Random Question 20 - 40 Flashcards

CompTIA Security+ SY0-701 Part 1

1
Q

Question 21:
A security analyst is reviewing the following firewall configuration snippet:
```yaml
- action: allow
  source: 192.168.1.0/24
  destination: any
  service: ssh
- action: deny
  source: any
  destination: 10.0.0.5
  service: http
```

Which TWO of the following statements accurately describe the effects of this configuration?

A. SSH connections from the 192.168.1.0/24 network are permitted to any destination.

B. All HTTP traffic to the IP address 10.0.0.5 is blocked.

C. The firewall allows all incoming SSH connections.

D. HTTP connections from 10.0.0.5 are denied to any destination.

E. The configuration prevents all traffic to the 10.0.0.0/24 network.

A

Correct Answer: A, B

Explanation:

The first rule (A) allows SSH connections from the 192.168.1.0/24 network to any destination.

The second rule (B) denies all HTTP traffic to the specific IP 10.0.0.5. Options C, D, and E are incorrect interpretations of the given configuration.

2
Q

Question 22:

In the context of a Zero Trust security model, which of the following best describes the relationship between the Control Plane and the Data Plane?

A. The Control Plane manages user authentication, while the Data Plane handles data encryption.

B. The Control Plane defines security policies, while the Data Plane enforces those policies on network traffic.

C. The Control Plane is responsible for physical security, while the Data Plane manages digital assets.

D. The Control Plane handles north-south traffic, while the Data Plane manages east-west traffic.

A

Correct Answer: B

Explanation: In a Zero Trust model, the Control Plane is responsible for defining security policies and making access decisions, while the Data Plane enforces these policies on actual network traffic and data flow.

3
Q

Question 23:

An organization has implemented a comprehensive security awareness program. Despite this, they experience a successful whaling attack where the CFO is tricked into transferring a large sum of money to a fraudulent account. During the incident response, which of the following should be the FIRST step in the “Lessons Learned” phase?

A. Conduct a root cause analysis of the incident.

B. Update the security awareness training materials.

C. Implement stricter email filters and verification processes.

D. Discipline the CFO for falling for the attack.

A

Correct Answer: A

Explanation: The first step should be to conduct a root cause analysis. This helps understand how the attack succeeded despite existing measures, informing subsequent improvements to security processes and training.

01 - Conduct Root Cause Analysis

02 - Identify Vulnerabilities

03 - Update Security Processes

04 - Revise Training Programs

05 - Implement Improved Measures

4
Q

Question 24:

A security analyst is reviewing the following YAML configuration for a cloud-based security control:
```yaml
policy:
  enforce: true
  actions:
    - encrypt_data
    - log_access
  conditions:
    location: "!= internal_network"
    data_type: "sensitive"
```

Which TWO of the following statements accurately describe the effects of this configuration?

A. The policy encrypts sensitive data when accessed from outside the internal network.

B. All data access is logged regardless of the user’s location.

C. The policy is applied only to data classified as sensitive.

D. Data encryption occurs for all access attempts, both internal and external.

E. The policy enforces encryption but does not log access for sensitive data.

A

Correct Answer: A, C

Explanation: The configuration enforces encryption and logging for sensitive data (C) when accessed from outside the internal network (A). It doesn’t apply to all data or all locations, and it does include logging, contrary to options B, D, and E.

5
Q

Question 25:

In the context of physical security measures, which of the following combinations would be most effective in preventing tailgating at a high-security facility’s main entrance?

A. Bollards and fencing

B. Access control vestibule and pressure sensors

C. Video surveillance and lighting

D. Security guard and access badges

A

Correct Answer: B

Explanation: An access control vestibule (mantrap) combined with pressure sensors is the most effective in preventing tailgating. The vestibule ensures only one person enters at a time, while pressure sensors can detect if more than one person is present in the

6
Q

Question 26:

A company implements a new security awareness program focusing on social engineering threats. Which of the following metrics would be MOST effective in measuring the program’s impact on the organization’s security posture?

A. Number of employees who completed the training

B. Reduction in successful phishing attempts reported by the IT department

C. Increase in password complexity across user accounts

D. Frequency of security policy updates

A

Correct Answer: B

Explanation: The reduction in successful phishing attempts directly measures the effectiveness of the social engineering awareness program. It shows the practical application of the knowledge gained, unlike options A, C, and D, which don’t directly correlate with improved resilience against social engineering threats.

