Security Operations 1 Flashcards
A company implements a secure baseline across its network but finds that some systems are slowly drifting from the baseline configuration due to ad hoc changes by administrators. What is the BEST way to ensure continuous compliance?
A) Manually audit each system monthly
B) Implement a configuration management tool to monitor and enforce baselines
C) Require administrators to manually reapply security settings weekly
D) Deploy a zero-trust model to restrict administrator access
Answer: B) Implement a configuration management tool to monitor and enforce baselines
Explanation: Configuration management tools automate the enforcement of security baselines, ensuring that systems do not drift from approved configurations.
A cybersecurity team is tasked with implementing a layered security approach to protect an enterprise network. They decide to enforce strong user authentication, segment the network, apply endpoint protections, and monitor network traffic. Which security concept are they applying?
A) Zero trust architecture
B) Principle of least privilege
C) Role-based access control (RBAC)
D) Defense in depth (DiD)
✅ Correct Answer: D. Defense in depth (DiD)
Explanation: Defense in depth (DiD) is a layered security strategy that includes multiple security controls, such as authentication, network segmentation, endpoint protection, and monitoring, to protect against threats at different levels.
❌ Incorrect Answers:
A. Zero trust architecture (ZTA) focuses on strict access control and assumes no implicit trust, but DiD is broader and includes multiple layers of security.
B. Least privilege limits user permissions but does not encompass network segmentation, endpoint security, or traffic monitoring.
C. RBAC manages permissions based on user roles but is not a full security layering strategy.
A company has a bring-your-own-device (BYOD) policy that allows employees to use personal smartphones for work-related tasks. The security team is concerned about the risks associated with personal mobile devices connecting to the corporate network. Which of the following BEST mitigates these risks?
A) Require employees to use company-provided mobile devices
B) Implement a Mobile Device Management (MDM) solution
C) Disable wireless connectivity on personal devices
D) Restrict all personal devices from the network
Answer: B) Implement a Mobile Device Management (MDM) solution
Explanation: MDM solutions enforce security policies on mobile devices, ensuring compliance through encryption, remote wipe, patch management, and controlled network access.
A network administrator is setting up a wireless network for a corporate office. Before deploying access points, they conduct a thorough assessment of the building to identify potential interference and signal coverage issues. What is this process called?
A) Heat mapping
B) Wireless penetration testing
C) Site surveying
D) Frequency hopping
Answer: C) Site surveying
Explanation: Site surveys help identify physical obstacles, existing networks, and optimal placement for wireless access points (APs) before deployment.
A healthcare organization allows doctors to use their personal mobile devices to access patient records while working remotely. The IT department is concerned about securing sensitive data while ensuring device compatibility with the hospital’s network. Which solution BEST addresses this concern?
A) Require all employees to use corporate-owned devices
B) Implement a Mobile Device Management (MDM) solution to enforce security policies
C) Restrict mobile access to only Wi-Fi networks within the hospital
D) Disable mobile device access and require the use of desktop computers
Answer: B) Implement a Mobile Device Management (MDM) solution to enforce security policies
Explanation: MDM solutions allow organizations to apply security controls, such as device encryption, remote wipe capabilities, and access policies, while maintaining compatibility with BYOD devices.
A security engineer is configuring the wireless security settings for an enterprise network. The goal is to ensure that even if an attacker captures encrypted Wi-Fi traffic, they will not be able to decrypt past communications if the network password is compromised. Which security feature should be implemented?
A) WPA2-PSK with AES
B) WPA3-Personal with Simultaneous Authentication of Equals (SAE)
C) WEP with Open Authentication
D) WPA2-Enterprise with Pre-Shared Keys (PSKs)
Answer: B) WPA3-Personal with Simultaneous Authentication of Equals (SAE)
Explanation: WPA3-Personal uses SAE, which replaces pre-shared keys (PSK) and ensures perfect forward secrecy, preventing past communications from being decrypted even if credentials are stolen.
A developer is implementing input validation on a web application to prevent injection attacks. Which of the following is the MOST secure method of input validation?
A) Allowing special characters but limiting their frequency
B) Client-side validation only
C) Input deny listing
D) Input allow listing
✅ Correct Answer: D. Input allow listing
Explanation: Input allow listing is the most secure method because it defines explicitly permitted inputs while blocking all others, reducing the risk of SQL injection, XSS, and command injection attacks.
❌ Incorrect Answers:
A. Allowing special characters but limiting their frequency does not fully prevent injection attacks.
B. Client-side validation alone is insufficient because attackers can bypass it by modifying requests.
C. Input deny listing is weaker because attackers can find ways around the deny-listed inputs.
A cybersecurity team is testing a new application update for vulnerabilities before deploying it to production. They want to ensure the update does not negatively impact existing systems. Which technique should they use?
A) Continuous monitoring
B) Sandboxing
C) Dynamic analysis
D) Code obfuscation
Answer: B) Sandboxing
✔ Correct Explanation: Sandboxing isolates applications in a controlled environment, allowing teams to safely test updates, patches, or new software before deployment.
✘ Incorrect Answers:
A) Continuous monitoring – This detects vulnerabilities over time but does not isolate applications before deployment.
C) Dynamic analysis – This tests software during runtime but does not necessarily isolate it from affecting production systems.
D) Code obfuscation – This is used to make source code harder to analyze, not to test applications in an isolated environment.
A company is acquiring a new third-party software application to manage sensitive customer data. To ensure security during the procurement process, which of the following should be the FIRST step?
A) Require all employees to sign a non-disclosure agreement (NDA) before using the application
B) Deploy the application in a test environment before a security review
C) Install the application on production servers and monitor for potential vulnerabilities
D) Review the vendor’s security policies, certifications, and compliance with industry regulations
✅ Correct Answer: D. Review the vendor’s security policies, certifications, and compliance with industry regulations
Explanation: Before deploying third-party software, the first step in procurement security is to evaluate the vendor’s security policies, certifications, and regulatory compliance to ensure the software meets security standards.
❌ Incorrect Answers:
A. NDAs protect sensitive discussions but do not assess software security.
B. Testing the application is important but should be done after reviewing vendor security practices.
C. Installing software on production servers before evaluation is risky and could expose customer data to vulnerabilities.
A security analyst is responsible for securely decommissioning outdated file servers that contain sensitive financial data. What is the FIRST step that should be performed before disposal?
A) Format the hard drives and reinstall the operating system
B) Perform data sanitization to ensure no residual data remains
C) Physically remove the servers from the data center
D) Shred the hard drives without verifying stored data
Answer: B) Perform data sanitization to ensure no residual data remains
✔ Correct Explanation: Data sanitization ensures that all sensitive data is irreversibly removed before the servers are decommissioned and disposed of, preventing unauthorized recovery.
✘ Incorrect Answers:
A) Format the hard drives – Formatting does not permanently remove data; data can still be recovered.
C) Physically remove the servers – Moving the servers does not address data security.
D) Shred the hard drives without verifying stored data – Data should be sanitized first to prevent unnecessary loss or destruction of important records.
A security analyst needs to assess a company’s internal network for vulnerabilities without disrupting normal business operations. The scan should provide an in-depth view of potential weaknesses while minimizing network impact. Which of the following is the BEST type of scan to perform?
A) Non-credentialed, intrusive scan
B) Credentialed, non-intrusive scan
C) Non-credentialed, non-intrusive scan
D) Credentialed, intrusive scan
Answer: B) Credentialed, non-intrusive scan
✔ Correct Explanation: A credentialed, non-intrusive scan allows deep insight into vulnerabilities while minimizing disruption to business operations.
✘ Incorrect Answers:
A) Non-credentialed, intrusive scan – This is aggressive and may miss internal vulnerabilities since it lacks credentials.
C) Non-credentialed, non-intrusive scan – Limited to publicly accessible information, missing internal security gaps.
D) Credentialed, intrusive scan – Can identify deep vulnerabilities but may cause system instability during execution.
A penetration tester is hired to evaluate a web application’s security. The tester is required to analyze the application’s source code to detect potential flaws without executing it. Which method should they use?
A) Static analysis
B) Dynamic analysis
C) Package monitoring
D) Threat feed monitoring
Answer: A) Static analysis
✔ Correct Explanation: Static analysis reviews source code for vulnerabilities without execution, allowing early detection of security flaws.
✘ Incorrect Answers:
B) Dynamic analysis – Executes the code and observes runtime vulnerabilities, but does not inspect the source code directly.
C) Package monitoring – Analyzes network traffic, not application code.
D) Threat feed monitoring – Provides external threat intelligence, not application-specific vulnerability detection.
A penetration tester is hired to assess an organization’s network security. The tester is provided with some internal documentation about the network architecture and system configurations but is not given full administrative access. Which type of test is being performed?
A) Black-box testing
B) White-box testing
C) Gray-box testing
D) Vulnerability scanning
Answer: C) Gray-box testing
✔ Correct Explanation: Gray-box testing provides the tester with partial knowledge of the system while still requiring them to identify vulnerabilities as an external attacker would.
✘ Incorrect Answers:
A) Black-box testing – The tester has no prior knowledge of the system.
B) White-box testing – The tester has full knowledge and access to the system.
D) Vulnerability scanning – This identifies vulnerabilities but does not involve active exploitation like penetration testing.
A software development company is analyzing application source code before deployment to identify vulnerabilities such as buffer overflows and SQL injection flaws. What technique is the company using?
A) Input deny listing
B) Code obfuscation
C) Dynamic code analysis
D) Static code analysis
✅ Correct Answer: D. Static code analysis
Explanation: Static code analysis examines source code without executing it to detect vulnerabilities such as buffer overflows, SQL injection, and insecure coding practices before deployment.
❌ Incorrect Answers:
A. Input deny listing blocks specific inputs but does not analyze source code.
B. Code obfuscation makes code harder to read but does not identify vulnerabilities.
C. Dynamic code analysis tests applications while running, but this question specifies before deployment.
An organization wants to allow employees to use personal devices for work but needs to enforce security controls such as encryption, remote wipe capabilities, and app restrictions. Which deployment model is the organization using?
A) Corporate-Owned, Personally Enabled (COPE)
B) Bring Your Own Device (BYOD)
C) Choose Your Own Device (CYOD)
D) Corporate-Owned, Restricted Use
Answer: B) Bring Your Own Device (BYOD)
Explanation: BYOD allows employees to use personal devices for work while MDM solutions enforce security measures to mitigate risks.
A new security analyst has been assigned to a government contract requiring strict compliance with NIST guidelines. The analyst is tasked with establishing a secure baseline for all newly deployed systems. What should be the FIRST step in this process?
A) Deploy the baseline across all systems
B) Apply vendor security patches to all existing devices
C) Review industry and regulatory standards to define the baseline
D) Perform vulnerability scanning to detect deviations
Answer: C) Review industry and regulatory standards to define the baseline
Explanation: Establishing a secure baseline starts with referencing industry standards (e.g., NIST, CIS benchmarks) to ensure compliance before deployment.
