- Which of the following is a type of malware that requires user interaction to activate and replicate, often disguised as legitimate software?
- Rootkit
- Worm
- Trojan
- Ransomware
Correct answer: Trojan
Correct answer: Trojan. Explanation: A Trojan is a type of malware that is often disguised as legitimate software. Unlike viruses and worms, Trojans require user interaction to activate and replicate, tricking users into executing them under the guise of a harmless program.
- In cybersecurity, what is a 'honeypot' primarily used for?
- Filtering spam emails
- Encrypting data
- Detecting and analyzing attacks
- Accelerating network traffic
Correct answer: Detecting and analyzing attacks
Correct answer: Detecting and analyzing attacks. Explanation: A honeypot in cybersecurity is a decoy system or network set up to attract potential attackers. It is used to detect, deflect, or study hacking attempts, thereby gaining insight into the methods used by attackers.
- Which type of attack involves flooding a target system with traffic to exhaust resources and bandwidth, rendering the system unresponsive?
- Phishing attack
- SQL injection
- Man-in-the-middle attack
- Distributed Denial of Service (DDoS)
Correct answer: Distributed Denial of Service (DDoS)
Correct answer: Distributed Denial of Service (DDoS). Explanation: A Distributed Denial of Service (DDoS) attack involves overwhelming a target system, server, or network with a flood of Internet traffic, thereby exhausting its resources and bandwidth. This results in the system becoming unresponsive to legitimate traffic.
- What is the primary purpose of a 'zero-day' exploit in cybersecurity?
- To target known software vulnerabilities
- To exploit vulnerabilities before they are known to the vendor
- To create backups of critical data
- To encrypt data for ransom
Correct answer: To exploit vulnerabilities before they are known to the vendor
Correct answer: To exploit vulnerabilities before they are known to the vendor. Explanation: A zero-day exploit is a cyber attack that occurs on the same day a weakness is discovered in software, before the software vendor has become aware of it. Because the vendor has not had time to issue a patch, the vulnerability is open to exploitation.
- In the context of cybersecurity, what is 'social engineering'?
- Physically breaking into a secure area
- Using technical skills to breach defenses
- Manipulating individuals into revealing confidential information
- Writing malware to exploit system vulnerabilities
Correct answer: Manipulating individuals into revealing confidential information
Correct answer: Manipulating individuals into revealing confidential information. Explanation: Social engineering in cybersecurity refers to the psychological manipulation of people into performing actions or divulging confidential information. It's a type of confidence trick for the purpose of information gathering, fraud, or system access.
- What type of cyber attack involves intercepting and altering communications between two parties without their knowledge?
- Phishing attack
- Man-in-the-Middle (MitM) attack
- Distributed Denial of Service (DDoS) attack
- SQL Injection
Correct answer: Man-in-the-Middle (MitM) attack
Correct answer: Man-in-the-Middle (MitM) attack. Explanation: A Man-in-the-Middle (MitM) attack is a form of eavesdropping where the attacker secretly intercepts and relays, and possibly alters, the communication between two parties who believe they are directly communicating with each other.
- Which type of attack is characterized by the insertion or "injection" of a SQL query via the input data from the client to the application?
- Cross-Site Scripting (XSS)
- SQL Injection
- Buffer Overflow
- Cross-Site Request Forgery (CSRF)
Correct answer: SQL Injection
Correct answer: SQL Injection. Explanation: A SQL Injection attack occurs when an attacker is able to insert a malicious SQL statement into a SQL query through client input data. This can lead to unauthorized access to database information and manipulation of database data.
- What is a 'buffer overflow' attack in the context of cybersecurity?
- An attack that floods a network buffer with traffic
- An attack that overwrites a program's memory buffer
- An attack targeting web application forms
- An attack using large volumes of spam email
Correct answer: An attack that overwrites a program's memory buffer
Correct answer: An attack that overwrites a program's memory buffer. Explanation: A buffer overflow attack occurs when a program writing data to a buffer overruns the buffer's boundary and overwrites adjacent memory locations. This can be exploited to execute arbitrary code or to cause a crash.
- In cybersecurity, what does 'phishing' primarily refer to?
- Disrupting network services
- Stealing sensitive data through a physical medium
- Deceiving individuals into revealing personal information via electronic communication
- Attacking the physical infrastructure of a network
Correct answer: Deceiving individuals into revealing personal information via electronic communication
Correct answer: Deceiving individuals into revealing personal information via electronic communication. Explanation: Phishing is a cybercrime in which targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
- Which type of cybersecurity attack involves exploiting vulnerabilities in web applications by sending malicious scripts to end users?
- Cross-Site Scripting (XSS)
- Trojan Horse
- Rootkit
- Ransomware
Correct answer: Cross-Site Scripting (XSS)
Correct answer: Cross-Site Scripting (XSS). Explanation: Cross-Site Scripting (XSS) is a security vulnerability typically found in web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users, often to bypass access controls or steal information.
- What kind of attack involves the unauthorized interception and retransmission of a valid data transmission, often to bypass authentication processes?
- Replay attack
- Phishing attack
- SQL Injection
- Buffer overflow
Correct answer: Replay attack
Correct answer: Replay attack. Explanation: A replay attack is a network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is often done to perform unauthorized actions in a system that uses authentication sequences.
- In cybersecurity, what is 'vishing'?
- Sending fraudulent emails to obtain sensitive information
- Voice phishing, using the telephone system to obtain sensitive information
- Infecting a system with a virus
- Physically stealing data
Correct answer: Voice phishing, using the telephone system to obtain sensitive information
Correct answer: Voice phishing, using the telephone system to obtain sensitive information. Explanation: Vishing, or voice phishing, involves the use of the telephone system to trick individuals into revealing sensitive information, such as credit card numbers or account passwords. It's a form of social engineering attack.
- Which type of cybersecurity threat involves exploiting a flaw in software before a patch or solution is implemented?
- Zero-day attack
- Phishing
- DDoS
- SQL Injection
Correct answer: Zero-day attack
Correct answer: Zero-day attack. Explanation: A zero-day attack exploits a potentially serious software security flaw that the vendor or developer may be unaware of. The term "zero-day" refers to the fact that the developers have zero days to fix the problem that has just been exposed.
- What is the main difference between a virus and a worm in the context of cybersecurity threats?
- A virus requires user action to spread, while a worm spreads automatically.
- A worm requires user action to spread, while a virus spreads automatically.
- A virus steals data, while a worm corrupts files.
- A worm steals data, while a virus corrupts files.
Correct answer: A virus requires user action to spread, while a worm spreads automatically.
Correct answer: A virus requires user action to spread, while a worm spreads automatically. Explanation: In cybersecurity, a virus is a type of malware that requires some form of user action to propagate, such as opening a file or running a program. A worm, on the other hand, can spread itself automatically without human interaction.
- Which cybersecurity term describes a small piece of data used to identify and authenticate a user's session?
- Cookie
- Token
- Signature
- Certificate
Correct answer: Token
Correct answer: Token. Explanation: A token in cybersecurity is a piece of data that is used to identify and authenticate a user's session. It's often used in various authentication and authorization processes to maintain secure access.
- What is the primary purpose of 'watering hole' attacks in cybersecurity?
- To infect a widely used resource to target a specific group of users
- To encrypt a victim's files and demand a ransom
- To gain unauthorized access to financial information
- To create a botnet for launching DDoS attacks
Correct answer: To infect a widely used resource to target a specific group of users
Correct answer: To infect a widely used resource to target a specific group of users. Explanation: A 'watering hole' attack is a security exploit in which the attacker seeks to compromise a specific group of users by infecting websites that members of the group are known to visit. The goal is to infect a targeted user's computer and gain access to the network at the target's workplace.
- In the context of cybersecurity, what is 'spear phishing'?
- A broad attempt to trick people into revealing sensitive information
- A highly targeted attempt to trick a specific individual or organization
- Distributing malware through email attachments
- Hacking into a website to steal user data
Correct answer: A highly targeted attempt to trick a specific individual or organization
Correct answer: A highly targeted attempt to trick a specific individual or organization. Explanation: Spear phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim, often for malicious reasons. It's more targeted than regular phishing and often appears to come from a trusted source.
- What type of cyber attack uses multiple compromised systems to target a single system, causing a Denial of Service (DoS)?
- Phishing
- SQL Injection
- Distributed Denial of Service (DDoS)
- Cross-Site Scripting (XSS)
Correct answer: Distributed Denial of Service (DDoS)
Correct answer: Distributed Denial of Service (DDoS). Explanation: A Distributed Denial of Service (DDoS) attack involves multiple compromised computer systems attacking a target, such as a server, website, or other network resource, causing a Denial of Service (DoS).
- Which type of attack involves an attacker relaying messages between two parties, making them believe they are talking directly to each other?
- Phishing
- Man-in-the-Middle (MitM)
- Trojan Horse
- Ransomware
Correct answer: Man-in-the-Middle (MitM)
Correct answer: Man-in-the-Middle (MitM). Explanation: A Man-in-the-Middle (MitM) attack is where an attacker secretly intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other. This type of attack can happen in many different communication methods.
- In cybersecurity, what does 'ransomware' do?
- Encrypts data and demands payment for the decryption key
- Steals personal information for identity theft
- Hijacks web browsers to display unwanted ads
- Sends spam emails from the infected computer
Correct answer: Encrypts data and demands payment for the decryption key
Correct answer: Encrypts data and demands payment for the decryption key. Explanation: Ransomware is a type of malicious software that encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. Victims are often threatened with permanent data loss if the ransom is not paid.
- What is the main goal of a 'rootkit' in terms of cybersecurity threats?
- To encrypt the user's data for ransom
- To gain unauthorized access and control over a computer system
- To send out large volumes of spam
- To delete critical system files
Correct answer: To gain unauthorized access and control over a computer system
Correct answer: To gain unauthorized access and control over a computer system. Explanation: A rootkit is a type of malicious software that is designed to gain unauthorized root or administrative access to a computer system without being detected. Rootkits can hide their existence or the existence of other malware.
- What is the primary purpose of a HIDS (Host-based Intrusion Detection System)?
- To monitor and analyze the internals of a computing system
- To manage network firewalls
- To encrypt data transmissions
- To provide a VPN tunnel for remote connections
Correct answer: To monitor and analyze the internals of a computing system
Correct answer: To monitor and analyze the internals of a computing system. Explanation: A Host-based Intrusion Detection System (HIDS) is designed to monitor and analyze the internals of a computing system and the network packets on its network interfaces. HIDS can detect malicious activity on the host where it's installed.
- In cybersecurity, what is the primary function of a SIEM (Security Information and Event Management) system?
- Filtering spam emails
- Providing secure remote access
- Real-time analysis of security alerts
- Encrypting data at rest
Correct answer: Real-time analysis of security alerts
Correct answer: Real-time analysis of security alerts. Explanation: SIEM (Security Information and Event Management) systems provide real-time analysis of security alerts generated by applications and network hardware. They are used for log aggregation, event correlation, alerting, and reporting.
- Which technology is most effective for preventing data leakage via email?
- Firewall
- DLP (Data Loss Prevention)
- Antivirus software
- VPN
Correct answer: DLP (Data Loss Prevention)
Correct answer: DLP (Data Loss Prevention). Explanation: Data Loss Prevention (DLP) technologies are specifically designed to prevent data breaches by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage).
- What is the primary purpose of using a WAF (Web Application Firewall)?
- To filter and monitor HTTP/HTTPS traffic to and from a web application
- To provide end-to-end encryption for web traffic
- To manage network bandwidth
- To detect network intrusions
Correct answer: To filter and monitor HTTP/HTTPS traffic to and from a web application
Correct answer: To filter and monitor HTTP/HTTPS traffic to and from a web application. Explanation: A Web Application Firewall (WAF) is designed to filter, monitor, and block HTTP/HTTPS traffic to and from a web application to protect web applications by controlling and monitoring the data that passes through.
- In the context of network security, what is the main function of an IPS (Intrusion Prevention System)?
- To detect and prevent known vulnerabilities
- To provide a secure tunnel for data transmission
- To encrypt data in transit
- To analyze network traffic for performance issues
Correct answer: To detect and prevent known vulnerabilities
Correct answer: To detect and prevent known vulnerabilities. Explanation: An Intrusion Prevention System (IPS) is designed to detect and prevent known vulnerabilities in network traffic. It actively analyzes the traffic and can take immediate action, such as blocking traffic, to prevent potential security breaches.
- Which tool is primarily used for vulnerability scanning in a network?
Correct answer: Nessus
Correct answer: Nessus. Explanation: Nessus is a widely used tool for vulnerability scanning. It helps in identifying vulnerabilities, misconfigurations, and other security weaknesses in network devices and hosts.
- What is the primary purpose of the tcpdump tool in network security?
- Monitoring network traffic for analysis
- Managing firewall rules
- Performing active intrusion prevention
- Encrypting data transmissions
Correct answer: Monitoring network traffic for analysis
Correct answer: Monitoring network traffic for analysis. Explanation: tcpdump is a command-line packet analyzer tool used for network monitoring and data acquisition. It allows users to capture and display TCP/IP and other packets being transmitted or received over the network to which the host is connected.
- Which of the following is a primary use case for a protocol analyzer in network security?
- Blocking malicious network traffic
- Analyzing and debugging communication protocols
- Encrypting data packets
- Providing secure remote access
Correct answer: Analyzing and debugging communication protocols
Correct answer: Analyzing and debugging communication protocols. Explanation: Protocol analyzers, like Wireshark, are used for capturing and analyzing network packets. They help in understanding network protocols, diagnosing network problems, and identifying security vulnerabilities in the communication protocols.
- What is the primary security function of a UTM (Unified Threat Management) appliance?
- Providing a single platform for multiple security functions
- Offering a secure VPN service
- Encrypting data on a hard disk
- Analyzing user behavior for anomaly detection
Correct answer: Providing a single platform for multiple security functions
Correct answer: Providing a single platform for multiple security functions. Explanation: A Unified Threat Management (UTM) appliance is a security device that combines multiple security functions into a single platform. This includes firewall, antivirus, intrusion prevention, and content filtering, simplifying security management and improving efficiency.
- Which security technology is primarily used to inspect SSL/TLS encrypted traffic at the perimeter of a network?
- Deep Packet Inspection (DPI)
- SSL/TLS Accelerator
- Intrusion Detection System (IDS)
- SSL/TLS Interception Proxy
Correct answer: SSL/TLS Interception Proxy
Correct answer: SSL/TLS Interception Proxy. Explanation: An SSL/TLS Interception Proxy is used to inspect encrypted SSL/TLS traffic. By acting as an intermediary between clients and servers, it decrypts, analyzes, and re-encrypts traffic, enabling the inspection of encrypted content for security purposes.
- What is the main function of a CASB (Cloud Access Security Broker)?
- To encrypt data stored in the cloud
- To provide direct network access to cloud services
- To enforce security policies between cloud users and cloud applications
- To monitor the physical security of cloud data centers
Correct answer: To enforce security policies between cloud users and cloud applications
Correct answer: To enforce security policies between cloud users and cloud applications. Explanation: A CASB (Cloud Access Security Broker) acts as a gatekeeper, allowing organizations to extend their security policies beyond their own infrastructure. It enforces security policies between cloud service users and cloud applications, managing access and ensuring security compliance.
- In network security, what is the primary purpose of using a honeypot?
- To serve as a decoy to detect, deflect, or study hacking attempts
- To encrypt data transmissions
- To increase network bandwidth efficiency
- To serve as a primary firewall
Correct answer: To serve as a decoy to detect, deflect, or study hacking attempts
Correct answer: To serve as a decoy to detect, deflect, or study hacking attempts. Explanation: A honeypot in network security is a system designed to mimic likely targets of cyberattacks. It acts as a decoy to lure attackers, allowing security professionals to study attack methods and to divert attacks from actual targets.
- Which technology is essential for securing a network against Zero Day exploits?
- Antivirus software with signature-based detection
- Network-based firewall
- Behavior-based threat detection system
- Static code analysis tools
Correct answer: Behavior-based threat detection system
Correct answer: Behavior-based threat detection system. Explanation: Behavior-based threat detection systems are essential for identifying and mitigating Zero Day exploits. Unlike signature-based systems, they do not rely on known threat signatures but on analyzing behavior patterns, enabling them to detect previously unknown threats.
- In the context of digital forensics, what is the main purpose of a write blocker?
- To prevent the deletion of data during an investigation
- To encrypt sensitive data on a hard drive
- To prevent any alterations to the data on a storage device
- To increase the speed of data recovery
Correct answer: To prevent any alterations to the data on a storage device
Correct answer: To prevent any alterations to the data on a storage device. Explanation: A write blocker is a device or software used in digital forensics to ensure that the data on a storage device is not altered in any way during the investigation process. It allows read-only access, preserving the integrity of the evidence.
- What is the primary purpose of a Network Access Control NAC system?
- To manage the distribution of IP addresses
- To control access to network resources based on policies
- To encrypt data traffic on a network
- To monitor network traffic for performance issues
Correct answer: To control access to network resources based on policies
Correct answer: To control access to network resources based on policies. Explanation: Network Access Control NAC systems are used to control access to network resources based on predefined security policies. They assess and enforce policy compliance on devices attempting to access the network, ensuring secure and restricted access.
- Which tool is used in cybersecurity to simulate attacks on a system or network to identify vulnerabilities?
- Protocol analyzer
- Vulnerability scanner
- Penetration testing tool
- Antivirus software
Correct answer: Penetration testing tool
Correct answer: Penetration testing tool. Explanation: Penetration testing tools are used to simulate cyberattacks on systems, networks, or applications to identify and exploit security vulnerabilities. They help in assessing the effectiveness of security measures.
- In cybersecurity, what is the primary function of a Next-Generation Firewall (NGFW)?
- To filter spam from email
- To provide VPN services for remote users
- To integrate intrusion prevention with traditional firewall capabilities
- To manage wireless network security
Correct answer: To integrate intrusion prevention with traditional firewall capabilities
Correct answer: To integrate intrusion prevention with traditional firewall capabilities. Explanation: A Next-Generation Firewall (NGFW) goes beyond traditional firewall functions by integrating intrusion prevention systems (IPS) with other advanced features like application awareness and control, SSL inspection, and more.
- What is the primary use of a Security Assertion Markup Language (SAML)?
- To encrypt email communications
- To facilitate Single Sign-On (SSO) for web applications
- To scan for vulnerabilities in software
- To filter network traffic
Correct answer: To facilitate Single Sign-On (SSO) for web applications
Correct answer: To facilitate Single Sign-On (SSO) for web applications. Explanation: Security Assertion Markup Language (SAML) is an open standard that allows identity providers to pass authorization credentials to service providers. Its primary use is to enable Single Sign-On (SSO) for web applications, simplifying the authentication process for users.
- In network security, what is the main function of an IDS (Intrusion Detection System)?
- To block malicious network traffic
- To monitor network traffic and alert on suspicious activities
- To encrypt data traffic
- To provide a secure user authentication mechanism
Correct answer: To monitor network traffic and alert on suspicious activities
Correct answer: To monitor network traffic and alert on suspicious activities. Explanation: An Intrusion Detection System (IDS) monitors network or system activities for malicious activities or policy violations and produces reports to a management station. It serves as a critical component in identifying potential security breaches.
- Which technology is primarily used for securing wireless networks?
Correct answer: WPA2
Correct answer: WPA2. Explanation: WPA2 (Wi-Fi Protected Access 2) is a security protocol and security certification program developed by the Wi-Fi Alliance to secure wireless computer networks. It is widely used for providing security in wireless network communications.
- In the context of secure network design, what is the primary purpose of a Demilitarized Zone (DMZ)?
- To isolate internal network services from the external network
- To encrypt data transmission across networks
- To provide a backup for network services
- To serve as the primary storage for sensitive data
Correct answer: To isolate internal network services from the external network
Correct answer: To isolate internal network services from the external network. Explanation: A Demilitarized Zone (DMZ) in network architecture is used to add an additional layer of security to an organization's local area network (LAN). It isolates internal network services from the external network (usually the internet), allowing external traffic to access only what is exposed in the DMZ, thus adding protection to the internal network.
- Which of the following is a security concept that ensures that data is only modified by authorized users and in authorized ways?
- Confidentiality
- Integrity
- Availability
- Non-repudiation
Correct answer: Integrity
Correct answer: Integrity. Explanation: Integrity, in the context of information security, refers to the assurance that data can only be accessed and modified by those authorized to do so. It ensures that information is reliable and accurate and has not been tampered with or altered by unauthorized individuals.
- What is the primary function of a network-based Intrusion Detection System (NIDS)?
- To encrypt network traffic
- To filter malicious network traffic
- To detect and alert on potential network security breaches
- To serve as a primary firewall
Correct answer: To detect and alert on potential network security breaches
Correct answer: To detect and alert on potential network security breaches. Explanation: A network-based Intrusion Detection System (NIDS) monitors network traffic for suspicious activity and alerts network administrators of potential security breaches. Its primary role is to detect rather than prevent intrusion attempts.
- In a security context, what is the main purpose of employing a honeypot in a network?
- To serve as the main firewall
- To attract and analyze potential attacks
- To encrypt sensitive data
- To provide redundancy for data storage
Correct answer: To attract and analyze potential attacks
Correct answer: To attract and analyze potential attacks. Explanation: A honeypot in network security is a system intended to mimic likely targets of cyberattacks. It serves to attract and analyze potential attacks, helping security professionals to understand threats and how to better protect against them.
- Which security principle is primarily concerned with minimizing the amount of damage that can be done in the event of a security breach?
- Risk Management
- Least Privilege
- Defense in Depth
- Segmentation
Correct answer: Least Privilege
Correct answer: Least Privilege. Explanation: The principle of Least Privilege is about limiting access rights for users, accounts, and computing processes to only those resources absolutely required to perform their tasks. This minimizes potential damage from accidents, errors, or unauthorized use.
- What is the primary purpose of Data Loss Prevention (DLP) technology?
- To encrypt data transmissions
- To detect and prevent data breaches/exfiltration
- To provide a secure data backup
- To monitor network performance
Correct answer: To detect and prevent data breaches/exfiltration
Correct answer: To detect and prevent data breaches/exfiltration. Explanation: Data Loss Prevention (DLP) technologies are designed to detect potential data breach/data exfiltration transmissions and prevent them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest.
- In cloud computing, what is the primary security concern of a Multi-Tenancy environment?
- Data redundancy
- Increased network traffic
- Data isolation
- Resource allocation
Correct answer: Data isolation
Correct answer: Data isolation. Explanation: In a multi-tenancy cloud environment, where multiple customers (tenants) share the same resources, the primary security concern is data isolation. Ensuring that each tenant's data is isolated and cannot be accessed by others is crucial for maintaining confidentiality and integrity.
- What is the main purpose of using a Security Information and Event Management (SIEM) system?
- To manage network devices
- To encrypt data storage
- To analyze and aggregate security logs and alerts
- To serve as a primary firewall
Correct answer: To analyze and aggregate security logs and alerts
Correct answer: To analyze and aggregate security logs and alerts. Explanation: A Security Information and Event Management (SIEM) system is primarily used for real-time analysis and aggregation of security alerts generated by applications and network hardware. It helps in identifying and responding to security incidents and threats.
- Which of the following best describes the concept of 'Zero Trust' in network security?
- Trusting no external systems
- Never changing security protocols
- Not requiring authentication for internal systems
- Verifying everything, regardless of location
Correct answer: Verifying everything, regardless of location
Correct answer: Verifying everything, regardless of location. Explanation: The 'Zero Trust' model in network security is based on the principle of not trusting anything inside or outside the network perimeter and verifying everything trying to connect to its systems before granting access.
- In the context of virtualization security, what is the main purpose of a hypervisor?
- To act as a firewall for virtual machines
- To manage and create virtual machines
- To encrypt virtual machine data
- To monitor network traffic for virtual machines
Correct answer: To manage and create virtual machines
Correct answer: To manage and create virtual machines. Explanation: A hypervisor in virtualization technology is a piece of software, firmware, or hardware that creates and runs virtual machines (VMs). It allows multiple VMs to share a single hardware host, with each VM having its own virtual environment, including a virtual operating system.
- In Secure Software Development Life Cycle SDLC models, which phase primarily focuses on defining security requirements and goals?
- Implementation
- Design
- Deployment
- Planning
Correct answer: Planning
Correct answer: Planning. Explanation: In the Secure SDLC process, the Planning phase is where security requirements and goals are defined. This phase is crucial for setting the foundation for security measures and considerations to be integrated throughout the development lifecycle.
- What is the primary security function of a WAF (Web Application Firewall)?
- To encrypt web traffic
- To monitor network bandwidth
- To protect web applications by filtering and monitoring HTTP traffic
- To act as a reverse proxy
Correct answer: To protect web applications by filtering and monitoring HTTP traffic
Correct answer: To protect web applications by filtering and monitoring HTTP traffic. Explanation: A Web Application Firewall (WAF) is specifically designed to protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as SQL injection, cross-site scripting (XSS), file inclusion, and others.
- In the context of cloud computing, what is the main purpose of a Cloud Access Security Broker CASB?
- To provide additional network bandwidth
- To manage virtual machine deployments
- To act as an intermediary for security policy enforcement
- To encrypt data stored in the cloud
Correct answer: To act as an intermediary for security policy enforcement
Correct answer: To act as an intermediary for security policy enforcement. Explanation: A Cloud Access Security Broker CASB acts as an intermediary between cloud service users and cloud service providers. It enforces security policies, compliance, and best practices for security in cloud environments.
- What is the primary function of Secure Sockets Layer (SSL) / Transport Layer Security (TLS) in network security?
- To manage user access to network resources
- To provide secure, encrypted communications over a computer network
- To serve as a primary firewall
- To monitor network traffic
Correct answer: To provide secure, encrypted communications over a computer network
Correct answer: To provide secure, encrypted communications over a computer network. Explanation: SSL/TLS protocols are primarily used to provide secure, encrypted communications over a computer network, such as the Internet. They are most commonly used for securing data transfer, browsing, email, and voice-over-IP (VoIP).
- In cybersecurity, what is the primary purpose of employing containerization?
- To encrypt data transmissions
- To provide physical security for servers
- To isolate applications for security and dependency management
- To monitor system performance
Correct answer: To isolate applications for security and dependency management
Correct answer: To isolate applications for security and dependency management. Explanation: Containerization in cybersecurity is primarily used to isolate applications. Containers provide an isolated environment for running applications, improving security by isolating the application's runtime and dependencies from the underlying system and other applications.
- Which of the following best describes the concept of defense in depth in network security?
- Implementing multiple layers of security controls throughout an IT system
- Using a single, robust security measure to protect all network assets
- Focusing exclusively on perimeter security
- Concentrating security efforts on internal threats
Correct answer: Implementing multiple layers of security controls throughout an IT system
Correct answer: Implementing multiple layers of security controls throughout an IT system. Explanation: Defense in depth is a layered approach to security which involves implementing multiple layers of defense (administrative, technical, physical) at different points throughout an IT system. It aims to provide a comprehensive and redundant security strategy.
- In network security, what is the main purpose of a VLAN (Virtual Local Area Network)?
- To increase the physical network speed
- To segment a physical network into multiple logical networks
- To serve as the main method for encrypting network traffic
- To provide a backup for network data
Correct answer: To segment a physical network into multiple logical networks
Correct answer: To segment a physical network into multiple logical networks. Explanation: VLANs are used in network design to segment a physical network into multiple logical networks. This segmentation enhances security and performance by separating groups of users and reducing broadcast traffic.
- What is the primary purpose of implementing an IDS (Intrusion Detection System) in tandem with an IPS (Intrusion Prevention System)?
- To exclusively encrypt network traffic
- To provide redundancy for network hardware
- To detect and actively prevent network intrusions
- To manage network bandwidth and data flow
Correct answer: To detect and actively prevent network intrusions
Correct answer: To detect and actively prevent network intrusions. Explanation: An IDS (Intrusion Detection System) is used to detect network intrusions, and when used in tandem with an IPS (Intrusion Prevention System), it adds the capability to actively prevent or block these intrusions. This combination enhances network security by both identifying potential threats and taking actions to mitigate them.
- Which technology is primarily used for isolating network traffic to improve security and performance in a virtualized environment?
- Network Function Virtualization (NFV)
- Software-Defined Networking (SDN)
- Virtual Private Network (VPN)
- Network Attached Storage (NAS)
Correct answer: Software-Defined Networking (SDN)
Correct answer: Software-Defined Networking (SDN). Explanation: Software-Defined Networking (SDN) in a virtualized environment is used for isolating and managing network traffic more efficiently. SDN provides a more flexible and scalable way to manage network resources, improving both security and performance.
- In a cloud computing environment, what is the primary security benefit of implementing microsegmentation?
- To increase data storage capacity
- To improve application performance
- To enhance network traffic speed
- To strengthen security within a virtualized data center
Correct answer: To strengthen security within a virtualized data center
Correct answer: To strengthen security within a virtualized data center. Explanation: Microsegmentation in a cloud computing environment is used to enhance security within a virtualized data center. It allows for fine-grained security policies to be applied to individual workloads, isolating them from each other and reducing the attack surface.
