Security X Practice Test 2 Hardcover Flashcards
Question 2:
A large financial institution recently experienced an increase in credential-based attacks targeting employees. The security team has decided to implement mandatory awareness training to reduce social-engineering-based attacks. However, security logs indicate that employees continue clicking on suspicious links even after the training sessions. What additional security control should be implemented to enforce behavioral change?
A. Automated phishing simulations to measure awareness effectiveness
B. Regular email reminders about potential security risks
C. Increasing security training sessions without reinforcement measures
D. Allowing employees to report suspicious emails on a voluntary basis
E. Relying on endpoint protection solutions to block malicious links
A. Automated phishing simulations to measure awareness effectiveness
Explanation:
A. Phishing simulations reinforce awareness by providing real-world testing for employees
Question 17:
The incident response team detected suspicious TLS negotiation failures between an internal server and a third-party service. The SIEM logs reveal repeated TLS handshake failures. Below is a log snippet:
2025-05-01 - TLS Handshake Failure - Server:web1.internal.com - Protocol: TLS 1.3 - Error: Unsupported Cipher
2025-05-01 - TLS Handshake Failure - Server: web1.internal.com - Protocol: TLS 1.2 - Error: Certification Validation
2025-05-01 - TLS Handshake Failure- Server: web1.internal.com - Protocol: TLS 1.3 - Error: Expired Certificate
What is most likely the root cause of these failures?
A. The server is using an outdated certificate that has expired
B. The TLS protocol version is incompatible with the third party service
C. The SIEM Log is incorrectly flagging normal traffic as failed handshakes
D. The client cert is not properly signed by a trusted authority
E. The server is configured to allow only weak cipher suites
A. The server is using an outdated certificate that has expired
Explanation:
The log shows an expired certificate, which is the primary reason for the TLS handshake failures
Question 30: Your organization is deploying secure credential issuance for new employees and is implementing self-service provisioning. Below is the current IAM configuration:
self_provisioning: enabled
email_verification: disabled
admin_approval: required
Which two improvements should be made to strengthen security?
A. Enable email verification to prevent unauthorized account creation
B. Implement identity proofing for self provisioned accounts
C. Disable self-service provisioning entirely
D. Remove admin approval to reduce friction
E. Allow any email domain for provisioning requests
A. Enable email verification to prevent unauthorized account creation
B. Implement identity proofing for self provisioned accounts
Explanation:
A. Email verification prevents fraudulent self-provisioned accounts
B. Identity proofing ensures legitimate user registrations
Question 32:
Match the shared responsibility model tasks with the correct cloud service model (IaaS, PaaS, SaaS).
A. Customer manages OS updates and security patches
B. CSP is responsible for physical data center security
C. Customer secures application layer vulnerabilities
D. CSP controls and maintains network infrastructure
E. Customer is responsible for user access controls
- IaaS
- PaaS
- SaaS
- All cloud models
- CSP-only responsibility
A-1
B-5
C-2
D-5
E-4
Explanation:
A. In IaaS, customers handle OS security updates
B. CSPs manage data center security, regardless of the model
C. In PaaS, customers must secure application vulnerabilities
D. Networking infrastructure is CSP controlled
E. User access control is a shared responsibility across all models
Question 35:
NA
Question 40: Your security operations team is monitoring API logs for signs of unauthorized access attempts. The following log snippet reveals multiple failed authentication attempts followed by a successful API call:
2025-02-02 - Failed API Auth - user:unknown - IP:203.0.113.50
2025-02-02 - Failed API auth - user:unknown - IP 203.0.113.50
2025-02-02 - Successful API request - user:serviceA - IP - 198.51.100.25
What is the most likely explanation for this event pattern?
A. A legitimate user was locked out after failed login attempts
B. An attacker successfully brute-forced API credentials
C. The API gateway incorrectly flagged a normal authentication attempt
D. The user switched networks, triggering a new authentication session
E. A session hijacking attack allowed an unauthorized request
E. A session hijacking attack allowed an unauthorized request
Explanation:
E. Session hijacking is likely, as a different IP made a successful request after failures
You need to analyze successful API authentication attempts following multiple failures. Make sure to correlate logs with session-based attacks.
