CompTIA Security+ SY0-701 Practice Exam 1 Flashcards
Which of the following types of factors could be used to describe a fingerprint-based method of logging in and authenticating to a touchscreen device?
Something you are.
Something you have.
Something you know.
Something you do.
** Answer: Something you are. **
In a vulnerability scan, a reported vulnerability that is not a vulnerability is known as which of the following?
False negative
False positive
Negative positive
Vulnerability assessment
** Answer: False positive **
“False positive” is correct. A reported vulnerability that is not a real vulnerability is known as a false positive.
You get an indicator for something, but that indicator is wrong and should not have been reported.
Which of the following statements about bug bounty programs are true? (Select two choices)
They are usually open to the public.
Companies pay people to find vulnerabilities in their software.
They are not used by reputable companies.
Discovered bugs are worth very little.
** Answer: a, b **
“Companies pay people to find vulnerabilities in their software” and “They are usually open to the public” are correct. Bug bounty programs are mechanisms where companies pay hackers to reveal the details of vulnerabilities discovered in software and/or hardware products, providing the company an opportunity to correct an issue before it is exploited for malicious purposes. Also, bug bounty programs are usually open to the public, as companies like to have as many people testing their software as possible.
When information is converted to an unreadable state using cryptography, in what form is the information?
Plaintext
Hash
Ciphertext
Message digest
** Answer: Ciphertext **
Ciphertext is a result of the encryption process; it is encrypted text.
Travis just got promoted to network administrator after the previous administrator left rather abruptly. Three new hires need onboarding with user accounts. When Travis looks at all the existing account names, he notices there is no common naming system. Where should he look to try to give the new hires user accounts with proper naming conventions?
The Sarbanes-Oxley regulation
Microsoft best practices
The company’s account policy
The most pertinent FIPS documentation
** Answer: The company’s account policy **
The company’s account policy will guide how to deal with naming systems for new user accounts.
Which of the following allows for the mixing of business and personal matters?
Segmentation
Biometrics
Authentication
Containerization
** Answer: Containerization **
Containerization divides a device into separate containers, one holding company information and the other holding personal information.
You are asked to prepare a brief for senior management about insider threats. You detail the use of data loss prevention (DLP) as a major factor in identifying and protecting against insider threats. What is the primary reason DLP can protect against these threats?
Avoiding data leakage through malware
Prevention of critical data not being backed up properly
Prevention of sensitive data being transferred in an unauthorized manner
Prevention of access to confidential data by unauthorized personnel
** Answer: Prevention of sensitive data being transferred in an unauthorized manner **
DLP is designed to prevent sensitive data from being moved into storage that could allow it to be transferred outside an organization, or to prevent sensitive data from being sent via email or other network-based transfers.
Which of the following concepts should be the most important consideration when determining how to budget properly for security controls?
Qualitative costs
Asset identification
Threat of natural disasters
Risk likelihood and impact
** Answer: Risk likelihood and impact **
“Risk likelihood and impact” is correct. The risk likelihood and impact should directly determine how much you budget for controls to prevent the occurrence of
Which is not a specific type of recovery site?
Hot site
Warm site
Cold site
Geographic site
** Answer: Geographic site **
Geographic site is not a specific type of recovery site.
What is one major disadvantage external actors have when compared to internal actors?
External actors never obtain root/administrator access.
External actors have to establish access to the systems they want to attack.
External actors have little to no funding.
External actors do not have access to zero day attacks.
** Answer: External actors have to establish access to the systems they want to attack. **
External actors have to establish access to the systems they want to attack. Internal actors are often employees or even administrators of the organization; they already have access into the organization and systems being attacked.
Your organization wants you to create and implement a policy that will detail proper use of its information systems during work hours. Which of the following is the best choice?
Due care
Acceptable-use policy
Service level agreement
Access control policies
** Answer: AUP (Acceptable-use policy) **
An acceptable-use policy details what is (and is not) acceptable for users to do during their working hours, including personal use and unacceptable activities on the company network, such as gambling and pornography.
You have received reports that several hosts in your company’s internal network are sluggish and unresponsive. After troubleshooting other items, you decide to use a sniffer to examine the network traffic coming into the host. You see that massive amounts of ICMP broadcasts are being sent on the network. The switch is having trouble processing all of this traffic, due to repeated ICMP replies, causing it to slow down. Which of the following is the most likely explanation for this?
Man-in-the-middle attack
Flood attack
Malware attack
Phishing attack
** Answer: Flood attack **
A flood is a type of network attack based upon confusing a switch with ICMP traffic.
What resides on network devices and filters traffic coming into and out of the device?
SNMP
Syslog
SMTP
ACL
** Answer: ACL **
An access control list (ACL) resides on network devices and filters traffic coming into and out of the device.
Why is time synchronization an important function for a SIEM system to perform?
All systems rely on UTC to record time.
It’s important to compare events in both local time for local events and UTC.
Rules and implementation of daylight saving time are stable and consistent.
Most companies are geographically centralized in a global market.
