Security X Practice Test 3 Hardcover Flashcards
Question 9:
Match the following security compliance frameworks with their primary focus areas:
A. NIST 800-53
B. ISO 27001
C. PCI DSS 4.0
D. FedRAMP
E. SOC 2 Type 2
- Standardized security controls for US federal cloud service providers
- International framework for information security management systems
- Security requirements specifically for payment card transactions and financial data
- Comprehensive security and privacy control guidelines for government and critical infrastructure
- Focuses on auditing cloud service providers for security, availability and confidentiality
A-4. NIST 800-53 is the foundation for security in government and critical infrastructure
B-2. ISO 27001 provides an internationally recognized framework for information security
C-3. PCI DSS 4.0 is specifically designed for securing payment transactions and financial data
D-1. FedRAMP is required for cloud providers handling US government data
E-5. SOC 2 Type 2 focuses on security, availability and confidentiality of cloud service providers
Question 13:
A security analyst suspects an adversarial attack on an AI-powered malware detection system. Below is a snippet of the AI model's detection log, showing unusual classification inconsistencies.
AI model log:
2025-02-02 File: report.pdf - AI Classification: Benign
2025-02-02 File: invoice.docx - AI Classification: Benign
2025-02-02 File: trojan.exe - AI Classification: Benign
2025-02-02 File: ransomware.zip - AI Classification: Benign
2025-02-02: virus.bin - AI Classification: Benign
What adversarial attack technique is likely causing this issue?
A. Model poisoning by injecting misleading training data
B. Evasion attack using adversarial perturbations
C. Model inversion to reconstruct training samples
D. Data exfiltration through AI misclassification
E. Feature extraction to extract AI decision weights
B. Evasion attack using adversarial perturbations
Explanation:
B. Evasion attacks use adversarial inputs to trick AI classifiers
Incorrect:
A. Model poisoning corrupts training data but does not alter real time classifications
C. Model inversion reconstructs training data rather than modifying output classifications
D. Data exfiltration refers to unauthorized data leaks, not AI misclassification
E. Feature extraction steals model parameters but does not affect detections
Question 22:
Your security team is configuring a trusted platform module (TPM) for hardware based encryption. The goal is to ensure secure key storage and prevent software based key extraction attacks. Below is the TPM security policy configuration:
tpm_enable: false
encryption_mode: software_only
What two modifications should be made to enforce TPM security?
A. Enable TPM and use hardware backed key storage
B. Continue using software based encryption
C. Enable secure boot alongside TPM
D. Store encryption keys in cloud based storage
E. Allow untrusted software to access TPM keys
A. Enable TPM and use hardware backed key storage
C. Enable secure boot alongside TPM
Explanation:
A. Enabling TPM ensures hardware-backed key storage for better security
C. Secure Boot enhances TPM security
Incorrect:
B. Software based encryption is vulnerable to key extraction attacks
D. Cloud based key storage does not leverage TPM hardware security
E. Allowing untrusted access weakens TPM security
Question 29:
Your organization is implementing centralized log management to enhance security event correlation across a hybrid environment. Below is the current SIEM configuration:
log_retention: 30 days
alert_threshold: critical_events_only
anomaly_detection: disabled
What two modifications should be made to improve log correlation and forensic analysis?
A. Increase log retention to meet compliance and historical analysis needs
B. Enable anomaly detection to identify behavioral deviations
C. Reduce log retention to minimize storage costs
D. Expand alert thresholds to include low priority security events
E. Disable logging for internal systems to reduce false positives
A. Increase log retention to meet compliance and historical analysis needs
B. Enable anomaly detection to identify behavioral deviations
Explanation:
A. Longer retention improves compliance and supports forensic investigations
B. Anomaly detection helps detect stealthy attacks missed by rule based alerts
Incorrect:
C. Shorter log retention limits forensic investigations
D. Expanding alerts to low priority events can overwhelm analysts
E. Disabling logging weakens security monitoring
Question 34:
Your API security team detected multiple failed authentication attempts targeting an API protected by OAuth 2.0 and JWT tokens. Below is an extract from the API Gateway logs showing unusual activity. What is the most likely explanation for the security event?
API Gateway Log Extract:
2024-02-03 - Event: Authenticate - ClientIP: 192.168.1.10 - Status: 401 Unauthorized
2024-02-03 - Event: Authenticate - ClientIP: 192.168.1.10 - Status: 401 Unauthorized
2024-02-03 - Event: Authenticate - ClientIP: 192.168.1.10 - Status: 200 OK
A. Successful brute force attack using token replay
B. User mistyped password and retried multiple times
C. JWT Token was expired and then refreshed automatically
D. OAuth 2.0 token validation failed due to incorrect scopes
E. Legit user accessing from an unrecognized device
A. Successful brute force attack using token replay
Explanation:
The logs indicate multiple failed attempts followed by a success, suggesting a brute force attack
You need to enforce OAuth token expiration and implement brute force detection for authentication failures. Make sure APIs limit failed logon attempts to prevent automated attacks. Always remember that a successful login after multiple failures indicates credential stuffing or brute force.