A security consultant is analyzing a company’s wireless infrastructure and notices that access points are placed in areas with high levels of interference. Employees report weak signal strength and frequent disconnections. What should the consultant recommend FIRST?
A) Reduce the number of access points to limit interference
B) Increase the power output of all access points
C) Disable encryption to improve network performance
D) Relocate access points based on a heat map analysis
✅ Correct Answer: D. Relocate access points based on a heat map analysis
Explanation: A heat map analysis helps identify signal strength and interference areas, allowing optimal placement of access points to improve connectivity and reduce interference.
❌ Incorrect Answers:
A. Reducing the number of access points could make coverage worse, not better.
B. Increasing power output may cause overlapping interference, worsening the issue.
C. Disabling encryption does not improve signal strength and introduces security risks.
An administrator wants to harden workstations to reduce the attack surface. Which of the following measures should be implemented?
A) Disable unused services and ports, enforce screen locks, and install host-based firewalls
B) Enable all network services for compatibility, increase administrator privileges, and disable logging
C) Configure weak passwords for user convenience, install anti-virus software, and disable firewalls
D) Implement a guest network for workstation access, reduce password complexity, and allow USB device access
Answer: A) Disable unused services and ports, enforce screen locks, and install host-based firewalls
Explanation: Hardening workstations involves reducing attack surfaces by disabling unnecessary services, enforcing strong authentication, and applying host-based firewalls and IDS/IPS.
A financial institution wants to install a secure wireless network in its headquarters. The security team is concerned about unauthorized access and eavesdropping. Which of the following actions should be taken to enhance wireless security?
A) Disable SSID broadcast, enable WPA3 encryption, and use strong authentication protocols
B) Use WEP encryption, increase the signal strength, and allow open guest access
C) Deploy access points without encryption but monitor traffic for anomalies
D) Rely on MAC address filtering alone to prevent unauthorized access
Answer: A) Disable SSID broadcast, enable WPA3 encryption, and use strong authentication protocols
Explanation: WPA3 encryption provides the highest security, disabling SSID broadcast reduces visibility to attackers, and strong authentication (e.g., 802.1X) ensures only authorized users gain access.
A university wants to allow students from different institutions to seamlessly authenticate to its Wi-Fi network using credentials from their home institutions. Which authentication system should be implemented?
A) MAC address filtering
B) WPA3-Enterprise
C) Wi-Fi Protected Setup (WPS)
D) RADIUS federation
✅ Correct Answer: D. RADIUS federation
Explanation: RADIUS federation allows users to authenticate across multiple institutions using their home institution’s credentials. This is commonly used in eduroam, a global education roaming network.
❌ Incorrect Answers:
A. MAC address filtering is not an authentication system and can be easily bypassed.
B. WPA3-Enterprise improves security but does not provide cross-institution authentication.
C. WPS is insecure and does not handle authentication for multiple institutions.
A cybersecurity analyst is testing a web application and notices that it does not validate user input. What type of attack is the application MOST vulnerable to?
A) DNS poisoning
B) Man-in-the-middle (MITM)
C) Denial-of-service (DoS)
D) Cross-site scripting (XSS)
✅ Correct Answer: D. Cross-site scripting (XSS)
Explanation: XSS attacks occur when user input is not properly validated, allowing attackers to inject malicious scripts into web pages viewed by other users. This can lead to session hijacking, credential theft, and unauthorized actions.
❌ Incorrect Answers:
A. DNS poisoning manipulates DNS cache entries but is not directly related to user input validation.
B. MITM attacks intercept network communications but do not require input validation flaws.
C. DoS attacks overwhelm a system with excessive traffic but are not caused by improper input validation.
A security analyst is responsible for identifying and mitigating vulnerabilities in a critical business application throughout its entire lifecycle. Which technique should they implement?
A) Sandboxing
B) Continuous monitoring
C) Penetration testing
D) Input allow listing
Answer: B) Continuous monitoring
✔ Correct Explanation: Continuous monitoring tracks application behavior, vulnerabilities, and potential security flaws from development through end-of-life, ensuring long-term security.
✘ Incorrect Answers:
A) Sandboxing – This isolates applications for testing but does not continuously track vulnerabilities over time.
C) Penetration testing – This assesses security at a single point in time, rather than continuously monitoring for issues.
D) Input allow listing – This prevents malicious inputs but does not provide ongoing monitoring of security risks.
A security analyst is tasked with tracking and maintaining accountability for all IT assets. Which process ensures that each asset is properly assigned and secured?
A) Ownership assignment
B) Asset classification
C) Assignment and accounting
D) Inventory management
Answer: C) Assignment and accounting
✔ Correct Explanation: Assignment identifies the security classification, while accounting ensures responsibility for securing each asset; together they are critical for asset tracking.
✘ Incorrect Answers:
A) Ownership assignment – Determines who is responsible for the asset but does not track security classification.
B) Asset classification – Defines sensitivity levels but does not include ownership and responsibility.
D) Inventory management – Involves tracking assets, but does not assign security responsibility.
An organization is replacing its old hard drives and needs to ensure that no sensitive data can be recovered after disposal. Which of the following methods provides the MOST effective security?
A) Cryptographic erasure followed by physical destruction
B) Formatting the hard drives using a disk management tool
C) Deleting all files from the operating system and emptying the recycle bin
D) Storing the hard drives in a secure location indefinitely
Answer: A) Cryptographic erasure followed by physical destruction
✔ Correct Explanation: Cryptographic erasure ensures that encrypted data is unrecoverable, and physical destruction (e.g., shredding or degaussing) completely eliminates any possibility of data recovery.
✘ Incorrect Answers:
B) Formatting the hard drives – Data can still be recovered even after formatting.
C) Deleting files and emptying the recycle bin – Deleted files remain on the disk and can be restored.
D) Storing drives in a secure location – This only delays disposal and does not eliminate the risk of unauthorized access.
A researcher discovers a critical zero-day vulnerability in a company’s web application. The researcher wants to report the issue but is concerned about legal consequences. What is the BEST way to report the vulnerability?
A) Disclose the vulnerability on social media to force a response
B) Submit the details through the company’s Responsible Disclosure Program
C) Exploit the vulnerability and contact the company afterward
D) Sell the exploit to a third party for financial gain
Answer: B) Submit the details through the company’s Responsible Disclosure Program
✔ Correct Explanation: A Responsible Disclosure Program allows security researchers to safely report vulnerabilities without fear of legal repercussions.
✘ Incorrect Answers:
A) Disclosing on social media – May lead to misuse by malicious actors before the company can patch it.
C) Exploiting the vulnerability – Could be illegal and unethical without permission.
D) Selling the exploit – Violates ethical and legal standards and could be used for malicious purposes.
A security consultant is conducting a penetration test and is instructed to avoid disrupting business operations while identifying vulnerabilities. What type of test should they perform?
A) Bug bounty program
B) System audit
C) Non-intrusive penetration test
D) Red team exercise
Answer: C) Non-intrusive penetration test
✔ Correct Explanation: A non-intrusive penetration test identifies vulnerabilities without actively exploiting them, ensuring business operations remain unaffected.
✘ Incorrect Answers:
A) Bug bounty program – Involves external researchers, not an in-house penetration test.
B) System audit – Reviews security compliance, not exploitable vulnerabilities.
D) Red team exercise – Simulates real attacks and could disrupt operations.
A company launches a bug bounty program and offers financial rewards to external researchers who discover vulnerabilities. What is the PRIMARY benefit of this approach?
A) It ensures all vulnerabilities are patched before release
B) It allows external security professionals to continuously test the system
C) It replaces the need for internal security teams
D) It provides full security coverage without requiring additional resources
Answer: B) It allows external security professionals to continuously test the system
✔ Correct Explanation: Bug bounty programs engage external researchers to identify vulnerabilities continuously, increasing security coverage beyond internal testing.
✘ Incorrect Answers:
A) Ensuring all vulnerabilities are patched – Bug bounties help find issues but do not guarantee all vulnerabilities are eliminated.
C) Replacing internal security teams – Internal teams are still needed for patching and security management.
D) Full security coverage without additional resources – Bug bounty programs require oversight and resource management.
A security team is reviewing vulnerabilities in an application and wants to analyze its behavior while it is actively running. Which of the following methods should they use?
A) Static analysis
B) Dynamic analysis
C) OSINT
D) Threat feed monitoring
Answer: B) Dynamic analysis
✔ Correct Explanation: Dynamic analysis evaluates an application’s runtime behavior, detecting exploitable vulnerabilities during execution.
✘ Incorrect Answers:
A) Static analysis – Only examines source code without execution.
C) OSINT – Gathers external intelligence but does not test the application itself.
D) Threat feed monitoring – Provides threat intelligence but does not actively analyze code behavior.
A company wants to ensure that users only install verified and untampered applications on their devices. What security measure should be implemented?
A) Code obfuscation
B) Code signing
C) Secure cookies
D) Static code analysis
Answer: B) Code signing
Explanation: Code signing verifies the integrity and authenticity of software by using digital signatures, ensuring that applications haven’t been altered after deployment.
A penetration tester is evaluating the security of a corporate wireless network. The tester notices that the network uses WPA2 but is vulnerable to offline dictionary attacks against the pre-shared key (PSK). Which wireless security improvement should be recommended?
A) Enable Wi-Fi Protected Setup (WPS) for faster authentication
B) Implement WEP with a longer key
C) Use WPA2-TKIP instead of WPA2-AES
D) Switch to WPA3-Personal with SAE
✅ Correct Answer: D. Switch to WPA3-Personal with SAE
Explanation: WPA3-Personal replaces WPA2-PSK with Simultaneous Authentication of Equals (SAE), which prevents offline dictionary attacks by using a more secure key exchange method.
❌ Incorrect Answers:
A. Enabling WPS introduces serious security vulnerabilities, making brute-force attacks easier.
B. WEP is highly insecure, even with a longer key, as it can be cracked within minutes.
C. WPA2-TKIP is less secure than WPA2-AES and does not protect against dictionary attacks.
A company wants to ensure that employees have mobile devices that are both secure and meet company standards, but also allow users some level of control. Which deployment model BEST aligns with this requirement?
A) Open Access Model
B) Bring Your Own Device (BYOD)
C) Choose Your Own Device (CYOD)
D) Corporate-Owned, Personally Enabled (COPE)
✅ Correct Answer: D. Corporate-Owned, Personally Enabled (COPE)
Explanation: COPE allows a company to own and manage the devices while also permitting employees to use them for personal purposes, striking a balance between security and user control.
❌ Incorrect Answers:
A. Open Access Model does not enforce security standards and would be a high-risk approach.
B. BYOD allows employees to use personal devices, which limits company control and security enforcement.
C. CYOD allows employees to select a device from an approved list, but COPE provides more personal flexibility while maintaining company security.