** Answer: It’s important to compare events in both local time for local events and UTC. **
SIEM systems can simplify the maintenance and correlation of local events to UTC.
Which of the following involves the use of rules and analytical engines to identify predetermined patterns and react to them?
Event deduplication
NAC
Standalone
Automated alerting
** Answer: Automated alerting **
Automated alerting uses rules and analytical engines to identify predetermined patterns and issue alerts or react to them.
Which of the following formal management efforts is a formalized process that involves both long-term and short-term infrastructure changes?
Patch management
Account management
Upgrade management
Change management
** Answer: Change management **
Change management is a formalized process that involves both long-term and short-term infrastructure changes, as well as configuration changes to hosts and networks.
Which of these items are considered “unsecure” protocols? (Select three choices)
HTTP
SSH
Telnet
FTP
** Answer: HTTP, Telnet, FTP **
HTTP, or Hypertext Transfer Protocol, is an unencrypted web protocol.
Because it is unencrypted, anyone with the ability to view/capture HTTP traffic can see everything sent and received in an HTTP session. FTP, or File Transfer Protocol, is an unencrypted file transfer protocol. Because it is unencrypted, anyone with the ability to view/capture the FTP session can see everything sent and received in that FTP session, including the files transferred and the contents of those files. Finally, Telnet is an unencrypted application protocol used to provide bidirectional, interactive, text-oriented communication between a client and a server. Anyone with the ability to sniff the traffic could see everything passed in the Telnet session, including passwords.
Your web application developers come to you and request affinity scheduling from the load balancers. Why does a web application benefit from affinity scheduling?
a. Affinity scheduling helps web servers know the source of the traffic.
b. Affinity scheduling reduces the total number of connections to the web application by offloading the TLS operations.
c. Affinity scheduling can allow a user to stay logged in to a session instead of opening a new session each time they are sent to a new server host.
d. Affinity scheduling allows the load balancer to move traffic to the closest server, reducing overall latency.
** Answer: C **
Affinity scheduling sends each subsequent request to the same web server, allowing the server to track the session state even though HTTP/HTTPS is a stateless protocol.
Which of the following terms indicates the length of time a device is expected to last in operation, and only a single, definitive failure will occur and will require that the device be replaced rather than repaired?
Mean time between failures
Mean time to recovery
Mean time to failure
Mean time to replace
** Answer: MTTF (Mean time to failure) **
The mean time to failure (MTTF) is the length of time a device is expected to last in operation. In MTTF, only a single, definitive failure will occur and will require that the device be replaced rather than repaired.
Which of the following is a software or a hardware appliance responsible for balancing user requests and network traffic among several different physical or virtualized hosts?
Host operating system
Hypervisor
Guest operating system
Load balancer
** Answer: Load balancer **
A load balancer is a piece of application software
You are conducting a penetration test for a vehicle repair shop. The environment consists of a guest Wi-Fi network requiring a security code, which is printed on a piece of paper in the guest waiting area. The employee computers are connected to a separate wired network in the office. After posing as a legitimate customer, you wait in the guest lounge, connect to the Wi-Fi network, and capture network traffic using a network protocol analyzer program. After analyzing the captured traffic, you realize that the Wi-Fi router appears to be using vulnerable network protocols.
To which penetration testing phase does this activity apply?
Scanning
Gaining access
Maintaining access
Reconnaissance
** Answer: Reconnaissance **
Reconnaissance means learning as much as possible about attack targets. Capturing network traffic is considered passive; there is no reaching out and scanning of some or all hosts and devices on the network.
Which of the following refers to the collecting of information in a central place, in a common format, to facilitate analysis and decision making?
Time synchronization
Aggregation
USB blocking
Controller-based
** Answer: Aggregation **
Aggregation is the collecting of information in a central place, in a common format, to facilitate analysis and decision-making.
For which of the following should employees receive training to establish how they are to treat information of differing sensitivity levels?
Information classification
Clean desk policies
Protection of personally identifiable information on social media
Data Disposal
** Answer: Information classification **
An organization’s information classification policy not only outlines what level of security protection certain data receives, but also serves to instruct employees on how to treat sensitive data.
Which of the following is a list of known vulnerabilities in software systems?
Common Vulnerabilities and Exposures
Intelligence Fusion
Vulnerability Scoring System
Credentialed Scan
** Answer: Common Vulnerabilities and Exposures **
The Common Vulnerabilities and Exposures (CVE) enumeration is a list of known vulnerabilities in software systems. Each vulnerability in the list has an identification number, a description, and reference.
Which of the following is a form of intentional interference with a wireless network?
MAC spoofing
Jamming
Evil twin
SSID cloaking
** Answer: Jamming **
“Jamming” is correct. Jamming is intentional interference with the signal of a wireless network. It is often part of a DoS attack.
Which of the following correctly defines a combination of hardware and software that classify and analyze data from numerous sources?
DLP
NAC
SIEM
LOG
** Answer: SIEM **
Security information and event management (SIEM) systems consist of a combination of hardware and software that classify and analyze data from numerous sources.
