Security Operations 2 Flashcards
A cybersecurity analyst notices unusual outbound traffic originating from a server that should only be communicating internally. The analyst decides to modify the firewall rules to block unauthorized outbound traffic from this server while ensuring it can still communicate with necessary internal systems.
Which of the following firewall rule modifications would BEST address this issue?
A) Block all outbound traffic from the server and create explicit allow rules for necessary internal communications
B) Enable full outbound access for the server but implement intrusion detection to monitor traffic
C) Allow all outbound traffic by default and create explicit deny rules for suspicious connections
D) Disable all firewall rules to analyze the traffic freely before applying restrictions
Answer: A) Block all outbound traffic from the server and create explicit allow rules for necessary internal communications
Explanation:
The best approach is to apply a deny-by-default firewall policy, blocking all outbound traffic unless explicitly required for legitimate internal communications. This ensures that unauthorized outbound connections are immediately cut off while keeping necessary business functions operational.
Incorrect Answers:
B) Enable full outbound access for the server but implement intrusion detection to monitor traffic → This does not actively prevent unauthorized traffic; it only detects it after the fact.
C) Allow all outbound traffic by default and create explicit deny rules for suspicious connections → This is the opposite of best practices. A deny-all, allow-by-exception approach is safer.
D) Disable all firewall rules to analyze the traffic freely before applying restrictions → This exposes the network to potential exploitation before security measures are applied.
A security administrator needs to implement an Access Control List (ACL) to prevent unauthorized external users from accessing internal resources while allowing internal users to access external resources.
Which of the following ACL rules should be implemented? (Select TWO)
A) Deny all inbound traffic from external sources by default
B) Allow all inbound traffic from external sources by default
C) Allow outbound traffic from internal users to external destinations
D) Deny outbound traffic from internal users by default
E) Allow inbound traffic from external sources only for explicitly defined services
Answer: A) Deny all inbound traffic from external sources by default & C) Allow outbound traffic from internal users to external destinations
Explanation:
A well-configured ACL should block all inbound external traffic by default while allowing outbound traffic as needed. Internal users often require internet access, so allowing outbound traffic ensures functionality.
Incorrect Answers:
B) Allow all inbound traffic from external sources by default → This would allow potential attackers unrestricted access.
D) Deny outbound traffic from internal users by default → This would block legitimate traffic like web browsing and email.
E) Allow inbound traffic from external sources only for explicitly defined services → While partially correct, this should only be done after a deny-all rule is in place for security.
A security engineer is conducting a routine audit of firewall configurations and notices that multiple unused ports are left open. Which of the following actions should the engineer take to harden the system?
A) Disable all open ports that are not required for normal operations
B) Keep all ports open in case they are needed for future use
C) Allow only ports used by secure services such as SSH, while blocking all others
D) Enable all commonly used ports regardless of whether they are currently needed
Answer: A) Disable all open ports that are not required for normal operations
Explanation:
Closing unused ports reduces the attack surface, minimizing entry points for threat actors. Only necessary ports should remain open to maintain system functionality.
Incorrect Answers:
B) Keep all ports open in case they are needed for future use → This unnecessarily exposes the system to threats.
C) Allow only ports used by secure services such as SSH, while blocking all others → While partially correct, this assumes only SSH is needed, which is not always true. Only essential services should be open, not just SSH.
D) Enable all commonly used ports regardless of whether they are currently needed → This increases unnecessary attack vectors for intrusions.
A company wants to provide external users with limited access to public web servers while keeping its internal network secure. The company should deploy a ________________.
A) Intrusion Detection System (IDS)
B) Virtual Private Network (VPN)
C) Screened Subnet (DMZ)
D) Honeypot
Answer: C) Screened Subnet (DMZ)
Explanation:
A screened subnet (formerly known as a DMZ) provides a buffer zone between the internal network and external users, allowing limited access to public-facing resources (e.g., web servers).
Incorrect Answers:
A) Intrusion Detection System (IDS) → IDS monitors traffic but does not segment network access.
B) Virtual Private Network (VPN) → VPNs encrypt connections but do not create isolated network areas for public users.
D) Honeypot → Honeypots simulate vulnerable systems to attract attackers but do not provide secure access to web services.
Which of the following methods can enhance firewall security? (Select TWO)
A) Implement a deny-by-default policy and explicitly allow required traffic
B) Disable logging to reduce system overhead
C) Open additional ports to improve network flexibility
D) Regularly review and update firewall rules based on new threats
E) Allow all inbound ICMP traffic to support troubleshooting
Answer: A) Implement a deny-by-default policy & D) Regularly review and update firewall rules based on new threats
Explanation:
A deny-by-default firewall rule ensures that only explicitly allowed traffic is permitted, blocking all else. Regularly updating firewall rules ensures new vulnerabilities are addressed and security remains up to date.
Incorrect Answers:
B) Disable logging to reduce system overhead → Logging is essential for monitoring and forensic analysis.
C) Open additional ports to improve network flexibility → Opening unnecessary ports increases the attack surface.
E) Allow all inbound ICMP traffic to support troubleshooting → While ICMP is useful, allowing all ICMP traffic can be exploited (e.g., ping flood attacks).
A cybersecurity analyst is reviewing security logs and notices that a system flagged multiple unauthorized login attempts but did not take any action to block them. The analyst wants to ensure that future unauthorized attempts are automatically blocked.
Which of the following security controls should be implemented to achieve this goal?
A) Signature-based IDS
B) Anomaly-based IDS
C) Intrusion Prevention System (IPS)
D) Passive Network Monitoring
Answer: C) Intrusion Prevention System (IPS)
Explanation:
An IPS (Intrusion Prevention System) not only detects threats but also blocks them in real time. Since the analyst wants to prevent unauthorized login attempts, an IPS is the best solution.
Incorrect Answers:
A) Signature-based IDS → An IDS (Intrusion Detection System) only detects threats and does not block them.
B) Anomaly-based IDS → While it can detect unusual behavior, it does not actively block threats like an IPS does.
D) Passive Network Monitoring → Passive monitoring only observes traffic but does not prevent attacks.
A company wants to deploy an IDS/IPS solution that can identify new, previously unknown attacks that do not match any existing signatures.
Which of the following detection methods should be used? (Select TWO)
A) Signature-based detection
B) Heuristic-based detection
C) Anomaly-based detection
D) Passive detection
E) Inline detection
Answer: B) Heuristic-based detection & C) Anomaly-based detection
Explanation:
Heuristic-based detection analyzes behavioral patterns to identify potential threats, even if they do not match known signatures.
Anomaly-based detection monitors network behavior and flags deviations from a baseline, allowing detection of zero-day attacks.
Incorrect Answers:
A) Signature-based detection → Only detects known threats based on predefined signatures.
D) Passive detection → Only observes network activity and does not actively detect or prevent attacks.
E) Inline detection → This refers to how IDS/IPS is deployed, not a detection method.
A security engineer configures an IDS to compare incoming traffic against a database of known attack signatures. However, the engineer notices that the IDS is failing to detect a new type of attack that was recently discovered in the cybersecurity community.
What is the MOST likely reason why the IDS failed to detect the attack?
A) The attack does not match any known signatures
B) The IDS is running in inline mode
C) The attack uses encrypted traffic, which signature-based detection cannot analyze
D) The IDS is using heuristic-based detection instead of signature-based detection
Answer: A) The attack does not match any known signatures
Explanation:
Signature-based detection relies on predefined attack patterns. If a new attack has no existing signature, it will not be detected.
Incorrect Answers:
B) The IDS is running in inline mode → Inline mode affects whether the IDS is passive or active, not how it detects attacks.
C) The attack uses encrypted traffic, which signature-based detection cannot analyze → Signature-based detection can analyze decrypted traffic if properly configured.
D) The IDS is using heuristic-based detection instead of signature-based detection → The scenario specifies that the IDS is using signature-based detection.
A company wants to monitor network traffic for malicious activity without affecting normal traffic flow. The best solution for this requirement is a ______________.
A) Firewall
B) Intrusion Detection System (IDS)
C) Intrusion Prevention System (IPS)
D) Honeypot
Answer: B) Intrusion Detection System (IDS)
Explanation:
An IDS is a passive monitoring tool that detects and alerts on malicious activity without disrupting traffic.
Incorrect Answers:
A) Firewall → A firewall filters traffic but does not provide detailed attack analysis.
C) Intrusion Prevention System (IPS) → An IPS actively blocks malicious traffic, which may impact normal network flow.
D) Honeypot → A honeypot is a decoy system designed to lure attackers, not a traffic monitoring solution.
Which of the following are benefits of using an IDS/IPS to analyze network trends? (Select TWO)
A) Identifying an increase in specific types of malware
B) Preventing all zero-day attacks
C) Blocking all unauthorized outbound traffic
D) Detecting patterns in malicious activity before a full-scale attack
E) Automatically updating firewall rules without human intervention
Answer: A) Identifying an increase in specific types of malware & D) Detecting patterns in malicious activity before a full-scale attack
Explanation:
IDS/IPS can track trends in malware activity, helping organizations recognize emerging threats.
Detecting attack patterns early allows organizations to take proactive measures before an attack fully unfolds.
Incorrect Answers:
B) Preventing all zero-day attacks → While heuristic and anomaly-based IDS/IPS can detect some zero-day attacks, they cannot prevent all of them.
C) Blocking all unauthorized outbound traffic → IDS does not block traffic, and IPS focuses on inbound threats, not all outbound traffic.
E) Automatically updating firewall rules without human intervention → IDS/IPS does not control firewall rules; firewall configurations require manual updates or integration with automation tools.
A company is implementing a web filtering solution to enforce security policies on employee workstations, even when they are working remotely and not connected to the corporate network.
Which of the following solutions would BEST meet this requirement?
A) Centralized proxy web filter
B) Agent-based web filter
C) URL scanning
D) Reputation-based web filter
Answer: B) Agent-based web filter
Explanation:
An agent-based web filter is host-based, meaning it enforces web filtering policies directly on the endpoint device. Since it does not require an external connection to function, it is ideal for remote employees.
Incorrect Answers:
A) Centralized proxy web filter → Requires network connectivity to enforce policies, so it won’t protect users working remotely.
C) URL scanning → Only scans URLs but does not enforce filtering policies on devices.
D) Reputation-based web filter → Evaluates website reputation but does not enforce direct filtering policies on remote devices.
A system administrator is securing a fleet of company workstations. The administrator has already deployed anti-malware software and enforced strong password policies. To further improve security, the administrator needs to ensure that users cannot install unauthorized software or modify system settings beyond their job requirements.
Which of the following security measures would BEST meet this requirement?
A) Deploy host-based intrusion detection systems (HIDS) on each workstation
B) Assign administrative privileges to all users by default
C) Disable all built-in security features to improve performance
D) Implement the principle of least privilege
E) Enable auto-login to reduce the risk of password fatigue
Answer: D) Implement the principle of least privilege
Explanation:
Least privilege ensures that users only have the minimum permissions necessary, preventing unauthorized software installations or system modifications.
Incorrect Answers:
A) Deploy HIDS → HIDS detects malicious activity but does not restrict user privileges.
B) Assign admin privileges to all users → This increases security risks and makes it easier for malware to spread.
C) Disable all built-in security features → Security features protect the system; disabling them reduces security.
E) Enable auto-login → Auto-login eliminates authentication, making the system easier to compromise.
A cybersecurity administrator needs to enforce password complexity policies, user access restrictions, and audit logging across all Windows workstations in the company.
Which of the following Windows tools should the administrator use?
A) Windows Defender
B) Task Scheduler
C) Windows Event Viewer
D) Local User Manager
E) Group Policy
Answer: E) Group Policy
Explanation:
Group Policy allows administrators to enforce security settings across all domain-connected computers, including password complexity, access controls, and auditing policies.
Incorrect Answers:
A) Windows Defender → Provides anti-malware protection, but does not enforce system-wide security policies.
B) Task Scheduler → Used to automate system tasks, but not to manage security settings.
C) Windows Event Viewer → Used for log analysis, but does not enforce policies.
D) Local User Manager → Manages individual users, but does not enforce company-wide policies.
A Linux server administrator wants to enforce strict security policies and access control mechanisms on a web server. The administrator decides to enable Security-Enhanced Linux (SELinux).
What benefit will SELinux provide to the server?
A) It acts as a firewall, filtering network traffic before it reaches the system
B) It enforces security policies at the kernel level, restricting unauthorized access
C) It automatically updates the operating system with the latest security patches
D) It monitors system logs and generates alerts for suspicious activity
Answer: B) It enforces security policies at the kernel level, restricting unauthorized access
Explanation:
SELinux enforces mandatory access controls (MAC) at the kernel level, preventing unauthorized access to resources even if an attacker gains root privileges.
Incorrect Answers:
A) It acts as a firewall → SELinux controls access within the OS, but it is not a firewall.
C) It automatically updates the OS → SELinux does not handle software updates.
D) It monitors system logs and generates alerts → SELinux enforces access policies but does not function as a log monitoring tool.
A security professional needs to configure a secure remote login protocol for administrators accessing company servers. The professional should use _______________.
A) Remote Desktop Protocol (RDP)
B) Telnet
C) Secure Shell (SSH)
D) Simple Network Management Protocol (SNMP)
Answer: C) Secure Shell (SSH)
Explanation:
SSH provides secure encrypted remote access over TCP port 22, making it the best option for remote logins.
Incorrect Answers:
A) RDP → Used for Windows remote access, but not for secure CLI logins.
B) Telnet → Transmits data in plaintext, making it insecure.
D) SNMP → Used for network management, not remote login.
A cybersecurity analyst is reviewing network configurations and notices that some legacy systems are using insecure protocols. The analyst needs to recommend secure alternatives for remote access and file transfers.
Which of the following protocol replacements would BEST enhance security? (Select TWO)
A) Replace FTP with SFTP
B) Replace Telnet with SSH
C) Replace HTTP with Telnet
D) Replace DNS with SNMP
E) Replace UDP with ICMP for improved transport reliability
Answer: A) Replace FTP with SFTP & B) Replace Telnet with SSH
Explanation:
SFTP (Secure File Transfer Protocol) is an encrypted alternative to FTP, ensuring secure file transfers.
SSH (Secure Shell) replaces Telnet, providing encrypted remote access.
Incorrect Answers:
C) Replace HTTP with Telnet → Telnet is less secure than HTTP and should not be used.
D) Replace DNS with SNMP → These are two unrelated protocols; DNS is for domain resolution, while SNMP is for network management.
E) Replace UDP with ICMP → ICMP is not a transport protocol, and UDP is used where speed is prioritized over reliability.
A company has been experiencing DNS spoofing attacks and needs to implement security measures to protect DNS integrity.
Which of the following actions should the company take? (Select TWO)
A) Encrypt all DNS traffic using DNS over HTTPS (DoH)
B) Disable logging on DNS servers to prevent information leaks
C) Implement Domain Name System Security Extensions (DNSSEC)
D) Block all DNS queries to prevent external lookups
E) Use the Simple Mail Transfer Protocol (SMTP) for secure DNS lookups
Answer: C) Implement Domain Name System Security Extensions (DNSSEC) & A) Encrypt all DNS traffic using DNS over HTTPS (DoH)
Explanation:
DNSSEC (Domain Name System Security Extensions) prevents DNS spoofing by digitally signing DNS records, ensuring their authenticity.
DoH (DNS over HTTPS) encrypts DNS queries, preventing attackers from intercepting or manipulating them.
Incorrect Answers:
B) Disable logging on DNS servers to prevent information leaks → DNS logging helps detect attacks. Disabling logging reduces security visibility.
D) Block all DNS queries to prevent external lookups → This would completely break internet access, making it an unrealistic security measure.
E) Use SMTP for secure DNS lookups → SMTP is for email, not DNS security. This answer is completely unrelated.
A cybersecurity analyst is investigating a suspicious email that appears to be from the company’s CEO. The analyst wants to verify whether the email was actually sent from the CEO’s domain and whether it has been altered in transit.
Which of the following email security protocols would BEST help verify the email’s authenticity and integrity?
A) Sender Policy Framework (SPF)
B) DomainKeys Identified Mail (DKIM)
C) Domain-Based Message Authentication Reporting and Conformance (DMARC)
D) Hypertext Transfer Protocol Secure (HTTPS)
Answer: B) DomainKeys Identified Mail (DKIM)
Explanation:
DKIM uses a digital signature to verify that an email originated from an authorized sender and has not been tampered with in transit.
Incorrect Answers:
A) SPF → SPF checks if the email was sent from an authorized mail server, but it does not verify message integrity.
C) DMARC → DMARC enforces email security policies using SPF and DKIM but does not directly verify message authenticity.
D) HTTPS → HTTPS secures web traffic, not email integrity.
A cybersecurity analyst is responsible for detecting unauthorized changes to critical system files on a server. The analyst wants a security solution that creates a unique identifier for each file and monitors for unexpected modifications.
Which of the following solutions would BEST meet this requirement?
A) Network Access Control (NAC)
B) File Integrity Monitoring (FIM)
C) User Behavior Analytics (UBA)
D) Endpoint Detection and Response (EDR)
Answer: B) File Integrity Monitoring (FIM)
Explanation:
File Integrity Monitoring (FIM) creates signatures or fingerprints for files and monitors them for changes, ensuring critical files remain unaltered.
Incorrect Answers:
A) NAC → NAC controls network access, but it does not monitor file changes.
C) UBA → User Behavior Analytics tracks user activity, not file integrity.
D) EDR → EDR detects threats on endpoints, but it does not track file changes directly.
A company wants to block employee access to specific categories of websites (e.g., gambling, adult content) rather than blocking individual URLs.
Which of the following web filtering methods would BEST meet this requirement? (Select TWO)
A) Content categorization
B) URL scanning
C) Block rules
D) Reputation-based filtering
E) Agent-based filtering
Answer: A) Content categorization & D) Reputation-based filtering
Explanation:
Content categorization allows administrators to block websites based on predefined content categories instead of manually adding URLs.
Reputation-based filtering blocks sites based on their trustworthiness and security risk, which can be useful for blocking malicious or inappropriate sites.
Incorrect Answers:
B) URL scanning → Checks individual URLs against a list but does not categorize content.
C) Block rules → Block lists deny access to specific URLs but do not categorize content.
E) Agent-based filtering → Enforces policies on endpoints but does not determine which sites to block.
A security team is implementing a solution that will prevent employees from sending confidential company data outside the network. The solution must be able to classify, label, and enforce policies on sensitive data.
Which of the following solutions should the security team implement?
A) Network Access Control (NAC)
B) File Integrity Monitoring (FIM)
C) Data Loss Prevention (DLP)
D) Endpoint Detection and Response (EDR)
Answer: C) Data Loss Prevention (DLP)
Explanation:
DLP (Data Loss Prevention) is designed to monitor, classify, and enforce policies to prevent sensitive data from being leaked or sent outside the organization.
Incorrect Answers:
A) NAC → NAC controls network access, but does not prevent data exfiltration.
B) FIM → FIM tracks file integrity, but does not classify or prevent data movement.
D) EDR → EDR detects threats on endpoints, but does not control data leakage.
A security administrator is tasked with removing access for an employee who has left the company. The administrator must ensure that all associated permissions, accounts, and resources tied to the user are completely removed to prevent unauthorized access.
Which of the following BEST describes this process?
A) Identity proofing
B) Permission creep
C) Deprovisioning
D) Federation
Answer: C) Deprovisioning
Explanation:
Deprovisioning is the process of removing user accounts and all associated permissions, files, and configurations when an employee leaves an organization.
Incorrect Answers:
A) Identity proofing → This is the process of verifying a user’s identity before account creation.
B) Permission creep → This occurs when users accumulate unnecessary permissions over time, but it is not related to account removal.
D) Federation → Federation enables single sign-on (SSO) across multiple organizations, but it is not related to account termination.
A company wants to simplify the login process for employees by allowing them to use one set of credentials to access multiple applications and services within the organization.
Which of the following authentication solutions would BEST meet this requirement?
A) Open Authorization (OAuth)
B) Single Sign-On (SSO)
C) Attestation
D) Interoperability
Answer: B) Single Sign-On (SSO)
Explanation:
SSO (Single Sign-On) allows users to log in once and gain access to multiple services without needing to reauthenticate.
Incorrect Answers:
A) OAuth → OAuth is used to grant access to third-party applications, but it does not provide full SSO functionality.
C) Attestation → Attestation verifies hardware identity, not user authentication across multiple services.
D) Interoperability → Interoperability ensures different authentication systems can work together, but it does not handle authentication directly.
A security administrator configures access controls so that employees can only log into the corporate VPN between 7:00 AM and 7:00 PM. Any login attempt outside this window is automatically denied.
This security measure is known as _______________.
A) Time-of-Day Restrictions
B) Least Privilege
C) Attribute-Based Access Control (ABAC)
D) Rule-Based Access Control (RuBAC)
Answer: A) Time-of-Day Restrictions
Explanation:
Time-of-day restrictions enforce access limitations based on specific time periods, preventing logins outside approved hours.
Incorrect Answers:
B) Least Privilege → Least privilege ensures users only have the permissions they need, but does not enforce time-based access.
C) ABAC → ABAC assigns permissions based on user attributes, not time-based restrictions.
D) RuBAC → RuBAC enforces rules-based access but is not specifically focused on time-based access control.
A penetration tester is assessing an organization’s authentication system and finds that an attacker can manipulate input fields to alter directory queries, allowing unauthorized access to sensitive user data.
Which of the following vulnerabilities is MOST likely being exploited?
A) SQL Injection
B) LDAP Injection
C) Cross-Site Scripting (XSS)
D) OAuth Token Hijacking
Answer: B) LDAP Injection
Explanation:
LDAP Injection occurs when untrusted input is used to manipulate Lightweight Directory Access Protocol (LDAP) queries, potentially exposing user credentials and sensitive information.
Incorrect Answers:
A) SQL Injection → SQL Injection exploits database queries, not LDAP authentication systems.
C) XSS → Cross-Site Scripting (XSS) targets web browsers by injecting malicious scripts, not LDAP directories.
D) OAuth Token Hijacking → OAuth hijacking targets authentication tokens, but this scenario describes LDAP manipulation.
A company wants to implement strict access controls to minimize security risks. The security team has decided to:
Limit user permissions to only what is necessary for their job.
Ensure that access decisions are based on predefined security labels.
Which of the following access control models should they implement? (Select TWO)
A) Least Privilege
B) Rule-Based Access Control (RuBAC)
C) Discretionary Access Control (DAC)
D) Mandatory Access Control (MAC)
E) Attribute-Based Access Control (ABAC)
Answer: A) Least Privilege & D) Mandatory Access Control (MAC)
Explanation:
Least Privilege ensures that users only have the permissions necessary to perform their job functions, reducing risk in case of a security breach.
MAC (Mandatory Access Control) enforces strict, predefined access rules based on security classifications.
Incorrect Answers:
B) RuBAC → RuBAC enforces predefined rules, but it does not enforce classification-based access like MAC.
C) DAC → DAC allows users to manage their own permissions, which is less secure than MAC.
E) ABAC → ABAC assigns permissions based on user attributes, but MAC is stricter in enforcing security classifications.
A security administrator is configuring multi-factor authentication (MFA) for employees logging into a company VPN. The administrator requires users to enter their password and insert a smart card before gaining access.
Which two authentication factors are being used?
A) Something you have and something you are
B) Something you know and somewhere you are
C) Something you have and something you know
D) Something you know and something you have
Answer: D) Something you know and something you have
Explanation:
“Something you know” = Password
“Something you have” = Smart card
These are two distinct factors, which meet the definition of MFA.
Incorrect Answers:
A) Something you have and something you are → There is no biometric factor (something you are) in this scenario.
B) Something you know and somewhere you are → The scenario does not mention geolocation factors like GPS or IP address.
C) Something you have and something you know → This is correct in content but the phrasing is reversed compared to standard MFA factor listing.
A security team wants to implement an email security protocol that prevents unauthorized mail servers from sending emails on behalf of the company’s domain.
Which protocol should they implement?
A) DomainKeys Identified Mail (DKIM)
B) Sender Policy Framework (SPF)
C) Secure Email Gateway (SEG)
D) Transport Layer Security (TLS)
Answer: B) Sender Policy Framework (SPF)
Explanation:
SPF helps prevent email spoofing by verifying whether an email came from an authorized mail server before accepting it.
Incorrect Answers:
A) DKIM → DKIM authenticates email integrity, but it does not verify whether the sender is authorized.
C) SEG → A Secure Email Gateway filters emails for malicious content, but it does not verify sender legitimacy.
D) TLS → TLS encrypts email communication but does not prevent unauthorized mail servers from sending emails.
A cybersecurity analyst needs to prevent employees from accessing known phishing websites while still allowing access to legitimate sites.
Which web filtering technique should the analyst implement?
A) URL scanning
B) Content categorization
C) Block rules
D) Centralized proxy
Answer: C) Block rules
Explanation:
Block rules (deny lists) are explicitly used to deny access to known malicious sites, making them the best choice for blocking phishing websites.
Incorrect Answers:
A) URL scanning → URL scanning identifies URLs but does not necessarily block them unless paired with filtering policies.
B) Content categorization → Categorization is more useful for broad filtering (e.g., gambling, adult content) rather than specific known phishing sites.
D) Centralized proxy → A proxy can enforce filtering, but it does not inherently block phishing websites.
A company is concerned about unauthorized devices connecting to its network. They want to enforce a security solution that only allows compliant devices to connect and can check device security posture before granting access.
Which security solution would BEST meet this requirement?
A) File Integrity Monitoring (FIM)
B) Endpoint Detection and Response (EDR)
C) Network Access Control (NAC)
D) User Behavior Analytics (UBA)
Answer: C) Network Access Control (NAC)
Explanation:
NAC (Network Access Control) ensures that only authorized and compliant devices can access the network. It can enforce pre-admission (before connection) and post-admission (after connection) security checks.
Incorrect Answers:
A) FIM → FIM monitors file integrity, but does not control network access.
B) EDR → EDR monitors endpoints but does not enforce network access rules.
D) UBA → UBA detects anomalous user behavior, but does not restrict network access.
A company is developing a customer-facing web application and wants to allow users to log in using their existing Google or Facebook accounts instead of creating a new username and password.
Which authentication protocol would BEST meet this requirement?
A) Security Assertions Markup Language (SAML)
B) Lightweight Directory Access Protocol (LDAP)
C) Open Authorization (OAuth)
D) Attestation
Answer: C) Open Authorization (OAuth)
Explanation:
OAuth allows users to authenticate through a third-party provider (e.g., Google, Facebook) without sharing their actual credentials with the application.
Incorrect Answers:
A) SAML → SAML is used for federated identity management, typically between IdPs and SPs in an enterprise setting.
B) LDAP → LDAP is used for directory services and is not designed for third-party authentication.
D) Attestation → Attestation verifies hardware identity, not user authentication for applications.
A junior administrator accidentally grants a finance employee access to HR payroll records. The security team notices this and immediately revokes the unnecessary access.
Which of the following security principles is the team enforcing?
A) Identity proofing
B) Least privilege
C) Federation
D) Deprovisioning
Answer: B) Least privilege
Explanation:
Least privilege ensures that users only have access to the resources necessary for their job functions. Removing unnecessary access aligns with this principle.
Incorrect Answers:
A) Identity proofing → Identity proofing verifies a user’s identity, not access levels.
C) Federation → Federation manages authentication across multiple systems, but does not enforce access control.
D) Deprovisioning → Deprovisioning removes user accounts, but this scenario involves adjusting existing permissions.
An organization wants to implement a biometric authentication system that is contactless and can uniquely identify users based on patterns beneath the skin.
Which biometric authentication method would BEST meet this requirement?
A) Fingerprinting
B) Retina scanning
C) Vein scanning
D) Facial recognition
Answer: C) Vein scanning
Explanation:
Vein scanning detects patterns in veins, usually in the finger or hand, and can be contactless—making it more hygienic than fingerprint scanners.
Incorrect Answers:
A) Fingerprinting → Requires physical contact, which is not ideal for hygiene concerns.
B) Retina scanning → Scans blood vessels in the eye, but is not contactless and can be invasive.
D) Facial recognition → Detects surface features, but does not scan beneath the skin.
A cybersecurity consultant is advising a company on passwordless authentication methods. The company wants a hardware-based solution that can generate one-time passwords (OTPs), store cryptographic keys, and support certificate-based authentication without requiring a traditional password.
Which of the following solutions BEST meets these requirements?
A) Security key
B) Hard token
C) Soft token
D) Biometric authentication
Answer: A) Security key
Explanation:
A security key supports passwordless authentication, generates OTPs, and enables cryptographic authentication using public key cryptography.
Incorrect Answers:
B) Hard token → A hard token only generates OTPs but does not support passwordless authentication.
C) Soft token → A soft token is software-based, not hardware-based like the security key.
D) Biometric authentication → Biometrics verify identity but do not generate OTPs or store cryptographic keys.
A company is implementing an authentication method that does not require users to enter a traditional password but instead uses a hardware device that generates cryptographic keys to verify user identity.
This type of authentication method is BEST described as _______________.
A) Smart card authentication
B) Biometric authentication
C) Security token authentication
D) Passwordless authentication
Answer: D) Passwordless authentication
Explanation:
Passwordless authentication eliminates traditional passwords and instead relies on cryptographic hardware devices such as security keys or authentication tokens to verify a user’s identity.
Incorrect Answers:
A) Smart card authentication → Smart cards are physical devices, but they are often used alongside passwords rather than replacing them entirely.
B) Biometric authentication → Biometric authentication uses fingerprints, retina scans, or facial recognition, which are “something you are” factors, but not necessarily passwordless methods.
C) Security token authentication → Security tokens can be part of MFA, but they do not always eliminate passwords—many implementations still require a PIN or password.
A security administrator is enforcing a password policy requiring employees to use at least 12 characters, including uppercase letters, numbers, and special characters.
Which two password security concepts are being enforced?
A) Password length and password complexity
B) Password expiration and password age
C) Password reuse and password expiration
D) Password age and password reuse
Answer: A) Password length and password complexity
Explanation:
Password length ensures passwords meet a minimum character requirement (e.g., 12 characters).
Password complexity enforces the use of uppercase letters, numbers, and special characters.
Incorrect Answers:
B) Password expiration and password age → These refer to how long a password can be used, not its length or complexity.
C) Password reuse and password expiration → Password expiration sets a time limit on passwords, but it does not enforce length or complexity.
D) Password age and password reuse → Password age prevents immediate resets, but this scenario is about password length and complexity.
A company is implementing a Privileged Access Management (PAM) solution to secure its administrative accounts. Which of the following best describes the principle of least privilege in this context?
A. Granting users permanent access to all systems they might need in the future.
B. Restricting users to only the permissions necessary to perform their job functions.
C. Allowing users to share credentials for convenience and efficiency.
D. Providing full administrative access to all users to ensure business continuity.
Answer: B
Explanation: The principle of least privilege ensures that users have only the minimum permissions required to perform their tasks. This reduces the attack surface and limits the potential damage from compromised accounts. Option A violates least privilege by granting unnecessary access, Option C increases security risks, and Option D is a direct violation of least privilege.
A security analyst wants to monitor suspicious activity on workstations by analyzing system logs and detecting Indicators of Compromise (IoCs). The analyst should implement _______________.
A) Network Access Control (NAC)
B) Extended Detection and Response (XDR)
C) Endpoint Detection and Response (EDR)
D) User Behavior Analytics (UBA)
Answer: C) Endpoint Detection and Response (EDR)
Explanation:
EDR (Endpoint Detection and Response) is used to monitor endpoint activity, detect Indicators of Compromise (IoCs), and analyze system logs for suspicious activity.
Incorrect Answers:
A) NAC → NAC controls network access, but does not detect endpoint-based threats.
B) XDR → XDR expands on EDR by including network-wide monitoring, but the question specifically asks about workstations (endpoints).
D) UBA → UBA tracks user behavior, not system logs or threat detection.
A company has implemented SPF and DKIM, but phishing emails impersonating the company’s domain are still reaching users. The security team wants to enforce stricter email authentication policies and receive reports on failed authentication attempts.
Which security measure would BEST help achieve this goal?
A) Implement Transport Layer Security (TLS) for email encryption
B) Configure Domain-Based Message Authentication Reporting and Conformance (DMARC)
C) Require all users to digitally sign their emails
D) Enable HTTPS for accessing web-based email
Answer: B) Configure Domain-Based Message Authentication Reporting and Conformance (DMARC)
Explanation:
DMARC enforces email authentication policies by combining SPF and DKIM and provides reports on failed authentication attempts.
Incorrect Answers:
A) TLS → TLS encrypts email in transit but does not verify sender identity.
C) Digital signatures → Email signatures verify individual users, not domain-wide email authentication.
D) HTTPS → HTTPS secures web access, not email security policies.
An IT department is creating accounts for remote employees and needs to ensure that each individual is who they claim to be before issuing login credentials.
Which of the following should the IT department implement?
A) Federation
B) Identity proofing
C) Deprovisioning
D) Permission assignments
Answer: B) Identity proofing
Explanation:
Identity proofing is the process of verifying a person’s identity before creating an account. This can include government ID verification, knowledge-based questions, or biometric authentication.
Incorrect Answers:
A) Federation → Federation handles authentication across organizations, but does not verify user identities.
C) Deprovisioning → Deprovisioning removes user accounts, but this scenario is about creating accounts.
D) Permission assignments → Assigning permissions happens after identity proofing, but it does not verify identity.
A security administrator is configuring Just-in-Time (JIT) permissions for a development team. Which of the following best describes the primary benefit of JIT permissions?
A. It allows users to retain access indefinitely for convenience.
B. It reduces the risk of privilege misuse by granting temporary access only when needed.
C. It eliminates the need for password vaulting.
D. It provides permanent access to all resources for all users.
Answer: B
Explanation: JIT permissions grant access only when required and for a limited time, reducing the risk of privilege misuse.
Option A is incorrect because JIT permissions are temporary, not indefinite.
Option C is incorrect because JIT permissions and password vaulting serve different purposes.
Option D violates the principle of least privilege.
A company wants to enforce web filtering policies for all users, including guest users on the network, without installing software on individual devices. The BEST solution for this requirement is a _______________.
A) Agent-based web filter
B) Block rule
C) Centralized proxy web filter
D) URL scanning
Answer: C) Centralized proxy web filter
Explanation:
A centralized proxy web filter is deployed at the network level (Layer 2/3), allowing it to enforce filtering rules for all users—even guests who do not have agent-based software installed.
Incorrect Answers:
A) Agent-based web filter → Requires installation on each device and cannot enforce policies for guest users.
B) Block rule → Denies specific URLs, but does not enforce network-wide filtering.
D) URL scanning → Only analyzes URLs but does not enforce policy network-wide.
Which of the following enhance web security through web filtering? (Select TWO)
A) Implementing block rules to prevent access to known malicious sites
B) Allowing all incoming web traffic by default to improve access speed
C) Using reputation-based filtering to block high-risk websites
D) Enabling URL scanning but allowing all connections to reduce user disruptions
E) Disabling web filters on guest networks to allow unrestricted browsing
Answer: A) Implementing block rules & C) Using reputation-based filtering
Explanation:
Block rules deny access to known malicious URLs, reducing exposure to phishing and malware.
Reputation-based filtering blocks high-risk websites based on threat intelligence and behavior analysis.
Incorrect Answers:
B) Allowing all incoming web traffic by default → Increases security risks by allowing potential malicious sites.
D) Enabling URL scanning but allowing all connections → Scanning alone does not block threats unless enforcement rules are in place.
E) Disabling web filters on guest networks → Exposes the entire network to threats if guest devices are compromised.
An organization wants to filter incoming and outgoing emails for spam, malware, and phishing attempts before they reach internal mail servers. The company should implement a _______________.
A) DomainKeys Identified Mail (DKIM)
B) Sender Policy Framework (SPF)
C) Domain Name System Security Extensions (DNSSEC)
D) Secure Email Gateway (SEG)
Answer: D) Secure Email Gateway (SEG)
Explanation:
A Secure Email Gateway (SEG) acts as an email filter, analyzing incoming and outgoing emails for spam, phishing, and malware.
Incorrect Answers:
A) DKIM → DKIM authenticates sender identity, but it does not filter emails.
B) SPF → SPF verifies authorized mail servers but does not filter content.
C) DNSSEC → DNSSEC secures DNS lookups, not email filtering.
A cloud service provider (SP) wants to integrate with an external identity provider (IdP) for authentication. When a user attempts to log in, the SP redirects the request to the IdP, which then authenticates the user and sends back an authentication token.
This authentication process is BEST described as _______________.
A) Open Authorization (OAuth)
B) Lightweight Directory Access Protocol (LDAP)
C) Interoperability
D) Security Assertion Markup Language (SAML)
Answer: D) Security Assertion Markup Language (SAML)
Explanation:
SAML facilitates authentication between an Identity Provider (IdP) and a Service Provider (SP), allowing users to log in using a trust-based relationship.
Incorrect Answers:
A) OAuth → OAuth delegates authorization, but does not authenticate users between IdPs and SPs.
B) LDAP → LDAP is used for directory services, not federated authentication.
C) Interoperability → Interoperability ensures different systems can communicate, but it does not define an authentication process.
A company enforces a policy where users must change their passwords every 60 days but cannot reuse their last 10 passwords. Additionally, once a user changes their password, they must wait at least 7 days before changing it again.
Which password security policies are being enforced?
A) Password expiration and password age
B) Password length and password reuse
C) Password complexity and password managers
D) Password expiration and password length
Answer: A) Password expiration and password age
Explanation:
Password expiration → Users must change their passwords every 60 days.
Password age → Users must wait at least 7 days before changing it again.
Incorrect Answers:
B) Password length and password reuse → Length is not mentioned, and password reuse refers to previous passwords, not expiration rules.
C) Password complexity and password managers → Complexity refers to character requirements, and password managers store credentials.
D) Password expiration and password length → There is no mention of password length in this scenario.
An IT department assigns employees access to specific systems based on their job functions. For example, HR employees have access to payroll data, while finance employees can view financial reports.
Which access control model does this describe?
A) Rule-Based Access Control (RuBAC)
B) Attribute-Based Access Control (ABAC)
C) Discretionary Access Control (DAC)
D) Role-Based Access Control (RBAC)
Answer: D) Role-Based Access Control (RBAC)
Explanation:
RBAC (Role-Based Access Control) assigns permissions based on job roles, ensuring users can only access the resources necessary for their responsibilities.
Incorrect Answers:
A) RuBAC → RuBAC is rule-driven, not role-driven.
B) ABAC → ABAC considers attributes (e.g., location, job title), but RBAC is strictly role-based.
C) DAC → DAC lets users control permissions, while RBAC is centrally managed based on roles.
The process of storing passwords in a centralized, encrypted location with highly restricted access is known as ___________.
A. Password vaulting
B. Just-in-Time (JIT) permissions
C. Ephemeral credentials
D. Privileged Access Management (PAM)
Answer: A
Explanation: Password vaulting securely stores credentials in a centralized, encrypted location, reducing the risk of exposure.
A security administrator is implementing a Privileged Access Management (PAM) solution in an enterprise environment. The goal is to ensure that privileged users only have access to elevated permissions when required, and those permissions should automatically be revoked when no longer needed.
Which of the following PAM features best meets this requirement?
A. Ephemeral credentials
B. Password vaulting
C. Just-in-Time (JIT) permissions
D. Orchestration
✅ Correct Answer: C. Just-in-Time (JIT) permissions
🔹 Explanation: JIT permissions grant users privileged access only when needed and revoke it after use, reducing security risks.
❌ Incorrect Answers:
A. Ephemeral credentials → Temporary accounts are created for specific time periods but are not necessarily tied to on-demand privileged access.
B. Password vaulting → Securely stores passwords but does not dynamically control access permissions.
D. Orchestration → Manages security tools, but it is not directly related to privileged access timing.
A cybersecurity team is setting up a password vaulting system as part of their PAM solution. They want to ensure that privileged users can access multiple systems without manually entering credentials, while also minimizing the risk of credential theft.
Which of the following are key benefits of implementing password vaulting? (Select TWO.)
A. Users can access privileged systems without knowing the actual passwords
B. Passwords are stored in plaintext for easy access by administrators
C. Reduces credential theft by limiting direct password exposure
D. Ensures that users always remember their own passwords for login
E. Allows unrestricted access to all privileged accounts
✅ Correct Answers: A, C
🔹 Explanation:
A. Users can access privileged systems without knowing the actual passwords → The vaulting system automatically inputs credentials, reducing password exposure.
C. Reduces credential theft by limiting direct password exposure → Since users never directly enter passwords, attackers cannot easily steal them.
❌ Incorrect Answers:
B. Passwords are stored in plaintext → False; passwords are stored in encrypted form to prevent unauthorized access.
D. Ensures users always remember their passwords → False; password vaulting removes the need for users to remember or enter passwords.
E. Allows unrestricted access → False; vaulting controls access rather than granting unrestricted permissions.
A security analyst is concerned that automated security tasks and integrated security tools are not functioning as a unified system. The organization needs a centralized method to ensure that all security tools work together efficiently to detect and respond to threats.
Which of the following best addresses this issue?
A. Ephemeral credentials
B. Just-in-Time (JIT) permissions
C. Password vaulting
D. Automation and orchestration
✅ Correct Answer: D. Automation and orchestration
🔹 Explanation: Orchestration integrates security tools into a cohesive system, while automation reduces manual effort in security tasks.
❌ Incorrect Answers:
A. Ephemeral credentials → Provides temporary access but does not address tool integration.
B. Just-in-Time (JIT) permissions → Controls access but does not integrate security tools.
C. Password vaulting → Secures passwords but does not unify security processes.
A large organization wants to allow users from multiple business partners to log in to shared services without needing separate credentials for each system. They decide to implement _______________.
A) Identity proofing
B) Least privilege
C) Permission creep
D) Federation
Answer: D) Federation
Explanation:
Federation enables authentication across multiple organizations using a trusted Identity Provider (IdP) to allow users to log in without needing separate credentials for each service.
Incorrect Answers:
A) Identity proofing → Identity proofing verifies a single user’s identity, but does not provide cross-organizational authentication.
B) Least privilege → Least privilege controls permissions, but does not enable cross-organizational authentication.
C) Permission creep → Permission creep happens when users accumulate excessive access, which is unrelated to federation authentication.
A security team wants to detect insider threats and compromised user accounts by analyzing deviations from normal activity.
Which of the following solutions should they implement? (Select TWO)
A) User Behavior Analytics (UBA)
B) Endpoint Detection and Response (EDR)
C) File Integrity Monitoring (FIM)
D) Extended Detection and Response (XDR)
E) Network Access Control (NAC)
Answer: A) User Behavior Analytics (UBA) & D) Extended Detection and Response (XDR)
Explanation:
UBA (User Behavior Analytics) detects anomalous user activity, such as insider threats and compromised accounts.
XDR (Extended Detection and Response) provides a broader security analysis by correlating data across endpoints, networks, and cloud environments.
Incorrect Answers:
B) EDR → EDR monitors endpoint threats, but does not specifically analyze user behavior.
C) FIM → FIM tracks file integrity, not user activity.
E) NAC → NAC enforces network security policies, not behavior analytics.
A company wants to prevent email spoofing and ensure that incoming emails are legitimate.
Which of the following should they implement? (Select TWO)
A) Sender Policy Framework (SPF)
B) DomainKeys Identified Mail (DKIM)
C) Secure Sockets Layer (SSL)
D) Dynamic Host Configuration Protocol (DHCP)
E) Address Resolution Protocol (ARP)
Answer: A) Sender Policy Framework (SPF) & B) DomainKeys Identified Mail (DKIM)
Explanation:
SPF prevents unauthorized mail servers from sending emails on behalf of a domain.
DKIM verifies email integrity by attaching a digital signature.
Incorrect Answers:
C) SSL → SSL encrypts web traffic but is not an email authentication protocol.
D) DHCP → DHCP assigns IP addresses and is unrelated to email security.
E) ARP → ARP is used for resolving IP addresses to MAC addresses, not securing email.
A security team is reviewing access management practices and wants to ensure employees only have the minimum permissions necessary and that user identities are verified before accounts are created.
Which of the following security measures should they implement? (Select TWO)
A) Least privilege
B) Federation
C) Identity proofing
D) Deprovisioning
E) Network Access Control (NAC)
Answer: A) Least privilege & C) Identity proofing
Explanation:
Least privilege ensures that users only have the minimum access necessary to perform their job.
Identity proofing verifies a user’s identity before granting access, ensuring that only legitimate users receive accounts.
Incorrect Answers:
B) Federation → Federation allows authentication across organizations, but does not enforce least privilege or identity verification.
D) Deprovisioning → Deprovisioning removes user accounts, but does not control permission assignments or identity verification.
E) NAC → Network Access Control enforces device-based access policies, not identity or privilege management.
Which of the following is a core function of Privileged Access Management (PAM) tools?
A. Managing and securing privileged accounts
B. Enforcing multi-factor authentication (MFA) for all employees
C. Encrypting all endpoint communications
D. Scanning for software vulnerabilities
✅ Correct Answer: A. Managing and securing privileged accounts
🔹 Explanation: PAM tools are specifically designed to secure and manage privileged accounts, reducing the risk of misuse or compromise.
❌ Incorrect Answers:
B. Enforcing MFA for all employees → MFA enhances security but is not specific to PAM.
C. Encrypting all endpoint communications → A security measure, but not a primary PAM function.
D. Scanning for software vulnerabilities → More related to vulnerability management, not PAM.
A security engineer is implementing a Security Orchestration, Automation, and Response (SOAR) platform to improve the organization’s incident response process. The main goal is to automate manual processes such as monitoring, alerting, and remediation while providing real-time visibility into the network.
Which of the following best describes the primary benefit of implementing SOAR?
A. It integrates security tools into a single cohesive system
B. It prevents unauthorized changes to system configurations
C. It replaces all manual security processes with fully autonomous systems
D. It ensures that all user accounts are automatically deleted when an employee leaves
✅ Correct Answer: A. It integrates security tools into a single cohesive system
🔹 Explanation: SOAR platforms unify security tools, automate response actions, and provide real-time visibility into the network.
❌ Incorrect Answers:
B. It prevents unauthorized changes to system configurations → SOAR improves incident response but does not enforce configuration management.
C. It replaces all manual security processes with fully autonomous systems → False; SOAR still requires human oversight for critical decisions.
D. It ensures that all user accounts are automatically deleted when an employee leaves → This is a user provisioning function, not the main purpose of SOAR.
An organization is concerned about employees retaining excessive permissions after changing roles. To mitigate this risk, the security team wants to implement a solution that automatically adds or removes permissions based on predefined rules when users are assigned to different roles.
Which of the following would BEST address this concern?
A. Guardrails
B. Security groups
C. User provisioning automation
D. Continuous integration
✅ Correct Answer: C. User provisioning automation
🔹 Explanation: User provisioning automation ensures that permissions are granted or revoked dynamically based on a user’s role, reducing the risk of excessive privileges.
❌ Incorrect Answers:
A. Guardrails → Guardrails monitor compliance but do not dynamically adjust user permissions.
B. Security groups → Security groups help organize permissions but do not automate changes.
D. Continuous integration → CI/CD is for software development, not access management.
A security administrator is responsible for ensuring that all systems within the organization follow a standardized security configuration. Due to the size of the enterprise, manually checking configurations is inefficient and prone to errors.
Which of the following automation benefits would BEST help the administrator enforce security settings across all devices?
A. Reaction time
B. Standard infrastructure configurations
C. Workforce multiplier
D. Employee retention
✅ Correct Answer: B. Standard infrastructure configurations
🔹 Explanation: Automation ensures devices are configured consistently and correctly, reducing the likelihood of misconfigurations and increasing security.
❌ Incorrect Answers:
A. Reaction time → Related to incident response, not enforcing configuration standards.
C. Workforce multiplier → Describes automation replacing multiple human tasks but does not specifically address enforcing security configurations.
D. Employee retention → A benefit of automation but not related to standardizing infrastructure configurations.
Which of the following BEST describes the purpose of guardrails in an automated security environment?
A. They automatically adjust user permissions based on predefined policies
B. They establish boundaries that prevent automated processes from exceeding security standards
C. They provide a method for continuously integrating and deploying new security configurations
D. They authenticate and authorize API requests to ensure secure communication
✅ Correct Answer: B. They establish boundaries that prevent automated processes from exceeding security standards
🔹 Explanation: Guardrails define limits within which automated processes must operate, ensuring security and compliance.
❌ Incorrect Answers:
A. They automatically adjust user permissions → This describes user provisioning automation, not guardrails.
C. They provide a method for continuously integrating security configurations → Continuous integration is related to software development, not guardrails.
D. They authenticate and authorize API requests → API security mechanisms handle this, not guardrails.
A DevSecOps team is implementing a Continuous Integration (CI) pipeline to ensure that new code is automatically tested and deployed in a secure manner. They want to improve security by integrating automated security tests into the CI process.
Which of the following actions would enhance security in this environment? (Select TWO.)
A. Automating security vulnerability scans on newly integrated code
B. Using ephemeral credentials for all privileged API requests
C. Removing all manual review processes to increase deployment speed
D. Automating permissions for all privileged user accounts
E. Implementing guardrails to enforce secure coding practices
✅ Correct Answers: A, E
🔹 Explanation:
A. Automating security vulnerability scans → Ensures that newly integrated code is tested for security flaws before deployment.
E. Implementing guardrails → Prevents insecure coding practices from violating security policies.
❌ Incorrect Answers:
B. Using ephemeral credentials → Useful for security, but not directly related to CI/CD security.
C. Removing all manual review processes → Eliminates oversight, increasing security risks.
D. Automating permissions for all privileged users → Not related to securing code in a CI/CD pipeline.
A system administrator notices that users frequently share files with each other by manually setting permissions on their own files and directories.
Which of the following access control models is being used?
A) Rule-Based Access Control (RuBAC)
B) Attribute-Based Access Control (ABAC)
C) Discretionary Access Control (DAC)
D) Mandatory Access Control (MAC)
Answer: C) Discretionary Access Control (DAC)
Explanation:
DAC (Discretionary Access Control) allows the owner of a file or resource to manage permissions and grant or revoke access at their discretion.
Incorrect Answers:
A) RuBAC → RuBAC enforces predefined rules for access, rather than allowing users to manage permissions.
B) ABAC → ABAC uses user attributes (e.g., department, job title), rather than letting individual users assign permissions.
D) MAC → MAC enforces security classifications centrally and does not allow users to change access permissions.
A security team is implementing device-based security policies to ensure that only authorized hardware can connect to the company network. Additionally, they want to ensure that authentication protocols from different vendors can work together seamlessly.
Which of the following solutions should they implement? (Select TWO)
A) Attestation
B) Security Assertion Markup Language (SAML)
C) Interoperability
D) Lightweight Directory Access Protocol (LDAP)
E) OAuth
Answer: A) Attestation & C) Interoperability
Explanation:
Attestation validates hardware identity, ensuring that only trusted devices can access the network.
Interoperability allows different authentication and authorization protocols (e.g., SAML and OAuth) to work together.
Incorrect Answers:
B) SAML → SAML is used for federated authentication, but it does not validate hardware identity.
D) LDAP → LDAP provides directory access, but does not enforce device-based authentication.
E) OAuth → OAuth controls user authorization, but it does not validate hardware identity.
A company is expanding its IT infrastructure rapidly. The security team is concerned that manual configuration of new systems will lead to security gaps due to the increasing complexity of network communications.
Which of the following automation benefits would BEST address this concern?
A. Scaling in a secure manner
B. Enforcing baselines
C. Workforce multiplier
D. Employee retention
✅ Correct Answer: A. Scaling in a secure manner
🔹 Explanation: Scaling securely ensures that security measures are automatically applied as the network expands, preventing misconfigurations and vulnerabilities.
❌ Incorrect Answers:
B. Enforcing baselines → Helps maintain security standards but does not directly address scalability.
C. Workforce multiplier → Reduces manual effort but does not specifically help with secure scaling.
D. Employee retention → Unrelated to security concerns in infrastructure scaling.
A security team is implementing automation to improve operational efficiency and security. The organization wants to use automation to reduce manual workloads, ensure systems remain compliant, and improve incident response speed.
Which of the following are key benefits of automation that meet these requirements? (Select TWO.)
A. Ticket creation
B. Employee retention
C. Enforcing baselines
D. Continuous integration
E. Reaction time
✅ Correct Answers: E, C
🔹 Explanation:
C. Enforcing baselines → Ensures that systems remain compliant with security policies automatically.
E. Reaction time → Automation detects and responds to security incidents faster than humans, reducing breach impact.
❌ Incorrect Answers:
A. Ticket creation → Helps with reporting but does not directly enforce baselines or reduce reaction time.
B. Employee retention → Helps reduce turnover but is not a security-focused benefit.
D. Continuous integration → Related to software development, not enforcing security baselines or improving reaction time.
Which of the following is a primary advantage of using automation for enforcing security baselines?
A. It ensures that all systems remain compliant with predefined security standards
B. It increases employee retention by reducing manual workloads
C. It provides real-time escalation for high-priority security incidents
D. It reduces the need for user authentication in automated workflows
✅ Correct Answer: A. It ensures that all systems remain compliant with predefined security standards
🔹 Explanation: Automated baseline enforcement ensures that all systems adhere to security standards, reducing the risk of misconfigurations.
❌ Incorrect Answers:
B. Increases employee retention → A benefit of automation, but not the main reason for enforcing security baselines.
C. Provides real-time escalation → Related to incident response, not security baselines.
D. Reduces the need for user authentication → Security automation does not remove authentication requirements.
A financial institution detects suspicious activity on a workstation. A security analyst investigates and confirms that malware is actively exfiltrating sensitive data. To minimize the damage, the analyst immediately disconnects the workstation from the network.
Which incident response phase is the analyst performing?
A. Detection
B. Containment
C. Eradication
D. Recovery
✅ Correct Answer: B. Containment
🔹 Explanation: The analyst is isolating the affected system to prevent further spread, which falls under containment.
❌ Incorrect Answers:
A. Detection → Occurs before containment, during which the incident is identified.
C. Eradication → Happens after containment, where the malware is removed.
D. Recovery → Focuses on restoring systems after the threat is eradicated.
A company has invested in an automation and orchestration system to improve security operations. However, after implementation, the security team finds that the system requires frequent updates to stay compatible with new technologies. The team is concerned that falling behind on updates could cause security vulnerabilities.
Which of the following challenges is the company facing?
A. Single point of failure
B. Technical debt
C. Ongoing supportability
D. Complexity
✅ Correct Answer: B. Technical debt
🔹 Explanation: Technical debt occurs when automation scripts and systems become outdated due to rapid technological changes, leading to security risks.
❌ Incorrect Answers:
A. Single point of failure → Applies when a single system failure can compromise security, but not when scripts become outdated.
C. Ongoing supportability → Related to manufacturer support and system lifecycle, not outdated scripts.
D. Complexity → Describes the difficulty of creating and managing automation but not the issue of outdated technology.
Which of the following best describes Root Cause Analysis (RCA) in the incident response process?
A. A verbal discussion among stakeholders to improve the IR plan.
B. A systematic investigation conducted after an incident to determine its cause.
C. A live exercise where security teams respond to a simulated attack.
D. A proactive approach to identifying unknown threats before they cause harm.
✅ Correct Answer: B. A systematic investigation conducted after an incident to determine its cause.
🔹 Explanation: RCA is conducted after an incident to analyze how and why it happened, allowing security teams to implement preventive measures.
❌ Incorrect Answers:
A. Verbal discussion → Describes a tabletop exercise.
C. Live exercise → Describes a simulation.
D. Identifying unknown threats → Describes threat hunting.
A security team is reviewing its incident response plan. As part of the review, they conduct an exercise where participants verbally discuss how they would respond to a ransomware attack scenario. The team identifies gaps in their response procedures and suggests improvements.
Which of the following best describes the type of exercise conducted?
A. Simulation
B. Root Cause Analysis (RCA)
C. Tabletop Exercise
D. Threat Hunting
✅ Correct Answer: C. Tabletop Exercise
🔹 Explanation: A tabletop exercise is a verbal discussion of an incident response scenario to evaluate the IR plan, identify weaknesses, and improve procedures.
❌ Incorrect Answers:
A. Simulation → Involves an interactive live environment, not just a verbal discussion.
B. Root Cause Analysis (RCA) → Occurs after an incident to determine how it happened.
D. Threat Hunting → Proactively looks for vulnerabilities or threats, not a test of the IR plan.
An enterprise wants to enhance its incident response (IR) readiness. The security team is considering different testing approaches.
Which of the following IR testing exercises would be most appropriate? (Select TWO.)
A. Conducting a company-wide network penetration test to identify vulnerabilities.
B. Running a simulated cyberattack to test real-time incident response.
C. Hosting a meeting where staff verbally discuss their response to an incident scenario.
D. Performing a forensic investigation to determine how a past breach occurred.
E. Configuring automated alerts in the SIEM to improve real-time monitoring.
✅ Correct Answers: B, C
🔹 Explanation:
B. Running a simulated cyberattack → Simulation testing helps assess real-world IR team readiness.
C. Hosting a verbal discussion → Tabletop exercises help teams discuss and improve IR procedures.
❌ Incorrect Answers:
A. Penetration testing → Identifies vulnerabilities but is not an IR test.
D. Performing a forensic investigation → Describes Root Cause Analysis (RCA) and focuses on understanding a past incident, not an IR test.
E. Configuring SIEM alerts → Improves monitoring but is not a testing exercise.
A company is using automation to perform tasks that would typically require multiple employees. This allows the company to accomplish more without increasing headcount.
Which of the following best describes this automation benefit?
A. Standard infrastructure configurations
B. Reaction time
C. Scaling in a secure manner
D. Workforce multiplier
✅ Correct Answer: D. Workforce multiplier
🔹 Explanation: Automation acts as a “workforce multiplier” by handling repetitive tasks that would otherwise require multiple employees, allowing human workers to focus on higher-value tasks.
❌ Incorrect Answers:
A. Standard infrastructure configurations → Related to device setup, not optimizing workforce tasks.
B. Reaction time → Related to incident response speed, not workload efficiency.
C. Scaling in a secure manner → Describes network expansion, not reducing manual workload.
A forensic investigator is examining a laptop involved in an insider threat investigation. To ensure that any evidence gathered remains legally admissible, the investigator documents each transfer of the device from one analyst to another, noting the date, time, and individuals involved.
Which of the following best describes this process?
A. Acquisition
B. Chain of Custody
C. Legal Hold
D. E-Discovery
✅ Correct Answer: B. Chain of Custody
🔹 Explanation: Chain of custody documentation tracks who handled evidence, when, and where, ensuring it remains legally admissible.
❌ Incorrect Answers:
A. Acquisition → The process of collecting data, not tracking evidence transfers.
C. Legal Hold → A legal requirement to preserve data, but doesn’t track handling.
D. E-Discovery → Involves evidence exchange between parties in legal cases, not tracking forensic evidence.
A security operations team wants to automate the process of detecting and escalating significant security incidents. The goal is to ensure that critical alerts are automatically assigned to senior analysts for immediate action.
Which of the following would BEST meet this requirement?
A. SOAR (Security Orchestration, Automation, and Response)
B. Continuous integration and testing
C. Guardrails
D. Password vaulting
✅ Correct Answer: A. SOAR (Security Orchestration, Automation, and Response)
Explanation:
SOAR platforms are designed to automate security incident detection, escalation, and response. They integrate security tools, automatically generate alerts, and assign incidents to the appropriate security personnel for immediate action. This improves response time and reduces manual workload.
Incorrect Answers:
❌ B. Continuous integration and testing → Related to software development, ensuring new code is securely integrated, but not relevant to incident escalation.
❌ C. Guardrails → Enforce security policies and monitor automation but do not handle incident escalation.
❌ D. Password vaulting → Securely stores credentials but does not automate security incident response.
A security administrator is configuring access permissions for a classified government database. The system enforces strict security labels such as Confidential, Secret, and Top Secret, and only users with the appropriate clearance levels can access specific files.
Which access control model is being used?
A) Discretionary Access Control (DAC)
B) Role-Based Access Control (RBAC)
C) Attribute-Based Access Control (ABAC)
D) Mandatory Access Control (MAC)
Answer: D) Mandatory Access Control (MAC)
Explanation:
MAC (Mandatory Access Control) enforces access based on classification labels and is controlled by the operating system and administrators, not individual users.
Incorrect Answers:
A) DAC → DAC allows owners to set permissions, but MAC is centrally controlled.
B) RBAC → RBAC assigns permissions based on job roles, not security labels.
C) ABAC → ABAC uses attributes like job title, location, or department, while MAC is strictly based on predefined security levels.
A company has hundreds of user accounts across multiple platforms, and employees struggle to remember unique passwords for each system. The security team wants a centralized solution to store and manage employee credentials securely.
Which of the following solutions would BEST meet this requirement?
A) Password manager
B) Password reuse policy
C) Password complexity enforcement
D) Password expiration policy
Answer: A) Password manager
Explanation:
A password manager provides a secure, centralized location for storing and managing passwords, helping employees use unique passwords without needing to remember each one.
Incorrect Answers:
B) Password reuse policy → Prevents using old passwords, but does not store or manage passwords.
C) Password complexity enforcement → Ensures strong passwords, but does not help users manage them.
D) Password expiration policy → Requires password changes, but does not help with remembering credentials.
A company has adopted a Zero Trust security model and is looking to implement a method to limit privileged access to only the exact time it is needed. The security team wants to ensure that users do not retain excessive privileges after completing their tasks.
Which of the following technologies should the company implement?
A. Just-in-Time (JIT) permissions
B. Automation and orchestration
C. Ephemeral credentials
D. Password vaulting
✅ Correct Answer: A. Just-in-Time (JIT) permissions
🔹 Explanation: JIT permissions follow the Zero Trust principle by granting access only when required and revoking it immediately after.
❌ Incorrect Answers:
B. Automation and orchestration → Helps streamline security operations but does not directly control privileged access timing.
C. Ephemeral credentials → Temporary credentials help with guest accounts but do not enforce real-time privilege control.
D. Password vaulting → Securely stores credentials but does not control when privileges are granted or revoked.
A security operations team wants to automate the process of detecting and escalating significant security incidents. The goal is to ensure that critical alerts are automatically assigned to senior analysts for immediate action.
Which of the following would BEST meet this requirement?
A. Password vaulting
B. Continuous integration and testing
C. Guardrails
D. SOAR (Security Orchestration, Automation, and Response)
✅ Correct Answer: D. SOAR (Security Orchestration, Automation, and Response)
🔹 Explanation: SOAR automates incident detection, escalation, and response, ensuring critical alerts reach the right personnel quickly.
❌ Incorrect Answers:
A. Password vaulting → Stores credentials securely but is unrelated to incident escalation.
B. Continuous integration and testing → Related to software development, not incident escalation.
C. Guardrails → Define security boundaries but do not automate escalation.
An organization has fully integrated an automation system to manage security processes. However, the security team is concerned that if the system fails or is compromised, the entire network could be at risk.
Which of the following best describes this issue?
A. Cost
B. Complexity
C. Single point of failure
D. Technical debt
✅ Correct Answer: C. Single point of failure
🔹 Explanation: When a network relies too heavily on a single security automation system, its failure can leave the entire organization vulnerable.
❌ Incorrect Answers:
A. Cost → Relates to financial considerations, not reliance on a single system.
B. Complexity → Automation setup can be difficult, but it does not necessarily create a single point of failure.
D. Technical debt → Describes outdated technology, not a single dependency risk.
An organization recently suffered a ransomware attack. The IR team successfully contained and eradicated the threat by restoring systems from backups. To ensure the same attack does not occur again, the team reviews how the ransomware entered the network and updates security policies.
Which incident response phase is the team conducting?
A. Preparation
B. Lessons Learned
C. Detection
D. Recovery
✅ Correct Answer: B. Lessons Learned
🔹 Explanation: The lessons learned phase involves analyzing the incident, identifying weaknesses, and updating security policies to improve future defenses.
❌ Incorrect Answers:
A. Preparation → Involves setting up tools and policies before an incident occurs.
C. Detection → Occurs earlier, when the ransomware was first identified.
D. Recovery → Focuses on restoring systems, not improving security post-incident.
An organization wants to fully test its incident response procedures by simulating a real-world cyberattack in a controlled environment. The goal is to evaluate how the IR team responds under pressure and identify any weaknesses in detection, containment, and eradication.
Which of the following testing methods should be used?
A. Root Cause Analysis (RCA)
B. Tabletop Exercise
C. Threat Hunting
D. Simulation
✅ Correct Answer: D. Simulation
🔹 Explanation: A simulation is a realistic, interactive practice of the IR plan that allows the team to respond to incidents as if they were real.
❌ Incorrect Answers:
A. Root Cause Analysis (RCA) → Performed after an incident to investigate its cause, not to test response readiness.
B. Tabletop Exercise → Only a verbal discussion, no actual hands-on testing.
C. Threat Hunting → Proactively searches for threats, but is not a test of the IR process.
A corporation is facing a lawsuit, and the court has ordered the company to retain all emails, files, and communications related to the case. The IT team must ensure these records are preserved and not deleted, even if they normally would be under retention policies.
Which of the following best describes this requirement?
A. Chain of Custody
B. Acquisition
C. Legal Hold
D. Reporting
✅ Correct Answer: C. Legal Hold
🔹 Explanation: A legal hold requires an organization to preserve specific data beyond its normal retention policies for litigation purposes.
❌ Incorrect Answers:
A. Chain of Custody → Tracks who handled evidence, but does not mandate preservation.
B. Acquisition → Refers to collecting forensic data, not legally preserving it.
D. Reporting → Involves documenting forensic findings, not preserving data.
A forensic analyst is collecting evidence from a smartphone used in a cybercrime investigation. The analyst follows the order of volatility principle to prioritize data collection.
Which of the following data types should be collected first?
A. Open network connections
B. System logs
C. Hard drive contents
D. Archived email messages
✅ Correct Answer: A. Open network connections
🔹 Explanation: The order of volatility states that the most temporary and easily lost data should be collected first. Open network connections (RAM-based) disappear quickly.
❌ Incorrect Answers:
B. System logs → More persistent and can be collected later.
C. Hard drive contents → Least volatile, can be collected last.
D. Archived email messages → Stored remotely and does not disappear quickly.
A security analyst is investigating a brute-force attack targeting an organization’s Windows Active Directory. The analyst needs to identify multiple failed login attempts from a single IP address.
Which of the following data sources would be the MOST useful in this investigation?
A. Firewall Logs
B. OS-Specific Security Logs
C. Application Logs
D. Metadata
✅ Correct Answer: B. OS-Specific Security Logs
🔹 Explanation: OS-specific security logs, such as Windows Event Logs, contain authentication data and failed login attempts, which are critical for identifying brute-force attacks.
❌ Incorrect Answers:
A. Firewall Logs → Show network traffic but do not log failed authentication attempts.
C. Application Logs → Track application-related events, not authentication failures.
D. Metadata → Describes data about data but does not include login attempts.
A web application firewall (WAF) log shows multiple blocked requests coming from a single external IP address, targeting the /admin directory of the company’s website. The security team wants to determine whether the attacker successfully accessed the admin panel.
Which of the following log sources should the security analyst review NEXT?
A. Endpoint Logs
B. Network Logs
C. Application Logs
D. Metadata
✅ Correct Answer: C. Application Logs
🔹 Explanation: Application logs record login attempts, application errors, and access attempts, making them the best choice for determining whether unauthorized access occurred.
❌ Incorrect Answers:
A. Endpoint Logs → Focus on individual device activity, not web app access.
B. Network Logs → Provide traffic flow data but not application-specific actions.
D. Metadata → Describes file attributes but does not track web access attempts.
Which of the following best describes e-discovery in the context of digital forensics?
A. The process of securing and preserving evidence for forensic analysis.
B. The exchange of digital evidence between parties in a legal case.
C. The forensic acquisition of digital evidence from a suspect’s device.
D. The process of documenting the handling of forensic evidence.
✅ Correct Answer: B. The exchange of digital evidence between parties in a legal case.
🔹 Explanation: E-discovery (electronic discovery) involves the exchange of digital evidence between legal parties and third parties.
❌ Incorrect Answers:
A. Securing and preserving evidence → Describes preservation, not e-discovery.
C. Acquiring evidence from a device → Describes acquisition, not e-discovery.
D. Tracking forensic evidence handling → Describes chain of custody.
Which of the following best describes the role of endpoint logs in an investigation?
A. They track login attempts, authentication failures, and access control violations.
B. They provide visibility into device activity, including malware infections and unusual behavior.
C. They capture network traffic data, including packet headers and flows.
D. They collect metadata related to files stored on a system.
✅ Correct Answer: B. They provide visibility into device activity, including malware infections and unusual behavior.
🔹 Explanation: Endpoint logs monitor device activity, including malware execution, unauthorized file changes, and suspicious processes.
❌ Incorrect Answers:
A. Authentication failures → Found in OS-specific security logs.
C. Network traffic data → Found in network logs.
D. Metadata on stored files → Found in metadata logs.
A security analyst is investigating a network intrusion that resulted in unauthorized access to an internal database. The analyst wants to examine the exact data transmitted over the network to determine if sensitive information was exfiltrated.
Which of the following data sources would BEST help in this investigation?
A. Vulnerability Scans
B. Dashboards
C. Automated Reports
D. Packet Captures
✅ Correct Answer: D. Packet Captures
🔹 Explanation: Packet captures provide full network traffic details, including exactly what data was transmitted, making them ideal for determining whether sensitive data was exfiltrated.
❌ Incorrect Answers:
A. Vulnerability Scans → Identify potential weaknesses but do not capture live network data.
B. Dashboards → Provide high-level summaries, but lack packet-level visibility.
C. Automated Reports → Offer historical summaries, but are not real-time.
Which of the following best describes the purpose of the preparation phase in the incident response process?
A. It focuses on restoring affected systems to normal operation after an attack.
B. It prioritizes identifying indicators of compromise within logs and monitoring tools.
C. It ensures that all malware artifacts are completely removed from the network.
D. It involves setting up IR tools, defining procedures, and training personnel.
✅ Correct Answer: D. It involves setting up IR tools, defining procedures, and training personnel.
🔹 Explanation: The preparation phase involves establishing the IR team, training personnel, and setting up security tools before an incident occurs.
❌ Incorrect Answers:
A. Restoring affected systems → Part of the recovery phase.
B. Identifying indicators of compromise → Part of the detection phase, not preparation.
C. Removing malware artifacts → Part of the eradication phase.
A company-wide phishing attack was recently mitigated by the security team. After containing and eradicating the threat, the security manager assigns a team to analyze how the phishing attack bypassed security controls and what policies need to be improved.
Which of the following processes is the security team conducting?
A. Simulation
B. Root Cause Analysis (RCA)
C. Threat Hunting
D. Tabletop Exercise
✅ Correct Answer: B. Root Cause Analysis (RCA)
🔹 Explanation: RCA is performed after an incident to investigate its cause, how it happened, and how to prevent future occurrences.
❌ Incorrect Answers:
A. Simulation → Used to test incident response, not analyze past incidents.
C. Threat Hunting → Proactively finds potential threats, not analyzing past attacks.
D. Tabletop Exercise → A verbal discussion of IR plans, not a forensic investigation.
Which of the following is a major drawback of implementing automation and orchestration systems in security operations?
A. Increased reliance on vendor support
B. The need for highly skilled personnel to manage scripts
C. A reduced need for human intervention in security processes
D. The inability to scale security infrastructure
✅ Correct Answer: B. The need for highly skilled personnel to manage scripts
🔹 Explanation: Automation scripting is complex and requires highly skilled professionals to develop and maintain, increasing operational difficulty.
❌ Incorrect Answers:
A. Increased reliance on vendor support → Ongoing supportability is a concern, but not the most direct drawback of automation.
C. A reduced need for human intervention → This is a benefit of automation, not a drawback.
D. The inability to scale security infrastructure → Automation enhances scalability rather than limiting it.
A forensic investigator is collecting evidence from a compromised web server. To ensure the integrity and admissibility of digital evidence, the investigator follows best practices for digital forensic acquisition.
Which of the following actions should the investigator take? (Select TWO.)
A. Prioritize collecting data that is most volatile before it is lost.
B. Immediately power off the machine to preserve all running processes.
C. Maintain a detailed record of who accessed the evidence.
D. Encrypt all collected data to prevent unauthorized access.
E. Run antivirus scans on the affected system before imaging the disk.
✅ Correct Answers: A, C
🔹 Explanation:
A. Prioritize collecting volatile data first → The order of volatility principle ensures the most temporary data (e.g., RAM, cache, running processes) is captured before it disappears.
C. Maintain a detailed record of who accessed the evidence → Part of the chain of custody, ensuring the integrity of collected evidence.
❌ Incorrect Answers:
B. Immediately power off the machine → Wrong! This destroys volatile evidence (e.g., RAM data). Instead, forensic tools should collect memory dumps before shutdown.
D. Encrypt all collected data → While security is important, encryption could alter evidence integrity. Proper hashing (e.g., SHA-256, MD5) should be used instead.
Which of the following best describes digital forensics reporting?
A. A structured document summarizing the forensic investigation and its findings.
B. A process used to store evidence securely until it is needed.
C. A real-time log of security events used for forensic analysis.
D. A method of encrypting forensic evidence to prevent unauthorized access.
✅ Correct Answer: A. A structured document summarizing the forensic investigation and its findings.
🔹 Explanation: Forensics reporting provides a non-technical summary of an investigation’s findings, how evidence was collected, and conclusions.
❌ Incorrect Answers:
B. Storing evidence securely → Describes preservation, not reporting.
C. Real-time log of security events → Describes SIEM logging, not forensic reporting.
D. Encrypting forensic evidence → Incorrect practice; hashing is used instead to maintain integrity.
Which of the following best describes firewall logs and their use in investigations?
A. They record authentication attempts and failed logins on endpoint devices.
B. They store data generated by security software, such as antivirus alerts.
C. They capture inbound and outbound traffic, including blocked connection attempts.
D. They analyze application behavior and record software crashes.
✅ Correct Answer: C. They capture inbound and outbound traffic, including blocked connection attempts.
🔹 Explanation: Firewall logs track network traffic, including allowed and blocked connections, which are essential for detecting malicious activity.
❌ Incorrect Answers:
A. Authentication attempts and failed logins → OS-Specific Security Logs, not firewall logs.
B. Security software alerts → Tracked in endpoint or security logs, not firewall logs.
D. Application behavior and crashes → Found in application logs, not firewall logs.
A security analyst receives an alert indicating suspicious activity on multiple internal servers. The analyst needs to investigate the nature of the activity, determine whether an exploit was used, and identify affected systems.
Which log source should the analyst examine FIRST?
A. Firewall Logs
B. OS-Specific Security Logs
C. IPS/IDS Logs
D. Metadata
✅ Correct Answer: C. IPS/IDS Logs
🔹 Explanation: IPS/IDS logs contain detailed attack signatures and exploit detection data, making them the best source for investigating potentially unknown (zero-day) threats.
❌ Incorrect Answers:
A. Firewall Logs → Show network traffic flow, but do not confirm exploitation.
B. OS-Specific Security Logs → Contain authentication data, but do not log attack signatures.
D. Metadata → Provides descriptive file data but is not useful for identifying exploits.
A security team is investigating a suspicious network slowdown and needs to determine whether the issue is caused by a TCP SYN flood attack.
Which of the following data sources would be MOST useful for this investigation? (Select TWO.)
A. Network Logs
B. Application Logs
C. Metadata
D. IPS/IDS Logs
E. OS-Specific Security Logs
✅ Correct Answers: A, D
🔹 Explanation:
A. Network Logs → Provide traffic flow data, helping analysts identify an unusual number of SYN requests.
D. IPS/IDS Logs → Contain attack signatures and can help confirm the presence of a TCP SYN flood attack.
❌ Incorrect Answers:
B. Application Logs → Record application-level events, not network traffic patterns.
C. Metadata → Describes file attributes but is irrelevant to network analysis.
E. OS-Specific Security Logs → Track authentication events, not network-level attacks.
Which of the following BEST describes the purpose of vulnerability scans in an incident response investigation?
A. They capture and analyze network traffic to detect data exfiltration.
B. They provide a real-time overview of system security metrics.
C. They generate automated reports on security events and logs.
D. They identify weaknesses in a system that may have been exploited.
✅ Correct Answer: D. They identify weaknesses in a system that may have been exploited.
🔹 Explanation: Vulnerability scans help security teams discover weaknesses in systems, which can help analysts determine which vulnerabilities an attacker may have exploited.
❌ Incorrect Answers:
A. Capturing network traffic → Describes packet captures, not vulnerability scans.
B. Real-time system security metrics → Describes dashboards.
C. Generating automated reports → Describes automated reports, not vulnerability scans.
A SOC analyst needs to identify patterns in security alerts across multiple devices to detect potential threats before they escalate. The analyst wants a real-time, high-level overview of system security, including attack trends and endpoint activity.
Which data source would BEST meet this requirement?
A. Packet Captures
B. Vulnerability Scans
C. Automated Reports
D. Dashboards
✅ Correct Answer: D. Dashboards
🔹 Explanation: SIEM dashboards provide real-time, high-level visibility into network security, including alerts, endpoint activity, and attack trends.
❌ Incorrect Answers:
A. Packet Captures → Show raw traffic, but lack high-level summaries.
B. Vulnerability Scans → Identify potential weaknesses, but do not provide real-time insights.
C. Automated Reports → Offer historical summaries, but are not real-time.
A company is considering adopting security automation but is concerned about the cost and maintenance requirements. The security director wants to ensure the company understands the potential drawbacks before investing.
Which of the following are key drawbacks of security automation that should be considered? (Select TWO.)
A. Increased cost due to implementation and upkeep
B. Lack of scalability due to automation restrictions
C. The risk of a single point of failure
D. Reduced security visibility due to excessive automation
E. The elimination of all manual security processes
✅ Correct Answers: A, C
🔹 Explanation:
A. Increased cost → Automation requires upfront investment, training, and maintenance costs, which can be a financial challenge.
C. Single point of failure → Relying too much on one automation system can create a significant security risk if the system fails.
❌ Incorrect Answers:
B. Lack of scalability → Automation improves scalability, not limits it.
D. Reduced security visibility → Automation enhances visibility with real-time monitoring, rather than reducing it.
E. The elimination of all manual security processes → Automation does not remove the need for human oversight in security.
After a security breach, the IR team restores all affected systems from secure backups. They also apply security patches to ensure the vulnerabilities that allowed the attack are no longer exploitable.
Which incident response phase does this action fall under?
A. Eradication
B. Recovery
C. Containment
D. Lessons Learned
✅ Correct Answer: B. Recovery
🔹 Explanation: Recovery returns systems to normal operation after an incident: restoring from clean backups, rebuilding hosts, and confirming they function normally. NIST SP 800-61 lists patching the exploited vulnerabilities under both eradication and recovery, so the deciding clue in this scenario is the restore from secure backups, which is recovery work. Verify that the backups predate the compromise before restoring from them, or the attacker's foothold comes back with the data.
❌ Incorrect Answers:
A. Eradication → Removes the attacker's foothold (malware, rogue accounts, persistence mechanisms) from compromised systems; it does not restore operations.
C. Containment → Prevents further damage, but doesn’t restore operations.
D. Lessons Learned → Occurs after recovery, when improvements are made to prevent future incidents.
A security operations center (SOC) analyst needs to automatically generate reports that summarize failed login attempts, malware alerts, and network activity trends every 24 hours.
Which of the following data sources would BEST meet this requirement?
A. Packet Captures
B. Vulnerability Scans
C. Dashboards
D. Automated Reports
✅ Correct Answer: D. Automated Reports
🔹 Explanation: Automated reports provide scheduled security summaries, reducing the need for manual data collection.
❌ Incorrect Answers:
A. Packet Captures → Capture live network data, but do not generate reports.
B. Vulnerability Scans → Identify security flaws, but do not summarize network activity trends.
C. Dashboards → Provide real-time monitoring, but are not used for scheduled reports.
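As an added example (not part of the flashcard deck), the script below is the kind of job an automated-report scheduler would run once every 24 hours: it parses constructed, SIEM-style log lines in an assumed `timestamp host event_type key=value ...` format, keeps only the events inside the 24-hour window, and summarizes failed logins, malware alerts and outbound volume. Host names, addresses and the `REPORT_NOW` anchor are assumptions chosen so the output is deterministic.

```python
"""Scheduled 24-hour security summary over constructed log lines (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

# Constructed sample log lines; the format is an assumption for this example:
#   <ISO-8601 timestamp> <host> <event_type> key=value ...
SAMPLE_LOGS = """\
2024-05-01T09:12:03Z web01 auth_fail user=alice src=198.51.100.23
2024-05-01T09:12:09Z web01 auth_fail user=alice src=198.51.100.23
2024-05-01T09:12:15Z web01 auth_fail user=alice src=198.51.100.23
2024-05-01T11:40:51Z vpn01 auth_fail user=bob src=203.0.113.77
2024-05-01T13:05:00Z ws-117 malware_alert name=Trojan.Generic action=quarantined
2024-05-01T15:22:18Z fw01 netflow src=10.0.0.5 dst=192.0.2.10 bytes=524288000
2024-05-01T15:30:00Z fw01 netflow src=10.0.0.7 dst=192.0.2.10 bytes=1048576
2024-04-29T08:00:00Z web01 auth_fail user=carol src=198.51.100.9
"""

# Fixed "now" so the 24-hour window (and therefore the report) is reproducible.
REPORT_NOW = datetime(2024, 5, 1, 23, 59, 59, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")


def parse_line(line):
    """Return (timestamp, host, event_type, fields) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_raw, host, event, rest = m.groups()
    try:
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in (rest or "").split() if "=" in kv)
    return ts, host, event, fields


def generate_daily_report(log_text, now):
    """Summarize the 24 hours ending at `now` (an aware datetime)."""
    start = now - timedelta(hours=24)
    failed_by_user, failed_by_src, bytes_by_src = Counter(), Counter(), Counter()
    malware, skipped = [], 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1          # count, never silently drop, unparseable input
            continue
        ts, host, event, f = parsed
        if not (start <= ts <= now):
            continue              # outside the reporting window
        if event == "auth_fail":
            failed_by_user[f.get("user", "?")] += 1
            failed_by_src[f.get("src", "?")] += 1
        elif event == "malware_alert":
            malware.append((host, f.get("name", "?"), f.get("action", "?")))
        elif event == "netflow":
            bytes_by_src[f.get("src", "?")] += int(f.get("bytes", "0"))
    return {
        "window": (start.isoformat(), now.isoformat()),
        "failed_logins": sum(failed_by_user.values()),
        "top_failed_users": failed_by_user.most_common(3),
        "top_failed_sources": failed_by_src.most_common(3),
        "malware_alerts": malware,
        "top_talkers_bytes": bytes_by_src.most_common(3),
        "malformed_lines": skipped,
    }


def render(report):
    """Plain-text rendering suitable for an e-mailed or archived daily report."""
    out = [f"Daily security summary {report['window'][0]} .. {report['window'][1]}",
           f"Failed logins: {report['failed_logins']}"]
    out += [f"  user {u}: {n}" for u, n in report["top_failed_users"]]
    out.append(f"Malware alerts: {len(report['malware_alerts'])}")
    out += [f"  {h}: {name} ({action})" for h, name, action in report["malware_alerts"]]
    out.append("Top talkers (bytes out):")
    out += [f"  {src}: {b}" for src, b in report["top_talkers_bytes"]]
    out.append(f"Malformed lines skipped: {report['malformed_lines']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(generate_daily_report(SAMPLE_LOGS, REPORT_NOW)))
```

The 2024-04-29 entry is deliberately outside the window and is dropped, which is the point of a scheduled report: it answers "what happened in the last period", not "what is happening now". A dashboard would instead be fed the same events continuously without the window cut-off.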
A cybersecurity team is reviewing an incident where an attacker attempted to exploit known system vulnerabilities. The team wants to identify (1) which vulnerabilities were present before the attack and (2) how those vulnerabilities were being monitored in real time.
Which TWO data sources should the team review?
A. Packet Captures
B. Automated Reports
C. Firewall Logs
D. Dashboards
E. Vulnerability Scans
✅ Correct Answers: D, E
🔹 Explanation:
D. Dashboards → Provide a real-time overview of network security, including alerts on potential threats and vulnerabilities.
E. Vulnerability Scans → Identify pre-existing security weaknesses that may have been exploited.
❌ Incorrect Answers:
A. Packet Captures → Show network traffic, but do not identify vulnerabilities.
B. Automated Reports → Provide historical data, but not real-time monitoring.
C. Firewall Logs → Show network access attempts, but not system vulnerabilities.
A large e-commerce company experiences a data breach. The IR team detects and verifies the incident. The next step is to prevent further exposure while maintaining business operations.
Which of the following are valid containment actions? (Select TWO.)
A. Disconnecting affected systems from the network
B. Deploying backup servers to restore normal operations
C. Blocking malicious IP addresses at the firewall
D. Deleting all logs to remove traces of the attack
E. Conducting forensic analysis to determine the root cause
✅ Correct Answers: A, C
🔹 Explanation:
A. Disconnecting affected systems → Cuts off the attacker's access and lateral movement while the investigation proceeds. Isolate at the network level (VLAN quarantine or EDR host isolation) rather than powering the host off, so volatile evidence such as memory contents and running processes survives for analysis.
C. Blocking malicious IPs → Stops the attacker's current command-and-control and exfiltration connections. Attackers rotate infrastructure, so pair the block with monitoring for new destinations rather than treating it as the end of containment.
❌ Incorrect Answers:
B. Deploying backup servers → Part of recovery, not containment.
D. Deleting logs → Destroys critical evidence needed for analysis.
E. Conducting forensic analysis → Belongs in the analysis phase, not containment.
A company is reviewing the long-term feasibility of its automation and orchestration system. The security team is concerned that, over time, manufacturer support may end, patches may stop, and the system may not be compatible with newer technologies.
Which of the following concerns is the security team MOST likely referring to?
A. Complexity
B. Cost
C. Technical debt
D. Ongoing supportability
✅ Correct Answer: D. Ongoing supportability
🔹 Explanation: Ongoing supportability refers to whether a system continues to receive updates, patches, and support from the manufacturer over time. If support ends, the system could become vulnerable.
❌ Incorrect Answers:
A. Complexity → Refers to difficulty in creating and managing automation scripts, not long-term support concerns.
B. Cost → Financial concerns are valid, but they do not directly address system lifecycle and support.
C. Technical debt → Describes outdated scripts or systems that do not keep up with changes, but not necessarily the end of manufacturer support.
Which of the following BEST describes packet captures in security investigations?
A. They generate daily reports summarizing security logs.
B. They detect and block malicious traffic attempting to enter a network.
C. They identify system vulnerabilities that may have been exploited.
D. They collect and analyze raw network traffic for forensic analysis.
✅ Correct Answer: D. They collect and analyze raw network traffic for forensic analysis.
🔹 Explanation: Packet captures allow security teams to analyze exact network traffic, helping in forensics, threat hunting, and incident response.
❌ Incorrect Answers:
A. Daily reports → Describes automated reports.
B. Blocking malicious traffic → Describes firewalls or IPS/IDS.
C. Identifying vulnerabilities → Describes vulnerability scans.
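To make concrete what "raw network traffic" means compared with a report or a dashboard, here is an added example (not from the flashcard deck) that parses a libpcap file down to the exact endpoints, ports and TCP flags of each packet. The capture bytes are constructed inline (one TCP SYN from 10.0.0.5 to 192.0.2.10:443) so the script runs offline; the addresses, ports and timestamp are assumptions.

```python
"""Minimal libpcap parser over a constructed capture (added example)."""
from collections import Counter
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_sample_pcap():
    """Construct a pcap file: global header + one Ethernet/IPv4/TCP SYN record."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    src, dst = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])
    # sport, dport, seq, ack, data offset (5 words), flags=SYN, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    # version/IHL, TOS, total length, id, DF flag, TTL, proto=TCP, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, src, dst)
    frame = eth + ip + tcp
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535,
                             LINKTYPE_ETHERNET)
    rec_hdr = struct.pack("<IIII", 1714555200, 123456, len(frame), len(frame))
    return global_hdr + rec_hdr + frame


def parse_pcap(data):
    """Return one dict per IPv4 packet in a little-endian Ethernet pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("unsupported pcap magic (only little-endian handled here)")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off, packets = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet, or truncated below the IP header
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        rec = {
            "ts": ts_sec + ts_usec / 1e6,
            "src": ".".join(str(b) for b in frame[26:30]),
            "dst": ".".join(str(b) for b in frame[30:34]),
            "proto": proto,
            "truncated": incl_len < orig_len,   # snaplen cut the packet short
        }
        l4 = frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:   # TCP or UDP: ports first
            rec["sport"], rec["dport"] = struct.unpack_from("!HH", l4, 0)
        if proto == 6 and len(l4) >= 14:
            rec["flags"] = l4[13]
            rec["syn_only"] = (l4[13] & 0x12) == 0x02   # SYN set, ACK clear
        packets.append(rec)
    return packets


def flow_counts(packets):
    """Count packets per (src, dst, dport): the first pivot in most investigations."""
    return Counter((p["src"], p["dst"], p.get("dport")) for p in packets)


if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    for p in pkts:
        print(p)
    print(flow_counts(pkts))
```

The `truncated` field matters in practice: a capture taken with a small snaplen keeps headers but drops payloads, so the flow is reconstructable while the transferred content is not. That is the trade-off an analyst checks before promising a forensic answer about exfiltrated data.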
A security analyst is investigating an advanced persistent threat (APT) that infiltrated the organization’s network. The analyst is analyzing how the attack occurred, which systems were compromised, and how much data was exfiltrated.
Which incident response phase is the analyst performing?
A. Detection & Analysis
B. Containment
C. Eradication
D. Recovery
✅ Correct Answer: A. Detection & Analysis
🔹 Explanation: Detection & Analysis covers confirming that an incident occurred, scoping it (which systems were affected, what the attacker did, what data was involved) and prioritizing the response. The analyst is still establishing how the attack occurred, what was compromised and how much data left the network, which is analysis work in the incident response life cycle described in NIST SP 800-61 (Computer Security Incident Handling Guide); containment begins once the scope is known well enough to act on.