Security Techniques Flashcards

● 4.1 - Given a scenario, you must be able to apply common security techniques to computing resources
● 4.5 - Given a scenario, you must be able to modify enterprise capabilities to enhance security

1
Q

Scenario:
You are an IT administrator at a mid-sized company. Employees have reported weak Wi-Fi signals in some office areas, and there have been concerns about unauthorized access to the wireless network. You are asked to analyze the current setup and recommend changes.

Which of the following is the BEST solution to improve both coverage and security?

A) Increase the power of all wireless access points (WAPs) to extend the range.
B) Move WAPs closer to the windows and external walls for better outside access.
C) Conduct a site survey, reposition WAPs centrally, and use unidirectional antennas where needed.
D) Disable all but one WAP to prevent interference and control access.

A

Correct Answer: C) Conduct a site survey, reposition WAPs centrally, and use unidirectional antennas where needed.
Explanation:
(A) Incorrect: Increasing power may worsen security by extending signal coverage outside the building, making unauthorized access easier.
(B) Incorrect: Placing WAPs near windows and external walls increases the risk of signal leakage, exposing the network to external threats.
(C) Correct: A site survey helps analyze signal coverage and interference. Centrally placing WAPs improves indoor coverage while unidirectional antennas prevent signal leakage outside.
(D) Incorrect: Disabling WAPs reduces network coverage and creates dead zones, leading to connectivity issues.

2
Q

Scenario:
You have been hired as a cybersecurity consultant to evaluate a company’s wireless network setup. Before making any recommendations, you need to determine the optimal locations for WAPs.

What is the FIRST step you should take?

A) Immediately install additional WAPs in all weak signal areas.
B) Perform a site survey to assess radio frequency interference and current coverage.
C) Increase the signal strength of existing WAPs to maximize coverage.
D) Set up new WAPs using only omnidirectional antennas.

A

Correct Answer: B) Perform a site survey to assess radio frequency interference and current coverage.
Explanation:
(A) Incorrect: Installing WAPs without analyzing current coverage may lead to unnecessary overlap and interference.
(B) Correct: A site survey identifies weak spots, interference sources, and optimal WAP placement.
(C) Incorrect: Increasing signal strength may cause interference and signal leakage outside the building.
(D) Incorrect: Using only omnidirectional antennas may lead to unwanted signal broadcasting outside secure areas.

3
Q

Scenario:
A company’s IT team has noticed a decline in Wi-Fi performance. Upon investigation, they find that several WAPs are using overlapping channels, causing interference.

What is the BEST way to resolve the interference issue?

A) Configure WAPs to operate on non-overlapping channels such as 1, 6, and 11.
B) Reduce the number of WAPs in use to prevent interference.
C) Switch all WAPs to channel 1 for uniformity.
D) Increase transmission power to overcome interference issues.

A

Correct Answer: A) Configure WAPs to operate on non-overlapping channels such as 1, 6, and 11.
Explanation:
(A) Correct: In the 2.4 GHz band, channels 1, 6, and 11 do not overlap, reducing interference.
(B) Incorrect: Reducing WAPs could create dead zones, leading to coverage gaps.
(C) Incorrect: Assigning all WAPs to channel 1 causes co-channel interference.
(D) Incorrect: Increasing power may worsen interference rather than resolving it.

4
Q

Scenario:
Your company recently expanded its office space, and employees are experiencing Wi-Fi disconnections while moving between rooms. The network team wants to ensure seamless connectivity as users move throughout the building.

Which solution would provide the BEST wireless coverage in this situation?

A) Deploy multiple WAPs using an Extended Service Set (ESS) configuration.
B) Install a single high-power WAP in the middle of the building.
C) Assign different SSIDs to each WAP so users manually switch networks.
D) Use only one channel across all WAPs to simplify network management.

A

Correct Answer: A) Deploy multiple WAPs using an Extended Service Set (ESS) configuration.
Explanation:
(A) Correct: An ESS allows multiple WAPs to work together, enabling seamless roaming without requiring manual network switching.
(B) Incorrect: A single WAP cannot cover a large office space efficiently.
(C) Incorrect: Different SSIDs would force users to reconnect manually, causing disruptions.
(D) Incorrect: Using only one channel across all WAPs increases co-channel interference.

5
Q

Scenario:
Your company has recently detected unauthorized devices attempting to connect to the wireless network from the parking lot. The IT team is tasked with improving security while maintaining good internal coverage.

Which action would BEST mitigate this issue?

A) Increase the WAP transmission power to create a stronger internal signal.
B) Move WAPs to the building’s center and use unidirectional antennas where necessary.
C) Disable encryption to allow only known devices to connect.
D) Reduce the number of WAPs to limit network availability.

A

Correct Answer: B) Move WAPs to the building’s center and use unidirectional antennas where necessary.
Explanation:
(A) Incorrect: Increasing power could extend the network even further outside the building, increasing risk.
(B) Correct: Centrally placing WAPs and using unidirectional antennas helps focus the signal inward, reducing external signal leakage.
(C) Incorrect: Disabling encryption exposes the network to unauthorized access.
(D) Incorrect: Reducing WAPs can lead to dead zones and poor coverage.

6
Q

Scenario:
A heat map of your company’s Wi-Fi network shows strong signals near the building’s edges and even extending outside.

What should you do to resolve this issue?

A) Increase the signal strength to improve coverage.
B) Reduce signal strength and/or reposition WAPs to minimize leakage.
C) Add more WAPs to balance the coverage across the building.
D) Ignore the issue unless employees report problems.

A

Correct Answer: B) Reduce signal strength and/or reposition WAPs to minimize leakage.
Explanation:
(A) Incorrect: Increasing signal strength will worsen the problem by further extending the signal outside.
(B) Correct: Reducing power and repositioning WAPs can confine the signal within the building.
(C) Incorrect: Adding more WAPs without a proper site survey may create interference.
(D) Incorrect: Ignoring security vulnerabilities puts the network at risk.