Your company has deployed Linux virtual machines in the public cloud. After recent attempts at SSH brute-forcing against the Linux hosts were detected, you decided to mitigate the possibility of attacks initiated from the Internet while allowing secured remote management connections over the Internet. What should you configure?
Load balancer
Jump server
Forward proxy server
Intrusion detection system
** Answer: Jump server **
A jump server allows secured and authenticated connections from a public network such as the Internet, and it serves as a launching pad from which remote service management, including Linux SSH remote management, is possible using only private IP addresses. The use of only private IP addresses for cloud-based virtual machines means they are not even visible from the Internet.
Which of the following statements about EOSL items is true?
An EOSL item is only sold to current customers.
An EOSL item uses older hardware but current software.
An EOSL item is no longer supported by the OEM.
An EOSL item has no maintenance options.
** Answer: An EOSL item is no longer supported by the OEM. **
“An EOSL item is no longer supported by the OEM” is correct. An EOSL (End Of Service Life) item is something that is no longer supported by the original equipment manufacturer (OEM).
“An EOSL item is only sold to current customers” is incorrect. EOSL items are no longer marketed, supported, or sold by the OEM.
“An EOSL item uses older hardware but current software” is incorrect. EOSL items are no longer marketed, supported, or sold by the OEM. They will typically be older hardware, but there are no patches or software updates available for them, as the manufacturer no longer supports them.
“An EOSL item has no maintenance options” is incorrect. Maintenance for EOSL items is sometimes available from third-party vendors, even after the manufacturer has discontinued support for the item.
What are the IPSec modes of connection? (Select three choices)
Host to server
Server to server
Server to network
Host to host
** Answer: Host to server, Server to Network, Host to Host **
“Host to server”, “Server to server”, and “Host to host” are correct. IPSec can establish tunnels between different networks by using servers as endpoints and establishing a server-to-server connection, or it performs transport between
You have been tasked with conducting a security assessment of hosts on an IP subnet. The subnet hosts run a variety of services including HTTP and SQL databases. When configuring the vulnerability scan, you enter a number of sets of valid credentials that will be used when probing hosts. After running the scan and reviewing the results, a colleague suggested the scan results were useless since the credentials were known.
Which IT security concept validates the scan results?
Zero-day
Zero trust
Principle of least privilege
Non-repudiation
** Answer: Zero trust **
The zero trust concept requires security experts to consider the “insider threat” and not to trust users and IT systems behind firewalls on internal networks. The benefit of this strategy is that it allows technicians to gauge what might happen if an internal user account or device is compromised, or if there is a rogue employee abusing their privileges.
Which of the following is the biggest risk involved in cloud computing?
Lack of availability
Lack of accountability
Lack of control
Lack of responsibility
** Answer: Lack of control **
Lack of control over data and the infrastructure is probably the greatest risk to cloud computing.
Which of the following is an older form of attack where a malicious/compromised website places invisible controls on a page, giving users the impression they are clicking some safe item that actually is an active control for something malicious?
Clickjacking
Man-in-the-browser
Header manipulation
Buffer overflow
** Answer: Clickjacking **
Clickjacking is almost never seen anymore as it’s easy to detect this type of attack.
What is the largest advantage host-based firewalls have over network-based firewalls?
Host-based firewalls do not need rulesets like network-based firewalls require, due to being directly on the host and able to run heuristic traffic analysis.
Host-based firewalls can coordinate with other endpoints’ host-based firewalls to perform a unified attack response.
Host-based firewalls can control outbound traffic before it reaches the network and sets off intrusion detection alarms.
Host-based firewalls have knowledge of the functions of the endpoint and can tune the traffic management to match.
** Answer: d **
“Host-based firewalls have knowledge of the functions of the endpoint and can tune the traffic management to match” is correct. Host-based firewalls can be tuned to the specific applications on the endpoint and the normal traffic on the endpoint.
Which type of cloud service is usually operated by a third-party provider that sells or rents “pieces” of the cloud to different entities, such as small businesses or large corporations, to use as they need?
External
Community
Private
Public
** Answer: Public **
A public cloud is operated by a third-party provider who leases space in the cloud to anyone who needs it.
Which type of assessment looks at events that could exploit vulnerabilities?
Risk assessment
Threat assessment
Vulnerability assessment
Penetration test
** Answer: Threat assessment **
Which of the following provides the capability to capture and analyze traffic passing through a network?
NAC
Syslog
DNS
Protocol Analyzer
** Answer: Protocol Analyzer **
A protocol analyzer provides the capability to capture and analyze traffic passing over a communications channel, such as a network.
You are preparing to begin an IT technical penetration test of a web application server. Which tasks relate to the reconnaissance phase of the testing?
Perform a port scan.
Identify the web server administrator.
Install a backdoor.
Clear log entries.
** Answer: Identify the web server administrator. **
“Identify the web server administrator” is correct. The reconnaissance phase of penetration testing focuses on learning as much as possible about the target, such as who the web server administrator is. This can lead attackers to scour the web for anything related to that person, such as their email address, social media posts related to work, etc.