Incorrect:
B. OAuth tokens do not rely on user entered passwords for every request
C. An expired JWT token would not cause multiple 401 errors before a success
D. OAuth 2.0 scope mismatches typically result in persistent failure, not eventual success
E. Unrecognized device access would not trigger multiple authentication failures
Question 35:
Your cloud security team detected unauthorized decryption attempts in a customer managed key management system. Below is a snippet from the KMS audit log showing repeated failed access attempts. What is the most likely cause of this event?
KMS Audit Log Extract:
2024-02-04 - KeyAccessAttempt - User: service-account-123 - Status: DENIED
2024-02-04 - KeyAccessAttempt - User: service-account-123 - Status: DENIED
2024-02-04 - KeyAccessAttempt - User: service-account-123 - Status: DENIED
A. Misconfigured IAM policy preventing decryption access
B. Compromised key being used by unauthorized actors
C. Expired encryption key preventing decryption
D. Cloud provider experiencing a service outage
E. Incorrect key rotation policy causing failure
A. Misconfigured IAM policy preventing decryption access
Explanation:
A. The logs indicate a denied access attempt due to an IAM policy misconfiguration
You should enforce strict IAM policies to control encryption key access. Make sure least privilege access is applied to prevent unauthorized decryption attempts. Always remember that key management requires continuous monitoring: regular audits help identify policy misconfigurations before attackers exploit them.
Incorrect answers:
B. If the key was compromised, access would likely be successful, not denied
C. Expired keys result in key unavailability, not access denials
D. Cloud outages typically do not return access denied errors
E. Incorrect key rotation would not necessarily cause repeated access denials
Question 39:
Your SIEM has detected unusual VPN authentication attempts across multiple geographic locations within a short time. Below is your VPN authentication log:
2025-02-02 - Successful VPN Login - user: admin - IP: 192.168.5.10
2025-02-02 - Failed VPN Login - user: admin - IP: 203.0.113.55
2025-02-02 - Successful VPN Login - user: admin - IP 198.51.100.30.
What is most likely the cause of this pattern?
A. A user is switching between multiple VPN endpoints rapidly
B. An attacker has gained access to VPN credentials and is logging in from different locations
C. The user is using a misconfigured VPN client causing connection drops
D. The VPN server is incorrectly flagging normal authentication behavior
E. The VPN has split tunneling configuration that allows multiple IP addresses
C. The user is using a misconfigured VPN client causing connection drops
Explanation:
C. Misconfigured VPN clients can cause session disruptions and IP changes
You should enable adaptive VPN access control with anomalous login detection. Make sure to implement session integrity monitoring. Always remember that attackers target persistent VPN sessions to maintain access
Incorrect:
A. Rapidly switching VPN endpoints is unlikely unless intentional
B. The log does not show failed MFA attempts, which would indicate credential theft
D. The VPN server is flagging an actual issue, not a false positive
E. Split tunneling affects traffic routing but does not explain authentication anomalies
Question 49:
The organization’s attack surface monitoring tool has generated logs indicating potential exposure. Below is a log extract showing recent external access attempts on a web server:
2025-02-10 - External Access Attempt - IP: 203.0.11.45 - Resource: /admin - Status: 404
2025-02-10 - External Access Attempt - IP: 203.0.113.45 - Resource: /admin/login - Status: 403
2025-02-10 - External Access Attempt - IP: 203.0.113.45 - Resource: /wp-login.php - Status: 200
What is the most likely security risk indicated by this log data?
A. Brute force attack targeting admin credentials
B. Network scanning by an external entity
C. SQL injection attempt on the web server
D. Phishing attack targeting web admins
E. DDoS attack
B. Network scanning by an external entity
Explanation:
B. Accessing multiple admin pages suggests reconnaissance activity
You should investigate multiple unauthorized access attempts on administrative endpoints. Make sure to monitor logs for brute force attempts and credential stuffing attacks. Avoid assuming that failed admin logins are user mistakes. Stay alert to patterns of sequential access attempts on multiple login pages, as this indicates active scanning.
