CompTIA Security + Mock

Question 1

Physical Security Controls

Answer 1

1. Lighting
2. Fencing/Bollards/Barricades
3. Access control vestibules
4. Security guards

Question 2

Detective Security Controls

Answer 2

1. Log monitoring
2. Security audits
3. Vulnerability scanning
4. CCTV
5. IDS

Question 3

Compensating Security Controls

Answer 3

1. Backup power systems
2. Application sandboxing
3. MFA
4. Network segmentation

Question 4

Non-Repudiation

Answer 4

“The term ‘non-repudiation’ describes the inability to deny responsibility for performing a specific action. In the context of data security, non-repudiation provides proof of data origin and integrity, ensuring that a sender cannot later deny having sent a message or taken an action. However, it does not directly ensure data confidentiality—that is the role of encryption.”

Question 5

2 components within the AAA Functionality

Answer 5

1. TACACS+
2. RADIUS

Question 6

Which of the answers listed below refers to a Zero Trust Control Plane security approach that takes into account user identity, device security, network conditions, and other contextual information to enable dynamic access decisions?

Implicit trust, Adaptive identity or Monitoring and logging ?

Answer 6

Adaptive Identity

A security approach that adjusts authentication requirements (like passwords or multi-factor checks) based on risk factors such as user behaviour, location, or device. It provides stronger security for suspicious logins while reducing friction for normal access.

Analogy: Adaptive Identity is like a bouncer who only checks your ID if you act suspicious—otherwise, you walk right in.

Question 7

A hierarchical system for the creation, management, storage, distribution, and revocation of digital certificates is known as:

PKI, CA or RA ?

Answer 7

PKI (Public Key Infrastructure)

A system that manages digital certificates and public-key encryption to securely exchange data over networks. It verifies identities (like websites or users) and ensures encrypted communication.

Analogy: PKI is like a digital passport office—it issues IDs (certificates) and checks them to confirm who’s trustworthy.

Question 8

What is the typical use of a public key?

Data decryption, User/device authentication or Data encryption ?

Answer 8

Data Encryption

The process of converting readable data (plaintext) into scrambled code (cipher-text) to protect it from unauthorised access, ensuring only those with the correct key can decrypt and read it.

Analogy: Data encryption is like a secret language only people with the right “decoder ring” (key) can understand the message.

Question 9

Key Escrow

Answer 9

Key Escrow

A system where encryption keys are securely stored with a trusted third party (like a government or company) to allow authorised recovery of encrypted data if needed, such as for legal investigations.
Analogy: Key escrow is like leaving your house keys with a trusted neighbour—only used in emergencies when you can’t access your home (data) yourself.

Question 10

EFS

Answer 10

EFS (Encrypting File System)

A Windows feature that provides file-level encryption to protect sensitive data on NTFS drives, allowing only authorised users to access the encrypted files.

Analogy: EFS is like a personal safe built into your desk—only you have the key to open and view its contents, even if someone gains access to your computer.

Question 11

Which of the following software application tools are specifically designed for implementing encryption algorithms to secure data communication and storage? (Select 2 answers)

VPN, GPG, SSH, IPsec or PGP ?

Answer 11

GPG (GNU Privacy Guard)

A free and open-source encryption tool that uses public-key cryptography to secure emails, files, and digital signatures, ensuring privacy and authenticity. It’s the open-source version of PGP, following the same standards.

Analogy: GPG is like a community-built lockbox—anyone can use it for free, and it works just as well as the brand-name version (PGP).

PGP (Pretty Good Privacy)

A widely-used encryption program for securing emails and files by combining symmetric and asymmetric encryption, along with digital signatures for verification. Originally proprietary, now owned by Symantec.

Analogy: PGP is like the original patented lockbox—it set the standard, but you might pay for extra features.

Question 12

Which of the answers listed below refers to a deprecated TLS-based method for secure transmission of email messages?

S/MIME, STARTTLS, DKIM or SMTPS ?

Answer 12

SMTPS (Simple Mail Transfer Protocol Secure)

A secure version of SMTP that encrypts email transmissions using SSL/TLS, preventing eavesdropping or tampering during delivery. It ensures emails are sent safely over the internet.

Analogy: SMTPS is like sending a letter in a locked armored truck instead of a clear envelope—no one can peek at it in transit.

Question 13

Which of the following answers refers to an obsolete protocol used for secure data transfer over the web?

SMTPS, SRTP, SHTTP, S/MIME ?