A hospital administrator needs to determine the appropriate classification level for patient health records. Which factor is the MOST important when determining classification?
A) The storage location of the data
B) The likelihood of exposure and regulatory requirements
C) The number of users accessing the data
D) The cost of the database storing the records
Answer: B) The likelihood of exposure and regulatory requirements
✔ Correct Explanation: Data classification considers sensitivity, potential exposure risks, and regulatory requirements, especially in healthcare settings (e.g., HIPAA).
✘ Incorrect Answers:
A) Storage location – Location matters, but classification is based on data sensitivity.
C) Number of users – Access control matters, but classification is based on data risk.
D) Cost of storage – Financial considerations do not define security classification.
A company is disposing of paper documents containing sensitive client information. Which destruction method would BEST prevent unauthorized access?
A) Shredding followed by pulping
B) Storing documents in a locked file cabinet
C) Deleting the electronic versions of the documents
D) Cross-cut shredding without further disposal steps
Answer: A) Shredding followed by pulping
✔ Correct Explanation: Shredding and pulping destroy the paper fibers, making it impossible to reconstruct the original documents.
✘ Incorrect Answers:
B) Storing documents in a locked file cabinet – This does not destroy the documents and leaves them vulnerable to unauthorized access.
C) Deleting electronic versions – This does not address the disposal of physical documents.
D) Cross-cut shredding only – Additional measures like pulping or incineration further reduce the risk of data reconstruction.
A cybersecurity analyst is investigating suspicious activity on the company’s network after noticing irregular outbound traffic to an unknown external IP address. The analyst suspects that sensitive data is being exfiltrated, but needs to confirm the contents and source of the traffic. Which of the following tools would be the MOST effective in identifying the specific data being transmitted?
A) Network intrusion detection system (NIDS)
B) Packet capture and analysis tool
C) Threat intelligence platform
D) SIEM (Security Information and Event Management) system
Answer: B) Packet capture and analysis tool
✔ Correct Explanation: A packet capture and analysis tool (e.g., Wireshark) allows the analyst to inspect individual packets, identify the contents of the transmitted data, determine if sensitive information is being exfiltrated, and analyze communication with the unknown external IP.
✘ Incorrect Answers:
A) NIDS (Network Intrusion Detection System) – Can detect unusual traffic patterns but does not capture full packet contents for detailed analysis.
C) Threat intelligence platform – Provides general information on known threats, but does not inspect live network traffic.
D) SIEM (Security Information and Event Management) – Aggregates logs and alerts but does not capture raw packet data for detailed forensic analysis.
A security administrator is tasked with identifying emerging threats that could impact the organization’s IT infrastructure. Which source would provide the MOST up-to-date intelligence on zero-day vulnerabilities?
A) Open-source intelligence (OSINT)
B) Proprietary threat intelligence
C) Dark web forums
D) Information-sharing organizations
Answer: B) Proprietary threat intelligence
✔ Correct Explanation: Proprietary threat intelligence (e.g., vendor reports, closed security groups) provides early access to zero-day vulnerabilities before they become publicly known.
✘ Incorrect Answers:
A) OSINT – Offers publicly available intelligence, but not always real-time for zero-days.
C) Dark web forums – May have malicious actors discussing exploits, but not a verified intelligence source.
D) Information-sharing organizations – Useful for known vulnerabilities but not as fast as proprietary feeds for zero-days.
A malware analyst wants to examine a suspicious file without risking infection to the corporate network. What is the BEST way to perform this analysis?
A) Run the file on a developer’s workstation
B) Execute the file in an isolated virtual sandbox
C) Upload the file to a cloud-based shared drive for inspection
D) Install the file on a test server within the production environment
Answer: B) Execute the file in an isolated virtual sandbox
✔ Correct Explanation: A sandbox isolates the file from the main system, allowing security teams to analyze its behavior safely without risking malware spreading to other systems.
✘ Incorrect Answers:
A) Run the file on a developer’s workstation – This could lead to system infection if the file contains malware.
C) Upload the file to a cloud-based shared drive – This does not provide a safe execution environment and could expose the file to other systems.
D) Install the file on a test server within the production environment – This risks compromising production systems if the file is malicious.
A security administrator is responsible for setting up new systems for a financial institution. To ensure consistency and compliance with industry standards, they must configure these systems with a predefined set of security settings before deployment. What security concept is being applied?
A) Zero trust architecture
B) Least privilege enforcement
C) Security hardening
D) Secure baselines
✅ Correct Answer: D. Secure baselines
Explanation: Secure baselines provide a predefined set of security configurations that ensure systems are hardened and compliant with industry standards before deployment, reducing security risks.
❌ Incorrect Answers:
A. Zero trust architecture enforces strict access controls but does not define predeployment system configurations.
B. Least privilege enforcement limits user permissions but does not configure system-wide security settings.
C. Security hardening is a broader concept that includes multiple security techniques, whereas a secure baseline provides standardized settings.
An organization wants to prevent unauthorized users from accessing its wireless network while ensuring legitimate users can connect with minimal friction. Which authentication method is BEST suited for this purpose?
A) Open authentication
B) Pre-shared key (PSK) authentication
C) IEEE 802.1X authentication with RADIUS
D) MAC address filtering
Answer: C) IEEE 802.1X authentication with RADIUS
Explanation: 802.1X with RADIUS enforces strong authentication through centralized identity verification, reducing the risk of unauthorized access compared to PSK or MAC filtering.
A security administrator is reviewing the network logs and notices an increase in unauthorized Bluetooth connections near the company’s headquarters. What security risk does this pose?
A) Cellular tower hijacking
B) Unauthorized device pairing and potential data exfiltration
C) Man-in-the-middle attacks on encrypted emails
D) Unauthorized DNS tunneling
Answer: B) Unauthorized device pairing and potential data exfiltration
Explanation: Bluetooth vulnerabilities can lead to unauthorized pairing, data theft, and Bluetooth-based attacks, such as Bluejacking and Bluesnarfing.
A network engineer is securing a switch to prevent unauthorized access and limit potential attack vectors. Which of the following techniques should they implement?
A) Disable unused ports, apply security patches, and monitor logs via SIEM
B) Enable all interfaces for future expansion, allow remote access via Telnet, and reduce VLAN segmentation
C) Open all ports to improve device communication and reduce complexity
D) Remove authentication requirements for administrators to streamline troubleshooting
Answer: A) Disable unused ports, apply security patches, and monitor logs via SIEM
Explanation: Hardening a switch includes disabling unused ports, applying patches, and monitoring network activity via SIEM tools to detect anomalies.
A security administrator wants to ensure that all wireless authentication methods used on the corporate network adhere to the IEEE 802.1X standard. Which authentication protocol should be implemented?
A) Open System Authentication
B) Pre-Shared Key (PSK) Authentication
C) Wi-Fi Protected Setup (WPS)
D) Extensible Authentication Protocol (EAP)
✅ Correct Answer: D. Extensible Authentication Protocol (EAP)
Explanation: EAP is a flexible authentication framework that supports IEEE 802.1X, which is commonly used in enterprise wireless security for authentication via RADIUS servers and certificates.
❌ Incorrect Answers:
A. Open System Authentication provides no authentication or encryption, making it insecure.
B. PSK authentication is used in WPA2-Personal but does not adhere to the 802.1X standard required for enterprise security.
C. WPS is an insecure simplified setup method, not an authentication protocol for 802.1X networks.
A web application is using cookies to store session information. Which of the following should be implemented to ensure that cookies are transmitted securely?
A) Use deny listing to block unauthorized cookie modifications
B) Store cookies only in the browser cache
C) Encrypt cookies with a symmetric key
D) Use the Secure flag to ensure cookies are sent over HTTPS
✅ Correct Answer: D. Use the Secure flag to ensure cookies are sent over HTTPS
Explanation: The Secure flag ensures that cookies are only transmitted over encrypted HTTPS connections, preventing attackers from intercepting session data via man-in-the-middle (MITM) attacks.
❌ Incorrect Answers:
A. Deny listing does not secure cookie transmissions but instead blocks certain modifications.
B. Storing cookies in the browser cache does not protect them from being sent over insecure connections.
C. Encrypting cookies can help protect stored data but does not ensure secure transmission like the Secure flag does.
A government agency follows strict disposal protocols for classified information. Which of the following is the MOST appropriate method for ensuring complete destruction of classified digital media?
A) Reformatting and overwriting data multiple times
B) Degaussing and physically destroying the storage device
C) Encrypting the data and leaving the storage device in a secure room
D) Disabling the device and placing it in long-term storage
Answer: B) Degaussing and physically destroying the storage device
✔ Correct Explanation: Degaussing erases magnetic storage, while physical destruction (e.g., shredding, pulverizing) ensures classified data cannot be recovered.
✘ Incorrect Answers:
A) Reformatting and overwriting – May reduce the chance of recovery, but advanced forensics can still retrieve data.
C) Encrypting and storing securely – Encryption protects data but does not eliminate it.
D) Disabling and storing the device – Storage does not prevent potential breaches.
A company is implementing an asset classification policy to improve security. Which of the following is the PRIMARY reason for classifying assets?
A) To limit employee access to IT systems
B) To determine appropriate security controls based on data sensitivity
C) To reduce the number of assets in inventory
D) To ensure all data is stored in a single repository
Answer: B) To determine appropriate security controls based on data sensitivity
✔ Correct Explanation: Asset classification ensures sensitive data receives the appropriate security protections, including encryption, access controls, and compliance measures.
✘ Incorrect Answers:
A) Limit employee access – Access may be restricted, but classification is focused on data protection.
C) Reduce asset inventory – Classification does not remove assets; it organizes them by sensitivity.
D) Store all data in one repository – Data should be protected, not necessarily centralized.
A security analyst wants to research vulnerabilities actively being discussed and exploited by cybercriminals. Which source would be the BEST for gathering this intelligence?
A) Vendor security bulletins
B) OSINT
C) Dark web
D) Threat feed monitoring
Answer: C) Dark web
✔ Correct Explanation: The dark web is a known marketplace for cybercriminal activity, where zero-day exploits and vulnerabilities may be discussed before they are widely known.
✘ Incorrect Answers:
A) Vendor security bulletins – Provide official disclosures, but do not cover underground discussions.
B) OSINT – Gathers intelligence from public sources, but not from hidden dark web marketplaces.
D) Threat feed monitoring – Aggregates threat data but does not provide underground cybercriminal insights.
A network engineer is testing a newly discovered vulnerability by sending previously captured network packets back into the system to analyze responses. Which technique is being used?
A) Packet capture
B) Threat intelligence
C) Packet replay
D) Dynamic code analysis
Answer: C) Packet replay
✔ Correct Explanation: Packet replay involves resending previously captured network traffic to test how a system responds to known vulnerabilities.
✘ Incorrect Answers:
A) Packet capture – Records network traffic but does not resend it.
B) Threat intelligence – Monitors threats but does not involve traffic manipulation.