Question 55:
A financial institution is receiving intelligence reports about a botnet preparing a DDoS attack on their login portal. IoCs include IPs associated with known attack campaigns. The logs indicate increased login attempts from suspicious locations:
- Large volume of login requests within seconds
- IPs linked to past DDoS attacks
- Failed authentication attempts from different countries
Which mitigation should be prioritized?
A. Implement CAPTCHA for login requests
B. Block IPs associated with botnet activity
C. Deploy a dedicated WAF rule for rate limiting
D. Require MFA
E. Increase server bandwidth allocation
B. Block IPs associated with botnet activity
Explanation:
Blocking known botnet IPs reduces attack impact
Incorrect:
A. CAPTCHA helps but does not prevent large scale automated attacks
C. Rate limiting helps but does not fully mitigate botnet driven attacks
D. MFA strengthens authentication but does not address DDoS directly
E. More bandwidth does not stop application layer DDoS attacks
Question 56:
A multinational corporation is deploying an enterprise firmware security policy to prevent unauthorized modifications. Below is the current policy configuration:
{"FirmwareVerification": "SHA-1", "RollbackPolicy": "Disabled", "SecureBootEnforced": true, "UpdateSigning": "Optional"}
What two essential changes should be made to improve firmware security?
A. Upgrade FirmwareVerification to SHA256
B. Enable RollbackProtection to prevent unauthorized downgrades
C. Disable SecureBootEnforced to allow for easier updates
D. Require UpdateSigning to be mandatory
E. Implement TPM-backed integrity verification
A. Upgrade FirmwareVerification to SHA256
B. Enable RollbackProtection to prevent unauthorized downgrades
Explanation:
A. SHA-256 improves cryptographic strength over SHA-1
B. Rollback protection prevents attackers from reinstalling vulnerable firmware versions
Incorrect:
C. Disabling secure boot weakens boot integrity
D. While beneficial, signing updates does not prevent firmware rollback attacks
E. TPM integrity verification is useful but does not replace the need for stronger cryptographic verification
Question 65:
Your company is evaluating homomorphic encryption for secure AI model training. Below is a configuration used for encrypted computation:
Scheme: BFV
Key Size: 8192 bit
Computation Rounds: 15
Performance: Slow
What two adjustments should be made to optimize performance while maintaining security?
A. Reduce computation rounds to minimize noise accumulation
B. Increase key size to 16384 bit for enhanced security
C. Switch to CKKS for improved floating point operations
D. Decrease noise tolerance to reduce computation errors
E. Use a non homomorphic encryption scheme for better speed
A. Reduce computation rounds to minimize noise accumulation
C. Switch to CKKS for improved floating point operations
Explanation:
A. Reducing computation rounds decreases noise accumulation and improves efficiency
C. CKKS is optimized for floating point computations, improving AI model training efficiency
Incorrect:
B. Increasing key size further slows performance without significant security gain
D. Reducing noise tolerance increases the likelihood of computational errors
E. Switching to non homomorphic encryption prevents encrypted computation
Question 66:
Your company is deploying a secure enclave for cryptographic key management to protect sensitive customer data. Below is the current key management configuration:
Key Storage: Software based
Key Access: Application Memory
Encryption method: AES-GCM
Security Compliance: PCI-DSS
What two critical modifications should be made to improve security using secure enclave technology?
A. Store crypto keys inside the secure enclave to prevent key exposure
B. Implement hardware based key attestation to validate key integrity
C. Use software based key derivation for better performance
D. Enable persistent key caching to improve access speed
E. Allow application level access to secure enclave without restrictions
A. Store crypto keys inside the secure enclave to prevent key exposure
C. Use software based key derivation for better performance
Explanation:
A. Storing cryptographic keys in a secure enclave isolates them from application memory
C. Secure enclave based key derivation enhances security and reduces exposure risks
Incorrect:
B. While useful, attestation does not directly protect keys inside the enclave
D. Persistent key caching increases the risk of key exposure
E. Unrestricted access negates the security benefits of a secure enclave
Question 67:
A healthcare provider is using SMPC for privacy preserving patient data analysis across multiple hospitals. The following configuration is in use:
Computation Type: Homomorphic Encryption
Network Latency: High
Storage Model: Cloud based secure containers
Data Encryption: AES-256
What two modifications should be made to optimize security and efficiency?