Answer 13

SHTTP (Secure Hypertext Transfer Protocol)

An older protocol designed to encrypt HTTP web traffic individually for each page or transaction, unlike HTTPS which secures the entire connection. It provided granular security but is now obsolete.

Analogy: SHTTP is like sealing only specific letters in an envelope—while HTTPS wraps the entire package in tamper-proof tape.

Question 14

Which protocol enables secure, real-time delivery of audio and video over an IP network?

S/MIME, RTP, SIP or SRTP ?

Answer 14

SRTP (Secure Real-time Transport Protocol)

A security extension for RTP (Real-time Transport Protocol) that encrypts voice/video data (e.g., VoIP calls) to prevent eavesdropping, tampering, or replay attacks.

Analogy: SRTP is like a scrambled satellite feed—only authorised receivers (with the right decryption key) can watch the broadcast clearly.

Question 15

A security protocol designed to improve the security of existing WEP implementations is known as:

WPA2, RC4, CCMP or TKIP ?

Answer 15

TKIP (Temporal Key Integrity Protocol)

A security protocol created to replace WEP encryption in Wi-Fi networks, providing stronger encryption (via dynamic keys) and protection against attacks like packet forgery.

Analogy: TKIP is like a constantly changing lock on your Wi-Fi door—hackers can’t pick it because the key resets every few minutes.

Question 16

Which of the following answers refer(s) to deprecated/insecure encryption protocols and cryptographic hash functions? (Select all that apply)

DES, AES-256, MD5, ECC, SHA-1, SSL or RC4 ?

Answer 16

1. DES (Data Encryption Standard)
2. MD5 (Message Digest Algorithm 5)
3. SHA1 (Secure Hash Algorithm 1)
4. SSL (Secure Sockets Layer)
5. RC4 (Rivest Cipher 4)

Question 17

Symmetric Ciphers

Answer 17

AES (Advanced Encryption Standard)

DES (Data Encryption Standard)

IDEA (International Data Encryption Algorithm)

RC4 (Rivest Cipher 4)

Question 18

Asymmetric Encryption

Answer 18

DHE (Diffie-Hellman Ephemeral)

ECC (Elliptic Curve Cryptography)

RSA (Rivest-Shamir-Adleman)

Question 19

Which of the answers listed below refers to a shared secret authentication method used in WPA, WPA2, and EAP?

PSK, 802.1X, SAE or TKIP ?

Answer 19

PSK (Pre-Shared Key)

A symmetric encryption method where a secret key is shared between parties in advance to authenticate and secure communications (e.g., Wi-Fi passwords, VPNs). Simple but lacks forward secrecy.

Analogy: PSK is like a secret club password—everyone uses the same one, and if it leaks, the whole group is compromised.

Question 20

Which of the answers listed below refers to a solution designed to strengthen the security of session keys?

ECB, PFS, EFS or PFX ?

Answer 20

PFS (Perfect Forward Secrecy)

A security feature that ensures session keys are temporary and not derived from a long-term master key, so even if a server’s private key is compromised, past communications remain secure.

Analogy: PFS is like using self-destructing messages—each conversation has its own unique lock, and throwing away the key afterward means no one can decrypt old chats, even if they hack you later.

Question 21

Which of the following answers refers to a public-key cryptosystem used for digital signatures, secure key exchange, and encryption?

ECC, RSA, PKI, or DSA ?

Answer 21

RSA (Rivest-Shamir-Adleman)

A widely-used public-key cryptosystem for encryption and digital signatures, relying on the mathematical difficulty of factoring large prime numbers. It’s the backbone of SSL/TLS, SSH, and PGP.

Analogy: RSA is like a heavyweight safe—it’s trusted and durable, but requires more muscle (computing power) to lock/unlock compared to modern alternatives.

Question 22

Which of the cryptographic algorithms listed below is the least vulnerable to attacks?

AES, DES, RC4, or 3DES ?

Answer 22

AES (Advanced Encryption Standard)

A symmetric encryption algorithm adopted by the U.S. government and used worldwide to secure classified and sensitive data. It operates on fixed block sizes (128 bits) and supports key lengths of 128, 192, or 256 bits.

Analogy: AES is like a bank vault—virtually impenetrable when properly configured, trusted by everyone from corporations to governments.

Question 23

Which of the answers listed below refers to a deprecated stream cipher used in some legacy applications, such as WEP?

RSA, DES, SSL or RC4 ?