D) Dynamic code analysis – Tests running applications, not network packets.
A cybersecurity team wants to proactively defend against new exploits by gathering intelligence from a constantly updated database of attack signatures and vulnerability information. Which method should they use?
A) Packet monitoring
B) Threat feed monitoring
C) OSINT
D) Dark web forums
Answer: B) Threat feed monitoring
✔ Correct Explanation: Threat feed monitoring provides real-time updates on emerging threats, vulnerabilities, and attack signatures, helping security teams respond proactively.
✘ Incorrect Answers:
A) Packet monitoring – Captures network traffic but does not provide ongoing intelligence on external threats.
C) OSINT – Offers general intelligence but may not provide real-time updates.
D) Dark web forums – May contain valuable exploit discussions, but lack structured, actionable intelligence.
A security firm is conducting an external audit of a company’s cybersecurity posture. The audit follows a structured framework to evaluate compliance with industry security standards. Which assessment method is being used?
A) Penetration testing
B) System/process audit
C) Red team exercise
D) Vulnerability scanning
Answer: B) System/process audit
✔ Correct Explanation: A system/process audit is a formal evaluation that follows a structured framework to assess compliance and identify security gaps.
✘ Incorrect Answers:
A) Penetration testing – Actively exploits vulnerabilities, while audits review security controls.
C) Red team exercise – Simulates real-world attacks instead of focusing on compliance.
D) Vulnerability scanning – Identifies technical weaknesses but does not evaluate overall security processes.
An organization wants to identify unauthorized changes to its web application’s source code. Which of the following methods would be MOST effective?
A) Sandboxing
B) Continuous monitoring
C) Secure cookies
D) Zero trust architecture
Answer: B) Continuous monitoring
✔ Correct Explanation: Continuous monitoring detects changes to application source code, helping identify unauthorized modifications or vulnerabilities.
✘ Incorrect Answers:
A) Sandboxing – This is used for isolating applications but does not monitor real-time code changes.
C) Secure cookies – These protect session data but do not monitor application code.
D) Zero trust architecture – This enforces strict access controls but does not track code modifications.
A security engineer is reviewing a web application that relies solely on client-side validation for input validation. What is the PRIMARY security risk associated with this approach?
A) Slower application performance due to excessive validation
B) Client-side validation can be bypassed by attackers
C) Increased risk of brute-force attacks
D) Incompatibility with modern encryption standards
Answer: B) Client-side validation can be bypassed by attackers
Explanation:
Client-side validation checks occur on the user’s browser before data is sent to the server. While it provides immediate feedback to the user, attackers can easily manipulate client-side scripts or use browser developer tools to bypass these checks and submit invalid or malicious data to the server. This means that even if the user sees an error message on their screen indicating invalid input, the server could still receive and process the tainted data.
A healthcare organization has implemented secure baselines for its medical devices. However, due to new regulatory changes, the IT team must modify security configurations to comply with updated HIPAA guidelines. What is the MOST effective way to handle this update?
A) Create an entirely new baseline from scratch
B) Deploy patches to individual devices and ignore the baseline
C) Update the secure baseline and push changes through configuration management tools
D) Allow individual departments to configure their own baselines
Answer: C) Update the secure baseline and push changes through configuration management tools
Explanation: Maintaining a secure baseline requires ongoing updates to meet compliance requirements. Configuration management tools ensure organization-wide consistency.
A security analyst is reviewing a heat map of an office building’s wireless network. They notice strong signal coverage outside the company’s perimeter. Which of the following security risks does this pose?
A) Increased network latency
B) Unauthorized access from nearby attackers
C) Decreased network throughput
D) Unintentional interference with wired connections
Answer: B) Unauthorized access from nearby attackers
Explanation: Strong wireless signals extending beyond the intended area can allow war drivers or attackers to attempt unauthorized access, requiring signal tuning and security measures.
A financial institution requires employees to use mobile devices strictly for work purposes. Employees can only install pre-approved apps, and all data is encrypted. Which deployment model is the company using?
A) Bring Your Own Device (BYOD)
B) Corporate-Owned, Personally Enabled (COPE)
C) Choose Your Own Device (CYOD)
D) Corporate-Owned, Restricted Use
✅ Correct Answer: D. Corporate-Owned, Restricted Use
Explanation: Corporate-Owned, Restricted Use (CORU) ensures that mobile devices are strictly for work purposes, allowing only pre-approved apps and enforcing strong security controls like encryption and policy enforcement.
❌ Incorrect Answers:
A. BYOD allows employees to use personal devices, which does not enforce strict work-only policies.
B. COPE allows for personal use, but this scenario restricts all non-work activities.
C. CYOD allows employees to choose a device from a pre-approved list, but it does not inherently restrict personal use.
A company’s security team is deploying WPA3-Enterprise to improve wireless security. What advantage does this provide over WPA2-Enterprise?
A) Eliminates the need for an authentication server
B) Implements perfect forward secrecy to protect past transmissions
C) Uses the TKIP encryption protocol for enhanced security
D) Allows devices to authenticate using MAC address filtering
Answer: B) Implements perfect forward secrecy to protect past transmissions
Explanation: WPA3-Enterprise improves security over WPA2-Enterprise by implementing perfect forward secrecy, ensuring that past data remains encrypted even if credentials are compromised.
A developer wants to prevent an attacker from modifying an application’s executable files after deployment. What security technique should be used?
A) Static code analysis
B) Secure cookies
C) Input allow listing
D) Code signing
✅ Correct Answer: D. Code signing
Explanation: Code signing ensures the integrity and authenticity of an application’s executable files by using digital signatures, preventing attackers from modifying them without detection.
❌ Incorrect Answers:
A. Static code analysis helps identify security flaws before deployment, but it does not prevent modification of executables.
B. Secure cookies protect web sessions, not application executables.
C. Input allow listing helps prevent malicious input attacks (e.g., SQL injection) but does not protect executable files.
A company wants to ensure that its asset disposal process is auditable and verifiable. What step should be implemented?
A) Obtain a certification of destruction from an accredited disposal service
B) Store records indefinitely in an offsite facility
C) Assign an internal team to oversee disposal without documentation
D) Delete electronic records and dispose of physical records informally
Answer: A) Obtain a certification of destruction from an accredited disposal service
✔ Correct Explanation: Certification of destruction provides a documented record proving the asset was properly disposed of, ensuring compliance with security policies.
✘ Incorrect Answers:
B) Store records indefinitely – This does not confirm proper destruction of disposed assets.
C) Oversee disposal without documentation – Lack of documentation makes audits and verification difficult.
D) Dispose informally – This increases the risk of data leaks and does not ensure compliance.
An IT security manager wants to ensure that unauthorized devices cannot connect to the company network. What is the BEST approach to track and secure IT assets?
A) Asset enumeration using network scanning tools
B) Implement a bring-your-own-device (BYOD) policy
C) Assign asset ownership to all employees
D) Restrict administrative access to IT personnel only
Answer: A) Asset enumeration using network scanning tools
✔ Correct Explanation: Asset enumeration scans the network to identify all active and unauthorized devices, ensuring only approved assets are connected.
✘ Incorrect Answers:
B) BYOD policy – This governs employee devices, but does not track unauthorized assets.
C) Assign asset ownership – Ownership defines responsibility but does not track network devices.
D) Restrict IT admin access – This improves access control, but does not track network devices.
A penetration tester is hired to simulate a real-world attack without being given any information about the company’s network infrastructure. What type of penetration test is this?
A) White-box testing
B) Gray-box testing
C) Black-box testing
D) Bug bounty testing
Answer: C) Black-box testing
✔ Correct Explanation: Black-box testing simulates a real-world attack scenario where the tester has no prior knowledge of the target environment, mimicking how an external attacker would operate.
✘ Incorrect Answers:
A) White-box testing – Involves full knowledge of the system.
B) Gray-box testing – Involves partial knowledge of the system.
D) Bug bounty testing – Is not a type of penetration test, but an incentive program for external researchers.
An organization experiences multiple intrusion attempts on its routers. The security team wants to implement additional security measures to protect external network communication. Which of the following is the BEST way to harden a router?
A) Implement VPNs, enable firewalls, and restrict administrative access
B) Allow unrestricted remote access, enable Telnet, and disable logging
C) Open all ports to improve traffic flow, disable encryption, and allow SNMPv1
D) Disable firewall rules, reduce logging to conserve storage, and allow unauthenticated updates
Answer: A) Implement VPNs, enable firewalls, and restrict administrative access
Explanation: Hardening routers involves enabling VPNs for secure communication, firewalls for traffic filtering, and restricting administrative access to prevent unauthorized control.
A security engineer is implementing policies to prevent mobile devices from connecting to rogue Wi-Fi networks while ensuring that employees can still work remotely. Which BEST mitigates this risk?
A) Require VPN usage for all mobile connections
B) Disable all wireless connectivity on mobile devices
C) Enforce a policy that only allows Bluetooth connectivity
D) Require employees to use only 5G networks for remote access
Answer: A) Require VPN usage for all mobile connections
Explanation: VPNs secure remote connections by encrypting traffic, reducing the risk of man-in-the-middle (MITM) attacks on rogue Wi-Fi networks.
A government agency wants to deploy mobile devices that allow employees to select a phone from a company-approved list while ensuring full device security and management. Which deployment model is MOST appropriate?
A) Corporate-Owned, Personally Enabled (COPE)
B) Bring Your Own Device (BYOD)
C) Corporate-Owned, Restricted Use
D) Choose Your Own Device (CYOD)
✅ Correct Answer: D. Choose Your Own Device (CYOD)
Explanation: CYOD allows employees to choose from a pre-approved list of devices while ensuring full corporate security, management, and policy enforcement—making it the best fit for a government agency that requires both flexibility and control.
❌ Incorrect Answers:
A. COPE provides a company-issued device that allows personal use, but it does not necessarily offer choice from a list.
B. BYOD allows employees to use personal devices, which does not ensure full security and management.
C. Corporate-Owned, Restricted Use strictly limits functionality and does not provide employee choice in devices.
A network administrator needs to secure a Wi-Fi network for an environment with mixed legacy and modern devices. The company wants to balance security and compatibility while ensuring data confidentiality. Which encryption protocol should they use?
A) WEP
B) WPA2-CCMP
C) WPA3-SAE
D) WPA2-TKIP
Answer: B) WPA2-CCMP
Explanation: WPA2-CCMP (AES) provides strong encryption while maintaining compatibility with older devices that do not support WPA3.
Why other options are not ideal:
A) WEP:
WEP (Wired Equivalent Privacy) is outdated and considered insecure. It is easily crackable and should be avoided at all costs.
C) WPA3-SAE:
WPA3-SAE offers stronger encryption and authentication than WPA2 and has superseded it, but legacy devices that do not support WPA3 would be unable to connect, so it does not meet the compatibility requirement of this mixed environment. CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) is the AES-based encryption used in WPA2 and remains secure for devices that cannot use WPA3.