7
Q

Question 27:

A security team is implementing a new intrusion detection system (IDS) in their network. They want to ensure it can detect both known and unknown threats while minimizing false positives. Which TWO of the following configurations would be most effective in achieving this goal?

A. Implement signature-based detection for known threats.

B. Enable anomaly-based detection for identifying unusual network behavior.

C. Configure the IDS to block all traffic from external networks.

D. Set up honeypots within the network to attract and study potential attackers.

E. Disable all alerts for internal network traffic.

A

Correct Answer: A, B

Explanation: Signature-based detection (A) effectively identifies known threats, while anomaly-based detection (B) can catch unknown or zero-day threats by identifying unusual behavior. This combination provides comprehensive coverage while minimizing false positives.

8
Q

Question 28:

An organization is implementing a Zero-Trust architecture. Which of the following best describes how the principle of least privilege should be applied in this context?

A. Grant users full access to all resources and monitor their activities closely.

B. Provide access to all resources but require multi-factor authentication for each access attempt.

C. Grant minimal access rights necessary for users to perform their job functions and regularly review these permissions.

D. Deny all access requests by default and manually approve each request as needed.

A

Correct Answer: C

Explanation: In a Zero Trust model, the principle of least privilege means granting users only the minimum access rights needed for their roles (C). This approach reduces the attack surface while still allowing necessary functionality, unlike the other options which are either too permissive or

9
Q

Question 9:
A security analyst is reviewing the following log entry from a web application firewall:

```json
{
  "timestamp": "2024-12-21T15:30:22Z",
  "source_ip": "203.0.113.15",
  "request_uri": "/admin/config.php?action=view&id=1 OR 1=1",
  "user_agent": "Mozilla/5.0",
  "status_code": 403
}
```

What type of attack was likely attempted, and what was the outcome?

A. Cross-Site Scripting (XSS) attack, successfully blocked

B. SQL Injection attempt, successfully blocked

C. Directory Traversal attack, the attack succeeded

D. Buffer Overflow exploit, attack

A

Correct Answer: B

Explanation: The log shows an SQL Injection attempt (“OR 1=1” in the URI) which was blocked by the firewall (status code 403 indicates “Forbidden”). This demonstrates successful mitigation of a common web application

10
Q

Question 20:
A security analyst is reviewing the following YAML configuration for a cloud-based access control policy:
```yaml
policy:
  name: "Sensitive_Data_Access"
  rules:
    - condition:
        user_group: "executives"
        time: "business_hours"
      allow: true
    - condition:
        data_classification: "confidential"
        location: "!= office_network"
      allow: false
```

Which TWO of the following statements accurately describe the effects of this configuration?

A. Executives can access sensitive data only during business hours.
B. All users are denied access to confidential data from outside the office network.
C. The policy allows unrestricted access to sensitive data for executives.
D. Non-executive users can access confidential data from the office network.
E. The policy prevents all remote access to company data.

A

Correct Answer: A, B

Explanation: The configuration allows executives to access sensitive data during business hours (A) and denies access to confidential data from outside the office network for all users (B).

It doesn’t grant unrestricted access to executives, doesn’t specifically allow non-executives to access confidential data on-site, and doesn’t prevent all remote

11
Q

Question 21:

An organization is implementing a comprehensive third-party risk management program. Which of the following actions would be MOST effective in continuously monitoring and mitigating risks associated with third-party vendors?

A. Conducting annual security audits of all third-party vendors.

B. Implementing real-time monitoring of third-party access to internal systems.

C. Requiring vendors to sign a yearly compliance statement.

D. Limiting all third-party access to non-critical systems only.

A

Correct Answer: B

Explanation: Real-time monitoring of third-party access provides continuous visibility into potential risks and allows for immediate response to suspicious activities.

This approach is more effective than periodic audits, compliance statements, or blanket access restrictions in managing ongoing third-party risks.

12
Q

Question 22:

In the context of deception and disruption technologies, which of the following best describes the primary difference between a honeypot and a honeytoken?