An organization is implementing a comprehensive third-party risk management program. Which of the following actions would be MOST effective in continuously monitoring and mitigating risks associated with third-party vendors?
A. Conducting annual security audits of all third-party vendors.
B. Implementing real-time monitoring of third-party access to internal systems.
C. Requiring vendors to sign a yearly compliance statement.
D. Limiting all third-party access to non-critical systems only.
** Correct Answer: B **
Explanation: Real-time monitoring of third-party access provides continuous visibility into potential risks and allows for immediate response to suspicious activities. This approach is more effective than periodic audits, compliance statements, or blanket access restrictions in managing ongoing third-party risks.
In the context of deception and disruption technologies, which of the following best describes the primary difference between a honeypot and a honeytoken?
A. A honeypot is a physical decoy system, while a honeytoken is a virtual decoy.
B. A honeypot contains real data, while a honeytoken contains fake data.
C. A honeypot is a network of decoy systems, while a honeytoken is a single decoy file or resource.
D. A honeypot is used for external threats, while a honeytoken is used for internal threats only.
** Correct Answer: C **
Explanation: A honeypot is typically a decoy system or network designed to attract attackers, while a honeytoken is a specific piece of fake data (like a database entry or file) used to detect unauthorized access or data breaches. The key difference is in their scope and implementation.
A security analyst is reviewing the following intrusion detection system (IDS) rule:
```
alert tcp any any -> 192.168.1.0/24 80 (msg:"Potential SQL Injection"; content:"%27"; sid:1000001;)
```
Which TWO of the following statements accurately describe the functionality of this rule?
A. It generates an alert for all HTTP traffic to the 192.168.1.0/24 network.
B. The rule detects potential SQL injection attempts containing a single quote (%27).
C. It blocks all traffic containing the string “%27” to port 80.
D. The rule applies to both incoming and outgoing traffic on the network.
E. It only alerts on TCP traffic destined for port 80 on the specified network.
** Correct Answer: B, E **
Explanation: The rule detects potential SQL injection attempts by looking for the encoded single quote (%27) in TCP traffic (B) specifically destined for port 80 on the 192.168.1.0/24 network (E). It doesn’t block traffic or apply to all HTTP traffic, and it’s not bidirectional.
In the context of cloud security and shared responsibility models, which of the following is typically the cloud service provider’s responsibility in a Platform as a Service (PaaS) deployment?
A. Configuring application-level access controls.
B. Patching and updating the underlying operating system.
C. Encrypting data at rest within the application.
D. Managing user authentication for custom applications.
** Correct Answer: B **
Explanation: In a PaaS model, the cloud service provider is typically responsible for maintaining and patching the underlying infrastructure, including the operating system.
The customer is responsible for the applications and data, including access controls, encryption, and user authentication.
An organization is implementing a new security awareness training program. Which of the following metrics would be MOST effective in measuring the long-term impact of the program on the organization’s security posture?
A. Number of employees who completed the training modules
B. Average score on post-training quizzes
C. Reduction in successful social engineering attacks over time
D. Increase in reported security incidents by employees
** Correct Answer: C **
Explanation: A reduction in successful social engineering attacks over time directly demonstrates the effectiveness of the awareness program in improving the organization’s security posture. This metric shows practical application of knowledge, unlike completion rates or quiz scores, and is more indicative of positive change than an increase in reported incidents.
Your organization is implementing a zero-trust architecture. You’re tasked with configuring the control plane for a critical application. Which two of the following JSON configurations would best align with zero trust principles? (Choose two)
```json
{
  "authentication": "multi-factor",
  "authorization": "least-privilege",
  "data_encryption": "end-to-end",
  "network_segmentation": "micro-segmentation",
  "monitoring": "continuous"
}
```
Options:
A. “authentication”: “multi-factor” and “authorization”: “role-based”
B. “data_encryption”: “end-to-end” and “network_segmentation”: “micro-segmentation”.
C. “authentication”: “single-factor” and “monitoring”: “periodic”.
D. “authorization”: “least-privilege” and “monitoring”: “continuous”.
E. “network_segmentation”: “perimeter-based” and “data_encryption”: “at-rest-only”.
** Correct Answer: B, D **
Explanation: In a zero trust model, end-to-end encryption (B) ensures data security throughout its lifecycle, while micro-segmentation (B) minimizes the attack surface. Least-privilege authorization (D) and continuous monitoring (D) are also crucial zero-trust principles, providing strict access control and real-time threat detection.
During a security audit, you discover that a critical business application is vulnerable to SQL injection attacks. Which of the following represents the most effective corrective control to address this vulnerability?
A. Implement a web application firewall (WAF).
B. Conduct regular penetration testing.
C. Use prepared statements and parameterized queries in the application code.
D. Encrypt the database.
** Correct Answer: C **
Explanation: Using prepared statements and parameterized queries is the most effective way to prevent SQL injection attacks by separating SQL logic from user input, making it impossible for malicious input to alter the query’s intent.
