CCNA Systems App Security Questions

75 of 76 questions · Page 1/2 · Systems App Security topic · Answers revealed

1
MCQmedium

A security administrator discovers that a web application is vulnerable to SQL injection. Which of the following is the most effective mitigation to implement at the application layer?

A.Implement input validation using a blacklist of SQL keywords.
B.Encrypt the database connection using TLS.
C.Use parameterized queries or prepared statements.
D.Encode all output sent to the browser.
E.Deploy a web application firewall (WAF) in front of the server.
AnswerC

Parameterized queries separate SQL logic from data, preventing injection.

Why this answer

Option B is correct because parameterized queries ensure user input is treated as data, not executable code, preventing SQL injection. Option A (input validation) is important but can be bypassed; C (output encoding) addresses XSS; D (WAF) is network-layer; E (encryption) does not prevent injection.

2
MCQhard

During a penetration test, an attacker was able to bypass input validation and execute commands on a web server. The server runs a PHP application. Which of the following is the MOST likely root cause?

A.The application uses unsanitized input in SQL queries.
B.The application reflects user input in HTTP responses without escaping.
C.The application passes user input to a shell command via exec() or system() functions.
D.The application uses hidden form fields to store session tokens.
AnswerC

Command injection allows arbitrary command execution on the server.

Why this answer

Option C is correct because the scenario describes command execution on the web server, which is a direct consequence of OS command injection. In PHP, passing unsanitized user input to functions like exec() or system() allows an attacker to execute arbitrary shell commands, bypassing input validation. This is the most likely root cause as it directly enables command execution, unlike other vulnerabilities that lead to different impacts.

Exam trap

The trap here is that candidates may confuse command injection with SQL injection or XSS, but the key differentiator is the ability to execute OS-level commands on the server, which only occurs through shell execution functions like exec() or system().

How to eliminate wrong answers

Option A is wrong because unsanitized input in SQL queries causes SQL injection, which manipulates the database, not executes OS commands on the server. Option B is wrong because reflecting user input in HTTP responses without escaping leads to cross-site scripting (XSS), which executes in the browser, not on the server. Option D is wrong because hidden form fields storing session tokens is a session management weakness, not a mechanism for command execution.

3
Multi-Selecteasy

Which THREE of the following are common types of malware?

Select 3 answers
A.Trojan horse
B.Virus
C.Worm
E.Patch
AnswersA, B, C

A trojan disguises itself as legitimate software.

Why this answer

Options A, C, and E are correct. Virus, worm, and trojan are classic malware types. Option B (patch) is a security update, not malware.

Option D (firewall) is a security device or software.

4
MCQhard

A BYOD policy allows personal devices to access corporate email. What is the best control to enforce device encryption and remote wipe?

A.Network Access Control (NAC)
B.Mobile Device Management (MDM) profile
C.Containerization app
D.Mandatory VPN connection
AnswerB

MDM can enforce encryption and remote wipe policies.

Why this answer

Mobile Device Management (MDM) can enforce encryption and remote wipe policies. VPN encrypts data in transit but not the device. Containerization isolates corporate data but may not enforce full device encryption.

NAC controls network access, not device settings.

5
Multi-Selecteasy

Which TWO of the following are common indicators of a ransomware attack?

Select 2 answers
A.Files with .encrypted extension appearing in directories.
B.Unusual outbound network traffic to unknown IPs.
C.Decreased network latency.
D.A ransom note text file in each affected folder.
E.System log entries showing failed login attempts.
AnswersA, D

Ransomware often appends a custom extension to encrypted files.

Why this answer

Options B and D are correct. Encrypted files with a new extension and the presence of a ransom note are classic signs of ransomware. Option A is incorrect because unusual outbound traffic may indicate command-and-control communication but is not specific to ransomware.

Option C is incorrect because failed login attempts suggest brute-force, not ransomware. Option E is incorrect because network latency typically increases during an attack, not decreases.

6
MCQmedium

An organization uses a central syslog server to collect logs from firewalls, servers, and network devices. Recently, the security team noticed that some critical events from the firewall are missing from the syslog server. The firewall configuration sends syslog messages using UDP to the syslog server. The syslog server administrator reports that the server is receiving a high volume of logs and occasionally drops packets due to buffer overflow. The team needs to ensure reliable delivery of all syslog messages without losing any. Which solution should the team implement?

A.Switch to TCP-based syslog with TLS.
B.Increase the UDP buffer size on the syslog server.
C.Implement log aggregation at each network segment.
D.Use a load balancer for syslog receivers.
AnswerA

TCP ensures all messages are received and acknowledged, eliminating drops.

Why this answer

Option B is correct because switching to TCP-based syslog with TLS provides reliable, connection-oriented delivery with encryption. Option A is incorrect because increasing the UDP buffer may reduce drops but does not guarantee reliability. Option C is incorrect because log aggregation at each segment does not address the transport reliability issue.

Option D is incorrect because a load balancer would distribute load but not prevent UDP packet loss.

7
Matchingmedium

Match each security control to its type (administrative, technical, physical).

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Administrative

Technical

Physical

Technical

Why these pairings

Security controls are categorized into three types.

8
MCQeasy

Refer to the exhibit. A web server at 10.0.0.50 received the payload shown. What is the MOST likely impact if the web application is vulnerable?

A.Directory traversal to read sensitive files.
B.Remote code execution on the web server.
C.Authentication bypass via SQL injection.
D.Cross-site scripting (XSS) attack leading to session theft.
AnswerC

The payload modifies SQL query to always return true.

Why this answer

The payload shown is a classic SQL injection attempt, specifically targeting authentication logic by injecting a tautology (e.g., ' OR '1'='1) into a login field. If the web application is vulnerable, this bypasses authentication by making the SQL query always return true, granting unauthorized access without valid credentials.

Exam trap

ISC2 often tests the distinction between injection types by embedding payload syntax that mimics SQL (e.g., single quotes and OR clauses) to mislead candidates into choosing XSS or directory traversal, which use different characters and contexts.

How to eliminate wrong answers

Option A is wrong because directory traversal exploits path manipulation (e.g., ../) to read files outside the web root, not SQL injection syntax. Option B is wrong because remote code execution requires command injection or deserialization flaws, not SQL tautology injection. Option D is wrong because cross-site scripting (XSS) injects client-side scripts (e.g., JavaScript) into web pages, not SQL statements that alter database queries.

9
MCQeasy

An organization requires that all laptops used by employees be encrypted. Which type of encryption should be used to protect the entire hard drive?

A.File-level encryption
B.Full disk encryption (FDE)
C.Transport encryption (TLS)
D.Application-level encryption
E.Folder-level encryption
AnswerB

FDE encrypts the entire drive, ensuring all data is protected at rest.

Why this answer

Option A is correct because full disk encryption (FDE) encrypts the entire drive, including the OS and all files, protecting data if the laptop is lost or stolen. Option B (file-level) only encrypts individual files; C (folder-level) encrypts folders; D (transport) encrypts data in transit; E (application-level) encrypts data within an app.

10
Multi-Selecteasy

Which TWO of the following are effective measures to prevent buffer overflow attacks in a custom-developed application?

Select 2 answers
A.Input validation
B.Using unpatched third-party libraries
C.Running the application with least privilege
D.Disabling ASLR
E.Stack canaries
AnswersA, E

Validating input length and content can prevent buffer overflows by rejecting oversized or malformed data.

Why this answer

Input validation helps ensure data fits within buffer limits, and stack canaries detect and prevent stack-based buffer overflows. Using unpatched libraries increases vulnerability; disabling ASLR makes exploitation easier; running with least privilege limits damage but does not prevent the overflow itself.

11
MCQhard

An organization uses a cloud-based file synchronization service to share project files with external partners. The security team discovers that an unauthorized third party accessed sensitive documents by guessing weak passwords. Which additional control would most effectively mitigate this risk?

A.Enforcing multi-factor authentication for all external users.
B.Requiring all file transfers to use SFTP instead of HTTPS.
C.Implementing file-level encryption with keys stored on-premises.
D.Configuring the service to use a custom domain certificate.
AnswerA

MFA prevents login even if passwords are guessed, reducing the risk of unauthorized access.