7
Q

Scenario:
You are an IT administrator at a law firm that stores confidential client data. Your manager asks you to ensure that the firm’s Wi-Fi security is strong enough to prevent unauthorized access.

Which encryption method should you use to provide the most secure wireless network?

A) WEP – Wired Equivalent Privacy
B) WPA – Wi-Fi Protected Access
C) WPA2-CCMP – Wi-Fi Protected Access 2 with AES encryption
D) WPA3-SAE – Wi-Fi Protected Access 3 with Simultaneous Authentication of Equals

A

Correct Answer: D) WPA3-SAE – Wi-Fi Protected Access 3 with Simultaneous Authentication of Equals
Explanation:
(A) Incorrect: WEP is outdated and insecure due to its weak 24-bit Initialization Vector (IV), which is easily cracked.
(B) Incorrect: WPA was an improvement over WEP but still used TKIP, which is vulnerable to attacks.
(C) Correct but not the best: WPA2-CCMP provides strong encryption using AES but is vulnerable to KRACK attacks.
(D) Correct: WPA3-SAE replaces the traditional 4-way handshake with a Diffie-Hellman key agreement, preventing offline dictionary attacks.

8
Q

Scenario:
A café offers free Wi-Fi to customers but is concerned about the risk of cybercriminals intercepting unencrypted data. They want a security solution that encrypts communications without requiring passwords.

Which feature of WPA3 would be the best solution?

A) AES-GCMP – A stronger encryption algorithm
B) Enhanced Open (Opportunistic Wireless Encryption)
C) WPA3-Enterprise
D) Message Integrity Check (MIC)

A

Correct Answer: B) Enhanced Open (Opportunistic Wireless Encryption)
Explanation:
(A) Incorrect: AES-GCMP improves encryption strength but does not address public network security directly.
(B) Correct: Enhanced Open encrypts data even in open networks without requiring authentication, preventing passive eavesdropping.
(C) Incorrect: WPA3-Enterprise is for organizations with strict security policies, requiring 802.1X authentication.
(D) Incorrect: MIC prevents tampering but does not secure public networks against passive attacks.

9
Q

Scenario:
A financial institution wants to prevent unauthorized employees from accessing sensitive data. They need a secure authentication method that verifies both the server and the client before granting access.

Which authentication protocol should they use?

A) EAP-FAST
B) EAP-TTLS
C) PEAP
D) Open Authentication

A

Correct Answer: C) PEAP (Protected Extensible Authentication Protocol)
Explanation:
(A) Incorrect: EAP-FAST is useful for networks without certificates but does not provide mutual authentication.
(B) Incorrect: EAP-TTLS requires only server certificates, not client authentication.
(C) Correct: PEAP encapsulates authentication within a TLS tunnel and requires both client and server certificates, ensuring strong mutual authentication.
(D) Incorrect: Open Authentication does not provide encryption or authentication, making it highly insecure.

10
Q

Scenario:
Your company is upgrading from WPA2 to WPA3 to prevent cybercriminals from capturing encrypted Wi-Fi handshakes and attempting offline brute-force attacks.

Which feature of WPA3 prevents this type of attack?

A) AES-CCMP
B) AES-GCMP
C) Simultaneous Authentication of Equals (SAE)
D) RADIUS authentication

A

Correct Answer: C) Simultaneous Authentication of Equals (SAE)
Explanation:
(A) Incorrect: AES-CCMP is WPA2’s encryption standard but does not address offline attacks.
(B) Incorrect: AES-GCMP enhances encryption but does not prevent brute-force attempts.
(C) Correct: SAE in WPA3 replaces the WPA2-PSK method, preventing hackers from capturing handshakes and guessing passwords offline.
(D) Incorrect: RADIUS provides authentication services but does not prevent offline attacks.

11
Q

Scenario:
A retail company wants to improve Wi-Fi security without the complexity of managing certificates for thousands of employees. They also want seamless Wi-Fi roaming between store locations.

Which authentication protocol is the best fit?

A) EAP-FAST
B) PEAP
C) EAP-TTLS
D) EAP-TLS

A

Correct Answer: A) EAP-FAST
Explanation:
(A) Correct: EAP-FAST uses Protected Access Credentials (PACs) instead of certificates, making it ideal for large deployments where employees move between access points.
(B) Incorrect: PEAP requires client-side and server-side certificates, increasing administrative complexity.
(C) Incorrect: EAP-TTLS requires server certificates, but still introduces complexity.
(D) Incorrect: EAP-TLS is one of the most secure methods but requires client certificates, making it difficult to manage for thousands of employees.

12
Q

Scenario:
A company is experiencing Wi-Fi deauthentication attacks, where employees are randomly disconnected from the network.

Which WPA3 feature prevents this?

A) Enhanced Open
B) Management Frame Protection (MFP)
C) AES-GCMP encryption
D) Opportunistic Wireless Encryption (OWE)

A

Correct Answer: B) Management Frame Protection (MFP)
Explanation:
(A) Incorrect: Enhanced Open encrypts data in open networks but does not prevent deauthentication attacks.
(B) Correct: MFP protects management frames from being forged or tampered with, preventing deauthentication attacks.
(C) Incorrect: AES-GCMP provides stronger encryption but does not protect management frames.
(D) Incorrect: OWE secures public Wi-Fi but does not prevent targeted Wi-Fi disconnection attacks.

13
Q

Scenario:
Your IT department is configuring network authentication for remote workers. They need a protocol that centralizes user authentication and logs user activity for security monitoring.

Which protocol should they use?

A) RADIUS
B) TACACS+
C) EAP-TLS
D) PEAP

A

Correct Answer: A) RADIUS
Explanation:
(A) Correct: RADIUS centralizes authentication, authorization, and accounting (AAA), making it ideal for managing remote worker access.
(B) Incorrect: TACACS+ is better suited for device administration rather than remote authentication.
(C) Incorrect: EAP-TLS is an authentication protocol, not an AAA protocol.
(D) Incorrect: PEAP is an authentication method, not a centralized AAA protocol.

14
Q

Scenario:
A company is developing a new web application that allows users to log in with their username and password. A security analyst warns the development team about potential SQL injection attacks if they do not properly validate user inputs.