- What is the primary purpose of a SIEM (Security Information and Event Management) system in a cybersecurity infrastructure?
- To manage network device configurations
- To encrypt sensitive data
- To aggregate and analyze security-related data from multiple sources
- To act as the primary firewall for network security
Correct answer: To aggregate and analyze security-related data from multiple sources
Correct answer: To aggregate and analyze security-related data from multiple sources. Explanation: A Security Information and Event Management (SIEM) system is primarily used to aggregate, analyze, and report on security-related data from multiple sources within an IT environment. It is crucial for real-time analysis of security alerts and for improving incident response.
- Which authentication protocol primarily relies on tickets for client-server authentication and does not transmit passwords over the network?
- RADIUS
- TACACS+
- Kerberos
- LDAP
Correct answer: Kerberos
Correct answer: Kerberos. Explanation: Kerberos authentication protocol uses tickets granted by a central authority and avoids sending passwords over the network. This makes it highly secure for client-server authentication.
- In Identity and Access Management, what is the primary purpose of a Federation Service?
- To centralize user authentication for a single organization
- To synchronize user databases between different organizations
- To allow sharing of identity information across multiple organizations
- To manage group policies in a distributed environment
Correct answer: To allow sharing of identity information across multiple organizations
Correct answer: To allow sharing of identity information across multiple organizations. Explanation: Federation Services in Identity and Access Management enable different organizations to share identity information securely. This allows users to access services across organizational boundaries without needing separate identities for each organization.
- What is the primary security concern addressed by the implementation of a Zero Trust model?
- External threats from the internet
- Insider threats
- Distributed denial-of-service (DDoS) attacks
- Malware spreading in the network
Correct answer: Insider threats
Correct answer: Insider threats. Explanation: The Zero Trust model operates under the principle of "never trust, always verify," which is particularly effective against insider threats. It mandates strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter.
- Which of the following best describes a 'Privileged Access Management' (PAM) system?
- A system managing user access based on their role in the organization
- A tool for monitoring network traffic and access patterns
- A framework to manage elevated access and permissions for users
- A protocol for secure communications between different network segments
Correct answer: A framework to manage elevated access and permissions for users
Correct answer: A framework to manage elevated access and permissions for users. Explanation: Privileged Access Management (PAM) is a framework used to control, monitor, and manage elevated access and permissions for users, accounts, and systems across an IT environment. It is crucial in preventing the misuse of privileged access.
- What is the main purpose of using a Security Assertion Markup Language (SAML) in web security?
- To encrypt web traffic
- To provide secure email communication
- To enable single sign-on (SSO) for web services
- To manage network access control
Correct answer: To enable single sign-on (SSO) for web services
Correct answer: To enable single sign-on (SSO) for web services. Explanation: Security Assertion Markup Language (SAML) is an open standard that allows identity providers to pass authorization credentials to service providers. This enables Single Sign-On (SSO), allowing users to log in with a single ID and password to access a range of services.
- What is the primary function of a RADIUS server in network security?
- Firewall management
- Intrusion detection and prevention
- Centralized authentication, authorization, and accounting for users
- Data encryption and decryption
Correct answer: Centralized authentication, authorization, and accounting for users
Correct answer: Centralized authentication, authorization, and accounting for users. Explanation: A RADIUS (Remote Authentication Dial-In User Service) server is primarily used for centralized authentication, authorization, and accounting of users who connect and use a network service. It is a widely used protocol for managing network access.
- In an Identity and Access Management system, what does the term "Least Privilege" primarily refer to?
- Granting users the minimum levels of access necessary to perform their job functions
- Restricting user access to only the most secure parts of the system
- Providing users with temporary access rights that expire within a short time
- Limiting user access to non-confidential data only
Correct answer: Granting users the minimum levels of access necessary to perform their job functions
Correct answer: Granting users the minimum levels of access necessary to perform their job functions. Explanation: The principle of "Least Privilege" in access management means that users are granted only those access rights which are essential to perform their job functions. This minimizes the risk of unauthorized access to sensitive information.
- Which technology is primarily used for multi-factor authentication to enhance security?
- VPN
- Firewall
- Biometric authentication
- Proxy server
Correct answer: Biometric authentication
Correct answer: Biometric authentication. Explanation: Biometric authentication is a security process that uses the unique biological characteristics of an individual to verify their identity. It is often used as part of multi-factor authentication systems, adding a layer of security beyond traditional password-based methods.
- What does the OAuth protocol primarily provide in the context of Identity and Access Management?
- Two-factor authentication
- Secure wireless encryption
- Delegated authorization for web services and applications
- Encrypted file transfers
Correct answer: Delegated authorization for web services and applications
Correct answer: Delegated authorization for web services and applications. Explanation: OAuth is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites without giving them the passwords. It provides delegated authorization for web services and applications.
- In a Single Sign-On (SSO) implementation, what is the primary security risk?
- Increased complexity of network configurations
- Higher resource utilization on servers
- A single point of failure for user authentication
- Incompatibility with legacy applications
Correct answer: A single point of failure for user authentication
Correct answer: A single point of failure for user authentication. Explanation: In SSO, users log in once and gain access to multiple systems without being prompted to log in again. While it enhances usability, it creates a single point of failure. If the SSO system is compromised, an attacker could potentially gain access to all linked systems.
- What is the primary function of TACACS+ in network security?
- Network packet filtering
- File encryption
- User authentication and command authorization
- Malware scanning
Correct answer: User authentication and command authorization
Correct answer: User authentication and command authorization. Explanation: TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol providing detailed accounting information and centralized authentication for users who access a network and its services. It also offers command authorization for more granular control.
- Which term best describes a system where different authentication methods are used at different times or in different contexts for the same user?
- Single Sign-On (SSO)
- Multi-factor Authentication (MFA)
- Adaptive Authentication
- Role-Based Access Control (RBAC)
Correct answer: Adaptive Authentication
Correct answer: Adaptive Authentication. Explanation: Adaptive Authentication, also known as risk-based authentication, uses multiple authentication mechanisms, depending on the risk profile of a particular user or transaction. It dynamically adjusts the authentication process according to the current context.
- What is the main advantage of implementing a Role-Based Access Control RBAC system in an organization?
- Reducing the complexity of network configurations
- Simplifying the management of user permissions
- Enhancing the encryption of data in transit
- Increasing the speed of network traffic
Correct answer: Simplifying the management of user permissions
Correct answer: Simplifying the management of user permissions. Explanation: RBAC simplifies the management of user permissions by assigning rights based on roles within an organization. It reduces the complexity and potential errors in assigning permissions to individual users, particularly in large organizations.
- In the context of Public Key Infrastructure (PKI), what role does the Certificate Revocation List (CRL) play?
- Lists all issued digital certificates
- Stores private keys securely
- Records digital certificates that have been revoked
- Encrypts data using public keys
Correct answer: Records digital certificates that have been revoked
Correct answer: Records digital certificates that have been revoked. Explanation: The Certificate Revocation List (CRL) in PKI is a list of certificates that have been revoked by the issuing Certificate Authority CA before their scheduled expiration date and should no longer be trusted.
- Which authentication factor category does a fingerprint scanner fall under?
- Something you know
- Something you have
- Something you are
- Somewhere you are
Correct answer: Something you are
Correct answer: Something you are. Explanation: A fingerprint scanner is a form of biometric authentication, which falls under the "something you are" category. This category refers to authentication based on unique biological traits of an individual.
- In Identity and Access Management, what is a primary security feature of using smart cards as an authentication factor?
- They can store multiple passwords for different systems
- They provide geolocation data for user authentication
- They contain embedded certificates for identity verification
- They automatically update user access rights
Correct answer: They contain embedded certificates for identity verification
Correct answer: They contain embedded certificates for identity verification. Explanation: Smart cards are used as a security token in multi-factor authentication systems. They typically contain embedded certificates used to verify the identity of the cardholder, enhancing security through a physical token that the user possesses.
- What is the main purpose of implementing a Directory Service in network security?
- Filtering network traffic
- Centralizing the storage of user credentials and attributes
- Encrypting data in transit
- Logging network activities
Correct answer: Centralizing the storage of user credentials and attributes
Correct answer: Centralizing the storage of user credentials and attributes. Explanation: A Directory Service in network security is primarily used for centralizing the storage and management of user credentials and attributes. It facilitates the efficient management and retrieval of user information across the network.
- Which access control model dynamically assigns roles to users based on attributes and environmental conditions?
- Mandatory Access Control MAC
- Discretionary Access Control DAC
- Role-Based Access Control RBAC
- Attribute-Based Access Control ABAC
Correct answer: Attribute-Based Access Control ABAC
Correct answer: Attribute-Based Access Control ABAC. Explanation: Attribute-Based Access Control ABAC is a model that assigns roles and access rights dynamically based on attributes (such as department, job title, etc.) and environmental conditions. It provides a more flexible and context-aware approach to access control.
- In a PKI, what is the function of a Key Escrow?
- To increase encryption key length
- To distribute public keys
- To store backup copies of private keys
- To manage digital certificates
Correct answer: To store backup copies of private keys
Correct answer: To store backup copies of private keys. Explanation: Key Escrow in a Public Key Infrastructure (PKI) refers to the secure storage and management of backup copies of private keys. This is crucial for recovery purposes, ensuring access to encrypted data even if the original private key is lost.
- Which concept in risk management involves determining the impact of an adverse event that may affect the assets, resources, or operations of an organization?
- Risk Analysis
- Business Impact Analysis
- Threat Assessment
- Vulnerability Scanning
Correct answer: Business Impact Analysis
Correct answer: Business Impact Analysis. Explanation: Business Impact Analysis (BIA) is a critical component of an organization's business continuity plan. It predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies.
- In risk management, what does the term 'risk appetite' refer to?
- The total cost associated with mitigating a risk
- The level of risk an organization is willing to accept
- The probability of a risk occurring
- The impact a risk would have on business continuity
Correct answer: The level of risk an organization is willing to accept
Correct answer: The level of risk an organization is willing to accept. Explanation: Risk appetite refers to the amount and type of risk that an organization is prepared to pursue, retain or take. It essentially defines the organization's willingness to take risks and its tolerance for risk.
- Which of the following best describes a 'risk register' in the context of risk management?
- A document listing all identified risks and their causes
- A tool for tracking the financial impact of risks
- A log of all security incidents that have occurred
- A database of all risk assessments performed
Correct answer: A document listing all identified risks and their causes
Correct answer: A document listing all identified risks and their causes. Explanation: A risk register is a tool used in risk management and project management. It acts as a repository for all risks identified and includes additional details about each risk, e.g., the nature of the risk, reference and owner, mitigation measures.
- In the context of risk management, what is 'residual risk'?
- The risk remaining after all efforts to identify and eliminate risk
- The initial risk identified before any mitigation steps
- The risk transferred to a third party
- The risk accepted by the management without mitigation
Correct answer: The risk remaining after all efforts to identify and eliminate risk
Correct answer: The risk remaining after all efforts to identify and eliminate risk. Explanation: Residual risk is the risk that remains after all efforts to mitigate and eliminate risks have been applied. It's the risk that an organization must accept and manage because it cannot be further reduced or it's not cost-effective to do so.
- What is the primary purpose of 'quantitative risk analysis' in risk management?
- To qualitatively determine the impact of risks
- To numerically analyze the probability and impact of risks
- To categorize risks based on their source
- To delegate risks to respective departments
Correct answer: To numerically analyze the probability and impact of risks
Correct answer: To numerically analyze the probability and impact of risks. Explanation: Quantitative risk analysis involves numerically analyzing the probability and impact of identified risks. This type of analysis assigns real numbers to risks, often in monetary terms, to help in decision-making processes.
- Which approach in risk management prioritizes risks based on their severity and likelihood of occurrence?
- Risk Avoidance
- Risk Aggregation
- Risk Prioritization
- Risk Diversification
Correct answer: Risk Prioritization
Correct answer: Risk Prioritization. Explanation: Risk Prioritization is an approach where risks are ranked and managed based on their severity and the likelihood of their occurrence. It allows organizations to focus resources on the most significant risks.
- In the context of risk management, what is 'risk transference'?
- Reducing the risk by changing business processes
- Eliminating the risk by discontinuing a risky process
- Shifting the risk to another entity, such as an insurance company
- Accepting the risk as part of business operations
Correct answer: Shifting the risk to another entity, such as an insurance company
Correct answer: Shifting the risk to another entity, such as an insurance company. Explanation: Risk transference is a risk mitigation strategy where the impact of a risk is transferred to a third party, such as through insurance or outsourcing. This does not eliminate the risk but transfers its financial impact to another entity.
- What does a 'Single Loss Expectancy' (SLE) calculation involve in risk management?
- Estimating the loss from a single risk over an extended period
- Calculating the total loss an organization can bear in a fiscal year
- Determining the expected monetary loss every time a specific risk occurs
- Summarizing all potential losses from various risks
Correct answer: Determining the expected monetary loss every time a specific risk occurs
Correct answer: Determining the expected monetary loss every time a specific risk occurs. Explanation: Single Loss Expectancy (SLE) is a calculation used to determine the expected monetary loss every time a specific risk event occurs. It is a part of the quantitative risk analysis and is used to assess the financial impact of risks.
- In risk management, what is the primary goal of 'risk mitigation'?
- To transfer all identified risks to third parties
- To completely eliminate all risks
- To reduce the impact or likelihood of risks
- To prioritize risks based on their impact
Correct answer: To reduce the impact or likelihood of risks
Correct answer: To reduce the impact or likelihood of risks. Explanation: Risk mitigation involves taking steps to reduce the adverse effects of threats and vulnerabilities, thereby reducing the impact or likelihood of the risks. It doesn't necessarily eliminate the risks but aims to bring them down to an acceptable level.
- Which document in risk management outlines the steps to be taken in the event of a specific risk occurrence?
- Risk Policy
- Business Impact Analysis
- Risk Response Plan
- Risk Register
Correct answer: Risk Response Plan
Correct answer: Risk Response Plan. Explanation: A Risk Response Plan is a document that outlines the steps or actions that should be taken in response to a specific identified risk. It is a key component of risk management, ensuring preparedness and effective response to risk events.
- In risk management, what is the purpose of conducting a 'gap analysis'?
- To identify the difference between current and desired risk management practices
- To calculate the financial impact of potential risks
- To determine the effectiveness of current security controls
- To identify redundant processes in risk management
Correct answer: To identify the difference between current and desired risk management practices
Correct answer: To identify the difference between current and desired risk management practices. Explanation: A gap analysis in risk management is conducted to identify the difference between the current state of risk management practices and the desired or required state. This helps in pinpointing areas that need improvement or additional focus.
- What does 'Mean Time Between Failures' (MTBF) represent in the context of risk management?
- The average time for a system to recover from a failure
- The predicted time until a system component fails
- The average time between system failures
- The maximum tolerable downtime for a system
Correct answer: The average time between system failures
Correct answer: The average time between system failures. Explanation: Mean Time Between Failures (MTBF) is a measure of how reliable a hardware product or system is. It represents the average time between failures and is used in risk management to predict system reliability and plan for contingencies.
- Which of the following best describes 'Qualitative Risk Analysis' in risk management?
- It involves numerical values to measure the probability and impact of risks
- It uses descriptive methods to identify and assess risks
- It focuses on transferring risks to third parties
- It calculates the total annual loss expectancy of risks
Correct answer: It uses descriptive methods to identify and assess risks
Correct answer: It uses descriptive methods to identify and assess risks. Explanation: Qualitative Risk Analysis involves using descriptive techniques to assess and prioritize risks. It focuses on the characteristics of risks, such as likelihood and impact, but does not assign specific numerical values to them.
- What is the primary focus of 'Operational Risk Management'?
- Managing risks associated with business strategic objectives
- Managing risks related to day-to-day business operations
- Addressing risks associated with external factors
- Mitigating risks related to financial investments
Correct answer: Managing risks related to day-to-day business operations
Correct answer: Managing risks related to day-to-day business operations. Explanation: Operational Risk Management focuses on risks that arise from the daily operations of a business. It involves identifying, assessing, and mitigating risks that could affect the company's ability to perform its routine functions.
- In risk management, what is 'Risk Acceptance'?
- Taking action to reduce the impact of a risk
- Choosing to bear the risk without taking actions to mitigate it
- Transferring the risk to another party
- Prioritizing risks for mitigation
Correct answer: Choosing to bear the risk without taking actions to mitigate it
Correct answer: Choosing to bear the risk without taking actions to mitigate it. Explanation: Risk Acceptance is a risk management strategy where an organization decides to accept the consequences and potential losses from a risk, without engaging in actions to mitigate or transfer it. This is typically chosen when the cost of mitigation exceeds the potential loss.
- What is a 'Risk Threshold' in the context of risk management?
- The maximum level of risk that an organization is willing to accept
- The minimum amount of risk necessary for a project to proceed
- The level at which a risk becomes unacceptable
- The financial impact level at which risk mitigation actions are triggered
Correct answer: The maximum level of risk that an organization is willing to accept
Correct answer: The maximum level of risk that an organization is willing to accept. Explanation: Risk Threshold refers to the level of risk that an organization is willing to accept. It is a critical part of defining an organization's risk appetite and is used to guide decision-making in risk management.
- In risk management, what is the primary purpose of 'Continuous Monitoring'?
- To provide real-time risk assessment
- To ensure compliance with regulations
- To constantly assess the security posture of an organization
- To monitor the financial performance of security investments
Correct answer: To constantly assess the security posture of an organization
Correct answer: To constantly assess the security posture of an organization. Explanation: Continuous Monitoring in risk management is the ongoing process of identifying and managing risks. It involves regularly assessing the security posture of an organization to ensure that controls are effective and to identify any changes in risk.
- Which document in risk management outlines the overall risk strategy and policies of an organization?
- Risk Response Plan
- Business Impact Analysis
- Risk Management Policy
- Incident Response Plan
Correct answer: Risk Management Policy
Correct answer: Risk Management Policy. Explanation: The Risk Management Policy is a document that outlines the overall approach, objectives, and strategy for managing risks within an organization. It sets the foundation for how risk is approached and managed across the organization.
- What role does 'Due Diligence' play in risk management?
- It involves taking necessary steps to identify and mitigate risks
- It refers to the process of transferring risks
- It is the practice of accepting risks that fall within the risk threshold
- It involves regular auditing of risk management processes
Correct answer: It involves taking necessary steps to identify and mitigate risks
Correct answer: It involves taking necessary steps to identify and mitigate risks. Explanation: Due Diligence in risk management refers to the care that a reasonable person or organization should take before entering into agreements or transactions. It involves thoroughly researching and understanding the risks to mitigate them effectively.
- Which term describes the process of prioritizing risks for further analysis or action by assessing their likelihood and impact?
- Risk Assessment
- Risk Response
- Risk Mitigation
- Risk Evaluation
Correct answer: Risk Assessment
Correct answer: Risk Assessment. Explanation: Risk Assessment is the process of identifying and evaluating risks to the organization. It involves prioritizing risks based on their likelihood of occurring and the impact they would have if they did occur.
- In risk management, what does 'Annual Loss Expectancy' (ALE) represent?
- The expected loss for an asset due to a risk over a year
- The total cost of all risks identified in a year
- The maximum loss that can be sustained in a year
- The aggregate value of all risk mitigation actions over a year
Correct answer: The expected loss for an asset due to a risk over a year
Correct answer: The expected loss for an asset due to a risk over a year. Explanation: Annual Loss Expectancy (ALE) is a calculation used in risk management to estimate the potential annual financial loss of an asset due to risks. It helps in understanding the financial impact of risks over a one-year period.
- Which cryptographic attack involves attempting to decrypt a cipher by trying every possible key?
- Cipher text-only attack
- Known plaintext attack
- Chosen plaintext attack
- Brute force attack
Correct answer: Brute force attack
Correct answer: Brute force attack. Explanation: A brute force attack involves systematically checking all possible keys until the correct one is found. This type of attack is often time-consuming and computationally intensive but can be effective against weak encryption schemes.
- Which cryptographic principle prevents the sender of a message from denying the message's content and transmission?
- Confidentiality
- Integrity
- Non-repudiation
- Authentication
Correct answer: Non-repudiation
Correct answer: Non-repudiation. Explanation: Non-repudiation is a cryptographic principle that ensures a sender cannot deny sending a message or performing a transaction. This is often achieved through digital signatures and time stamps.
- What is the main difference between symmetric and asymmetric encryption?
- The number of keys used for encryption and decryption
- The speed of the encryption process
- The types of algorithms used
- The ability to provide digital signatures
Correct answer: The number of keys used for encryption and decryption
Correct answer: The number of keys used for encryption and decryption. Explanation: The primary difference between symmetric and asymmetric encryption is the number of keys used. Symmetric encryption uses the same key for both encryption and decryption, whereas asymmetric encryption uses a pair of public and private keys.
- Which of the following algorithms is not a symmetric key algorithm?
Correct answer: RSA
Correct answer: RSA. Explanation: RSA (Rivest-Shamir-Adleman) is an asymmetric key algorithm, which uses a pair of keys (public and private) unlike symmetric key algorithms (AES, DES, 3DES) that use a single key for both encryption and decryption.
- What cryptographic concept involves the use of two keys, a public key for encryption, and a private key for decryption?
- Symmetric encryption
- Hashing
- Asymmetric encryption
- Digital signature
Correct answer: Asymmetric encryption
Correct answer: Asymmetric encryption. Explanation: Asymmetric encryption involves the use of two keys: a public key for encryption and a private key for decryption. This method is widely used in securing communications over the internet.
- In cryptography, what is a 'collision'?
- When two different keys generate the same ciphertext
- When two different messages produce the same hash value
- A failure in the encryption algorithm
- An unauthorized interception of encrypted data
Correct answer: When two different messages produce the same hash value
Correct answer: When two different messages produce the same hash value. Explanation: In cryptographic hashing, a collision occurs when two different input messages produce the same hash output. This is a significant concern as it can undermine the integrity of the hash function.
- Which cryptographic method is primarily used to ensure the integrity of data?
- Encryption
- Hashing
- Key exchange
- Digital signing
Correct answer: Hashing
Correct answer: Hashing. Explanation: Hashing is used to ensure the integrity of data. A hash function takes an input and returns a fixed-size string of bytes, typically a digest, which is supposed to be unique to each unique input. Any alteration in the data will result in a different hash value.
- In PKI, what is the main purpose of a key escrow?
- To speed up the encryption process
- To recover lost or compromised encryption keys
- To increase the strength of the encryption algorithm
- To authenticate users more efficiently
Correct answer: To recover lost or compromised encryption keys
Correct answer: To recover lost or compromised encryption keys. Explanation: Key escrow refers to a process in which keys are securely held so that under certain conditions (like a court order or if keys are lost), an authorized third party can retrieve the keys. This is crucial in situations where there's a need to recover encrypted data.
- What is the primary purpose of using a salt in cryptographic hashing?
- To encrypt the hash value
- To speed up the hashing process
- To ensure the uniqueness of each hash
- To compress the data before hashing
Correct answer: To ensure the uniqueness of each hash
Correct answer: To ensure the uniqueness of each hash. Explanation: A salt in cryptographic hashing is random data that is used as an additional input to a hash function to ensure the uniqueness of each hash, even if the input data is the same. This helps to prevent hash collision and rainbow table attacks.
- What is the primary difference between stream ciphers and block ciphers in cryptography?
- The size of the keys used
- The way they process the plaintext
- The type of algorithms used for encryption
- The speed of encryption and decryption
Correct answer: The way they process the plaintext
Correct answer: The way they process the plaintext. Explanation: The main difference between stream ciphers and block ciphers lies in how they process the plaintext. Stream ciphers encrypt data one bit or byte at a time, while block ciphers encrypt a group of bits as a single unit or block.
- Which of the following best describes a man-in-the-middle attack in the context of cryptography?
- An attacker decrypts data without the knowledge of the sender or receiver.
- An attacker inserts themselves into a communication session between parties.
- An attacker uses brute force to crack encrypted data.
- An attacker creates a hash collision to alter data without detection.
Correct answer: An attacker inserts themselves into a communication session between parties.
Correct answer: An attacker inserts themselves into a communication session between parties. Explanation: A man-in-the-middle attack involves an attacker secretly relaying and possibly altering the communication between two parties who believe they are directly communicating with each other. It is a significant threat in cryptographic communications.
- What is the primary function of the Diffie-Hellman algorithm in cryptography?
- Hashing data
- Digital signing
- Encrypting data
- Secure key exchange
Correct answer: Secure key exchange
Correct answer: Secure key exchange. Explanation: The Diffie-Hellman algorithm is primarily used for secure key exchange, allowing two parties to establish a shared secret key over an insecure communication channel.
- Which cryptographic protocol provides security for electronic data interchange (EDI) transactions?
- SSL/TLS
- SSH
- PGP
- SET (Secure Electronic Transaction)
Correct answer: SET (Secure Electronic Transaction)
Correct answer: SET (Secure Electronic Transaction). Explanation: SET (Secure Electronic Transaction) is a cryptographic protocol designed specifically to secure electronic data interchange (EDI) transactions, such as credit card purchases.
- In cryptography, what is the main purpose of a Certificate Revocation List (CRL)?
- To list all issued certificates
- To list digital certificates that have been revoked
- To validate the chain of trust in a certificate
- To store public keys
Correct answer: To list digital certificates that have been revoked
Correct answer: To list digital certificates that have been revoked. Explanation: A Certificate Revocation List (CRL) is used in cryptography to list digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date.
- What cryptographic concept involves splitting data into parts where individual parts do not reveal the whole?
- Key escrow
- Data obfuscation
- Secret sharing
- Steganography
Correct answer: Secret sharing
Correct answer: Secret sharing. Explanation: Secret sharing is a cryptographic method where data is divided into parts, giving each participant its own unique part, where individual parts do not reveal the whole secret. This is often used for securely storing or sharing sensitive information.
- Which property of cryptographic hash functions ensures that, if two different messages produce the same hash, it's computationally infeasible to find them?
- Collision resistance
- Pre-image resistance
- Second pre-image resistance
- Non-repudiation
Correct answer: Collision resistance
Correct answer: Collision resistance. Explanation: Collision resistance is a property of cryptographic hash functions that ensures it is computationally infeasible to find two distinct inputs that produce the same hash output. This property is crucial for the security and integrity of hash functions.
- In the context of PKI, what does the term 'chain of trust' refer to?
- A series of trusted intermediaries between the user and the CA
- The sequence of encryption algorithms used for securing data
- The progression of symmetric keys used in a session
- The order in which cryptographic hashes are applied
Correct answer: A series of trusted intermediaries between the user and the CA
Correct answer: A series of trusted intermediaries between the user and the CA. Explanation: In PKI, the 'chain of trust' refers to a series of trusted intermediaries (certificates) that link the end user's certificate to a trusted root Certificate Authority (CA). Each certificate in the chain is signed by the next, establishing trustworthiness.
- A security analyst needs to encrypt several terabytes of database backups quickly using a single shared secret, and separately needs a way for two parties who have never met to agree on that secret over an untrusted network. Which combination correctly matches each task to the right cryptography type?
- Use symmetric encryption for both the bulk backups and the key exchange
- Use hashing for the bulk backups and symmetric encryption for the key exchange
- Use symmetric encryption for the bulk backups and asymmetric encryption to exchange the shared key
- Use asymmetric encryption for the bulk backups and symmetric encryption to exchange the shared key
Correct answer: Use symmetric encryption for the bulk backups and asymmetric encryption to exchange the shared key
Symmetric encryption should handle the bulk backups while asymmetric encryption handles the key exchange. Symmetric encryption uses one shared key for both encryption and decryption, which makes it fast and efficient for large volumes of data, but it cannot safely distribute that key over an untrusted network on its own. Asymmetric encryption uses a public/private key pair, so a sender can encrypt the symmetric key with the recipient's public key and only the recipient's private key can recover it, solving the key-distribution problem. This pairing is the basis of the hybrid model used by TLS. Hashing is wrong because hashing is one-way and cannot be reversed to recover the backup data.
- An organization cannot patch a legacy payroll server because the vendor no longer supports it, but a policy requires that all systems handling sensitive data be on a supported, patched platform. To satisfy the requirement's intent, the team isolates the server on its own segmented VLAN behind strict firewall rules. According to CompTIA's control taxonomy, what BEST describes this firewall-and-segmentation measure?
- A detective control
- A deterrent control
- A compensating control
- A directive control
Correct answer: A compensating control
This is a compensating control. A compensating control provides an alternative safeguard when the primary or required control cannot be implemented, meeting the intent of the requirement through a different means, exactly the situation when an unpatchable legacy system is isolated and firewalled instead. A directive control guides or mandates secure behavior through policy or instruction, so it describes the rule itself, not the workaround. A deterrent control discourages an attacker (such as warning banners), and a detective control identifies and alerts on events after they occur (such as logs), neither of which matches a preventive isolation measure substituting for patching.
- A help-desk analyst is asked to define malware for a new-hire onboarding deck. Which description most accurately captures what malware is?