Answer 23

RC4 (Rivest Cipher 4)

A stream cipher once widely used in WEP (Wi-Fi), SSL/TLS, and Microsoft products, now deprecated due to critical vulnerabilities that leak plaintext data.

Analogy: RC4 is like a broken faucet—no matter how you adjust it, secrets drip out.

Question 24

Which of the following answers refers to an embedded microcontroller used for secure boot, disk encryption, and system integrity verification?

TPM, SoC, UEFI or HSM ?

Answer 24

TPM (Trusted Platform Module)

A dedicated hardware chip (or firmware) that securely stores cryptographic keys, passwords, and certificates to verify system integrity and enable features like disk encryption (BitLocker) or secure boot.

Analogy: TPM is like a vault built into your computer’s motherboard—only it can unlock critical security features, making theft or tampering futile.

Question 25

Which of the following combines a cryptographic hash function with a secret key to provide a means of verifying both the authenticity and integrity of a message or data? MD5, DSA, HMAC or DES ?

Answer 25

HMAC (Hash-based Message Authentication Code) A cryptographic technique that combines a secret key with a hash function (like SHA-256) to verify both data integrity and authenticity—ensuring a message wasn’t altered and came from a trusted source. Analogy: HMAC is like a wax seal with a hidden signature—if the seal is broken or the signature doesn’t match, you know the message was tampered with.

Question 26

Which of the answers listed below refers to a non-cryptographic hash function often used for error-checking purposes? MD5, CRC, SHA or RIPEMD ?

Answer 26

CRC (Cyclic Redundancy Check) A simple error-detection code used to catch accidental changes in raw data (e.g., file transfers, network packets, storage), but not designed for security against intentional tampering. Analogy: CRC is like a typo-checker in a text message—it can spot a random error but can’t stop someone maliciously editing the words.

Question 27

DSA ?

Answer 27

DSA (Digital Signature Algorithm) A U.S. government standard for digital signatures (FIPS 186-4) that uses modular exponentiation to verify authenticity/integrity of messages. Slower than ECDSA and requires exact hash length matching. Analogy: DSA is like a notary stamping paper documents—proves who signed it and that it’s unaltered, but slower than modern e-signatures. 1. Asymmetric algorithm. 2. Provides authentication, integrity, and non-repudiation. 3. Specifically designed for creating and verifying digital signatures.

Question 28

RSA

Answer 28

RSA (Rivest-Shamir-Adleman) A foundational public-key cryptosystem used for encryption, digital signatures, and key exchange. Relies on the mathematical difficulty of factoring large prime numbers. Analogy: RSA is like a heavyweight bank vault—extremely secure if built correctly, but slower and bulkier than modern alternatives. 1. Asymmetric encryption algorithm. 2. A public key used for encryption and a private key used for decryption. 3. Used for secure communications, digital signatures, and key exchange

Question 29

Given the computational limitations of IoT devices, smartcards, and mobile devices, which of the following digital signature algorithms would be the most efficient choice due to its smaller key size and lower processing requirements? RSA, ECDHE, DSA, ECDSA or ECC ?

Answer 29

ECDSA (Elliptic Curve Digital Signature Algorithm) A modern digital signature scheme using elliptic curve cryptography (ECC) to provide stronger security with smaller keys than RSA or DSA. Analogy: ECDSA is like a high-tech wax seal—tiny but impossible to forge, using math magic (elliptic curves) instead of bulky traditional locks.

Question 30

Which of the following is an example of a key stretching algorithm? RIPEMD, SHA, HMAC or PBKDF2 ?

Answer 30

PBKDF2 (Password-Based Key Derivation Function 2) A key-stretching algorithm that strengthens weak passwords by applying a hash function (like SHA-256) thousands of times, adding "salt" to thwart rainbow table attacks. Analogy: PBKDF2 is like a chef repeatedly folding dough (hashing) with secret spices (salt)—making it harder to reverse-engineer the original recipe (password).

Question 31

Blockchain technology is an example of: A. Online payment gateway B. Centralised database C. Open public ledger D. Cloud storage system

Answer 31

Open Public Ledger A decentralised, transparent record-keeping system (like blockchain) where transactions/data are visible to everyone and verified by consensus, not a central authority. Analogy: An open public ledger is like a shared Google Doc—everyone can see the edits (transactions), but no single person controls it, and tampering is obvious.