Which technique should they use to prevent this vulnerability?

A) Using Templated Queries (Parameterized Queries)
B) Allowing direct input concatenation in SQL queries
C) Only performing front-end validation for username and password fields
D) Encouraging users to choose complex passwords

A

Correct Answer: A) Using Templated Queries (Parameterized Queries)
Explanation:
(A) Correct: Parameterized queries prevent SQL injection by separating user input from the SQL query structure, treating it as data instead of executable code.
(B) Incorrect: Concatenating input directly into SQL queries allows attackers to inject malicious SQL code.
(C) Incorrect: Front-end validation alone is insufficient since attackers can bypass it using developer tools or intercept network requests.
(D) Incorrect: Strong passwords help protect user accounts, but they do not prevent SQL injection.

15
Q

Scenario:
A retail website uses cookies to store session data for logged-in users. However, security researchers have identified that session hijacking is a risk due to improper cookie settings.

Which security measures should be implemented to protect session cookies?

A) Enable the Secure, HttpOnly, and SameSite attributes on cookies
B) Use persistent cookies for session verification
C) Store session IDs in local storage instead of cookies
D) Allow cookies to be transmitted over HTTP to ensure accessibility

A

Correct Answer: A) Enable the Secure, HttpOnly, and SameSite attributes on cookies
Explanation:
(A) Correct:
✅ Secure Attribute: Ensures cookies are sent only over HTTPS.
✅ HttpOnly Attribute: Prevents cookies from being accessed via JavaScript, protecting against XSS attacks.
✅ SameSite Attribute: Helps prevent CSRF attacks by restricting cross-site requests.
(B) Incorrect: Persistent cookies increase session hijacking risks.
(C) Incorrect: Storing session IDs in local storage exposes them to JavaScript-based attacks.
(D) Incorrect: Allowing cookies over HTTP makes them vulnerable to interception.

16
Q

Scenario:
A software company is testing its latest financial application. During testing, an engineer notices that when input exceeds a certain length, the application crashes.

Which type of security flaw is most likely responsible for this behavior?

A) Cross-Site Scripting (XSS)
B) Buffer Overflow
C) SQL Injection
D) Code Signing Mismatch

A

Correct Answer: B) Buffer Overflow
Explanation:
(A) Incorrect: XSS allows attackers to inject malicious scripts, but it does not cause an application to crash due to excessive input.
(B) Correct: A buffer overflow occurs when an input exceeds a program’s allocated memory, leading to crashes or exploitation.
(C) Incorrect: SQL Injection manipulates database queries but does not typically cause crashes from excessive input.
(D) Incorrect: Code signing verifies software integrity but is unrelated to memory vulnerabilities.

17
Q

Scenario:
A software development team is implementing security testing into their DevOps pipeline. They need a method to detect vulnerabilities in source code before execution.

Which security technique should they use?

A) Static Code Analysis (SAST)
B) Dynamic Code Analysis (DAST)
C) Fuzz Testing
D) Stress Testing

A

Correct Answer: A) Static Code Analysis (SAST)
Explanation:
(A) Correct: SAST reviews source code for security vulnerabilities before execution, making it ideal for early-stage detection.
(B) Incorrect: DAST tests applications while running, which is not useful for pre-execution analysis.
(C) Incorrect: Fuzz Testing is a subset of DAST, designed to cause crashes by sending malformed input.
(D) Incorrect: Stress Testing evaluates system performance, not security flaws.

18
Q

Scenario:
A security team is testing a web application for hidden vulnerabilities by injecting random, malformed, or unexpected data into input fields to see how the application reacts.

Which security testing technique are they using?

A) Static Code Analysis (SAST)
B) Fuzz Testing (Fuzzing)
C) Code Signing
D) Secure Cookies

A

Correct Answer: B) Fuzz Testing (Fuzzing)
Explanation:
(A) Incorrect: SAST analyzes source code statically, but does not inject data dynamically.
(B) Correct: Fuzz Testing finds security flaws by flooding input fields with random, malformed, or unexpected data and observing how the application reacts.
(C) Incorrect: Code Signing verifies software authenticity but is unrelated to input testing.
(D) Incorrect: Secure cookies enhance authentication security but do not test application robustness.

19
Q

Scenario:
An IT department is developing software for internal use. They want a way to verify the authenticity and integrity of their software before deployment.

Which security feature should they implement?

A) Dynamic Code Analysis
B) Code Signing
C) Sandboxing
D) Input Validation

A

Correct Answer: B) Code Signing
Explanation:
(A) Incorrect: Dynamic Code Analysis tests for vulnerabilities but does not verify authenticity.
(B) Correct: Code Signing ensures software has not been tampered with and confirms its legitimate source.
(C) Incorrect: Sandboxing isolates applications but does not verify their integrity.
(D) Incorrect: Input validation ensures secure user input but is unrelated to software authenticity.

20
Q

Scenario:
A company is testing unknown or untrusted software before allowing it to run on their production environment. They want to ensure that any potentially malicious actions remain isolated.

Which security technique should they use?

A) Code Signing
B) Static Code Analysis
C) Sandboxing
D) SQL Injection Prevention

A

Correct Answer: C) Sandboxing
Explanation:
(A) Incorrect: Code Signing verifies authenticity but does not isolate untrusted applications.
(B) Incorrect: Static Code Analysis helps detect vulnerabilities but does not contain software execution.
(C) Correct: Sandboxing isolates applications, limiting access to system resources and preventing malware from affecting the host system.
(D) Incorrect: SQL Injection Prevention secures databases but does not protect against untrusted software execution.

21
Q

Scenario:
A company enforces Network Access Control (NAC) to ensure that only secure devices can connect to the network. When a remote employee’s laptop attempts to connect, the system places the device into a virtual holding area for scanning.

What happens next in the NAC process?

A) The laptop is immediately granted full access to the network.
B) The device is scanned for compliance factors such as security patches and antivirus updates.
C) The NAC system requests the user to confirm their identity manually via email.
D) The laptop is permanently blocked from the network unless an administrator intervenes.