A. A honeypot is a physical decoy system, while a honeytoken is a virtual decoy.

B. A honeypot contains real data, while a honeytoken contains fake data.

C. A honeypot is a network of decoy systems, while a honeytoken is a single decoy file or resource.

D. A honeypot is used for external threats, while a honeytoken is used for internal threats only.

A

Correct Answer: C

Explanation: A honeypot is typically a decoy system or network designed to attract attackers, while a honeytoken is a specific piece of fake data (like a database entry or file) used to detect unauthorized access or data breaches. The key difference is in their scope and implementation.

13
Q

Question 23:

A security analyst is reviewing the following intrusion detection system (IDS) rule:

```
alert tcp any any -> 192.168.1.0/24 80 (msg:"Potential SQL Injection"; content:"%27"; sid:1000001;)
```

Which TWO of the following statements accurately describe the functionality of this rule?

A. It generates an alert for all HTTP traffic to the 192.168.1.0/24 network.

B. The rule detects potential SQL injection attempts containing a single quote (%27).

C. It blocks all traffic containing the string “%27” to port 80.

D. The rule applies to both incoming and outgoing traffic on the network.

E. It only alerts on TCP traffic destined for port 80 on the specified network.

A

Correct Answer: B, E

Explanation: The rule detects potential SQL injection attempts by looking for the encoded single quote (%27) in TCP traffic (B) specifically destined for port 80 on the 192.168.1.0/24 network (E). It doesn’t block traffic or apply to all HTTP traffic, and it’s not bidirectional.

14
Q

Question 24:

In the context of cloud security and shared responsibility models, which of the following is typically the cloud service provider’s responsibility in a Platform as a Service (PaaS) deployment?

A. Configuring application-level access controls.

B. Patching and updating the underlying operating system.

C. Encrypting data at rest within the application.

D. Managing user authentication for custom applications.

A

Correct Answer: B

Explanation: In a PaaS model, the cloud service provider is typically responsible for maintaining and patching the underlying infrastructure, including the operating system.

The customer is responsible for the applications and data, including access controls, encryption, and user

15
Q

Question 25:

An organization is implementing a new security awareness training program. Which of the following metrics would be MOST effective in measuring the long-term impact of the program on the organization’s security posture?

A. Number of employees who completed the training modules

B. Average score on post-training quizzes

C. Reduction in successful social engineering attacks over time

D. Increase in reported security incidents by employees

A

Correct Answer: C

Explanation: A reduction in successful social engineering attacks over time directly demonstrates the effectiveness of the awareness program in improving the organization’s security posture. This metric shows practical application of knowledge, unlike completion rates or quiz scores, and is more indicative of positive change than an increase in reported incidents.

16
Q

Question 26:

Your organization is implementing a zero trust architecture. You’re tasked with configuring the control plane for a critical application. Which two of the following JSON configurations would best align with zero trust principles? (Choose two)
```json
{
  "authentication": "multi-factor",
  "authorization": "least-privilege",
  "data_encryption": "end-to-end",
  "network_segmentation": "micro-segmentation",
  "monitoring": "continuous"
}
```

Options:

A. “authentication”: “multi-factor” and “authorization”: “role-based”

B. “data_encryption”: “end-to-end” and “network_segmentation”: “micro-segmentation”.

C. “authentication”: “single-factor” and “monitoring”: “periodic”.

D. “authorization”: “least-privilege” and “monitoring”: “continuous”.

E. “network_segmentation”: “perimeter-based” and “data_encryption”: “at-rest-only”.

A

Correct Answer: B, D

Explanation: In a zero trust model, end-to-end encryption (B) ensures data security throughout its lifecycle, while micro-segmentation (B) minimizes the attack surface. Least-privilege authorization (D) and continuous monitoring (D) are also crucial zero trust principles, providing strict access control and real-time threat detection.

17
Q

Question 27:

During a security audit, you discover that a critical business application is vulnerable to SQL injection attacks. Which of the following represents the most effective corrective control to address this vulnerability?

A. Implement a web application firewall (WAF).

B. Conduct regular penetration testing.

C. Use prepared statements and parameterized queries in the application code.

D. Encrypt the database.

A

Correct Answer: C

Explanation: Using prepared statements and parameterized queries is the most effective way to prevent SQL injection attacks by separating SQL logic from user input, making it impossible for malicious input to alter the query’s intent.