Your incident response team has detected a potential data breach. Upon investigation, they discover the following log entry:
```
2023-05-15 02:34:18 UTC [192.168.1.100] POST /api/data HTTP/1.1 200 {"action":"exfiltrate", "destination":"10.20.30.40", "size":"1.5GB"}
```
Which of the following best describes the next step in the incident response process?
A. Eradication: Remove the malicious actor from the system
B. Recovery: Restore affected systems to normal operation
C. Containment: Isolate the affected systems and block the destination IP
D. Lessons Learned: Document the incident for future reference
** Correct Answer: C **
Explanation: The log shows active data exfiltration. The immediate next step should be containment, isolating affected systems, and blocking the destination IP (10.20.30.40) to prevent further data loss, aligning with the incident response process.
Your organization is implementing a new cloud-based security information and event management (SIEM) system. Which two of the following configurations would best align with both zero trust principles and effective security monitoring? (Choose two)
```yaml
siem_config:
  data_ingestion:
    sources: ["network_logs", "application_logs", "auth_logs"]
  authentication:
    method: "multi_factor"
  access_control:
    model: "least_privilege"
  encryption:
    data_at_rest: "AES-256"
    data_in_transit: "TLS 1.3"
  alert_mechanism:
    type: "real_time"
```
Options:
A. data_ingestion sources and real_time alert mechanism
B. multi_factor authentication and least_privilege access control
C. AES-256 encryption for data at rest and TLS 1.3 for data in transit
D. network_logs as the sole data source and periodic alert mechanism
E. single_factor authentication and role-based access control
** Correct Answer: A, B **
Explanation: Comprehensive data ingestion (A) enables effective security monitoring, while real-time alerts (A) allow for quick threat response. Multi-factor authentication (B) and least-privilege access control (B) are core zero trust principles, enhancing security in the cloud environment.
A security analyst is reviewing the following firewall configuration snippet:
```yaml
- action: allow
  source: 192.168.1.0/24
  destination: any
  service: ssh
- action: deny
  source: any
  destination: 10.0.0.5
  service: http
```
Which TWO of the following statements accurately describe the effects of this configuration?
A. SSH connections from the 192.168.1.0/24 network are permitted to any destination.
B. All HTTP traffic to the IP address 10.0.0.5 is blocked.
C. The firewall allows all incoming SSH connections.
D. HTTP connections from 10.0.0.5 are denied to any destination.
E. The configuration prevents all traffic to the 10.0.0.0/24 network.
In the context of a Zero Trust security model, which of the following best describes the relationship between the Control Plane and the Data Plane?
A. The Control Plane manages user authentication, while the Data Plane handles data encryption.
B. The Control Plane defines security policies, while the Data Plane enforces those policies on network traffic.
C. The Control Plane is responsible for physical security, while the Data Plane manages digital assets.
D. The Control Plane handles north-south traffic, while the Data Plane manages east-west
** Correct Answer: B **
Explanation: In a Zero Trust model, the Control Plane is responsible for defining security policies and making access decisions, while the Data Plane enforces these policies on actual network traffic and data flow.
How to effectively implement security in a Zero Trust model?
** Control Plane **
- Defines policies and makes access decisions
** Data Plane **
- Enforces policies on network traffic
Your organization is developing a new web application and wants to ensure secure coding practices. Which of the following represents the most effective approach to prevent cross-site scripting (XSS) attacks?
A. Implement strong encryption for all data transmissions
B. Use prepared statements for database queries
C. Apply input validation and output encoding
D. Enable HTTP Strict Transport Security (HSTS)
** Correct Answer: C **
Explanation: Input validation and output encoding are the most effective methods to prevent XSS attacks. They ensure that user input is properly sanitized before processing and that any output to the browser is properly encoded to prevent script execution.
** Input Validation **
- Ensures user input is sanitized before processing
** Output Encoding **
- Encodes output to prevent script execution
Your organization is implementing a new security awareness training program. You want to assess its effectiveness using metrics. Which two of the following metrics would best indicate the program’s success in improving the organization’s security posture? (Choose two)
Options:
A. Number of employees who completed the training
B. Reduction in successful phishing attempts
C. Increase in reported suspicious emails
D. Number of security policy violations
E. Time taken to complete the training modules
** Correct Answer: B, C **
Explanation: A reduction in successful phishing attempts
(B) directly shows improved employee vigilance. An increase in reported suspicious emails (C) indicates heightened awareness and proactive security behavior.
Both metrics demonstrate the practical application of the training, unlike completion rates or time spent, which don’t necessarily reflect improved security practices.
You’re reviewing the following YAML configuration for a cloud-based application:
```yaml
security:
  authentication:
    method: "OAuth2.0"
    mfa: true
  authorization:
    type: "RBAC"
  data_protection:
    encryption: "AES-256"
    key_management: "HSM"
```
Which security principle does this configuration best exemplify?
A. Least privilege
B. Defense in depth
C. Separation of duties
D. Non-repudiation
** Correct Answer: B **
Explanation: This configuration demonstrates defense in depth by implementing multiple layers of security. It includes strong authentication (OAuth2.0 with MFA), authorization (RBAC), and data protection (encryption with secure key management), creating a multi-layered security approach.