Why this answer

Option B is correct because multi-factor authentication directly addresses credential guessing by requiring a second factor. Option A is incorrect because file-level encryption with on-premises keys does not prevent unauthorized access if the attacker already has valid credentials. Option C is incorrect because SFTP does not inherently provide stronger authentication than HTTPS.

Option D is incorrect because a custom domain certificate does not affect authentication strength.

12
MCQeasy

An IT administrator needs to ensure that all workstations receive security patches in a timely manner. Which process is MOST effective for this?

A.Use only operating systems that no longer require security patches
B.Assign a technician to manually patch each workstation monthly
C.Deploy a centralized patch management solution
D.Enable automatic updates on each workstation from the vendor
AnswerC

Automates patching, provides reporting, and ensures consistency.

Why this answer

Option C is correct because a centralized patch management system automates deployment and reporting. Option A is wrong because automatic updates from vendor can be unreliable and may not be centrally reported. Option B is wrong because manual patching is error-prone and not scalable.

Option D is wrong because using older OS versions is insecure and against best practice.

13
MCQmedium

A company deploys a new web application and wants to ensure that session tokens are not vulnerable to session hijacking. Which of the following controls is most effective?

A.Bind the session token to the user's IP address.
B.Set a short session timeout (e.g., 5 minutes).
C.Encrypt the session token using AES.
D.Regenerate the session ID after every request.
E.Set the Secure and HttpOnly flags on session cookies.
AnswerE

Secure flag forces HTTPS; HttpOnly prevents script access, mitigating XSS-based theft.

Why this answer

Option C is correct because setting the Secure and HttpOnly flags ensures cookies are only sent over HTTPS and not accessible via JavaScript, preventing interception and XSS-based theft. Option A (encrypting cookies) is redundant if HTTPS is used; B (short expiration) helps but not primary; D (using IP binding) can cause issues; E (regenerating session ID) is good after login, but not the most effective overall.

14
MCQeasy

A small business needs basic protection against malware. Which solution is MOST cost-effective and provides real-time protection?

A.Schedule weekly antivirus scans
B.Deploy an endpoint protection platform (EPP)
C.Install a host-based firewall on each computer
D.Use email encryption for all communications
AnswerB

Provides real-time protection and includes multiple security layers.

Why this answer

Option C is correct because endpoint protection platforms (EPP) provide antivirus, anti-malware, and often additional features like firewall and web protection. Option A is wrong because host-based firewalls alone do not protect against malware. Option B is wrong because periodic scans miss threats between scans.

Option D is wrong because email encryption does not protect against malware delivered via other vectors.

15
Multi-Selectmedium

Which TWO of the following are best practices for securing an application programming interface (API)?

Select 2 answers
A.Implement rate limiting to control the number of requests.
B.Validate and sanitize all input to the API.
C.Return detailed error messages to help clients debug.
D.Disable encryption to improve performance.
E.Use HTTP Basic Authentication without HTTPS.
AnswersA, B

Rate limiting mitigates brute-force and DoS attacks.

Why this answer

Options A and D are correct. Rate limiting prevents abuse and DoS; input validation prevents injection attacks. Option B (exposing detailed error messages) may leak information; C (using basic authentication without HTTPS) transmits credentials in plaintext; E (disabling encryption) is insecure.

16
MCQhard

A company uses a Cloud Workload Protection Platform (CWPP) to secure IaaS workloads. They discover that a virtual machine (VM) is communicating with a known command-and-control server. What is the FIRST action the security team should take?

A.Immediately isolate the VM by removing it from the network
B.Run an antivirus scan on the VM to remove the malware
C.Terminate the VM and create a new one from a clean image
D.Analyze the traffic logs to determine the scope of the compromise
AnswerA

Containment is the first priority to stop active threat.

Why this answer

Option B is correct because isolating the VM stops the malicious communication and prevents further spread. Option A is wrong because the infection is already active; waiting for analysis allows more damage. Option C is wrong because terminating the VM may be too aggressive and could cause data loss without investigation.

Option D is wrong because scanning does not stop ongoing communication.

17
MCQeasy

A company is deploying a new mobile application that handles sensitive customer data. Which practice BEST ensures data confidentiality on the device?

A.Require a strong screen lock passcode.
B.Disable cloud backups for the app.
C.Encrypt all sensitive data stored on the device using a key derived from the user's passcode.
D.Use app sandboxing to isolate app data from other apps.
AnswerC

Encryption at rest ensures data is unreadable without the key.

Why this answer

Option C is correct because encrypting sensitive data with a key derived from the user's passcode ensures that even if the device is lost or stolen, the data remains unreadable without the passcode. This approach leverages the user's secret to protect confidentiality at rest, which is a fundamental principle of mobile data protection. Technologies like iOS Data Protection and Android File-Based Encryption use similar key derivation from the lock screen credential to encrypt app-specific data.

Exam trap

ISC2 often tests the distinction between access control (screen lock) and data protection (encryption), leading candidates to choose a strong passcode as the best practice for confidentiality, when encryption with a derived key is the actual requirement.

How to eliminate wrong answers

Option A is wrong because a strong screen lock passcode only prevents unauthorized access to the device interface but does not protect data if the device is compromised via other means (e.g., forensic extraction or jailbreak). Option B is wrong because disabling cloud backups prevents data from being stored off-device but does not address confidentiality of data already on the device; backups themselves can be encrypted separately. Option D is wrong because app sandboxing isolates app data from other apps to prevent unauthorized inter-app access, but it does not protect against physical device access or OS-level attacks that bypass sandboxing.

18
MCQmedium

Refer to the exhibit. A security administrator is troubleshooting connectivity to a web server. Users report they can access the website via HTTP and HTTPS, but cannot establish new SSH connections. Which of the following best explains this issue?

A.The firewall is dropping SSH connections only when they are new, but established sessions may still be allowed.
B.The firewall policy is set to ACCEPT on the INPUT chain, so SSH should work.
C.The firewall is blocking all incoming traffic on port 22.
D.The firewall is configured to drop new SSH connections, which prevents users from initiating new SSH sessions.
AnswerD

The DROP rule for tcp dpt:22 with state NEW explicitly drops new SSH connection attempts, explaining the inability to SSH.

Why this answer

The firewall rule drops all new TCP connections to port 22 (SSH) using the state NEW module. Established SSH sessions, if any, would still be allowed, but new connections are blocked. Option A is incorrect because the rule does not block all traffic on port 22, only new connections.

Option B is a partial statement but does not capture the state-based filtering. Option D is incorrect because the INPUT chain policy is ACCEPT, but the drop rule overrides for new SSH traffic.

19
MCQmedium

An organization uses AWS IAM to manage access. Which best practice ensures least privilege?

A.Use a single shared admin account
B.Use root account for administrative tasks
C.Create individual users and assign only necessary permissions
D.Grant all users full access to S3 buckets
AnswerC

Individual users with minimal permissions enforce least privilege.

Why this answer

Creating individual users with only necessary permissions enforces least privilege. Using root account is dangerous. Shared accounts violate accountability.

Granting full S3 access is excessive.

20
MCQeasy

A university IT department manages a lab of 50 computers running Windows 10 that are used by students for coursework. The computers are joined to a domain and have Group Policy applied to restrict administrative access. Recently, several students were able to install unauthorized software by using the built-in Administrator account, which had the same password on all lab computers. The IT department wants to prevent this without affecting the students' ability to run required academic software. Which of the following is the most effective solution?

A.Configure the computers to only allow standard user accounts.
B.Disable the local Administrator account on all lab computers.
C.Use a tool to assign a unique, random password to the local Administrator account on each computer.
D.Implement Software Restriction Policies to block unauthorized executables.
AnswerC

Unique passwords prevent use of a known shared password across all machines.

Why this answer

Option C is correct because changing the local Administrator password to a unique, complex value for each machine prevents lateral movement and unauthorized use. Option A is incorrect because disabling the account might break functionality if it's relied upon. Option B is incorrect because while SRP helps, it does not prevent use of the Administrator account.