- A hardware fault that causes a server to crash under heavy load
- A misconfiguration that grants users more permissions than they need
- An unencrypted protocol that exposes credentials in transit
- Any software intentionally designed to cause damage, gain unauthorized access, or disrupt a system or its data
Correct answer: Any software intentionally designed to cause damage, gain unauthorized access, or disrupt a system or its data
Malware (malicious software) is any software intentionally created to damage, disrupt, or gain unauthorized access to a system or its data; ransomware, trojans, spyware, worms, and rootkits are all subcategories of it. A hardware fault, an unencrypted protocol, and an overly permissive misconfiguration are reliability or vulnerability issues, not software written with malicious intent.
- An employee receives a text message claiming to be from the company's IT department, urging them to click a link to 'reverify' their VPN credentials. What type of attack is this?
- Smishing
- Pharming
- Tailgating
- Whaling
Correct answer: Smishing
Smishing is phishing carried out over SMS or text messaging, luring the target to a malicious link or to disclose credentials. Whaling targets high-value executives specifically, pharming redirects victims via DNS or hosts-file tampering rather than a text lure, and tailgating is a physical-entry technique.
- A finance manager gets a phone call from someone claiming to be the company's bank, using urgency and an official-sounding script to extract account verification details. This social-engineering technique is best described as which of the following?
- Watering hole attack
- Smishing
- Vishing
- Typosquatting
Correct answer: Vishing
Vishing (voice phishing) uses live phone calls or voicemail, often with urgency and authority cues, to trick a victim into revealing sensitive information. Smishing uses text messages, typosquatting relies on look-alike domain names, and a watering-hole attack compromises a site the target group already visits.
- A security team detects an intruder who maintained covert access to the network for eight months, moving laterally and exfiltrating intellectual property in small amounts to avoid detection. This pattern is most characteristic of which threat?
- An advanced persistent threat (APT)
- A drive-by download
- A script kiddie
- A logic bomb
Correct answer: An advanced persistent threat (APT)
An advanced persistent threat (APT) is a well-resourced, often nation-state or organized-crime actor that establishes long-term, stealthy access to a network to pursue strategic objectives over months. A script kiddie uses prepackaged tools opportunistically, a drive-by download is a single infection vector, and a logic bomb is malware that triggers on a condition rather than a prolonged campaign.
- An attacker crafts an email that appears to come from a specific manager and is addressed to one named employee in accounting, referencing a real recent project. What type of attack is this?
- Shoulder surfing
- Spear phishing
- Bulk phishing
- Vishing
Correct answer: Spear phishing
Spear phishing is a targeted phishing attack tailored to a specific individual or small group, using personal or contextual details to increase credibility. Bulk phishing is untargeted mass email, vishing uses voice calls, and shoulder surfing is observing a screen or keypad in person.
- A CEO receives a highly personalized fraudulent email impersonating a board member and requesting an urgent confidential wire transfer. Because the target is a senior executive, this attack is specifically classified as which of the following?
- Pretexting
- Smishing
- Whaling
- Credential stuffing
Correct answer: Whaling
Whaling is a form of spear phishing that specifically targets high-profile executives or other senior decision-makers, because their access and authority make them especially valuable. Smishing is text-based, pretexting is the fabricated-scenario technique that may underlie many attacks, and credential stuffing reuses stolen username-password pairs.
- A fraudulent message impersonating a vendor instructs an accounts-payable clerk to change the bank account on file so future invoice payments are redirected to the attacker. This scheme is best described as which of the following?
- Business email compromise (BEC)
- ARP poisoning
- Cross-site scripting
- A rainbow table attack
Correct answer: Business email compromise (BEC)
Business email compromise (BEC) is a financially motivated social-engineering scam in which an attacker impersonates a trusted executive, employee, or vendor to redirect payments or wire transfers. Cross-site scripting and ARP poisoning are technical attacks unrelated to invoice fraud, and a rainbow table is used to crack password hashes.
- Before launching an attack, an adversary calls an employee while posing as a new auditor and invents a detailed backstory to justify requesting system access. The fabricated scenario the attacker uses is known as what?
- Tailgating
- Pretexting
- Watering hole
- Privilege escalation
Correct answer: Pretexting
Pretexting is the social-engineering technique of inventing a believable scenario or false identity to manipulate a victim into divulging information or granting access. Tailgating is following someone through a secured door, a watering-hole attack compromises a frequently visited website, and privilege escalation is gaining higher rights once already inside a system.
- A user reports that their banking passwords were stolen even though they never visited a malicious site. Investigation reveals software that silently records every keystroke and emails the log to an external server. What is this software?
- A keylogger
- A rootkit
- A WAF
- A worm
Correct answer: A keylogger
A keylogger is malware (or hardware) that captures and records keystrokes, then exfiltrates them to an attacker, exposing passwords and other typed secrets. A rootkit hides its presence at a privileged level, a worm self-propagates across hosts, and a WAF is a defensive web application firewall, not malware.
- A user installs a free utility that secretly monitors browsing habits and transmits personal data to an advertiser without consent. Which type of malware best describes this?
- Ransomware
- Spyware
- A logic bomb
- A buffer overflow
Correct answer: Spyware
Spyware is malware designed to covertly monitor a user's activity and exfiltrate personal data such as browsing behavior or credentials. Ransomware encrypts data for extortion, a logic bomb triggers on a condition, and a buffer overflow is a software-exploitation technique rather than a category of monitoring malware.
- A current employee with legitimate database access copies the customer list before resigning to join a competitor. What category of threat does this represent?
- A script kiddie
- A nation-state actor
- A supply chain attack
- An insider threat
Correct answer: An insider threat
An insider threat is a risk that originates from someone with authorized access, such as an employee or contractor, who misuses that access intentionally or accidentally. A nation-state actor and a script kiddie are external actors, and a supply chain attack compromises a third-party product or vendor rather than relying on an internal person.
- A piece of malware is engineered to hide at the operating-system kernel level, intercepting system calls so that its files and processes are invisible to standard antivirus tools. What is this malware?
- A rootkit
- Adware
- A replay attack
- A trojan
Correct answer: A rootkit
A rootkit is malware that embeds itself deep in a system, often in the kernel, to conceal its presence and that of other malicious software, defeating ordinary detection. A trojan is disguised as legitimate software but does not inherently hide at the kernel, adware displays unwanted ads, and a replay attack is a network technique, not malware.
- A vulnerability has been discovered and exploited in the wild, but the software vendor is not yet aware of it and no patch exists. What is this vulnerability called?
- A race condition
- A misconfiguration
- An end-of-life vulnerability
- A zero-day vulnerability
Correct answer: A zero-day vulnerability
A zero-day vulnerability is a flaw that is unknown to the vendor and has no available patch, leaving defenders with zero days to prepare before it can be exploited. A misconfiguration is an avoidable setup error, an end-of-life vulnerability stems from unsupported software, and a race condition is a timing-dependent flaw.
- A web application checks whether a user has permission to access a file and then opens it as two separate steps. An attacker exploits the brief gap between the check and the use to swap the file. This class of vulnerability is known as what?
- A downgrade attack
- An injection flaw
- A rainbow table attack
- A race condition (time-of-check to time-of-use)
Correct answer: A race condition (time-of-check to time-of-use)
A race condition, specifically a time-of-check to time-of-use (TOCTOU) flaw, occurs when the outcome depends on the timing between when a resource is validated and when it is used, allowing an attacker to manipulate it in the interval. An injection flaw inserts malicious input, a downgrade attack forces weaker encryption, and a rainbow table cracks hashes.
- An attacker uses an automated tool to try every possible password combination against a login until one succeeds. What is this attack called?
- A man-in-the-middle attack
- A phishing attack
- A SQL injection attack
- A brute-force attack
Correct answer: A brute-force attack
A brute-force attack systematically tries all possible password combinations until the correct one is found; account lockouts, rate limiting, and MFA mitigate it. Phishing relies on deception, SQL injection targets databases through input, and a man-in-the-middle attack intercepts communications.
- An attacker attempts to gain access to an account by trying a precompiled list of common words and known passwords rather than every possible combination. Which attack is this?
- A replay attack
- A brute-force attack that tries all character combinations
- A dictionary attack
- A side-channel attack
Correct answer: A dictionary attack
A dictionary attack uses a curated list of likely passwords, common words, and previously breached credentials, making it faster than exhaustively trying every combination. A pure brute-force attack tries all combinations, a replay attack reuses captured data, and a side-channel attack infers secrets from physical leakage.
- An attacker obtains a database of password hashes and uses a large set of precomputed hash-to-plaintext tables to reverse them quickly. What technique is being used, and what control best defeats it?
- A replay attack, best mitigated by a firewall rule
- A brute-force attack, best mitigated by a CAPTCHA
- A rainbow table attack, best mitigated by salting hashes
- A dictionary attack, best mitigated by URL filtering
Correct answer: A rainbow table attack, best mitigated by salting hashes
A rainbow table attack uses precomputed tables of hash values to reverse password hashes rapidly; adding a unique random salt to each password before hashing makes the precomputed tables useless. A dictionary or brute-force attack does not depend on precomputed hash tables, and a replay attack reuses captured traffic rather than reversing hashes.
- An attacker inserts a malicious database command into a web form's input field to read and modify records the application should not expose. This attack and its primary mitigation are best described as which of the following?
- A buffer overflow, mitigated by DNSSEC
- Cross-site scripting, mitigated by salting passwords
- SQL injection, mitigated by parameterized queries and input validation
- ARP poisoning, mitigated by code signing
Correct answer: SQL injection, mitigated by parameterized queries and input validation
SQL injection occurs when untrusted input is concatenated into a database query, letting an attacker alter the query's logic; using parameterized (prepared) statements and validating input prevents the input from being treated as code. Cross-site scripting targets the browser, a buffer overflow targets memory, and ARP poisoning targets the local network.
- An attacker injects a malicious script into a vulnerable web page so that the script executes in the browsers of other visitors, stealing their session cookies. What is this attack?
- SQL injection
- Cross-site scripting (XSS)
- A logic bomb
- A side-channel attack
Correct answer: Cross-site scripting (XSS)
Cross-site scripting (XSS) injects malicious client-side script into a trusted web page so it runs in other users' browsers, often to steal cookies or session tokens; output encoding and a content security policy mitigate it. SQL injection targets the backend database, a logic bomb is conditional malware, and a side-channel attack infers data from physical characteristics.
- An attacker registers the domain 'gooogle-login.com' hoping users who mistype the real address will land on a fake credential-harvesting page. This technique is known as what?
- Privilege escalation
- A watering hole attack
- Typosquatting
- Pretexting
Correct answer: Typosquatting
Typosquatting (URL hijacking) registers domain names that resemble legitimate ones, relying on user typos or misreadings to direct victims to malicious or fraudulent sites. Pretexting is a fabricated-scenario social-engineering tactic, privilege escalation gains higher system rights, and a watering-hole attack compromises a legitimate site the target frequents.
- An attacker corrupts the cached records of a DNS resolver so that users requesting a legitimate banking site are silently redirected to a malicious server. What is this attack called?
- DNS poisoning (cache poisoning)
- A downgrade attack
- A logic bomb
- ARP poisoning
Correct answer: DNS poisoning (cache poisoning)
DNS poisoning, or DNS cache poisoning, injects forged records into a resolver's cache so legitimate domain lookups return attacker-controlled addresses; DNSSEC helps mitigate it by authenticating responses. ARP poisoning operates on the local Layer 2 network rather than DNS, a downgrade attack forces weaker protocols, and a logic bomb is conditional malware.
- After a ransomware event, an organization restores from its most recent backup and discovers it lost roughly four hours of customer transactions. Which resilience metric describes the maximum amount of data, measured in time, that the organization is willing to lose?
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)
- Mean Time to Repair (MTTR)
- Mean Time Between Failures (MTBF)
Correct answer: Recovery Point Objective (RPO)
Recovery Point Objective (RPO) defines the maximum acceptable amount of data loss expressed as a span of time, which directly drives how frequently backups must run. If four hours of data loss is unacceptable, the RPO must be shorter than four hours, requiring more frequent backups or replication. Recovery Time Objective measures how quickly systems must be restored, not how much data is lost, which is the common point of confusion between the two metrics.
- A business continuity team states that a critical order-entry application must be fully operational within two hours of any outage. Which metric does this two-hour target represent?
- Mean Time Between Failures (MTBF)
- Recovery Point Objective (RPO)
- Maximum Tolerable Downtime (MTD)
- Recovery Time Objective (RTO)
Correct answer: Recovery Time Objective (RTO)
Recovery Time Objective (RTO) is the targeted duration within which a service or system must be restored after a disruption to avoid unacceptable consequences. The two-hour restoration goal is an RTO. Recovery Point Objective addresses acceptable data loss rather than restoration speed, so it does not describe a time-to-recover target.
- A reliability engineer reports that a fleet of identical disk controllers has a mean time between failures of 100,000 hours. What does this MTBF value primarily help the organization predict?
- The number of redundant components required for fault tolerance
- The average operational time expected between failures of a repairable component
- The average time needed to restore a failed component to service
- The maximum acceptable data loss after an outage
Correct answer: The average operational time expected between failures of a repairable component
Mean Time Between Failures (MTBF) is the average elapsed operational time between repairable failures of a system or component, used to forecast reliability and plan maintenance or spares. It is calculated as total operational time divided by the number of failures. It does not measure repair speed, which is the distinct purpose of MTTR.
- An incident manager wants to track how long, on average, the operations team takes to restore a failed service after detecting an outage. Which metric should be reported?
- Mean Time Between Failures (MTBF)
- Mean Time to Repair (MTTR)
- Recovery Point Objective (RPO)
- Annualized Rate of Occurrence (ARO)
Correct answer: Mean Time to Repair (MTTR)
Mean Time to Repair (MTTR) measures the average time required to repair a failed component or restore a service, calculated as total downtime divided by the number of repairs. It quantifies recovery efficiency. MTBF measures how long systems run between failures rather than how quickly they are fixed, which is the core distinction between the two metrics.
- A web application experiences traffic spikes that overwhelm a single server. A security analyst recommends a device that distributes incoming requests across several backend servers and removes unhealthy nodes from rotation. Which technology is being described?
- Forward proxy
- Load balancer
- Web application firewall
- Jump server
Correct answer: Load balancer
A load balancer distributes incoming network or application traffic across multiple backend servers, improving availability and performance and supporting health checks that pull failed nodes out of rotation. This both scales the application and contributes to high availability. A web application firewall inspects and filters HTTP traffic for attacks but does not distribute load across servers.
- A storage administrator configures four drives so that data and parity are striped across all of them, allowing the array to keep operating if any single drive fails. Which storage resilience technology is in use?
- An air-gapped backup
- Network attached storage without redundancy
- A RAID array
- A storage area network snapshot
Correct answer: A RAID array
A RAID array (Redundant Array of Independent Disks) combines multiple physical drives into one logical unit to provide redundancy, performance, or both; parity-based levels such as RAID 5 tolerate a single drive failure. RAID provides fault tolerance at the disk level but is not a backup, because it does not protect against deletion, corruption, or ransomware that affects the logical volume.
- A network engineer needs administrators to reach internal production servers without exposing those servers directly to remote-access connections. The chosen design routes all administrative sessions through a single hardened, heavily monitored host. What is this host called?
- A jump server
- A load balancer
- A captive portal
- A reverse proxy
Correct answer: A jump server
A jump server (also called a jump box or bastion host) is a single hardened, tightly monitored system that administrators connect to first in order to reach devices in a more secure zone, reducing the attack surface by funneling and logging privileged access through one control point. A reverse proxy fronts web services for clients but is not the dedicated administrative pivot point.
- An organization handles personal data for European customers and must ensure that data is stored and processed according to the laws of the country where it physically resides, even when using a global cloud provider. Which concept governs this requirement?
- Data sovereignty
- Data masking
- Data classification
- Data tokenization
Correct answer: Data sovereignty
Data sovereignty is the principle that data is subject to the laws and regulations of the geographic location where it is collected, stored, or processed, which is why cloud customers must control the region in which data resides. It often drives geolocation and residency controls in cloud deployments. Data masking and tokenization protect data values but do not address jurisdictional legal control.
- To prevent an industrial control system from being reached by malware spreading on the corporate network, engineers physically disconnect it from all other networks so there is no electronic path between them. Which protective measure is this?
- A VLAN
- An air gap
- A demilitarized zone
- A virtual private network
Correct answer: An air gap
An air gap is a physical isolation measure in which a system or network has no physical or wireless connection to other networks, eliminating network-borne attack paths. It is common for high-value or critical systems such as ICS and SCADA. A VLAN provides logical separation only and still shares physical infrastructure, so it is not equivalent to an air gap.
- A company wants remote employees and branch offices to reach cloud applications securely while applying consistent inspection and zero trust access policies from the cloud, converging SD-WAN with security functions such as SWG, CASB, and ZTNA. Which architecture best fits this goal?
- A traditional perimeter firewall with port forwarding
- A standalone intrusion detection system
- Secure Access Service Edge (SASE)
- A site-to-site IPsec tunnel only
Correct answer: Secure Access Service Edge (SASE)
Secure Access Service Edge (SASE) is a cloud-delivered architecture that converges networking (SD-WAN) with security services such as secure web gateway, cloud access security broker, firewall-as-a-service, and zero trust network access into a single platform. This lets policy follow users and devices regardless of location. A single IPsec tunnel or perimeter firewall cannot deliver this converged, identity-aware, cloud-edge model.
- A remote worker needs to access internal corporate resources over the public internet as though directly on the office LAN. The solution creates an encrypted tunnel between the worker's device and the corporate gateway. Which technology provides this?
- A network access control appliance
- A load balancer
- A virtual private network (VPN)
- A web application firewall
Correct answer: A virtual private network (VPN)
A virtual private network (VPN) establishes an encrypted tunnel across an untrusted network such as the internet, allowing a remote device to securely access private resources as if locally connected. It protects confidentiality and integrity of traffic in transit. Network access control governs whether a device may join the network but does not itself create the encrypted remote-access tunnel.
- A security architect is designing a site-to-site connection and wants a protocol suite that authenticates and encrypts IP packets, supporting both an authentication-only mode and an encrypting mode using ESP. Which protocol suite meets this need?
Correct answer: IPsec
IPsec is a suite of protocols that secures IP communications by authenticating and encrypting packets, using the Authentication Header (AH) for integrity and authentication and Encapsulating Security Payload (ESP) for confidentiality, commonly deployed for VPN tunnels. It operates at the network layer so it protects all traffic above it. SNMP and SMTP are management and mail protocols with no packet-level encryption role.
- A network administrator wants to require that any device plugging into a switch port must authenticate to a RADIUS server before being granted network access, using EAP for the authentication exchange. Which standard provides this port-based access control?
- 802.1Q
- 802.11ac
- 802.3af
- 802.1X
Correct answer: 802.1X
802.1X is the IEEE standard for port-based network access control; it forces a device (supplicant) to authenticate through an authenticator such as a switch to a RADIUS authentication server, typically using EAP, before the port forwards general traffic. It is a foundation of network access control (NAC) deployments. 802.1Q defines VLAN tagging, not authentication, and is a frequent distractor.
- A security operations team wants a single platform that collects log and event data from servers, firewalls, and applications across the enterprise, normalizes it, and correlates events to generate alerts and support investigations. Which type of system provides this capability?
- Network access control (NAC) appliance
- Virtual private network (VPN) concentrator
- Data loss prevention (DLP) gateway
- Security information and event management (SIEM)
Correct answer: Security information and event management (SIEM)
A security information and event management (SIEM) system aggregates and normalizes log and event data from many sources, correlates them, and produces alerts and reports that analysts use for monitoring and investigation. DLP focuses on protecting sensitive data from leaving the organization, NAC governs which devices may join the network, and a VPN concentrator terminates encrypted remote-access tunnels.
- An organization deploys a tool that automatically executes predefined playbooks to enrich, triage, and respond to alerts across multiple security products, reducing manual analyst effort. Which security operations capability is this?
- File integrity monitoring (FIM)
- Security orchestration, automation, and response (SOAR)
- Endpoint detection and response (EDR)
- Security information and event management (SIEM)
Correct answer: Security orchestration, automation, and response (SOAR)
Security orchestration, automation, and response (SOAR) uses configurable playbooks to automate investigation and response actions across integrated tools, reducing repetitive analyst work. A SIEM primarily collects and correlates data to detect threats but does not, by itself, orchestrate automated multi-tool response; EDR focuses on endpoint telemetry and FIM watches for file changes.
- A manager is comparing SIEM and SOAR for the SOC. Which statement best captures the primary distinction between the two?
- SIEM centers on collecting and correlating data to detect threats, while SOAR centers on orchestrating and automating response actions through playbooks
- SIEM encrypts data at rest, while SOAR encrypts data in transit
- SIEM manages user passwords, while SOAR manages firewall rules
- SIEM blocks malicious packets inline, while SOAR only stores logs
Correct answer: SIEM centers on collecting and correlating data to detect threats, while SOAR centers on orchestrating and automating response actions through playbooks
The core difference is that a SIEM is focused on widespread data collection, normalization, and correlation to detect and surface threats, whereas SOAR is focused on orchestrating and automating the response to those detections using playbooks. Neither is defined by inline packet blocking, encryption duties, or password and firewall administration, which are functions of other controls.
- A vendor offers a platform that ingests and correlates telemetry from endpoints, network, cloud workloads, identity, and email into one unified detection-and-response console, so analysts can see a full attack chain across layers. Which technology is described?
- Host-based intrusion detection system (HIDS)
- Data loss prevention (DLP)
- Extended detection and response (XDR)
- Endpoint detection and response (EDR)
Correct answer: Extended detection and response (XDR)
Extended detection and response (XDR) unifies and correlates telemetry across endpoints, network, cloud, identity, and email to reveal multi-stage attacks in a single console. EDR is narrower, focusing only on endpoint activity; a HIDS monitors a single host for intrusions; and DLP is concerned with preventing data exfiltration rather than cross-layer detection.
- A security team installs agents on laptops and servers to continuously record process execution, file changes, and network connections so threats can be detected and the host isolated and remediated. Which capability is being deployed?
- Security information and event management (SIEM)
- Domain Name System (DNS) sinkhole
- Network access control (NAC)
- Endpoint detection and response (EDR)
Correct answer: Endpoint detection and response (EDR)
Endpoint detection and response (EDR) places agents on hosts to continuously monitor endpoint behavior, detect malicious activity, and enable response actions such as isolating or remediating the device. NAC controls network admission, a SIEM aggregates logs from many sources rather than performing endpoint-level response, and a DNS sinkhole redirects malicious domain lookups.
- Before allowing a suspicious email attachment into the production environment, a security team detonates it inside an isolated, instrumented virtual environment to observe its behavior safely. Which technique is this?
- Salting
- Sandboxing
- Tokenization
- Steganography
Correct answer: Sandboxing
Sandboxing executes untrusted code or files in an isolated, monitored environment so its behavior can be analyzed without risking production systems. Tokenization replaces sensitive data with non-sensitive substitutes, steganography hides data within other files, and salting adds random data to inputs before hashing passwords.
- A web application redirects a user to their corporate identity provider, which returns a signed XML assertion confirming the user's identity so the application grants access without its own login. Which standard is being used?
- Lightweight Directory Access Protocol (LDAP)
- Simple Mail Transfer Protocol (SMTP)
- Security Assertion Markup Language (SAML)
- Internet Control Message Protocol (ICMP)
Correct answer: Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML) is an XML-based standard that exchanges signed authentication and authorization assertions between an identity provider and a service provider, commonly enabling web single sign-on. LDAP queries directory information, SMTP transports email, and ICMP handles network diagnostic messages, none of which exchange federated authentication assertions.
- A mobile app needs to access a user's photos stored in a cloud service without ever receiving the user's password, instead receiving a scoped access token granting limited permission. Which framework provides this delegated authorization?
- RADIUS
- Kerberos
- OAuth
- TACACS+
Correct answer: OAuth
OAuth is an authorization framework that lets a user grant a third-party application scoped, delegated access to their resources via access tokens, without sharing their actual credentials. Kerberos is a ticket-based authentication protocol, while RADIUS and TACACS+ are AAA protocols for network device and remote-access authentication rather than delegated app authorization.
- A developer needs not only to authorize access to an API but also to verify the end user's identity, so they add an identity layer that issues a signed ID token on top of the existing authorization framework. Which protocol provides this identity layer?
- OpenID Connect (OIDC)
- IPsec
- OAuth alone
- SNMPv3
Correct answer: OpenID Connect (OIDC)
OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that adds authentication by issuing a signed ID token, letting applications verify who the user is in addition to what they can access. OAuth by itself handles authorization but not user authentication; SNMPv3 manages network devices and IPsec secures network traffic.
- After authenticating once to a central identity service in the morning, an employee can open the email, HR, and expense applications all day without re-entering credentials. Which capability does this describe?
- Privilege escalation
- Single sign-on (SSO)
- Credential stuffing
- Time-based one-time password (TOTP)
Correct answer: Single sign-on (SSO)
Single sign-on (SSO) lets a user authenticate once and then access multiple connected applications without logging in again to each one, improving usability and centralizing authentication. A TOTP is a short-lived one-time code used as a factor, privilege escalation is an attack technique, and credential stuffing is an attack that reuses breached passwords.
- An organization assigns permissions to job functions such as 'Help Desk' and 'Accountant,' and users receive access by being placed into the role that matches their position. Which access control model is in use?
- Mandatory access control (MAC)
- Discretionary access control (DAC)
- Role-based access control (RBAC)
- Rule-based access control
Correct answer: Role-based access control (RBAC)
Role-based access control (RBAC) grants permissions to defined roles tied to job functions, and users inherit those permissions through their assigned role, simplifying administration. DAC lets resource owners decide who gets access, MAC enforces access through system-assigned security labels, and rule-based control applies conditions like time of day rather than job roles.
- An organization needs access decisions that consider multiple dynamic conditions at once, such as the user's department, the device's compliance state, the time of day, and the resource's classification. Which access control model evaluates these characteristics to make a decision?
- Discretionary access control (DAC)
- Mandatory access control (MAC)
- Role-based access control (RBAC)
- Attribute-based access control (ABAC)
Correct answer: Attribute-based access control (ABAC)
Attribute-based access control (ABAC) grants or denies access by evaluating policies against attributes of the user, resource, action, and environment, enabling fine-grained, context-aware decisions. RBAC ties access only to predefined roles, DAC leaves decisions to resource owners, and MAC enforces fixed security labels rather than flexible attribute policies.
- A security architect must choose between RBAC and ABAC for a system needing fine-grained, context-sensitive decisions. Which statement correctly distinguishes the two models?
- RBAC uses security clearance labels, while ABAC lets resource owners set permissions
- RBAC grants access based on a user's assigned role, while ABAC grants access by evaluating multiple attributes such as user, resource, and environment conditions
- RBAC and ABAC are identical except for their names
- RBAC is only for cloud systems, while ABAC is only for on-premises systems
Correct answer: RBAC grants access based on a user's assigned role, while ABAC grants access by evaluating multiple attributes such as user, resource, and environment conditions
RBAC assigns permissions through predefined roles tied to job functions, while ABAC evaluates policies against attributes of the subject, object, action, and environment, supporting more granular and dynamic decisions. RBAC is not based on clearance labels (that is MAC) or owner discretion (that is DAC), and neither model is restricted to a specific deployment location.
- On a Windows file server, the user who creates a folder can decide which other users are granted read or write access to it at their own discretion. Which access control model does this illustrate?
- Discretionary access control (DAC)
- Role-based access control (RBAC)
- Mandatory access control (MAC)
- Attribute-based access control (ABAC)
Correct answer: Discretionary access control (DAC)
Discretionary access control (DAC) lets the owner of a resource decide, at their discretion, who else may access it, typically through access control lists. MAC enforces access centrally through system-assigned labels and clearances, RBAC ties access to job roles, and ABAC evaluates attribute-based policies, none of which leave the decision to the resource owner.
- In a high-security government system, every file is assigned a sensitivity label such as Secret or Top Secret, and the operating system, not the file owner, decides access based on each user's clearance. Which access control model is enforced?
- Mandatory access control (MAC)
- Role-based access control (RBAC)
- Discretionary access control (DAC)
- Rule-based access control
Correct answer: Mandatory access control (MAC)
Mandatory access control (MAC) enforces access through system-assigned sensitivity labels and clearances that users and owners cannot override, making it common in classified environments. DAC leaves decisions to resource owners, RBAC bases access on job roles, and rule-based control applies conditional rules rather than mandatory clearance labels.
- A security policy ensures that each user account is given only the permissions strictly necessary to perform that person's job and nothing more. Which principle is being applied?
- Implicit deny
- Defense in depth
- Principle of least privilege
- Security through obscurity
Correct answer: Principle of least privilege
The principle of least privilege grants each account only the minimum permissions required for its tasks, limiting the damage a compromised or misused account can cause. Implicit deny blocks anything not explicitly permitted, defense in depth layers multiple controls, and security through obscurity relies on secrecy of design, none of which define minimal user permissions.