18
Q

Question 28:

Your incident response team has detected a potential data breach. Upon investigation, they discover the following log entry:

```
2023-05-15 02:34:18 UTC [192.168.1.100] POST /api/data HTTP/1.1 200 {"action":"exfiltrate", "destination":"10.20.30.40", "size":"1.5GB"}
```

Which of the following best describes the next step in the incident response process?

A. Eradication: Remove the malicious actor from the system

B. Recovery: Restore affected systems to normal operation

C. Containment: Isolate the affected systems and block the destination IP

D. Lessons Learned: Document the incident for future reference

A

Correct Answer: C

Explanation: The log shows active data exfiltration. The immediate next step should be containment: isolating affected systems and blocking the destination IP (10.20.30.40) to prevent further data loss, aligning with the incident response process.

19
Q

Question 29:

Your organization is implementing a new cloud-based security information and event management (SIEM) system. Which two of the following configurations would best align with both zero trust principles and effective security monitoring? (Choose two)

```yaml
siem_config:
  data_ingestion:
    sources: ["network_logs", "application_logs", "auth_logs"]
  authentication:
    method: "multi_factor"
  access_control:
    model: "least_privilege"
  encryption:
    data_at_rest: "AES-256"
    data_in_transit: "TLS 1.3"
  alert_mechanism:
    type: "real-time"
```

Options:

A. data_ingestion sources and real_time alert mechanism

B. multi_factor authentication and least_privilege access control

C. AES-256 encryption for data at rest and TLS 1.3 for data in transit

D. network_logs as the sole data source and periodic alert mechanism

E. single_factor authentication and role-based access control

A

Correct Answer: A, B

Explanation: Comprehensive data ingestion (A) enables effective security monitoring, while real-time alerts (A) allow for quick threat response.

Multi-factor authentication (B) and least-privilege access control (B) are core zero trust principles, enhancing security in the cloud environment.

20
Q

Question 30:

During a security assessment, you discover that an employee’s access badge was used to enter a restricted area outside of normal business hours. Upon further investigation, you find that the employee was on vacation at the time. Which of the following best describes this situation in terms of security controls and potential threats?

A. A failure of a detective control, indicating a possible insider threat

B. A successful implementation of a corrective control, mitigating a social engineering attack

C. An example of a compensating control, addressing a physical security vulnerability

D. A breakdown of a preventive control, suggesting a potential tailgating incident

A

Correct Answer: A

Explanation: This scenario demonstrates a failure of a detective control (access logs). The unauthorized use of the badge during the employee’s absence indicates a possible insider threat or stolen credentials, which the system detected but did not prevent.

21
Q

Question 31:

Your organization is developing a new web application and wants to ensure secure coding practices. Which of the following represents the most effective approach to prevent cross-site scripting (XSS) attacks?

A. Implement strong encryption for all data transmissions

B. Use prepared statements for database queries

C. Apply input validation and output encoding

D. Enable HTTP Strict Transport Security (HSTS)

A

Correct Answer: C

Explanation: Input validation and output encoding are the most effective methods to prevent XSS attacks. They ensure that user input is properly sanitized before processing and that any output to the browser is properly encoded to prevent script

22
Q

Question 32:

Your organization is implementing a new security awareness training program. You want to assess its effectiveness using metrics. Which two of the following metrics would best indicate the program’s success in improving the organization’s security posture? (Choose two)

Options:

A. Number of employees who completed the training

B. Reduction in successful phishing attempts

C. Increase in reported suspicious emails

D. Number of security policy violations

E. Time taken to complete the training modules

A

Correct Answer: B, C

Explanation: A reduction in successful phishing attempts (B) directly shows improved employee vigilance. An increase in reported suspicious emails (C) indicates heightened awareness and proactive security behavior. Both metrics demonstrate the practical application of the training, unlike completion rates or time spent, which don’t necessarily reflect improved security practices.

23
Q

Question 23:

You’re reviewing the following YAML configuration for a cloud-based application:

```yaml
security:
  authentication:
    method: "OAuth2.0"
    mfa: true
  authorization:
    type: "RBAC"
  data_protection:
    encryption: "AES-256"
    key_management: "HSM"
```

Which security principle does this configuration best exemplify?