Question 32

Which digital certificate type allows to secure multiple domain names or subdomains with a single certificate? A. Extended Validation (EV) certificate B. Wildcard certificate C. Subject Alternative Name (SAN) certificate D. Root signing certificate

Answer 32

Subject Alternative Name (SAN) Certificate A type of SSL/TLS certificate that secures multiple domain names (e.g., example.com, mail.example.com, *.example.net) under a single certificate by listing them in the SAN field. Analogy: A SAN certificate is like a master key that opens multiple doors (domains)—instead of carrying separate keys for each lock.

Question 33

Which of the following terms is used to describe sophisticated and prolonged cyberattacks often carried out by well-funded and organised groups, such as nation-states? MitM, APT, XSRF or DDoS ?

Answer 33

APT (Advanced Persistent Threat) A stealthy, long-term cyberattack by highly skilled hackers (often nation-states) targeting specific organizations to steal data or disrupt operations. APTs use custom malware, zero-day exploits, and social engineering to evade detection. Analogy: An APT is like a spy infiltrating a company—gathering intel for years while hiding in plain sight.

Question 34

Client-based software threat vectors

Answer 34

1. Drive-by download via web browser 2. Malicious macro 3. USB-based attack 4. Infected executable file 5. Malicious attachment in email application

Question 35

Agentless software threat vectors

Answer 35

1. Network protocol vulnerability 2. Packet sniffing

Question 36

Exploiting known vulnerability is a common threat vector for: A. Legacy systems/apps B. Unsupported systems/apps C. Newly released systems/apps D. Systems/apps with zero-day vulnerability

Answer 36

Unsupported systems/apps

Question 37

A solution that simplifies configuration of new wireless networks by allowing non-technical users to easily configure network security settings and add new devices to an existing network is called: WPA, WPS, WEP or WAP ?

Answer 37

WPS (Wi-Fi Protected Setup) A network security standard designed to simplify Wi-Fi connections for home users, but notoriously vulnerable to brute-force attacks due to flawed design. Analogy: WPS is like a shortcut button on your router—convenient but so poorly designed that burglars can guess the code in hours.

Question 38

Wireless technologies that are considered potential threat vectors and should be avoided due to their known vulnerabilities

Answer 38

WPS (Wi-Fi Protected Setup) A convenience feature for easy Wi-Fi connections (via PIN or button press), but critically flawed—PINs can be brute-forced in hours. Analogy: WPS is like a weak luggage lock—convenient but easily picked, leaving your network exposed. WPA (Wi-Fi Protected Access) The replacement for WEP, introducing TKIP encryption and dynamic keys. Better than WEP but now obsolete due to vulnerabilities. Analogy: WPA is like upgrading from a screen door to a wooden one—stronger, but still kickable. WPA2 The long-time security standard (2004–2018) using AES-CCMP encryption. Secure if configured properly, but vulnerable to KRACK attacks (2017). Analogy: WPA2 is like a solid deadbolt—reliable for years, but pickable with advanced tools. WEP (Wired Equivalent Privacy) The original (1997) and catastrophically broken Wi-Fi encryption. Crackable in minutes with tools like Aircrack-ng. Analogy: WEP is like a padlock with a keyhole on both sides—useless against even amateur hackers. | Protocol | Encryption | Status | Key Flaw |

Question 39

Common threat vectors that apply to MSPs, vendors, and suppliers in the supply chain

Answer 39

1. Propagation of malware 2. Social engineering techniques

Question 40

BEC (Business Email Compromise) Attack A sophisticated scam where attackers impersonate executives, vendors, or trusted partners to trick employees into wiring money, sharing sensitive data, or changing payment details—costing businesses billions annually. Analogy: BEC is like a con artist forging a CEO’s signature on a fake invoice—no malware needed, just psychological manipulation. A BEC attack is an example of:

Answer 40

1. Phishing 2. Pharming

Question 41

A type of exploit in which an application overwrites the contents of a memory area it should not have access to is called: A. DLL injection B. Buffer overflow C. Memory leak D. Privilege escalation

Answer 41

Buffer Overflow Attack A cyberattack where hackers exploit poorly coded programs by flooding a memory buffer with more data than it can hold, overwriting adjacent memory to crash systems or execute malicious code. Analogy: A buffer overflow is like pouring a gallon of water into a cup—the excess spills into nearby areas (memory), damaging whatever’s there or triggering unintended actions.

