Threats, Vulnerabilities, and Mitigations Flashcards
A group of hackers is carrying out cyberattacks against a corporation to expose unethical business practices. Which attribute best describes this type of actor?
A. Financially motivated
B. Highly organized with unlimited resources
C. Driven by ideological or political goals
D. Typically operates within an organization
Answer: C. Driven by ideological or political goals
Explanation: Hacktivists are motivated by political or ideological beliefs and use hacking to promote their cause, often targeting corporations, governments, or organizations they oppose.
A cybersecurity team has detected a highly sophisticated and prolonged cyberattack on a government agency. The attackers used custom malware, zero-day exploits, and stealthy persistence tactics. Based on these characteristics, which type of threat actor is most likely responsible?
A. Script kiddie
B. Hacktivist
C. Insider threat
D. Nation-state actor
Answer: D. Insider threat
✅ Correct: Insider threats originate from within an organization and can have deep knowledge of internal systems. A highly skilled insider, such as a rogue administrator, could deploy advanced malware and exploit zero-day vulnerabilities to maintain persistence in a network.
❌ Incorrect Answers:
A. Script kiddie: Script kiddies lack technical expertise and typically use pre-built hacking tools without understanding how they work.
B. Hacktivist: Hacktivists are motivated by political or ideological causes but usually lack the sophistication required for long-term persistence in a network.
C. Nation-state actor: While nation-state actors are highly skilled and well-funded, the question specifies an insider as the likely source of the attack, meaning the threat originates from within the organization.
A state-sponsored hacking group targets another country’s power grid, causing widespread outages. What is the MOST LIKELY motivation?
A. Financial gain
B. War
C. Ethical hacking
D. Disruption/Chaos
Answer: B. War
✅ Correct: Cyberattacks on critical infrastructure are commonly linked to geopolitical conflicts.
❌ Incorrect Answers:
A. Financial gain: The goal is disruption, not profit.
C. Ethical hacking: Ethical hacking aims to improve security, not cause harm.
D. Disruption/Chaos: While disruption occurs, the broader goal is warfare.
A phishing email convinces an employee to download a malicious attachment that installs keylogging software on their system. Which attack surface and threat vector were exploited?
A. Email and removable device
B. Email and file
C. Message and voice call
D. Instant Messaging (IM) and image
Answer: B. Email and file
✅ Correct: The attack surface is email, as it was used to deliver the threat. The threat vector is a malicious file attachment.
❌ Incorrect Answers:
A. Email and removable device: The attack did not involve external media such as USB drives.
C. Message and voice call: The attack was carried out via email, not voice calls.
D. Instant Messaging (IM) and image: The exploit involved email and a file attachment, not an image sent through IM.
A security operations center (SOC) detects unusual outbound traffic from an internal server to an unknown IP address. A forensic analysis reveals that an attacker exploited a remote code execution vulnerability in a legacy database application running on an end-of-life (EoL) operating system. The attacker exfiltrated sensitive records before establishing persistence via a secondary compromised system. Given these findings, which of the following security risks contributed MOST to the success of this attack?
A. Failure to enforce network segmentation
B. Use of unsupported systems and applications
C. Misconfigured access control lists (ACLs)
D. Presence of open service ports on internet-facing systems
Answer: B. Use of unsupported systems and applications
✅ Correct: The legacy operating system and database application were no longer receiving security patches, making them prime targets for exploitation. The attacker leveraged an unpatched vulnerability to gain initial access and establish persistence.
❌ Incorrect Answers:
A. Failure to enforce network segmentation: While segmentation could reduce lateral movement, it would not prevent the initial compromise caused by an unpatched system.
C. Misconfigured access control lists (ACLs): ACLs control network traffic but do not address unpatched software vulnerabilities.
D. Presence of open service ports on internet-facing systems: The attack originated from within the network, not from an external-facing open port.
A cybersecurity audit reveals that a financial institution has dozens of servers with default manufacturer credentials still in place. Further investigation shows that an unauthorized actor successfully logged into one of these servers using publicly available credentials and modified configurations to create persistent access. Additionally, the attacker deployed a hidden process that exfiltrates customer records at random intervals to avoid detection. Based on this scenario, which TWO security vulnerabilities MOST likely contributed to this breach? (Select TWO)
A. Default credentials
B. Supply chain attack
C. Open service ports
D. Client-based vulnerability
E. Misconfigured security controls
Answer: A. Default credentials and E. Misconfigured security controls
✅ Correct:
A. Default credentials: The attacker was able to log into the server using publicly available manufacturer credentials, which should have been changed upon deployment.
E. Misconfigured security controls: The attacker modified system configurations to establish persistent access, indicating that proper hardening measures were not enforced.
❌ Incorrect Answers:
B. Supply chain attack: No evidence of tampering with the hardware/software supply chain is present.
C. Open service ports: While open ports can expose services, the attacker gained access using default credentials, not an exposed port.
D. Client-based vulnerability: The attack targeted a server, not client-side software.
An attacker intercepts network traffic between an employee’s laptop and the corporate network by exploiting a misconfigured wireless access point. The attacker is able to inject malicious payloads into unencrypted HTTP sessions and redirect traffic to a credential-harvesting page disguised as the company’s login portal. The attacker then uses the stolen credentials to access an internal system and escalate privileges. Which THREE security weaknesses enabled this attack?
A. Unsecure network configuration
B. Unsupported legacy authentication mechanisms
C. Failure to enforce transport encryption
D. Use of a compromised supply chain vendor
E. Client-based software vulnerability
Answer: A. Unsecure network configuration, B. Unsupported legacy authentication mechanisms, and C. Failure to enforce transport encryption
✅ Correct:
A. Unsecure network configuration: The misconfigured wireless access point allowed the attacker to intercept and manipulate network traffic.
B. Unsupported legacy authentication mechanisms: The use of outdated or non-secure authentication methods likely contributed to privilege escalation.
C. Failure to enforce transport encryption: The attacker injected malicious payloads into unencrypted HTTP sessions, which should have been secured using TLS encryption.
❌ Incorrect Answers:
D. Use of a compromised supply chain vendor: This attack was network-based, not supply chain-related.
E. Client-based software vulnerability: The exploit targeted network security flaws, not client-side application vulnerabilities.
Which of the following attributes is most commonly associated with organized crime threat actors?
A. Short-term, opportunistic attacks
B. Well-structured operations and financial motivation
C. Government sponsorship and long-term persistence
D. Use of unsophisticated tools and techniques
Answer: B. Well-structured operations and financial motivation
Explanation: Organized crime groups are highly structured and focus on financial gain, using methods like ransomware, fraud, and data theft. They are different from nation-state actors, who are government-sponsored.
Which of the following BEST describes an unskilled attacker?
A. Uses publicly available exploit tools without deep knowledge of how they work
B. Targets critical infrastructure for financial gain
C. Develops custom malware to maintain long-term persistence
D. Engages in cyberattacks to promote an ideological cause
Answer: A. Uses publicly available exploit tools without deep knowledge of how they work
✅ Correct: Unskilled attackers, often called script kiddies, rely on automated tools to conduct cyberattacks without truly understanding the underlying techniques.
❌ Incorrect Answers:
B. Targets critical infrastructure for financial gain: This describes an organized crime group that seeks monetary gain.
C. Develops custom malware to maintain long-term persistence: This is a hallmark of nation-state actors or APTs (Advanced Persistent Threats).
D. Engages in cyberattacks to promote an ideological cause: This describes hacktivists, who act for political or social reasons.
A group of cybercriminals breaches a corporation’s network and leaks confidential trade secrets online, hoping to damage the company’s reputation. What is the MOST LIKELY motivation?
A. Financial gain
B. Espionage
C. Revenge
D. War
Answer: C. Revenge
✅ Correct: The goal of damaging a company’s reputation suggests retaliation.
❌ Incorrect Answers:
A. Financial gain: No monetary incentive is mentioned.
B. Espionage: There is no evidence of theft for a competitor.
D. War: This attack does not target military objectives.
During a forensic investigation, an analyst finds an infected workstation communicating with an external IP address over port 443. The source of the infection was an employee who downloaded an Excel file sent via an instant messaging app. The file contained a hidden macro that executed PowerShell commands. Which two attack surfaces and vectors were MOST LIKELY exploited? (Select TWO)
A. Removable device
B. Instant Messaging (IM)
C. File
D. Voice Call
Answer: B. Instant Messaging (IM) and C. File
✅ Correct:
IM (B) was the attack surface, as the malware was delivered via an instant messaging platform.