A. Least privilege

B. Defense in depth

C. Separation of duties

D. Non-repudiation

A

Correct Answer: B

Explanation: This configuration demonstrates defense in depth by implementing multiple layers of security. It includes strong authentication (OAuth2.0 with MFA), authorization (RBAC), and data protection (encryption with secure key management), creating a multi-layered security approach.

24
Q

Question 34:

During a security audit, you discover that a critical business application is vulnerable to SQL injection attacks. The development team suggests implementing input validation as a solution. Which of the following represents a potential limitation of this approach?

A. It may introduce significant performance overhead

B. It could lead to false positives, blocking legitimate queries

C. It doesn’t address the root cause of the vulnerability

D. It requires constant updates to the validation rules

A

Correct Answer: C

Explanation: While input validation is beneficial, it doesn’t address the root cause of SQL injection vulnerabilities, which is the improper handling of user input in SQL queries. A more comprehensive solution would involve using parameterized queries or prepared statements to fundamentally prevent SQL

25
Q

Question 35:

Your organization is implementing a new security architecture. You’re reviewing the following JSON configuration for a critical system:
```json
{
  "network": {
    "segmentation": "micro",
    "encryption": "end-to-end"
  },
  "access": {
    "authentication": "mfa",
    "authorization": "just-in-time"
  },
  "monitoring": "continuous"
}
```

Which two principles of zero trust are best represented by this configuration? (Choose two)

A. Assume breach

B. Verify explicitly

C. Use least privilege access

D. Implement defense in depth

E. Trust but verify

A

Correct Answer: A, B

Explanation: The configuration exemplifies “Assume breach” (A) through micro-segmentation and continuous monitoring, preparing for potential compromises.

“Verify explicitly” (B) is demonstrated by multi-factor authentication and just-in-time authorization, ensuring thorough verification before granting access.

26
Q

Question 36:

During a security assessment, you discover an employee using a deception technology that creates fake network shares containing seemingly sensitive information. Which of the following best describes this technology and its primary purpose?

A. Honeypot - to detect and analyze potential insider threats.

B. Honeytoken - to track unauthorized access attempts.

C. Honeynet - to simulate a complete network environment.

D. Honeyfile - to identify and alert on potential data exfiltration.

A

Correct Answer: D

Explanation: This scenario describes a honeyfile, which is a fake file or document planted to attract attention and trigger alerts when accessed. Its primary purpose is identifying potential data exfiltration attempts or unauthorized access to sensitive information.

27
Q

Question 37:

Your organization is developing its incident response plan. The CEO insists on immediately shutting down all systems at the first sign of a breach. As the security lead, which of the following responses best addresses this approach while aligning with incident response best practices?

A. Agree with the CEO, as shutting down systems quickly prevents further damage.

B. Suggest a staged shutdown process to maintain some operational capacity.

C. Recommend against immediate shutdown, proposing instead to isolate and investigate affected systems first.

D. Advise creating multiple plans for different scenarios, each with predefined shutdown criteria.

A

Correct Answer: C

Explanation: Immediate shutdown can destroy valuable evidence and disrupt business operations unnecessarily.
Best practices involve isolating affected systems, preserving evidence, and conducting a thorough investigation to understand the breach’s scope and nature before taking drastic measures like complete shutdown.

28
Q

Question 38:
Your organization is implementing a new physical security system. You’re reviewing the following YAML configuration:

```yaml
entrance:
  primary:
    - access_control_vestibule
    - badge_reader
  secondary:
    - biometric_scanner
perimeter:
  - bollards
  - fencing
  - infrared_sensors
monitoring:
  - CCTV
  - security_guards
```

Which two physical security principles are best exemplified by this configuration? (Choose two)

A. Defense in depth

B. Principle of least privilege

C. Separation of duties

D. Deterrence

E. Non-repudiation

A

Correct Answer: A, D

Explanation: Immediate shutdown can destroy valuable evidence and disrupt business operations unnecessarily.
Best practices involve first isolating affected systems, preserving evidence, and conducting a thorough investigation to understand the breach’s scope and nature before taking drastic measures like complete shutdown.

29
Q

Question 39:

During a third-party risk assessment, you discover that a critical vendor has recently suffered a data breach. The vendor claims they’ve addressed the issue, but you’re concerned about potential ongoing risks. Which of the following actions would be most appropriate in this situation?