Option D is incorrect because standard user accounts do not have installation rights, but if students know the Admin password, they can still use it.

21
MCQeasy

Refer to the exhibit. An AWS S3 bucket policy is defined as shown. Which statement about this policy is TRUE?

A.The company-public bucket objects are completely private
B.The Deny statement prevents all access to both buckets
C.Any user can read objects in the company-public bucket
D.The policy applies to all buckets in the account
AnswerC

Principal '*' and Action 's3:GetObject' allows public read access.

Why this answer

Option B is correct because the first statement allows anyone to read objects in the company-public bucket. Option A is wrong because the policy does not affect other buckets. Option C is wrong because the company-public bucket is explicitly allowed for GetObject.

Option D is wrong because the Deny statement is effective, but it only denies access to company-private bucket, not company-public.

22
Multi-Selecthard

Which THREE of the following are best practices for securely managing cryptographic keys in an enterprise environment?

Select 3 answers
A.Use the same key for encryption and decryption (symmetric) and also for signing.
B.Share keys via email encrypted with the recipient's public key.
C.Implement key escrow to allow recovery of encrypted data.
D.Rotate keys on a regular schedule or upon compromise.
E.Store keys in a hardware security module (HSM).
AnswersC, D, E

Key escrow ensures that encrypted data can be recovered if keys are lost or unavailable.

Why this answer

Options A, C, and E are correct. HSMs provide tamper-resistant key storage. Key rotation limits exposure from compromised keys.

Key escrow allows recovery when keys are lost. Option B is incorrect because email is not a secure channel for key distribution. Option D is incorrect because using the same key for multiple purposes (e.g., encryption and signing) violates key separation principles.

23
Multi-Selectmedium

Which THREE of the following are valid methods for authenticating users in a web application? (Choose three.)

Select 3 answers
A.IP address whitelisting
B.SAML
C.OAuth 2.0
D.HTTP Basic Authentication
E.LDAP
AnswersB, C, D

SAML enables single sign-on across domains.

Why this answer

SAML (Security Assertion Markup Language) is a valid method for authenticating users in a web application because it is an XML-based open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). It enables single sign-on (SSO) by allowing the SP to trust the IdP's assertion of the user's identity, making it a widely adopted federated authentication protocol.

Exam trap

ISC2 often tests the distinction between authentication and authorization or access control, leading candidates to mistakenly select IP whitelisting (a network-layer access control) as an authentication method, or LDAP (a directory protocol) as a direct authentication protocol rather than a backend service.

24
MCQeasy

A small business uses a single Windows Server 2016 machine that also acts as a domain controller, file server, and runs a custom application for inventory management. The server recently exhibited slow performance and frequent crashes. The system administrator runs antivirus and finds no malware. The event log shows several 'Event ID 7000' errors from the Service Control Manager, indicating certain services failed to start. The administrator also notices that the server has not been restarted in 180 days and has several pending updates. What is the most likely cause of the performance issues?

A.A rootkit infection that the antivirus failed to detect.
B.The server has not been restarted for an extended period and has pending updates.
C.A heavily fragmented hard drive.
D.A memory leak in the custom application.
AnswerB

Lack of restarts can lead to resource exhaustion, and pending updates may address performance bugs.

Why this answer

Option D is correct because pending updates often include bug fixes and performance improvements; the lack of restarts may lead to memory leaks or resource exhaustion. Option A is incorrect because there is no indication of resource exhaustion from a specific service. Option B is incorrect because the antivirus found no malware.

Option C is incorrect because a fragmented hard drive would not cause service start failures.

25
MCQhard

During a code review, you discover that an application stores passwords in plaintext. What is the most secure remediation?

A.Hash passwords with MD5
B.Use bcrypt with a unique salt per password
C.Use AES encryption of passwords
D.Store passwords in a database with restricted access
AnswerB

Bcrypt is slow and salted, making brute force impractical.

Why this answer

Bcrypt with a unique salt is designed for password storage; it is slow and resistant to brute force. MD5 is fast and weak. AES encryption is reversible if the key is compromised.

Database access control does not protect if the database is breached.

26
MCQhard

A company runs containerized applications in a Kubernetes cluster. They need to ensure that containers run with the least privilege and cannot escalate privileges. Which configuration change is MOST effective?

A.Set the container to run as non-root user
B.Drop all Linux capabilities from the container
C.Mount the container root filesystem as read-only
D.Enable SELinux enforcing mode on the host
AnswerC

Prevents writing to the container's filesystem, limiting impact of a compromise.

Why this answer

Option D is correct because setting a read-only root filesystem prevents container from writing to its own filesystem, limiting damage from compromise. Option A is wrong because running as non-root is important but does not prevent privilege escalation if capabilities allow. Option B is wrong because dropping all capabilities reduces risk but does not prevent writes to root filesystem.

Option C is wrong because SELinux enforcing mode adds a layer but is not directly about privilege escalation in containers.

27
Drag & Dropmedium

Drag and drop the steps for setting up a certificate authority (CA) in Windows Server into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Windows CA setup: install role, configure CA type, set storage, install, test.

28
MCQmedium

A developer wants to ensure that a web application is protected against cross-site request forgery (CSRF). Which mitigation technique is most commonly recommended?

A.Implement a Content Security Policy (CSP).
B.Enable HTTP Strict Transport Security (HSTS).
C.Sanitize all user input.
D.Use anti-CSRF tokens in forms.
E.Implement Cross-Origin Resource Sharing (CORS) headers.
AnswerD

Anti-CSRF tokens are validated by the server to ensure request legitimacy.

Why this answer

Option C is correct because anti-CSRF tokens are unique per session and validated on state-changing requests, ensuring the request originated from the legitimate site. Option A (CORS) controls cross-origin reads; B (input validation) is for injection; D (HSTS) enforces HTTPS; E (Content Security Policy) mitigates XSS, not CSRF.

29
Multi-Selecteasy

Which THREE of the following are data loss prevention (DLP) controls that can be implemented to protect sensitive data?

Select 3 answers
A.Require strong passwords for all user accounts
B.Encrypt sensitive data both at rest and in transit
C.Deploy endpoint DLP agents to monitor and block unauthorized data transfers
D.Classify data based on sensitivity and apply appropriate labels
E.Implement network firewalls to block all outbound traffic
AnswersB, C, D

Encryption renders data unreadable if leaked.

Why this answer

Options A, D, and E are correct. Data classification labels guide handling, encryption protects data in transit/rest, and endpoint DLP agents can block unauthorized transfers. Option B is wrong because firewalls control network traffic but do not inspect data content.

Option C is wrong because strong passwords are authentication, not data loss prevention.

30
MCQeasy

A company is implementing a new file-sharing application for employees. Which of the following is the most important security control to prevent unauthorized access to shared files?

A.Schedule regular backups.
B.Implement access control lists (ACLs) on shared folders.
C.Install antivirus software on all endpoints.
D.Enable detailed audit logging.
E.Encrypt files with AES-256.
AnswerB

ACLs enforce permissions, restricting access only to authorized users.

Why this answer

Option A is correct because access control lists (ACLs) explicitly define who can access resources. Option B (encryption) protects data at rest but does not manage permissions; C (logging) is detective; D (antivirus) prevents malware; E (backup) ensures availability, not confidentiality.

31
Drag & Dropmedium

Drag and drop the steps for conducting a security incident response under the NIST framework into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

NIST incident response follows: Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity, and Reporting.

32
MCQmedium

An organization allows employees to use personal smartphones to access corporate email and data. Which control is MOST important to protect corporate data if a device is lost or stolen?

A.Require device encryption
B.Require strong passwords with complexity requirements
C.Implement remote wipe capability
D.Enforce a screen lock timeout of 1 minute
AnswerC

Allows administrator to erase corporate data remotely when device is lost.

Why this answer

Option D is correct because remote wipe can erase corporate data from a lost device. Option A is wrong because encryption protects data at rest but does not prevent access if device is unlocked. Option B is wrong because screen lock can be bypassed with brute force.

Option C is wrong because strong passwords help but if device is already compromised, remote wipe is the best response.