A

Correct Answer: B) The device is scanned for compliance factors such as security patches and antivirus updates.
Explanation:
(A) Incorrect: Devices must pass compliance checks before receiving full access.
(B) Correct: NAC places devices in a virtual holding area to scan for security factors (e.g., antivirus, OS patches, firewall status).
(C) Incorrect: NAC does not rely solely on manual user verification; it automates device compliance checks.
(D) Incorrect: Failing the scan does not result in a permanent block—non-compliant devices are placed into quarantine for remediation.

22
Q

Scenario:
A corporate office requires all company-issued devices to maintain continuous compliance with security policies before accessing the network. IT decides to use NAC agents to enforce these policies.

Which type of NAC agent is best suited for this environment?

A) Non-Persistent Agent
B) Persistent Agent
C) 802.1X-Based NAC
D) Captive Portal-Based NAC

A

Correct Answer: B) Persistent Agent
Explanation:
(A) Incorrect: Non-persistent agents are better suited for BYOD (Bring Your Own Device) environments like universities, not corporate environments.
(B) Correct: Persistent agents remain installed on corporate devices, continuously enforcing security policies (e.g., checking for missing patches, expired antivirus).
(C) Incorrect: 802.1X is a foundational NAC method but does not specify persistent vs. non-persistent agent use.
(D) Incorrect: Captive portals are used for guest/BYOD access, not corporate network security enforcement.

23
Q

Scenario:
A company implements 802.1X authentication as part of its Network Access Control (NAC) strategy.

What happens when an employee’s laptop tries to connect to the corporate network using 802.1X?

A) The device is immediately given unrestricted network access.
B) The user must authenticate with credentials before being allowed onto the network.
C) The laptop is placed in quarantine until an administrator manually approves the connection.
D) The laptop is only allowed to browse the internet, but cannot access internal network resources.

A

Correct Answer: B) The user must authenticate with credentials before being allowed onto the network.
Explanation:
(A) Incorrect: 802.1X requires authentication before allowing network access.
(B) Correct: 802.1X is a port-based authentication method that verifies a device’s credentials before granting access.
(C) Incorrect: Devices are not automatically quarantined unless they fail compliance checks after authentication.
(D) Incorrect: Access control policies (not 802.1X alone) determine network restrictions.

24
Q

Scenario:
An organization wants to prevent unauthorized access outside of normal business hours. The IT team configures a NAC policy to block network access from 6:00 PM to 8:00 AM.

Which type of NAC control is being implemented?

A) Location-Based NAC
B) Role-Based NAC
C) Time-Based NAC
D) Health Policy-Based NAC

A

Correct Answer: C) Time-Based NAC
Explanation:
(A) Incorrect: Location-based NAC controls access based on physical location (e.g., geolocation restrictions).
(B) Incorrect: Role-based NAC grants access based on user/device roles (e.g., employee vs. server).
(C) Correct: Time-based NAC enforces policies based on time schedules (e.g., blocking access outside working hours).
(D) Incorrect: Health policy NAC ensures devices meet security compliance before access is granted.

25
Q

Scenario:
A company’s CEO always logs in from New York, but today, the system detects an access request from Russia. The NAC system blocks the login attempt automatically.

What type of access control policy was applied?

A) Time-Based NAC
B) Location-Based NAC
C) Role-Based NAC
D) Health Policy-Based NAC

A

Correct Answer: B) Location-Based NAC
Explanation:
(A) Incorrect: Time-based NAC controls when access is allowed, not where the request comes from.
(B) Correct: Location-based NAC evaluates geolocation/IP address to detect unusual login locations and block unauthorized access.
(C) Incorrect: Role-based NAC grants access based on user/device roles, not physical location.
(D) Incorrect: Health policy NAC checks for security compliance (e.g., antivirus, patches), not login location.

26
Q

Scenario:
An IT administrator configures Adaptive NAC to continuously monitor user activity after authentication. A marketing employee’s laptop suddenly tries to access the server management network, which is usually restricted to IT staff.

What should Adaptive NAC do in this case?

A) Immediately revoke the employee’s network access.
B) Allow the request because the user has already authenticated.
C) Block the access attempt and alert the IT team.
D) Ignore the request and let the employee explore the system.

A

Correct Answer: C) Block the access attempt and alert the IT team.
Explanation:
(A) Incorrect: Revoking all access is too extreme—the employee might still need access to approved resources.
(B) Incorrect: Authentication alone does not grant unrestricted access—NAC continuously monitors activity.
(C) Correct: Adaptive NAC dynamically evaluates device behavior and blocks actions that violate role-based permissions.
(D) Incorrect: Ignoring suspicious activity creates a security risk.

27
Q

A cybersecurity team at a financial company wants to prevent employees from accessing potentially harmful websites. They decide to implement a system that checks website addresses against a database of known malicious sites before allowing access. Additionally, they want to block websites that have a history of hosting malware or phishing attacks.

Which combination of filtering techniques should they use?

A) Agent-Based Web Filtering and Centralized Proxy
B) URL Scanning and Reputation-Based Filtering
C) Block Rules and DNS Filtering
D) Content Categorization and DNS Filtering

A

✅ Correct Answer: B) URL Scanning and Reputation-Based Filtering
💡 Explanation:

URL Scanning checks website addresses against a database of known threats.
Reputation-Based Filtering evaluates websites based on their historical security risks.
Together, they effectively block access to sites with security concerns.

28
Q

An IT company has many remote employees working from home or public Wi-Fi networks. They want to enforce the same web usage policies on these remote employees as they would in the office.

Which web filtering method is the best choice?

A) Agent-Based Web Filtering
B) DNS Filtering
C) Centralized Proxy
D) URL Scanning

A

✅ Correct Answer: A) Agent-Based Web Filtering
💡 Explanation:

Agent-Based Web Filtering installs an agent on each device, ensuring policies are applied no matter where the user is connected (home network, public Wi-Fi, etc.).
DNS Filtering (B) works at the network level, but may not enforce policies when the device is outside the corporate network.
Centralized Proxy (C) applies filtering but requires users to be connected to the company’s network.