A. Immediately terminate the contract with the vendor.

B. Require the vendor to undergo an independent security audit.

C. Increase monitoring of the vendor’s access to your systems.

D. Accept the vendor’s assurance and continue business as usual.

A

Correct Answer: B

Explanation: Requiring an independent security audit is the most appropriate action. It provides an objective assessment of the vendor’s security posture post-breach, helping to verify their claims and identify any remaining vulnerabilities or risks that could affect your organization.

30
Q

Question 40:

You’re analyzing a recent security incident where an attacker gained unauthorized access to sensitive data. The investigation reveals that the attacker exploited a vulnerability in an outdated software component. Which of the following best describes the control that failed in this scenario?

A. Detective control

B. Corrective control

C. Compensating control

D. Preventive control

A

Correct Answer: D

Explanation: This scenario indicates a failure of a preventive control. Keeping software up-to-date and patching known vulnerabilities are preventive measures designed to stop unauthorized access before it occurs. The exploitation of an outdated software component suggests that this preventive control was not properly implemented or maintained

31
Q

Question 41:

Your organization is implementing a new cloud-based security solution. You’re reviewing the following JSON configuration:
```json
{
  "data_protection": {
    "encryption": "AES-256",
    "key_management": "BYOK"
  },
  "access_control": {
    "authentication": "MFA",
    "authorization": "ABAC"
  },
  "monitoring": {
    "log_analysis": "AI-powered",
    "alert_mechanism": "real-time"
  }
}
```

Which two security principles are best exemplified by this configuration? (Choose two)

A. Principle of least privilege

B. Defense in depth

C. Separation of duties

D. Zero trust

E. Non-repudiation

A

Correct Answer: B, D

Explanation:

This scenario indicates a failure of a preventive control. Keeping software up-to-date and patching known vulnerabilities are preventive measures designed to stop unauthorized access before it occurs. The exploitation of an outdated software component suggests that this preventive control was not properly implemented or maintained.

32
Q

Question 42:

During a security assessment, you discover that an employee fell victim to a sophisticated phishing attack that mimicked a trusted partner’s email. The attacker gained access to sensitive data by exploiting the trust relationship.
Which of the following best describes this type of attack?

A. Whaling
B. Vishing
C. Spear phishing
D. Business Email Compromise

A

Correct Answer: D

Explanation: This scenario describes a Business Email Compromise (BEC) attack. BEC attacks typically involve impersonating a trusted partner or executive to exploit established business relationships and processes, often leading to unauthorized access to sensitive data or fraudulent
financial transactions.

33
Q

Question 43:

Your organization is developing a new web application and wants to ensure secure coding practices. Which of the following represents the most effective approach to prevent Server-Side Request Forgery (SSRF) attacks?

A. Implement input validation on all user-supplied URLs

B. Use prepared statements for all database queries

C. Enable Content Security Policy (CSP) headers

D. Implement OAuth 2.0 for authentication

A

Correct Answer: A

Explanation: To prevent SSRF attacks, implementing strict input validation on all user-supplied URLs is crucial.
This includes validating and sanitizing any user input that could be used to make server-side requests, ensuring that only intended and safe URLs are processed by the server.

34
Q

Question 44:

A security analyst is reviewing the following YAML configuration snippet from a Zero Trust implementation:

```yaml
control_plane:
  authentication:
    mfa_required: true
    session_timeout: 1800
  data_access:
    default_deny: true
    just_in_time: enabled
```

Which TWO of the following accurately describe the security implications of this configuration? (Choose TWO)

Options:

A. The configuration enforces a 30-minute session timeout for authenticated users.

B. All data access requests are denied by default unless explicitly permitted.

C. Multi-factor authentication is optional for high-privilege accounts.

D. Just-in-time access provisioning is disabled for resource requests.

E. The control plane operates in a legacy trust-but-verify model.

A

Correct Answer: A, B

Explanation: The configuration shows MFA requirement (true), session timeout of 1800 seconds (30 minutes), and default deny with JIT access enabled. Options A and B directly correspond to these settings - 1800 seconds equals 30 minutes timeout, and default_deny: true implements zero-trust’s principle of denying all access by default.