33
MCQmedium

An organization is implementing a secure software development lifecycle (SDLC). Which activity should be performed during the design phase to minimize security flaws?

A.Perform threat modeling to identify potential attack vectors.
B.Run dynamic application security testing (DAST) tools.
C.Apply security patches to the development environment.
D.Conduct a code review for security vulnerabilities.
AnswerA

Threat modeling in design phase identifies risks before coding.

Why this answer

Threat modeling is a proactive security activity performed during the design phase to identify potential attack vectors, trust boundaries, and threats before any code is written. By analyzing the system architecture and data flows, teams can mitigate security flaws early, reducing the cost and effort of fixing vulnerabilities later in the SDLC.

Exam trap

ISC2 often tests the distinction between design-phase activities (like threat modeling) and implementation or testing-phase activities (like code review or DAST), so the trap is assuming that any security testing or patching belongs in the design phase.

How to eliminate wrong answers

Option B is wrong because dynamic application security testing (DAST) is a runtime testing activity performed after the application is built, not during the design phase. Option C is wrong because applying security patches to the development environment is an operational security task that maintains the integrity of the development infrastructure, not a design-phase activity to minimize flaws in the application itself. Option D is wrong because code review for security vulnerabilities is performed during the implementation phase, after code has been written, not during the design phase.

34
MCQmedium

A system administrator needs to ensure that a Linux server is hardened against common attacks. Which configuration change is MOST effective in preventing privilege escalation via SUID binaries?

A.Enable auditd to log all SUID executions.
B.Set the umask to 077 for all users.
C.Mount the /tmp and /var partitions with the 'nosuid' option.
D.Remove all SUID binaries from the system.
AnswerC

Prevents execution of SUID binaries on those partitions.

Why this answer

Mounting partitions like /tmp and /var with the 'nosuid' option prevents SUID and SGID bits from taking effect on files stored there. Since attackers often place malicious SUID binaries in world-writable directories to escalate privileges, this configuration blocks the execution of such binaries regardless of their permissions. This is more effective than logging or removing all SUID binaries, as it proactively neutralizes a common attack vector without breaking system functionality.

Exam trap

The trap here is that candidates may think logging (auditd) or removing all SUID binaries is a viable solution, but the exam tests the understanding that 'nosuid' is a practical, targeted control that prevents exploitation without breaking legitimate system functionality.

How to eliminate wrong answers

Option A is wrong because enabling auditd to log all SUID executions only provides visibility into when SUID binaries are run; it does not prevent privilege escalation, as the binaries still execute with elevated privileges. Option B is wrong because setting the umask to 077 for all users restricts default file permissions for new files but does not affect existing SUID binaries or prevent their execution, nor does it remove the SUID bit from files already present. Option D is wrong because removing all SUID binaries from the system is impractical and often breaks essential system utilities (e.g., sudo, passwd, ping) that legitimately require the SUID bit to function; a more targeted approach like using 'nosuid' on specific partitions is preferred.

35
Multi-Selecteasy

Which two of the following measures ensure the integrity of backup data? (Choose two.)

Select 2 answers
A.Keeping backups offline and immutable
B.Storing backups on the same drive as original data
C.Using encryption for backup media
D.Regular backup testing
E.Setting backups to overwrite each month
AnswersA, D

Offline/immutable backups prevent modification.

Why this answer

Regular backup testing verifies that backups are restorable. Keeping backups offline and immutable prevents tampering. Storing on the same drive risks loss.

Encryption protects confidentiality, not necessarily integrity.

36
MCQhard

Refer to the exhibit. A web server log shows two requests from the same IP. What type of attack is being attempted, and which mitigation is MOST effective?

A.SQL injection; use parameterized queries
B.Cross-site scripting (XSS); encode all output
C.Cross-site request forgery (CSRF); use anti-CSRF tokens
D.Command injection; implement input validation
AnswerA

The log shows SQL injection attempts; parameterized queries prevent them.

Why this answer

Option A is correct because the requests contain SQL injection patterns (OR 1=1 and DROP TABLE). Parameterized queries prevent SQL injection. Option B is wrong because XSS would involve script tags.

Option C is wrong because command injection would involve shell commands. Option D is wrong because CSRF would involve a different method and referrer.

37
MCQeasy

A company is migrating its on-premises applications to a public cloud. Which security control is MOST important to implement to protect data in transit?

A.Enable server-side encryption for cloud storage.
B.Implement data classification labels.
C.Use IPsec VPNs for all cloud connections.
D.Ensure all data transmissions use TLS 1.2 or higher.
AnswerD

TLS encrypts data in transit and is widely supported.

Why this answer

TLS 1.2 or higher is the standard protocol for encrypting data in transit over public networks, ensuring confidentiality and integrity between client and server. It is the most critical control because it directly protects data as it moves across the internet to the cloud, which is the primary risk in a migration scenario.

Exam trap

The trap here is that candidates often confuse IPsec VPNs (which protect network-layer traffic) with the application-layer encryption provided by TLS, assuming VPNs are always superior for cloud connections, but TLS is the standard and most practical control for protecting data in transit to public cloud services.

How to eliminate wrong answers

Option A is wrong because server-side encryption protects data at rest in cloud storage, not data in transit. Option B is wrong because data classification labels help manage access and handling policies but do not encrypt or protect data during transmission. Option C is wrong because IPsec VPNs secure site-to-site connections but are not the most important for all cloud connections; many cloud services use HTTPS/TLS natively, and forcing all traffic through a VPN can introduce latency and complexity without providing better protection than TLS for application-layer data.

38
MCQmedium

Refer to the exhibit. A security analyst observes this event on a workstation. What is the MOST likely explanation?

A.Microsoft Office is performing an automatic update.
B.A scheduled task triggered the command.
C.A user ran a legitimate command from the Start menu.
D.A malicious macro in a Word document executed the command.
AnswerD

Macros can execute shell commands; this is a common attack vector.

Why this answer

The event shows a command prompt launching with a base64-encoded PowerShell command, which is a common technique used by malicious macros to download and execute payloads. Microsoft Office macros can invoke cmd.exe or PowerShell to bypass security controls, and the encoded command suggests obfuscation typical of malware, not legitimate software updates or user actions.

Exam trap

ISC2 often tests the distinction between legitimate system processes and obfuscated command execution, where candidates mistake encoded PowerShell commands for normal update or task operations instead of recognizing them as indicators of macro-based malware.

How to eliminate wrong answers

Option A is wrong because Microsoft Office automatic updates are managed by the Office Click-to-Run service or Windows Update, not by launching a base64-encoded PowerShell command from cmd.exe. Option B is wrong because scheduled tasks typically run with a clear task name and path in the command line, not with obfuscated PowerShell commands that hide the actual execution. Option C is wrong because a user running a legitimate command from the Start menu would not involve a base64-encoded PowerShell command; such encoding is used to conceal malicious intent, not for normal user operations.

39
MCQeasy

A help desk technician receives multiple reports that users cannot access a critical web application. The application's error log shows repeated '403 Forbidden' errors. Which of the following is the most likely cause?

A.The web application firewall is blocking legitimate traffic.
B.The SSL certificate has expired.
C.The application's database connection pool is exhausted.
D.The web server's IP address has changed.
AnswerA

WAFs often return 403 Forbidden when security rules trigger on legitimate traffic.

Why this answer

Option C is correct because a 403 Forbidden error typically indicates that the web application firewall (WAF) is blocking requests, often due to false positives. Option A is incorrect because an IP change would result in connection errors, not HTTP 403. Option B is incorrect because a database connection pool exhaustion would cause 500-type errors.

Option D is incorrect because an expired SSL certificate would cause SSL handshake errors, not 403.

40
Multi-Selectmedium

Which TWO of the following are effective measures to prevent cross-site scripting (XSS) vulnerabilities in a web application?

Select 2 answers
A.Implement a Content Security Policy (CSP).
B.Use a web application firewall (WAF) to block known XSS payloads.
C.Replace GET requests with POST for all form submissions.
D.Encode all user input before displaying it in HTTP responses.
E.Use HTTPS for all communications.
AnswersA, D

CSP restricts sources of executable scripts, mitigating XSS even if injection occurs.