D) WPA2-TKIP:
WPA2-TKIP uses the Temporal Key Integrity Protocol (TKIP) for encryption, which is now considered weak and vulnerable to attacks. WPA2-CCMP (AES) should be used instead of WPA2-TKIP whenever possible.
A penetration tester is assessing a company’s web application and finds that input validation only removes special characters instead of defining acceptable input formats. Why is this approach LESS secure?
A) It does not allow developers to track user behavior
B) Attackers can find ways to insert malicious payloads that bypass the filters
C) It forces the application to use excessive processing power
D) Removing special characters makes the application more vulnerable to DoS attacks
Answer: B) Attackers can find ways to insert malicious payloads that bypass the filters
Explanation: Deny listing is less secure than allow listing because attackers can use encoding tricks (e.g., Unicode, hex encoding) to bypass input sanitization filters.
A financial institution is classifying assets to improve data security. Which factor is the MOST important when classifying a customer’s banking records?
A) The size of the financial transaction
B) The confidentiality and regulatory requirements of the data
C) The geographic location of the customer
D) The encryption method used to protect the data
Answer: B) The confidentiality and regulatory requirements of the data
✔ Correct Explanation: Confidentiality and regulatory compliance (e.g., PCI DSS) dictate security measures for sensitive banking records.
✘ Incorrect Answers:
A) Size of transaction – Classification is based on data sensitivity, not transaction size.
C) Geographic location – Location impacts data sovereignty, but does not determine classification.
D) Encryption method – Encryption is a security control, not a classification factor.
A security engineer is tasked with analyzing the impact of a newly developed software feature on a network’s security posture before deployment. Which method should they use?
A) Implement the feature directly in the production environment
B) Perform the update on a sandboxed test system
C) Monitor the application for vulnerabilities after deployment
D) Disable all security controls to see how the feature operates without restrictions
Answer: B) Perform the update on a sandboxed test system
✔ Correct Explanation: A sandboxed test system allows engineers to analyze how a new feature impacts security before deploying it to production.
✘ Incorrect Answers:
A) Implement the feature directly in the production environment – This is risky and can introduce security vulnerabilities without proper testing.
C) Monitor the application for vulnerabilities after deployment – This does not prevent security issues from occurring in the first place.
D) Disable all security controls – This would expose the system to potential security threats without any protections.
A security team has deployed secure baselines across all corporate workstations. However, a recent audit found that many systems were missing security patches. What is the MOST likely cause of this issue?
A) Secure baselines automatically prevent software updates
B) The organization does not use a zero-trust security model
C) The company lacks proper user access controls
D) The secure baseline does not include patch management policies
✅ Correct Answer: D. The secure baseline does not include patch management policies
Explanation: Secure baselines define security configurations for systems, but if patch management is not included, systems may fail to receive critical updates, leading to security vulnerabilities.
❌ Incorrect Answers:
A. Secure baselines do not automatically prevent updates; missing patches indicate a policy gap, not a restriction.
B. A zero-trust security model focuses on access control, not patch management.
C. User access controls regulate permissions but are not directly responsible for missing patches.
Which of the following wireless connection methods is MOST susceptible to interference from household devices such as microwaves and cordless phones?
A) Satellite communications
B) 5G cellular
C) Bluetooth
D) Wi-Fi (2.4 GHz)
✅ Correct Answer: D. Wi-Fi (2.4 GHz)
Explanation: Wi-Fi operating on the 2.4 GHz frequency is highly susceptible to interference from household devices such as microwaves, cordless phones, and baby monitors, which also operate in the same frequency range.
❌ Incorrect Answers:
A. Satellite communications are not affected by household device interference but can be disrupted by weather conditions.
B. 5G cellular networks operate at higher frequencies (sub-6 GHz or mmWave), which are less prone to household interference.
C. Bluetooth also uses 2.4 GHz, but it employs frequency hopping to mitigate interference, making it less susceptible than Wi-Fi.
A government agency is deploying a highly secure wireless network. Which encryption protocol should be used to provide the strongest protection?
A) WEP
B) WPA
C) WPA2-PSK
D) WPA3-Enterprise
Answer: D) WPA3-Enterprise
Explanation: WPA3-Enterprise provides the strongest encryption, individualized data encryption, and robust authentication mechanisms, making it ideal for high-security environments.
Why other options are not ideal:
A) WEP: Outdated and insecure, easily crackable by hackers due to weak encryption.
B) WPA: An improvement over WEP, but still less secure than WPA3.
C) WPA2-PSK: While more secure than WEP and WPA, it relies on a single pre-shared key (PSK) shared by all users, which is more vulnerable to attacks than WPA3-Enterprise’s individual, per-user encryption.
An organization must comply with legal requirements regarding data retention. Which of the following factors should be considered in the company’s data retention policy?
A) Industry regulations, storage costs, and destruction policies
B) Keeping all data indefinitely to prevent legal issues
C) Encrypting all data and never deleting it
D) Automatically deleting all records after six months
Answer: A) Industry regulations, storage costs, and destruction policies
✔ Correct Explanation: Data retention policies should comply with industry regulations, balance storage costs, and include secure destruction when data is no longer needed.
✘ Incorrect Answers:
B) Keeping all data indefinitely – Increases legal liability and security risks.
C) Encrypting and never deleting data – Storage costs and legal issues may arise if data is kept indefinitely.
D) Automatically deleting after six months – Retention requirements vary by industry; some data must be stored longer.
A manufacturing company operates industrial control systems (ICS) and SCADA systems that are vulnerable to cyberattacks. The organization wants to improve security while ensuring operations remain stable. Which of the following is the BEST approach?
A) Remove all security controls to prevent disruption in operations
B) Connect ICS/SCADA systems directly to the internet for monitoring purposes
C) Upgrade all devices to the latest Windows operating system
D) Implement network segmentation, monitor data flows, and apply strict access controls
✅ Correct Answer: D. Implement network segmentation, monitor data flows, and apply strict access controls
Explanation: ICS/SCADA systems require strong security measures to prevent cyberattacks while maintaining stability. Network segmentation, monitoring, and strict access controls reduce the attack surface and improve security without disrupting operations.
❌ Incorrect Answers:
A. Removing security controls would increase cyber risks, making the systems more vulnerable.
B. Connecting ICS/SCADA systems directly to the internet is highly dangerous and exposes them to remote attacks.
C. Upgrading operating systems may help, but ICS/SCADA security requires specialized protections, not just OS upgrades.
A security engineer is reviewing the authentication methods for an enterprise Wi-Fi network. The company requires certificate-based authentication for all wireless clients to eliminate password-related attacks. Which authentication protocol should be used?
A) EAP-TTLS
B) EAP-TLS
C) EAP-FAST
D) PEAP
Answer: B) EAP-TLS
Explanation:
EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) is the most secure authentication method for wireless networks when using certificates for authentication. It uses mutual authentication and strong encryption, making it highly resistant to attacks. It also offers certificate-based authentication, which is the preferred method for eliminating password-related attacks.
Why other options are incorrect:
A) EAP-TTLS:
While EAP-TTLS uses TLS for encryption, it doesn’t fully utilize certificates for authentication. It uses a combination of certificates and passwords, making it less secure than EAP-TLS.
C) EAP-FAST:
EAP-FAST (Flexible Authentication via Secure Tunneling) is designed for faster authentication but still relies on passwords in some scenarios. It’s not as secure as EAP-TLS.
D) PEAP:
PEAP (Protected Extensible Authentication Protocol) also uses TLS for encryption, but it can use various authentication methods, including MSCHAPv2, which relies on passwords. Since the question specifies certificate-based authentication, PEAP is not the correct choice.
A corporation wants to prevent attackers from performing replay attacks on its Wi-Fi authentication system. Which cryptographic protocol should be used to mitigate this risk?
A) WEP
B) WPA2-TKIP
C) CCMP (AES)
D) RADIUS with PAP
Answer: C) CCMP (AES)
Explanation:
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol):
This protocol uses the AES encryption algorithm and includes a nonce (a unique number) in each packet to prevent replay attacks.
WPA2-TKIP:
While WPA2 offers improved security over WEP, it uses the Temporal Key Integrity Protocol (TKIP) which is less secure against replay attacks compared to CCMP.
WEP (Wired Equivalent Privacy):
This is an outdated protocol highly vulnerable to replay attacks due to its weak encryption and lack of a secure nonce mechanism.
RADIUS with PAP:
RADIUS itself does not inherently prevent replay attacks. It relies on authentication methods like PAP (Password Authentication Protocol) which can be susceptible to attacks if not properly secured with additional measures.
A company wants to securely remove sensitive data from storage devices before reusing them internally. Which method is MOST appropriate?
A) Cryptographic erasure
B) Low-level formatting
C) Degaussing
D) Physically destroying the device
Answer: A) Cryptographic erasure
✔ Correct Explanation: Cryptographic erasure renders data unrecoverable by deleting encryption keys, allowing the device to be securely reused.
✘ Incorrect Answers:
B) Low-level formatting – Data can still be recovered using forensic tools.
C) Degaussing – Wipes data irreversibly, but renders the device unusable.
D) Physical destruction – Eliminates data but prevents device reuse.
An organization wants to detect malicious activity occurring within its web applications in real time. Which security control should it implement?
A) Digital signatures
B) Sandboxing
C) Continuous monitoring
D) Code obfuscation
Answer: C) Continuous monitoring
✔ Correct Explanation: Continuous monitoring provides real-time detection of security threats and vulnerabilities in web applications.
✘ Incorrect Answers:
A) Digital signatures – These validate authenticity but do not track real-time threats.
B) Sandboxing – This is for isolated testing, not real-time monitoring.
D) Code obfuscation – This makes source code harder to analyze but does not detect threats.
A developer is building a banking application that processes sensitive customer transactions. Which of the following security measures should be implemented to ensure data integrity and confidentiality?
A) Allow listing for input validation, secure cookies, and code signing
B) Code signing only, as it prevents unauthorized modification
C) Secure cookies only, as it prevents session hijacking
D) Static code analysis only, as it detects vulnerabilities before deployment
Answer: A) Allow listing for input validation, secure cookies, and code signing
Explanation: A combination of security measures is necessary for secure applications. Allow listing prevents injection attacks, secure cookies protect session data, and code signing ensures software integrity.
A security analyst is reviewing the results of a vulnerability scan and notices that a critical vulnerability has been flagged on multiple servers. However, after manually testing for the issue, the analyst finds that the vulnerability does not actually exist. What type of issue is this?
A) False negative
B) True positive
C) False positive
D) Common Vulnerabilities and Exposures (CVE) misclassification
Answer: C) False positive
✔ Correct Explanation: A false positive occurs when a vulnerability scan incorrectly flags a vulnerability that does not actually exist, leading to unnecessary investigation.
✘ Incorrect Answers:
A) False negative – This occurs when a scan fails to detect an actual vulnerability, which is a more serious risk.