29
Q

A university wants to monitor and control all web traffic that students generate while using the campus Wi-Fi. They need a solution that evaluates web requests and applies restrictions based on policies before granting access.

Which method is the most suitable?

A) DNS Filtering
B) Centralized Proxy
C) Agent-Based Web Filtering
D) Reputation-Based Filtering

A

✅ Correct Answer: B) Centralized Proxy
💡 Explanation:

Centralized Proxy acts as an intermediary, evaluating and controlling web requests based on institutional policies.
DNS Filtering (A) blocks entire domain names but does not inspect web requests in detail.
Agent-Based Web Filtering (C) works on individual devices rather than the entire network.

30
Q

A school administrator wants to ensure students cannot access social media or adult content websites while using school devices. The administrator wants a solution that blocks these websites at the domain level before they can be accessed.

What is the most effective filtering method?

A) URL Scanning
B) DNS Filtering
C) Reputation-Based Filtering
D) Agent-Based Web Filtering

A

✅ Correct Answer: B) DNS Filtering
💡 Explanation:

DNS Filtering blocks entire domain names from being translated into IP addresses, effectively preventing access.
URL Scanning (A) only checks URLs after a user tries to access them.
Reputation-Based Filtering (C) blocks based on reputation scores but does not necessarily enforce content category restrictions.

31
Q

A network administrator detects unusual outbound data transfers from the company’s network to an unknown remote server. The security team suspects a data exfiltration attempt.

What should the administrator do first?

A) Add the server’s IP address to the block list
B) Enable URL Scanning for the remote server’s domain
C) Implement Agent-Based Web Filtering on all company devices
D) Use Reputation-Based Filtering to check the website’s score

A

✅ Correct Answer: A) Add the server’s IP address to the block list
💡 Explanation:

Blocking the server’s IP address immediately prevents further data exfiltration.
URL Scanning (B) may not detect the issue fast enough.
Agent-Based Web Filtering (C) helps enforce policies but does not directly stop an ongoing data transfer.
Reputation-Based Filtering (D) can provide insight but does not actively stop the data breach.

32
Q

A company wants to restrict employee access to social media, gambling, and adult content while still allowing work-related websites. Instead of blocking individual URLs, they want to enforce restrictions based on website categories.

Which filtering method should they use?

A) Reputation-Based Filtering
B) Content Categorization
C) DNS Filtering
D) Agent-Based Web Filtering

A

✅ Correct Answer: B) Content Categorization
💡 Explanation:

Content Categorization groups websites into predefined categories (e.g., social media, gambling) and blocks entire categories based on company policies.
Reputation-Based Filtering (A) focuses on security threats, not productivity concerns.
DNS Filtering (C) blocks entire domain names but does not categorize content dynamically.

33
Q

A retail company wants a comprehensive web filtering strategy to protect employees from phishing, malware, and data exfiltration while ensuring productivity.

Which combination of techniques provides the best overall protection?

A) DNS Filtering and Content Categorization
B) URL Scanning and Reputation-Based Filtering
C) Centralized Proxy, Block Rules, and Reputation-Based Filtering
D) Agent-Based Web Filtering and DNS Filtering

A

✅ Correct Answer: C) Centralized Proxy, Block Rules, and Reputation-Based Filtering
💡 Explanation:

Centralized Proxy inspects web requests and enforces policies.
Block Rules prevent access to suspicious domains and servers.
Reputation-Based Filtering blocks harmful websites based on historical data.
Options A and D provide security benefits but lack active content inspection.

34
Q

A company’s IT administrator receives multiple reports that employees are receiving fake emails that appear to be from the CEO, urging them to transfer money. The administrator needs to implement a solution that ensures only authorized email servers can send emails from the company’s domain.

Which security mechanism should be implemented?

A) DKIM
B) SPF
C) DMARC
D) Spam Filtering

A

✅ Correct Answer: B) SPF
💡 Explanation:

SPF (Sender Policy Framework) verifies that emails are sent from an authorized server by checking the sender’s IP address against the domain’s DNS records.
DKIM (A) validates email integrity but does not restrict senders.
DMARC (C) provides additional enforcement, but SPF is the primary solution for sender verification.
Spam Filtering (D) reduces spam but does not prevent sender address spoofing.

35
Q

A financial institution wants to ensure that emails sent from its domain cannot be modified during transit. They also want receiving email servers to verify that emails were genuinely sent from their organization.

Which email security protocol should they use?

A) SPF
B) DKIM
C) DMARC
D) Spam Filtering

A

✅ Correct Answer: B) DKIM
💡 Explanation:

DKIM (DomainKeys Identified Mail) adds a digital signature to an email’s header to validate its authenticity and integrity.
SPF (A) checks the sender’s IP but does not verify email content integrity.
DMARC (C) enforces SPF/DKIM policies but does not directly prevent email tampering.
Spam Filtering (D) does not provide authentication.

36
Q

A healthcare provider wants to ensure that only authorized servers can send emails from its domain, that emails are not modified, and that receiving mail servers know what to do if an email fails verification.

Which combination of techniques provides the best protection?

A) SPF and Spam Filtering
B) DKIM and DNS-Based Blacklists
C) SPF, DKIM, and DMARC
D) Spam Filtering and Email Gateway

A

✅ Correct Answer: C) SPF, DKIM, and DMARC
💡 Explanation:

SPF ensures only authorized email servers can send emails.
DKIM prevents email tampering by validating integrity.
DMARC enforces SPF/DKIM checks and defines handling policies for failed emails.
Spam Filtering (A, D) is useful but does not authenticate emails.
DNS Blacklists (B) help detect spam servers but are not authentication mechanisms.

37
Q

A corporation wants to prevent domain spoofing and configure a policy that rejects fraudulent emails. They also want to receive reports about authentication failures.

Which DMARC policy should they set?