- A bank requires that initiating a wire transfer and approving it must be performed by two different employees so that no single person can complete the entire transaction alone. Which security principle is being enforced?
- Job rotation
- Least privilege
- Separation of duties
- Mandatory vacation
Correct answer: Separation of duties
Separation of duties splits a sensitive process across multiple people so no single individual can complete it alone, reducing fraud and error risk. Least privilege limits each account's permissions, job rotation moves staff between roles to detect irregularities, and mandatory vacation forces time off to surface hidden misconduct, but none of these specifically divide a single transaction between two people.
- An organization deploys a solution so that administrators must check out elevated credentials from a vault for a specific, time-limited session, with all privileged activity recorded and the password rotated afterward. Which capability is this?
- Privileged access management (PAM)
- Network access control (NAC)
- Single sign-on (SSO)
- Data loss prevention (DLP)
Correct answer: Privileged access management (PAM)
Privileged access management (PAM) controls, vaults, monitors, and time-limits the use of elevated administrative credentials, often rotating passwords and recording privileged sessions. SSO simplifies user authentication across apps, NAC governs device admission, and DLP protects sensitive data from exfiltration, none of which specifically secure and audit privileged accounts.
- Employees in a marketing team begin using an unsanctioned cloud file-sharing service to collaborate, without IT's knowledge or approval. What does this situation represent, and why is it a security concern?
- A security baseline, because it sets a standard configuration
- Federation, because it links two identity providers
- Shadow IT, because unmanaged systems bypass security controls and visibility
- A honeypot, because it lures attackers away from real data
Correct answer: Shadow IT, because unmanaged systems bypass security controls and visibility
Shadow IT is the use of hardware, software, or cloud services without IT or security approval, creating risk because these systems escape patching, monitoring, data protection, and access controls. A honeypot is a deliberate decoy, a security baseline is an approved standard configuration, and federation links identity domains, none of which describe unsanctioned tool use.
- A SOC analyst documents an attack by mapping each observed adversary behavior, such as spearphishing, credential dumping, and lateral movement, to standardized tactic and technique identifiers in a globally recognized knowledge base. Which framework is being used?
- ISO 9001
- OWASP Top 10
- MITRE ATT&CK
- PCI DSS
Correct answer: MITRE ATT&CK
MITRE ATT&CK is a curated knowledge base of real-world adversary tactics and techniques that lets defenders describe and analyze attacker behavior in a common, standardized language. ISO 9001 addresses quality management, PCI DSS governs payment card data security, and the OWASP Top 10 lists common web application risks rather than cataloging adversary techniques.
- An organization deploys a tool that computes cryptographic hashes of critical system files and configuration files, then alerts the SOC whenever any of those hashes change unexpectedly. Which control is this?
- File integrity monitoring (FIM)
- Network time synchronization (NTP)
- Data loss prevention (DLP)
- Full disk encryption (FDE)
Correct answer: File integrity monitoring (FIM)
File integrity monitoring (FIM) baselines and hashes important files, then detects and alerts on unauthorized or unexpected changes, helping identify tampering or compromise. Full disk encryption protects data at rest from theft, DLP prevents sensitive data exfiltration, and NTP synchronizes system clocks, none of which detect file modifications.
- A SOC consolidates log records from hundreds of servers, network devices, and applications into a single central repository so analysts can search and correlate them in one place. What is this practice called?
- Log aggregation
- Log truncation
- Log rotation
- Log encryption
Correct answer: Log aggregation
Log aggregation is the collection and centralization of log data from many disparate sources into one repository to enable unified searching, correlation, and retention. Log rotation manages file size by cycling old logs, truncation discards portions of logs, and encryption protects log confidentiality, but none of these describe centralizing logs from many systems.
- An IT team establishes a documented, approved standard configuration that defines required settings, enabled services, and security parameters that all newly built web servers must conform to. What is this standard called?
- Change request
- Security baseline
- Incident report
- Honeynet
Correct answer: Security baseline
A security baseline is a defined, approved minimum set of security configurations and settings that systems must meet, giving a consistent, hardened starting point and a reference for detecting drift. A honeynet is a network of decoys, a change request proposes a modification, and an incident report documents a security event, none of which define a standard configuration.
- An administrator establishes a structured process to identify missing updates, test fixes, schedule deployment, and verify installation across all endpoints and servers on a regular cadence. Which security operations process is this?
- Patch management
- Penetration testing
- Threat hunting
- Tokenization
Correct answer: Patch management
Patch management is the systematic process of identifying, testing, deploying, and verifying software updates to remediate vulnerabilities and keep systems current. Penetration testing simulates attacks to find weaknesses, threat hunting proactively searches for undetected intrusions, and tokenization substitutes sensitive data, none of which describe the update lifecycle.
- Following a suspected breach, a specialist applies a structured process to identify, collect, preserve, analyze, and report on digital evidence from computers and storage media in a way that maintains its integrity for potential legal proceedings. Which discipline is this?
- Digital forensics
- Penetration testing
- Configuration management
- Network capacity planning
Correct answer: Digital forensics
Digital forensics is the discipline of identifying, collecting, preserving, analyzing, and reporting on electronic evidence while maintaining its integrity and admissibility for legal or investigative purposes. Capacity planning forecasts resource needs, penetration testing actively probes for exploitable weaknesses, and configuration management tracks system settings, none of which govern the handling of evidence after an incident.
- A U.S. hospital is reviewing the regulations that govern how it stores and shares patient medical records electronically. Which law specifically sets national standards for protecting individuals' protected health information (PHI) and requires safeguards such as access controls and breach notification?
- The General Data Protection Regulation (GDPR)
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Sarbanes-Oxley Act (SOX)
- The Payment Card Industry Data Security Standard (PCI DSS)
Correct answer: The Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) is the correct answer. HIPAA is a U.S. federal law that sets national standards for protecting protected health information (PHI), requiring administrative, physical, and technical safeguards plus breach notification by covered entities and their business associates. GDPR governs EU personal data broadly, PCI DSS governs payment card data, and SOX governs financial reporting controls, so none of those specifically protect health records.
- An online retailer operating in the EU must comply with a regulation that grants individuals rights such as access, rectification, and erasure of their personal data and requires breach reporting to a supervisory authority within 72 hours. Which regulation is this?
- The Federal Information Security Management Act (FISMA)
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Gramm-Leach-Bliley Act (GLBA)
- The General Data Protection Regulation (GDPR)
Correct answer: The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the correct answer. GDPR is the European Union privacy law that gives data subjects rights including access, rectification, and erasure (the 'right to be forgotten') and obligates controllers to notify the supervisory authority of a qualifying breach within 72 hours. HIPAA and GLBA are U.S. sector laws, and FISMA governs U.S. federal information systems, none of which grant these EU data-subject rights.
- Under GDPR, a marketing company decides what customer personal data to collect and why, then hires a cloud email vendor that sends campaigns strictly according to the marketing company's instructions. How are these two parties classified?
- Both parties are joint data controllers
- The marketing company is the data processor and the cloud vendor is the data controller
- Both parties are data custodians
- The marketing company is the data controller and the cloud vendor is the data processor
Correct answer: The marketing company is the data controller and the cloud vendor is the data processor
The marketing company is the data controller and the cloud vendor is the data processor. Under GDPR Article 4, a controller determines the purposes and means of processing personal data, while a processor processes data only on the controller's behalf and instructions. Because the marketing company decides what data is collected and why, it is the controller, and the vendor that merely acts on those instructions is the processor.
- A merchant that stores and transmits cardholder data must comply with a security standard maintained by the major payment card brands rather than by a government. Which framework imposes requirements such as network segmentation, encryption of cardholder data, and regular vulnerability scanning?
- ISO/IEC 27001
- The Payment Card Industry Data Security Standard (PCI DSS)
- The NIST Cybersecurity Framework
- HIPAA
Correct answer: The Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is the correct answer. PCI DSS is a contractual standard maintained by the PCI Security Standards Council (founded by the major card brands) that any organization storing, processing, or transmitting cardholder data must follow, including segmentation, encryption, and recurring scans. ISO 27001 and the NIST CSF are voluntary frameworks, and HIPAA covers health data, not payment cards.
- An organization wants to become formally certified against an internationally recognized standard that specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Which standard should it pursue?
- COBIT
- ISO/IEC 27001
- PCI DSS
- NIST SP 800-53
Correct answer: ISO/IEC 27001
ISO/IEC 27001 is the correct answer. ISO/IEC 27001 is the international standard that specifies the requirements for an information security management system (ISMS) and is the standard organizations can be audited and certified against. NIST SP 800-53 is a U.S. control catalog (not a certifiable ISMS standard), COBIT is an IT governance framework, and PCI DSS applies specifically to payment card data.
- A security manager wants to organize the company's cybersecurity program around six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Which framework provides this voluntary, outcome-based structure?
- The NIST Cybersecurity Framework (CSF)
- The OWASP Top 10
- The Cyber Kill Chain
- The MITRE ATT&CK framework
Correct answer: The NIST Cybersecurity Framework (CSF)
The NIST Cybersecurity Framework (CSF) is the correct answer. NIST CSF 2.0 (released 2024) organizes cybersecurity outcomes into six functions: Govern, Identify, Protect, Detect, Respond, and Recover, giving organizations a voluntary, risk-based structure. MITRE ATT&CK catalogs adversary tactics and techniques, the OWASP Top 10 lists web application risks, and the Cyber Kill Chain models attack stages, so none provide this governance framework.
- A CISO is establishing the policies, roles, and oversight committees that direct how security decisions are made and held accountable across the enterprise, aligning them with business objectives and regulatory requirements. This overall practice is best described as which of the following?
- Penetration testing
- Security governance
- Incident response
- Vulnerability management
Correct answer: Security governance
Security governance is the correct answer. Security governance is the system of policies, roles, oversight structures (such as boards and committees), and accountability that directs and controls an organization's security program in alignment with business goals and regulations. The other choices are operational activities (responding to incidents, managing flaws, or testing defenses) rather than the overarching direction-setting function of governance.
- A new employee receives ongoing instruction on recognizing phishing emails, reporting suspicious activity, handling sensitive data, and following the company's policies. According to CompTIA's security program guidance, what is this practice called?
- Change management
- Security awareness training
- Penetration testing
- Configuration management
Correct answer: Security awareness training
Security awareness training is the correct answer. Security awareness training educates personnel on recognizing threats such as phishing and social engineering, reporting anomalies, and complying with policies, which strengthens the human layer of defense. Penetration testing assesses technical defenses, while change and configuration management control system modifications, so none of those describe employee education.
- An organization's security program encompasses the continuous process of identifying threats, assessing their likelihood and impact, and deciding how to treat them so that exposure stays within acceptable limits. Which discipline describes this entire ongoing process?
- Digital forensics
- Data classification
- Penetration testing
- Risk management
Correct answer: Risk management
Risk management is the correct answer. Risk management is the ongoing process of identifying, assessing, prioritizing, and treating risks (through mitigation, transfer, avoidance, or acceptance) so that residual exposure stays within the organization's tolerance. The other choices are narrower activities that may feed into risk management but do not encompass the full lifecycle.
- During a quantitative risk assessment, an analyst multiplies the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). Which value does this calculation produce?
- Annualized loss expectancy (ALE)
- Residual risk
- Exposure factor (EF)
- Asset value (AV)
Correct answer: Annualized loss expectancy (ALE)
Annualized loss expectancy (ALE) is the correct answer. ALE is calculated as SLE multiplied by ARO, expressing the expected monetary loss from a risk over one year. The exposure factor is the percentage of asset value lost in one event, asset value is the worth of the asset itself, and residual risk is what remains after controls are applied, so none equals SLE times ARO.
- In a quantitative risk assessment, a server is valued at $40,000 and a fire is estimated to destroy 25 percent of it. What is the single loss expectancy (SLE) for one fire event?
- $25,000
- $10,000
- $40,000
- $1,000
Correct answer: $10,000
$10,000 is the correct single loss expectancy. SLE is calculated as asset value multiplied by the exposure factor (the percentage of the asset lost in a single event), so $40,000 times 0.25 equals $10,000. The other figures ignore either the asset value or the exposure factor and therefore do not represent the loss from one event.
- While calculating loss for a risk assessment, an analyst needs the percentage of an asset's value that would be lost if a specific threat were realized. Which term describes this percentage?
- Exposure factor (EF)
- Annualized loss expectancy (ALE)
- Recovery point objective (RPO)
- Annualized rate of occurrence (ARO)
Correct answer: Exposure factor (EF)
Exposure factor (EF) is the correct answer. The exposure factor is the proportion (percentage) of an asset's value that is lost when a particular threat occurs, and it is multiplied by asset value to produce the single loss expectancy. ARO is how often the event happens per year, ALE is the yearly expected loss, and RPO is a recovery metric, so none represents the percentage of loss per event.
- An analyst is estimating how many times per year a particular threat, such as a server room flood, is expected to occur for use in an ALE calculation. Which metric is the analyst determining?
- Maximum tolerable downtime (MTD)
- Mean time to repair (MTTR)
- Single loss expectancy (SLE)
- Annualized rate of occurrence (ARO)
Correct answer: Annualized rate of occurrence (ARO)
Annualized rate of occurrence (ARO) is the correct answer. The ARO expresses the expected frequency of a threat event within a single year and is multiplied by the single loss expectancy to derive the annualized loss expectancy. MTTR and MTD are recovery and downtime metrics, and SLE is the loss per single event, so none of those measure yearly frequency.
- A team performs an automated, non-intrusive examination of systems to identify and report known weaknesses such as missing patches and misconfigurations, but it does not attempt to exploit them. What is this activity called?
- A vulnerability scan
- A penetration test
- A business impact analysis
- A tabletop exercise
Correct answer: A vulnerability scan
A vulnerability scan is the correct answer. A vulnerability scan uses automated tools to identify and report known weaknesses such as missing patches and misconfigurations without exploiting them. A penetration test goes further by actively attempting to exploit weaknesses, a tabletop exercise is a discussion-based drill, and a business impact analysis evaluates disruption consequences, so none matches a non-intrusive automated scan.
- An organization hires an outside firm to actively attempt to breach its systems by exploiting vulnerabilities, simulating a real attacker to validate defenses. What is this authorized engagement called?
- A penetration test
- A compliance audit
- A gap analysis
- A vulnerability scan
Correct answer: A penetration test
A penetration test is the correct answer. A penetration test is an authorized, simulated attack in which testers actively exploit vulnerabilities to demonstrate real impact and validate defenses, going beyond merely identifying flaws. A vulnerability scan only detects weaknesses without exploiting them, a compliance audit checks adherence to requirements, and a gap analysis compares current versus desired state, so none involves actively exploiting systems.
- A company commissions an external penetration test in which the testers are given full knowledge of the network architecture, source code, and credentials before they begin. Which testing approach is this?
- Passive reconnaissance
- White box testing
- Gray box testing
- Black box testing
Correct answer: White box testing
White box testing is the correct answer. In white box (also called full-knowledge) penetration testing, the testers are provided complete information such as architecture diagrams, source code, and credentials before testing, enabling thorough coverage. Black box testing gives testers no prior knowledge to simulate an outside attacker, gray box provides partial knowledge, and passive reconnaissance only gathers public information, so none matches a full-knowledge engagement.
- A vendor contract guarantees that a cloud service will be available 99.95 percent of the time each month, with credits owed if that target is missed. Which type of agreement defines these measurable service commitments?
- A memorandum of understanding (MOU)
- A service level agreement (SLA)
- A business partnership agreement (BPA)
- A non-disclosure agreement (NDA)
Correct answer: A service level agreement (SLA)
A service level agreement (SLA) is the correct answer. An SLA is a contract that defines the specific, measurable levels of service a provider must deliver, such as uptime percentages and response times, along with penalties or credits for failing to meet them. An MOU expresses general intent, a BPA governs a business partnership's terms, and an NDA protects confidential information, so none defines measurable service performance targets.
- Two organizations entering an informal collaboration want to document their mutual intentions and broad responsibilities, while making clear the document is not a legally binding contract. Which agreement best fits this purpose?
- A statement of work (SOW)
- A memorandum of understanding (MOU)
- A master service agreement (MSA)
- A service level agreement (SLA)
Correct answer: A memorandum of understanding (MOU)
A memorandum of understanding (MOU) is the correct answer. An MOU documents the broad intentions, expectations, and responsibilities between parties and is generally non-binding, making it suited to informal or preliminary collaboration. An SLA specifies measurable service levels, an SOW details specific deliverables and timelines for work, and an MSA sets binding overarching contract terms, so none fits a non-binding statement of intent.
- A company installs warning signs, motion-activated lighting, and visible security cameras around its data center perimeter. According to the CompTIA control type taxonomy, into which category do these measures PRIMARILY fall?
- Corrective controls
- Directive controls
- Compensating controls
- Deterrent controls
Correct answer: Deterrent controls
Correct answer: Deterrent controls. Deterrent controls are designed to discourage a threat actor from attempting an attack in the first place; signs, lighting, and visible cameras make a target appear risky and watched. Corrective controls restore systems after an incident, compensating controls substitute for a required control that cannot be implemented, and directive controls instruct or guide behavior through policy.
- An organization wants to map every control it deploys to one of the functional control types used by CompTIA. Which set lists ONLY valid functional control types?
- Technical, managerial, operational, physical
- Confidentiality, integrity, availability, accountability
- Preventive, deterrent, detective, corrective, compensating, directive
- Administrative, logical, hardware, software
Correct answer: Preventive, deterrent, detective, corrective, compensating, directive
Correct answer: Preventive, deterrent, detective, corrective, compensating, and directive. These are the six functional (purpose-based) control types in Security+. Technical, managerial, operational, and physical describe control categories (how a control is implemented), not its function. The other options mix CIA properties and unrelated labels.
- A security policy document instructs all employees that they must lock their workstations whenever they step away from their desks. What functional type of control is this written instruction itself?
- Detective control
- Directive control
- Corrective control
- Preventive control
Correct answer: Directive control
Correct answer: Directive control. A directive control guides or mandates behavior through instruction, such as a policy telling staff what action to take. Detective controls identify events after they occur, corrective controls remediate after an incident, and preventive controls technically stop an action from happening rather than instructing a person to perform it.
- After a malware infection, an organization runs antivirus to remove the malicious files and restores affected files from clean backups. Which functional control type BEST describes these post-incident remediation actions?
- Corrective
- Detective
- Preventive
- Deterrent
Correct answer: Corrective
Correct answer: Corrective. Corrective controls act after an incident has been detected to limit damage and return systems to a known-good state, exactly what removing malware and restoring backups accomplishes. Preventive controls stop incidents beforehand, detective controls identify that an incident occurred, and deterrent controls discourage attackers from trying.
- Which CompTIA control category encompasses measures such as security guards, fences, locks, bollards, and access badges that protect tangible assets?
- Technical
- Managerial
- Operational
- Physical
Correct answer: Physical
Correct answer: Physical. The physical control category includes measures that protect real-world facilities and hardware, such as guards, fences, locks, bollards, and badge readers. Technical controls are implemented through technology and systems, managerial controls involve policy and risk decisions, and operational controls are performed by people in day-to-day processes.
- A risk committee creates a formal acceptable use policy and conducts an annual risk assessment. Within the CompTIA control category model, what type of controls are these governance and policy activities?
- Physical controls
- Technical controls
- Managerial controls
- Detective controls
Correct answer: Managerial controls
Correct answer: Managerial controls. Managerial (administrative) controls are governance-oriented measures such as policies, risk assessments, and security planning that direct how an organization manages risk. Technical controls use technology, physical controls protect tangible assets, and detective is a functional type rather than a control category.
- An administrator configures security awareness training, account provisioning procedures, and routine log review carried out by analysts. Which control CATEGORY do these human-performed, day-to-day activities belong to?
- Technical
- Operational
- Managerial
- Compensating
Correct answer: Operational
Correct answer: Operational. Operational controls are carried out by people as part of regular operations, including awareness training, account management procedures, and manual log review. Technical controls are enforced by systems, managerial controls are policy and risk governance, and compensating is a functional type, not a category.
- Which element of the CIA triad is directly compromised when a denial-of-service attack prevents legitimate users from reaching a web application?
- Availability
- Integrity
- Confidentiality
- Non-repudiation
Correct answer: Availability
Correct answer: Availability. Availability ensures that systems and data are accessible to authorized users when needed; a denial-of-service attack attacks exactly this by making resources unreachable. Confidentiality concerns unauthorized disclosure, integrity concerns unauthorized modification, and non-repudiation concerns proof of origin, none of which is the primary target of a DoS.
- A bank wants to be able to prove that a customer who submitted a wire transfer request cannot later credibly deny having sent it. Which security concept addresses this requirement?
- Confidentiality
- Availability
- Authentication
- Non-repudiation
Correct answer: Non-repudiation
Correct answer: Non-repudiation. Non-repudiation provides undeniable proof of the origin and integrity of an action, typically through digital signatures, so a sender cannot later deny their action. Confidentiality protects against disclosure, availability ensures access, and authentication verifies identity but does not by itself prevent later denial of the action.
- In the AAA framework used for access control, which component records what an authenticated user did, such as the commands run and resources accessed?
- Authentication
- Authorization
- Accounting
- Attestation
Correct answer: Accounting
Correct answer: Accounting. Accounting (the third A in AAA) tracks and logs the actions a user takes after gaining access, supporting auditing and non-repudiation. Authentication verifies identity, authorization determines what an authenticated identity may do, and attestation is the act of proving a system's state, not part of AAA.
- A network architect designing under a Zero Trust model is implementing the control plane. Which function is a responsibility of the Zero Trust control plane rather than the data plane?
- Forwarding the actual user traffic to the requested resource
- Defining and managing access policies through a policy engine and policy administrator
- Encrypting packets as they traverse the network segment
- Physically connecting endpoints to switch ports
Correct answer: Defining and managing access policies through a policy engine and policy administrator
Correct answer: Defining and managing access policies through a policy engine and policy administrator. In Zero Trust, the control plane makes adaptive access decisions using components such as the policy engine and policy administrator. Forwarding user traffic and the enforcement of those decisions occur in the data plane, while encryption and physical cabling are not control-plane policy functions.
- In a Zero Trust architecture, which component is responsible for ENFORCING the access decision by allowing or blocking a session between a subject and a resource?
- Policy Enforcement Point (PEP)
- Policy Engine (PE)
- Policy Administrator (PA)
- Certificate Authority (CA)
Correct answer: Policy Enforcement Point (PEP)
Correct answer: Policy Enforcement Point (PEP). The PEP sits in the data plane and actually permits, denies, or terminates the connection based on the decision passed to it. The Policy Engine makes the access decision, the Policy Administrator establishes or tears down the communication path, and a Certificate Authority issues certificates rather than enforcing access.
- In a Zero Trust architecture, what is the role of the threat scope reduction (microsegmentation) approach?
- It widens the network into a single trusted zone for easier management
- It replaces encryption with plaintext transmission inside the perimeter
- It eliminates the need for any authentication of users
- It limits the blast radius of a breach by minimizing implicit trust and isolating resources
Correct answer: It limits the blast radius of a breach by minimizing implicit trust and isolating resources
Correct answer: It limits the blast radius of a breach by minimizing implicit trust and isolating resources. Threat scope reduction, achieved through microsegmentation, shrinks implicit trust zones so a compromised resource cannot freely reach others, containing damage. It does not create one broad trusted zone, remove authentication, or replace encryption with plaintext.
- A security team deploys decoy systems and fake credentials across the network specifically to mislead attackers and study their behavior. Which category of techniques does this represent?
- Configuration enforcement
- Data loss prevention
- Deception and disruption technology
- Least privilege enforcement
Correct answer: Deception and disruption technology
Correct answer: Deception and disruption technology. Honeypots, honeynets, honeyfiles, and honeytokens are deception and disruption tools used to lure, detect, and analyze attackers without exposing real assets. Data loss prevention stops sensitive data exfiltration, configuration enforcement maintains baselines, and least privilege limits permissions, none of which is fundamentally about misleading attackers.
- An administrator plants a single fake API key in a configuration repository that no legitimate process should ever use, so that any attempt to use it raises an immediate alert. What deception technique is this?
- Honeynet
- Honeytoken
- Honeypot
- Sinkhole
Correct answer: Honeytoken
Correct answer: Honeytoken. A honeytoken is a piece of bait data, such as a fake credential or API key, whose only purpose is to trigger an alert when used, signaling unauthorized access. A honeynet is a network of decoy systems, a honeypot is a single decoy host, and a sinkhole redirects malicious traffic rather than baiting it with fake data.
- Before a planned modification to a production firewall, an organization requires that the change be documented, analyzed for impact, and approved by a review board. Which security governance process mandates these steps?
- Change management
- Incident response
- Vulnerability scanning
- Penetration testing
Correct answer: Change management
Correct answer: Change management. Change management establishes a controlled process, including approval, impact analysis, and documentation, before modifications are made to production systems, reducing the risk of unplanned outages or security gaps. Incident response handles active events, while vulnerability scanning and penetration testing identify weaknesses rather than govern changes.
- During a change management review, the team documents a backout plan. What is the PRIMARY purpose of a backout plan?
- To estimate the financial cost of implementing the change
- To list the personnel authorized to approve the change
- To schedule the maintenance window for the change
- To define how to revert the system to its prior state if the change fails
Correct answer: To define how to revert the system to its prior state if the change fails
Correct answer: To define how to revert the system to its prior state if the change fails. A backout (rollback) plan documents the steps needed to undo a change and restore normal operation if problems arise. Approver lists, maintenance windows, and cost estimates are separate elements of the change management process, not the function of a backout plan.
- A configuration management practice records the version, settings, and dependencies of every approved system build so that unauthorized drift can be detected. Which change management concept does this describe?
- Maintenance window
- Standard operating procedure
- Baseline configuration
- Stakeholder analysis
Correct answer: Baseline configuration
Correct answer: Baseline configuration. A baseline configuration is the documented, approved standard state of a system that serves as a reference point for detecting unauthorized changes or drift. A maintenance window is a scheduled time for changes, a standard operating procedure is a step-by-step process, and stakeholder analysis identifies affected parties.
- An organization implements full-disk encryption on all laptops. At which level of encryption is this protection being applied?
- Record-level encryption
- Full-disk (volume) encryption
- Transport-level encryption
- Field-level encryption
Correct answer: Full-disk (volume) encryption
Correct answer: Full-disk (volume) encryption. Full-disk encryption protects all data on a storage device at once, securing it if the laptop is lost or stolen. Record- and field-level encryption protect specific data elements within a database, and transport-level encryption protects data in motion across a network rather than data at rest on a disk.
- A developer needs to protect sensitive fields in a payment system but must keep the data format and length identical so legacy applications still function. Which technique BEST meets this requirement?
- Tokenization
- Hashing
- Steganography
- Compression
Correct answer: Tokenization
Correct answer: Tokenization. Tokenization replaces sensitive values with format-preserving surrogate tokens that have no exploitable value, keeping length and format intact for legacy systems while the real data is stored securely in a token vault. Hashing produces fixed-length irreversible output, steganography hides data inside other data, and compression reduces size without protecting confidentiality.
- A security analyst hides a confidential message inside the least significant bits of an image file so its very existence is concealed. Which technique is being used?
- Salting
- Symmetric encryption
- Key stretching
- Obfuscation through steganography
Correct answer: Obfuscation through steganography
Correct answer: Obfuscation through steganography. Steganography conceals the existence of data by embedding it within another file, such as an image, so observers do not realize a hidden message is present. Symmetric encryption scrambles data but does not hide its existence, key stretching strengthens weak keys, and salting adds randomness to hashes.
- An organization wants hardware-based protection that securely stores cryptographic keys on a motherboard and supports measured boot for individual endpoints. Which technology is designed for this purpose?
- Hardware Security Module (HSM)
- Key Management System (KMS)
- Trusted Platform Module (TPM)
- Secure web gateway
Correct answer: Trusted Platform Module (TPM)
Correct answer: Trusted Platform Module (TPM). A TPM is a dedicated chip on a device's motherboard that securely stores keys and supports integrity functions like measured boot for that individual endpoint. An HSM is a separate appliance for enterprise-scale key operations, a KMS manages key lifecycles centrally, and a secure web gateway filters web traffic.
- A company must perform thousands of high-volume cryptographic operations and securely manage keys at enterprise scale using a dedicated, tamper-resistant appliance. Which solution is MOST appropriate?
- Trusted Platform Module (TPM)
- Hardware Security Module (HSM)
- Trusted Execution Environment (TEE)
- Self-encrypting drive (SED)
Correct answer: Hardware Security Module (HSM)
Correct answer: Hardware Security Module (HSM). An HSM is a dedicated, tamper-resistant appliance built for high-volume cryptographic processing and centralized key management at enterprise scale. A TPM secures a single endpoint, a TEE provides an isolated execution area within a processor, and a self-encrypting drive only handles encryption of its own storage.
- A team is concerned that future quantum computers could break their current public-key algorithms. Which approach directly addresses this concern?