B) True positive – Would mean the vulnerability actually exists, but here it does not.
D) CVE misclassification – CVE naming errors do not affect whether a vulnerability is detected incorrectly in a scan.
An IT team is configuring access points for a hospital’s wireless network. To ensure coverage in all patient rooms while avoiding interference, what should be performed FIRST?
A) Increase AP power levels to maximum settings
B) Implement WPA2 encryption before deployment
C) Conduct a site survey to identify optimal AP placement
D) Use only a single access point with a high-gain antenna
Answer: C) Conduct a site survey to identify optimal AP placement
Explanation: Site surveys identify signal strength, interference sources, and ideal AP locations to ensure seamless Wi-Fi coverage without excessive interference.
A company’s security team wants to prevent Bluetooth-based attacks on corporate-issued smartphones. Which of the following BEST mitigates this risk?
A) Disabling Bluetooth when not in use and enforcing device pairing policies
B) Blocking all Wi-Fi networks and forcing the use of cellular connections
C) Requiring the use of only hands-free Bluetooth devices
D) Disabling encryption on Bluetooth to improve performance
Answer: A) Disabling Bluetooth when not in use and enforcing device pairing policies
Explanation: Bluetooth security best practices include disabling Bluetooth when not in use and restricting device pairing to trusted devices to prevent unauthorized connections.
A security team performs a vulnerability scan and fails to detect a critical exploit that later leads to a data breach. What type of scanning issue has occurred?
A) False positive
B) Exposure factor miscalculation
C) False negative
D) Incorrect Common Vulnerability Scoring System (CVSS) rating
Answer: C) False negative
✔ Correct Explanation: A false negative occurs when a vulnerability scan fails to detect an actual security weakness, leading to unaddressed risks that attackers can exploit.
✘ Incorrect Answers:
A) False positive – Would mean a vulnerability was incorrectly flagged when it did not exist.
B) Exposure factor miscalculation – Exposure factor refers to likelihood, not detection failures.
D) Incorrect CVSS rating – A miscalculated CVSS score affects severity assessment, not detection failures.
A company is migrating its infrastructure to the cloud and is unsure about security responsibilities. Which of the following is TRUE regarding cloud infrastructure hardening?
A) In SaaS environments, the customer is fully responsible for security configurations
B) In IaaS environments, the cloud provider manages all security settings
C) In SaaS environments, the cloud provider is responsible for most security measures
D) Cloud security responsibilities are always shared equally between provider and customer
Answer: C) In SaaS environments, the cloud provider is responsible for most security measures
Explanation: In Software as a Service (SaaS) models, the provider manages security, while in Infrastructure as a Service (IaaS), the customer has more control over security settings.
A security analyst is auditing a company’s wireless security implementation and finds that the Wi-Fi network relies on MAC address filtering as its primary security control. What is the primary risk associated with this configuration?
A) MAC address filtering enforces certificate-based authentication
B) MAC address filtering provides end-to-end encryption
C) MAC address filtering prevents all unauthorized access
D) MAC addresses can be easily spoofed by attackers
✅ Correct Answer: D. MAC addresses can be easily spoofed by attackers
Explanation: MAC address filtering is not a strong security measure because attackers can easily spoof MAC addresses to bypass restrictions and gain unauthorized access to the network.
❌ Incorrect Answers:
A. MAC address filtering does not use certificate-based authentication—it simply checks static MAC addresses.
B. MAC address filtering does not provide encryption; encryption is handled by protocols like WPA2 or WPA3.
C. MAC filtering does not fully prevent unauthorized access since attackers can spoof MAC addresses.
A cybersecurity analyst is prioritizing vulnerabilities identified in a scan. Which factor is the MOST important when determining the priority of remediation?
A) The number of false positives in the scan
B) The vulnerability’s CVSS score and potential impact
C) The total number of vulnerabilities found in the scan
D) The environmental variable affecting vulnerability detection
Answer: B) The vulnerability’s CVSS score and potential impact
✔ Correct Explanation: CVSS scores help measure severity, and combining this with potential impact ensures that critical vulnerabilities are prioritized for remediation.
✘ Incorrect Answers:
A) False positives in the scan – These should be filtered out but do not determine real prioritization.
C) Total number of vulnerabilities – Quantity alone is not a priority factor; severity matters more.
D) Environmental variables – These affect risk but do not dictate prioritization of specific vulnerabilities.
A security engineer is classifying a newly discovered vulnerability. The vulnerability is difficult to exploit but could have severe financial consequences if successfully attacked. How should this vulnerability be classified?
A) High likelihood, low impact
B) Low likelihood, high impact
C) High likelihood, high impact
D) Low likelihood, low impact
Answer: B) Low likelihood, high impact
✔ Correct Explanation: If a vulnerability is difficult to exploit (low likelihood) but could cause severe financial consequences (high impact), it falls into this category.
✘ Incorrect Answers:
A) High likelihood, low impact – Would mean it is easy to exploit but has minor consequences.
C) High likelihood, high impact – Would mean it is both easy to exploit and highly damaging.
D) Low likelihood, low impact – Would mean it is both rare and not very damaging.
A security analyst is assessing the risk tolerance of an organization. The company decides to accept the risk of running legacy software but increases monitoring and access controls. Which risk approach is being applied?
A) Risk avoidance
B) Risk mitigation
C) Risk acceptance
D) Risk transfer
Answer: C) Risk acceptance
✔ Correct Explanation: Risk acceptance occurs when an organization acknowledges the risk but chooses not to eliminate it, instead using additional controls to manage it.
✘ Incorrect Answers:
A) Risk avoidance – Would mean the organization completely stops using the legacy software.
B) Risk mitigation – Would mean the company takes actions to reduce the risk, such as patching.
D) Risk transfer – Would mean the company shifts the risk to another party, such as buying cybersecurity insurance.
A security engineer is tasked with hardening a database server that contains highly sensitive financial records. Which of the following measures would provide the highest level of protection?
A) Enable air gapping, require multi-factor authentication (MFA), and apply database encryption
B) Store backups on the same system, disable logging, and allow root access to all users
C) Reduce access restrictions, allow external sharing, and disable auditing
D) Allow database access from public networks, enable Telnet for remote administration, and disable encryption
Answer: A) Enable air gapping, require multi-factor authentication (MFA), and apply database encryption
Explanation: Hardening a server involves physical isolation (air gapping), MFA for strong authentication, and encryption to protect sensitive financial data.
A financial institution is assessing vulnerabilities in its core banking system. If exploited, a vulnerability could cause significant financial losses and reputational damage. The organization has a very low risk tolerance. What should be the next step?
A) Accept the risk and document it for review
B) Assign a CVSS score and compare it to industry benchmarks
C) Immediately implement risk mitigation strategies
D) Lower the risk tolerance threshold to accommodate operational needs
Answer: C) Immediately implement risk mitigation strategies
✔ Correct Explanation: Since the risk tolerance is low and the impact is severe, the best action is to mitigate the risk immediately by applying security controls, patches, or other protections.
✘ Incorrect Answers:
A) Accept the risk – This contradicts the organization’s low risk tolerance.
B) Assign a CVSS score – This is helpful but does not provide immediate protection.
D) Lower the risk tolerance threshold – This goes against the company’s risk management strategy.
A security administrator identifies a critical vulnerability in a company’s core financial system. A patch is available but has not been tested for compatibility with the organization’s environment. What is the BEST immediate course of action?
A) Apply the patch immediately to prevent exploitation
B) Test the patch in a controlled environment before deployment
C) Wait for a new version of the patch to be released
D) Ignore the patch if no exploit has been detected in the wild
Answer: B) Test the patch in a controlled environment before deployment
✔ Correct Explanation: Patching should be done in a controlled manner to ensure it does not break existing systems. Testing in a staging or sandbox environment ensures compatibility before applying it to production.
✘ Incorrect Answers:
A) Apply the patch immediately – Without testing, this could cause system failures or compatibility issues.
C) Wait for a new version of the patch – Delaying remediation leaves the system vulnerable.
D) Ignore the patch – Even if no known exploits exist, delaying patching increases risk.
A company’s web server is vulnerable to a critical zero-day exploit, and no patch is currently available. What is the BEST immediate action to mitigate risk?
A) Apply compensating controls such as firewalls and intrusion prevention systems (IPS)
B) Purchase cybersecurity insurance to cover potential damages
C) Wait until a patch is available before taking any action
D) Shut down the web server permanently to prevent exploitation
Answer: A) Apply compensating controls such as firewalls and intrusion prevention systems (IPS)
✔ Correct Explanation: Compensating controls (e.g., firewalls, IDS/IPS, VPNs) can reduce risk until a patch is available, limiting the attack surface.
✘ Incorrect Answers:
B) Purchase cybersecurity insurance – Insurance mitigates financial loss, but does not prevent an attack.
C) Wait for a patch – Leaves the system exposed to active threats.
D) Shut down the web server permanently – Disrupts business operations without solving the problem.
A retail company operates a large warehouse and is experiencing dead zones in its wireless coverage. The IT department has deployed multiple access points, but coverage remains inconsistent. Which tool should they use to identify problem areas?
A) Penetration testing framework
B) Heat map analysis
C) Packet sniffer
D) Log monitoring system
Answer: B) Heat map analysis
Explanation: Heat maps visually display signal distribution and interference, helping IT teams identify dead zones and optimize AP placement.
A company allows employees to connect to the corporate network via cellular connections. Which advantage does this provide over Wi-Fi?
A) Cellular networks provide unlimited bandwidth
B) Cellular networks do not require encryption for security
C) Cellular networks do not experience latency issues
D) Cellular networks are less susceptible to rogue AP attacks
✅ Correct Answer: D. Cellular networks are less susceptible to rogue AP attacks
Explanation: Rogue Access Point (AP) attacks are a major risk in Wi-Fi networks, where an attacker sets up an unauthorized AP to intercept traffic. Cellular networks do not rely on APs, making them less vulnerable to this type of attack.
❌ Incorrect Answers:
A. Cellular networks do not provide unlimited bandwidth—they are often metered and throttled.
B. Cellular networks still require encryption for security; they are not inherently safe without it.
C. Cellular networks can experience latency issues, especially in areas with weak signal coverage.
A security team applies a critical security patch across multiple systems to remediate a high-risk vulnerability. To confirm that the remediation is fully effective, which of the following actions should be performed FIRST?
A) Conduct a vulnerability rescan to ensure the patch eliminated the identified vulnerability
B) Perform a penetration test to see if the vulnerability can still be exploited
C) Monitor system logs for indications of continued exploitation attempts
D) Review vendor documentation to verify the patch addresses all known exploits
Answer: A) Conduct a vulnerability rescan to ensure the patch eliminated the identified vulnerability
✔ Correct Explanation: Rescanning is the most direct and efficient method to verify whether the patch successfully eliminated the vulnerability. It provides immediate confirmation that the issue is no longer present.