35
Q

Question 45:

During a security audit, an analyst discovers that despite having standard security controls, sensitive data was exfiltrated. Upon investigation, it’s found that an attacker used a file that appeared legitimate but contained a beacon to track access. Which deception technology was likely deployed by the attacker, and what’s the MOST appropriate countermeasure?
Options:

A. Honeytoken; Implement file integrity monitoring

B. Honeypot; Deploy network segmentation

C. Honeyfile; Enable enhanced logging

D. Honeynet; Increase IDS sensitivity

A

Correct Answer: A

Explanation: A honeytoken is a tracked digital entity (like a file) used to detect unauthorized access. The scenario describes a honeytoken being used maliciously. File integrity monitoring would detect modifications and access to such files, making it the most effective

36
Q

Question 46:

An organization implements the following IoC detection rule:
```json
{
  "alert_type": "high",
  "match": {
    "process_name": "svchost.exe",
    "network_conn": "*.onion",
    "parent_process": "!"
  }
}
```

Which of the following attacks is this rule MOST likely designed to detect?

Options:

A. DNS tunneling attack

B. Tor-based malware communication

C. SQL injection attempt

D. Pass-the-hash attack

A

Correct Answer: B

Explanation: The rule monitors svchost.exe making connections to .onion domains (the Tor network) with an unusual parent process. This pattern typically indicates malware using the Tor network for command and control communication, making option B correct.

37
Q

Question 47:

A security analyst is investigating multiple failed authentication attempts across different systems. The following pattern is observed in the logs:
```json
{
  "auth_type": "basic",
  "attempts": ["admin", "root", "system"],
  "timing": "0.5s_interval",
  "source_ips": ["rotating"]
}
```

Which TWO of the following controls would be MOST effective in mitigating this attack? (Choose TWO)
Options:
A. Implement account lockout after three failed attempts

B. Enable password complexity requirements

C. Deploy adaptive multi-factor authentication

D. Configure SSL certificate validation

E. Enable verbose logging on all systems

A

Correct Answer: A, C

Explanation: The pattern shows automated password attacks using common admin accounts with rapid attempts from rotating IPs.

Account lockout (A) prevents brute force attempts, while adaptive MFA (C) adds an additional authentication layer that automated tools can’t easily bypass.

38
Q

Question 48:

During a physical security assessment of a data center, an auditor notices that the facility has implemented bollards, security guards, and microwave sensors, but employees frequently hold doors open for others. Which security control principle is being violated, and what type of control is MOST needed?
Options:

A. Defense in depth; Corrective control

B. Separation of duties; Detective control

C. Principle of least privilege; Preventive control

D. Zero trust; Directive control

A

Correct Answer: D

Explanation: The scenario shows a breakdown of zero trust principles where physical access is granted based on courtesy rather than verification. A Directive control (security policies and training) is needed to address the human behavior undermining existing security measures.

39
Q

Question 49:
A security team discovers unusual network traffic with the following characteristics:

```yaml
traffic:
  destination: internal_servers
  protocol: ICMP
  size: oversized
  frequency: periodic
  content: encrypted
```

What type of attack is MOST likely occurring?
Options:
A. DNS Cache Poisoning

B. ICMP Tunneling

C. ARP Spoofing

D. TCP SYN Flood

A

Correct Answer: B

Explanation: The traffic pattern shows oversized ICMP packets with encrypted content sent at a periodic frequency, classic indicators of ICMP tunneling, where the ICMP protocol is misused to create a covert channel for data exfiltration.

40
Q

Question 40:
During a security incident, the following deception technology configuration was active:

```yaml
deception:
  type: honeynet
  services:
    - ssh_emulation
    - web_admin
  logging: enhanced
  alert_threshold: low
```

Which TWO of the following accurately describe the purpose and effectiveness of this configuration? (Choose TWO)
Options:

A. It primarily prevents lateral movement within the network

B. It provides early warning of attacker techniques and tactics

C. It automatically blocks all suspicious connections

D. It ensures data integrity of production systems

E. It captures detailed information about attack patterns

A

Correct Answer: B, E

Explanation:

The honeynet configuration with enhanced logging and multiple emulated services is designed for early attack detection (B) and detailed attack pattern analysis (E).

The low alert threshold and service emulation focus on intelligence gathering rather than prevention or blocking.