File (C) was the threat vector, as the attacker embedded a malicious macro in an Excel document.
❌ Incorrect Answers:
A. Removable device: The malware was not introduced via USB or external storage.
D. Voice Call: The attack did not involve social engineering via phone.
A software development company contracts a third-party vendor to provide cloud-based storage for its application data. Six months later, the company discovers that attackers exploited a vulnerability in the vendor’s infrastructure to gain unauthorized access to the stored data. The breach exposed confidential customer records, including personally identifiable information (PII). Which of the following would have BEST mitigated this supply chain risk?
A. Segmenting vendor systems from internal production environments
B. Encrypting stored data using a client-managed encryption key
C. Restricting third-party vendor access to corporate networks
D. Blocking all non-essential inbound and outbound network traffic
Answer: B. Encrypting stored data using a client-managed encryption key
✅ Correct: If the company had encrypted data before sending it to the vendor, even if the vendor was compromised, attackers would not be able to decrypt the stolen information.
❌ Incorrect Answers:
A. Segmenting vendor systems from internal production environments: While useful, segmentation would not prevent an attacker from accessing vendor-stored data.
C. Restricting third-party vendor access to corporate networks: This helps reduce direct access risks, but the attack occurred on the vendor’s infrastructure, not within the corporate network.
D. Blocking all non-essential inbound and outbound network traffic: While firewalls help, they would not prevent data theft from a compromised third-party vendor.
A red team conducts a penetration test on a corporate network and successfully accesses a database server without triggering any security alerts. The red team achieved this by inserting malicious firmware into a router that was intercepted during shipment. This firmware enabled remote access for the attacker, allowing them to pivot inside the network undetected. What attack vector was used in this scenario?
A. Open service ports
B. Wired network attack
C. Supply chain compromise
D. Client-based exploit
Answer: C. Supply chain compromise
✅ Correct: The attackers tampered with networking hardware before it was deployed, allowing them to establish unauthorized remote access.
❌ Incorrect Answers:
A. Open service ports: The compromise did not involve an externally exposed open port.
B. Wired network attack: While the attack allowed access to a wired network, the entry point was a compromised device, not the network infrastructure itself.
D. Client-based exploit: The attack targeted network hardware, not software installed on an endpoint.
A security analyst is investigating multiple reports from employees who received emails that appeared to be from the company’s finance department. The emails requested urgent invoice payments and contained a link to a website that looked identical to the company’s internal payment portal. Employees who entered their credentials were redirected to an “error” page, but their login information was captured. Which TWO social engineering techniques were MOST LIKELY used in this attack?
A. Business Email Compromise (BEC)
B. Watering Hole Attack
C. Brand Impersonation
D. Misinformation/Disinformation
E. Pretexting
Answer: A. Business Email Compromise (BEC) and C. Brand Impersonation
✅ Correct:
A. Business Email Compromise (BEC): The attacker used a fraudulent email appearing to come from the finance department to manipulate employees into taking action.
C. Brand Impersonation: The attacker created a fake version of the company’s payment portal, leveraging trust in the company’s brand to deceive users.
❌ Incorrect Answers:
B. Watering Hole Attack: The attacker did not compromise a website frequently visited by the target.
D. Misinformation/Disinformation: This technique spreads false information but does not involve credential harvesting.
E. Pretexting: While similar to BEC, this attack relied more on brand impersonation than a detailed backstory (pretexting).
A senior executive receives a phone call from someone claiming to be from the company’s IT help desk. The caller states that urgent security updates are required and asks the executive to provide their login credentials over the phone to verify their identity. The phone number appears to originate from the IT department. What attack method is being used?
A. Vishing
B. Smishing
C. Typosquatting
D. Watering Hole Attack
Answer: A. Vishing
✅ Correct: Vishing (voice phishing) uses phone calls to deceive targets into providing sensitive information. The attacker likely used VoIP spoofing to make the call appear legitimate.
❌ Incorrect Answers:
B. Smishing: Smishing involves SMS-based phishing, not phone calls.
C. Typosquatting: Typosquatting involves fake websites with slight URL variations, not phone calls.
D. Watering Hole Attack: This attack targets websites, not phone interactions.
A cybersecurity team detects a surge in visitors to an external website known to be frequently accessed by employees for industry news. Further analysis reveals that a threat actor injected malicious JavaScript into the website, causing malware to be downloaded when visited by employees using company credentials. What type of attack is being executed?
A. Pretexting
B. Watering Hole Attack
C. Smishing
D. Typosquatting
Answer: B. Watering Hole Attack
✅ Correct: The attacker compromised a trusted website frequently visited by the target audience and injected malicious code to infect users who accessed it.
❌ Incorrect Answers:
A. Pretexting: No false scenario was used to manipulate individuals into revealing information.
C. Smishing: SMS (text messaging) was not involved.
D. Typosquatting: The attack did not involve a fake domain or a misspelled URL.
Which attribute best describes the difference between an insider threat and an external threat actor?
A. Access to organizational resources and data
B. Use of ransomware for financial gain
C. Lack of technical expertise and reliance on public tools
D. Limited knowledge of company systems
Answer: A. Access to organizational resources and data
Explanation: Insider threats originate from within an organization and have access to internal systems and sensitive data, making them particularly dangerous. They may act out of malice, negligence, or coercion.
Which of the following statements BEST describes hacktivists?
A. They conduct cyberattacks for financial gain
B. They are always well-funded and work in structured groups
C. They act based on ideological, political, or activist motivations
D. They are primarily insiders who misuse company data for profit
Answer: C. They act based on ideological, political, or activist motivations
✅ Correct: Hacktivists conduct cyberattacks to promote causes they believe in, often targeting governments or corporations they view as unethical.
❌ Incorrect Answers:
A. They conduct cyberattacks for financial gain: Financial motivation is more common for organized crime groups than for hacktivists.
B. They are always well-funded and work in structured groups: Hacktivists vary widely in resources; some work alone, while others have support.
D. They are primarily insiders who misuse company data for profit: This describes an insider threat, not a hacktivist.
A hacker gains access to a CEO’s private emails and threatens to release them unless a payment is made. What is the PRIMARY motivation?
A. Service disruption
B. Philosophical beliefs
C. Blackmail
D. Revenge
Answer: C. Blackmail
✅ Correct: Blackmail involves coercion, often using stolen data to force victims into compliance.
❌ Incorrect Answers:
A. Service disruption: The goal is coercion, not denial of service.
B. Philosophical beliefs: No ideological intent is present.
D. Revenge: The attacker seeks payment, not retribution.
During a forensic investigation, analysts find that several employees were redirected to a fraudulent login page after receiving a text message stating their accounts were suspended due to “suspicious activity.” The fake login page captured usernames and passwords before forwarding the victims to the real website. Which attack technique was used?
A. Typosquatting
B. Smishing
C. Brand Impersonation
D. Misinformation/Disinformation
Answer: B. Smishing
✅ Correct: The attacker used SMS-based phishing (smishing) to deceive victims into clicking a malicious link and entering their credentials.
❌ Incorrect Answers:
A. Typosquatting: Typosquatting relies on misspelled domains, but this attack used a direct text message link.
C. Brand Impersonation: While the attacker may have mimicked a trusted brand, the primary method was SMS phishing (smishing).
D. Misinformation/Disinformation: The attacker did not spread false information to manipulate users, but instead used a fraudulent link.
A company employee receives an email that appears to come from their coworker’s legitimate business account. The email requests an urgent transfer of company funds to an external account. The employee, believing the request to be authentic, wires the money without further verification. Which attack technique was used?
A. Phishing
B. Business Email Compromise (BEC)
C. Watering Hole Attack
D. Impersonation
Answer: B. Business Email Compromise (BEC)
✅ Correct: In BEC attacks, threat actors compromise or spoof legitimate business emails to trick employees into authorizing fraudulent transactions.