Question 45:
A multinational corporation uses adaptive authentication strategies to detect unusual access patterns. A security engineer notices that a service account is accessing cloud resources from two different countries simultaneously. The SIEM system flags this as a high risk event. Review the SIEM log and determine the best course of action. SIEM Log Extract:
2025-02-02 - Login Success - user:svc-api - IP:192.168.50.10 (US)
2025-02-02 - Login Success - user:svc-api - IP: 203.113.200 (Germany)
2025-02-02 - Risk Alert - Impossible Travel Detected
What should the security team do first?
A. Disable the account immediately to prevent further unauthorized access
B. Investigate the logs for API token compromise and alert the SOC team
C. Assume the event is benign and whitelist the service account
D. Reboot the authentication server to refresh login sessions
E. Adjust the risk thresholds to reduce false positives
B. Investigate the logs for API token compromise and alert the SOC team
Explanation:
Impossible travel detection suggests API token theft, which requires an incident response
Question 47:
The SOC is monitoring privileged access attempts in their SIEM system. Below is a log extract showing multiple PIM activations:
2025-02-03 - Role Activation - User: admin1 - Role:GlobalAdmin - Duration: 1h
2025-02-03 - Role Activation - User:admin2 - Role:SecurityAdmin - Duration: 2h
2025-02-03 - Role Activation - User:temp_admin - Role: GlobalAdmin - Duration: 12h
What is the most significant security concern based on this log?
A. The use of just-in-time access for administrative roles
B. An unusually long session duration for temp_admin
C. Normal PIM activations by authorized users
D. The presence of multiple privileged roles in the organization
E. The security team monitoring PIM activations
B. An unusually long session duration for temp_admin
Explanation:
A 12-hour session for a temporary account increases risk exposure
Question 52:
An enterprise security team is reviewing access control list rules on an edge router. The goal is to prevent unauthorized traffic from reaching internal systems while ensuring legitimate access. The current ACL configuration is as follows:
Rule1: Allow TCP 10.0.0.0/24 -> 192.168.1.0/24
Rule2: Deny ICMP Any -> Any
Rule3: Allow UDP 0.0.0.0/0 -> 192.168.1.100
Rule4: Deny All Any -> Any
Which modification should be made to enhance security while maintaining functionality?
A. Remove Rule3 to block all external UDP traffic
B. Modify Rule2 to allow ICMP for network troubleshooting
C. Change Rule1 to allow traffic from any source
D. Move Rule4 above Rule3 to enforce the deny rule first
E. Disable ACL logging to reduce system load
B. Modify Rule2 to allow ICMP for network troubleshooting
Explanation:
B. Allowing ICMP selectively improves network diagnostics while preventing abuse
Question 53:
A company experiences a DNS-based data exfiltration attack in which encoded data is transmitted via DNS queries. Below is a sample extract from the DNS logs:
2025-02-20 - Query zxHMAwX0CMf0Aw9f0DgfJAW==.malicous.com
2025-02-20 - Query ZGF0Y51icmVhY2g=.malicous.com
2025-02-20 - Query: c2Vuc2I0aXZIZGF0YQ==.malicious.com
What is the best security control to mitigate such an attack?
A. Implement DNS query analysis to detect anomalies
B. Allow only recursive queries from trusted sources
C. Block all domain lookups containing base64-encoded data
D. Disable logging to prevent attackers from analyzing detection methods
E. Enforce DNS query size restrictions
A. Implement DNS query analysis to detect anomalies
Explanation:
DNS query analysis detects patterns associated with data exfiltration attacks
Question 58:
An enterprise is implementing a defense strategy against USB-based malware attacks. Several endpoint devices have been compromised through unauthorized USB storage devices. The security team must enforce strict USB security policies while maintaining productivity. What two actions should be taken?