Why this answer

Options B and C are correct because output encoding prevents XSS by neutralizing script payloads, and Content Security Policy (CSP) provides a browser-level defense that restricts script execution. Option A is incorrect because HTTPS only encrypts data in transit, not preventing XSS. Option D is incorrect because WAFs can block some XSS attempts but are not a prevention measure at the application level.

Option E is incorrect because HTTP method does not affect XSS.

41
Multi-Selecthard

Which THREE of the following are common indicators of a cross-site scripting (XSS) attack? (Choose three.)

Select 3 answers
A.Unusual cookie values or multiple cookies
B.JavaScript execution in the browser's developer console that was not initiated by the user
C.Presence of script tags in the page source that are not part of the original application
D.Unexpected pop-up windows in the browser
E.Unusual network traffic to external IP addresses
AnswersB, C, D

XSS payloads often execute script automatically.

Why this answer

Option B is correct because XSS attacks often inject malicious JavaScript that executes in the victim's browser without user initiation. Observing unexpected script execution in the developer console indicates that an attacker's payload has run, which is a direct sign of a successful XSS exploit.

Exam trap

ISC2 often tests the distinction between direct indicators of an attack (like unexpected script execution or script tags) and secondary consequences (like unusual network traffic or cookie anomalies), causing candidates to select options that are results of an attack rather than the attack itself.

42
MCQmedium

A security analyst needs to ensure that a legacy application running on an unsupported operating system remains secure until it can be replaced. Which strategy provides the most effective risk reduction?

A.Move the application to a sandboxed virtual machine and isolate it from the network.
B.Apply all available security patches from third-party sources.
C.Upgrade the application to the latest version with vendor support.
D.Implement application whitelisting to allow only approved executables.
AnswerA

Sandboxing and network isolation contain the application and reduce exposure.

Why this answer

Option D is correct because isolating the application in a sandboxed virtual machine with network restrictions minimizes the attack surface. Option A is incorrect because application whitelisting does not protect against OS-level vulnerabilities. Option B is incorrect because upgrading the application is not feasible if it runs on an unsupported OS.

Option C is incorrect because third-party patches may introduce instability or conflicts.

43
MCQeasy

A company wants to prevent unauthorized applications from running on employee workstations. Which of the following is the most effective control?

A.User training
B.Regular antivirus updates
D.Application whitelisting
AnswerD

Whitelisting blocks unapproved applications from running.

Why this answer

Application whitelisting allows only approved executables to run, effectively preventing unauthorized applications. Host-based intrusion detection can detect but not prevent. Antivirus relies on signatures and may miss unknown malware.

User training is important but not a technical control.

44
MCQhard

During a security audit, an analyst finds that a server's audit log shows repeated failed login attempts from a single IP, followed by a successful login from the same IP five minutes later. What is the most likely type of attack that occurred?

A.Dictionary attack
B.Man-in-the-middle attack
C.Brute-force attack
D.Replay attack
E.Password spraying attack
AnswerC

Brute-force tries all possible combinations until success, matching the log pattern.

Why this answer

Option D is correct because a brute-force attack involves repeated attempts until success. Option A (replay) requires capturing and reusing credentials; B (man-in-the-middle) intercepts traffic; C (dictionary) uses a list of likely passwords, but the description matches brute-force due to time; E (spray) targets multiple accounts with few passwords.

45
MCQmedium

Refer to the exhibit. A security analyst reviews a Windows Security event log entry showing multiple logon failures for user 'admin' from IP 10.0.0.100 within 5 minutes. What type of attack is most likely occurring?

A.Brute force attack
B.Kerberos ticket replay
C.Pass-the-hash attack
D.Privilege escalation
AnswerA

Repeated logon attempts suggest brute force.

Why this answer

Multiple logon failures from a single IP indicate a brute force attack. Pass-the-hash uses captured hashes, not repeated failures. Kerberos ticket replay is different.

Privilege escalation is not indicated.

46
Multi-Selectmedium

Which TWO of the following are effective controls to prevent buffer overflow attacks? (Choose two.)

Select 2 answers
A.Input validation to reject long inputs
B.Address Space Layout Randomization (ASLR)
C.Code obfuscation
D.Non-executable stack (NX bit)
E.Stack canaries
AnswersB, D

ASLR randomizes memory addresses, making it harder to predict target addresses.

Why this answer

Address Space Layout Randomization (ASLR) is a memory protection technique that randomizes the base addresses of executable modules, heap, and stack regions. This makes it significantly harder for an attacker to predict the memory addresses needed to inject and execute shellcode, thereby mitigating many buffer overflow exploits that rely on fixed address references.

Exam trap

ISC2 often tests the misconception that input validation alone is sufficient to prevent buffer overflows, or that stack canaries are a primary control rather than a detection mechanism, leading candidates to select them instead of the memory protection controls ASLR and NX bit.

47
MCQmedium

A database administrator notices unusual queries that seem to be trying to extract data via SQL injection. The application uses parameterized queries for most queries, but some dynamic queries are built using string concatenation. What is the BEST remediation?

A.Restrict database user permissions to only necessary tables
B.Implement strict input validation for all user inputs
C.Deploy a web application firewall (WAF) in front of the application
D.Rewrite all dynamic queries to use parameterized queries
AnswerD

Parameterized queries prevent interpretation of user input as SQL code.

Why this answer

Option A is correct because converting all dynamic queries to use parameterized queries eliminates the possibility of SQL injection. Option B is wrong because input validation alone is insufficient if concatenation is used. Option C is wrong because WAF is a detection/blocking control but not a code-level fix.

Option D is wrong because least privilege reduces impact but does not prevent injection.

48
MCQhard

A financial services organization deploys a new web application that allows customers to check account balances and transfer funds. The application uses a RESTful API with JSON payloads. Shortly after deployment, the security team notices unusual traffic patterns: many requests contain excessively long JSON strings in the 'amount' field, and some of these requests return 500 Internal Server Errors. The application logs show that these requests cause high CPU usage on the application server. The developers confirm that the input validation only checks for negative numbers and characters. Which type of attack is most likely occurring, and what is the best immediate mitigation?

A.The attack is a brute-force attempt on the amount field; implement rate limiting.
B.The attack is cross-site scripting; sanitize output.
C.The attack is a Denial of Service using large payloads; implement input size limits and validation.
D.The attack is SQL injection; use parameterized queries.
AnswerC

Large JSON payloads can exhaust server resources; validation should restrict field sizes.

Why this answer

Option B is correct because the symptoms indicate a Denial of Service attack via large payloads that consume server resources. Input validation should reject oversized inputs. Option A is incorrect because brute force would not cause high CPU from large payloads.

Option C is incorrect because SQL injection would likely return specific error messages rather than 500s from CPU exhaustion. Option D is incorrect because XSS targets browser execution, not server CPU.

49
MCQhard

An organization experiences malware that injects code into legitimate processes. Which security feature should be enabled to prevent code execution in memory pages?

A.Encrypted File System (EFS)
B.Address Space Layout Randomization (ASLR)
C.Mandatory Access Control (MAC)
D.Data Execution Prevention (DEP)
AnswerD

DEP prevents execution from non-executable memory regions.

Why this answer

Data Execution Prevention (DEP) is a hardware and software security feature that marks memory pages as non-executable unless they explicitly contain executable code. By preventing code execution in data-only memory regions (such as the heap and stack), DEP stops malware that attempts to inject and run shellcode within legitimate processes, even if the process is compromised.

Exam trap

The trap here is that candidates often confuse ASLR with DEP, thinking randomization alone prevents code execution, but ASLR only makes addresses unpredictable while DEP actively blocks execution from non-executable pages.

How to eliminate wrong answers

Option A is wrong because Encrypted File System (EFS) protects data at rest by encrypting files on NTFS volumes, but it does not control memory execution permissions or prevent code injection into running processes. Option B is wrong because Address Space Layout Randomization (ASLR) randomizes the memory addresses of process components to make exploitation harder, but it does not enforce non-execution of memory pages; it works alongside DEP but is not a direct prevention mechanism against code execution in memory. Option C is wrong because Mandatory Access Control (MAC) enforces system-wide security policies based on labels and subjects, but it does not manage memory page execution permissions at the hardware or kernel level.