❌ Incorrect Answers:
A. Phishing: While this shares characteristics with phishing, BEC is more targeted and specific in nature.
C. Watering Hole Attack: No website was compromised in this attack.
D. Impersonation: While BEC may involve impersonation, the key technique here is email compromise.
A security team notices multiple login attempts from geographically dispersed locations on a corporate portal. An investigation reveals that multiple employees unknowingly accessed a fraudulent login page that looked identical to the real site. The fraudulent page was hosted on a domain that used a slight misspelling of the company’s actual website. What attack technique was used?
A. Phishing
B. Typosquatting
C. Pretexting
D. Misinformation/Disinformation
Answer: B. Typosquatting
✅ Correct: Typosquatting relies on users mistyping a legitimate URL, leading them to a fraudulent website controlled by the attacker.
❌ Incorrect Answers:
A. Phishing: While this attack involves deception, the main vector was a misleading domain name.
C. Pretexting: Pretexting involves a false backstory, which is not present in this attack.
D. Misinformation/Disinformation: The attacker did not spread false narratives, only misleading URLs.
An attacker claims to be a high-level executive and calls a company’s accounting department, demanding urgent approval for a wire transfer. The attacker uses intimidation and urgency, threatening severe consequences if the request is delayed. The accounting employee, fearing repercussions, transfers the requested funds without proper verification. Which psychological manipulation technique was MOST LIKELY used?
A. Scarcity
B. Familiarity
C. Intimidation
D. Consensus
Answer: C. Intimidation
✅ Correct: The attacker used authority and fear tactics to pressure the employee into making an unverified financial transaction.
❌ Incorrect Answers:
A. Scarcity: Scarcity manipulates users by creating a sense of limited availability, which does not apply here.
B. Familiarity: Familiarity relies on building trust, whereas this attack relied on fear and urgency.
D. Consensus: Consensus exploits the belief that “everyone else is doing it,” which was not present here.
A script kiddie is primarily characterized by which of the following attributes?
A. High level of technical expertise
B. Use of pre-built hacking tools without deep understanding
C. Advanced persistent threat (APT) tactics
D. Well-funded and highly organized operations
Answer: B. Use of pre-built hacking tools without deep understanding
Explanation: Script kiddies lack technical skills and use publicly available hacking tools, often without fully understanding how they work. They typically seek attention or engage in cyberattacks for fun.
Which two characteristics BEST describe an insider threat? (Select TWO)
A. Motivated by financial gain, ideology, or revenge
B. Often uses sophisticated zero-day vulnerabilities
C. Typically an external actor who infiltrates networks
D. Has legitimate access to internal systems
E. Always unskilled and relies on automated tools
Answer: A. Motivated by financial gain, ideology, or revenge and D. Has legitimate access to internal systems
✅ Correct:
A: Insider threats are motivated by financial gain, revenge, or even coercion by external actors.
D: Unlike external attackers, insider threats already have authorized access, making them particularly dangerous.
❌ Incorrect Answers:
B. Often uses sophisticated zero-day vulnerabilities: Zero-day exploits are typically associated with nation-state actors.
C. Typically an external actor who infiltrates networks: Insider threats originate from within an organization.
E. Always unskilled and relies on automated tools: Some insider threats have advanced skills and deep knowledge of internal systems.
A former employee launches a malware attack against their previous employer, causing severe operational disruptions. What is the MOST LIKELY motivation?
A. Revenge
B. Financial gain
C. Espionage
D. Service disruption
Answer: A. Revenge
✅ Correct: Disgruntled employees often carry out attacks for retribution, targeting former employers.
❌ Incorrect Answers:
B. Financial gain: The goal is harm, not profit.
C. Espionage: The attacker is not stealing confidential data for a competitor.
D. Service disruption: While disruption occurs, the primary driver is revenge, not general service disruption.
A security team is analyzing a phishing attempt that bypassed email filtering. The email contained no attachments or links but instead instructed recipients to call an IT support number. The number led to an attacker impersonating help desk personnel, convincing victims to install “security updates” that contained malware. Which of the following best describes this attack?
A. Removable media attack via malicious USB drop
B. Social engineering via image exploitation
C. Message-based attack exploiting SMS vulnerabilities
D. Hybrid phishing using voice and file-based malware
Answer: D. Hybrid phishing using voice and file-based malware
✅ Correct: The attacker blended phishing and vishing techniques, tricking victims into calling and then installing malware.
❌ Incorrect Answers:
A. Removable media attack via malicious USB drop: No USB devices were involved in this attack.
B. Social engineering via image exploitation: There was no image-based component in this attack.
C. Message-based attack exploiting SMS vulnerabilities: The phishing attempt originated via email, not SMS.
A security analyst is investigating a breach where an attacker gained unauthorized access to a web application by sending excessively large payloads in user input fields. Logs show that the attack resulted in unexpected crashes and arbitrary code execution on the server. Which type of vulnerability was MOST LIKELY exploited?
A. Race condition
B. Memory injection
C. Buffer overflow
D. Malicious update
Answer: C. Buffer overflow
✅ Correct: Buffer overflow attacks occur when an attacker sends more data than allocated memory can handle, causing an overflow into adjacent memory that may be exploited for arbitrary code execution.
❌ Incorrect Answers:
A. Race condition: Race conditions rely on timing discrepancies, not excessive input sizes.
B. Memory injection: Memory injection typically injects malicious code into running processes, but this attack was caused by input size manipulation.
D. Malicious update: No fake software update was involved in the attack.
During a security audit, an organization discovers that its authentication system allows a user to log in even after their credentials have been revoked, provided that the user was already authenticated before the revocation occurred. Which vulnerability does this BEST describe?
A. Time-of-check to time-of-use (TOCTTOU)
B. Buffer overflow
C. Memory injection
D. Malicious update
Answer: A. Time-of-check to time-of-use (TOCTTOU)
✅ Correct: This vulnerability occurs when there is a delay between verifying user credentials (TOC) and enforcing access control (TOU). If credentials are revoked but the session remains active, the user can continue accessing resources despite no longer being authorized.
❌ Incorrect Answers:
B. Buffer overflow: Buffer overflow overwrites memory, but this is an authentication logic flaw.
C. Memory injection: Memory injection injects malicious code, but this attack exploits improper session enforcement.
D. Malicious update: No malicious software update was involved.
A penetration tester is assessing an application’s security and identifies a flaw where two processes attempt to access the same file simultaneously. This results in unexpected behavior, including unauthorized privilege escalation. Which type of vulnerability is being exploited?
A. Race condition
B. Time-of-check (TOC) vulnerability
C. Memory injection
D. Buffer overflow
Answer: A. Race condition
✅ Correct: A race condition occurs when two processes attempt to access the same resource simultaneously, creating an unexpected execution state that can lead to privilege escalation or data corruption.
❌ Incorrect Answers:
B. Time-of-check (TOC) vulnerability: TOC vulnerabilities involve a time gap between a system check and execution, but this attack involves simultaneous resource access.
C. Memory injection: Memory injection involves malicious code execution, but this attack exploits timing errors.
D. Buffer overflow: A buffer overflow exceeds memory allocation, but race conditions involve timing-based execution issues.
A software developer accidentally deploys a feature that checks for user permissions at login but does not verify them again when a session is resumed. Attackers exploit this flaw by maintaining persistent sessions with revoked privileges, allowing them to continue accessing restricted data. Which vulnerability does this describe?
A. Race condition
B. Time-of-use (TOU) vulnerability
C. Buffer overflow
D. Malicious update
Answer: B. Time-of-use (TOU) vulnerability
✅ Correct: A TOU vulnerability occurs when an access control check is performed once at login but is not rechecked when resources are accessed later. This flaw allows revoked sessions to persist.
❌ Incorrect Answers:
A. Race condition: Race conditions involve simultaneous resource access issues, not delayed authentication failures.
C. Buffer overflow: Buffer overflow exploits memory mismanagement, not session mismanagement.
D. Malicious update: No malicious software update is involved.
A user downloads what appears to be a software update for their enterprise password manager. However, once installed, the update grants remote attackers access to stored credentials and allows them to exfiltrate data. What type of vulnerability is this?
A. Memory injection
B. Malicious update
C. Race condition
D. Time-of-check to time-of-use (TOCTTOU)
Answer: B. Malicious update
✅ Correct: Malicious updates are designed to masquerade as legitimate software updates, but contain hidden malware that grants attackers access to systems or data.