Question 42

A malfunction in a preprogrammed sequential access to a shared resource is described as: A. Race condition B. Concurrency error C. Multithreading D. Synchronisation error

Answer 42

Race Condition Attack A vulnerability where a system’s output depends on the unpredictable timing of events (e.g., two threads/processes accessing shared resources simultaneously), allowing attackers to exploit delays and manipulate outcomes. Analogy: A race condition is like two people trying to withdraw cash from the same bank account at the same time—the system might let both succeed, overdrawing the account.

Question 43

Cross-site scripting attack

Answer 43

A. Exploits the trust a user's web browser has in a website B. A malicious script is injected into a trusted website C. User's browser executes attacker's script

Question 44

Bloatware

Answer 44

A. Pre-installed on a device by the device manufacturer or retailer. B. Generally considered undesirable due to negative impact on system performance. C. Installed without user consent.

Question 45

Computer Virus

Answer 45

A. A self-replicating computer program containing malicious segment. B. Malware that typically requires its host application to be run to make the virus active. C. Malicious code that typically attaches itself to an application program or other executable component.

Question 46

Remapping a domain name to a rogue IP address is an example of what kind of exploit? A. URL hijacking B. DNS cache poisoning C. Domain hijacking D. ARP poisoning

Answer 46

DNS Cache Poisoning (DNS Spoofing) A cyberattack where hackers corrupt a DNS server’s cache with fake records, redirecting users to malicious sites (e.g., phishing pages) instead of legitimate ones. Analogy: DNS cache poisoning is like tampering with a phonebook—when you look up a business, you’re given a fake number that sends you to a scammer.

Question 47

A wireless disassociation attack is a type of:

Answer 47

Deauthentication Attack (Deauth Attack) A wireless attack that forcibly disconnects devices from a Wi-Fi network by flooding them with fake "deauth" frames, exploiting a design flaw in the 802.11 (Wi-Fi) protocol. Analogy: A deauth attack is like jamming a walkie-talkie channel with static—legitimate users get kicked off and can’t communicate. DoS (Denial of Service) Attack A cyberattack that overwhelms a target system (server, network, or device) with excessive traffic or requests, rendering it unavailable to legitimate users. Analogy: A DoS attack is like a mob flooding a store’s entrance—real customers can’t get in, and business grinds to a halt.

Question 48

Characteristic features of a session ID ?

Answer 48

1. Enables the server to identify the session and retrieve the corresponding session data. 2. A unique identifier assigned by the website to a specific user. 3. A piece of data that can be stored in a cookie, or embedded as a URL parameter. 4. Stored on the client side (in the user's browser) and sent to the server with each request.

Question 49

CSRF/XSRF Attack

Answer 49

1. Exploits the trust a website has in the user's web browser. 2. A user is tricked by an attacker into submitting unauthorised web requests. 3. Website executes attacker's requests.

Question 50

A dot-dot-slash attack is also referred to as: A. Disassociation attack B. On-path attack C. Directory traversal attack D. Downgrade attack

Answer 50

Directory Traversal Attack (Path Traversal) A web attack where hackers exploit poor input validation to access files/directories outside the server’s intended root folder (e.g., /etc/passwd, C:\Windows\system.ini). Analogy: Directory traversal is like tricking a librarian into fetching books from the "staff only" archive—using sneaky path tricks (../).

Question 51

Hash Collision

Answer 51

Hash Collision Attack A cryptographic attack where two different inputs produce the same hash output, allowing attackers to forge data, break authentication, or compromise digital signatures. Analogy: A hash collision is like two different keys opening the same lock—defeating the purpose of unique identifiers.

Question 52

Which cryptographic attack relies on the concepts of probability theory? A. Brute-force B. KPA C. Dictionary D. Birthday

Answer 52

Birthday Attack A cryptographic attack that exploits the birthday paradox to find hash collisions faster than brute force. It reduces the effort needed to create two different inputs with the same hash output (e.g., for forged signatures or malicious files). Analogy: A birthday attack is like searching a crowded room for two people with the same birthday—it’s surprisingly easier than checking every pair individually.

Question 53

A type of forensic evidence that can be used to detect unauthorised access attempts or other malicious activities is called: A. CVE B. IoC C. AIS D. OSINT

Answer 53

IoC (Indicators of Compromise) Clues or evidence that a system may have been breached, such as unusual network traffic, suspicious files, or abnormal login attempts. These "digital footprints" help detect and investigate cyberattacks. Analogy: IoCs are like crime scene evidence—strange fingerprints (log entries), broken locks (vulnerabilities), or stolen items (data exfiltration) that signal an intruder was present.