50
MCQmedium

A healthcare organization uses an electronic health records (EHR) system that stores patient data in a relational database. The system is accessed by doctors and nurses via tablet devices on a wireless network. The security team has detected that some patient records were accessed outside of normal business hours from an IP address not belonging to the organization. The database logs show that the queries originated from the application server. The application logs indicate that the access was performed using a legitimate user account that had been disabled due to employee departure two weeks earlier. Which of the following is the most effective step to prevent recurrence?

A.Require multi-factor authentication for all remote access.
B.Enable audit logging on all database transactions.
C.Implement a process to disable user accounts within one hour of employee termination.
D.Segregate the wireless network from the internal network.
AnswerC

A timely account disable process prevents use of former employees' credentials.

Why this answer

Option A is correct because disabling the account should have been immediate upon employee departure; this is a failure of the account management process. Option B is incorrect while useful, does not address the root cause of the account still being active. Option C is incorrect because network segmentation would not prevent use of a valid account.

Option D is incorrect because MFA helps but if the account is still active, the attacker could have bypassed MFA if not enforced.

51
Multi-Selecthard

Which TWO of the following are effective measures to prevent buffer overflow attacks in software development?

Select 2 answers
A.Validate all input to ensure it meets length constraints
B.Implement stack canaries
C.Obfuscate the code to make exploitation harder
D.Enable Address Space Layout Randomization (ASLR)
E.Use functions that perform bounds checking (e.g., strncpy instead of strcpy)
AnswersB, E

Stack canaries detect if a buffer overflow has occurred by checking a known value.

Why this answer

Options B and D are correct. Option B (using bounds-checking functions) like strncpy instead of strcpy prevents overflows. Option D (stack canaries) detect buffer overflows before they overwrite return addresses.

Option A (ASLR) randomizes memory addresses but does not prevent overflow; it makes exploitation harder. Option C (input validation) helps but is not specific to buffer overflow; E (code obfuscation) does not prevent the vulnerability.

52
Multi-Selecteasy

Which TWO of the following are best practices for securing a wireless network? (Choose two.)

Select 2 answers
A.Disable SSID broadcast
B.Set a short, simple pre-shared key for convenience
C.Use WEP encryption
D.Enable MAC address filtering
E.Use WPA3 encryption
AnswersA, E

Hiding SSID reduces visibility to casual scanners.

Why this answer

Disabling SSID broadcast prevents the access point from including the network name in beacon frames, making the network less visible to casual scanning tools. However, it is not a security measure because the SSID is still transmitted in probe requests and responses, and can be easily discovered using packet capture tools like Wireshark or airodump-ng. It is considered a best practice only as a minor obscurity layer, not a replacement for strong encryption.

Exam trap

ISC2 often tests the misconception that disabling SSID broadcast is a strong security measure, when in reality it is only a minor obscurity technique that does not prevent determined attackers from discovering the network.

53
MCQhard

An organization is implementing a jump server architecture for managing critical servers. Which additional control BEST reduces the risk of lateral movement if the jump server is compromised?

A.Enable verbose logging on all target servers.
B.Require multi-factor authentication for all jump server logins.
C.Implement SSH key-based authentication with agent forwarding restricted to specific target hosts.
D.Use a separate VLAN for management traffic.
AnswerC

Restricts which hosts can be accessed from the jump server, reducing lateral movement.

Why this answer

Option C is correct because restricting SSH agent forwarding to specific target hosts prevents an attacker who compromises the jump server from using forwarded credentials to authenticate to arbitrary internal systems. This containment limits lateral movement by ensuring that even if the jump server is breached, the attacker cannot reuse SSH keys to pivot to non-approved targets.

Exam trap

The trap here is that candidates often choose multi-factor authentication (Option B) thinking it prevents all post-compromise risks, but MFA only protects the initial login, not lateral movement after the jump server is already compromised.

How to eliminate wrong answers

Option A is wrong because verbose logging on target servers is a detective control that records activity after the fact; it does not prevent an attacker from moving laterally from a compromised jump server. Option B is wrong because multi-factor authentication for jump server logins protects the initial access to the jump server but does not restrict lateral movement once an attacker has already compromised that server. Option D is wrong because a separate VLAN for management traffic segments network traffic but does not prevent an attacker who already controls the jump server from using its SSH agent or credentials to reach other hosts within that VLAN.

54
MCQeasy

An organization is migrating its on-premises applications to a cloud provider. Which of the following security controls should be implemented to protect data at rest in the cloud?

A.Implement multi-factor authentication for all users.
B.Configure network segmentation using VPCs.
C.Use access keys for API authentication.
D.Enable CloudTrail or equivalent audit logging.
E.Enable server-side encryption on storage services.
AnswerE

Server-side encryption encrypts data at rest automatically.

Why this answer

Option B is correct because enabling server-side encryption (SSE) ensures data is encrypted when stored by the cloud provider. Option A (network segmentation) protects in transit; C (access keys) are for authentication; D (MFA) is for user identity; E (audit logs) are detective.

55
MCQeasy

An organization wants to protect endpoints from ransomware that encrypts files and demands payment. Which control should be implemented FIRST?

A.Deploy email spam filtering
B.Implement application whitelisting
C.Conduct user security awareness training
D.Enable file-level backup to a separate location
AnswerB

Blocks unauthorized executables from running.

Why this answer

Option B is correct because application whitelisting blocks unauthorized executables, including ransomware, from running. Option A is wrong because email filtering can reduce but not block all ransomware delivery. Option C is wrong because user training is important but not a technical control that immediately prevents execution.

Option D is wrong because backups help recovery but do not prevent infection.

56
Matchingmedium

Match each cryptography term to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Same key for encryption and decryption

Key pair: public and private

One-way function producing fixed output

Ensures authenticity and non-repudiation

Why these pairings

These are fundamental cryptography concepts.

57
MCQhard

A security analyst is reviewing a script that performs automated backups. The script uses a hardcoded password to connect to the database. What is the most secure alternative?

A.Change the password manually every week.
B.Store the password in an environment variable.
C.Replace the password with SSH key authentication.
D.Retrieve the password from a secrets management service at runtime.
E.Use a more complex password.
AnswerD

Secrets management (e.g., HashiCorp Vault) provides secure, audited access to credentials.

Why this answer

Option D is correct because using a secrets management solution centrally stores and rotates credentials, avoiding hardcoding. Option A (complex password) is still hardcoded; B (SSH keys) work for remote servers, not DB authentication; C (changing password manually) is not automated; E (using environment variables) is better but still exposed in process memory.

58
MCQmedium

A company uses virtual machines for development. To ensure isolation between VMs on the same host, which control is most important?

A.Antivirus on each VM
B.Hypervisor patching
C.Strong passwords for VM consoles
D.Virtual network segmentation
AnswerD

Network segmentation isolates traffic between VMs.

Why this answer

Virtual network segmentation prevents VM-to-VM attacks by isolating traffic. Hypervisor patching is important for security but does not directly provide isolation. Strong passwords protect console access but not network traffic.

Antivirus protects within each VM but not between them.

59
MCQeasy

An employee receives an email with an attachment claiming to be an invoice but contains a macro virus. What control would have blocked this?

A.User awareness training
B.Email attachment scanning
C.Spam filter
D.Macro security settings in Office
AnswerD

Macro settings can disable or restrict macro execution.

Why this answer

Macro security settings in Office can disable macros or require signed macros, preventing execution. Spam filter may not detect targeted phishing. Attachment scanning may miss zero-day variants.

User training reduces risk but does not technically block.

60
MCQhard

A security engineer needs to select a hashing algorithm for storing user passwords in a database. Which of the following is the most secure choice?

A.SHA-256
B.MD5
C.bcrypt
D.SHA-1
E.PBKDF2
AnswerC

bcrypt is designed for password hashing, includes salt, and is deliberately slow.