❌ Incorrect Answers:
A. Memory injection: Memory injection occurs when attackers insert code into a running process, but this attack was delivered via a fake software update.
C. Race condition: This attack does not involve simultaneous access conflicts.
D. Time-of-check to time-of-use (TOCTTOU): There was no delay-based attack or resource misuse.
A security researcher is conducting a penetration test on an e-commerce website and notices that submitting username' OR '1'='1' -- into the login field results in a successful authentication bypass. Further testing reveals that executing DROP TABLE users; -- deletes all user accounts. What type of vulnerability is being exploited?
A. Cross-Site Scripting (XSS)
B. SQL Injection (SQLi)
C. Virtual Machine Escape
D. Resource Reuse
Answer: B. SQL Injection (SQLi)
✅ Correct: SQL injection exploits database vulnerabilities by manipulating SQL queries. The attacker uses ' OR '1'='1' -- to bypass authentication and DROP TABLE users; -- to delete database entries.
❌ Incorrect Answers:
A. Cross-Site Scripting (XSS): XSS injects malicious scripts into webpages, not SQL queries.
C. Virtual Machine Escape: This attack targets databases, not VM security.
D. Resource Reuse: Resource reuse occurs in virtualized environments, not databases.
A cybersecurity team discovers that an attacker has compromised an end-of-life (EoL) router model that still receives vendor support. The attacker was able to exploit a previously undisclosed firmware vulnerability, giving them persistent remote access to the corporate network. Which of the following security risks does this scenario highlight?
A. SQL Injection (SQLi)
B. Legacy Hardware
C. Firmware Exploitation
D. Virtual Machine Escape
Answer: C. Firmware Exploitation
✅ Correct: The attacker exploited a vulnerability in the router’s firmware, allowing persistent remote access to the corporate network.
❌ Incorrect Answers:
A. SQL Injection (SQLi): SQLi attacks databases, not firmware.
B. Legacy Hardware: The router is EoL but still supported, meaning it is not fully legacy.
D. Virtual Machine Escape: The attack occurred on physical networking hardware, not a virtualized environment.
Which of the following best describes a key attribute of an advanced persistent threat (APT)?
A. Short-term attacks with immediate financial gain
B. Highly sophisticated and prolonged operations
C. Random, opportunistic hacking attempts
D. Use of simple tools and social engineering exclusively
Answer: B. Highly sophisticated and prolonged operations
Explanation: APTs are long-term, sophisticated cyberattacks often carried out by nation-state actors or well-funded cybercriminal groups. Their goal is to infiltrate a network, remain undetected, and exfiltrate data over time.
Which type of threat actor is MOST LIKELY to be involved in ransomware attacks, identity theft, and financial fraud?
A. Hacktivist
B. Nation-state actor
C. Organized crime group
D. Script kiddie
Answer: C. Organized crime group
✅ Correct: Organized crime groups operate for financial gain, engaging in ransomware attacks, identity theft, and fraud.
❌ Incorrect Answers:
A. Hacktivist: Hacktivists are ideologically motivated, not financially.
B. Nation-state actor: Nation-state actors conduct cyber espionage, not common cybercrime for profit.
D. Script kiddie: Script kiddies lack organization and mainly conduct attacks for fun or attention.
A whistleblower uncovers a critical security vulnerability in a banking application and publicly reports it to raise awareness. What is the PRIMARY motivation behind this action?
A. War
B. Ethical hacking
C. Blackmail
D. Financial gain
Answer: B. Ethical hacking
✅ Correct: Ethical hackers expose vulnerabilities to help organizations improve security, often with permission.
❌ Incorrect Answers:
A. War: There is no conflict-related motivation.
C. Blackmail: The whistleblower is not demanding ransom or coercing action.
D. Financial gain: The intent is to improve security, not make money.
A network administrator notices an increase in outbound traffic to an unknown domain. Logs reveal that an attacker used a fake recruiter profile to engage with employees via a messaging app, eventually convincing a target to download a ZIP file. The ZIP contained a disguised executable that established a persistent connection to a command-and-control server. Which of the following best describes this attack?
A. Social engineering via an instant messaging attack
B. Removable device attack leveraging an infected file
C. Image-based malware hidden in an email attachment
D. Voice phishing combined with file execution
Answer: A. Social engineering via an instant messaging attack
✅ Correct: The attacker manipulated the employee via a fake recruiter profile on a messaging app, convincing them to download and execute malware.
❌ Incorrect Answers:
B. Removable device attack leveraging an infected file: No USB or external device was involved.
C. Image-based malware hidden in an email attachment: The malware was delivered via instant messaging, not email or images.
D. Voice phishing combined with file execution: The attacker did not use voice-based phishing (vishing).
A hacker exploits an operating system vulnerability that allows them to inject and execute malicious code directly into a running process. The attack successfully modifies the process behavior to escalate privileges and extract sensitive data. Which vulnerability was exploited?
A. Race condition
B. Buffer overflow
C. Memory injection
D. Time-of-use (TOU) vulnerability
Answer: C. Memory injection
✅ Correct: Memory injection attacks involve injecting malicious code into running processes, allowing attackers to modify program execution and escalate privileges.
❌ Incorrect Answers:
A. Race condition: A race condition exploits timing issues, not code injection.
B. Buffer overflow: While both involve memory manipulation, buffer overflow overwrites memory, whereas memory injection modifies running processes.
D. Time-of-use (TOU) vulnerability: TOU vulnerabilities involve delayed enforcement of access control, not code injection.
A penetration tester embeds <script>alert('XSS')</script> into the comments section of a web application. When users view the comments, a popup appears in their browser. Further analysis shows that the malicious script persists even after refreshing the page. What type of vulnerability is being exploited?
A. Reflected Cross-Site Scripting (XSS)
B. Stored/Persistent Cross-Site Scripting (XSS)
C. SQL Injection (SQLi)
D. Virtual Machine Escape
Answer: B. Stored/Persistent Cross-Site Scripting (XSS)
✅ Correct: The malicious script is stored in the web application’s database and executes when any user visits the page, making it a persistent XSS attack.
❌ Incorrect Answers:
A. Reflected XSS: Reflected XSS executes only when the victim's own request carries the script (for example, via a crafted link) and is never stored, whereas this payload persists in the database.
C. SQL Injection: SQLi targets database queries, while XSS targets web browsers.
D. Virtual Machine Escape: This attack does not involve virtualized environments.
A company runs multiple virtual machines (VMs) on a single hypervisor. A penetration test reveals that one compromised VM can access memory from another VM, exposing sensitive credentials. What type of vulnerability is being exploited?
A. Resource Reuse
B. Virtual Machine Escape
C. Firmware Exploitation
D. End-of-Life Hardware
Answer: A. Resource Reuse
✅ Correct: Resource reuse occurs when shared memory or CPU resources allow data from one VM to be accessed by another.
❌ Incorrect Answers:
B. Virtual Machine Escape: VM escape allows an attacker to access the hypervisor, not just shared memory between VMs.
C. Firmware Exploitation: This attack does not involve firmware manipulation.
D. End-of-Life Hardware: The issue exists within VM configurations, not outdated hardware.
A forensic investigation reveals that a malicious script was embedded into an enterprise software update. Once installed, the malware remained dormant for several weeks before executing its payload, which wiped critical system files. What type of malware was used?
A. Logic Bomb
B. Trojan
C. Rootkit
D. Bloatware
Answer: A. Logic Bomb
✅ Correct: A logic bomb remains inactive until predefined conditions are met, such as a specific date or event, and then executes malicious actions, such as deleting files.
❌ Incorrect Answers:
B. Trojan: Trojans masquerade as legitimate software but do not typically delay execution based on a trigger.
C. Rootkit: Rootkits provide persistent access but do not necessarily wipe files based on a time-based condition.
D. Bloatware: Bloatware is unwanted preinstalled software and is not designed to cause harm.
A company’s network experiences a sudden surge in bandwidth usage. Security logs reveal that the infection started on a single system but quickly spread to multiple devices without user interaction. Affected machines exhibit high CPU usage, frequent crashes, and unauthorized outbound network activity. Which type of malware is MOST LIKELY responsible?