✘ Incorrect Answers:
B) Perform a penetration test – This could confirm whether the patch is effective, but penetration testing is time-consuming and typically not the first step in validation. A rescan is quicker and directly identifies if the vulnerability still exists.
C) Monitor system logs – This detects new exploit attempts, but does not confirm whether the patch fully eliminated the vulnerability.
D) Review vendor documentation – Understanding the patch is important, but reading documentation does not verify the system is actually secure.
Which of the following presents the biggest security risk for embedded systems?
A) Embedded systems are frequently patched and updated
B) Embedded systems may create overlooked network connections
C) Embedded systems have strong encryption by default
D) Embedded systems require air-gapped environments for security
Answer: B) Embedded systems may create overlooked network connections
Explanation: Embedded systems often have unmonitored network connections, making them attractive targets for attackers due to lack of updates and patching.
A security analyst is evaluating a vulnerability based on external environmental factors. Which of the following is an example of an environmental variable affecting a vulnerability?
A) The presence of a known exploit for the vulnerability in dark web forums
B) The number of false positives detected in a vulnerability scan
C) The likelihood that a vulnerability scanner will detect the issue
D) The method used to categorize a vulnerability in the CVE database
Answer: A) The presence of a known exploit for the vulnerability in dark web forums
✔ Correct Explanation: Environmental factors include external threats such as dark web exploits, ongoing cyberattacks, or industry-specific vulnerabilities that increase real-world risk.
✘ Incorrect Answers:
B) False positives in a scan – Internal issue, not an external environmental factor.
C) Scanner detection likelihood – Related to detection, not environmental risk.
D) CVE classification – Helps standardize vulnerabilities, but is not an external factor.
A healthcare provider uses legacy medical devices that contain unpatchable vulnerabilities. The organization wants to ensure patient data remains secure while continuing to use the devices. What is the BEST security strategy?
A) Remove the devices from service immediately
B) Use network segmentation to isolate the devices from critical systems
C) Apply software patches from third-party vendors
D) Accept the risk without taking additional measures
Answer: B) Use network segmentation to isolate the devices from critical systems
✔ Correct Explanation: Network segmentation isolates vulnerable devices, reducing the risk of a compromised device affecting critical systems.
✘ Incorrect Answers:
A) Remove the devices from service immediately – Not always feasible due to operational requirements.
C) Apply third-party patches – Unauthorized patches may cause instability or violate compliance regulations.
D) Accept the risk without taking action – Leaves patient data and critical systems exposed.
A company discovers a vulnerability in an internal database but determines that exploiting it would require administrative access, making the risk minimal. What should the company do next?
A) Apply a patch if available, but accept the risk if exploitation is unlikely
B) Immediately take the database offline to prevent any potential attacks
C) Report the issue to a bug bounty program for further investigation
D) Purchase cybersecurity insurance to protect against any future breaches
Answer: A) Apply a patch if available, but accept the risk if exploitation is unlikely
✔ Correct Explanation: If the likelihood of exploitation is low, patching is the best course of action, while documenting the risk acceptance if necessary.
✘ Incorrect Answers:
B) Take the database offline – Not necessary unless the risk is critical.
C) Report to a bug bounty program – Internal vulnerabilities are not relevant to public bug bounty programs.
D) Purchase cybersecurity insurance – Insurance does not fix vulnerabilities.
A company recently patched a high-risk vulnerability in its customer-facing web application. The security team needs to ensure compliance with industry regulations and verify that the remediation was fully effective.
Which of the following is the BEST next step?
A) Conduct an external security audit to verify the effectiveness of the remediation and compliance with industry standards
B) Perform an internal security assessment, including vulnerability scanning and log analysis, to validate remediation efforts
C) Engage in a third-party penetration test to simulate real-world attacks and confirm the vulnerability is no longer exploitable
D) Monitor for ongoing exploit attempts and document any anomalies before deciding if further action is needed
Answer: A) Conduct an external security audit to verify the effectiveness of the remediation and compliance with industry standards
✔ Correct Explanation: An external audit is the best option because it not only verifies remediation effectiveness but also ensures the company meets regulatory requirements. Industry compliance often mandates third-party validation, making an audit the strongest choice.
✘ Incorrect (but plausible) Answers:
B) Internal security assessment (vulnerability scan & log analysis) – Useful but not sufficient for regulatory compliance. While this step confirms the patch, it does not meet external audit requirements for compliance.
C) Third-party penetration test – A penetration test is valuable but does not directly satisfy compliance requirements in the same way an external audit does. A compliance-focused audit is more relevant.
D) Monitor for exploit attempts – Passive monitoring does not ensure compliance or validate remediation; it should be a complementary process, not the primary action.
After remediating a security vulnerability, a security team conducts a follow-up audit and discovers a new, unexpected security flaw introduced by the remediation process. What is the BEST response?
A) Document the issue and escalate for risk assessment
B) Undo the remediation to restore the previous system state
C) Immediately deploy a security patch for the new flaw
D) Monitor the system for further anomalies before taking action
Answer: A) Document the issue and escalate for risk assessment
✔ Correct Explanation: New vulnerabilities introduced by remediation efforts must be properly assessed before making further changes. Documenting and escalating the issue ensures proper handling.
✘ Incorrect (but plausible) Answers:
B) Undo the remediation – Reintroduces the original vulnerability, which is not an ideal solution.
C) Immediately deploy a patch – Not always available or tested yet; risk assessment must come first.
D) Monitor for anomalies before acting – Delays response and could allow exploitation.
A security analyst is verifying the effectiveness of a recent remediation effort by comparing pre- and post-remediation vulnerability scan results. What additional validation method would BEST confirm successful remediation?
A) Perform a configuration review to verify that system settings were updated correctly
B) Conduct a security awareness training session for employees
C) Enable additional logging to detect any further attacks
D) Perform a risk assessment on unrelated vulnerabilities
Answer: A) Perform a configuration review to verify that system settings were updated correctly
✔ Correct Explanation: Configuration reviews ensure that the correct security settings and policies were applied as part of the remediation process.
✘ Incorrect (but plausible) Answers:
B) Conduct security awareness training – Good for overall security but does not confirm remediation success.
C) Enable additional logging – Useful for detecting future issues but does not directly verify remediation effectiveness.
D) Perform a risk assessment on unrelated vulnerabilities – Not relevant to verifying the specific remediation effort.
A company deploys an Endpoint Detection and Response (EDR) system across its network. What is the primary function of this tool?
A. Blocking malicious traffic before it enters the network
B. Detecting and responding to abnormal activity on endpoints
C. Preventing data from being exfiltrated by unauthorized users
D. Analyzing network traffic for potential vulnerabilities
Correct Answer:
✅ B. Detecting and responding to abnormal activity on endpoints
Explanation: EDR tools monitor endpoint activity to detect, analyze, and respond to threats such as malware or unauthorized access. They provide real-time analysis and incident response capabilities.
Incorrect Answers:
A. This is a function of firewalls or Intrusion Prevention Systems (IPS), not EDR.
C. Data Loss Prevention (DLP) tools focus on preventing unauthorized data exfiltration.
D. Intrusion Detection Systems (IDS) and vulnerability scanners analyze network traffic for vulnerabilities, not EDR.
A security analyst receives an alert indicating an application is consuming excessive system resources and causing performance degradation. Which monitoring method likely generated this alert?
A. Network traffic monitoring
B. Infrastructure monitoring
C. Application log analysis
D. Endpoint security monitoring
Correct Answer:
✅ C. Application log analysis
Explanation: Application monitoring involves analyzing log data to detect anomalies, such as excessive resource usage, availability issues, or potential bugs.
Incorrect Answers:
A. Network traffic monitoring is used to analyze data flow but does not focus on resource consumption by applications.
B. Infrastructure monitoring involves detecting physical or environmental anomalies, not software-related performance issues.
D. Endpoint security monitoring focuses on threats like malware, not application performance.
Which of the following factors should be considered when conducting a wireless site survey?
A) The number of wired network devices
B) The length of Ethernet cables used in the network
C) Physical obstructions and interference sources
D) The number of user accounts in Active Directory
Answer: C) Physical obstructions and interference sources
Explanation: Site surveys assess physical obstacles, interference, and RF propagation to determine optimal wireless network design.
A hospital is deploying network-connected medical devices that require real-time data transmission. Which of the following hardening techniques should be applied to secure Real-Time Operating System (RTOS) devices?
A) Implement guest network access for all RTOS devices
B) Disable all network communication to prevent cyberattacks
C) Allow unrestricted administrator access to all medical staff
D) Use firewalls, encryption, and access control lists (ACLs)
✅ Correct Answer: D. Use firewalls, encryption, and access control lists (ACLs)
Explanation: Firewalls, encryption, and Access Control Lists (ACLs) help secure RTOS devices without disrupting real-time data transmission, providing controlled access and protection against cyber threats.
❌ Incorrect Answers:
A. Allowing guest network access would expose devices to unauthorized access, increasing security risks.
B. Disabling all network communication would prevent the devices from functioning properly.
C. Allowing unrestricted admin access could lead to misconfigurations and insider threats.
A cybersecurity team is securing a corporate Wi-Fi network. They decide to implement network segmentation to isolate guest traffic from internal business operations. What should they configure?
A) MAC address filtering
B) A separate VLAN for guest access
C) WPA3 encryption for all users
D) SSID hiding
Answer: B) A separate VLAN for guest access
Explanation: Network segmentation via VLANs ensures guest traffic is isolated from internal resources, reducing attack surfaces and security risks.
A security team is responding to a newly discovered vulnerability affecting a widely used software application. What should be the FIRST step in the response process?
A) Identify if the vulnerability affects the organization’s systems
B) Immediately patch all systems before verifying compatibility
C) Purchase cybersecurity insurance in case of future exploitation
D) Notify all users to stop using the affected application immediately
Answer: A) Identify if the vulnerability affects the organization’s systems
✔ Correct Explanation: Before taking any action, the security team must verify whether the organization’s systems are affected and determine the appropriate response.
✘ Incorrect Answers:
B) Immediately patch all systems – Blindly applying patches can cause compatibility issues.
C) Purchase cybersecurity insurance – Insurance does not prevent or remediate vulnerabilities.
D) Notify users to stop using the application – Only necessary if the vulnerability is actively being exploited.
An organization is concerned about unauthorized access to their data center. They decide to implement humidity, motion, and fire sensors. What type of security monitoring does this represent?
A. Network security monitoring
B. Endpoint security monitoring
C. Infrastructure security monitoring
D. Application security monitoring
Correct Answer:
✅ C. Infrastructure security monitoring
Explanation: Infrastructure monitoring involves tracking environmental conditions such as humidity, fire, and unauthorized physical movement to protect critical assets.
Incorrect Answers:
A. Network security monitoring focuses on traffic flow, intrusion detection, and anomaly detection, not physical security.