- Adopting post-quantum (quantum-resistant) cryptographic algorithms
- Increasing the password complexity policy
- Switching from TLS to IPSec
- Implementing role-based access control
Correct answer: Adopting post-quantum (quantum-resistant) cryptographic algorithms
Correct answer: Adopting post-quantum (quantum-resistant) cryptographic algorithms. Post-quantum cryptography uses mathematical problems believed to resist attacks from quantum computers, directly mitigating the future risk to classical public-key schemes. Stronger passwords, changing VPN protocols, and access control models do not address the quantum threat to asymmetric algorithms.
- An application stores user passwords by adding a unique random value to each password before hashing it. What is the PRIMARY security benefit of adding this unique random value per user?
- It compresses the stored hash to save disk space
- It allows the original password to be decrypted when needed
- It defeats precomputed rainbow table attacks and ensures identical passwords produce different hashes
- It speeds up the hashing process for faster logins
Correct answer: It defeats precomputed rainbow table attacks and ensures identical passwords produce different hashes
Correct answer: It defeats precomputed rainbow table attacks and ensures identical passwords produce different hashes. A unique per-user salt makes precomputed lookup tables ineffective and prevents two users with the same password from sharing a hash. Hashing is one-way so it cannot decrypt, salting does not compress storage, and it does not exist to speed up the process.
- A piece of malware lies dormant on a server until a specific condition is met, such as a particular date or the deletion of an employee's account, at which point it deletes critical files. Which threat does this describe?
- Logic bomb
- Worm
- Spyware
- Adware
Correct answer: Logic bomb
A logic bomb is malicious code that stays inactive until a predefined trigger condition, like a date or event, is satisfied, then executes its payload. A worm self-replicates across networks, spyware covertly gathers information, and adware displays unwanted advertisements, none of which depend on a trigger condition to fire a destructive payload.
- A device ships with numerous unnecessary preinstalled applications that consume resources and expand the attack surface without the user's request. What does this describe?
- A Trojan
- A logic bomb
- Bloatware
- A worm
Correct answer: Bloatware
Bloatware refers to unwanted preinstalled software that wastes resources and increases the attack surface. A Trojan disguises itself as legitimate software, a logic bomb waits for a trigger, and a worm self-replicates, so those do not match the definition of unnecessary preloaded applications.
- Which characteristic best distinguishes fileless malware from traditional malware?
- It always requires the user to download an attachment
- It can only infect Linux systems
- It encrypts the hard drive on every reboot
- It runs in memory using legitimate system tools rather than writing an executable to disk
Correct answer: It runs in memory using legitimate system tools rather than writing an executable to disk
Fileless malware operates in memory and abuses legitimate utilities such as PowerShell instead of dropping a file on disk, which helps it evade signature-based detection. It does not strictly require a downloaded attachment, is not limited to Linux, and does not necessarily encrypt the disk, so the in-memory, living-off-the-land behavior is the defining trait.
- An organization discovers that malicious code was inserted into a software update from a trusted third-party vendor before it was distributed to customers. Which type of attack is this?
- Supply chain attack
- Watering hole attack
- Brute-force attack
- Replay attack
Correct answer: Supply chain attack
A supply chain attack compromises a trusted vendor, supplier, or component so that the malicious code reaches many downstream customers. A watering hole targets sites a victim visits, a brute-force attack guesses credentials, and a replay attack resends captured data, so the trusted-vendor update compromise is best described as a supply chain attack.
- A vulnerability arises because an application checks a resource's state and then acts on it in two separate steps, allowing an attacker to alter the resource between the check and the use. What is this flaw called?
- Buffer overflow
- Race condition (TOCTOU)
- Cross-site scripting
- SQL injection
Correct answer: Race condition (TOCTOU)
This describes a race condition, specifically a time-of-check to time-of-use (TOCTOU) flaw, where the gap between validating and using a resource is exploited. A buffer overflow overruns memory boundaries, cross-site scripting injects browser scripts, and SQL injection targets databases, so only the race condition involves the timing gap between check and use.
- An attacker exploits a flaw to write code into a running process's memory space and execute it, hijacking the program's control flow. Which vulnerability category does this represent?
- Privilege escalation via misconfiguration
- Typosquatting
- Memory injection
- Vishing
Correct answer: Memory injection
Memory injection involves inserting and running malicious code within a process's memory to seize control of execution. Privilege escalation through misconfiguration abuses settings, typosquatting relies on mistyped domains, and vishing uses voice calls, so writing code into process memory is memory injection.
- Which attack derives secret information by measuring physical characteristics such as power consumption, electromagnetic emissions, or timing rather than breaking the algorithm directly?
- Dictionary attack
- Birthday attack
- Downgrade attack
- Side-channel attack
Correct answer: Side-channel attack
A side-channel attack extracts secrets by observing physical leakage like timing, power draw, or emissions rather than attacking the math of an algorithm. A dictionary attack guesses passwords from a list, a birthday attack exploits hash collisions, and a downgrade attack forces weaker protocols, so the physical-measurement approach is the side channel.
- A web server is left with default administrative credentials and unnecessary services enabled, allowing easy compromise. Which vulnerability does this represent?
- Misconfiguration
- Zero-day
- Race condition
- Cryptographic weakness
Correct answer: Misconfiguration
Leaving default credentials and unneeded services running is a misconfiguration, a common and avoidable weakness. A zero-day is an unknown unpatched flaw, a race condition is a timing issue, and a cryptographic weakness involves flawed encryption, so insecure default settings fall under misconfiguration.
- A user removes the manufacturer's software restrictions on a smartphone to install unauthorized applications, increasing the device's exposure to malware. What is this action commonly called?
- Sideloading patches
- Jailbreaking
- Hardening
- Sandboxing
Correct answer: Jailbreaking
Jailbreaking removes vendor-imposed software restrictions on a mobile device, which expands its attack surface and risk of malware. Hardening reduces attack surface, sandboxing isolates applications, and applying patches improves security, so bypassing the restrictions is jailbreaking.
- An attacker sends unsolicited messages to nearby Bluetooth-enabled devices. Which attack is this?
- Bluesnarfing
- Evil twin
- Bluejacking
- Smurf attack
Correct answer: Bluejacking
Bluejacking sends unsolicited messages to nearby Bluetooth devices but does not steal data. Bluesnarfing actually extracts data over Bluetooth, an evil twin is a rogue Wi-Fi access point, and a Smurf attack is an ICMP amplification flood, so unsolicited Bluetooth messaging is bluejacking.
- An attacker connects to a victim's Bluetooth device without authorization and copies contacts, messages, and files. Which attack is this?
- Bluejacking
- Jamming
- Typosquatting
- Bluesnarfing
Correct answer: Bluesnarfing
Bluesnarfing is the unauthorized access and theft of data from a Bluetooth device. Bluejacking only sends unwanted messages, jamming disrupts wireless signals, and typosquatting uses misspelled domains, so stealing data over Bluetooth is bluesnarfing.
- An attacker tries one or a few common passwords across many different user accounts to avoid triggering account lockouts. Which technique is this?
- Password spraying
- Rainbow table attack
- Pass-the-hash
- Keylogging
Correct answer: Password spraying
Password spraying tests a small number of common passwords against many accounts to stay under lockout thresholds. A rainbow table reverses hashes, pass-the-hash reuses captured hashes, and keylogging captures typed input, so the low-and-slow many-accounts approach is password spraying.
- What is the key difference between an online brute-force attack and an offline brute-force attack?
- An online attack only works on encrypted disks
- An offline attack runs against stolen hashes locally, while an online attack submits guesses to the live system
- An offline attack always uses a single password
- There is no practical difference between them
Correct answer: An offline attack runs against stolen hashes locally, while an online attack submits guesses to the live system
An offline brute-force attack works against captured password hashes on the attacker's own systems with no lockout limits, while an online attack submits guesses directly to the running authentication service and risks detection and lockout. The other options misstate where and how the attacks operate, so the local-hashes versus live-system distinction is correct.
- An attacker floods a switch with forged MAC addresses to overflow its address table, causing it to broadcast traffic out all ports so the attacker can capture it. Which attack is this?
- ARP poisoning
- DNS poisoning
- MAC flooding
- Session hijacking
Correct answer: MAC flooding
MAC flooding overwhelms a switch's CAM table with bogus MAC addresses, forcing it to fail open and broadcast frames, enabling eavesdropping. ARP poisoning corrupts ARP caches, DNS poisoning corrupts name resolution, and session hijacking steals an active session, so overflowing the switch table is MAC flooding.
- An attacker sends forged ARP replies on a LAN to associate their MAC address with the default gateway's IP, intercepting victims' traffic. What is this attack?
- MAC cloning
- Smishing
- Buffer overflow
- ARP poisoning
Correct answer: ARP poisoning
ARP poisoning sends spoofed ARP messages to map the attacker's MAC to a legitimate IP, redirecting traffic through the attacker for an on-path position. MAC cloning copies a device's hardware address, smishing uses SMS phishing, and a buffer overflow overruns memory, so spoofing ARP replies is ARP poisoning.
- A DDoS attack sends small DNS queries with a spoofed source address so that large DNS responses are directed at the victim. What is this technique called?
- Reflected/amplified DDoS
- Application-layer DDoS
- SYN flood
- Logic bomb
Correct answer: Reflected/amplified DDoS
A reflected and amplified DDoS spoofs the victim's address in small requests to public servers so the much larger replies flood the target. An application-layer DDoS exhausts app resources, a SYN flood abuses the TCP handshake, and a logic bomb is dormant malware, so the spoofed-query large-response technique is reflection/amplification.
- Which DDoS variant targets a web application's resource-intensive functions, such as search or login, with seemingly legitimate requests rather than overwhelming raw bandwidth?
- Volumetric UDP flood
- Application-layer (Layer 7) DDoS
- Smurf attack
- Fraggle attack
Correct answer: Application-layer (Layer 7) DDoS
An application-layer (Layer 7) DDoS exhausts server resources by hammering costly application functions with requests that look legitimate, often using low bandwidth. A volumetric UDP flood, Smurf, and Fraggle all rely on raw bandwidth or amplification at lower layers, so the resource-targeting app-level attack is the Layer 7 DDoS.
- Security analysts notice an account logging in from New York and, twelve minutes later, from Tokyo. Which indicator of compromise does this represent?
- Resource consumption
- Out-of-cycle logging
- Impossible travel
- Missing logs
Correct answer: Impossible travel
Two logins from geographically distant locations within a time span no human could physically travel is the impossible travel indicator of compromise, suggesting stolen credentials. Resource consumption, out-of-cycle logging, and missing logs are different IoCs, so the geographically impossible login pattern is impossible travel.
- An administrator observes that a server's CPU and memory are pegged at near 100% with no legitimate workload to explain it. Which indicator of compromise does this best illustrate?
- Account lockout
- Concurrent session usage
- Blocked content
- Resource consumption
Correct answer: Resource consumption
Unexplained, sustained high resource consumption can indicate malware such as a cryptominer or an ongoing attack consuming CPU and memory. Account lockout, concurrent session usage, and blocked content are other indicators, so abnormal resource utilization is the resource-consumption IoC.
- Repeated failed authentication attempts that trigger many users being locked out can serve as an indicator of which activity?
- A brute-force or password-guessing attack
- A normal scheduled backup
- A successful software patch
- Routine certificate renewal
Correct answer: A brute-force or password-guessing attack
A surge of account lockouts from failed logins is an indicator of compromise pointing to brute-force or password-guessing attacks. A backup, a patch, and certificate renewal are routine maintenance activities that do not generate mass authentication failures, so the lockout pattern signals a credential attack.
- Which mitigation technique reduces a system's attack surface by disabling unnecessary services, closing unused ports, and removing default accounts?
- Tokenization
- Hardening
- Steganography
- Geofencing
Correct answer: Hardening
Hardening reduces the attack surface by disabling unneeded services, closing ports, and removing default accounts and software. Tokenization substitutes sensitive data, steganography hides data within other files, and geofencing restricts by location, so reducing attack surface through secure configuration is hardening.
- An organization divides its network into isolated zones so that a compromise in one zone cannot easily spread to others. Which mitigation technique is this?
- Patching
- Encryption
- Segmentation
- Tokenization
Correct answer: Segmentation
Segmentation isolates network zones to contain breaches and limit lateral movement. Patching fixes software flaws, encryption protects data confidentiality, and tokenization replaces sensitive values, so dividing the network into isolated zones is segmentation.
- Which mitigation directly addresses known software vulnerabilities by applying vendor-released fixes in a timely, managed way?
- Least privilege
- Network segmentation
- Data masking
- Patch management
Correct answer: Patch management
Patch management remediates known vulnerabilities by deploying vendor fixes through a controlled process. Least privilege limits access rights, segmentation isolates networks, and data masking obscures sensitive fields, so applying vendor fixes to known flaws is patch management.
- Which mitigation ensures that data remains unreadable to attackers even if storage media or backups are stolen?
- Segmentation
- Encryption
- Monitoring
- Patching
Correct answer: Encryption
Encryption renders data unreadable without the proper key, protecting confidentiality even if media or backups are stolen. Segmentation isolates networks, monitoring detects activity, and patching fixes flaws, so making stolen data unreadable is achieved through encryption.
- An organization deploys continuous log collection and analysis to detect threats as they occur. Which mitigation strategy does this represent?
- Decommissioning
- Hardening
- Monitoring
- Least privilege
Correct answer: Monitoring
Monitoring involves continuously collecting and analyzing telemetry such as logs to detect and respond to threats. Decommissioning retires assets, hardening reduces attack surface, and least privilege limits access, so ongoing detection through log analysis is monitoring.
- Which mitigation technique uses tools to detect and automatically correct deviations from an approved secure baseline across systems?
- Tokenization
- Air gapping
- Steganography
- Configuration enforcement
Correct answer: Configuration enforcement
Configuration enforcement uses automated tooling to detect and remediate drift from an approved secure baseline, keeping systems compliant. Tokenization substitutes sensitive data, air gapping physically isolates a network, and steganography hides data, so enforcing a baseline configuration is configuration enforcement.
- When an organization retires old equipment, securely wiping and destroying data-bearing media is part of which mitigation activity?
- Decommissioning
- Provisioning
- Patching
- Sandboxing
Correct answer: Decommissioning
Decommissioning is the secure retirement of assets, including sanitizing or destroying media so residual data is not exposed. Provisioning sets up new resources, patching fixes flaws, and sandboxing isolates execution, so securely retiring equipment and media is decommissioning.
- An attacker abuses a flaw to gain higher permissions than originally granted, such as moving from a standard user to an administrator. What is this called?
- Lateral movement
- Privilege escalation
- Data exfiltration
- Credential stuffing
Correct answer: Privilege escalation
Privilege escalation occurs when an attacker obtains rights beyond those they were assigned, such as becoming an administrator. Lateral movement spreads across systems, data exfiltration steals data, and credential stuffing reuses breached credentials, so gaining higher permissions is privilege escalation.
- An attacker reuses username and password pairs leaked from one breached site to log in to accounts on other sites. Which attack is this?
- Password spraying
- Rainbow table attack
- Credential stuffing
- Dictionary attack
Correct answer: Credential stuffing
Credential stuffing automates logins using credential pairs stolen from prior breaches, exploiting password reuse across sites. Password spraying tries common passwords across accounts, a rainbow table reverses hashes, and a dictionary attack guesses from a word list, so reusing breached credential pairs is credential stuffing.
- A malicious actor sets up a rogue wireless access point with the same SSID as a legitimate corporate network to lure users into connecting. Which attack is this?
- Bluesnarfing
- Smurf attack
- Logic bomb
- Evil twin
Correct answer: Evil twin
An evil twin is a rogue access point that mimics a legitimate SSID to trick users into connecting so traffic can be intercepted. Bluesnarfing steals Bluetooth data, a Smurf attack is an ICMP flood, and a logic bomb is dormant malware, so the fake matching Wi-Fi access point is an evil twin.
- An attacker intentionally transmits radio interference to disrupt a wireless network's availability. What is this attack called?
- Jamming
- Spoofing
- Tailgating
- Pretexting
Correct answer: Jamming
Jamming floods the wireless spectrum with interference to deny service to legitimate users. Spoofing falsifies identity, tailgating is a physical entry technique, and pretexting is a social-engineering pretext, so intentional radio interference is jamming.
- Which vulnerability arises when an application includes outdated open-source libraries or components with known flaws?
- Improper key generation
- Use of vulnerable third-party components
- Cross-site request forgery
- Clickjacking
Correct answer: Use of vulnerable third-party components
Using outdated or vulnerable third-party libraries and components introduces known flaws into an application, a common supply-chain and software vulnerability. Improper key generation is a cryptographic issue, cross-site request forgery tricks authenticated users, and clickjacking overlays UI elements, so the dependency issue is the use of vulnerable components.
- A cryptographic attack exploits the mathematics of hash collisions to find two different inputs that produce the same hash. Which attack is this?
- Downgrade attack
- Replay attack
- Birthday attack
- Side-channel attack
Correct answer: Birthday attack
A birthday attack leverages the probability of hash collisions, named for the birthday paradox, to find two inputs with the same digest. A downgrade attack forces weaker protocols, a replay attack resends captured data, and a side-channel attack measures physical leakage, so the collision-based attack is the birthday attack.
- An attacker forces a secure connection to negotiate an older, weaker protocol or cipher that is easier to break. Which attack is this?
- Birthday attack
- Pass-the-hash
- Watering hole attack
- Downgrade attack
Correct answer: Downgrade attack
A downgrade attack manipulates negotiation so that a weaker, more vulnerable protocol or cipher is used, undermining the connection's security. A birthday attack exploits collisions, pass-the-hash reuses captured hashes, and a watering hole compromises frequented sites, so forcing weaker crypto is a downgrade attack.
- An attacker captures a user's password hash from memory and uses it to authenticate to other systems without ever cracking the plaintext password. Which attack is this?
- Pass-the-hash
- Rainbow table attack
- Brute-force attack
- SQL injection
Correct answer: Pass-the-hash
Pass-the-hash reuses a captured password hash to authenticate directly, bypassing the need to recover the plaintext. A rainbow table reverses hashes to plaintext, a brute-force attack guesses passwords, and SQL injection targets databases, so authenticating with a stolen hash is pass-the-hash.
- Which insider-related risk involves a trusted employee or partner being manipulated or coerced into aiding an attack without realizing the harm?
- Advanced persistent threat
- Unintentional insider threat
- Script kiddie activity
- Hacktivism
Correct answer: Unintentional insider threat
An unintentional insider threat occurs when a trusted person is tricked, negligent, or coerced into facilitating a compromise without malicious intent. An advanced persistent threat is a sophisticated external campaign, script kiddies use prewritten tools, and hacktivism is ideologically motivated, so the manipulated trusted insider is the unintentional insider threat.
- After compromising one workstation, an attacker uses stolen credentials to access additional internal systems and expand their foothold. Which activity is this?
- Privilege escalation
- Reconnaissance
- Lateral movement
- Exfiltration staging
Correct answer: Lateral movement
Lateral movement is the technique of pivoting from an initial foothold to other systems within the network to broaden access. Privilege escalation raises permissions, reconnaissance gathers information, and exfiltration staging prepares data for theft, so moving across internal systems is lateral movement.
- An IoT thermostat with hardcoded credentials and no patching capability introduces what kind of weakness in an enterprise environment?
- A zero-day in the operating system
- A race condition
- A cryptographic downgrade
- A vulnerable embedded/IoT device
Correct answer: A vulnerable embedded/IoT device
Embedded and IoT devices with hardcoded credentials and no update mechanism are a recognized hardware/firmware vulnerability that attackers exploit as a foothold. A zero-day is an unknown software flaw, a race condition is a timing issue, and a downgrade weakens crypto negotiation, so the unpatchable IoT device with hardcoded credentials is a vulnerable embedded/IoT device.
- An attacker on a local network sends forged Address Resolution Protocol replies that map the default gateway's IP address to the attacker's MAC address, causing victim traffic to be routed through the attacker's machine. Which attack is this?
- DNS poisoning
- ARP poisoning
- MAC flooding
- Smurf attack
Correct answer: ARP poisoning
Correct answer: ARP poisoning. Explanation: ARP poisoning (ARP spoofing) sends falsified ARP replies that associate the attacker's MAC address with a legitimate IP such as the gateway, so traffic intended for that host is delivered to the attacker. This enables on-path interception on a local LAN. DNS poisoning targets name resolution, MAC flooding overwhelms a switch's CAM table, and a Smurf attack abuses ICMP broadcast amplification.
- Security staff discover a wireless access point broadcasting the same SSID as the corporate network, set up by an attacker in the parking lot to trick employees into connecting and exposing their traffic. Which threat does this describe?
- Evil twin
- Bluesnarfing
- War driving
- Jamming
Correct answer: Evil twin
Correct answer: Evil twin. Explanation: An evil twin is a rogue access point configured to imitate a legitimate network's SSID so that users unknowingly connect to the attacker, who can then intercept their wireless traffic. Bluesnarfing steals data over Bluetooth, war driving is the act of searching for wireless networks, and jamming floods the RF spectrum to deny service.
- An attacker takes a single commonly used password, such as 'Spring2026!', and tries it against hundreds of different user accounts to avoid triggering account-lockout thresholds. Which attack is this?
- Brute-force attack
- Dictionary attack
- Password spraying
- Rainbow table attack
Correct answer: Password spraying
Correct answer: Password spraying. Explanation: Password spraying tries one or a few common passwords across many accounts, the reverse of a traditional attack, specifically to stay under per-account lockout limits. A brute-force attack tries many passwords against one account, a dictionary attack uses a wordlist against an account, and a rainbow table attack reverses captured hashes.
- A developer plants malicious code in an application that remains dormant until a specific condition is met, such as the developer's name being removed from the payroll database, at which point it deletes files. What is this threat?
- Logic bomb
- Backdoor
- Worm
- Adware
Correct answer: Logic bomb
Correct answer: Logic bomb. Explanation: A logic bomb is malicious code that lies dormant until a defined trigger condition or date occurs, then executes its payload. The payroll-removal trigger is a classic example. A backdoor provides covert access, a worm self-propagates across networks, and adware displays unwanted advertisements.
- Investigators find malicious activity running entirely in memory using legitimate tools such as PowerShell, with no executable written to disk, making it difficult for traditional signature-based antivirus to detect. What type of attack is this?
- Rootkit
- Fileless malware
- Trojan
- Bloatware
Correct answer: Fileless malware
Correct answer: Fileless malware. Explanation: Fileless malware operates in memory and abuses trusted, built-in tools (living-off-the-land) such as PowerShell or WMI, leaving little or no footprint on disk and evading signature-based detection. A rootkit hides at a privileged level but typically has disk artifacts, a Trojan masquerades as legitimate software, and bloatware is unwanted preinstalled software.
- An adversary compromises a trusted software vendor and embeds malicious code into a routine product update, which is then distributed to thousands of downstream customers who trust the vendor's signed package. Which type of attack is this?
- Watering hole attack
- Supply chain attack
- Pharming attack
- Privilege escalation
Correct answer: Supply chain attack
Correct answer: Supply chain attack. Explanation: A supply chain attack targets a trusted vendor, supplier, or update mechanism so that malicious code reaches many downstream customers who inherently trust the source. A watering hole compromises a site the targets visit, pharming redirects users to fraudulent sites, and privilege escalation raises an attacker's access level on a system already breached.
- After gaining access to a standard user account, an attacker exploits a misconfigured service to obtain administrative rights on the same system. Which activity does this describe?
- Lateral movement
- Privilege escalation
- Pivoting
- Credential stuffing
Correct answer: Privilege escalation
Correct answer: Privilege escalation. Explanation: Privilege escalation is the act of gaining higher permissions than originally granted, such as moving from a standard user to administrator by exploiting a flaw or misconfiguration. Lateral movement and pivoting refer to spreading to other systems, and credential stuffing reuses stolen username/password pairs across sites.
- An attacker manipulates a web application's file parameter by submitting '../../etc/passwd' to read files outside the intended web directory. What is this attack called?
- Directory traversal
- Cross-site scripting
- SQL injection
- Session hijacking
Correct answer: Directory traversal
Correct answer: Directory traversal. Explanation: A directory traversal (path traversal) attack uses sequences like '../' to navigate outside the web root and access unauthorized files such as system password files. Cross-site scripting injects scripts into pages, SQL injection inserts database commands, and session hijacking takes over an authenticated session.
- A logged-in user is tricked into clicking a crafted link that causes their authenticated browser to submit an unwanted state-changing request, such as transferring funds, to a banking site without their intent. Which attack is this?
- Cross-site request forgery (CSRF)
- Cross-site scripting (XSS)
- Clickjacking
- DNS hijacking
Correct answer: Cross-site request forgery (CSRF)
Correct answer: Cross-site request forgery (CSRF). Explanation: CSRF abuses a victim's existing authenticated session by causing their browser to send a forged, state-changing request to a trusted site without their knowledge. XSS executes malicious scripts in a page, clickjacking overlays deceptive UI elements, and DNS hijacking redirects name resolution.
- A laptop ships from the manufacturer with numerous preinstalled trial applications and utilities that the user did not request, consume resources, and may widen the attack surface. What are these programs collectively called?
- Spyware
- Bloatware
- Keylogger
- Ransomware
Correct answer: Bloatware
Correct answer: Bloatware. Explanation: Bloatware refers to unnecessary, often preinstalled software that consumes resources and can increase the system's attack surface, though it is not necessarily malicious. Spyware covertly gathers data, a keylogger records keystrokes, and ransomware encrypts files for extortion.
- An attacker forces a secure communication session to negotiate an older, weaker protocol version, such as falling back from TLS 1.3 to SSL 3.0, in order to exploit known weaknesses. What type of attack is this?
- Birthday attack
- Downgrade attack
- Replay attack
- Collision attack
Correct answer: Downgrade attack
Correct answer: Downgrade attack. Explanation: A downgrade attack manipulates a negotiation so the parties use a weaker, older protocol or cipher that the attacker can break. A birthday attack exploits hash collision probability, a replay attack retransmits captured data, and a collision attack finds two inputs producing the same hash.
- An organization continues running a server operating system that the vendor no longer supports, meaning no further security patches are released for newly discovered flaws. Which vulnerability does this represent?
- Zero-day vulnerability
- End-of-life (legacy) system
- Misconfiguration
- Improper input validation
Correct answer: End-of-life (legacy) system
Correct answer: End-of-life (legacy) system. Explanation: An end-of-life or legacy system no longer receives vendor security updates, so any newly discovered vulnerabilities remain permanently unpatched, increasing risk. A zero-day is an unknown flaw with no patch yet, a misconfiguration is an insecure setting, and improper input validation is a coding weakness.
- A penetration tester discovers that a network device is still using the credentials 'admin/admin' set by the manufacturer because they were never changed during deployment. Which vulnerability is this?
- Default credentials
- Open service ports
- Cryptographic downgrade
- Race condition
Correct answer: Default credentials
Correct answer: Default credentials. Explanation: Default credentials are factory-set usernames and passwords that, if left unchanged, are widely documented and easily exploited by attackers. Open service ports expose unneeded services, a cryptographic downgrade forces weaker encryption, and a race condition exploits timing between operations.
- A security analyst attributes a sophisticated, well-funded intrusion with long-term strategic objectives and stealthy persistence to a nation-state group. Which threat actor type best describes this adversary?
- Script kiddie
- Hacktivist
- Advanced persistent threat (nation-state)
- Shadow IT
Correct answer: Advanced persistent threat (nation-state)
Correct answer: Advanced persistent threat (nation-state). Explanation: A nation-state advanced persistent threat is highly resourced and sophisticated, pursuing long-term strategic goals while maintaining stealthy, persistent access. A script kiddie uses prebuilt tools with little skill, a hacktivist is driven by ideology, and shadow IT refers to unsanctioned internal technology, not an external actor.
- To reduce the attack surface of a newly deployed server, an administrator removes unnecessary software, disables unused services and ports, and applies a secure baseline configuration. Which mitigation technique is being applied?
- Network segmentation
- System hardening
- Sandboxing
- Least privilege
Correct answer: System hardening
Correct answer: System hardening. Explanation: System hardening reduces the attack surface by removing unnecessary software, disabling unused services and ports, and applying secure baseline configurations. Network segmentation isolates network zones, sandboxing contains untrusted code for testing, and least privilege restricts user permissions to the minimum needed.
- An employee notices a USB cable left in a public charging station and connects their phone, unaware it is a malicious cable designed to inject keystrokes and exfiltrate data. Which attack vector does this best illustrate?
- Removable media / malicious USB attack
- Bluejacking
- RFID cloning
- Jamming
Correct answer: Removable media / malicious USB attack
Correct answer: Removable media / malicious USB attack. Explanation: A weaponized USB cable or drive is a removable-media attack vector that can inject keystrokes (HID spoofing) or deliver malware once connected, exploiting physical and unsecured-network access. Bluejacking sends unsolicited Bluetooth messages, RFID cloning copies access badges, and jamming disrupts wireless signals.
- A bank wants its public-facing payment service to remain reachable even if an entire data center loses power. Which architectural approach BEST meets this requirement?