** Authentication **
- OAuth2.0 with multi-factor authentication
** Authorization **
- Role-based access control
** Data Protection **
- Encryption with secure key management
During a security audit, you discover that a critical business application is vulnerable to SQL injection attacks. The development team suggests implementing input validation as a solution. Which of the following represents a potential limitation of this approach?
A. It may introduce significant performance overhead
B. It could lead to false positives, blocking legitimate queries
C. It doesn’t address the root cause of the vulnerability
D. It requires constant updates to the validation rules
** Correct Answer: C **
Explanation: While input validation is beneficial, it doesn’t address the root cause of SQL injection vulnerabilities, which is the improper handling of user input in SQL queries. A more comprehensive solution would involve using parameterized queries or prepared statements to fundamentally prevent SQL injection.
Addressing SQL Injection Vulnerabilities.
** Prepared Statements **
Implementing prepared statements to ensure secure database interactions.
** Parameterized Queries **
Using parameterized queries to safely handle user input and prevent SQL injection.
An organization has implemented a comprehensive security awareness program. Despite this, they experience a successful whaling attack where the CFO is tricked into transferring a large sum of money to a fraudulent account. During the incident response, which of the following should be the FIRST step in the “Lessons Learned” phase?
A. Conduct a root cause analysis of the incident.
B. Update the security awareness training materials.
C. Implement stricter email filters and verification processes.
D. Discipline the CFO for falling for the attack.
** Correct Answer: A **
Explanation: The first step should be to conduct a root cause analysis. This helps to understand how the attack succeeded.
Steps to Enhance Security Post-Attack
01 - Conduct Root Cause Analysis
02 - Identify Vulnerabilities
03 - Update Security Processes
04 - Revise Training Programs
05 - Implement Improved Measures
During a security assessment, you discover that an employee’s access badge was used to enter a restricted area outside of normal business hours.
Upon further investigation, you find that the employee was on vacation at the time. Which of the following best describes this situation in terms of security controls and potential threats?
A. A failure of a detective control, indicating a possible insider threat
B. A successful implementation of a corrective control, mitigating a social engineering attack
C. An example of a compensating control, addressing a physical security vulnerability
D. A breakdown
** Correct Answer: A **
Explanation: This scenario demonstrates a failure of a detective control (access logs). The unauthorized use of the badge during the employee’s absence indicates a possible insider threat or stolen credentials, which the system recorded but did not prevent.
Your organization is implementing a new security architecture. You’re reviewing the following JSON configuration for a critical system:
```json
{
  "network": {
    "segmentation": "micro",
    "encryption": "end-to-end"
  },
  "access": {
    "authentication": "mfa",
    "authorization": "just-in-time"
  },
  "monitoring": "continuous"
}
```
Which two principles of zero trust are best represented by this configuration? (Choose two)
A. Assume breach
B. Verify explicitly
C. Use least privilege access
D. Implement defense in depth
E. Trust but verify
** Correct Answer: A, B **
Explanation: The configuration exemplifies “Assume breach” (A) through micro-segmentation and continuous monitoring, preparing for potential compromises. “Verify explicitly” (B) is demonstrated by multi-factor authentication and just-in-time authorization, ensuring thorough verification before granting access.
Security Strategy Breakdown
** Assume Breach **
Focuses on micro-segmentation and continuous monitoring to prepare for breaches.
** Verify Explicitly **
Involves multi-factor authentication and just-in-time authorization for access control.
A security analyst is reviewing the following YAML configuration for a cloud-based security control:
```yaml
policy:
  enforce: true
  actions:
    - encrypt_data
    - log_access
  conditions:
    location: "!= internal_network"
    data_type: "sensitive"
```
Which TWO of the following statements accurately describe the effects of this configuration?
A. The policy encrypts sensitive data when accessed from outside the internal network.
B. All data access is logged regardless of the user’s location.
C. The policy is applied only to data classified as sensitive.
D. Data encryption occurs for all access attempts, both internal and external.
E. The policy enforces encryption but does not log access for sensitive data.
** Correct Answer: A, C **
Explanation: The configuration enforces encryption and logging for sensitive data (C) when accessed from outside the internal network (A). It doesn’t apply to all data or all locations, and it does include logging, contrary to options B, D, and E.
In the context of physical security measures, which of the following combinations would be most effective in preventing tailgating at a high-security facility’s main entrance?
A. Bollards and fencing
B. Access control vestibule and pressure sensors
C. Video surveillance and lighting
D. Security guard and access badges
** Correct Answer: B **
Explanation: An access control vestibule (mantrap) combined with pressure sensors is the most effective in preventing tailgating. The vestibule ensures only one person enters at a time, while pressure sensors can detect if more than one person is present in the vestibule.
** Preventing Tailgating in Security Access **
Multiple Entrants
– Single Entry
– Pressure Detection
– Access Denied
A company implements a new security awareness program focusing on social engineering threats. Which of the following metrics would be MOST effective in measuring the program’s impact on the organization’s security posture?