A. Disable USB mass storage class drivers on all endpoints
B. Enforce USB device whitelisting with endpoint security policies
C. Require user authentication before accessing USB storage
D. Implement physical USB port blocking on all machines
E. Restrict USB ports to read only mode for non whitelisted devices
A. Disable USB mass storage class drivers on all endpoints
B. Enforce USB device whitelisting with endpoint security policies
Explanation:
A. Disabling mass storage drivers prevents USB-based malware infections
B. Whitelisting ensures only authorized USB devices can be used
You should enforce USB whitelisting and disable mass storage device drivers to prevent USB-based malware attacks. Attackers frequently use USB devices as an initial infection vector.
Question 68:
A threat intelligence report indicates that adversaries are targeting systems using AEAD encryption in transport protocols. The attack vectors involve modifying associated data without triggering decryption failures. Below are the observed indicators:
Threat Actor: ShadowCipher Group
Attack Method: AEAD Header Manipulation
Impact: Undetected data tampering
Mitigation: TBD
What is the best mitigation against this attack?
A. Implement message authentication codes (MACs) separately for header validation
B. Ensure that associated data is cryptographically bound to ciphertext
C. Use static authentication tags to detect tampering more easily
D. Apply additional encryption layers using AES-ECB for the header
E. Store associated data in plaintext to verify integrity before decryption
B. Ensure that associated data is cryptographically bound to ciphertext
Explanation:
B. Cryptographically binding associated data ensures AEAD integrity protection
You need to cryptographically bind associated data (AD) to the ciphertext in AEAD encryption to prevent header manipulation attacks.
Avoid relying solely on message authentication codes (MACs) for header validation.
Question 73:
The cybersecurity team is correlating logs from endpoints, infrastructure and applications to detect advanced threats. The goal is to identify coordinated attack patterns while minimizing false positives. What is the best strategy to achieve this?
A. Rely solely on endpoint detection logs to track threats
B. Correlate logs across multiple data sources to detect patterns
C. Ignore low severity alerts to reduce alert fatigue
D. Disable logging for non-critical applications
E. Increase SIEM log retention period without correlation
B. Correlate logs across multiple data sources to detect patterns
Explanation:
Correlating multiple data sources improves threat detection accuracy
Question 77:
A security engineer is tasked with enforcing least privilege in an enterprise IAM system. Below is the IAM policy for database access:
Role: DatabaseAdmin - Permissions: Read, Write, Delete - Assigned: All engineers
What is the best modification to improve security?
A. Implement just-in-time (JIT) access for database modifications
B. Add MFA for all database access
C. Restrict permissions to only specific users who need them
D. Log all database access requests for auditing
E. Use an allow list-based database connection policy
C.
D. Log all database access requests for auditing
Explanation:
D. Auditing ensures that access is monitored and security violations are detected
Make sure to enforce least privilege by restricting IAM roles based on job functions. JIT and periodic access reviews help prevent privilege creep. Logging and monitoring access activities further enhance security
Wrong answers:
A. JIT access is useful but does not fully enforce least privilege
B. MFA enhances authentication but does not restrict permissions
C. User restrictions help but are not the primary method of enforcing least privilege
E. An allow list-based connection policy controls access sources, not user privileges
Question 78:
A cybersecurity team is setting up an automated system to monitor dark web forums for leaked corporate credentials. The platform must automatically ingest and correlate new breach data with internal identity records. Below is the configuration snippet:
monitoring-config {"sources": ["darkweb-market1", "darkweb-market2"], "correlation": true, "alerting": "on-match"}
What key security improvement should be made?