A) v=DMARC1; p=none; rua=mailto:reports@company.com
B) v=DMARC1; p=quarantine; rua=mailto:reports@company.com
C) v=DMARC1; p=reject; rua=mailto:reports@company.com
D) v=DMARC1; p=allow; rua=mailto:reports@company.com

A

✅ Correct Answer: C) v=DMARC1; p=reject; rua=mailto:reports@company.com
💡 Explanation:

p=reject tells mail servers to block emails that fail SPF/DKIM checks.
p=quarantine (B) only marks them as suspicious but does not block them.
p=none (A) allows emails through without enforcement.
p=allow (D) is not a valid DMARC policy.

38
Q

A global company needs an email security solution that offers scalability, minimal maintenance, and third-party management. They do not want to host physical servers.

Which email gateway option is the best fit?

A) On-Premises Email Gateway
B) Cloud-Based Email Gateway
C) Hybrid Email Gateway
D) DNS Sinkhole Filtering

A

✅ Correct Answer: B) Cloud-Based Email Gateway
💡 Explanation:

Cloud-Based Email Gateways are hosted by third-party providers, reducing maintenance efforts while offering scalability.
On-Premises (A) requires physical servers and internal maintenance.
Hybrid (C) combines both but still requires some on-site resources.
DNS Sinkhole Filtering (D) is used for blocking malicious domains, not for handling email transmission.

39
Q

A company notices that employees are receiving spam emails containing suspicious links. They want to implement a filtering technique that analyzes email content for spam-like keywords.

Which spam filtering technique should they use?

A) Bayesian Filtering
B) DNS-Based Blacklists
C) Content Analysis
D) DMARC

A

✅ Correct Answer: C) Content Analysis
💡 Explanation:

Content Analysis scans email text for keywords and patterns associated with spam.
Bayesian Filtering (A) uses machine learning but requires training over time.
DNS-Based Blacklists (B) block known spam servers, not specific email content.
DMARC (D) prevents spoofing but does not detect spam content.

40
Q

An IT administrator wants to block all incoming emails from known spam IP addresses and prevent emails from being delivered to users.

Which filtering method should they use?

A) Content Analysis
B) Bayesian Filtering
C) DNS-Based Sinkhole List
D) SPF

A

✅ Correct Answer: C) DNS-Based Sinkhole List
💡 Explanation:

DNS-Based Sinkhole Lists (DNS Blacklists) block known spam IP addresses by preventing domain resolution.
Content Analysis (A) checks email content, not sender IP.
Bayesian Filtering (B) uses machine learning but does not rely on IP blocklists.
SPF (D) checks the sending server’s authorization, not spam blacklists.

41
Q

A company wants an email security solution that combines the control of on-premises servers with the scalability of cloud-based security.

Which email gateway option should they choose?

A) On-Premises Email Gateway
B) Cloud-Based Email Gateway
C) Hybrid Email Gateway
D) Spam Filtering

A

✅ Correct Answer: C) Hybrid Email Gateway
💡 Explanation:

Hybrid Email Gateways offer a balance between control (on-premises) and scalability (cloud-based security).
On-Premises (A) offers control but requires high maintenance.
Cloud-Based (B) is fully managed but offers less direct control.
Spam Filtering (D) helps reduce spam but is not a complete email security solution.

42
Q

A financial institution wants to ensure that critical system files are not tampered with by unauthorized users or malware. They need a solution that continuously monitors files and alerts the security team when unexpected changes occur.

Which solution should they implement?

A) XDR
B) EDR
C) File Integrity Monitoring (FIM)
D) DNS Sinkhole

A

✅ Correct Answer: C) File Integrity Monitoring (FIM)
💡 Explanation:

FIM (File Integrity Monitoring) continuously monitors system and application files for unauthorized modifications.
XDR (A) integrates multiple security tools but does not specifically focus on file integrity.
EDR (B) monitors endpoint activity but does not perform detailed file integrity checks.
DNS Sinkhole (D) is used for blocking malicious domains, not file monitoring.

43
Q

An IT security team needs a solution that monitors endpoint activity, detects malicious behavior, and isolates infected devices to prevent malware from spreading.

Which security solution best fits this requirement?

A) XDR
B) File Integrity Monitoring (FIM)
C) EDR
D) Network Firewall

A

✅ Correct Answer: C) EDR
💡 Explanation:

EDR (Endpoint Detection and Response) is designed to monitor, detect, and respond to endpoint security threats.
XDR (A) extends beyond endpoints and includes network and email security.
FIM (B) detects file modifications but does not actively respond to threats.
Network Firewalls (D) focus on network traffic, not endpoint behavior.

44
Q

A large enterprise wants a single security solution that monitors network, endpoints, email, cloud, and servers to detect threats across all these layers.

Which solution is the best fit?

A) File Integrity Monitoring (FIM)
B) EDR
C) XDR
D) Antivirus Software

A

✅ Correct Answer: C) XDR
💡 Explanation:

XDR (Extended Detection and Response) correlates security data across multiple layers (network, cloud, email, endpoints).
FIM (A) focuses only on file integrity, not across security layers.
EDR (B) monitors only endpoints, making it less comprehensive than XDR.
Antivirus (D) protects against known malware but does not provide centralized security monitoring.

45
Q

An organization experiences a ransomware attack where a hacker encrypts critical system files and demands payment. The security team needs to detect, investigate, and remediate the attack by removing the ransomware and restoring affected systems.

Which security tool is most effective in handling this situation?

A) XDR
B) FIM
C) EDR
D) Firewall

A

✅ Correct Answer: C) EDR
💡 Explanation:

EDR (Endpoint Detection and Response) detects ransomware behavior, provides threat investigation tools, and assists with remediation (removing malware and restoring systems).
XDR (A) is helpful but focuses on multiple security layers, not just endpoints.
FIM (B) detects file changes but does not actively respond to threats.
Firewalls (D) block network traffic but do not remediate endpoint infections.

46
Q

A company currently uses separate security tools for endpoint protection, email security, and network monitoring. The IT team wants to consolidate these security tools into a single platform.

Which solution best meets this need?