A. Number of employees who completed the training
B. Reduction in successful phishing attempts reported by the IT department
C. Increase in password complexity across user accounts
D. Frequency of security policy updates
** Correct Answer: B **
Explanation: The reduction in successful phishing attempts directly measures the effectiveness of the social engineering awareness program. It shows a practical application of the knowledge gained, unlike options A, C, and D, which don’t directly correlate with improved resilience against social engineering threats.
** Measuring Social Engineering Awareness Effectiveness **
– Resilience Against Threats
– Reduction in Phishing Attempts
– Practical Application of Knowledge
A security team is implementing a new intrusion detection system (IDS) in their network. They want to ensure it can detect both known and unknown threats while minimizing false positives. Which TWO of the following configurations would be most effective in achieving this goal?
A. Implement signature-based detection for known threats.
B. Enable anomaly-based detection for identifying unusual network behavior.
C. Configure the IDS to block all traffic from external networks.
D. Set up honeypots within the network to attract and study potential attackers.
E. Disable all alerts for internal network traffic.
** Correct Answer: A, B **
Explanation: Signature-based detection (A) effectively identifies known threats, while anomaly-based detection (B) can catch unknown or zero-day threats by identifying unusual behavior. This combination provides comprehensive coverage while minimizing false positives.
Signature-based Detection
- Lower False Positives
- Known Threat Identification
Anomaly-based Detection
- Higher False Positives
- Unknown Threat Detection
A security analyst is reviewing the following log entry from a web application firewall:
```json
{
  "timestamp": "2024-12-21T15:30:22Z",
  "source_ip": "203.0.113.15",
  "request_uri": "/admin/config.php?action=view&id=1 OR 1=1",
  "user_agent": "Mozilla/5.0",
  "status_code": 403
}
```
What type of attack was likely attempted, and what was the outcome?
A. Cross-Site Scripting (XSS) attack, successfully blocked
B. SQL Injection attempt, successfully blocked
C. Directory Traversal attack, attack succeeded
D. Buffer Overflow exploit, attack succeeded
** Correct Answer: B **
Explanation: The log shows an SQL Injection attempt (“OR 1=1” in the URI) which was blocked by the firewall (status code 403 indicates “Forbidden”). This demonstrates successful mitigation of a common web application attack.
An organization is implementing a Zero Trust architecture. Which of the following best describes how the principle of least privilege should be applied in this context?
A. Grant users full access to all resources and monitor their activities closely.
B. Provide access to all resources but require multi-factor authentication for each access attempt.
C. Grant minimal access rights necessary for users to perform their job functions and regularly review these permissions.
D. Deny all access requests by default and manually approve each request as needed.
** Correct Answer: C **
Explanation: In a Zero Trust model, the principle of least privilege means granting users only the minimum access rights needed for their roles (C). This approach reduces the attack surface while still allowing necessary functionality, unlike the other options which are either too permissive or impractical.
During a security assessment, you discover an employee using deception technology that creates fake network shares containing seemingly sensitive information. Which of the following best describes this technology and its primary purpose?
A. Honeypot - to detect and analyze potential insider threats.
B. Honeytoken - to track unauthorized access attempts.
C. Honeynet - to simulate a complete network environment.
D. Honeyfile - to identify and alert on potential data exfiltration.
** Correct Answer: D **
Explanation: This scenario describes a honeyfile, which is a fake file or document planted to attract attention and trigger alerts when accessed. Its primary purpose is to identify potential data exfiltration attempts or unauthorized access to sensitive information.
Detecting Data Exfiltration with Honeyfiles.
Access Attempt
- Unauthorized access triggers honeyfile
Alert Generation
- System alerts on honeyfile access
Your organization is developing its incident response plan. The CEO insists on immediately shutting down all systems at the first sign of a breach. As the security lead, which of the following responses best addresses this approach while aligning with incident response best practices?
A. Agree with the CEO, as shutting down systems quickly prevents further damage.
B. Suggest a staged shutdown process to maintain some operational capacity.
C. Recommend against immediate shutdown, proposing instead to isolate and investigate affected systems first.
D. Advise creating multiple plans for different scenarios, each with predefined shutdown criteria.
** Correct Answer: C **
Explanation: Immediate shutdown can destroy valuable evidence and disrupt business operations unnecessarily.
Best practices involve first isolating affected systems, preserving evidence, and conducting a thorough investigation to understand the breach’s scope and nature before taking drastic measures like complete shutdown.
Your organization is implementing a new physical security system. You’re reviewing the following YAML configuration:
```yaml
entrance:
  primary:
    - access_control_vestibule
    - badge_reader
  secondary:
    - biometric_scanner
perimeter:
  - bollards
  - fencing
  - infrared_sensors
monitoring:
  - CCTV
  - security_guards
```
Which two physical security principles are best exemplified by this configuration? (Choose two)
A. Defense in depth
B. Principle of least privilege
C. Separation of duties
D. Deterrence
E. Non-repudiation
** Correct Answer: A, D **
During a third-party risk assessment, you discover that a critical vendor has recently suffered a data breach. The vendor claims they’ve addressed the issue, but you’re concerned about potential ongoing risks. Which of the following actions would be most appropriate in this situation?