Why this answer

Option D is correct because bcrypt is specifically designed for password hashing with a cost factor to resist brute-force. Option A (MD5) is broken; B (SHA-1) is weak; C (SHA-256) is fast and suitable for integrity, not passwords; E (PBKDF2) is also good, but bcrypt is often preferred due to built-in salt and adaptive cost.

61
MCQmedium

Refer to the exhibit. A security analyst reviews the firewall configuration for a Windows workstation on a private network. What is the MOST significant weakness?

A.Inbound connections are set to Block by default
B.Default outbound connections are set to Allow, potentially allowing malware to communicate out
C.The rule 'RDP (UDP-In)' is set to Block and enabled, which blocks legitimate RDP traffic
D.The rule 'File and Printer Sharing (Echo Req)' is disabled, preventing network discovery
AnswerB

Allowing all outbound by default is a security weakness.

Why this answer

Option B is correct because Remote Desktop (TCP-In) rule is disabled (Enabled: No), so RDP is not allowed in, which might be intended but the issue is that the rule 'RDP (UDP-In)' is set to Block and Enabled: Yes, which blocks UDP RDP traffic. However, the question asks for 'most significant weakness'. The configuration shows inbound connections are blocked by default, but the RDP (UDP-In) rule is blocking UDP RDP.

This could be a problem if RDP is needed. But option B points out that the rule for UDP RDP is blocking, which might block legitimate traffic if RDP uses UDP. Actually, the exhibit shows 'RDP (UDP-In) Block Yes' meaning it is blocking UDP RDP.

Option A is incorrect because the default inbound is block, which is good. Option C is correct? Wait, let's analyze: The weakness is that outbound connections are allowed by default, which is typical but could be a weakness if not controlled. Option D is incorrect because File and Printer Sharing rule is disabled, which is good for security.

The most significant weakness is allowing all outbound connections by default, which could allow malware to communicate out. Option C says 'Default outbound connections are set to Allow, potentially allowing malware to communicate out.' That is a common weakness. Option B is also plausible but blocking UDP RDP might be intentional.

However, many organizations block UDP RDP to prevent vulnerabilities. But outbound allow is a bigger concern. So I'll go with C.

But to align with typical exam, outbound allow default is a common weakness. So option C is correct.

62
MCQmedium

A security analyst notices that a web application is vulnerable to SQL injection. The application uses parameterized queries for most inputs but concatenates user input directly into a query for a legacy module. Which is the BEST immediate remediation?

A.Disable the legacy module until a full rewrite is completed.
B.Rewrite the legacy module to use parameterized queries.
C.Deploy a web application firewall (WAF) to block SQL injection patterns.
D.Implement input validation to reject special characters.
AnswerB

Parameterized queries prevent SQL injection by separating code from data.

Why this answer

Option B is correct because parameterized queries (prepared statements) are the definitive defense against SQL injection, as they separate SQL logic from user data by design. Rewriting the legacy module to use parameterized queries eliminates the root cause of the vulnerability at the code level, ensuring that user input is never concatenated into the SQL statement. This is the most secure and permanent fix, as it directly addresses the injection point in the application layer.

Exam trap

ISC2 often tests the misconception that a WAF or input validation is sufficient to prevent SQL injection, but the trap here is that only parameterized queries (or stored procedures with parameterized calls) eliminate the vulnerability at the code level, making them the best immediate remediation over compensating controls.

How to eliminate wrong answers

Option A is wrong because disabling the legacy module is a reactive, temporary workaround that disrupts business functionality and does not fix the underlying insecure coding practice; it should only be considered if the module cannot be secured immediately, but the question asks for the 'best immediate remediation,' which is a permanent code fix. Option C is wrong because a WAF is a compensating control that can be bypassed with advanced SQL injection techniques (e.g., encoding, out-of-band attacks) and does not address the root cause; it should be used as a defense-in-depth layer, not as a primary remediation. Option D is wrong because input validation (e.g., rejecting special characters) is unreliable and can be circumvented by attackers using alternative injection vectors (e.g., numeric fields, second-order injection) and may break legitimate input; it is not a substitute for parameterized queries.

63
Multi-Selectmedium

Which TWO of the following are essential components of a secure configuration baseline for a new server deployment?

Select 2 answers
A.Disable all unnecessary services and ports
B.Apply the latest security patches to the operating system
C.Enable only error logging, not audit logging
D.Assign the same strong password to all local accounts
E.Use default passwords for all service accounts
AnswersA, B

Reduces attack surface.

Why this answer

Options B and D are correct. Disabling unused services reduces attack surface, and applying the latest patches closes known vulnerabilities. Option A is wrong because default passwords are insecure and should be changed.

Option C is wrong because logging can be disabled but it is often needed for monitoring; keeping logs is generally recommended. Option E is wrong because using a single password for all accounts violates least privilege.

64
MCQhard

A company runs a critical web application on an internal server that authenticates users against a Microsoft SQL Server database. The application was developed by a vendor that is no longer in business, and the source code is unavailable. The current authentication process stores user passwords using reversible encryption. The security team has identified this as a high-risk vulnerability. They propose implementing a database-level trigger that hashes the password column during INSERT and UPDATE operations, and modifying the application's stored procedures to compare hashed values during login. However, after implementation, users report that they cannot log in. The authentication logs show that the password comparison always fails. The database administrator confirms that the trigger is working and that new user registrations store the SHA-256 hash. What is the most likely cause of the login failures?

A.The trigger does not hash the password during UPDATE operations that are performed by the same user.
B.The application is using a different hashing algorithm than the trigger.
C.The stored procedure for login is still comparing the plain-text password with the hash.
D.The trigger hashes the password only if the password column is part of a specific set of columns.
AnswerC

The stored procedure likely was not modified to hash the input before comparison, resulting in failure.

Why this answer

Option C is correct because the stored procedure for login likely still expects a plain-text password and compares it directly to the stored hash, causing failure. Option A is incorrect because the trigger should fire on all updates, including those by the same user. Option B is incorrect because the trigger uses SHA-256 and the stored procedure should use the same algorithm.

Option D is incorrect because the trigger should be defined on the password column.

65
Multi-Selectmedium

A system administrator is hardening a Windows server. Which two of the following are effective hardening measures? (Choose two.)

Select 2 answers
A.Disable unnecessary services
B.Set file permissions to Everyone: Full Control
C.Remove administrative shares
D.Enable guest account with strong password
E.Use Telnet for remote management
AnswersA, C

Reduces potential attack vectors.

Why this answer

Disabling unnecessary services reduces the attack surface by removing potential entry points for malware or unauthorized access. On Windows Server, services like Print Spooler or Windows Search may be disabled if not needed, as they have historically been exploited (e.g., PrintNightmare). This aligns with the principle of least functionality.

Exam trap

The trap here is that candidates may think removing administrative shares breaks legitimate management tasks, but in reality, modern tools like PowerShell Remoting or Group Policy do not rely on hidden shares, making this a safe and effective hardening step.

66
MCQmedium

A web application processes user-supplied data in SQL queries. Which practice best prevents SQL injection?

A.Parameterized queries
B.Escaping all user input
C.Using stored procedures exclusively
D.Input length validation
AnswerA

Parameterized queries ensure user input is treated as data, not code.

Why this answer

Parameterized queries (also known as prepared statements) separate SQL logic from user data by using placeholders (e.g., `?` in MySQLi or `:name` in PDO). The database engine treats the user input strictly as data, never as executable SQL code, which inherently prevents SQL injection regardless of the input content.

Exam trap

ISC2 often tests the misconception that stored procedures are inherently safe, but the trap is that they only prevent injection if they avoid dynamic SQL construction within the procedure body.

How to eliminate wrong answers

Option B is wrong because escaping all user input is error-prone and context-dependent; for example, escaping for MySQL with `mysql_real_escape_string()` can still be bypassed if the character set is mismatched (e.g., GBK encoding leading to multibyte injection). Option C is wrong because stored procedures alone do not prevent SQL injection if dynamic SQL is constructed within the procedure using concatenated user input (e.g., `EXEC('SELECT * FROM Users WHERE id = ' + @input)`). Option D is wrong because input length validation only restricts the size of input, not its malicious content; a short SQL injection payload like `' OR 1=1 --` can easily pass length checks.