- Deploying the service across multiple geographically separate availability zones
- Increasing the CPU and memory of the single production server
- Scheduling nightly full backups of the payment database
- Enabling verbose logging on the payment application
Correct answer: Deploying the service across multiple geographically separate availability zones
Correct answer: Deploying the service across multiple geographically separate availability zones. Spreading workloads across separate sites or availability zones removes the single point of failure of one data center, so a power loss in one location does not take the service down. Vertical scaling, backups, and logging improve other qualities but do not provide site-level high availability.
- An organization wants to run a workload without managing the underlying operating system, patching, or server capacity, paying only for execution time. Which cloud model BEST fits this need?
- Infrastructure as a service (IaaS)
- Serverless (function as a service)
- A dedicated on-premises hypervisor cluster
- A colocation facility
Correct answer: Serverless (function as a service)
Correct answer: Serverless (function as a service). In a serverless/FaaS model the provider manages the OS, patching, and scaling, and the customer is billed only for execution time. IaaS still requires the customer to maintain the guest OS, and on-premises or colocation models leave even more infrastructure responsibility with the customer.
- A security architect wants to provision identical, repeatable cloud environments and track every configuration change in version control. Which approach BEST achieves this?
- Manually clicking through the cloud provider's web console
- Emailing configuration spreadsheets to administrators
- Infrastructure as code (IaC)
- Taking screenshots of each deployed resource
Correct answer: Infrastructure as code (IaC)
Correct answer: Infrastructure as code (IaC). IaC defines infrastructure in declarative templates that can be stored in version control, reviewed, and reused, producing identical and auditable environments. Manual console changes, spreadsheets, and screenshots are error-prone and cannot guarantee repeatable, tracked provisioning.
- A company must store credit card numbers so the production application can still process payments, but it wants to remove the actual card values from its systems and replace them with non-sensitive substitutes. Which data protection technique BEST meets this requirement?
- Steganography
- Compression
- Defragmentation
- Tokenization
Correct answer: Tokenization
Correct answer: Tokenization. Tokenization replaces sensitive values such as card numbers with non-sensitive tokens while the real data is held in a separate, protected vault, reducing the scope of systems that hold actual card data. Steganography hides data in other files, and compression and defragmentation do not protect confidentiality.
- Developers need realistic-looking customer records in a test environment but must not expose real personal data. Which technique BEST allows them to keep the format of the data while hiding the true values?
- Data masking
- Full-disk encryption of the test servers
- Increasing the database connection pool
- Enabling TLS on the test database
Correct answer: Data masking
Correct answer: Data masking. Masking replaces real field values with realistic but fictitious data so the structure remains usable for testing while the genuine personal data is never exposed. Full-disk encryption, larger connection pools, and TLS protect data in other ways but still expose the real values to the test users.
- An architect is selecting a protocol to securely manage network devices and wants to replace the cleartext protocol historically used for remote command-line administration. Which protocol should be used?
Correct answer: SSH
Correct answer: SSH. SSH encrypts the entire remote administration session, replacing the legacy cleartext protocol Telnet that exposes credentials and commands. HTTP and FTP are also unencrypted and are not appropriate replacements for secure command-line management.
- A security team needs to ensure that DNS responses cannot be forged or tampered with in transit by validating their authenticity with digital signatures. Which technology BEST provides this protection?
- DHCP snooping
- NAT
- DNSSEC
- STP
Correct answer: DNSSEC
Correct answer: DNSSEC. DNSSEC adds digital signatures to DNS records so resolvers can verify that responses are authentic and unaltered, defending against forged DNS data. DHCP snooping, NAT, and Spanning Tree Protocol address different network functions and do not authenticate DNS records.
- A hardware vendor wants a dedicated chip on each laptop motherboard to securely store encryption keys and support measured boot. Which component provides this capability?
- Network interface card (NIC)
- Graphics processing unit (GPU)
- Power supply unit (PSU)
- Trusted Platform Module (TPM)
Correct answer: Trusted Platform Module (TPM)
Correct answer: Trusted Platform Module (TPM). A TPM is a dedicated motherboard chip that securely stores cryptographic keys and supports integrity measurements used in measured boot. A NIC, GPU, and PSU handle networking, graphics, and power, not key storage or boot integrity.
- An enterprise wants a centralized, tamper-resistant appliance to generate, store, and manage cryptographic keys for many applications across the data center. Which device BEST meets this requirement?
- Hardware security module (HSM)
- Layer 2 switch
- Load balancer
- KVM switch
Correct answer: Hardware security module (HSM)
Correct answer: Hardware security module (HSM). An HSM is a tamper-resistant appliance dedicated to generating, storing, and managing cryptographic keys for many systems with high assurance. A switch, load balancer, and KVM switch perform networking and management functions unrelated to centralized key protection.
- A zero trust architecture is being designed. Which component is responsible for making the access decision by evaluating policy before a subject is allowed to reach a resource?
- Uninterruptible power supply (UPS)
- Policy decision point (PDP)
- Patch panel
- Time server
Correct answer: Policy decision point (PDP)
Correct answer: Policy decision point (PDP). In zero trust, the policy decision point evaluates rules and trust signals to determine whether access should be granted, while the policy enforcement point carries out that decision. A UPS, patch panel, and time server support infrastructure but do not make access decisions.
- In a zero trust model, which principle dictates that no user or device is trusted by default, even when located inside the corporate network perimeter?
- Trust everything originating from the internal LAN
- Disable authentication for internal traffic
- Never trust, always verify
- Allow lateral movement to speed up access
Correct answer: Never trust, always verify
Correct answer: Never trust, always verify. Zero trust assumes no implicit trust based on network location and continuously authenticates and authorizes every request, even from inside the perimeter. Trusting internal LAN traffic, disabling internal authentication, and permitting unchecked lateral movement contradict the model.
- An organization wants outbound user web traffic to pass through a device that filters content and hides internal client addresses from external sites. Which device performs this role?
- Reverse proxy
- Network tap
- Media converter
- Forward proxy
Correct answer: Forward proxy
Correct answer: Forward proxy. A forward proxy sits between internal clients and the internet, filtering outbound requests and masking client addresses from external servers. A reverse proxy faces inbound traffic toward servers, while a network tap and media converter do not provide outbound filtering or address hiding.
- A web team wants a device positioned in front of their public web servers to terminate TLS, distribute incoming requests, and shield the servers' identities from clients. Which technology fits this role?
- Reverse proxy
- Forward proxy
- Jump server
- DHCP server
Correct answer: Reverse proxy
Correct answer: Reverse proxy. A reverse proxy sits in front of back-end servers, accepting inbound client requests, optionally terminating TLS, and hiding the real servers. A forward proxy serves outbound client traffic, a jump server provides administrative access, and a DHCP server assigns addresses.
- Administrators must connect to sensitive internal systems only through a single hardened, monitored host rather than directly from their workstations. Which architectural element provides this controlled entry point?
- Print server
- Jump server
- Syslog collector
- DHCP relay
Correct answer: Jump server
Correct answer: Jump server. A jump server (jump box) is a hardened, monitored host through which administrators must pass to reach sensitive systems, concentrating and controlling access. A print server, syslog collector, and DHCP relay serve unrelated functions.
- A network designer wants two firewalls in a configuration where, if the active firewall fails, the standby immediately takes over with no manual intervention. Which capability provides this?
- Port mirroring
- MAC filtering
- Active-passive high availability
- Quality of service shaping
Correct answer: Active-passive high availability
Correct answer: Active-passive high availability. In an active-passive pair, a standby firewall automatically assumes traffic when the active unit fails, providing failover without manual action. Port mirroring, MAC filtering, and QoS shaping address monitoring, access control, and traffic prioritization rather than failover.
- A security architect must decide how a critical inline security appliance behaves if it crashes. The business requires that network traffic keep flowing even if inspection is lost. Which design choice meets this requirement?
- Fail-closed
- Air gap
- Honeynet
- Fail-open
Correct answer: Fail-open
Correct answer: Fail-open. A fail-open design allows traffic to continue passing when the inline device fails, prioritizing availability over inspection. Fail-closed would block all traffic on failure, while an air gap and a honeynet are unrelated isolation and deception concepts.
- For a device protecting highly sensitive systems, the organization decides that if the security control fails, all traffic must be blocked rather than allowed through uninspected. Which design does this describe?
- Fail-closed
- Fail-open
- Load balancing
- Geofencing
Correct answer: Fail-closed
Correct answer: Fail-closed. A fail-closed design blocks traffic when the protective device fails, prioritizing security over availability. Fail-open does the opposite, while load balancing and geofencing serve traffic distribution and location-based control.
- A power plant must keep its control network completely physically isolated, with no network connection to the corporate network or the internet. Which approach BEST describes this isolation?
- VLAN trunking
- Air gap
- Port forwarding
- Split tunneling
Correct answer: Air gap
Correct answer: Air gap. An air gap physically separates a network so it has no connection to other networks, providing strong isolation for highly sensitive systems. VLAN trunking, port forwarding, and split tunneling all involve connectivity rather than physical separation.
- A manufacturer ships industrial equipment that runs a real-time operating system on a low-power chip with fixed functionality and limited ability to receive patches. Which category does this BEST describe?
- General-purpose desktop workstation
- Enterprise database server
- Embedded system
- Hypervisor host
Correct answer: Embedded system
Correct answer: Embedded system. An embedded system is purpose-built hardware running fixed-function firmware or an RTOS, often with constrained resources and limited patching, common in industrial equipment. A desktop, database server, and hypervisor host are general-purpose computing platforms with different security considerations.
- A utility uses SCADA systems to monitor and control field devices across remote substations. Which environment do SCADA systems primarily support?
- Consumer mobile gaming
- Corporate email hosting
- Web content delivery
- Industrial control systems / operational technology
Correct answer: Industrial control systems / operational technology
Correct answer: Industrial control systems / operational technology. SCADA (supervisory control and data acquisition) systems monitor and control physical processes in ICS/OT environments such as utilities and substations. They are not designed for consumer gaming, email hosting, or web content delivery.
- A facilities team is adding internet-connected sensors, cameras, and thermostats to buildings. Which characteristic is the MOST common security concern for these IoT devices?
- Weak default credentials and infrequent firmware updates
- Excessive processing power that wastes energy
- Built-in hardware security modules on every device
- Mandatory multifactor authentication by default
Correct answer: Weak default credentials and infrequent firmware updates
Correct answer: Weak default credentials and infrequent firmware updates. IoT devices frequently ship with weak or default passwords and receive few firmware updates, making them attractive targets. They typically have limited, not excessive, processing power and rarely include built-in HSMs or default multifactor authentication.
- An architect wants to separate the network's control plane from the data plane so traffic forwarding can be programmed centrally through software. Which technology provides this capability?
- Spanning Tree Protocol
- Software-defined networking (SDN)
- Power over Ethernet
- Network address translation
Correct answer: Software-defined networking (SDN)
Correct answer: Software-defined networking (SDN). SDN decouples the control plane from the data plane, enabling centralized, programmable management of how traffic is forwarded. Spanning Tree Protocol prevents loops, PoE delivers power over cabling, and NAT translates addresses.
- A company wants to limit each switch access port to a specific number of learned MAC addresses to prevent rogue devices and MAC flooding. Which feature provides this control?
- Jumbo frames
- Link aggregation
- Port security
- Wake-on-LAN
Correct answer: Port security
Correct answer: Port security. Port security restricts the MAC addresses allowed on a switch port and can limit how many are learned, helping block rogue devices and MAC flooding. Jumbo frames, link aggregation, and Wake-on-LAN address performance and management, not unauthorized device control.
- An architect must distribute incoming connections across a server pool and wants new sessions sent to the server with the fewest active connections at the moment. Which load balancing method describes this?
- Round robin
- Broadcast storm
- Source routing
- Least connection
Correct answer: Least connection
Correct answer: Least connection. The least-connection method directs new sessions to the server currently handling the fewest active connections, balancing load by real-time utilization. Round robin cycles servers regardless of load, while broadcast storm and source routing are not load balancing algorithms.
- A load balancer must ensure a user's session keeps returning to the same back-end server so cached session data remains valid. Which capability provides this behavior?
- Session persistence (sticky sessions)
- Promiscuous mode
- MAC spoofing
- Asymmetric routing
Correct answer: Session persistence (sticky sessions)
Correct answer: Session persistence (sticky sessions). Session persistence keeps a client tied to the same back-end server for the duration of a session so session-specific data remains valid. Promiscuous mode, MAC spoofing, and asymmetric routing are unrelated network behaviors.
- An organization wants the ability to encrypt data while it is being actively processed in memory, not just at rest or in transit. Which protection BEST addresses data in this state?
- Full-disk encryption only
- Confidential computing / encryption of data in use
- TLS for network transport only
- Encrypted nightly backups only
Correct answer: Confidential computing / encryption of data in use
Correct answer: Confidential computing / encryption of data in use. Protecting data while it is being processed in memory addresses the data-in-use state, which confidential computing and secure enclaves target. Full-disk encryption protects data at rest, TLS protects data in transit, and encrypted backups protect stored copies, none of which cover active processing.
- A security architect must protect data at rest on database servers so that stolen drives or files reveal no readable content. Which control BEST addresses this requirement?
- Encryption in transit
- Rate limiting
- Encryption at rest
- Banner grabbing
Correct answer: Encryption at rest
Correct answer: Encryption at rest. Encrypting data at rest renders stored files or stolen drives unreadable without the keys, protecting the data-at-rest state. Encryption in transit protects moving data, while rate limiting and banner grabbing are unrelated to protecting stored data.
- An architect needs a protocol that authenticates and encrypts IP traffic for a site-to-site tunnel and operates at the network layer. Which protocol suite is the BEST choice?
Correct answer: IPsec
Correct answer: IPsec. IPsec authenticates and encrypts IP packets at the network layer and is commonly used to build site-to-site tunnels. SMTP transports email, SNMPv1 is an unencrypted management protocol, and ICMP handles diagnostics, none of which secure tunneled IP traffic.
- A SaaS provider runs multiple customers on shared infrastructure. Which architectural control BEST ensures one tenant cannot access another tenant's data?
- Strong logical isolation and access segmentation between tenants
- Sharing a single administrative account across all tenants
- Disabling logging to reduce overhead
- Allowing tenants to share the same encryption keys
Correct answer: Strong logical isolation and access segmentation between tenants
Correct answer: Strong logical isolation and access segmentation between tenants. In multitenant architectures, robust logical isolation and segmentation keep each customer's data and access separate. Sharing administrative accounts or encryption keys and disabling logging would weaken separation and accountability.
- An organization is choosing between cloud and on-premises hosting and wants to keep its most sensitive workloads in its own data center while running elastic, less-sensitive workloads in the public cloud. Which deployment model fits this?
- Single public cloud only
- Hybrid cloud
- Single private cloud only
- Air-gapped standalone host
Correct answer: Hybrid cloud
Correct answer: Hybrid cloud. A hybrid model combines on-premises/private resources for sensitive workloads with public cloud for elastic, less-sensitive workloads. A single public-only or private-only model lacks that combination, and an air-gapped standalone host provides isolation, not hybrid flexibility.
- A development team packages an application with only its required libraries into a lightweight, portable unit that shares the host OS kernel. Which technology are they using?
- Full hardware virtualization with separate guest OSes
- Bare-metal installation on dedicated servers
- Containerization
- Tape archival
Correct answer: Containerization
Correct answer: Containerization. Containers package an application with its dependencies into lightweight, portable units that share the host operating system kernel. Full virtualization runs separate guest OSes per VM, bare-metal installs occupy entire physical servers, and tape archival is unrelated.
- A security team configures storage so that data and parity are striped across multiple drives, allowing the array to survive the failure of any single drive. Which RAID level provides this with single-drive fault tolerance and striping with distributed parity?
- RAID 0
- JBOD
- A single standalone disk
- RAID 5
Correct answer: RAID 5
Correct answer: RAID 5. RAID 5 stripes data with distributed parity across drives, allowing the array to survive a single drive failure. RAID 0 stripes without parity and offers no fault tolerance, while JBOD and a single disk provide no redundancy.
- A company wants automatic failover to a secondary database that stays continuously synchronized with the primary so that no committed transactions are lost on failover. Which configuration BEST meets this requirement?
- Synchronous replication to a hot standby
- Weekly full backups stored offsite
- Manual nightly export of the database
- Storing the database on a single high-capacity disk
Correct answer: Synchronous replication to a hot standby
Correct answer: Synchronous replication to a hot standby. Synchronous replication keeps a hot standby continuously in sync with the primary so failover loses no committed transactions. Weekly backups, manual nightly exports, and a single disk cannot provide near-zero data loss or automatic failover.
- An organization needs to securely transfer files between partners and wants a protocol that runs file transfers over an encrypted SSH channel. Which protocol should be selected?
Correct answer: SFTP
Correct answer: SFTP. SFTP performs file transfers over an encrypted SSH session, protecting both credentials and data. TFTP and plain FTP transmit data without encryption, and SMTP is an email transport protocol, not a secure file transfer mechanism.
- A security architect wants email server administration and directory queries to be encrypted, replacing the legacy cleartext directory access protocol. Which secure protocol should be chosen for directory access?
- LDAP without TLS
- HTTP
- LDAPS (LDAP over TLS)
- Telnet
Correct answer: LDAPS (LDAP over TLS)
Correct answer: LDAPS (LDAP over TLS). LDAPS encrypts directory queries using TLS, protecting credentials and data that plain LDAP would send in cleartext. HTTP and Telnet are unrelated and unencrypted protocols not suited for secure directory access.
- A company wants branch offices and remote users to reach cloud applications securely with centralized policy and inspection delivered from the cloud edge. Which architecture BEST describes this converged networking and security model?
- A standalone on-premises file server
- A single perimeter firewall at headquarters only
- A wireless access point in each office
- Secure Access Service Edge (SASE)
Correct answer: Secure Access Service Edge (SASE)
Correct answer: Secure Access Service Edge (SASE). SASE converges networking and security functions at the cloud edge, applying centralized policy and inspection to remote users and branch offices accessing cloud apps. A single HQ firewall, a file server, or an access point does not provide this cloud-delivered converged model.
- A security architect must protect data in transit for a public website so that browsers verify the server's identity and encrypt the session. Which combination BEST provides this?
- TLS with a valid digital certificate
- An expired self-signed certificate over HTTP
- Cleartext HTTP with basic authentication
- A shared static password in the URL
Correct answer: TLS with a valid digital certificate
Correct answer: TLS with a valid digital certificate. TLS paired with a valid certificate encrypts the session and lets browsers verify the server's identity, protecting data in transit. An expired self-signed certificate, cleartext HTTP, and passwords embedded in URLs fail to provide trustworthy encryption or identity assurance.
- A network is being segmented so that the finance department's systems are logically separated from general user systems on the same physical switches. Which technology BEST accomplishes this logical separation?
- Increasing the DHCP lease time
- VLAN segmentation
- Disabling Spanning Tree Protocol
- Enabling jumbo frames
Correct answer: VLAN segmentation
Correct answer: VLAN segmentation. VLANs logically separate traffic into distinct broadcast domains on shared physical switches, isolating finance systems from general users. Adjusting DHCP leases, disabling STP, or enabling jumbo frames affect addressing, loop prevention, and frame size rather than segmentation.
- An architect wants extremely granular control where security policy is enforced down to individual workloads in a data center, limiting east-west movement between servers. Which approach BEST describes this?
- Placing all servers in one flat subnet
- Disabling host-based firewalls
- Microsegmentation
- Using a single VLAN for all workloads
Correct answer: Microsegmentation
Correct answer: Microsegmentation. Microsegmentation applies fine-grained policy at the individual workload level, restricting east-west lateral movement between servers. A flat subnet, disabled host firewalls, and a single shared VLAN all reduce isolation rather than increase it.
- A company processing European residents' personal data must keep that data within specific geographic boundaries to satisfy legal obligations. Which architectural consideration directly drives where the data may be stored?
- Link aggregation bandwidth
- Switch port density
- Cable category rating
- Data sovereignty / data residency
Correct answer: Data sovereignty / data residency
Correct answer: Data sovereignty / data residency. Data sovereignty and residency requirements dictate the geographic locations where data may be stored and processed to comply with applicable laws. Link aggregation, port density, and cable ratings are physical or performance factors unrelated to legal storage location.
- A company is moving an application to a model where the cloud provider runs individual functions on demand and the customer manages no servers or operating systems at all. Which architecture model is being described, and what is its key security implication for the customer?
- Serverless (Function as a Service); the customer's responsibility shifts toward securing code and data while the provider handles the underlying infrastructure
- Infrastructure as a Service; the customer must patch every guest operating system in the environment
- On-premises hosting; the customer retains full physical control of all servers
- Thick client computing; all processing occurs on the end user's local device
Correct answer: Serverless (Function as a Service); the customer's responsibility shifts toward securing code and data while the provider handles the underlying infrastructure
The correct answer is serverless (Function as a Service). In a serverless model the provider runs short-lived functions on demand and fully manages the servers, operating systems, and runtime, so under the shared responsibility model the customer's security focus narrows to the application code, configuration, identity permissions, and data. Infrastructure as a Service is wrong because it still hands the customer responsibility for patching guest operating systems. On-premises hosting and thick client computing do not describe a provider-run, server-managed model at all.
- A security architect must select a hardware component that generates, stores, and manages cryptographic keys for an entire enterprise at high volume and is often certified to FIPS 140-2/140-3 for use in data centers. Which component best fits this requirement?
- Trusted Platform Module (TPM)
- Self-encrypting drive (SED)
- Hardware Security Module (HSM)
- Universal Serial Bus (USB) token
Correct answer: Hardware Security Module (HSM)
The correct answer is a Hardware Security Module (HSM). An HSM is a dedicated, tamper-resistant appliance built to generate, store, and manage cryptographic keys at enterprise scale and is commonly FIPS 140-validated for data center use. A Trusted Platform Module is a chip bound to a single host for that device's keys and measurements, not enterprise-wide key management. A self-encrypting drive only protects data at rest on one disk, and a USB token is a small per-user credential device, neither of which provides centralized high-volume key management.
- A database stores credit card numbers and the architect wants to replace each real card number with a non-sensitive substitute value that has no mathematical relationship to the original, with the mapping held in a separate secured vault. Which data protection technique is being used?
- Data masking
- Tokenization
- Hashing
- Steganography
Correct answer: Tokenization
The correct answer is tokenization. Tokenization replaces sensitive data with a randomly generated token that has no algorithmic link to the original value, and the real value is retrievable only through a separately secured token vault. Data masking obscures values for display but is typically applied to the data in place rather than swapping in a vault-backed substitute usable in transactions. Hashing is a one-way transformation that cannot be reversed to recover the original, and steganography hides data inside another file rather than substituting it.
- An architect is documenting how an organization protects information across its lifecycle and needs to address the state in which data is actively being processed in a system's memory or CPU. Which protection is specifically designed for data in use?
- Full-disk encryption on the storage volume
- TLS for the network connection
- Offsite backup of the database
- Confidential computing using a hardware-based trusted execution environment (enclave)
Correct answer: Confidential computing using a hardware-based trusted execution environment (enclave)
The correct answer is confidential computing using a hardware-based trusted execution environment, or enclave. Data in use is data loaded into memory and being processed, and a trusted execution environment isolates and protects that data while computations run on it. Full-disk encryption protects data at rest, and TLS protects data in transit across the network. Offsite backup addresses availability and recovery rather than protecting actively processed data in memory.
- An organization needs a recovery site that holds duplicated, continuously synchronized systems and data so it can take over operations almost immediately after a disaster, with minimal downtime. Which recovery site type meets this requirement?
- Hot site
- Cold site
- Warm site
- Mobile site
Correct answer: Hot site
The correct answer is a hot site. A hot site is a fully equipped, continuously updated duplicate of the production environment with near-real-time data replication, allowing the organization to fail over almost immediately. A cold site provides only space and power with no preconfigured systems, requiring lengthy setup. A warm site has hardware and connectivity but data that must still be loaded and synchronized, so recovery is slower than a hot site, and a mobile site is a transportable facility rather than a specific level of readiness.
- A security architect wants to manage infrastructure through version-controlled definition files so that servers and networks are provisioned consistently and configuration drift is reduced. Which practice provides this capability?
- Fat (thick) client deployment
- Manual change tickets in a help desk system
- Infrastructure as Code (IaC)
- Round-robin DNS
Correct answer: Infrastructure as Code (IaC)
The correct answer is Infrastructure as Code. Infrastructure as Code defines and provisions infrastructure through machine-readable, version-controlled templates, producing repeatable deployments and reducing configuration drift between environments. Fat client deployment describes where application processing occurs on endpoints, not how infrastructure is provisioned. Manual change tickets rely on human steps that introduce inconsistency, and round-robin DNS only distributes name-resolution responses among addresses.
- A bank requires that its public-facing web application servers be able to verify their identity to clients using digital certificates issued by a trusted authority. Which architectural component issues and signs those certificates?
- Network Time Protocol (NTP) server
- Dynamic Host Configuration Protocol (DHCP) server
- Syslog collector
- Certificate Authority (CA) within a Public Key Infrastructure (PKI)
Correct answer: Certificate Authority (CA) within a Public Key Infrastructure (PKI)
The correct answer is a Certificate Authority within a Public Key Infrastructure. A Certificate Authority issues and digitally signs certificates that bind a public key to an identity, allowing clients to trust the server's certificate. An NTP server only synchronizes time, and a DHCP server only assigns IP addresses to hosts. A syslog collector aggregates log data and plays no role in issuing or signing certificates.
- Which phase of the incident response process focuses on limiting the spread and impact of an active incident, such as isolating an infected host from the network?
- Containment
- Preparation
- Lessons learned
- Detection
Correct answer: Containment
Correct answer: Containment. Containment is the incident response phase that limits the spread and damage of an active incident, for example by isolating or quarantining an affected host so the threat cannot reach other systems while responders work on eradication and recovery.
- In the incident response lifecycle, which activity is performed during the 'lessons learned' phase?
- Reimaging the compromised servers
- Holding a post-incident review to document findings and improve future response
- Blocking the malicious IP at the firewall
- Detecting the initial indicator of compromise
Correct answer: Holding a post-incident review to document findings and improve future response
Correct answer: Holding a post-incident review to document findings and improve future response. The lessons learned (post-incident) phase analyzes what happened, evaluates how the response performed, and produces recommendations and updated procedures so the organization handles future incidents more effectively.
- During which incident response phase would an organization develop its IR plan, assemble the response team, and train staff before any incident occurs?
- Recovery
- Eradication
- Preparation
- Analysis
Correct answer: Preparation
Correct answer: Preparation. The preparation phase happens before an incident and includes creating the incident response plan, defining roles and the response team, acquiring tooling, and training personnel so the organization is ready to act when an incident is detected.
- A response team has removed malware and confirmed the threat is gone. They now rebuild systems from clean backups and return them to normal operation while monitoring for reinfection. Which incident response phase is this?
- Containment
- Identification
- Preparation
- Recovery
Correct answer: Recovery
Correct answer: Recovery. The recovery phase restores affected systems to normal production—rebuilding or restoring from clean backups, validating functionality, and monitoring closely to ensure the threat does not return before declaring the incident closed.
- Which incident response activity involves completely removing the cause of an incident, such as deleting malicious files, disabling breached accounts, and closing exploited vulnerabilities?
- Eradication
- Containment
- Detection
- Preparation
Correct answer: Eradication
Correct answer: Eradication. Eradication eliminates the root cause and all components of the threat from the environment—removing malware, deleting attacker artifacts, disabling compromised accounts, and remediating the vulnerabilities that allowed the incident.
- An organization runs a discussion-based exercise where the IR team walks through their response to a hypothetical ransomware scenario around a conference table, without touching any production systems. What type of exercise is this?
- Penetration test
- Tabletop exercise
- Failover test
- Simulation with live malware
Correct answer: Tabletop exercise
Correct answer: Tabletop exercise. A tabletop exercise is a discussion-based, scenario-driven walkthrough in which the response team talks through their roles and decisions for a hypothetical incident, validating the plan without affecting live systems.
- In digital forensics, what is the purpose of maintaining a chain of custody for collected evidence?
- To compress evidence files for storage
- To encrypt the evidence so attackers cannot read it
- To document who handled the evidence and when, preserving its admissibility
- To automatically scan the evidence for malware
Correct answer: To document who handled the evidence and when, preserving its admissibility
Correct answer: To document who handled the evidence and when, preserving its admissibility. Chain of custody records every person who collected, accessed, transferred, or stored evidence along with timestamps, demonstrating the evidence was not altered or tampered with so it remains admissible.
- When collecting digital evidence, which principle dictates the order in which sources should be captured, prioritizing the most volatile data first?
- Legal hold
- Data sovereignty
- Right to audit
- Order of volatility
Correct answer: Order of volatility
Correct answer: Order of volatility. The order of volatility specifies that the most ephemeral data—such as CPU registers, cache, and RAM—must be collected before less volatile sources like disk and archived logs, because volatile data is lost quickly when a system is powered off.
- A company instructs employees to stop deleting emails and documents related to a pending lawsuit so the data is preserved as potential evidence. What is this directive called?