Question 54

Which of the following provides granular control over user access to specific network segments and resources based on their assigned roles and permissions? A. EDR B. IAM C. AAA D. IPS

Answer 54

IAM (Identity and Access Management) A security framework that ensures the right users (people, devices, or applications) have the right access to the right resources at the right time—while keeping unauthorised entities out. Analogy: IAM is like a high-tech bouncer—it checks IDs (authentication), decides who gets into which rooms (authorisation), and revokes access when the party’s over.

Question 55

Which of the following acronyms refers to a set of rules that specify which users or system processes are granted access to objects as well as what operations are allowed on a given object? A. ACL B. MFA C. NAC D. AUP

Answer 55

ACL (Access Control List) A security mechanism that explicitly defines which users, systems, or processes can access specific resources (files, networks, devices) and what operations they can perform. Analogy: An ACL is like a bouncer with a detailed checklist—it checks your ID (identity) against strict rules before letting you enter (access).

Question 56

A rule-based access control mechanism implemented on routers, switches, and firewalls is referred to as: A. MAC B. AUP C. DAC D. ACL

Answer 56

ACL (Access Control List) A security mechanism that explicitly defines which users, systems, or processes can access specific resources (files, networks, devices) and what operations they can perform. Analogy: An ACL is like a bouncer with a detailed checklist—it checks your ID (identity) against strict rules before letting you enter (access).

Question 57

Which of the following policies applies to any requests that fall outside the criteria defined in an ACL? A. Fair access policy B. Implicit deny policy C. Transitive trust D. Context-aware authentication

Answer 57

Implicit Deny Policy A security principle where access to a resource is automatically denied unless explicitly allowed by a rule. It acts as a final "catch-all" to block unauthorized access by default. Analogy: Implicit deny is like a high-security building—all doors are locked by default, and you only get in if your keycard (permission) is pre-approved.

Question 58

Which of the following answers does not refer to the concept of system/application isolation? A. Virtualisation B. Containerisation C. Sandboxing D. Data encryption

Answer 58

Data Encryption The process of converting plaintext (readable data) into cipher-text (scrambled data) using cryptographic algorithms and keys to protect confidentiality. Only authorised parties with the correct key can decrypt and access the original data. Analogy: Encryption is like a secret language—only those with the right "decoder ring" (key) can understand the message.

Question 59

Concept of data isolation?

Answer 59

1. DLP (Data Loss Prevention) A security strategy and tools designed to prevent unauthorised access, leakage, or theft of sensitive data (e.g., PII, financial records, intellectual property) by monitoring, detecting, and blocking risky data transfers. Analogy: DLP is like a bouncer + security scanner for your data—it checks what’s leaving the club (network) and stops VIPs (sensitive files) from sneaking out. 2. EFS (Encrypting File System) A built-in Windows feature that provides file-level encryption using symmetric (AES) and asymmetric (RSA) cryptography to protect sensitive data on NTFS drives. Analogy: EFS is like a personal safe inside your office—only you (or authorised users) have the key, even if someone steals the entire cabinet (hard drive).

Question 60

A type of document outlining the shared responsibilities between a CSP and its customers for securing and managing data and resources is known as: (Select best answer) A. Service Level Agreement B. Acceptable Use Policy C. Cloud Responsibility Matrix D. Master Service Agreement

Answer 60

Cloud Responsibility Matrix A framework that defines the division of security and operational responsibilities between a cloud provider (e.g., AWS, Azure, GCP) and the customer, based on the service model used (IaaS, PaaS, SaaS). Analogy: Renting a car vs. taking a taxi.

Question 61

Which of the terms listed below refers to a method for managing infrastructure resources through scripts and templates? IaaS, ML, IaC or SDN ?

Answer 61

IaC (Infrastructure as Code) A DevOps practice that automates the provisioning and management of infrastructure (servers, networks, cloud resources) using machine-readable definition files (code), rather than manual processes. Analogy: IaC is like baking with a recipe—instead of manually mixing ingredients each time, you write instructions (code) that a machine follows to consistently recreate the dish (infrastructure).

Question 62

Which of the following provides isolation from external computer networks? A. Network segmentation B. Air gap C. Hardware firewall D. Protected cable distribution

Answer 62

Air Gap A physical or logical isolation technique where a critical system or network is completely disconnected from unsecured environments (e.g., the internet, corporate LAN) to prevent cyberattacks. Analogy: An air gap is like keeping a priceless painting in a vault with no doors—hackers can’t touch it because there’s no path to reach it.