A) File Integrity Monitoring (FIM)
B) XDR
C) EDR
D) DNS-Based Blacklists

A

✅ Correct Answer: B) XDR
💡 Explanation:

XDR (Extended Detection and Response) integrates multiple security solutions (email, endpoint, cloud, and network security) into a single platform, reducing complexity.
FIM (A) only monitors file integrity, not multiple security layers.
EDR (C) is focused only on endpoints.
DNS Blacklists (D) block malicious domains but do not unify security solutions.

47
Q

A company is concerned about phishing attacks and network-based intrusions. They need a security solution that monitors both email and network activity for suspicious behavior.

Which security solution is the best choice?

A) EDR
B) XDR
C) FIM
D) Intrusion Detection System (IDS)

A

✅ Correct Answer: B) XDR
💡 Explanation:

XDR monitors email, endpoint, network, cloud, and servers to correlate threat data across multiple security layers.
EDR (A) only focuses on endpoints, not email or network traffic.
FIM (C) detects file changes, not email or network-based threats.
IDS (D) detects network intrusions but does not monitor email security.

48
Q

An IT administrator wants to detect unauthorized changes to critical configuration files and trigger alerts when suspicious modifications are made.

Which security tool should they implement?

A) FIM
B) EDR
C) XDR
D) SIEM

A

✅ Correct Answer: A) FIM (File Integrity Monitoring)
💡 Explanation:

FIM monitors binary files, system application files, and configuration files for unauthorized changes.
EDR (B) monitors endpoint activity, but not specifically file integrity.
XDR (C) provides multi-layered security but does not focus solely on file integrity monitoring.
SIEM (D) collects security logs but does not provide real-time file integrity monitoring.

49
Q

A company wants to improve its security posture and is debating between EDR and XDR. They need to monitor endpoints, cloud workloads, and email security.

Which solution is more suitable?

A) EDR
B) XDR
C) FIM
D) Firewall

A

✅ Correct Answer: B) XDR
💡 Explanation:

XDR extends security beyond endpoints and monitors cloud workloads, email, and networks.
EDR (A) focuses only on endpoints, not multiple security layers.
FIM (C) only monitors file integrity, not security events.
Firewalls (D) protect network traffic, not endpoint or email security.

50
Q

An IT security team implements a User Behavior Analytics (UBA) system to monitor user login patterns. One employee, who normally logs in between 8 AM and 5 PM, suddenly starts logging in at 2 AM from an unfamiliar location.

How should the UBA system respond?

A) Allow the login, assuming the user is working late.
B) Automatically block the login attempt without further review.
C) Flag the login as anomalous and generate an alert for the security team.
D) Ignore the login since users sometimes work at odd hours.

A

✅ Correct Answer: C) Flag the login as anomalous and generate an alert for the security team.
💡 Explanation:

UBA systems establish a baseline of normal user behavior and flag anomalies.
Since the user is logging in at an unusual time and location, this may indicate a compromised account.
Blocking the login (B) may cause false positives if the login is legitimate.
Ignoring the login (D) could result in a security breach.

51
Q

A company implements User and Entity Behavior Analytics (UEBA) instead of User Behavior Analytics (UBA) to improve its security posture.

What additional security benefit does UEBA provide over UBA?

A) It extends monitoring to non-user entities like servers, routers, and endpoints.
B) It uses machine learning to detect threats more effectively than UBA.
C) It replaces the need for endpoint detection and response (EDR).
D) It eliminates the need for security teams to investigate alerts.

A

✅ Correct Answer: A) It extends monitoring to non-user entities like servers, routers, and endpoints.
💡 Explanation:

UBA focuses only on user behavior, whereas UEBA includes monitoring of entities like servers, routers, and endpoints to detect anomalies in both user and device activity.
Machine learning (B) is used in both UBA and UEBA.
UEBA does not replace EDR (C); rather, it complements it.
Security teams are still required to investigate alerts (D) to confirm threats.

52
Q

A UBA system detects that an employee in the marketing department is attempting to access financial records, even though they typically only access social media analytics and campaign data.

What should happen next?

A) Immediately terminate the employee’s account.
B) Generate an alert for further investigation.
C) Allow the access since it may be a mistake.
D) Automatically log out the user and block their future logins.

A

✅ Correct Answer: B) Generate an alert for further investigation.
💡 Explanation:

UBA identifies unusual user behavior, such as accessing unauthorized data.
Security teams should investigate (B) before taking action.
Automatically blocking access (D) may disrupt legitimate work if it was accidental.
Immediate termination (A) is excessive without further review.

53
Q

A UBA system flags an employee downloading large amounts of sensitive data from the company’s internal database, even though they normally only download small reports.

Which type of attack might this indicate?

A) Ransomware attack
B) Insider threat or data exfiltration attempt
C) Distributed Denial-of-Service (DDoS) attack
D) SQL Injection

A

✅ Correct Answer: B) Insider threat or data exfiltration attempt
💡 Explanation:

UBA detects anomalous behavior, such as excessive data downloads, which may indicate data theft by an insider.
Ransomware (A) encrypts files but does not usually involve large data downloads.
DDoS attacks (C) focus on overloading servers, not stealing data.
SQL Injection (D) is an attack on databases but is not necessarily linked to data exfiltration.

54
Q

A UBA system detects that a developer is accessing a new set of servers for the first time. However, the IT department confirms that the developer was recently assigned new tasks that require this access.

What can be done to reduce false positives in the future?

A) Disable the UBA system for developers.
B) Update the developer’s normal behavior baseline.
C) Block the developer’s access immediately.
D) Remove machine learning algorithms from the UBA system.

A

✅ Correct Answer: B) Update the developer’s normal behavior baseline.
💡 Explanation:

UBA uses behavioral baselines, and when user roles change, their baseline should be updated to avoid false positives.
Disabling UBA (A) weakens security.
Blocking access (C) is unnecessary if the activity is legitimate.
Removing machine learning (D) would reduce the system’s ability to detect threats.

55
Q

A UBA system detects an unusual surge in failed login attempts from a user’s account, followed by a successful login from an unfamiliar IP address.