B. Endpoint security monitoring deals with detecting threats on devices like workstations and servers.
D. Application security monitoring focuses on software behavior, not environmental factors.
A company deploys a Data Loss Prevention (DLP) system. What primary function does this system perform?
A. Preventing malware infections on endpoints
B. Blocking unauthorized data transfers and leaks
C. Encrypting sensitive data to prevent breaches
D. Identifying vulnerabilities in application code
Correct Answer:
✅ B. Blocking unauthorized data transfers and leaks
Explanation: DLP solutions monitor and prevent unauthorized attempts to transfer, share, or leak sensitive data, whether through email, USB devices, or cloud services.
Incorrect Answers:
A. Endpoint Detection and Response (EDR) solutions focus on malware detection and response, not DLP.
C. While encryption is a security measure, DLP actively prevents unauthorized data transfers rather than securing stored data.
D. Application security testing tools identify vulnerabilities in code, but this is not the function of DLP.
A security analyst configures a Security Information and Event Management (SIEM) system to prioritize alerts based on severity levels. What is the main reason for implementing this configuration?
A. To prevent all low-severity alerts from being logged
B. To ensure that high-priority threats are addressed first
C. To reduce storage costs by filtering out all minor alerts
D. To allow automatic remediation of vulnerabilities without human intervention
✅ Correct Answer: B. To ensure that high-priority threats are addressed first
Explanation: SIEM systems generate numerous alerts, and prioritizing them ensures that security teams focus on critical threats first rather than wasting time on minor issues. This is essential for managing security incidents efficiently.
❌ Incorrect Answers:
A. SIEM does not prevent low-severity alerts from being logged; they may still be recorded for later review.
C. While log storage management is important, the primary goal of severity-based prioritization is security response, not storage reduction.
D. SIEMs may trigger automated responses, but not all vulnerabilities can be remediated without human intervention.
An organization is deploying thousands of Internet of Things (IoT) devices throughout its network. Which of the following security risks should be the PRIMARY concern?
A) IoT devices are frequently patched and secure by default
B) IoT devices rarely require encryption or authentication
C) IoT devices are often unpatched and may become attack entry points
D) IoT devices are inherently immune to cyber threats
Answer: C) IoT devices are often unpatched and may become attack entry points
Explanation: IoT devices are commonly unpatched, lack built-in security, and can be exploited by attackers to infiltrate a network.
A security team is implementing a log aggregation solution. What is the primary benefit of this approach?
A. It reduces the need for SIEM correlation rules
B. It standardizes and centralizes log data for analysis
C. It prevents log data from being stored in different locations
D. It automatically detects and mitigates vulnerabilities
✅ Correct Answer: B. It standardizes and centralizes log data for analysis
Explanation: Log aggregation collects logs from various systems and normalizes them into a standard format. This makes it easier to analyze data across multiple sources for security investigations.
❌ Incorrect Answers:
A. SIEM correlation rules are still needed to detect patterns and security incidents.
C. Logs may still exist in different locations, but aggregation provides a central repository for analysis.
D. Log aggregation helps with analysis but does not automatically detect or fix vulnerabilities.
A vulnerability scanner has generated an alert about a potential zero-day exploit. What should be the security team’s first action?
A. Immediately quarantine the affected system
B. Validate whether the alert is a false positive
C. Disable network access for all users
D. Archive the scan results for future reference
✅ Correct Answer: B. Validate whether the alert is a false positive
Explanation: Before taking drastic actions, security analysts must validate the alert. False positives are common, and responding to an invalid alert can waste resources and cause unnecessary disruptions.
❌ Incorrect Answers:
A. Quarantining may be necessary if the exploit is confirmed, but validation must happen first.
C. Disabling network access for all users is extreme and would cause major disruptions without confirmation of an active threat.
D. Archiving scan results is useful for compliance, but immediate validation is a priority.
A company uses vulnerability scanning tools that frequently generate alerts for low-impact vulnerabilities. What technique should be used to reduce false positives while ensuring critical vulnerabilities are still detected?
A. Quarantine all potentially vulnerable systems
B. Increase the frequency of vulnerability scans
C. Perform alert tuning to adjust sensitivity levels
D. Disable automatic alerting for all low-priority issues
✅ Correct Answer: C. Perform alert tuning to adjust sensitivity levels
Explanation: Alert tuning involves modifying the settings of vulnerability scanners and SIEMs to filter out low-priority issues while still catching critical vulnerabilities. This reduces false positives and improves security response efficiency.
❌ Incorrect Answers:
A. Quarantining every potentially vulnerable system would be impractical and disruptive.
B. Increasing scan frequency won’t help if the alerts are not properly tuned; it may actually worsen the issue.
D. Disabling all low-priority alerts could cause important issues to be overlooked. Alert tuning is a better solution.
What advantage does a Security Information and Event Management (SIEM) system provide to security teams?
A. Preventing unauthorized data exfiltration across the network
B. Scanning web applications for vulnerabilities
C. Real-time packet analysis and active blocking of malicious traffic
D. Automated log collection, correlation, and behavioral analysis
✅ Correct Answer: D. Automated log collection, correlation, and behavioral analysis
Explanation: SIEM collects logs, correlates security events, and uses heuristic analysis to detect anomalies.
❌ Incorrect Answers:
A. DLP, not SIEM, prevents data exfiltration.
B. Web application scanners (e.g., Burp Suite) identify vulnerabilities, not SIEM.
C. SIEM does not actively block traffic; IDS/IPS perform this function.
A security analyst is reviewing archived security logs from a vulnerability scan conducted six months ago. What is the most likely reason for this review?
A. To verify compliance with regulatory retention policies
B. To identify real-time security threats
C. To increase network performance by reducing log storage
D. To determine the cause of a current network outage
✅ Correct Answer: A. To verify compliance with regulatory retention policies
Explanation: Many regulations, such as GDPR, HIPAA, and PCI DSS, require security logs to be archived for a certain period. Reviewing these logs helps ensure compliance and may support forensic investigations.
❌ Incorrect Answers:
B. Reviewing archived logs is a retrospective process, not a real-time security activity.
C. Security logs are retained for analysis, not deleted to improve network performance.
D. While logs may help troubleshoot an outage, archived logs are usually examined for compliance or forensic analysis rather than immediate troubleshooting.
A security analyst is configuring a Security Content Automation Protocol (SCAP) tool. What is the primary purpose of SCAP in a security environment?
A. To define a new encryption standard for secure communications
B. To analyze user behavior and detect anomalies in authentication logs
C. To perform real-time packet inspection on network traffic
D. To improve cyber threat intelligence sharing and automation
✅ Correct Answer: D. To improve cyber threat intelligence sharing and automation
Explanation: SCAP, developed by NIST, standardizes security configurations and automates vulnerability management through frameworks like CVE, CVSS, and OVAL.
❌ Incorrect Answers:
A. SCAP is not an encryption standard; it focuses on cybersecurity automation.
B. Analyzing user behavior is a function of SIEM and UEBA, not SCAP.
C. SCAP does not inspect network packets; IDS/IPS perform packet inspection.
A company uses an agent-based Network Access Control (NAC) system. What is one advantage of this approach compared to agentless NAC?
A. Easier deployment on unmanaged devices
B. Higher accessibility for guest and external users
C. Greater visibility into the security state of devices
D. Reduced software installation requirements for endpoints
✅ Correct Answer: C. Greater visibility into the security state of devices
Explanation: Agent-based NAC installs software on endpoints, allowing deeper security checks like patch levels and antivirus status.
❌ Incorrect Answers:
A. Agentless NAC is easier to deploy but offers less visibility into device security.
B. Agentless NAC is better for guest users because it does not require software installation.
D. Agent-based NAC requires software installation, unlike agentless NAC.
An organization wants to enforce strict access control by evaluating the security posture of devices before granting network access. Which solution should they implement?
A. Security Information and Event Management (SIEM)
B. Data Loss Prevention (DLP)
C. Network Access Control (NAC)
D. Vulnerability Scanning
✅ Correct Answer: C. Network Access Control (NAC)
Explanation: NAC ensures devices meet security policies (patching, antivirus) before or after being allowed on the network.
❌ Incorrect Answers:
A. SIEM collects and correlates logs but does not control network access.
B. DLP protects sensitive data, not network access.
D. Vulnerability scanners identify weaknesses but do not enforce access control.
Which method does antivirus software use to detect unknown malware based on suspicious behavior?
A. Signature-based detection
B. Heuristic-based detection
C. Sandboxing
D. AI and machine learning
✅ Correct Answer: B. Heuristic-based detection
Explanation: Heuristic-based detection identifies malware based on behaviors and patterns rather than known signatures, making it effective against new threats.
❌ Incorrect Answers:
A. Signature-based detection relies on known malware signatures and is ineffective against new threats.
C. Sandboxing runs suspected files in an isolated environment but does not detect behavior-based threats in real time.
D. AI and machine learning enhance detection but are separate from heuristic-based detection.
A company deploys a Data Loss Prevention (DLP) solution. What is the primary function of DLP?
A. To prevent unauthorized access to sensitive applications
B. To scan networks for potential vulnerabilities
C. To encrypt sensitive data before it is transmitted
D. To monitor and restrict unauthorized data transfers
✅ Correct Answer: D. To monitor and restrict unauthorized data transfers
Explanation: DLP detects and blocks unauthorized sharing of sensitive data, such as PII or financial records.
❌ Incorrect Answers:
A. IAM (Identity and Access Management) controls access to applications, not DLP.
B. Vulnerability scanners, not DLP, scan for weaknesses.
C. Encryption protects data but does not actively monitor data transfers.
What is a key security benefit of using SNMPv3 compared to older versions of SNMP?
A. It prevents unauthorized users from connecting to a corporate VPN
B. It introduces source authentication, encryption, and message integrity
C. It enhances firewall protection by blocking unauthorized connections
D. It provides automatic patch management for network devices
✅ Correct Answer: B. It introduces source authentication, encryption, and message integrity
Explanation: SNMPv3 improves security by adding encryption, authentication, and integrity checks, unlike SNMPv1 and SNMPv2.
❌ Incorrect Answers:
A. SNMPv3 does not control VPN access.
C. Firewalls block unauthorized connections, not SNMPv3.
Which of the following best describes the primary function of a vulnerability scanner?
A. Identifying security weaknesses in networks and applications
B. Automatically patching security vulnerabilities
C. Monitoring file integrity changes in real time
D. Blocking malicious traffic before it reaches endpoints
✅ Correct Answer: A. Identifying security weaknesses in networks and applications
Explanation: Vulnerability scanners (e.g., Nessus, OpenVAS) proactively scan networks and systems for security flaws.
❌ Incorrect Answers:
B. Vulnerability scanners identify, but do not automatically patch, vulnerabilities.
C. File Integrity Monitoring (FIM) tools track file changes, not scanners.
D. Firewalls and IDS/IPS block malicious traffic, not vulnerability scanners.