- Legal hold
- Data retention purge
- E-discovery export
- Acquisition
Correct answer: Legal hold
Correct answer: Legal hold. A legal hold (litigation hold) is a formal notice requiring preservation of relevant information when litigation is anticipated or underway, suspending normal deletion so potentially responsive data is not destroyed.
- In security alerting, what does the term 'false positive' describe?
- A real attack that the system failed to detect
- An alert generated for activity that is actually benign
- A legitimate event correctly identified as benign
- A real attack correctly identified and blocked
Correct answer: An alert generated for activity that is actually benign
Correct answer: An alert generated for activity that is actually benign. A false positive is an alert that flags normal, legitimate activity as malicious; excessive false positives cause alert fatigue and can lead analysts to overlook genuine threats.
- A security tool fails to generate any alert for an actual intrusion that successfully occurred. What is this missed detection called?
- False positive
- True positive
- False negative
- True negative
Correct answer: False negative
Correct answer: False negative. A false negative occurs when a security control fails to detect or alert on genuine malicious activity, leaving an attack undetected; reducing false negatives is critical because they represent successful, unnoticed compromises.
- Which process establishes a definition of typical, normal activity for a system or network so that deviations from it can be flagged as anomalies?
- Hardening
- Tokenization
- Sandboxing
- Baselining
Correct answer: Baselining
Correct answer: Baselining. Baselining captures expected normal behavior—typical traffic volumes, login patterns, resource usage—so monitoring tools can compare current activity against the baseline and raise alerts when behavior deviates significantly.
- An organization continuously evaluates whether its deployed security controls remain effective and compliant by automatically checking system configurations against required standards. Which capability is this?
- Continuous monitoring
- Quarantine
- Archiving
- Tokenization
Correct answer: Continuous monitoring
Correct answer: Continuous monitoring. Continuous monitoring provides ongoing, automated assessment of systems, configurations, and controls against required standards, giving real-time visibility into security posture and prompt detection of drift or violations.
- Which network management protocol is commonly used to collect device health and performance metrics, but in older versions transmits community strings in plaintext, creating a security concern?
Correct answer: SNMP
Correct answer: SNMP. The Simple Network Management Protocol is widely used to monitor and collect metrics from network devices; SNMP versions 1 and 2c send community strings (effectively passwords) in cleartext, so SNMPv3 with authentication and encryption is preferred.
- What is the key behavioral difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)?
- An IDS encrypts traffic while an IPS decrypts it
- An IDS works at the application layer and an IPS only at the network layer
- An IDS only detects and alerts, while an IPS can actively block malicious traffic inline
- An IDS requires agents while an IPS is always agentless
Correct answer: An IDS only detects and alerts, while an IPS can actively block malicious traffic inline
Correct answer: An IDS only detects and alerts, while an IPS can actively block malicious traffic inline. An IDS passively monitors and raises alerts on suspicious activity, whereas an IPS sits inline in the traffic path and can drop, reset, or block detected malicious traffic in real time.
- A firewall rule set ends with a final rule that denies any traffic not explicitly permitted by earlier rules. What is this concept called?
- Stateful inspection
- Port forwarding
- Network address translation
- Implicit deny
Correct answer: Implicit deny
Correct answer: Implicit deny. Implicit deny is the principle that any traffic not explicitly allowed by a preceding rule is blocked, typically enforced by a default deny-all rule at the bottom of an access control list so only sanctioned traffic passes.
- Which type of firewall can make filtering decisions based on the application and user identity, integrate IPS functions, and perform deep packet inspection, going beyond simple port and protocol rules?
- Next-generation firewall (NGFW)
- Packet-filtering firewall
- Stateless firewall
- Proxy of last resort
Correct answer: Next-generation firewall (NGFW)
Correct answer: Next-generation firewall (NGFW). An NGFW combines traditional firewall functions with application awareness, user-identity-based policies, deep packet inspection, and integrated intrusion prevention, enabling far more granular control than port/protocol-only filtering.
- An organization deploys a control that inspects employee web requests and blocks access to gambling, malware-hosting, and other policy-violating sites based on URL categories. Which capability is this?
- Load balancing
- Web filtering (content filter)
- Network tap
- Jump server
Correct answer: Web filtering (content filter)
Correct answer: Web filtering (content filter). A web/content filter inspects outbound web requests and blocks or allows access based on URL reputation and content categories, enforcing acceptable use policies and preventing access to malicious or inappropriate sites.
- Which security control prevents users from reaching known-malicious domains by intercepting and blocking name resolution requests at the DNS layer?
- MAC filtering
- Egress NAT
- DNS filtering (DNS sinkhole)
- Spanning tree protocol
Correct answer: DNS filtering (DNS sinkhole)
Correct answer: DNS filtering (DNS sinkhole). DNS filtering inspects domain name resolution requests and blocks or redirects (sinkholes) lookups for malicious domains, stopping malware command-and-control and phishing connections before a network session is even established.
- An email security gateway adds DMARC, DKIM, and SPF checks. What is the primary purpose of these three mechanisms together?
- To encrypt the body of every email
- To compress attachments for faster delivery
- To archive all messages for compliance
- To authenticate the sending domain and reduce email spoofing
Correct answer: To authenticate the sending domain and reduce email spoofing
Correct answer: To authenticate the sending domain and reduce email spoofing. SPF authorizes sending mail servers, DKIM cryptographically signs messages to verify integrity and sender domain, and DMARC ties them together with a policy that tells receivers how to handle messages that fail authentication—collectively reducing spoofing and phishing.
- Which hardening practice reduces a system's attack surface by removing software, services, and accounts that are not required for its function?
- Disabling unnecessary services and removing unneeded software
- Enabling all default services
- Granting every user administrator rights
- Opening all firewall ports
Correct answer: Disabling unnecessary services and removing unneeded software
Correct answer: Disabling unnecessary services and removing unneeded software. Hardening minimizes the attack surface by turning off services that aren't needed, uninstalling unused applications, and removing default or unnecessary accounts, leaving fewer potential entry points for attackers.
- What is the security purpose of changing or disabling default vendor credentials on a newly deployed device?
- To improve network throughput
- To prevent attackers from logging in using widely known default usernames and passwords
- To enable remote firmware updates
- To reduce the device's power consumption
Correct answer: To prevent attackers from logging in using widely known default usernames and passwords
Correct answer: To prevent attackers from logging in using widely known default usernames and passwords. Default credentials are published and commonly targeted; changing or disabling them is a fundamental hardening step that blocks trivial unauthorized access to the device.
- An organization uses a configuration management tool to ensure all production servers continuously match an approved secure template, automatically correcting any drift. This is an example of enforcing what?
- A honeypot
- A demilitarized zone
- A secure baseline
- A jump box
Correct answer: A secure baseline
Correct answer: A secure baseline. A secure baseline is the approved set of security configuration settings a system must conform to; enforcing and continuously remediating against the baseline ensures systems stay in a known-good, hardened state and configuration drift is corrected.
- Which mobile device deployment model allows employees to use their personally owned devices to access corporate resources, raising data separation and management challenges?
- COPE (Corporate-Owned, Personally Enabled)
- Kiosk-only deployment
- Air-gapped deployment
- BYOD (Bring Your Own Device)
Correct answer: BYOD (Bring Your Own Device)
Correct answer: BYOD (Bring Your Own Device). In a BYOD model employees use their own personal devices for work, which complicates security because the organization has limited control and must separate and protect corporate data on a device it does not own.
- A company centrally enforces encryption, app restrictions, and remote-wipe policies across all enrolled smartphones and tablets. Which technology provides this?
- MDM (Mobile Device Management)
- RAID controller
- DLP scanner only
- Hypervisor
Correct answer: MDM (Mobile Device Management)
Correct answer: MDM (Mobile Device Management). MDM platforms centrally enroll and manage mobile devices, pushing security policies such as encryption requirements, application controls, passcode rules, and remote lock or wipe to protect corporate data on the devices.
- During secure asset disposal, which method guarantees data cannot be recovered by physically destroying the storage media?
- Reformatting the drive
- Shredding or pulverizing the media
- Moving files to the recycle bin
- Deleting partitions
Correct answer: Shredding or pulverizing the media
Correct answer: Shredding or pulverizing the media. Physical destruction such as shredding, pulverizing, or incinerating storage media renders the data unrecoverable; simple reformatting or deletion leaves data that can often be recovered with forensic tools.
- On a mobile device, which technology cryptographically and logically separates personal data and apps from corporate data and apps?
- Geofencing
- Tethering
- Containerization
- Carrier unlocking
Correct answer: Containerization
Correct answer: Containerization. Containerization creates an isolated, encrypted workspace on a device that keeps corporate applications and data separate from the user's personal content, allowing the organization to manage and wipe only the work container.
- After a vulnerability scan, which step prioritizes findings so the most critical, exploitable, and high-impact vulnerabilities are remediated first?
- Asset disposal
- Tokenization
- Log rotation
- Vulnerability prioritization and analysis
Correct answer: Vulnerability prioritization and analysis
Correct answer: Vulnerability prioritization and analysis. After identification, vulnerabilities are analyzed and prioritized—using factors like severity scores, exploitability, asset criticality, and exposure—so limited remediation resources address the highest-risk issues first.
- Which standardized framework produces a numeric severity score from 0.0 to 10.0 to help organizations rank the criticality of vulnerabilities?
- CVSS (Common Vulnerability Scoring System)
- CVE
- CWE
- OWASP
Correct answer: CVSS (Common Vulnerability Scoring System)
Correct answer: CVSS (Common Vulnerability Scoring System). CVSS assigns a 0.0–10.0 base score reflecting a vulnerability's exploitability and impact characteristics, giving organizations a consistent way to compare and prioritize vulnerabilities for remediation.
- A scanning vendor reports a vulnerability that, upon investigation, does not actually exist on the target system. In vulnerability management, what is this finding called?
- Zero-day
- False positive
- Exploit
- Patch
Correct answer: False positive
Correct answer: False positive. A false positive in vulnerability scanning is a reported flaw that is not actually present or exploitable on the system; validating scan results helps eliminate false positives so teams don't waste effort remediating nonexistent issues.
- An organization decides to accept the risk of a low-severity vulnerability it will not fix, documenting management approval. In vulnerability management, what is this response called?
- Patching
- Penetration testing
- Risk acceptance (exception/exemption)
- Eradication
Correct answer: Risk acceptance (exception/exemption)
Correct answer: Risk acceptance (exception/exemption). When an organization chooses not to remediate a vulnerability and instead formally documents and approves living with the risk, it is exercising risk acceptance, often recorded as an exception or exemption in the vulnerability management program.
- Which type of vulnerability assessment requires valid login credentials so the scanner can evaluate the system from an authenticated, insider perspective for deeper accuracy?
- Passive scan
- Black-box external scan
- Banner-grab-only scan
- Credentialed (authenticated) scan
Correct answer: Credentialed (authenticated) scan
Correct answer: Credentialed (authenticated) scan. A credentialed scan logs into the target with valid credentials to inspect installed software, patch levels, and configurations directly, yielding more accurate and comprehensive results with fewer false positives than an uncredentialed scan.
- Which authentication method uses a temporary code that changes every 30 to 60 seconds and is generated by an authenticator app synchronized with the server?
- TOTP (Time-based One-Time Password)
- Static password
- Knowledge-based question
- Single sign-on
Correct answer: TOTP (Time-based One-Time Password)
Correct answer: TOTP (Time-based One-Time Password). TOTP generates a short-lived numeric code derived from a shared secret and the current time, refreshing on a fixed interval; because the code expires quickly, it resists reuse and is widely used as a second authentication factor.
- An administrator account's elevated permissions are automatically removed after a fixed time window unless explicitly renewed. Which access management concept enforces this?
- Time-of-day restrictions only
- Just-in-time (JIT) permissions
- Mandatory vacation
- Single sign-on
Correct answer: Just-in-time (JIT) permissions
Correct answer: Just-in-time (JIT) permissions. JIT access grants elevated privileges only for the limited period they are needed and then revokes them automatically, reducing the window in which powerful permissions exist and limiting the risk of standing privileged access.
- Which password policy control prevents users from immediately reusing a recent password by remembering and rejecting a set number of prior passwords?
- Password complexity requirement
- Account lockout threshold
- Password history
- Password length minimum
Correct answer: Password history
Correct answer: Password history. A password history setting stores a number of previously used passwords and blocks their reuse, forcing users to choose genuinely new passwords and preventing them from cycling back to old, possibly compromised credentials.
- What is a primary security benefit of automating repetitive security operations tasks through scripting and orchestration?
- It eliminates the need for any logging
- It removes the need for access controls
- It guarantees zero false positives
- It enforces consistent, repeatable actions and reduces human error
Correct answer: It enforces consistent, repeatable actions and reduces human error
Correct answer: It enforces consistent, repeatable actions and reduces human error. Automation executes tasks the same way every time, scaling response, accelerating remediation, and minimizing the mistakes that arise from manual, repetitive work—while freeing analysts for higher-value analysis.
- Which potential drawback should an organization weigh before automating a security process?
- A flaw or misconfiguration in the automation can rapidly cause widespread, repeated errors
- Automation always increases analyst workload
- Automation cannot be applied to repetitive tasks
- Automation makes responses slower
Correct answer: A flaw or misconfiguration in the automation can rapidly cause widespread, repeated errors
Correct answer: A flaw or misconfiguration in the automation can rapidly cause widespread, repeated errors. Because automation executes at scale and speed, a bug or bad rule can propagate the same mistake across many systems quickly, so automated processes require careful testing, guardrails, and oversight.
- Which data source records authentication successes and failures, account lockouts, and privilege changes, making it essential for investigating suspicious access?
- Application performance dashboards
- Security (authentication/audit) logs
- DNS zone files
- DHCP lease scope settings
Correct answer: Security (authentication/audit) logs
Correct answer: Security (authentication/audit) logs. Security and audit logs capture logon events, failed authentications, account lockouts, and privilege or policy changes, providing the trail investigators use to reconstruct who accessed what and detect unauthorized or anomalous access.
- During an investigation, analysts review records of which internal IP address was assigned a given private address at a specific time. Which log source provides this mapping?
- Antivirus signature database
- TLS certificate store
- DHCP logs
- Firmware changelog
Correct answer: DHCP logs
Correct answer: DHCP logs. DHCP logs record the lease assignments of IP addresses to client MAC addresses along with timestamps, allowing investigators to determine which device held a particular internal IP address at the time an event occurred.
- Which metadata field, captured in network flow records (such as NetFlow), is most useful for identifying which hosts communicated, how much data moved, and over which ports—without capturing packet payloads?
- Full disk images
- Endpoint registry hives
- Email message bodies
- Flow data (source/destination, ports, byte counts)
Correct answer: Flow data (source/destination, ports, byte counts)
Correct answer: Flow data (source/destination, ports, byte counts). Network flow records like NetFlow summarize conversations between hosts—source and destination addresses, ports, protocols, and volume—giving investigators visibility into communication patterns and possible exfiltration without the storage cost of full packet capture.
- An administrator publishes a DNS TXT record listing the mail servers authorized to send email on behalf of the company's domain so receiving servers can reject spoofed messages. Which email authentication mechanism is being configured?
Correct answer: SPF
Correct answer: SPF. Sender Policy Framework (SPF) uses a DNS TXT record that lists the IP addresses or hosts authorized to send mail for a domain, allowing receiving servers to detect and reject spoofed senders. DKIM signs messages, DMARC sets policy on SPF/DKIM failures, and S/MIME encrypts and signs message content.
- A mail server attaches a cryptographic signature to outbound messages using a private key, while the matching public key is published in DNS so recipients can verify the message was not altered in transit. Which email security control is described?
Correct answer: DKIM
Correct answer: DKIM. DomainKeys Identified Mail (DKIM) adds a digital signature to outbound email using the sender domain's private key, and recipients validate it with the public key published in DNS, confirming integrity and origin. SPF only checks authorized senders, POP3S retrieves mail, and TLS encrypts the transport channel.
- After deploying SPF and DKIM, a security team wants to instruct receiving servers how to handle messages that fail those checks and to receive aggregate reports about spoofing attempts. Which policy framework provides this?
Correct answer: DMARC
Correct answer: DMARC. Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on SPF and DKIM, telling receivers whether to quarantine or reject failing messages and sending the domain owner aggregate reports. SMTP and IMAP move mail, and DNSSEC protects DNS responses, not email policy.
- A company wants to enforce screen-lock passcodes, push security policies, and remotely wipe lost devices across hundreds of employee smartphones and tablets. Which solution provides this centralized control?
- VPN concentrator
- Network access control (NAC)
- Host-based firewall
- Mobile Device Management (MDM)
Correct answer: Mobile Device Management (MDM)
Correct answer: Mobile Device Management (MDM). MDM centrally enforces policies such as passcode requirements, encryption, app restrictions, and remote wipe across an organization's mobile fleet. A VPN concentrator handles remote tunnels, NAC governs network admission, and a host firewall filters traffic on a single host.
- An organization allows employees to use their personally owned phones for work, accepting that the company has limited control over the hardware. Which mobile deployment model does this describe?
- BYOD (Bring Your Own Device)
- COPE (Corporate-Owned, Personally Enabled)
- CYOD (Choose Your Own Device)
- VDI (Virtual Desktop Infrastructure)
Correct answer: BYOD (Bring Your Own Device)
Correct answer: BYOD (Bring Your Own Device). In BYOD, employees use personally owned devices for work, which gives the organization the least hardware control and raises data-ownership and security concerns. COPE and CYOD involve company-purchased devices, and VDI delivers virtual desktops rather than describing device ownership.
- Before donating retired laptops, an organization must guarantee that no recoverable confidential data remains on the solid-state drives. Which action best ensures the data cannot be recovered?
- Performing a quick format of the drive
- Using a sanitization method such as cryptographic erase or secure wipe
- Deleting the user partitions
- Moving the files to the recycle bin and emptying it
Correct answer: Using a sanitization method such as cryptographic erase or secure wipe
Correct answer: Using a sanitization method such as cryptographic erase or secure wipe. Proper media sanitization (cryptographic erase, secure overwrite, or physical destruction) ensures data is unrecoverable before disposal. Quick formatting, deleting partitions, and emptying the recycle bin leave data recoverable with forensic tools.
- A SOC wants metadata about network conversations such as source and destination IPs, ports, and byte counts to baseline traffic and detect anomalies, without capturing full packet payloads. Which data source provides this?
- Full packet capture
- Syslog severity codes
- NetFlow records
- Antivirus quarantine logs
Correct answer: NetFlow records
Correct answer: NetFlow records. NetFlow (and similar flow data) summarizes network conversations by recording source/destination, ports, protocol, and volume without storing payloads, which is efficient for baselining and anomaly detection. Full packet capture stores payloads, syslog carries event messages, and antivirus logs report malware actions.
- A network team uses a protocol that lets a management station poll routers and switches for performance counters and receive unsolicited trap notifications about device events. Which protocol provides this monitoring capability?
Correct answer: SNMP
Correct answer: SNMP. The Simple Network Management Protocol (SNMP) allows a management station to query managed devices for metrics and to receive traps when events occur, and SNMPv3 adds authentication and encryption. SMTP sends email, SFTP transfers files securely, and SAML handles federated authentication.
- A change management policy requires that disruptive infrastructure updates be performed only during a pre-approved, scheduled period when impact to users is minimized. What is this period called?
- Maintenance window
- Recovery point objective
- Mean time to repair
- Change advisory board
Correct answer: Maintenance window
Correct answer: Maintenance window. A maintenance window is the scheduled, approved time frame during which changes are made to minimize business disruption. RPO measures acceptable data loss, MTTR measures repair time, and the change advisory board reviews and approves changes rather than naming the time period.
- Part of a documented change request specifies the exact steps to return a system to its prior working state if the deployment fails or causes problems. What is this component of change management called?
- Impact analysis
- Backout (rollback) plan
- Approval workflow
- Test plan
Correct answer: Backout (rollback) plan
Correct answer: Backout (rollback) plan. A backout or rollback plan documents how to revert a change to the previous known-good state if it fails. Impact analysis assesses potential effects, the approval workflow authorizes the change, and the test plan validates it before production.
- Before a major change is implemented, a cross-functional group reviews the request, evaluates risk and impact, and grants formal authorization. What is this group called?
- Incident response team
- Red team
- Change Advisory Board (CAB)
- Steering committee on procurement
Correct answer: Change Advisory Board (CAB)
Correct answer: Change Advisory Board (CAB). The CAB is the cross-functional body that reviews, assesses, and approves proposed changes within a change management process. The incident response team handles security incidents, the red team simulates attacks, and a procurement committee evaluates purchases.
- An administrator configures endpoints so that only an explicitly approved set of applications may execute, and everything else is blocked by default. Which control is being applied?
- Deny list (blocklist)
- Sandboxing
- Greylisting
- Allow list (whitelist)
Correct answer: Allow list (whitelist)
Correct answer: Allow list (whitelist). An allow list permits only explicitly approved applications to run and blocks everything else by default, which is the most restrictive application control. A deny list blocks only known-bad items, sandboxing isolates execution, and greylisting temporarily defers actions such as email delivery.
- In a Windows Active Directory environment, an administrator centrally enforces password complexity, account lockout, and security settings across all domain-joined computers from a single location. Which mechanism provides this?
- Group Policy
- Registry Editor on each host
- Local Security Authority
- Task Scheduler
Correct answer: Group Policy
Correct answer: Group Policy. Group Policy lets administrators centrally define and enforce security configurations such as password policies and lockout settings across all domain-joined systems. Editing the registry per host is not centralized, the LSA enforces local security but is not the management tool, and Task Scheduler runs jobs.
- While hardening a newly built server, an administrator turns off unused network services and closes ports that no application requires. What is the primary security benefit of this action?
- It increases network throughput for legitimate traffic
- It reduces the system's attack surface
- It eliminates the need for patching
- It enables single sign-on
Correct answer: It reduces the system's attack surface
Correct answer: It reduces the system's attack surface. Disabling unnecessary services and closing unused ports removes potential entry points an attacker could exploit, shrinking the attack surface. It does not primarily improve throughput, replace patching, or provide single sign-on.
- An EDR platform detects active malware on an employee laptop and the analyst immediately uses the tool to cut the device off from the network while preserving it for analysis. Which response action is this?
- Eradication
- Recovery
- Isolation (containment)
- Lessons learned
Correct answer: Isolation (containment)
Correct answer: Isolation (containment). Isolating or quarantining the host stops the threat from spreading while preserving it for investigation, and it is a containment activity in incident response. Eradication removes the threat, recovery restores normal operation, and lessons learned is the post-incident review.
- Which incident response phase includes developing the response plan, training staff, establishing communication procedures, and deploying detection tooling before any incident occurs?
- Detection
- Containment
- Eradication
- Preparation
Correct answer: Preparation
Correct answer: Preparation. The preparation phase happens before incidents and includes building plans, training teams, defining communications, and putting detection and response tooling in place. Detection identifies incidents, containment limits their spread, and eradication removes the cause once an incident is underway.
- To test its incident response plan without disrupting production systems, an organization gathers stakeholders to walk through a simulated breach scenario and discuss how they would respond. Which type of exercise is this?
- Tabletop exercise
- Penetration test
- Full-interruption test
- Vulnerability scan
Correct answer: Tabletop exercise
Correct answer: Tabletop exercise. A tabletop exercise is a discussion-based walkthrough of a scenario that validates the incident response plan and roles without affecting live systems. A penetration test actively attacks systems, a full-interruption test shuts down operations, and a vulnerability scan enumerates weaknesses.
- During an investigation, every transfer and handling of seized evidence is documented with who had it, when, and why, so its integrity can be defended in court. What is this documentation called?
- Legal hold
- Chain of custody
- Order of volatility
- E-discovery
Correct answer: Chain of custody
Correct answer: Chain of custody. The chain of custody is the documented, unbroken record of who collected, handled, and transferred evidence and when, preserving its admissibility. A legal hold preserves data from deletion, order of volatility prioritizes collection, and e-discovery is the legal data-production process.
- When collecting digital evidence from a running system, a forensic analyst captures the data most likely to be lost first, such as CPU registers and RAM, before imaging the disk. Which principle guides this sequence?
- Principle of least privilege
- Separation of duties
- Order of volatility
- Defense in depth
Correct answer: Order of volatility
Correct answer: Order of volatility. The order of volatility dictates collecting the most ephemeral data (registers, cache, RAM) before more persistent data (disk, archives), to avoid losing transient evidence. Least privilege, separation of duties, and defense in depth are access and architecture principles, not evidence-collection sequencing.
- Anticipating litigation, an organization issues a directive requiring that all emails and documents related to a specific matter be preserved and exempt from routine deletion. What is this directive called?
- Chain of custody
- Data retention schedule
- Acceptable use policy
- Legal hold
Correct answer: Legal hold
Correct answer: Legal hold. A legal hold (litigation hold) suspends normal data destruction so relevant information is preserved for anticipated or ongoing legal proceedings. Chain of custody tracks evidence handling, a retention schedule defines normal lifecycles, and an AUP governs acceptable system use.
- A security team configures a vulnerability scanner with valid login accounts so it can authenticate to hosts and inspect installed software, patch levels, and configurations from the inside. Which type of scan is this?
- Credentialed scan
- Non-credentialed scan
- Passive scan
- Port scan
Correct answer: Credentialed scan
Correct answer: Credentialed scan. A credentialed (authenticated) scan logs into the target to examine installed software, patches, and settings, producing more accurate and detailed results than an external view. A non-credentialed scan sees only externally observable data, passive scanning observes traffic, and a port scan only enumerates open ports.
- A vulnerability scanner reports that a server is missing a critical patch, but manual verification confirms the patch is already installed and the service is not actually vulnerable. How should this finding be classified?
- True positive
- False positive
- False negative
- Zero-day
Correct answer: False positive
Correct answer: False positive. A false positive is a reported vulnerability that does not actually exist, as confirmed by verification. A true positive is a real, confirmed issue, a false negative is a real issue the scanner missed, and a zero-day is an unknown, unpatched flaw.
- A vulnerability management team needs an industry-standard numeric score from 0.0 to 10.0 to gauge the severity of each discovered flaw and prioritize remediation. Which system provides this score?
Correct answer: CVSS
Correct answer: CVSS. The Common Vulnerability Scoring System (CVSS) produces a 0.0-10.0 severity score used to prioritize remediation. CVE assigns unique identifiers to vulnerabilities, the OWASP Top 10 ranks web risk categories, and STIX is a threat-intelligence sharing format.
- An analyst gathers threat indicators from publicly available sources such as security blogs, vendor advisories, social media, and public reputation feeds. Which category of intelligence source is this?
- Proprietary closed-source feed
- Human intelligence (HUMINT)
- Dark web brokerage
- Open-source intelligence (OSINT)
Correct answer: Open-source intelligence (OSINT)
Correct answer: Open-source intelligence (OSINT). OSINT is intelligence collected from publicly available sources like blogs, advisories, and social media. Proprietary feeds are paid and closed, HUMINT comes from human sources, and dark web brokerage involves purchasing data from criminal marketplaces.
- Organizations want to exchange machine-readable threat indicators automatically between their security platforms using a standardized language and transport. Which pair of standards supports this?
- STIX and TAXII
- SAML and OAuth
- SPF and DKIM
- RADIUS and TACACS+
Correct answer: STIX and TAXII
Correct answer: STIX and TAXII. STIX defines a structured language for describing threat intelligence, and TAXII defines how that intelligence is transported and shared automatically between systems. SAML/OAuth handle authentication and authorization, SPF/DKIM secure email, and RADIUS/TACACS+ provide AAA services.
- Rather than waiting for alerts, an analyst forms a hypothesis about a possible undetected intrusion and proactively searches logs and endpoint data for evidence of it. Which security operations activity is this?
- Patch management
- Threat hunting
- Penetration testing
- Configuration management
Correct answer: Threat hunting
Correct answer: Threat hunting. Threat hunting is the proactive, hypothesis-driven search through telemetry for threats that have evaded automated detection. Patch management remediates vulnerabilities, penetration testing simulates attacks against scope, and configuration management maintains approved system settings.
- A SOC scripts the routine provisioning of user accounts and the disabling of accounts at termination so the steps run identically every time without manual intervention. Which benefit of automation does this primarily illustrate?
- Increased technical debt
- Eliminating the need for a SIEM
- Enforcing consistent, repeatable, and scalable processes
- Removing the requirement for access reviews
Correct answer: Enforcing consistent, repeatable, and scalable processes
Correct answer: Enforcing consistent, repeatable, and scalable processes. Automating routine tasks like provisioning and deprovisioning ensures the steps execute the same way every time, reduces human error, and scales without added effort. It does not inherently create technical debt, replace a SIEM, or remove the need for access reviews.
- A platform builds behavioral baselines for each user and flags a finance employee who suddenly downloads gigabytes of data at 3 a.m. from an unusual location as anomalous. Which capability is this?
- Data Loss Prevention
- Network Access Control
- Public Key Infrastructure
- User and Entity Behavior Analytics (UEBA)
Correct answer: User and Entity Behavior Analytics (UEBA)
Correct answer: User and Entity Behavior Analytics (UEBA). UEBA establishes normal behavior baselines and detects deviations that indicate compromised accounts or insider threats, such as abnormal data access patterns. DLP prevents data exfiltration by content, NAC controls network admission, and PKI manages certificates and keys.