What should happen next?

A) Immediately disable the user’s account and notify the security team.
B) Allow access since the login was eventually successful.
C) Block all user logins across the organization.
D) Remove the UBA system from monitoring logins.

A

✅ Correct Answer: A) Immediately disable the user’s account and notify the security team.
💡 Explanation:

A high number of failed logins followed by a successful login from an unusual location indicates a possible account compromise.
Disabling the account (A) prevents further unauthorized access while an investigation is conducted.
Allowing access (B) risks data breaches.
Blocking all users (C) is unnecessary.
Removing UBA (D) weakens security monitoring.

56
Q

A company’s UEBA system detects a server communicating with an unfamiliar external IP address at unusual hours. The server normally only communicates with internal databases.

What kind of security incident might this indicate?

A) Normal system maintenance
B) A misconfigured firewall rule
C) Unauthorized data exfiltration or malware activity
D) Routine backup process

A

✅ Correct Answer: C) Unauthorized data exfiltration or malware activity
💡 Explanation:

UEBA can monitor not just users, but also servers and endpoints.
Unusual external communications may indicate data exfiltration, malware, or a compromised server.
Maintenance (A) and backups (D) should be pre-approved activities and not occur at random times.
Misconfigured firewalls (B) are security risks but do not necessarily indicate data exfiltration.

57
Q

A system administrator wants to ensure that all users access the company’s website only through a secure HTTPS connection.

What action should they take?

A) Block Port 443 and allow Port 80.
B) Block Port 80 and allow Port 443.
C) Allow both Port 80 and Port 443 for compatibility.
D) Assign a random port number to HTTPS instead of Port 443.

A

✅ Correct Answer: B) Block Port 80 and allow Port 443.
💡 Explanation:

Port 443 is used for HTTPS (encrypted traffic), while Port 80 is used for HTTP (unencrypted traffic).
Blocking Port 80 ensures that all connections are forced through HTTPS.
Allowing both ports (C) does not enforce security, as users can still access HTTP.
Assigning a random port (D) can obscure the service but does not provide encryption.

58
Q

A security engineer notices that employees are using Telnet to remotely manage internal servers. They want to improve security by replacing Telnet with a more secure alternative.

Which protocol should they implement?

A) SSH
B) FTP
C) HTTP
D) SNMP

A

✅ Correct Answer: A) SSH
💡 Explanation:

Telnet transmits data (including passwords) in plaintext, making it vulnerable to eavesdropping.
SSH (Secure Shell) encrypts all data, ensuring secure remote access.
FTP (B) and HTTP (C) are insecure protocols.
SNMP (D) is used for network monitoring, not remote management.

59
Q

A network administrator is configuring a web server and wants to reduce the likelihood of automated attacks targeting Port 80.

What is the best approach?

A) Use Port 8888 instead of Port 80.
B) Disable all ports and allow only ICMP traffic.
C) Use Port 22 instead of Port 443 for HTTPS.
D) Keep using Port 80, but enforce strong passwords.

A

✅ Correct Answer: A) Use Port 8888 instead of Port 80.
💡 Explanation:

Changing the default port (Port 80) to a non-standard port (e.g., 8888) adds a layer of obscurity, making it harder for attackers to find the service.
Disabling all ports (B) prevents users from accessing the server.
Port 22 (C) is used for SSH, not HTTPS.
Strong passwords (D) are important but do not address the risk of automated attacks scanning default ports.

60
Q

A streaming service needs a transport protocol that prioritizes speed over data accuracy.

Which transport method should they use?

A) TCP
B) UDP
C) ICMP
D) SMTP

A

✅ Correct Answer: B) UDP
💡 Explanation:

UDP (User Datagram Protocol) is connectionless and prioritizes speed, making it ideal for video streaming and gaming.
TCP (A) ensures accurate data delivery but introduces latency.
ICMP (C) is used for network diagnostics, not data transmission.
SMTP (D) is used for sending emails, not streaming data.

61
Q

An email administrator wants to ensure that outgoing email is encrypted when sent from the company’s mail server.

Which protocol and port combination should they configure?

A) SMTP over Port 25
B) SMTPS over Port 587
C) IMAP over Port 143
D) POP3 over Port 110

A

✅ Correct Answer: B) SMTPS over Port 587
💡 Explanation:

SMTP (Simple Mail Transfer Protocol) over Port 25 does not use encryption.
SMTPS (secure SMTP) over Port 587 encrypts outgoing email, making it secure.
IMAP (C) and POP3 (D) are used for receiving emails, not sending them.

62
Q

A network administrator is reviewing firewall rules to ensure only necessary ports are open to minimize the attack surface.

Which best follows the principle of least privilege?

A) Allow all incoming connections for flexibility.
B) Open only the ports required for business operations and block all others.
C) Keep all default ports open for troubleshooting.
D) Use a single firewall rule to allow all traffic inside the network.

A

✅ Correct Answer: B) Open only the ports required for business operations and block all others.
💡 Explanation:

The principle of least privilege means only enabling necessary services to reduce potential attack points.
Allowing all connections (A, C, D) increases security risks.

63
Q

A company wants to configure secure email retrieval for employees.

Which protocol should they use?

A) IMAP
B) IMAPS
C) POP3
D) SMTP

A

✅ Correct Answer: B) IMAPS
💡 Explanation:

IMAPS (Internet Message Access Protocol Secure) encrypts email retrieval using Port 993.
IMAP (A) over Port 143 is unencrypted.
POP3 (C) is an older email retrieval protocol that does not support synchronization across multiple devices.
SMTP (D) is used for sending, not receiving emails.

64
Q

A company is setting up a new web application and wants to ensure secure data transmission.

Which protocol should they choose?

A) HTTP
B) FTP
C) SFTP
D) Telnet

A

✅ Correct Answer: C) SFTP
💡 Explanation:

SFTP (Secure File Transfer Protocol) encrypts data during transmission, ensuring security.
HTTP (A) and FTP (B) transmit data in plaintext, making them insecure.
Telnet (D) is an outdated remote access protocol that lacks encryption.