A. Trojan
B. Worm
C. Spyware
D. Keylogger
Answer: B. Worm
✅ Correct: The self-propagating nature of the infection, rapid spread without user interaction, and high network traffic usage indicate a worm attack.
❌ Incorrect Answers:
A. Trojan: Trojans require user interaction for installation, but this attack spread automatically.
C. Spyware: Spyware collects information discreetly and does not cause rapid network-wide infections.
D. Keylogger: Keyloggers record keystrokes but do not spread autonomously.
Which of the following attributes best distinguishes a nation-state actor from other threat actors?
A. Use of off-the-shelf exploit kits
B. Limited financial resources
C. High sophistication and access to zero-day vulnerabilities
D. Motivation driven by personal financial gain
Answer: C. High sophistication and access to zero-day vulnerabilities
Explanation: Nation-state actors are highly sophisticated and often have access to zero-day vulnerabilities due to their extensive resources. They are funded by governments and conduct espionage, cyber warfare, and intelligence-gathering operations.
An employee installs a cloud-based file-sharing application on their work computer without company approval to transfer files between personal and work devices. Which term BEST describes this action?
A. Insider threat
B. Shadow IT
C. Hacktivism
D. Organized crime
Answer: B. Shadow IT
✅ Correct: Shadow IT refers to unauthorized use of technology that is not approved by an organization’s IT department, often creating security risks.
❌ Incorrect Answers:
A. Insider threat: Shadow IT is not necessarily malicious, whereas insider threats involve intentional harm or negligence.
C. Hacktivism: There is no political or ideological motivation here.
D. Organized crime: The scenario does not involve financially motivated cybercrime.
A hacktivist group launches a distributed denial-of-service (DDoS) attack against an oil company to protest environmental policies. What is their MOST LIKELY motivation?
A. Revenge
B. Service disruption
C. Financial gain
D. Blackmail
Answer: B. Service disruption
✅ Correct: Hacktivists often use service disruption to draw attention to their cause by taking down websites or services.
❌ Incorrect Answers:
A. Revenge: Hacktivists act on ideology, not personal grievances.
C. Financial gain: Hacktivists usually do not seek monetary profit.
D. Blackmail: No ransom demand or coercion is involved.
A system administrator notices that an unauthorized remote connection was established on a company server. Despite multiple security scans, no malware is detected, and the attacker appears to have full control of the system. Logs indicate that the infection began after an intern installed a driver from an unverified website. Which type of malware is MOST LIKELY responsible?
A. Trojan
B. Rootkit
C. Ransomware
D. Virus
Answer: B. Rootkit
✅ Correct: The key indicators—persistent unauthorized access, root-level (full access) privileges, and undetected malware—suggest the presence of a rootkit, which is designed to evade detection while maintaining privileged access.
❌ Incorrect Answers:
A. Trojan: A Trojan can install a rootkit, but does not inherently maintain root-level persistence.
C. Ransomware: Ransomware encrypts data and demands payment, which was not observed in this scenario.
D. Virus: A virus spreads through execution but does not provide stealthy remote access.
An employee receives an email from an unknown sender claiming to offer a free software download. Upon downloading and installing the software, the system begins to slow down, and multiple unauthorized applications appear in the task manager. The security team identifies a collection of unnecessary applications consuming CPU and memory. What type of unwanted software is MOST LIKELY present?
A. Bloatware
B. Trojan
C. Logic Bomb
D. Spyware
Answer: A. Bloatware
✅ Correct: Bloatware consists of unnecessary applications that degrade system performance by consuming resources.
❌ Incorrect Answers:
B. Trojan: A Trojan is malicious software disguised as legitimate software, but bloatware is typically non-malicious.
C. Logic Bomb: Logic bombs trigger based on specific conditions, whereas bloatware constantly consumes resources.
D. Spyware: Spyware collects user data, while bloatware slows down performance due to excessive resource usage.
A security analyst discovers an unauthorized process running in memory. The process appears to be injecting itself into system files and modifying security configurations to disable endpoint detection. Users report frequent system slowdowns and unexpected crashes. Further investigation reveals that the infection occurred after an employee clicked a suspicious email attachment. Which type of malware is MOST LIKELY responsible?
A. Virus
B. Keylogger
C. Trojan
D. Spyware
Answer: A. Virus
✅ Correct: The key indicators—memory injection, process modification, and infection through an email attachment—suggest a virus that executes and spreads upon user interaction.
❌ Incorrect Answers:
B. Keylogger: Keyloggers do not inject themselves into system processes or disable security tools.
C. Trojan: Trojans disguise themselves as legitimate software, but this attack exhibited characteristics of self-propagation.
D. Spyware: Spyware steals data but does not modify system files.
A company experiences an outage after its web servers become unresponsive. Network logs indicate an extreme spike in inbound traffic from thousands of unique IP addresses, all sending small DNS requests. This traffic overwhelms the servers and disrupts normal operations. What type of attack is occurring?
A. SYN Flood
B. Amplified DDoS Attack
C. Reflected DDoS Attack
D. Credential Replay Attack
Answer: B. Amplified DDoS Attack
✅ Correct: The attack used small DNS queries to generate large response volumes, overwhelming the company’s web servers—a classic amplified DDoS attack.
❌ Incorrect Answers:
A. SYN Flood: SYN floods exploit TCP handshake mechanisms, not DNS traffic.
C. Reflected DDoS Attack: A reflected attack uses spoofed source addresses, whereas this attack amplified request volume.
D. Credential Replay Attack: This attack involved network traffic flooding, not authentication data interception.
During an incident response investigation, a security analyst discovers that employees attempting to access a banking website are redirected to a fraudulent login page. Further analysis shows that the company’s DNS settings were modified without authorization. Which attack technique was MOST LIKELY used?
A. On-Path Attack
B. DNS Poisoning
C. Replay Attack
D. Wireless Deauthentication Attack
Answer: B. DNS Poisoning
✅ Correct: DNS poisoning redirects users to fraudulent websites by tampering with DNS records or caches. In this case, the attacker altered DNS settings to redirect employees to a fake login page.
❌ Incorrect Answers:
A. On-Path Attack: On-path attacks intercept communications but do not modify DNS records.
C. Replay Attack: Replay attacks reuse captured authentication packets; they do not modify DNS settings.
D. Wireless Deauthentication Attack: This attack disconnects users from Wi-Fi, but does not redirect traffic.
A cyber incident response team detects multiple failed login attempts from an internal workstation. The user, a senior executive, denies making these attempts. Upon investigation, it is discovered that a malicious payload was executed after the executive opened an email attachment. The payload exfiltrated stored credentials and attempted to escalate privileges. Which of the following mitigations would have been MOST effective in preventing this attack?
A. Restricting removable media usage
B. Blocking all outbound traffic on port 443
C. Disabling macro execution in email attachments
D. Forcing all email attachments into a sandbox environment
Answer: D. Forcing all email attachments into a sandbox environment
✅ Correct: Sandboxing email attachments allows security teams to analyze and detonate potentially malicious files in an isolated environment before allowing access.
❌ Incorrect Answers:
A. Restricting removable media usage: The attack did not involve USB devices.
B. Blocking all outbound traffic on port 443: While this could disrupt the attack, it would also interfere with legitimate web traffic.
C. Disabling macro execution in email attachments: This would help if the attack used macros, but the payload could have been executed in other ways.
A disgruntled former employee sells intellectual property to a competitor. Which threat actor does this describe?
A. Insider threat
B. Script kiddie
C. Hacktivist
D. Nation-state actor
Answer: A. Insider threat
✅ Correct: An insider threat misuses their access, either for revenge, financial gain, or espionage.
❌ Incorrect Answers:
B. Script kiddie: Script kiddies lack insider access and technical skills.
C. Hacktivist: There is no activist motivation in this scenario.
D. Nation-state actor: Nation-state actors spy for governments, not personal gain.
A criminal syndicate launches a ransomware attack on a hospital, encrypting patient records and demanding a large payment for decryption. What is the MOST LIKELY motivation?
A. Financial gain
B. Revenge
C. Philosophical/political beliefs
D. War
Answer: A. Financial gain
✅ Correct: Ransomware attacks are financially motivated, as criminals seek payments in exchange for decrypting locked data.