A. Expand sources to include general OSINT feeds
B. Require manual validation before alerting
C. Implement hashing for breached credentials before storage
D. Increase polling frequency to every minute
E. Disable correlation to reduce false positives
C. Implement hashing for breached credentials before storage
Explanation:
Hashing ensures sensitive breach data is not stored in plaintext
Incorrect answers:
A. OSINT expansion helps but does not secure credential storage
B. Manual validation delays automated threat detection
D. Excessive polling may cause operational overhead
E. Correlation improves threat response by linking breaches to internal users
Question 79:
A forensic investigator is using YARA rules to identify malware patterns in a compromised system. The rule below is used:
rule Trojan_Detection {
    strings:
        $a = { 6A 40 68 00 30 00 00 }
    condition:
        $a
}
The detection rate is low despite known infections. What should the investigator modify to improve malware detection?
A. Add additional hexadecimal string patterns
B. Convert rule conditions to detect full executable hashes
C. Reduce the number of conditions to match more files
D. Change the rule name to be more descriptive
E. Enable case insensitive string matching
E. Enable case insensitive string matching
Explanation:
Case insensitive matching ensures variations are detected
Incorrect:
A. Additional patterns improve accuracy but may not fix false negatives
B. Hash based detection limits flexibility against obfuscated variants
C. Reducing conditions increases false positives
D. Rule names do not impact detection logic
Question 85:
After a supply chain attack compromised a software vendor, an enterprise security team is evaluating lessons learned. The goal is to enhance security and prevent similar incidents. What is the best long term security measure?
A. Enforce mandatory security audits for all third party vendors
B. Implement a Zero Trust architecture with continuous monitoring
C. Require MFA for software developers
D. Restrict network access to vendor systems
E. Conduct bi-annual red team exercises
B. Implement a Zero Trust architecture with continuous monitoring
Explanation:
Zero Trust minimizes risks by enforcing strict access controls and monitoring
Incorrect answers:
A. Audits help but do not continuously protect against threats
C. MFA enhances security but does not address supply chain risks comprehensively
D. Restricting access is useful but not a holistic defense
E. Red team exercises improve detection but do not prevent breaches
Question 88:
A SOC analyst is monitoring cloud workloads using a cloud workload protection platform (CWPP). The analyst detects an alert for an unauthorized container execution in a production Kubernetes cluster. The alert includes multiple failed access attempts followed by a successful privilege escalation event. The security team needs to determine the attacker's entry point into the cluster. Which log entry provides the clearest indicator of initial compromise? SIEM Log Extract:
2025-02-03 - Unauthorized API request - User: unknown - Resource: kube-apiserver
2025-02-03 - Multiple Failed SSH Attempts - Source IP: 203.0.113.12
2025-02-03 - Privilege Escalation - Pod Access Gained
2025-02-03 - Suspicious Outbound Traffic - Dest: external-server.com
A. The unauthorized API request log
B. The failed SSH attempts log
C. The privilege escalation log
D. The suspicious outbound traffic log
E. The Kubernetes pod access log
A. The unauthorized API request log
Explanation:
Unauthorized API requests often indicate the initial attack vector
Incorrect Answers:
B. SSH attempts are suspicious but may not be directly related
C. Privilege escalation occurs post-compromise, not during initial access
D. Outbound traffic is part of the attack lifecycle, but not the initial entry
E. Pod access logs help track lateral movement but not initial compromise
Question 90:
An organization deploys deception techniques to disrupt attacker reconnaissance efforts. The security team wants to implement a dynamic deception strategy that changes attacker-visible assets in real time. Below is the current deception policy. Deception Strategy (Before):
{"decoy_endpoints": "static", "interaction_level": "low", "logging": "disabled"}
What two modifications should be made for effective adversary engagement?
A. Change decoy_endpoints to dynamic for real-time deception
B. Set interaction_level to high to capture detailed tactics
C. Enable logging to full for forensic analysis
D. Reduce decoy visibility to hidden to minimize exposure
E. Set auto shutdown to on to remove compromised decoys
A. Change decoy_endpoints to dynamic for real-time deception
B. Set interaction_level to high to capture detailed tactics
Explanation:
A. Dynamic decoy assets increase deception effectiveness
B. High interaction levels provide detailed intelligence on attacker behavior