Question 63

Which of the following answers refers to software technology designed to simplify network infrastructure management? SaaS, SDN, VDI or SNMP ?

Answer 63

SDN (Software-Defined Networking) A networking architecture that separates the control plane (decision-making) from the data plane (packet forwarding), enabling centralised, programmable management of network traffic via software (e.g., OpenFlow). Analogy: SDN is like a smart traffic control centre—instead of fixed stoplights (traditional routers), a central brain dynamically routes cars (data) based on real-time conditions.

Question 64

Which of the following answers refers to a solution that allows multiple OSs to work simultaneously on the same hardware? A. Clustering B. Hyper-threading C. Multitasking D. Virtualisation

Answer 64

Virtualisation A technology that creates multiple simulated (virtual) environments or resources—such as servers, storage, networks, or operating systems—from a single physical hardware system. Analogy: Virtualisation is like turning one physical apartment building (server) into multiple virtual apartments (VMs), each with its own isolated utilities and tenants.

Question 65

Which of the answers listed below refers to a network of interconnected devices equipped with sensors (such as wearable tech or home automation devices) that can interact with each other to perform various tasks and functions? ICS, PAN, IoT or SoC ?

Answer 65

IoT (Internet of Things) A network of physical devices (e.g., sensors, cameras, smart appliances) embedded with software and connectivity to collect, exchange, and act on data—often with minimal human intervention. Analogy: IoT is like giving everyday objects (thermostats, fridges, streetlights) a brain and internet connection—letting them chat, learn, and automate tasks.

Question 66

Which of the following refers to a broad term that encompasses various control and automation systems used in industrial settings to control and monitor physical processes and machinery? ICS, PLC, SCADA or HMI ?

Answer 66

ICS (Industrial Control System) A specialised network of hardware and software designed to monitor and control industrial processes in critical infrastructure (e.g., power plants, water treatment, manufacturing). Analogy: ICS is the brain of a factory—sensors are its nerves, actuators are its muscles, and SCADA is its command centre.

Question 67

Which of the answers listed below refers to a specific type of ICS? SoC, CMS, SCADA or RTOS ?

Answer 67

SCADA (Supervisory Control and Data Acquisition) A centralised industrial control system (ICS) that monitors and manages critical infrastructure (power grids, water treatment, oil pipelines) by collecting real-time data from field devices (PLCs, RTUs) and enabling remote control. Analogy: SCADA is like a mission control centre—sensors (eyes/ears) report back, operators make decisions, and commands are sent to actuators (hands) to adjust physical processes.

Question 68

Embedded Systems

Answer 68

1. Often designed to operate in real-time or with low latency. 2. Typically equipped with constrained computing resources and storage. 3. Designed to perform a single task or a few closely related tasks within a larger system. 4. Often integrated with hardware components like sensors and actuators.

Question 69

Which of the following terms can be used to describe a system designed to aim for minimised downtime and uninterrupted operation? ICS, HA, RTOS or SoC ?

Answer 69

HA (High Availability) A system design approach that ensures maximum uptime and continuous operation by eliminating single points of failure, using redundancy, failover mechanisms, and automated recovery. Analogy: HA is like having a backup generator for your home—if the main power fails, the backup kicks in instantly, so you never notice the outage.

Question 70

Which of the following answers refer to passive network monitoring techniques? (Select 2 answers) A. Network tap B. Trunk port C. Port mirroring D. SNMP trap E. Registered port

Answer 70

Port Mirroring (SPAN - Switched Port Analyser) A network monitoring technique that copies traffic from one or more source ports (or VLANs) to a designated mirror port for analysis, without disrupting the original data flow. Analogy: Port mirroring is like a security camera in a store—it duplicates all activity (packets) for review, while the actual shopping (network traffic) continues uninterrupted. Network TAP (Test Access Point) A hardware device that passively captures all network traffic (including errors) by physically splitting traffic between two points, ensuring 100% visibility without affecting the original data flow. Analogy: A network TAP is like a fiber-optic splitter—it silently duplicates every passing car (data packet) for inspection, while the highway (network) keeps running at full speed.

Question 71

A type of hardened server used as a secure gateway for remote administration of devices placed in a different security zone is called: A. C2 server B. Jump server C. UC server D. Proxy server

Answer 71

Jump Server (Jump Host/Bastion Host) A hardened server that acts as a secure gateway to access and manage devices in isolated or high-risk network zones (e.g., production environments, DMZs). All access to critical systems must pass through this controlled checkpoint. Analogy: A jump server is like a security checkpoint at a high-risk facility—you must pass through guarded gates (the jump host) to reach sensitive areas (internal servers), leaving a verified audit trail.

