separately and never parses it as SQL.
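The flaw described in questions 61 and 71 next to its fix, as an added example that is not code from the page: the vulnerable function concatenates the username into the query text, the safe one passes it as a bound parameter. The in-memory SQLite database, the user rows and the api_keys table are constructed for the demonstration.

```python
"""SQL injection: string concatenation versus a parameterized query."""
import sqlite3


def make_db():
    """Constructed sample data for the example (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.execute("CREATE TABLE api_keys (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.executemany("INSERT INTO api_keys (owner, secret) VALUES (?, ?)",
                     [("alice", "sk_constructed_alice"), ("bob", "sk_constructed_bob")])
    return conn


def find_user_vulnerable(conn, username):
    """The flaw from the question: user input becomes part of the SQL text."""
    sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the value is bound separately and never parsed as SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads. The first makes the WHERE clause always true; the second
# appends a UNION that pulls rows from a table the endpoint was never meant to expose.
TAUTOLOGY = "' OR '1'='1"
UNION_READ = "nobody' UNION SELECT id, owner, secret FROM api_keys WHERE '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tautology :", find_user_vulnerable(conn, TAUTOLOGY))   # every user
    print("vulnerable, union     :", find_user_vulnerable(conn, UNION_READ))  # api_keys leak
    print("safe, tautology       :", find_user_safe(conn, TAUTOLOGY))         # []
    print("safe, real username   :", find_user_safe(conn, "alice"))
```

Python's sqlite3 module refuses stacked statements in a single execute() call, so a `'; DROP TABLE` style payload fails here; many other drivers accept them, so do not read that as protection. The parameterized version returns nothing for both payloads because the whole string is compared as a username, which is the behaviour the question's fix is after.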

72
MCQmedium

A company is deploying virtual machines (VMs) in a private cloud environment. To prevent VM escape attacks, which of the following is the most critical security control?

A.Using a separate management network for the hypervisor
B.Regularly patching the hypervisor software
C.Disabling unnecessary VM guest tools
D.Implementing a host-based firewall on each VM
AnswerB

Hypervisor vulnerabilities are a common vector for VM escape; patching reduces this risk significantly.

Why this answer

VM escape attacks exploit vulnerabilities in the hypervisor to break out of a VM. Keeping the hypervisor patched is the primary defense against known vulnerabilities.

73
MCQmedium

A security analyst is reviewing an OWASP Top 10 vulnerability report. Which vulnerability involves an attacker accessing unauthorized data by modifying URLs or API parameters?

A.Insecure Direct Object References (IDOR)
B.Cross-Site Scripting (XSS)
C.Injection
D.Security Misconfiguration
AnswerA

IDOR allows unauthorized access by manipulating object references.

Why this answer

Insecure Direct Object References (IDOR) occur when an application exposes internal object references without proper authorization checks, allowing attackers to manipulate parameters to access other objects.
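An IDOR check for the /profile?id= case in questions 69 and 73, as an added example that is not from the page: the vulnerable handler returns whatever profile the URL names, the hardened one checks that the session user owns the object or holds a support role before returning it. Profiles, users and roles are constructed in-memory data; a real application would look them up in its database and the session user would come from the authenticated session, never from the request.

```python
"""IDOR: object lookup without, and then with, an authorization check."""
from urllib.parse import parse_qs, urlparse

# Constructed data. Sequential profile IDs are exactly the kind of reference an
# attacker enumerates by editing ?id= in the URL.
PROFILES = {
    101: {"owner_id": 1, "name": "alice", "email": "alice@example.com"},
    102: {"owner_id": 2, "name": "bob", "email": "bob@example.com"},
}
USERS = {1: "user", 2: "user", 3: "support"}  # session user id -> role


def _requested_id(url):
    """Extract and validate the id query parameter; None if absent or not an integer."""
    params = parse_qs(urlparse(url).query)
    try:
        return int(params["id"][0])
    except (KeyError, IndexError, ValueError):
        return None


def profile_vulnerable(session_user_id, url):
    """Authenticated, but never checks that the caller may see this object."""
    profile = PROFILES.get(_requested_id(url))
    if profile is None:
        return 404, None
    return 200, profile


def profile_safe(session_user_id, url):
    """Authorization decided from the session user and the object's owner, not from the URL."""
    profile = PROFILES.get(_requested_id(url))
    if profile is None:
        return 404, None
    is_owner = profile["owner_id"] == session_user_id
    is_support = USERS.get(session_user_id) == "support"
    if not (is_owner or is_support):
        # Return 404 instead if you also want to avoid confirming that the ID exists.
        return 403, None
    return 200, profile


if __name__ == "__main__":
    # bob (user 2) asks for alice's profile (101)
    print("vulnerable:", profile_vulnerable(2, "/profile?id=101"))  # 200, alice's data
    print("safe      :", profile_safe(2, "/profile?id=101"))        # 403
    print("owner     :", profile_safe(1, "/profile?id=101"))        # 200
    print("support   :", profile_safe(3, "/profile?id=102"))        # 200
```

Making IDs random or hard to guess is not a substitute for this check: IDs leak through logs, referrers and other users' pages, and the check is what the OWASP Broken Access Control category asks for.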

74
MCQmedium

A company is concerned about VM sprawl in its data center. Which of the following is the most effective mitigation strategy?

A.Enable host-based firewalls on each VM
B.Implement a CMDB with lifecycle management policies
C.Apply patches to the hypervisor regularly
D.Use a centralized snapshot management system
AnswerB

A CMDB tracks VM inventory and enforces lifecycle processes.

Why this answer

VM sprawl refers to unmanaged VMs accumulating. A Configuration Management Database (CMDB) with lifecycle management tracks VMs from creation to decommission. Hypervisor patching prevents escapes, snapshots are for recovery, and host-based firewalls protect individual VMs, but none of them manages sprawl.