❌ Incorrect Answers:
B. Revenge: The attackers are financially motivated rather than acting on personal grievances.
C. Philosophical/political beliefs: The attack lacks ideological intent.
D. War: This is cyber extortion, not an act of war.
An attacker successfully compromises a virtual machine hosted in a cloud environment. They exploit an unpatched hypervisor vulnerability, allowing them to move laterally and access other customer instances. What type of vulnerability is being exploited?
A. Resource Reuse
B. Legacy Platform Attack
C. Virtual Machine Escape
D. Cross-Site Scripting (XSS)
Answer: C. Virtual Machine Escape
✅ Correct: VM escape occurs when an attacker breaches one VM and gains access to other VMs or the underlying hypervisor.
❌ Incorrect Answers:
A. Resource Reuse: Resource reuse allows memory leakage between VMs, but this attack compromised the hypervisor.
B. Legacy Platform Attack: The attack did not target outdated software.
D. Cross-Site Scripting (XSS): XSS targets web applications, not virtualization environments.
A cloud security engineer is reviewing an organization’s Infrastructure-as-a-Service (IaaS) environment and notices that storage buckets containing sensitive data are configured with public access permissions. What security vulnerability does this scenario BEST illustrate?
A. Weak Cryptographic Key Management
B. Supply Chain Attack
C. Cloud Misconfiguration
D. Zero-Day Exploit
Answer: C. Cloud Misconfiguration
✅ Correct: Cloud misconfigurations, such as open storage permissions, are a major security risk that expose sensitive data to unauthorized access.
❌ Incorrect Answers:
A. Weak Cryptographic Key Management: This attack was caused by misconfigured access permissions, not weak key handling.
B. Supply Chain Attack: No third-party compromise was involved.
D. Zero-Day Exploit: This was not an unknown vulnerability, but a security oversight.
An attacker uses an unencrypted public Wi-Fi network to intercept a victim’s online banking login info. The attacker later replays the intercepted authentication request to gain unauthorized access to the victim’s account. Which attack technique was used?
A. Credential Replay Attack
B. Reflected DDoS Attack
C. DNS Poisoning
D. Brute Force Attack
Answer: A. Credential Replay Attack
✅ Correct: Credential replay attacks capture authentication data and use it to impersonate the victim, often bypassing multi-factor authentication if session tokens are replayed.
❌ Incorrect Answers:
B. Reflected DDoS Attack: This attack floods networks with traffic; it does not steal credentials.
C. DNS Poisoning: DNS poisoning redirects users but does not involve authentication data replay.
D. Brute Force Attack: Brute force attacks guess passwords, but this attack used stolen session data.
A company’s IT security team detects unauthorized traffic leaving the corporate network. Investigation reveals that employees unknowingly connected to a rogue Wi-Fi network named “Company_Guest_WiFi.” Attackers captured login credentials and accessed sensitive data by intercepting traffic. Which type of attack was performed?
A. Brute Force Attack
B. DNS Poisoning
C. Wireless Evil Twin Attack
D. Amplified DDoS Attack
Answer: C. Wireless Evil Twin Attack
✅ Correct: An Evil Twin attack sets up a rogue Wi-Fi access point with a deceptive name, tricking users into connecting so attackers can capture network traffic and credentials.
❌ Incorrect Answers:
A. Brute Force Attack: No password guessing occurred.
B. DNS Poisoning: The attacker spoofed a Wi-Fi network, not DNS records.
D. Amplified DDoS Attack: Evil Twin steals data, whereas DDoS floods networks with traffic.
A cybersecurity team detects unauthorized database queries originating from a web application. The attacker manipulates input fields by injecting OR '1'='1' -- in login forms, allowing them to bypass authentication and gain administrative access. Which attack technique is being used?
A. Privilege Escalation
B. SQL Injection (SQLi)
C. Command Injection
D. Cross-Site Request Forgery (CSRF)
Answer: B. SQL Injection (SQLi)
✅ Correct: The attack exploits SQL vulnerabilities in input validation, allowing attackers to manipulate queries to bypass authentication. The OR '1'='1' -- condition always evaluates as true, granting access.
❌ Incorrect Answers:
A. Privilege Escalation: Privilege escalation increases access privileges but does not involve modifying SQL queries.
C. Command Injection: Command injection targets system-level commands, not SQL databases.
D. Cross-Site Request Forgery (CSRF): CSRF exploits trust between users and a website, not database queries.
A penetration tester performs an assessment on a company’s physical security. They successfully gain access to a restricted data center by following an authorized employee inside without scanning their badge. What attack technique was used?
A. RFID Cloning
B. Brute Force Attack
C. Tailgating
D. Environmental Attack
Answer: C. Tailgating
✅ Correct: Tailgating occurs when an unauthorized individual follows an authorized person into a secure area without using proper authentication.
❌ Incorrect Answers:
A. RFID Cloning: No access card duplication was involved.
B. Brute Force Attack: This attack involved social engineering, not forced entry.
D. Environmental Attack: No natural disaster or emergency was exploited.
A security analyst discovers that a vulnerable web application crashes when processing a specially crafted input. Further investigation reveals that the attack caused excessive data to be written to memory, allowing the execution of arbitrary code with elevated privileges. What type of attack is being conducted?
A. Directory Traversal
B. Privilege Escalation
C. Buffer Overflow
D. Injection Attack
Answer: C. Buffer Overflow
✅ Correct: The key indicators are an application crash caused by excessive input, memory corruption, and execution of arbitrary code with elevated privileges.
❌ Incorrect Answers:
A. Directory Traversal: Involves unauthorized access to files/folders, not memory corruption.
B. Privilege Escalation: Occurs after an attacker gains access, but this attack exploits memory first.
D. Injection Attack: Targets data input manipulation, not memory corruption.
A penetration tester modifies a website’s URL parameters to attempt to access restricted directories outside the web root. The tester enters ../../etc/passwd into an input field and successfully retrieves sensitive system files. What type of attack is this?
A. Directory Traversal
B. SQL Injection
C. Cross-Site Request Forgery (CSRF)
D. Privilege Escalation
Answer: A. Directory Traversal
✅ Correct: Directory traversal exploits file system vulnerabilities, allowing attackers to navigate beyond authorized directories using ../ sequences.
❌ Incorrect Answers:
B. SQL Injection: SQL injection targets databases, not file system directories.
C. Cross-Site Request Forgery (CSRF): CSRF tricks users into executing unauthorized actions, not accessing restricted directories.
D. Privilege Escalation: This attack accesses unauthorized directories, but does not elevate system privileges.
A company is notified of a zero-day exploit targeting a virtualization software vendor. The exploit allows attackers to execute code with hypervisor-level privileges from within a guest VM. What is the PRIMARY concern regarding this vulnerability?
A. It allows guest VMs to bypass network segmentation.
B. It enables attackers to inject malicious scripts into web applications.
C. It allows attackers to compromise the hypervisor and access all VMs.
D. It exploits weak authentication mechanisms in legacy platforms.
Answer: C. It allows attackers to compromise the hypervisor and access all VMs.
✅ Correct: A VM escape attack allows an attacker to bypass the hypervisor’s isolation mechanisms, gaining control over all hosted VMs.
❌ Incorrect Answers:
A. It allows guest VMs to bypass network segmentation: While possible, the bigger issue is hypervisor control.
B. It enables attackers to inject malicious scripts into web applications: This describes XSS attacks, not VM exploits.
D. It exploits weak authentication mechanisms in legacy platforms: The attack exploits a zero-day hypervisor vulnerability, not legacy authentication.
A hacker gains unauthorized access to a pharmaceutical company’s research database and sells the data to a rival company. What is the PRIMARY motivation behind this attack?
A. Disruption/Chaos
B. War
C. Data exfiltration
D. Ethical hacking
Answer: C. Data exfiltration
✅ Correct: The attacker is stealing proprietary research, which falls under data exfiltration—taking sensitive information for personal or financial gain.
❌ Incorrect Answers:
A. Disruption/Chaos: This attack is focused on data theft, not random chaos.
B. War: War-related cyberattacks usually target military or national security operations.
D. Ethical hacking: Ethical hackers expose vulnerabilities with permission, not for profit.
An organization’s employees report receiving phone calls from an unknown number claiming to be from the IT help desk. The caller instructs them to reset their credentials via a provided link. Security logs later indicate that some employees followed the instructions, resulting in unauthorized access to internal systems. What type of attack vector was used?