Question 72

A computer system or an application that acts as an intermediary between another computer and the Internet is commonly referred to as: A. Bridge B. Active hub C. Server D. Proxy

Answer 72

Proxy Server An intermediary server that acts as a gateway between users and the internet, forwarding requests while masking the client’s identity or enforcing security policies. Analogy: A proxy is like a concierge—you tell it what you want (e.g., a website), and it fetches it for you, hiding your room number (IP address) from outsiders.

Question 73

In active-passive mode, load balancers distribute network traffic across: A. All servers B. Servers marked as active C. Least utilised servers D. Servers marked as passive

Answer 73

Servers marked as active

Question 74

Which of the following EAP methods offers the highest level of security? A. PEAP B. EAP-FAST C. EAP-TLS D. EAP-TTLS

Answer 74

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) A highly secure authentication protocol used in wireless (Wi-Fi) and VPN networks, leveraging X.509 digital certificates for mutual authentication between clients and servers. Analogy: EAP-TLS is like a high-security ID check—both you (client) and the bouncer (server) present unforgeable government-issued IDs (certificates) before granting access.

Question 75

Layer 4 Firewall

Answer 75

A network security system that filters traffic based on transport-layer information—source/destination IP addresses, ports, and protocols (TCP/UDP)—without inspecting the actual content of the packets. Analogy: A Layer 4 firewall is like a stadium security guard who only checks your ticket (IP/port) but doesn’t care what’s in your bag (payload). A. Filters traffic based on source/destination IP addresses, ports, and protocol types (e.g., TCP/UDP) B. Offers basic (faster) traffic filtering. C. Operates at the transport layer of the OSI model.

Question 76

Layer 7 Firewall (Application Firewall)

Answer 76

A security system that filters and controls network traffic based on application-layer data (HTTP, DNS, FTP, etc.), unlike traditional firewalls that only inspect lower layers (IP/ports). It enforces granular policies by analysing content, user behaviour, and API calls. Analogy: A Layer 7 firewall is like a bouncer who checks not just your ID (IP/port) but also your social media (application behaviour) before letting you into the club. A. Offers complex (slower) traffic filtering B. Adds the ability to inspect the contents of data packets in addition to the header information. C. Operates at the application layer of the OSI model

Question 77

Examples of protocols typically used for implementing secure VPN tunnels include: (Select all that apply)

Answer 77

IPsec (Internet Protocol Security) A suite of protocols for securing IP communications by encrypting and authenticating each packet. Used in VPNs and site-to-site tunnels. Analogy: IPsec is like an armored truck for your data—everything inside is sealed and verified before delivery. SRTP (Secure Real-time Transport Protocol) Encrypts voice/video traffic (e.g., VoIP, WebRTC) to prevent eavesdropping or tampering. Analogy: SRTP is like a scrambled radio channel—only authorised receivers can decode the stream. TLS (Transport Layer Security) Encrypts data in transit (e.g., HTTPS, email, VPNs) using asymmetric + symmetric crypto. Analogy: TLS is like a sealed envelope—only the recipient can open it. L2TP (Layer 2 Tunneling Protocol) A VPN protocol that tunnels traffic between networks but requires IPsec for encryption. Analogy: L2TP is like a subway tunnel—IPsec adds the bulletproof walls.

Question 78

Which of the answers listed below refers to a hardware or software solution providing secure remote access to networks and resources? A. NAC B. RDP C. SSH D. RAS

Answer 78

RAS (Remote Access Service) A legacy Windows service that enabled dial-up and VPN connections to a network, primarily in older NT/2000 systems. Modern equivalents use DirectAccess or Always On VPN. Analogy: RAS is like an old phone line for remote workers—functional but outdated, replaced by high-speed internet (modern VPNs).

Question 79

Which of the following answers refers to a protocol designed to secure data transmitted over WLANs? A. SCP B. IPsec C. SSH D. WTLS

Answer 79

WTLS (Wireless Transport Layer Security) A security protocol designed for WAP (Wireless Application Protocol) networks, providing encryption, authentication, and data integrity for mobile devices in pre-4G eras (e.g., early cell phones). Now obsolete, replaced by modern TLS. Analogy: WTLS is like a rusty bike lock for old flip phones—it worked in its time, but wouldn’t stop today’s thieves.