- Before a device is permitted onto the corporate network, a system checks that it has current antivirus signatures, required patches, and an enabled firewall, and quarantines it if it fails. Which technology enforces this?
- Network Access Control (NAC)
- Intrusion Prevention System
- Forward proxy
- Load balancer
Correct answer: Network Access Control (NAC)
Correct answer: Network Access Control (NAC). NAC performs a posture assessment of devices against compliance requirements before granting access and can quarantine noncompliant endpoints. An IPS blocks malicious traffic, a forward proxy mediates outbound web requests, and a load balancer distributes traffic across servers.
- On a quarterly basis, managers must review and re-approve the permissions held by each of their direct reports, removing any access that is no longer needed. Which identity governance practice is this?
- Single sign-on
- Access recertification (entitlement review)
- Password rotation
- Just-in-time provisioning
Correct answer: Access recertification (entitlement review)
Correct answer: Access recertification (entitlement review). Periodic access recertification has managers confirm that each user's permissions are still appropriate, helping prevent privilege creep. Single sign-on streamlines logins, password rotation changes credentials, and just-in-time provisioning grants temporary access on demand.
- A security operations team must track expiration dates and renew TLS certificates before they lapse to prevent service outages and browser warnings. Which operational practice addresses this?
- Key escrow
- Certificate pinning
- Certificate lifecycle management
- Perfect forward secrecy
Correct answer: Certificate lifecycle management
Correct answer: Certificate lifecycle management. Certificate lifecycle management covers issuing, monitoring, renewing, and revoking certificates so they do not expire unexpectedly and cause outages. Key escrow stores keys for recovery, certificate pinning binds a host to a specific certificate, and perfect forward secrecy protects past sessions if a key is later compromised.
- To ensure every new virtual machine starts in a known, hardened state, the operations team builds golden images with approved configurations and deploys all instances from them automatically. Which security operations practice does this support?
- Ad hoc manual configuration per server
- Disabling all logging to save space
- Granting all new VMs administrator access by default
- Secure provisioning from standardized hardened baselines
Correct answer: Secure provisioning from standardized hardened baselines
Correct answer: Secure provisioning from standardized hardened baselines. Deploying instances from approved golden images ensures consistent, hardened configurations and reduces drift and misconfiguration. Manual per-server setup invites inconsistency, disabling logging removes visibility, and granting default admin access violates least privilege.
- An organization classifies its security documents so that the high-level mandatory statement of management intent sits above more detailed documents. Which document type expresses the broad, enforceable management direction that other documents support?
- Policy
- Procedure
- Guideline
- Standard
Correct answer: Policy
Correct answer: Policy. A policy is the high-level, mandatory statement of management intent and direction; standards, procedures, and guidelines are subordinate documents that implement and support the policy.
- A security team writes a document that lists the exact, step-by-step instructions an administrator must follow to disable a terminated employee's accounts. Which type of governance document is this?
- Standard
- Procedure
- Policy
- Guideline
Correct answer: Procedure
Correct answer: Procedure. A procedure is a detailed, step-by-step set of instructions for performing a specific task; it operationalizes the requirements set by policies and standards.
- A company publishes a document offering recommended but non-mandatory advice on choosing strong passphrases. Because it is advisory rather than required, which governance document type best describes it?
- Policy
- Standard
- Guideline
- Procedure
Correct answer: Guideline
Correct answer: Guideline. A guideline provides recommended, optional best-practice advice; unlike policies and standards it is not mandatory, which distinguishes it from the other document types.
- An organization mandates that all stored passwords be hashed with a specific algorithm and minimum length to ensure consistency across systems. Which governance document type defines these specific, mandatory technical requirements?
- Guideline
- Policy
- Procedure
- Standard
Correct answer: Standard
Correct answer: Standard. A standard specifies mandatory, uniform technical or operational requirements (such as a required algorithm and length) that enforce consistency in support of broader policies.
- Leadership wants security decisions to be centralized so that a single executive team and committee set direction for the entire enterprise. Which governance structure does this describe?
- Centralized governance
- Decentralized governance
- Distributed governance
- Federated governance
Correct answer: Centralized governance
Correct answer: Centralized governance. Centralized governance concentrates security decision-making authority in one central group or leadership team, whereas decentralized models push that authority out to individual business units.
- A large conglomerate lets each subsidiary set and enforce its own security policies tailored to its local needs, with little central control. Which governance approach is this?
- Centralized governance
- Decentralized governance
- Hierarchical governance
- Mandatory governance
Correct answer: Decentralized governance
Correct answer: Decentralized governance. Decentralized governance distributes security decision-making authority to individual units or subsidiaries, allowing locally tailored policies rather than a single central authority.
- A board of directors forms a group of senior leaders that meets regularly to review cyber risk, approve security strategy, and hold the program accountable. Which governance body is being described?
- Incident response team
- Change advisory board
- Steering committee
- Red team
Correct answer: Steering committee
Correct answer: Steering committee. A security steering committee is a governance body of senior stakeholders that provides oversight, sets direction, and ensures accountability for the security program.
- A regulatory framework explicitly applies to an organization and carries legal penalties for non-compliance, leaving the organization no choice but to follow it. How are such considerations categorized?
- Voluntary frameworks
- Industry guidelines
- Internal standards
- Regulatory (mandatory) considerations
Correct answer: Regulatory (mandatory) considerations
Correct answer: Regulatory (mandatory) considerations. Regulatory considerations are legally binding requirements imposed by law or regulators, distinguishing them from voluntary frameworks or internal standards an organization adopts by choice.
- Within the data lifecycle, one role holds ultimate accountability for a particular data set, including its classification and authorizing access. Which role is this?
- Data owner
- Data custodian
- Data processor
- Data subject
Correct answer: Data owner
Correct answer: Data owner. The data owner is the senior individual accountable for a specific data set, responsible for its classification, value, and access decisions, while custodians handle day-to-day technical protection.
- An IT administrator is responsible for the technical handling of data, such as performing backups, applying access controls, and maintaining storage, but does not decide classification. Which role does this person hold?
- Data owner
- Data custodian
- Data controller
- Data steward
Correct answer: Data custodian
Correct answer: Data custodian. The data custodian carries out the technical protection and day-to-day management of data (backups, access enforcement, storage) under the direction of the data owner.
- Under privacy roles, the individual whose personal data is being collected and processed is given specific rights over that data. What is this person called?
- Data processor
- Data controller
- Data subject
- Data custodian
Correct answer: Data subject
Correct answer: Data subject. The data subject is the natural person to whom the personal data relates and who holds rights such as access and erasure over that data.
- An organization appoints a role focused on ensuring data quality, consistent definitions, and proper use of data on behalf of the data owner. Which role best fits this responsibility?
- Data custodian
- Data subject
- Data processor
- Data steward
Correct answer: Data steward
Correct answer: Data steward. A data steward is responsible for data quality, metadata, definitions, and ensuring data is used appropriately, supporting the data owner's accountability.
- A company appoints a senior executive accountable for the overall data privacy program and compliance with privacy laws across the enterprise. Which title best describes this role?
- Data Protection Officer
- Chief Information Security Officer
- Data custodian
- System administrator
Correct answer: Data Protection Officer
Correct answer: Data Protection Officer. A Data Protection Officer (DPO) oversees an organization's privacy program and compliance with privacy regulations such as GDPR, distinct from the broader security focus of a CISO.
- Before engaging a new cloud provider, a company thoroughly investigates the vendor's financial stability, security posture, and reputation to ensure it is trustworthy. What is this vetting activity called?
- Right-to-audit
- Due diligence
- Penetration testing
- Conflict of interest review
Correct answer: Due diligence
Correct answer: Due diligence. Due diligence is the investigative process of vetting a prospective vendor's qualifications, security, and stability before entering a relationship, part of third-party risk management.
- An organization continually re-evaluates an existing vendor's ongoing performance and security posture throughout the contract term. Which third-party risk activity does this describe?
- Due diligence
- Vendor selection
- Due care (ongoing vendor monitoring)
- Onboarding
Correct answer: Due care (ongoing vendor monitoring)
Correct answer: Due care (ongoing vendor monitoring). Due care/ongoing vendor monitoring is the continuous oversight of a vendor after engagement to ensure it keeps meeting security and performance expectations, complementing the initial due diligence.
- Two companies sign a legally binding master contract that establishes the general terms, responsibilities, and liabilities governing all future transactions between them. Which agreement is this?
- Memorandum of understanding
- Statement of work
- Non-disclosure agreement
- Master service agreement
Correct answer: Master service agreement
Correct answer: Master service agreement. A master service agreement (MSA) is a binding contract that sets the overarching terms governing the relationship, under which specific work is later defined by documents such as a statement of work.
- After signing a master agreement, a client issues a document that defines the specific deliverables, timelines, and tasks for a single project. Which document is this?
- Statement of work
- Service level agreement
- Business partnership agreement
- Memorandum of agreement
Correct answer: Statement of work
Correct answer: Statement of work. A statement of work (SOW) details the specific deliverables, scope, schedule, and tasks for a particular engagement, typically issued under a master service agreement.
- Before sharing sensitive product designs with a contractor, a company requires the contractor to sign a document legally obligating it to keep that information confidential. Which agreement is this?
- Service level agreement
- Non-disclosure agreement
- Statement of work
- Interconnection security agreement
Correct answer: Non-disclosure agreement
Correct answer: Non-disclosure agreement. A non-disclosure agreement (NDA) is a legal contract binding parties to protect and not disclose confidential information shared during a relationship.
- Two firms form a formal, legally binding contract to operate a joint venture and share in its profits and liabilities. Which agreement type best describes this relationship?
- Memorandum of understanding
- Statement of work
- Business partnership agreement
- Non-disclosure agreement
Correct answer: Business partnership agreement
Correct answer: Business partnership agreement. A business partnership agreement (BPA) is a binding contract defining a partnership's terms, profit-sharing, and responsibilities between the parties.
- A company negotiates a clause in its vendor contract allowing it to inspect and verify the vendor's security controls and compliance during the engagement. Which contractual provision is this?
- Service level agreement
- End-of-life clause
- Non-compete clause
- Right-to-audit clause
Correct answer: Right-to-audit clause
Correct answer: Right-to-audit clause. A right-to-audit clause grants a customer the contractual ability to examine a vendor's controls, records, and compliance, a key third-party risk management safeguard.
- A vendor announces that a product will no longer be sold or actively developed but will still receive limited support for a period. Which term describes this stage?
- End-of-life
- End-of-service-life
- End-of-support
- Decommissioning
Correct answer: End-of-life
Correct answer: End-of-life. End-of-life (EOL) marks the point at which a product is no longer sold or developed but may still receive limited support, preceding end-of-service-life when support fully ends.
- A piece of network hardware has reached the date after which the manufacturer will provide no patches, updates, or support of any kind. Which term applies?
- End-of-life
- End-of-service-life
- Beta release
- General availability
Correct answer: End-of-service-life
Correct answer: End-of-service-life. End-of-service-life (EOSL) is the date after which a vendor provides no further support, patches, or updates, making continued use a significant security risk.
- A regulator requires an organization to formally declare, in writing, that it is in compliance with a specific control framework and to provide evidence on demand. This formal declaration is best described as which of the following?
- Penetration test
- Risk register
- Attestation
- Gap analysis
Correct answer: Attestation
Correct answer: Attestation. Attestation is a formal, often signed declaration affirming that an organization meets specified compliance or control requirements, frequently required as part of regulatory reporting.
- An organization fails to meet a mandatory regulatory requirement and faces fines, loss of a license, and reputational harm. These outcomes are examples of which compliance concept?
- Compliance monitoring
- Due diligence
- Risk acceptance
- Consequences of non-compliance
Correct answer: Consequences of non-compliance
Correct answer: Consequences of non-compliance. Fines, sanctions, license loss, and reputational damage are the consequences of non-compliance, which drive organizations to maintain compliance programs.
- A compliance team continuously tracks systems and processes to confirm the organization stays aligned with applicable laws and standards over time. Which compliance activity is this?
- Compliance monitoring
- Attestation
- Penetration testing
- Vendor selection
Correct answer: Compliance monitoring
Correct answer: Compliance monitoring. Compliance monitoring is the ongoing process of verifying that an organization continues to meet regulatory and policy requirements, often supported by automated tools and internal reporting.
- An auditor employed by the company itself reviews internal controls and reports findings to management to improve the security program. What kind of audit is this?
- External audit
- Internal audit
- Regulatory examination
- Penetration test
Correct answer: Internal audit
Correct answer: Internal audit. An internal audit is performed by the organization's own staff to evaluate controls and report to management, in contrast to an external audit conducted by an independent third party.
- To satisfy a partner's trust requirements, a company hires an independent third-party firm to objectively evaluate and attest to its security controls. What type of audit is this?
- Internal audit
- Self-assessment
- External audit
- Tabletop exercise
Correct answer: External audit
Correct answer: External audit. An external audit is conducted by an independent third party to provide objective assurance about an organization's controls, often used to build trust with customers or regulators.
- Penetration testers are given no prior knowledge of the target environment and must discover everything from scratch, simulating an outside attacker. Which testing approach is this?
- Known environment (white-box) testing
- Partially known (gray-box) testing
- Vulnerability scanning
- Unknown environment (black-box) testing
Correct answer: Unknown environment (black-box) testing
Correct answer: Unknown environment (black-box) testing. In unknown-environment (black-box) testing, testers receive no internal information and must reconnoiter the target as an external attacker would.
- Penetration testers are provided some limited information, such as user-level credentials, but not full architecture details, blending insider and outsider perspectives. Which testing approach is this?
- Partially known (gray-box) testing
- Known environment testing
- Unknown environment testing
- Compliance audit
Correct answer: Partially known (gray-box) testing
Correct answer: Partially known (gray-box) testing. Partially known (gray-box) testing gives testers some limited knowledge or access, balancing the thoroughness of known-environment testing with the realism of unknown-environment testing.
- Before launching attacks, penetration testers gather information about a target by querying public records and DNS without interacting directly with the target's systems. Which activity is this?
- Active reconnaissance
- Passive reconnaissance
- Exploitation
- Privilege escalation
Correct answer: Passive reconnaissance
Correct answer: Passive reconnaissance. Passive reconnaissance collects information from publicly available sources without directly engaging the target, minimizing the chance of detection.
- During an engagement, testers send packets to and scan the target's live systems to map open ports and services. Which reconnaissance type is this?
- Passive reconnaissance
- Open-source intelligence
- Active reconnaissance
- Social engineering
Correct answer: Active reconnaissance
Correct answer: Active reconnaissance. Active reconnaissance involves directly interacting with the target (such as scanning ports and probing services), which is more informative but more detectable than passive methods.
- An organization invites the public to find and responsibly report vulnerabilities in its applications in exchange for monetary rewards. Which program is this?
- Penetration test
- Internal audit
- Red team exercise
- Bug bounty program
Correct answer: Bug bounty program
Correct answer: Bug bounty program. A bug bounty program crowdsources vulnerability discovery by offering rewards to external researchers who responsibly disclose flaws, complementing formal testing.
- During a security exercise, a designated offensive team attacks while a defensive team protects, and a third group enforces rules and scoring. Which group label refers to the defenders?
- Blue team
- Red team
- White team
- Purple team
Correct answer: Blue team
Correct answer: Blue team. In adversarial exercises the blue team is the defensive group protecting systems, the red team is the offensive attackers, and the white team oversees and adjudicates the exercise.
- In an attack simulation exercise, the offensive group is tasked with emulating real adversaries to probe the organization's defenses. Which team label applies to this group?
- Blue team
- Red team
- White team
- Green team
Correct answer: Red team
Correct answer: Red team. The red team is the offensive group that emulates real attackers during exercises, while the blue team defends and the white team facilitates.
- A new employee is required to sign a document that defines what is and is not permitted when using company computers, email, and internet. Which policy is this?
- Business continuity policy
- Change management policy
- Acceptable use policy
- Incident response policy
Correct answer: Acceptable use policy
Correct answer: Acceptable use policy. An acceptable use policy (AUP) defines the permitted and prohibited uses of an organization's IT resources by users, a foundational governance document.
- An organization runs a security awareness campaign that sends fake phishing emails to employees and records who clicks, in order to measure and improve user behavior. What is this technique called?
- Bug bounty program
- Tabletop exercise
- Vulnerability scan
- Phishing simulation campaign
Correct answer: Phishing simulation campaign
Correct answer: Phishing simulation campaign. Phishing simulations send controlled, fake phishing messages to employees to measure susceptibility and reinforce security awareness training.
- As part of a security awareness program, a company tracks how employee click rates on simulated phishing drop over time and reports the trend to leadership. This use of metrics is best described as which of the following?
- Reporting and monitoring of awareness effectiveness
- Penetration testing
- Risk transference
- Attestation
Correct answer: Reporting and monitoring of awareness effectiveness
Correct answer: Reporting and monitoring of awareness effectiveness. Tracking metrics such as phishing click rates and reporting them measures the effectiveness of the security awareness program and guides improvement.
- An organization sets rules for how long different categories of records must be kept and when they should be securely destroyed to meet legal and business needs. Which governance policy is this?
- Acceptable use policy
- Data retention policy
- Change management policy
- Password policy
Correct answer: Data retention policy
Correct answer: Data retention policy. A data retention policy specifies how long records are kept and when they are disposed of, balancing legal obligations, business needs, and risk reduction.
- A formal change management process requires that every proposed change be reviewed and authorized before implementation to prevent unmanaged disruptions. Which body typically performs this review and approval?
- Security steering committee
- Red team
- Change advisory board
- Data governance council
Correct answer: Change advisory board
Correct answer: Change advisory board. A change advisory board (CAB) reviews, evaluates, and approves proposed changes as part of the change management process, helping ensure changes are controlled and documented.
- When responding to a risk, an organization chooses to stop the activity that creates the risk entirely so the threat can no longer affect it. Which risk treatment strategy is this?
- Risk acceptance
- Risk transference
- Risk mitigation
- Risk avoidance
Correct answer: Risk avoidance
Correct answer: Risk avoidance. Risk avoidance eliminates exposure by ceasing or not undertaking the risky activity altogether, distinct from accepting, transferring, or mitigating the risk.
- A governance team is documenting the order of precedence among security documents. Which document type is a high-level, mandatory management statement that defines the organization's overall intent and expectations regarding security?
- Guideline
- Procedure
- Policy
- Standard
Correct answer: Policy
The correct answer is a policy, which is a high-level, mandatory management directive that establishes the organization's overall intent, goals, and expectations for security. A procedure is a detailed, step-by-step set of instructions for performing a task. A guideline offers recommended but non-mandatory best practices, and a standard specifies mandatory, measurable technical or operational requirements that support the policy.
- A company publishes a document that all employees must sign, defining permitted and prohibited uses of corporate laptops, email, and internet access. Which security governance document is this?
- Memorandum of understanding (MOU)
- Service level agreement (SLA)
- Business continuity plan (BCP)
- Acceptable use policy (AUP)
Correct answer: Acceptable use policy (AUP)
The correct answer is the acceptable use policy (AUP), which defines the rules for how employees may and may not use organizational systems, networks, and resources. A service level agreement (SLA) specifies measurable service commitments between a provider and customer. A business continuity plan (BCP) describes how operations continue during a disruption, and a memorandum of understanding (MOU) documents informal mutual intentions between parties.
- Before deploying a configuration change to production firewalls, a security team requires that the change be submitted, reviewed, approved, scheduled, and accompanied by a documented backout plan. Which security program process enforces this discipline?
- Incident response
- Change management
- Vulnerability management
- Configuration enforcement
Correct answer: Change management
The correct answer is change management, the formal process that requires changes to be requested, reviewed, approved, scheduled, and supported by a backout plan to reduce risk and maintain stability. Incident response addresses detecting and recovering from security events, not routine changes. Vulnerability management focuses on identifying and remediating weaknesses, and configuration enforcement applies and maintains baselines rather than governing the approval workflow.
- An organization is sorting its data into categories such as public, internal, confidential, and restricted so that appropriate protections can be applied based on sensitivity. Which governance activity is being performed?
- Data minimization
- Data masking
- Data classification
- Data sovereignty
Correct answer: Data classification
The correct answer is data classification, the process of categorizing information by sensitivity or value so that appropriate handling and protection controls can be applied. Data masking obscures specific data values to protect them during use or display. Data minimization is the principle of collecting only the data that is necessary, and data sovereignty concerns the laws of the jurisdiction in which data is stored.
- In a data governance model, an individual holds accountability for a specific data set, including decisions about its classification and who may access it, while delegating day-to-day storage and backup tasks to others. Which role does this individual hold?
- Data subject
- Data custodian
- Data processor
- Data owner
Correct answer: Data owner
The correct answer is data owner, the senior role accountable for classifying a data set and authorizing access while delegating technical handling. The data custodian carries out the operational tasks such as storage, backup, and applying controls. A data processor handles personal data on behalf of a controller, and a data subject is the individual whom personal data describes.
- Two companies forming a long-term strategic partnership want a formal, legally binding contract that defines the responsibilities, expectations, and terms of their ongoing business relationship. Which agreement type best fits this need?
- Business partners agreement (BPA)
- Memorandum of understanding (MOU)
- Non-disclosure agreement (NDA)
- Master service agreement (MSA)
Correct answer: Business partners agreement (BPA)
The correct answer is the business partners agreement (BPA), a legally binding contract that defines the terms, responsibilities, and expectations between organizations entering a business partnership. A memorandum of understanding (MOU) documents informal, generally non-binding mutual intentions. A non-disclosure agreement (NDA) protects confidential information shared between parties, and a master service agreement sets baseline terms governing future contracts rather than defining a partnership.
- During third-party vendor due diligence, a buyer insists that the contract include a clause permitting it to inspect and review the vendor's security controls and compliance at any time. Which contractual provision is this?
- Indemnification clause
- Statement of work
- Right-to-audit clause
- Force majeure clause
Correct answer: Right-to-audit clause
The correct answer is the right-to-audit clause, which grants an organization the contractual ability to examine and verify a vendor's security controls and compliance practices. A statement of work details the specific tasks, deliverables, and timelines of an engagement. An indemnification clause assigns liability for losses between parties, and a force majeure clause excuses performance during extraordinary events beyond a party's control.
- Before a penetration test begins, both parties sign a document defining the test's scope, timing, permitted techniques, target systems, and points of contact so the testers stay within authorized boundaries. What is this document called?
- Acceptable use policy
- Service level agreement
- Non-disclosure agreement
- Rules of engagement
Correct answer: Rules of engagement
The correct answer is the rules of engagement, which defines the scope, timing, permitted methods, in-scope targets, and contacts that constrain an authorized penetration test. A service level agreement specifies measurable service commitments rather than test boundaries. A non-disclosure agreement protects confidential information, and an acceptable use policy governs how employees use organizational resources.
- An organization wants independent assurance that a cloud provider's stated security controls are designed and operating effectively, so it requests a formal report produced by an external auditor. Which type of audit is the organization relying on?
- Internal audit
- Third-party (independent external) audit
- Self-assessment
- Vulnerability scan
Correct answer: Third-party (independent external) audit
The correct answer is a third-party (independent external) audit, in which an outside auditor objectively evaluates and attests to whether controls are designed and operating effectively, providing impartial assurance. An internal audit is performed by the organization's own staff and carries less external credibility. A self-assessment is conducted by the entity on itself, and a vulnerability scan identifies technical weaknesses rather than auditing control effectiveness.
- In a zero trust architecture, which control plane component continuously adjusts a user's access requirements based on signals such as device posture, location, and behavior during an active session?
- Adaptive identity
- A static allow list applied at login
- A one-time password generator
- A network tap
Correct answer: Adaptive identity
The answer is adaptive identity. Within the zero trust control plane, adaptive identity evaluates contextual signals such as device health, geolocation, and behavioral patterns and dynamically raises or lowers authentication and authorization requirements throughout a session, rather than trusting a single decision made at login. A static allow list and a one-time password generator both make a one-time determination, and a network tap only mirrors traffic for monitoring.
- Attackers compromise a niche industry news website that is frequently visited by employees of a target company, planting malware so that those employees become infected when browsing. What type of attack is this?
- Watering hole attack
- Brute-force attack
- SQL injection
- ARP poisoning
Correct answer: Watering hole attack
The answer is a watering hole attack. In this technique the attacker does not target victims directly but instead infects a third-party website that the intended victims are known to trust and visit regularly, so the malware is delivered when the targeted users browse there. Brute-force attacks guess credentials, SQL injection manipulates database queries, and ARP poisoning corrupts the local link-layer address mapping.
- A developer's build system automatically pulls a package from a public repository because an internal package of the same name does not exist there, allowing an attacker who published a malicious public package to execute code. What attack does this describe?
- Dependency confusion attack
- Cross-site scripting
- Password spraying
- Evil twin attack
Correct answer: Dependency confusion attack
The answer is a dependency confusion attack. This supply-chain technique exploits package managers that prefer or fall back to a public registry when an identically named internal package cannot be resolved privately, so a malicious public package gets installed and executed in the build pipeline. Cross-site scripting injects scripts into web pages, password spraying tries common passwords across accounts, and an evil twin is a rogue wireless access point.
- Malware injects itself into a user's browser process to silently capture and modify online banking transactions after the user has authenticated, even over an HTTPS session. Which threat best describes this?
- Man-in-the-browser (MitB) attack
- Jamming
- Bluesnarfing
- Typosquatting
Correct answer: Man-in-the-browser (MitB) attack
The answer is a man-in-the-browser (MitB) attack. This is a form of on-path attack in which malware (often a Trojan) operates inside the victim's browser, so it can read and alter transactions after TLS has decrypted them and after the user has logged in, defeating the protection HTTPS provides on the wire. Jamming disrupts wireless signals, bluesnarfing steals data over Bluetooth, and typosquatting relies on misspelled domain names.
- When configuring an IPsec VPN, an engineer must ensure the payload data is encrypted for confidentiality. Which IPsec protocol provides encryption of the data payload, which the other does not?
- Encapsulating Security Payload (ESP)
- Authentication Header (AH)
- Internet Key Exchange (IKE) only
- Generic Routing Encapsulation (GRE)
Correct answer: Encapsulating Security Payload (ESP)
The answer is Encapsulating Security Payload (ESP). ESP provides confidentiality through encryption as well as integrity and authentication of the payload, whereas Authentication Header (AH) provides only integrity and authentication and does not encrypt the data. IKE negotiates the keys and security associations but is not itself the data-protection protocol, and GRE is a tunneling protocol that offers no encryption on its own.
- A security team wants vulnerability scanning that does not require installing software on each endpoint and instead queries hosts remotely over the network. Which scanning approach are they choosing?
- Agentless scanning
- Agent-based scanning
- A tabletop exercise
- A bug bounty program
Correct answer: Agentless scanning
The answer is agentless scanning. Agentless scanning collects vulnerability and configuration data by reaching out to hosts over the network without any locally installed software, which simplifies deployment but can miss offline or intermittently connected systems. Agent-based scanning requires a persistent local agent on each host, a tabletop exercise is a discussion-based incident drill, and a bug bounty program pays external researchers for reported flaws.
- A company asks a prospective SaaS vendor for an independent auditor's report covering the operating effectiveness of the vendor's security controls over a period of time. Which report should the company request?
- SOC 2 Type II report
- An acceptable use policy
- A memorandum of understanding (MOU)
- A statement of work (SOW)
Correct answer: SOC 2 Type II report
The answer is a SOC 2 Type II report. A SOC 2 Type II is an independent attestation that evaluates not just the design but the operating effectiveness of a service provider's controls over a defined review period, making it the appropriate evidence for vendor due diligence. An acceptable use policy governs internal user behavior, an MOU is a non-binding statement of intent, and a SOW defines specific work deliverables.
- Under a privacy regulation, an organization collects only the specific personal data fields strictly necessary to deliver the requested service and nothing more. Which privacy principle is being applied?
- Data minimization
- Data sovereignty
- Risk acceptance
- Separation of duties
Correct answer: Data minimization
The answer is data minimization. Data minimization is the privacy principle that limits collection and retention to only the personal information that is directly necessary for the stated purpose, reducing exposure and compliance scope. Data sovereignty concerns the legal jurisdiction governing stored data, risk acceptance is a risk-treatment decision, and separation of duties is an access-control safeguard.
- A customer submits a formal request asking a company to disclose all personal information the company holds about them and to provide a copy of that data. Fulfilling this request supports which privacy capability?
- A data subject access request (DSAR)
- A right-to-audit clause
- A business impact analysis (BIA)
- A penetration test
Correct answer: A data subject access request (DSAR)
The answer is a data subject access request (DSAR). A DSAR is the mechanism, established by privacy laws such as GDPR, by which an individual (data subject) can require an organization to confirm what personal data it holds about them and to receive a copy of it. A right-to-audit clause lets one party inspect another's controls, a BIA evaluates operational impact of disruptions, and a penetration test simulates an attack to find weaknesses.