A. Immediately terminate the contract with the vendor.
B. Require the vendor to undergo an independent security audit.
C. Increase monitoring of the vendor’s access to your systems.
D. Accept the vendor’s assurance and continue business as usual.
** Correct Answer: B **
Explanation: Requiring an independent security audit is the most appropriate action. It provides an objective assessment of the vendor’s security posture post-breach, helping to verify their claims and identify any remaining vulnerabilities or risks that could affect your organization.
Vendor Security Audit Process
– Independent Audit Requirement
– Objective Assessment
– Verification of Claims
– Identification of Vulnerabilities
You’re analyzing a recent security incident where an attacker gained unauthorized access to sensitive data. The investigation reveals that the attacker exploited a vulnerability in an outdated software component. Which of the following best describes the control that failed in this scenario?
A. Detective control
B. Corrective control
C. Compensating control
D. Preventive control
** Correct Answer: D **
Explanation: This scenario indicates a failure of preventive control. Keeping software up-to-date and patching known vulnerabilities are preventive measures designed to stop unauthorized access before it occurs. The exploitation of an outdated software component suggests that this preventive control was not properly implemented or maintained.
Preventive Control Failure
- Control Not Maintained
Implies neglect in updating security protocols.
- Software Exploitation
Indicates unauthorized access due to outdated software.
- Control Not Implemented
Suggests failure to establish preventive measures.
During a security assessment, you discover that an employee fell victim to a sophisticated phishing attack that mimicked a trusted partner’s email. The attacker gained access to sensitive data by exploiting the trust relationship.
Which of the following best describes this type of attack?
A. Whaling
B. Vishing
C. Spear phishing
D. Business Email Compromise (BEC)
** Correct Answer: D **
Explanation: This scenario describes a Business Email Compromise (BEC) attack. BEC attacks typically involve impersonating a trusted partner or executive to exploit established business relationships and processes, often leading to unauthorized access to sensitive data or fraudulent financial transactions.
Your organization is implementing a new cloud-based security solution. You’re reviewing the following JSON configuration:
```json
{
  "data_protection": {
    "encryption": "AES-256",
    "key_management": "BYOK"
  },
  "access_control": {
    "authentication": "MFA",
    "authorization": "ABAC"
  },
  "monitoring": {
    "log_analysis": "AI-powered",
    "alert_mechanism": "real-time"
  }
}
```
Which two security principles are best exemplified by this configuration? (Choose two)
A. Principle of least privilege
B. Defense in depth
C. Separation of duties
D. Zero trust
E. Non-repudiation
** Correct Answer: B, D **
** Security Framework **
ABAC
Grants access based on user attributes and policies, enhancing security.
Encryption
Protects data by converting it into a secure format that can only be read by authorized users.
MFA
Adds an extra layer of security by requiring multiple forms of verification.
Access Control
Regulates who can view or use resources in a computing environment.
Monitoring
Continuously observes systems for unusual activity to ensure security.
Your organization is developing a new web application and wants to ensure secure coding practices. Which of the following represents the most effective approach to prevent Server-Side Request Forgery (SSRF) attacks?
A. Implement input validation on all user-supplied URLs
B. Use prepared statements for all database queries
C. Enable Content Security Policy (CSP) headers
D. Implement OAuth 2.0 for authentication
** Correct Answer: A **
Explanation: To prevent SSRF attacks, implementing strict input validation on all user-supplied URLs is crucial. This includes validating and sanitizing any user input that could be used to make server-side requests, ensuring that only intended and safe URLs are processed by the server.
Components of URL Security
Input Validation
Ensures only safe URLs are processed
Sanitization
Cleans user input to prevent threats
Server Protection
Guards the server from malicious requests
A security analyst is reviewing the following YAML configuration snippet from a Zero Trust implementation:
```yaml
control_plane:
  authentication:
    mfa_required: true
    session_timeout: 1800
  data_access:
    default_deny: true
    just_in_time: enabled
```
Which TWO of the following accurately describe the security implications of this configuration? (Choose TWO)
Options:
A. The configuration enforces a 30-minute session timeout for authenticated users.
B. All data access requests are denied by default unless explicitly permitted.
C. Multi-factor authentication is optional for high-privilege accounts.
D. Just-in-time access provisioning is disabled for resource requests.
E. The control plane operates in a legacy trust-but-verify model.
** Correct Answer: A, B **
Explanation: The configuration shows MFA requirement (true), session timeout of 1800 seconds (30 minutes), and default deny with JIT access enabled. Options A and B directly correspond to these settings - 1800 seconds equals 30 minutes timeout, and default_deny: true implements zero-trust’s principle of denying all access by default.
Security Configuration
Session Timeout
Enforces a 30-minute timeout for user sessions to enhance security.
Default Deny
Implements a zero-trust approach by denying all access by default.
MFA Requirement
Requires multi-factor authentication for added security verification.