A. Email phishing
B. Voice-based attack (vishing)
C. Instant messaging exploitation
D. File-based attack
Answer: B. Voice-based attack (vishing)
✅ Correct: Vishing involves fraudulent voice calls designed to trick users into divulging sensitive information, such as credentials.
❌ Incorrect Answers:
A. Email phishing: The attack occurred via phone calls, not email.
C. Instant messaging exploitation: The attack did not involve chat-based deception.
D. File-based attack: No malicious file was used in this scenario.
A security team is investigating a data breach in a cloud-based storage environment. Logs indicate that an attacker gained unauthorized access to an administrator’s credentials, which were stored in a plaintext file within the cloud environment. Once inside, the attacker modified security policies, allowing further persistence. Which TWO vulnerabilities contributed MOST to this breach?
A. Supply Chain Compromise
B. Weak Cryptographic Implementation
C. Misconfiguration of Security Policies
D. Zero-Day Exploit
E. Improper Key Management
Answer: C. Misconfiguration of Security Policies and E. Improper Key Management
✅ Correct:
C. Misconfiguration of Security Policies: The attacker modified cloud security settings, indicating that weak default policies or lack of privilege controls allowed further exploitation.
E. Improper Key Management: Storing plaintext credentials in a cloud environment is a severe security risk, allowing attackers to easily obtain administrator access.
❌ Incorrect Answers:
A. Supply Chain Compromise: The attack did not involve third-party vendors or hardware/software tampering.
B. Weak Cryptographic Implementation: The breach was due to exposed credentials, not weak encryption algorithms.
D. Zero-Day Exploit: The attack exploited misconfigurations and weak credential storage, not an unknown vulnerability.
A security team is investigating intermittent network outages. Analysis reveals that attackers have been sending crafted packets to multiple DNS servers while spoofing the source IP to match the target company’s address. The attack causes an overwhelming amount of DNS response traffic directed at the company’s network. Which attack method is being used?
A. On-Path Attack
B. Amplified DDoS Attack
C. Reflected DDoS Attack
D. Replay Attack
Answer: C. Reflected DDoS Attack
✅ Correct: Reflected DDoS attacks send requests with spoofed source addresses so that responses are sent to the victim, overloading their network.
❌ Incorrect Answers:
A. On-Path Attack: This attack exploits DNS reflection, not network interception.
B. Amplified DDoS Attack: Amplified attacks use small requests to trigger large responses, but this attack relies on reflection.
D. Replay Attack: Replay attacks reuse captured authentication packets rather than flooding a network with traffic.
A web application allows users to submit URLs as input. A security audit finds that attackers are embedding malicious URLs into form fields, tricking the application into making unauthorized backend requests to internal services. This allows the attacker to retrieve internal system information. Which attack technique is being used?
A. Server-Side Request Forgery (SSRF)
B. Cross-Site Request Forgery (CSRF)
C. Command Injection
D. Buffer Overflow
Answer: A. Server-Side Request Forgery (SSRF)
✅ Correct: SSRF tricks a server into making unauthorized internal requests on behalf of an attacker by manipulating trusted input fields.
❌ Incorrect Answers:
B. Cross-Site Request Forgery (CSRF): CSRF forces a user to perform unauthorized actions, but this attack targets a server making unauthorized requests.
C. Command Injection: Command injection executes OS commands, but this attack abuses URL-based requests.
D. Buffer Overflow: Buffer overflow overwrites memory, which is unrelated to backend request manipulation.
A company detects unusually high CPU and memory usage on its authentication server. Analysis reveals a high volume of login requests originating from external sources, attempting to authenticate users. The source IP addresses vary significantly. Which attack technique is MOST LIKELY occurring?
A. Brute-Force Attack
B. Password Spraying
C. Resource Consumption Attack
D. Concurrent Session Usage
Answer: C. Resource Consumption Attack
✅ Correct: Resource consumption attacks flood a system with excessive authentication requests, overwhelming CPU and memory resources, leading to degraded system performance.
❌ Incorrect Answers:
A. Brute-Force Attack: Brute-force attacks target passwords, but the question focuses on high system resource usage.
B. Password Spraying: Password spraying is targeted at multiple user accounts, but this attack is resource-based.
D. Concurrent Session Usage: Concurrent sessions involve multiple logins using the same credentials, not excessive system resource use.
A security analyst is investigating an incident where encrypted network communications were compromised. The attacker manipulated the connection handshake process, forcing the application to use a weaker encryption protocol. This allowed them to intercept and decrypt sensitive data. Which of the following BEST describes this attack?
A. Collision Attack
B. Birthday Attack
C. Command Injection
D. Downgrade Attack
Answer: D. Downgrade Attack
✅ Correct: A downgrade attack forces a system to use a weaker, outdated encryption protocol, making it vulnerable to decryption and interception by an attacker.
❌ Incorrect Answers:
A. Collision Attack: Targets hash functions, not encryption protocol negotiation.
B. Birthday Attack: Exploits hashing probability, not encryption downgrade.
C. Command Injection: Alters system commands, not cryptographic protocol enforcement.
A security team detects multiple failed login attempts on an administrator’s account in a short time frame. Further analysis shows that the same IP address is attempting different password combinations for multiple accounts within the organization. Which of the following BEST describes this attack?
A. Password Spraying
B. Brute-Force Attack
C. Out-of-Cycle Logging
D. Concurrent Session Usage
Answer: A. Password Spraying
✅ Correct: Password spraying differs from traditional brute force attacks by trying a single password (or small set of common passwords) across many different accounts, avoiding account lockouts. The pattern of multiple account attempts from the same IP suggests password spraying.
❌ Incorrect Answers:
B. Brute-Force Attack: Brute-force attacks focus on a single account by trying multiple passwords, whereas password spraying targets multiple accounts.
C. Out-of-Cycle Logging: This refers to login attempts occurring at unusual times, not systematic password guessing.
D. Concurrent Session Usage: This occurs when one credential is used in multiple locations at the same time, not failed login attempts.
A system administrator notices that login attempts are being made on a corporate portal using usernames and passwords from a leaked database found on the dark web. The attacker is trying these credentials on multiple accounts across different services. Which attack type is being performed?
A. Brute-Force Attack
B. Credential Replay Attack
C. Password Spraying
D. Resource Inaccessibility Attack
Answer: B. Credential Replay Attack
✅ Correct: Credential replay attacks use previously stolen usernames and passwords from data breaches to attempt unauthorized logins. Attackers assume users reuse passwords across multiple services.
❌ Incorrect Answers:
A. Brute-Force Attack: Brute-force attacks guess passwords, but this attack uses known credentials.
C. Password Spraying: Password spraying uses a few common passwords, but this attack uses known credentials.
D. Resource Inaccessibility Attack: Resource inaccessibility refers to unavailable system resources, not credential misuse.
A cybersecurity team is implementing a security measure to restrict unauthorized access between different parts of the network. This measure ensures that even if an attacker gains control of one system, they are unable to move freely across other systems or sensitive resources.
Which of the following security controls is being applied?
A. Account Lockout Policy
B. Credential Hashing
C. Out-of-Cycle Logging
D. Network Segmentation
✅ Correct Answer: D. Network Segmentation
Network segmentation limits access within a network by dividing it into isolated sections, preventing lateral movement by attackers.
❌ Incorrect Answers:
A. Account Lockout Policy: Prevents password brute-force attacks but does not restrict lateral movement.
B. Credential Hashing: Protects password security but does not limit access between systems.
C. Out-of-Cycle Logging: Detects suspicious login activity but does not prevent network access.
A security researcher discovers that two different plaintext messages result in the same cryptographic hash output. This discovery allows the researcher to craft a fake document that appears identical to the original when hashed. What type of attack was performed?
A. Birthday Attack
B. Collision Attack
C. Privilege Escalation
D. Buffer Overflow
Answer: B. Collision Attack
✅ Correct: A collision attack occurs when two different inputs produce the same hash output, undermining the integrity of cryptographic hash functions.
❌ Incorrect Answers:
A. Birthday Attack: Birthday attacks are related, using the probability of matching hash outputs to find collisions faster than brute force, but the attack described here directly exploits a hash function weakness to produce a collision.