67
MCQhard

A DevOps team implements a CI/CD pipeline for a web application. Which security control is BEST to ensure that only properly reviewed code reaches production?

A.Run static application security testing (SAST) in the pipeline
B.Require a manual approval gate before deployment
C.Run automated unit tests and integration tests
D.Implement code signing for all artifacts
AnswerB

Ensures human review of code changes, catching issues automation might miss.

Why this answer

Option B is correct because requiring manual approval in the pipeline ensures a human has reviewed the code before it proceeds. Option A is wrong because automated tests are important but may miss logic flaws. Option C is wrong because code signing ensures integrity but not review.

Option D is wrong because static analysis is automated and may produce false positives; it does not replace human review.

68
MCQhard

A security analyst reviews logs and finds that an attacker exploited a vulnerability in a web application to read arbitrary files from the server. The application runs on Apache with mod_php. Which of the following is the MOST likely vulnerability?

A.XML External Entity (XXE) vulnerability.
B.Remote File Inclusion (RFI) vulnerability.
C.Server-Side Request Forgery (SSRF) vulnerability.
D.Local File Inclusion (LFI) vulnerability in a PHP include statement.
AnswerD

LFI allows reading local files via path traversal.

Why this answer

The correct answer is D because the scenario describes reading arbitrary files from the server, which is the hallmark of a Local File Inclusion (LFI) vulnerability. In a PHP application using include statements, an attacker can manipulate a file path parameter (e.g., `?page=../../etc/passwd`) to include and read local files, exploiting the server's filesystem access. Apache with mod_php is particularly susceptible to LFI when user input is not sanitized before being passed to functions like `include()` or `require()`.

Exam trap

The trap here is that candidates confuse LFI with RFI because both involve file inclusion, but the key distinction is that LFI reads local files from the server, while RFI requires remote file inclusion, which is less common and often blocked by default PHP settings.

How to eliminate wrong answers

Option A is wrong because XML External Entity (XXE) exploits XML parsers to read files or perform SSRF, but the scenario does not mention XML processing or a parser; it focuses on a PHP include statement, making XXE an unlikely vector. Option B is wrong because Remote File Inclusion (RFI) involves including remote files from external servers (e.g., via HTTP), which requires `allow_url_include` to be enabled—a rare configuration—and the question specifies reading arbitrary files from the server, not remote hosts. Option C is wrong because Server-Side Request Forgery (SSRF) forces the server to make requests to internal or external resources, but it does not directly read arbitrary files via PHP include; it is more about accessing internal services or performing port scans.

69
MCQmedium

A software development team is implementing input validation for a web application that accepts user email addresses. Which approach BEST prevents email injection attacks?

A.Whitelist allowed characters: alphanumeric, @, ., -, _
B.Blacklist known malicious email patterns
C.Set maximum email length to 100 characters
D.Rely on client-side JavaScript validation only
AnswerA

Whitelisting only safe characters prevents injection.

Why this answer

Option C is correct because whitelisting valid characters (alphanumeric, @, ., -, _) restricts input to safe characters, preventing injection of special characters used in email injection. Option A is wrong because blacklisting known malicious patterns is easily bypassed. Option B is wrong because client-side validation only is insufficient as it can be bypassed.

Option D is wrong because length limits do not prevent injection.

70
MCQhard

A medium-sized financial services company has recently deployed a new web application that processes sensitive customer data, including Social Security numbers and account balances. The security team implemented network segmentation, a web application firewall (WAF) from a reputable vendor, and quarterly vulnerability scans. The developers assert that they use parameterized queries for all database calls in the main application code. During a recent penetration test, testers successfully exploited a SQL injection vulnerability, extracting the entire customer database. Further investigation reveals that the main application indeed uses parameterized queries, but a third-party reporting module, integrated to generate compliance reports, constructs SQL queries by concatenating user-supplied date range inputs directly into SQL strings. The WAF is configured with a generic rule set and has not been tuned to the application's specific traffic patterns. What is the most effective course of action to remediate this vulnerability and prevent future occurrences?

A.Replace the third-party reporting module with an alternative that uses parameterized queries.
B.Implement strict input validation to sanitize user-supplied date inputs.
C.Increase the frequency of vulnerability scans from quarterly to monthly.
D.Configure the WAF to block SQL injection patterns with custom rules.
AnswerA

This directly removes the vulnerable coding practice (concatenation) and replaces it with a secure method, permanently fixing the SQL injection flaw.

Why this answer

The root cause is the third-party module's insecure query construction. Replacing it with a module that uses parameterized queries directly eliminates the vulnerability at its source. Input validation (A) is a defense-in-depth measure but not sufficient if concatenation is still used.

Increasing scan frequency (C) does not fix the underlying issue. Configuring the WAF (D) provides a layer of defense but can be bypassed and is not as reliable as eliminating the vulnerable code.

71
MCQeasy

Refer to the exhibit. An IAM policy includes the following statement: 'Effect': 'Allow', 'Action': ['s3:ListBucket','s3:GetObject'], 'Resource': 'arn:aws:s3:::example-bucket/*'. What does this policy allow?

A.List objects and read objects in example-bucket
B.Full access to all S3 buckets
C.Delete objects from example-bucket
D.Write objects to example-bucket
AnswerA

ListBucket and GetObject provide list and read.

Why this answer

ListBucket allows listing objects, GetObject allows reading objects. It does not allow write or delete. The resource is specific to example-bucket.

72
Multi-Selecthard

Which THREE of the following are types of application security testing that should be included in a secure SDLC?

Select 3 answers
A.Static application security testing (SAST)
B.Penetration testing
C.User acceptance testing (UAT)
D.Dynamic application security testing (DAST)
E.Load testing
AnswersA, B, D

Analyzes source code for vulnerabilities.

Why this answer

Options A, C, and E are correct. SAST (Static Application Security Testing) analyzes source code, DAST (Dynamic Application Security Testing) tests running applications, and penetration testing simulates real attacks. Option B is wrong because UAT is for functional validation, not security.

Option D is wrong because load testing is for performance, not security.

73
Multi-Selecthard

Which three of the following are best practices for securing a database? (Choose three.)

Select 3 answers
A.Encrypt sensitive data at rest
B.Use default passwords for database accounts
C.Implement row-level security
D.Apply the principle of least privilege for database users
E.Enable public access to the database
AnswersA, C, D

Protects data if storage is compromised.

Why this answer

Encrypting sensitive data at rest protects confidentiality. Row-level security restricts access to specific rows. Least privilege limits user permissions.

Default passwords are insecure. Public access exposes the database.

74
MCQmedium

A company deploys a web application that processes credit card payments. The development team uses parameterized queries for all database interactions. However, during a penetration test, the tester successfully injects malicious code into a search field and retrieves sensitive customer data. Which of the following is the most likely cause?

A.The application uses dynamic SQL despite parameterized queries for some fields.
B.The web server is misconfigured to allow directory traversal.
C.The database server has weak permissions allowing direct query execution.
D.The search field output is not sanitized, allowing stored XSS.
AnswerA

Dynamic SQL in the search field bypasses the parameterized queries used elsewhere, allowing injection.

Why this answer

Option A is correct because the use of parameterized queries prevents SQL injection, but if dynamic SQL is constructed elsewhere in the application (e.g., for the search field), it can still be vulnerable. Option B is incorrect because XSS affects client-side execution, not direct data retrieval from the database. Option C is incorrect because direct query execution would require explicit permissions beyond the application's context.

Option D is incorrect because directory traversal exploits file system access, not database query injection.

75
MCQeasy

A critical vulnerability is discovered in an application currently in use. What should be done first?

A.Notify users to stop using the application
B.Disable the application until patch is ready
C.Deploy the patch immediately to all systems
D.Test the patch in a non-production environment
AnswerD

Testing verifies patch stability before production rollout.

Why this answer

Testing the patch in a non-production environment ensures it does not break functionality before deployment. Immediate deployment risks downtime. Disabling the application or notifying users are reactive steps, not the first.

Page 1 of 2 · 76 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Systems App Security questions.