A. Replace AES-256 with a weaker encryption algorithm for better performance
B. Use garbled circuits instead of homomorphic encryption to reduce computational overhead
C. Deploy edge computing nodes to minimize latency in SMPC transactions
D. Increase the number of computation rounds to strengthen privacy at the cost of performance
E. Reduce the number of participating hospitals to minimize computational complexity
B. Use garbled circuits instead of homomorphic encryption to reduce computational overhead
C. Deploy edge computing nodes to minimize latency in SMPC transactions
Explanation:
B. Garbled circuits are an efficient alternative to homomorphic encryption for SMPC
C. Edge computing nodes reduce latency, improving performance in real time monitoring
Incorrect:
A. Weaker encryption compromises security and is not an acceptable trade off
D. Increasing computation rounds enhances security but negatively impacts performance
E. Reducing participating hospitals limits collaborative data analysis, reducing effectiveness
Question 71:
A SOC team is optimizing SIEM event parsing to improve log normalization. Below is a sample log entry before processing:
LogEntry: 2025-02-02 - ALERT - src_ip= 10.0.0.5 - action=blocked
After parsing, the SIEM should extract key fields into structured data for correlation and analysis. What is the best field normalization approach?
A. Retain the raw log format without parsing
B. Convert logs into JSON format for standardization
C. Use a SIEM specific regex parser to extract key fields dynamically
D. Manually categorize each log entry for analysts
E. Store all logs in plaintext format for forensic integrity
C. Use a SIEM specific regex parser to extract key fields dynamically
Explanation:
C. Regex based parsing ensures logs are extracted correctly and mapped to SIEM fields
Incorrect:
A. Retaining raw logs without parsing reduces detection capabilities
B. JSON standardization helps, but dynamic parsing is more adaptable
D. Manual categorization is inefficient and prone to human error
Question 72:
A global retail company is deploying AI driven security analytics to detect fraud attempts in real time. The AI model processes transaction data, device fingerprinting and network telemetry. Below is a transaction anomaly that was detected:
2025-02-02 - INFO -New Transaction - user: alice - Amount: $5000 - Location: US
2025-02-02 - WARNING - Device Fingerprint Mismatch - user: alice - IP: 192.0.2.5
2025-02-02 - CRITICAL - Sudden Account Balance Transfer - user: alice - Amount: $25,000
A. Ignore the anomaly and wait for further data
B. Suspend the transaction and require MFA
C. Send a fraud alert but allow the transaction
D. Block the user's account permanently
E. Flag the anomaly as a low risk and allow it
B. Suspend the transaction and require MFA
Explanation:
Suspending transactions with MFA ensures security while reducing disruption
Incorrect:
A. Ignoring anomalies increases fraud exposure
C. Sending an alert without blocking the transaction does not prevent fraud
D. Blocking an account permanently without investigation is excessive
E. Flagging this as a low risk contradicts anomaly detection principles
Question 76:
A DevOps team discovered that their application dependencies contained vulnerabilities from unverified 3rd party libraries. Below is the affected package report:
Package: vulnerable-lib v1.2.3 - CVE-2024-5671 - Remote Code Execution
What is the best proactive measure to reduce the risk of supply chain attacks?
A. Implement a firewall rule blocking external dependencies
B. Regularly audit and update dependencies using a software composition analysis (SCA) tool
C. Encrypt third party libraries to prevent tampering
D. Remove all third party libraries from applications
E. Use EDR to monitor dependencies
B. Regularly audit and update dependencies using a software composition analysis (SCA) tool
Explanation:
You need to implement a software composition analysis (SCA) tool to track vulnerabilities in third party libraries. Regular dependency updates and digital signatures on external packages help prevent supply chain attacks.
Question 77:
A financial institution is deploying a multi-layer security strategy for endpoint protection. Which of the following is the least effective defense in depth measure?
A. Enforcing strict access controls and user authentication policies
B. Implementing multiple overlapping security layers
C. Using endpoint detection and response with real time analysis
D. Relying solely on traditional antivirus software
E. Segmenting networks to limit lateral movement
B. Implementing multiple overlapping security layers
Explanation:
Overlapping security layers without proper integration may create conflicts and reduce efficiency
Incorrect:
A. Access controls strengthen security
C. EDR provides advanced threat detection
D. Antivirus alone is insufficient but contributes to a layered security model
E. Network segmentation minimizes attack spread
Question 79:
A cybersecurity team is developing custom threat detection rules for identifying APT activity. What is a key risk when writing overly broad detection rules?
A. Reduced SIEM storage capacity
B. Excessive reliance on real time threat intelligence feeds
C. High false positive rates leading to alert fatigue
D. Overlooking low and slow attack patterns
E. Increased dependence on automated security tools
D. Overlooking low and slow attack patterns
Explanation:
D. Broad rules may miss stealthy low and slow attacks that require precise detection
Incorrect:
A. SIEM storage is a concern but secondary to detection accuracy
B. Threat intelligence enhances rule accuracy, not broadens detection
C. False positives are an issue, but missing sophisticated attacks is a greater risk
E. Automation aids security, but detection rules must remain well defined