C. Privilege Escalation: Privilege escalation gains unauthorized access, but does not involve cryptographic hashing.
D. Buffer Overflow: Buffer overflow overwrites memory, which is unrelated to hash collisions.
A security team investigates unauthorized database modifications and finds that attackers leveraged an input field vulnerability to modify stored SQL queries. What mitigation technique would have BEST prevented this attack?
A. Enforcing strict input validation and prepared statements
B. Implementing a web application firewall (WAF)
C. Encrypting database records with AES-256
D. Using an intrusion detection system (IDS) for SQL queries
Answer: A. Enforcing strict input validation and prepared statements
✅ Correct: Prepared statements separate the SQL query structure from user-supplied values, so input is treated as data rather than executable SQL; combined with strict input validation, this prevents SQL injection attacks from executing malicious queries.
❌ Incorrect Answers:
B. Implementing a web application firewall (WAF): WAFs help detect but may not fully prevent SQLi attacks.
C. Encrypting database records with AES-256: Encryption protects stored data but does not prevent SQL injection exploits.
D. Using an IDS for SQL queries: IDS detects but does not prevent SQL injection attacks.
A nation-state cyber operation is detected targeting a defense contractor. The attackers attempt to steal classified blueprints for military equipment. What is the MOST likely motivation for this attack?
A. Financial gain
B. Service disruption
C. Revenge
D. Espionage
Answer: D. Espionage
✅ Correct: Espionage involves stealing secret or confidential data, often for a competing nation-state or corporate entity. In this case, the attackers are seeking classified military data.
❌ Incorrect Answers:
A. Financial gain: Financial motivation is typical for cybercriminals or ransomware operators, not nation-state espionage.
B. Service disruption: While service disruption is a possible goal, stealing classified blueprints aligns more with espionage than short-term disruption.
C. Revenge: Revenge attacks are usually carried out by disgruntled employees or hacktivists, not nation-state actors.
Security logs show an unauthorized attempt to access a corporate network via an unknown external device. Upon investigation, analysts find that an infected USB drive was inserted into a workstation, triggering an automatic script execution. The script attempted to exfiltrate local files and escalate privileges. Which of the following security measures would have been the BEST defense against this attack?
A. Application whitelisting
B. Disabling AutoRun and AutoPlay
C. Enforcing multi-factor authentication (MFA)
D. Implementing a host-based intrusion detection system (HIDS)
Answer: B. Disabling AutoRun and AutoPlay
✅ Correct: AutoRun and AutoPlay automatically execute scripts when a USB device is inserted. Disabling these features prevents the malicious script from executing automatically.
❌ Incorrect Answers:
A. Application whitelisting: This helps control executable applications but does not prevent USB AutoRun exploits.
C. Enforcing multi-factor authentication (MFA): MFA secures user logins but does not prevent USB-based attacks.
D. Implementing a host-based intrusion detection system (HIDS): HIDS detects attacks but does not prevent execution of malicious scripts.
A cybersecurity team detects unusual network activity where encrypted packets are being intercepted and resent multiple times. The attack delays legitimate traffic, and some packets are misdirected. Which attack technique is being used?
A. On-Path Attack
B. Brute Force Attack
C. Replay Attack
D. RFID Cloning
Answer: C. Replay Attack
✅ Correct: Replay attacks involve intercepting and retransmitting packets to delay, misdirect, or exploit network communications.
❌ Incorrect Answers:
A. On-Path Attack: This attack intercepts and alters packets, whereas replay attacks resend unaltered packets.
B. Brute Force Attack: Brute force attempts password cracking, whereas this attack focuses on network packets.
D. RFID Cloning: RFID cloning duplicates access credentials; it does not intercept network traffic.
A security team detects an attack where an attacker forces users to execute unintended actions on a banking website without their consent. Victims are tricked into clicking a hidden button that transfers money from their accounts. The attack exploits an active user session without requiring authentication. What type of attack is occurring?
A. Cross-Site Request Forgery (CSRF)
B. Cross-Site Scripting (XSS)
C. Server-Side Request Forgery (SSRF)
D. Privilege Escalation
Answer: A. Cross-Site Request Forgery (CSRF)
✅ Correct: CSRF exploits a user’s authenticated session to execute unauthorized transactions by tricking them into performing actions without their consent.
❌ Incorrect Answers:
B. Cross-Site Scripting (XSS): XSS injects malicious scripts, but CSRF executes unintended actions.
C. Server-Side Request Forgery (SSRF): SSRF tricks a server into making unauthorized requests, not users performing unintended actions.
D. Privilege Escalation: Privilege escalation gains higher access rights, but CSRF exploits session authentication.
An administrator notices multiple employees reporting that they are locked out of their accounts. Upon investigation, it is discovered that an attacker attempted thousands of password variations on a handful of accounts, triggering security lockouts. What type of attack is the attacker MOST LIKELY performing?
A. Password Spraying
B. Brute-Force Attack
C. Resource Consumption Attack
D. Credential Replay Attack
Answer: B. Brute-Force Attack
✅ Correct: Brute-force attacks repeatedly attempt different passwords on the same account until the correct one is found. The excessive failed login attempts triggered an account lockout mechanism.
❌ Incorrect Answers:
A. Password Spraying: Password spraying targets multiple accounts with a small set of passwords to avoid lockouts.
C. Resource Consumption Attack: This describes overuse of system resources, not credential guessing.
D. Credential Replay Attack: A credential replay attack reuses stolen credentials, rather than guessing passwords.
A network administrator configures a router to allow only approved traffic based on IP addresses, port numbers, and protocols. This is done to restrict access to sensitive resources. What security control is being applied?
A. Access Control List (ACL)
B. Decommissioning
C. Host-Based Firewall
D. Patching
Answer: A. Access Control List (ACL)
✅ Correct: An ACL defines rules that filter and control traffic based on IP addresses, ports, and protocols at the network level.
❌ Incorrect Answers:
B. Decommissioning: Involves removing systems from use, not traffic filtering.
C. Host-Based Firewall: Protects individual hosts, whereas ACLs filter network traffic on routers or firewalls.
D. Patching: Fixes software vulnerabilities, but does not control traffic flow.
A cybersecurity team detects a malware infection on a corporate workstation. To prevent the infection from spreading, the security analyst removes the workstation from the network entirely. Which mitigation technique is being applied?
A. Quarantine
B. Hardening
C. Isolation
D. Monitoring
Answer: C. Isolation
✅ Correct: Isolation completely removes an infected system from the network to prevent further spread.
❌ Incorrect Answers:
A. Quarantine: A quarantine is temporary separation for further analysis, but isolation is more restrictive.
B. Hardening: Hardening prevents vulnerabilities but is not a response action.
D. Monitoring: Monitoring detects threats, but does not actively remove infected systems.
A security team is hardening new employee laptops before deployment. They implement the following actions:
Remove all unnecessary preinstalled software
Disable unused ports and protocols
Change all default passwords
Which of the following security practices are being applied?
A. Encryption & ACLs
B. Endpoint Protection & Segmentation
C. Hardening & Configuration Enforcement
D. Monitoring & Least Privilege
Answer: C. Hardening & Configuration Enforcement
✅ Correct: These proactive security measures align with hardening (removing vulnerabilities) and configuration enforcement (ensuring settings comply with policy).
❌ Incorrect Answers:
A. Encryption & ACLs: Encryption secures data, and ACLs control traffic, but neither applies directly to endpoint hardening.
B. Endpoint Protection & Segmentation: Segmentation isolates network segments; it does not harden individual devices.
D. Monitoring & Least Privilege: Monitoring detects issues, but does not configure endpoints.
A system administrator deploys a security measure that blocks unauthorized applications, prevents unapproved software installations, and enforces firewall settings across all workstations. What security control is being enforced?
A. Host-Based Intrusion Prevention System (HIPS)
B. Decommissioning
C. Least Privilege
D. Configuration Enforcement
Answer: D. Configuration Enforcement
✅ Correct: Configuration enforcement ensures security policies are properly applied and maintained across systems.
❌ Incorrect Answers:
A. Host-Based Intrusion Prevention System (HIPS): Detects and blocks threats, but does not enforce security settings.
B. Decommissioning: Involves removing systems from service, not enforcing settings.
C. Least Privilege: Controls user permissions, but does not enforce application/firewall settings.