CertPreps - SSCP Practice Exam 3
45. A retail company identifies a risk associated with using outdated software. They decide to stop using the software and switch to a more secure, updated version. Which risk treatment strategy are they employing?
A. Risk transfer
B. Risk acceptance
C. Risk avoidance
D. Risk mitigation
Answer: C. Risk avoidance
By stopping the use of outdated software and switching to a more secure version, the company is employing risk avoidance (C), as they are eliminating the risk entirely. Risk transfer (A) would involve shifting the risk to another entity, and risk acceptance (B) would mean acknowledging the risk without taking action. Risk mitigation (D) involves reducing the risk's impact rather than eliminating it.
87. Which of the following scenarios violates the principle of segregation of duties (SoD)?
A. An employee who approves expense reports also reconciles bank statements
B. A manager who has access to sensitive financial data also approves access requests
C. A system administrator who installs software also performs regular security audits
D. A cashier who handles cash transactions also manages inventory
Answer: A. An employee who approves expense reports also reconciles bank statements
This scenario violates the principle of segregation of duties (SoD) because the employee has control over both approving expenses and reconciling bank statements, which could lead to fraud or errors going undetected. The other scenarios (B, C, D) do not necessarily violate SoD as long as there are appropriate controls and oversight in place to mitigate risks.
28. During a routine security check, it was found that a virtual machine is vulnerable to a known exploit due to outdated software. Which countermeasure should be applied to prevent exploitation?
A. Apply the latest software patches to the virtual machine
B. Increase the resource allocation to the virtual machine
C. Encrypt the virtual machine's data storage
D. Move the virtual machine to a different network segment
Answer: A. Apply the latest software patches to the virtual machine
Applying the latest software patches (A) addresses the known vulnerabilities and prevents the virtual machine from being exploited. Increasing resource allocation (B) does not address security issues. Encrypting data storage (C) is important for data protection but does not prevent exploitation of software vulnerabilities. Moving the virtual machine to a different network segment (D) might help with isolation but does not resolve the underlying vulnerability.
76. A host-based firewall is configured to log all connection attempts. After analyzing the logs, the security team notices repeated connection attempts from an unknown IP address. What is the best immediate action to take?
A. Block the IP address in the firewall.
B. Disable logging to prevent log file overload.
C. Increase the firewall's logging level.
D. Allow the IP address temporarily for further analysis.
Answer: A. Block the IP address in the firewall.
Blocking the IP address in the firewall (A) is the best immediate action to prevent potential unauthorized access or attacks from the unknown source. Disabling logging (B) would prevent further monitoring. Increasing the logging level (C) captures more detail but doesn't stop the attempts. Allowing the IP address temporarily (D) poses a security risk without providing immediate benefits.
74. To verify that its security measures comply with regulatory standards, an organization decides to conduct an internal audit. Which process is crucial for ensuring that the audit thoroughly assesses compliance?
A. Creating a compliance checklist
B. Updating firewall configurations
C. Implementing a new backup policy
D. Installing the latest antivirus software
Answer: A. Creating a compliance checklist
Creating a compliance checklist is crucial for ensuring that an internal audit thoroughly assesses compliance with regulatory standards. This checklist helps auditors systematically review all relevant aspects of compliance and ensures that no critical areas are overlooked. Updating firewall configurations (B), implementing a new backup policy (C), and installing the latest antivirus software (D) are important security measures but do not directly ensure a comprehensive audit of compliance requirements.
53. During a routine security check, the EDR system identifies several endpoints with anomalous behavior patterns. What should be the immediate next step?
A. Disconnect the affected endpoints from the network.
B. Perform a complete system reboot of the affected endpoints.
C. Increase the security alert threshold to reduce false positives.
D. Conduct a full antivirus scan on the affected endpoints.
Answer: A. Disconnect the affected endpoints from the network.
The immediate next step should be to disconnect the affected endpoints from the network (A) to prevent potential spread of malware or further damage. This isolation helps contain the threat while further investigation is conducted. Performing a system reboot (B) may not resolve the issue and could disrupt evidence. Increasing the alert threshold (C) could overlook serious threats. Conducting an antivirus scan (D) is important but should follow containment measures.
43. An organization has a baseline policy that requires encryption of all sensitive data at rest. A security audit reveals that one of the storage systems is storing sensitive data in plaintext. What should be the security analyst's next step?
A. Encrypt the data immediately.
B. Notify the storage system administrator.
C. Update the baseline policy.
D. Conduct a risk assessment on the data.
Answer: A. Encrypt the data immediately.
The immediate action should be to encrypt the sensitive data (A) to comply with the baseline policy and protect it from unauthorized access. Notifying the storage system administrator (B) is necessary but secondary to securing the data. Updating the baseline policy (C) does not address the current non-compliance. Conducting a risk assessment (D) is important but does not mitigate the immediate risk of unprotected data.
34. During a post-incident review of a data leakage event, it was discovered that sensitive data was accessible due to insufficient access controls. What countermeasure should be implemented based on this lesson learned?
A. Implementing a data loss prevention (DLP) solution
B. Increasing the frequency of security policy reviews
C. Conducting regular security awareness campaigns
D. Enforcing a stricter password policy for all users
Answer: A. Implementing a data loss prevention (DLP) solution
Implementing a data loss prevention (DLP) solution (A) directly addresses the issue of data leakage by monitoring and controlling data transfers to ensure sensitive information is not improperly accessed or shared. Increasing policy reviews (B) and conducting awareness campaigns (C) are important but do not specifically prevent data leakage. Enforcing a stricter password policy (D) is beneficial but not directly related to access control deficiencies.
62. A security team needs to prevent data leaks from the shared storage in their virtual environment. What is the best method to enforce data confidentiality?
A. Implementing storage encryption with individual keys for each virtual machine
B. Regularly defragmenting the shared storage
C. Disabling shared storage access for non-administrative users
D. Keeping all virtual machine snapshots on shared storage
Answer: A. Implementing storage encryption with individual keys for each virtual machine
Implementing storage encryption with individual keys for each virtual machine (A) ensures that only authorized virtual machines can decrypt and access their specific data, thereby enforcing data confidentiality and preventing data leaks. Regularly defragmenting the shared storage (B) is related to performance, not confidentiality. Disabling shared storage access for non-administrative users (C) can prevent general access but does not specifically address the confidentiality of stored data. Keeping snapshots on shared storage (D) without additional security measures does not prevent data leaks.
19. During a security audit, it is found that an organization's SSO implementation is not performing as expected. Users experience frequent login prompts when accessing different services. What could be the reason for this issue?
A. Incorrect token lifetime settings
B. Misconfigured password policies
C. Lack of multi-factor authentication
D. Insufficient network bandwidth
Answer: A. Incorrect token lifetime settings
Incorrect token lifetime settings (A) could be causing users to experience frequent login prompts in an SSO implementation. If tokens expire too quickly, users will need to re-authenticate more often, disrupting the seamless access that SSO is meant to provide. Misconfigured password policies (B) do not typically cause frequent login prompts if SSO is set up correctly. Lack of multi-factor authentication (C) may affect security but does not directly relate to the frequency of login prompts in SSO. Insufficient network bandwidth (D) might cause performance issues but is not likely to be the primary reason for frequent login prompts.
47. A large enterprise is looking to migrate its on-premises data center to the cloud. They need full control over their servers, storage, and network resources to run their legacy applications. Which cloud service model should they select?
A. Infrastructure as a Service (IaaS)
B. Platform as a Service (PaaS)
C. Software as a Service (SaaS)
D. Function as a Service (FaaS)
Answer: A. Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) (A) provides the most control over the underlying hardware, including servers, storage, and networking. This model is ideal for a large enterprise that needs to migrate legacy applications to the cloud and requires the ability to configure and manage the infrastructure. Platform as a Service (PaaS) (B) offers a higher level of abstraction, focusing on application development rather than infrastructure management, which is not suitable for running legacy applications that need full control. Software as a Service (SaaS) (C) provides fully managed applications, which would not be appropriate for legacy systems that require specific configurations. Function as a Service (FaaS) (D) is a serverless computing model for running small pieces of code, which is not suitable for the full-scale migration of a data center.
23. An enterprise requires real-time inspection of network traffic to detect and respond to threats promptly. Where should an intrusion detection and prevention system (IDPS) be placed to fulfill this requirement without introducing significant latency?
A. Inline, at the perimeter gateway
B. Passive, on a mirrored port of the core switch
C. Virtual, within the cloud infrastructure
D. Inline, between the web and database servers
Answer: A. Inline, at the perimeter gateway
Inline placement at the perimeter gateway (A) ensures that all incoming and outgoing traffic is inspected in real-time, providing immediate threat response. Passive placement (B) only detects threats without prevention. Virtual deployment (C) might not cover all physical traffic. Inline placement between web and database servers (D) could introduce latency in critical internal communications.
54. An organization is experiencing a series of seemingly unrelated security incidents. Which feature of an event correlation system would best help in identifying if these incidents are related?
A. Pattern recognition
B. Real-time monitoring
C. Data retention policies
D. Compliance reporting
Answer: A. Pattern recognition
Pattern recognition (A) in an event correlation system helps in identifying if seemingly unrelated security incidents are actually connected by detecting recurring sequences or similarities in events across different sources. This allows for the identification of broader attack campaigns or multi-stage intrusions that might not be apparent from individual events alone. Real-time monitoring (B) provides immediate visibility into events but does not necessarily identify patterns or relationships. Data retention policies (C) ensure that logs are stored for a required duration, which is important for historical analysis but does not directly help in correlating current incidents. Compliance reporting (D) focuses on regulatory adherence and is not related to identifying connections between incidents.
14. A security analyst detects multiple unauthorized access attempts and needs to document and communicate these findings to the security manager. Which of the following best practices should the analyst follow?
A. Provide a detailed timeline of events and suggest immediate countermeasures.
B. Summarize the incident with general observations and wait for further instructions.
C. Include speculative causes and potential impacts without concrete evidence.
D. Write a high-level overview and avoid technical jargon.
Answer: A. Provide a detailed timeline of events and suggest immediate countermeasures.
The best practice is to provide a detailed timeline of events and suggest immediate countermeasures (A) to offer a clear, actionable report for the security manager. Summarizing with general observations (B) might be too vague for effective action. Including speculative causes (C) without evidence could mislead decision-making. A high-level overview (D) should be clear but also include necessary technical details for a comprehensive understanding.
52. A company has deployed several containers in production. To ensure security, what should be done to manage container images effectively?
A. Regularly update container images to the latest versions
B. Store container images in a publicly accessible registry
C. Use only official images from trusted sources without modifications
D. Frequently restart containers to apply updates
Answer: A. Regularly update container images to the latest versions
Regularly updating container images to the latest versions (A) is essential to ensure that containers run with the latest security patches and mitigations against known vulnerabilities. Storing container images in a publicly accessible registry (B) increases the risk of tampering and should be avoided. Using only official images from trusted sources (C) is good practice but may not address the need for ongoing updates. Frequently restarting containers (D) does not guarantee that updates are applied unless the underlying image is also updated.
44. A company has deployed a virtual appliance for web filtering. The IT team needs to ensure that the appliance is not compromised and remains effective in its role. Which security measure should be prioritized?
A. Regularly update the appliance's software and definitions
B. Isolate the appliance on a separate VLAN
C. Use a complex password for the appliance management interface
D. Monitor the appliance's network traffic for anomalies
Answer: A. Regularly update the appliance's software and definitions
Regularly updating the appliance's software and definitions (A) ensures that the virtual appliance is protected against known vulnerabilities and can effectively filter web traffic. While isolating the appliance on a separate VLAN (B) enhances network security, it does not directly maintain the appliance's functionality and security posture. Using a complex password (C) is good practice but insufficient on its own to secure the appliance. Monitoring network traffic (D) is important for detecting issues but does not prevent vulnerabilities from being exploited.
72. A healthcare organization is defining its risk tolerance regarding potential disruptions to patient data access. What is the primary factor they should consider when setting their risk tolerance level?
A. Regulatory requirements
B. Competitors' strategies
C. Current security technologies
D. Historical security incidents
Answer: A. Regulatory requirements
Regulatory requirements (A) are crucial in setting risk tolerance for a healthcare organization, as compliance with laws and regulations regarding patient data is mandatory. Competitors' strategies (B) do not directly influence risk tolerance. Current security technologies (C) and historical security incidents (D) are factors in assessing risk but not primary considerations in defining risk tolerance.
50. During a routine security audit, you observe that the corporate network firewall is configured to allow all outbound traffic without restriction. What is the most appropriate course of action to enhance network security while maintaining functionality?
A. Restrict outbound traffic to only essential services.
B. Block all outbound traffic and monitor the network for anomalies.
C. Configure the firewall to allow all outbound traffic from known sources.
D. Leave the current configuration as it is.
Answer: A. Restrict outbound traffic to only essential services.
Restricting outbound traffic to only essential services (A) is the best approach to enhance security while maintaining necessary functionality. This limits potential attack vectors and reduces the risk of data exfiltration. Blocking all outbound traffic (B) is impractical and can disrupt legitimate business operations. Configuring the firewall to allow all outbound traffic from known sources (C) does not address the need to filter outbound traffic by service type, potentially allowing malicious traffic from compromised sources. Leaving the current configuration as it is (D) fails to address the security risk.
88. A security analyst is using a timeline visualization to track security events and notices a correlation between software updates and an increase in failed system checks. What should be the next step?
A. Roll back the recent software updates to identify potential issues.
B. Continue monitoring to see if the trend persists.
C. Notify the software vendor of potential bugs in the update.
D. Update the system to the latest software version.
Answer: A. Roll back the recent software updates to identify potential issues.
Rolling back the updates (A) allows the analyst to determine if the updates are causing the issues. Continuing to monitor (B) without action could prolong the problem. Notifying the vendor (C) is important but secondary to mitigating the immediate impact. Updating to the latest version (D) might introduce new issues without resolving the current ones.
18. An organization wants to simplify the user authentication process across multiple applications without compromising security. Which IAM feature should be implemented to achieve this goal?
A. Single sign-on
B. Privileged access management
C. Access control lists
D. Biometric authentication
Answer: A. Single sign-on
Single sign-on (SSO) (A) allows users to authenticate once and gain access to multiple applications without needing to log in separately for each, simplifying the user experience while maintaining security. Privileged access management (B) focuses on controlling and monitoring access to critical resources but does not simplify user authentication across applications. Access control lists (C) specify permissions for individual users or groups but do not streamline the authentication process. Biometric authentication (D) enhances security by verifying identity using unique physical characteristics but does not address single sign-on functionality.
10. A security analyst is reviewing system logs and notices that a user account has repeatedly failed login attempts from various locations within a short period. Which of the following actions should the analyst prioritize to address this event?
A. Temporarily disable the user account and investigate further.
B. Reset the user's password and notify the user.
C. Log the event and continue to monitor for further activity.
D. Block the IP addresses associated with the failed attempts.
Answer: A. Temporarily disable the user account and investigate further.
Temporarily disabling the user account and investigating further (A) is the best course of action to prevent potential unauthorized access while determining the cause of the failed login attempts. This prevents the attacker from succeeding if they obtain the correct credentials. Resetting the user's password and notifying the user (B) might be necessary eventually but doesn't immediately stop the potential threat. Logging the event and continuing to monitor for further activity (C) might delay immediate action needed to secure the account. Blocking the IP addresses associated with the failed attempts (D) might help, but if the attempts come from multiple sources, it is not a comprehensive solution.
100. A company has implemented whole disk encryption on all employee laptops to protect sensitive data. An employee reports that their laptop is not booting after a sudden power failure. What is the most likely cause of this issue?
A. The encryption key has been corrupted due to the power failure.
B. The hard drive needs to be replaced.
C. The operating system files are encrypted and cannot be accessed.
D. The user forgot the encryption password.
Answer: A. The encryption key has been corrupted due to the power failure.
The most likely cause is that the encryption key has been corrupted due to the power failure (A), which can happen if the power is lost during a critical operation involving the key. This corruption can prevent the system from booting as the encrypted data cannot be decrypted without a valid key. While a hard drive replacement (B) or forgotten password (D) could cause access issues, they are less likely given the context. The encrypted operating system files (C) are normally accessible as part of the boot process if the key is intact.
57. During the deployment of MDM, a company wants to ensure that all data exchanged between corporate applications on mobile devices is encrypted. What technology would best meet this requirement?
A. Transport Layer Security (TLS)
B. Full-device encryption
C. Biometric authentication
D. Application sandboxing
Answer: A. Transport Layer Security (TLS)
TLS (A) encrypts data exchanged between applications, ensuring secure communication and protecting data from interception. Full-device encryption (B) protects data at rest but not data in transit. Biometric authentication (C) secures access to the device or applications but does not encrypt data. Application sandboxing (D) isolates applications but does not specifically provide encryption for data exchange between applications.
67. In a software development company, access to the code repository should be restricted to only the development team and not to any other departments. Which authorization mechanism is most effective for this scenario?
A. Use role-based access control.
B. Implement a firewall rule.
C. Enforce a complex password policy.
D. Apply data encryption.
Answer: A. Use role-based access control.
Role-based access control (RBAC) (A) is the most effective mechanism for restricting access to the code repository to only the development team. By assigning access permissions based on the role (e.g., developer), RBAC ensures that only authorized team members can access the repository. Implementing a firewall rule (B) controls network traffic but does not address user authorization for specific resources. Enforcing a complex password policy (C) strengthens authentication but does not control access to the code repository. Data encryption (D) protects data in transit or storage but does not manage access rights to the repository.
49. A company has detected a rootkit infection on multiple systems. To effectively eradicate the rootkit, which of the following steps should be taken?
A. Use specialized rootkit removal tools to detect and eliminate the rootkit
B. Disconnect all affected systems from the network immediately
C. Reformat all affected systems and reinstall the operating systems
D. Notify all users to avoid using the affected systems
Answer: A. Use specialized rootkit removal tools to detect and eliminate the rootkit
Using specialized rootkit removal tools (A) is critical for detecting and eliminating rootkits, as they are often designed to hide from standard security measures. Disconnecting systems (B) is part of containment but does not eradicate the rootkit. Reformatting systems (C) is a more drastic measure and can be disruptive, although it may be necessary in severe cases. Notifying users (D) is part of communication but does not address eradication.
46. A company is planning to upgrade its operating systems to a new version, which includes enhanced security features. What specific aspect of security impact analysis should be prioritized to ensure the upgrade does not introduce new vulnerabilities?
A. Evaluating the cost of the upgrade.
B. Assessing compatibility with existing security policies.
C. Reviewing the user interface changes.
D. Analyzing the potential for system performance degradation.
Answer: B. Assessing compatibility with existing security policies.
Assessing compatibility with existing security policies (B) should be prioritized in the security impact analysis to ensure that the upgrade does not introduce new vulnerabilities. This step helps confirm that the new operating system's security features align with the organization's security standards and policies. Evaluating the cost (A) and reviewing user interface changes (C) are important but not directly related to security impact. Analyzing potential performance degradation (D) is relevant but secondary to security policy compatibility.
2. A new employee at a financial institution needs access to the company's internal financial systems. Which of the following actions ensures the employee is granted appropriate entitlements based on their job role?
A. Provisioning the employee's email account
B. Assigning the employee to a financial analyst role with specific access rights
C. Requiring the employee to sign a non-disclosure agreement
D. Setting up a regular password expiration policy
Answer: B. Assigning the employee to a financial analyst role with specific access rights
Assigning the employee to a financial analyst role with specific access rights (B) ensures they are granted appropriate entitlements, providing them with access to the necessary financial systems and data based on their job role. Provisioning the employee's email account (A) is part of the onboarding process but does not involve entitlements related to job roles. Requiring the employee to sign a non-disclosure agreement (C) is important for confidentiality but not for granting access rights. Setting up a regular password expiration policy (D) enhances security but does not address entitlements based on roles.
55. An employee finds a USB drive labeled "Employee Salary Data" in the parking lot and, out of curiosity, plugs it into their work computer. The drive contains malware that infects the system. What type of social engineering attack does this represent?
A. Phishing
B. Baiting
C. Impersonation
D. Spear phishing
Answer: B. Baiting
The scenario describes a situation where the attacker leaves a tempting item, like a USB drive labeled "Employee Salary Data," to lure the victim into taking action that leads to system compromise. This is known as baiting (B), where the attacker offers something enticing to tempt the victim into a trap. Phishing (A) involves sending fraudulent emails to trick users into revealing personal information, which is not applicable here. Impersonation (C) involves pretending to be someone else to deceive the victim, which is not the case in this scenario. Spear phishing (D) is a targeted form of phishing and does not involve physical bait like a USB drive.
35. To maintain compliance with regulatory requirements, an organization conducts periodic reviews of its security policies and procedures. Which activity is most critical during these reviews?
A. Updating software applications
B. Benchmarking against industry standards
C. Installing new firewall rules
D. Reassigning security responsibilities
Answer: B. Benchmarking against industry standards
Benchmarking against industry standards is the most critical activity during periodic reviews of security policies and procedures to maintain compliance with regulatory requirements. This process involves comparing the organization's policies and procedures to accepted industry standards and best practices to identify areas for improvement and ensure compliance. Updating software applications (A), installing new firewall rules (C), and reassigning security responsibilities (D) are important activities for security management but are not specifically focused on reviewing and comparing policies and procedures for compliance.
33. Upon analyzing event logs, a security analyst discovers a series of login attempts using multiple user accounts within a short timeframe from a single IP address. The event data suggests an attempted brute-force attack. What should be the analyst's immediate response?
A. Initiate an account lockout for all user accounts involved.
B. Block the IP address at the firewall.
C. Notify the affected users to change their passwords.
D. Increase password complexity requirements for all accounts.
Answer: B. Block the IP address at the firewall.
Blocking the IP address (B) helps to immediately stop the brute-force attempts from continuing. Initiating an account lockout (A) might disrupt legitimate users. Notifying affected users (C) is important but secondary to stopping the attack. Increasing password complexity (D) is a long-term measure that does not address the immediate threat.
6. A company places a "No Trespassing" sign at the entrance of its restricted area. How does this sign contribute to the company's security posture?
A. By serving as a detective control to monitor and report unauthorized access.
B. By acting as a deterrent control to discourage unauthorized individuals from entering.
C. By functioning as a preventive control to physically block access to the area.
D. By providing a compensating control for insufficient access control mechanisms.
Answer: B. By acting as a deterrent control to discourage unauthorized individuals from entering.
The "No Trespassing" sign serves as a deterrent control (B), aiming to discourage unauthorized individuals from entering the restricted area by clearly indicating that entry is forbidden and that there may be consequences for trespassing. Detective control (A) would involve systems to identify and report unauthorized access, which the sign does not do. Preventive control (C) physically restricts access, such as through barriers or locks, which is not the function of a sign. Compensating control (D) offers alternative measures when primary controls are lacking, but the sign's primary purpose is to deter, not to compensate for other controls.
81. A company is considering implementing TPM on their devices. How does TPM contribute to the integrity of the system?
A. By enforcing password policies for all users.
B. By storing and managing cryptographic keys used for system integrity checks.
C. By controlling access to external devices such as USB drives.
D. By providing real-time monitoring of system files for changes.
Answer: B. By storing and managing cryptographic keys used for system integrity checks.
TPM enhances system integrity by securely storing and managing cryptographic keys (B) that are used for integrity checks, ensuring that the system has not been tampered with. Enforcing password policies (A), controlling access to external devices (C), and monitoring system files (D) are related to broader security policies and tools, not specifically to the role of TPM.
5. A financial company is concerned about the integrity of its internal applications and wants to ensure that the software they deploy has not been tampered with. Which countermeasure would be most effective in verifying the authenticity of these applications before installation?
A. Antivirus
B. Code signing
C. Intrusion Detection System (IDS)
D. Firewall
Answer: B. Code signing
Code signing (B) is a technique used to ensure the integrity and authenticity of software applications by digitally signing them. This helps verify that the code has not been altered since it was signed by the trusted author, providing a layer of security against tampering. Antivirus software (A) is primarily used to detect and remove malicious software but does not verify the authenticity of software. An Intrusion Detection System (IDS) (C) monitors network traffic for suspicious activity but does not directly relate to verifying software integrity. A firewall (D) controls incoming and outgoing network traffic based on security rules, and it does not authenticate software applications.
73. A security team has detected a potential vulnerability in a web application and needs to implement a patch to address it. During the change management meeting, it was noted that the patch may cause compatibility issues with certain database configurations. What is the most critical step the team should take next to ensure a smooth implementation? A. Skip the patch until further notice. B. Conduct a risk assessment and plan a rollback strategy. C. Apply the patch immediately to mitigate the vulnerability. D. Inform end-users about the potential downtime and proceed.
B. Conduct a risk assessment and plan a rollback strategy. Conducting a risk assessment and planning a rollback strategy (B) is the most critical step because it helps identify the potential impact of the patch on existing systems and ensures that there is a plan in place to revert the changes if something goes wrong. Skipping the patch (A) is not advisable as it leaves the vulnerability unaddressed. Applying the patch immediately (C) without assessing risks may lead to system issues. Informing end-users (D) is important but not the most critical immediate step.
17. An organization is designing a hardware asset management plan and needs to include considerations for the initiation phase. Which of the following is most critical to address at this stage? A. Conducting regular asset audits. B. Defining asset classification criteria. C. Establishing asset retirement procedures. D. Implementing access control mechanisms.
B. Defining asset classification criteria. During the initiation phase of hardware asset management, defining asset classification criteria (B) is essential to categorize assets based on their importance, sensitivity, and usage. This foundational step informs subsequent processes, such as audits (A), which are typically part of the maintenance phase. Asset retirement procedures (C) come into play much later in the asset lifecycle, during the disposal phase. Implementing access control mechanisms (D) is also critical but is more relevant during the deployment or maintenance phases.
90. A legal firm needs to ensure that electronic contracts are binding and cannot be denied by the parties involved. Which of the following methods provides the best assurance for non-repudiation of these electronic contracts? A. Using HMAC with a shared key B. Digital signatures with a certificate authority C. Encrypting contracts with a symmetric key D. Storing contracts in a blockchain ledger
B. Digital signatures with a certificate authority Digital signatures with a certificate authority provide the best assurance for non-repudiation by allowing the verification of the signer's identity and the integrity of the contract through a trusted third party (B). Using HMAC with a shared key (A) provides authentication and integrity but not non-repudiation, because either holder of the shared key could have produced the tag. Encrypting contracts with a symmetric key (C) secures the data but does not link the action to a specific individual. Storing contracts in a blockchain ledger (D) can provide an immutable record, but it does not inherently provide non-repudiation of the individual action without additional authentication mechanisms.
94. When designing a system to store confidential medical records, which cryptographic practice is most crucial to ensure data confidentiality? A. Using a hash function with salt B. Encrypting data at rest with a secure algorithm C. Implementing SSL/TLS for data in transit D. Applying access control lists (ACLs)
B. Encrypting data at rest with a secure algorithm Encrypting data at rest with a secure algorithm (B) is crucial for ensuring the confidentiality of stored medical records, as it protects sensitive data from unauthorized access if the storage medium is compromised. Using a hash function with salt (A) helps prevent hash collisions and protect against dictionary attacks but does not encrypt data for confidentiality. Implementing SSL/TLS (C) is essential for protecting data in transit but does not address the confidentiality of stored data. Access control lists (ACLs) (D) help manage who can access data but do not provide encryption to protect the data itself from unauthorized access.
58. An organization discovers that unauthorized modifications have been made to critical configuration files on a server. Which of the following controls is most effective in preventing such incidents? A. Implementing multifactor authentication (MFA) B. Enforcing file integrity monitoring (FIM) C. Conducting regular security awareness training D. Using a firewall to block unauthorized access
B. Enforcing file integrity monitoring (FIM)
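The question above describes file integrity monitoring without spelling out the mechanism. The following is an added example, written for this page and not taken from any FIM product: a baseline of SHA-256 digests is recorded for a directory and a later scan is classified into modified, added and removed files. The directory contents and file names are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example of a file integrity monitoring (FIM) baseline-and-compare
# check; constructed for this question, not any product's code. Paths and
# file contents below are made up.


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict[str, str], root: Path) -> dict[str, list[str]]:
    """Classify drift since the baseline: content changed, new file, file gone."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a config directory, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "sudoers").write_text("root ALL=(ALL) ALL\n")
        baseline = build_baseline(root)

        # Three kinds of unauthorized change a FIM scan should surface.
        (root / "sshd_config").write_text("PermitRootLogin yes\n")   # edited
        (root / "rc.local").write_text("# unexpected new file\n")    # added
        (root / "sudoers").unlink()                                  # deleted
        return compare(baseline, root)


if __name__ == "__main__":
    print(demo())
```

The baseline itself must be stored somewhere the monitored host cannot silently rewrite (a separate server or a signed file); otherwise whoever alters the configuration can also alter the reference digests.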
20. In a secure communication setup using asymmetric encryption, which scenario best demonstrates the application of the private key? A. Encrypting a large file for secure transmission. B. Generating a digital signature to verify document authenticity. C. Encrypting session keys for symmetric encryption. D. Creating a backup of encrypted data.
B. Generating a digital signature to verify document authenticity. The private key in asymmetric encryption is primarily used for generating digital signatures, which are used to verify the authenticity and integrity of a document (B). Encrypting a large file (A) is typically done using symmetric encryption for efficiency. While asymmetric encryption can be used to encrypt session keys (C), the private key's role in this context is decryption. Creating a backup of encrypted data (D) does not specifically involve the private key's function for generating digital signatures.
95. An IT director discovers that a new software update violates the organization's ethical commitment to open-source software usage. What should be the IT director's next step according to the organizational code of ethics? A. Proceed with the update to maintain the software's functionality. B. Halt the update and review alternative solutions that comply with the organization's ethical commitments. C. Ignore the ethical commitment for this update due to time constraints. D. Apply the update and address the ethical concerns later.
B. Halt the update and review alternative solutions that comply with the organization's ethical commitments. The organizational code of ethics requires adherence to stated commitments and values. Halting the update and reviewing alternatives (B) ensures compliance with the organization's ethical guidelines regarding open-source software. Proceeding with the update (A) or ignoring the commitment (C) compromises the organization's values. Applying the update and addressing concerns later (D) fails to uphold the immediate ethical commitment and could lead to longer-term issues.
99. A company is concerned about attackers intercepting and modifying data in transit. They want to ensure that any tampering can be detected. Which cryptographic technique is best suited to address this concern? A. RSA encryption B. Hash-based Message Authentication Code (HMAC) C. Elliptic curve cryptography D. Symmetric key encryption
B. Hash-based Message Authentication Code (HMAC) HMAC provides a way to verify both the integrity and authenticity of a message by combining a cryptographic hash function with a secret key, making it possible to detect any tampering with the data in transit (B). RSA encryption (A) primarily ensures confidentiality and secure key exchange but does not inherently provide integrity checks. Elliptic curve cryptography (C) is used for secure key exchange and digital signatures but is not directly aimed at verifying message integrity like HMAC. Symmetric key encryption (D) ensures confidentiality but does not provide a mechanism for detecting message tampering without additional integrity checks.
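An added example, constructed for this question and not taken from any product, of why the key in HMAC matters: a plain SHA-256 checksum appended to a message can be recomputed by whoever alters the message, so the receiver's check still passes, whereas an HMAC-SHA256 tag cannot be recomputed without the shared key. The key is assumed to have been exchanged in advance over a separate secure channel.

```python
import hashlib
import hmac
import secrets

# Added example, constructed for this question (not any vendor's code): an
# HMAC-SHA256 tag on a message versus an unkeyed SHA-256 checksum. The key
# is assumed to have been shared in advance over a separate secure channel.


def tag_message(key: bytes, message: bytes) -> bytes:
    """Sender: tag = HMAC-SHA256(key, message), sent alongside the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver: recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag_message(key, message), tag)


def demo() -> dict[str, bool]:
    key = secrets.token_bytes(32)                  # 256-bit shared secret
    message = b"TRANSFER 100.00 TO ACCT 12345"     # constructed payload
    tag = tag_message(key, message)

    # In transit the payload is altered. With only a plain hash appended, the
    # alterer recomputes the hash too, and the receiver's check still passes.
    altered = b"TRANSFER 999.00 TO ACCT 12345"
    forged_checksum = hashlib.sha256(altered).digest()
    unkeyed_check_passes = hashlib.sha256(altered).digest() == forged_checksum

    # With HMAC the alterer lacks the key, so the old tag (or any guess) fails.
    return {
        "genuine_verifies": verify_message(key, message, tag),
        "unkeyed_check_passes_despite_tampering": unkeyed_check_passes,
        "hmac_detects_tampering": not verify_message(key, altered, tag),
    }


if __name__ == "__main__":
    print(demo())
```

`hmac.compare_digest` is used rather than `==` so that verification time does not depend on how many leading bytes of a wrong tag happen to match. Note the limit flagged in question 90: because both endpoints hold the same key, a valid HMAC shows the message came from one of them, but not which one.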
80. A company needs to securely transmit data between two branches located in different cities over the internet. The requirement is to ensure that the data is encrypted and cannot be intercepted or tampered with during transmission. Which of the following protocols is most suitable for this use case? A. SSH B. IPsec C. HTTP D. POP3
B. IPsec The correct answer is B. IPsec (Internet Protocol Security) is ideal for securely transmitting data over the internet as it encrypts the data and provides integrity checks, ensuring that the data cannot be intercepted or tampered with during transmission. This makes it suitable for establishing a secure communication channel between two branches over the internet. SSH (A) is primarily used for secure remote access and command execution rather than for encrypting data transmission between networks. HTTP (C) is used for web communication and does not provide security features needed for encrypting sensitive data. POP3 (D) is used for email retrieval and does not address secure data transmission requirements.
21. An organization is using IPsec to secure communication between their offices. The security team is concerned about IPsec's susceptibility to certain types of attacks. Which of the following is a known vulnerability of IPsec? A. IPsec does not support encryption. B. IPsec is vulnerable to replay attacks. C. IPsec is susceptible to DNS spoofing. D. IPsec cannot provide data integrity.
B. IPsec is vulnerable to replay attacks. The correct answer is B. IPsec can be vulnerable to replay attacks if anti-replay services are not enabled. Replay attacks involve intercepting and retransmitting valid data packets to create a malicious effect. Option A is incorrect as IPsec supports encryption. Option C is not directly related to IPsec; DNS spoofing attacks target domain name resolution rather than the IPsec protocol itself. Option D is incorrect because IPsec does provide data integrity through authentication headers and encapsulating security payloads.
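The anti-replay service the explanation refers to is a sliding window over packet sequence numbers. The following is an added educational model written for this page, not an IPsec implementation: it follows the shape of the ESP/AH anti-replay check (monotonic sequence numbers, a 64-packet window of received-bits) and shows which arrivals are accepted, which are rejected as replays, and which are too old to judge.

```python
# Added illustration of the anti-replay sliding window that IPsec ESP/AH use
# (monotonic sequence numbers, a 64-packet window); an educational model, not
# an IPsec implementation. Only sequence numbers are modelled, not packets.


class AntiReplayWindow:
    WINDOW = 64

    def __init__(self):
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bitmask: bit i set => highest - i was received

    def accept(self, seq: int) -> bool:
        """True if seq is new and inside the window; False if it is a replay
        or has fallen behind the window. Sequence numbers start at 1."""
        if seq == 0:
            return False
        if seq > self.highest:
            # Advance the window; bits shifted past WINDOW are forgotten.
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.WINDOW:
            return False   # too old: a late packet and a replay look the same
        if self.seen & (1 << offset):
            return False   # already received once: replay
        self.seen |= 1 << offset
        return True        # late but unseen: accept


def demo() -> list:
    """Constructed arrival order; True = accepted, False = dropped."""
    window = AntiReplayWindow()
    arrivals = [
        1, 2, 3,   # in order
        5, 4,      # 5 arrives early, 4 arrives late but inside the window
        3,         # replay of 3: dropped
        70,        # window jumps forward
        5,         # 70 - 5 = 65 >= 64: behind the window, dropped
        10,        # 70 - 10 = 60: late but unseen, accepted
        10,        # replay of 10: dropped
    ]
    return [window.accept(seq) for seq in arrivals]


if __name__ == "__main__":
    print(demo())
```

The window only works because the sequence number is covered by the packet's integrity check; without authentication a forwarded copy could simply carry a fresh number.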
1. An organization is choosing a risk management framework to comply with international standards for information security. They require a framework that is globally recognized and provides a comprehensive approach to managing risk. Which framework should they select? A. Control Objectives for Information and Related Technologies (COBIT) B. ISO/IEC 27005 C. Payment Card Industry Data Security Standard (PCI DSS) D. Federal Information Security Management Act (FISMA)
B. ISO/IEC 27005 ISO/IEC 27005 (B) is a globally recognized framework that provides comprehensive guidelines for information security risk management within the context of an organization's overall information security management system (ISMS). COBIT (A) focuses on IT governance rather than risk management specifically. PCI DSS (C) is a standard for securing cardholder data, not a general risk management framework. FISMA (D) applies to federal agencies in the United States and does not offer a global approach.
77. An organization regularly performs vulnerability assessments as part of its vulnerability management lifecycle. What is the primary benefit of this practice? A. Ensuring compliance with regulatory requirements. B. Identifying and addressing security gaps before they are exploited. C. Improving the efficiency of IT operations. D. Enhancing employee awareness of security practices.
B. Identifying and addressing security gaps before they are exploited. The primary benefit of regularly performing vulnerability assessments is identifying and addressing security gaps before they are exploited (B). This proactive approach helps prevent security incidents. Ensuring compliance with regulatory requirements (A) is a benefit but not the primary purpose. Improving the efficiency of IT operations (C) and enhancing employee awareness of security practices (D) are secondary benefits but do not address the core purpose of vulnerability assessments.
71. After a disaster recovery drill, an organization identifies several weaknesses in their response plan. What is the most effective way to address these weaknesses? A. Document the weaknesses and review them at the next scheduled update. B. Immediately update the disaster recovery plan and conduct follow-up drills. C. Conduct a formal audit to determine the root causes of the weaknesses. D. Replace the disaster recovery team members who underperformed.
B. Immediately update the disaster recovery plan and conduct follow-up drills. The correct answer is B. Immediately updating the disaster recovery plan and conducting follow-up drills ensures that weaknesses are addressed promptly and the plan is improved continuously. Documenting weaknesses (A) without action may delay necessary improvements. Conducting a formal audit (C) may be part of a thorough response but should not delay immediate updates and follow-up testing. Replacing team members (D) does not address the plan's shortcomings and may not resolve the identified issues.
56. During an assessment of a company's Wi-Fi security, you discover that WPA3 is already in use. Which additional measure should be implemented to ensure maximum security? A. Use a single SSID for both staff and guest networks to simplify management. B. Implement an enterprise-level RADIUS server for authentication. C. Regularly change the Wi-Fi channel to avoid interference. D. Lower the signal strength to reduce the range of the Wi-Fi network.
B. Implement an enterprise-level RADIUS server for authentication. Implementing a RADIUS server (B) provides robust authentication mechanisms, ensuring only authorized users can access the network. Using a single SSID for both staff and guests (A) is a security risk as it can lead to unauthorized access to sensitive network areas. Regularly changing the Wi-Fi channel (C) is aimed at avoiding interference, not improving security. Lowering the signal strength (D) can help minimize the Wi-Fi range but does not contribute significantly to overall security.
25. A company uses IoT devices for environmental monitoring. To protect the devices from unauthorized access, what practice should be implemented? A. Use default administrative credentials for easy setup. B. Implement secure boot and firmware integrity checks. C. Connect devices to public Wi-Fi networks for easy access. D. Disable all security features to reduce device complexity.
B. Implement secure boot and firmware integrity checks. Implementing secure boot and firmware integrity checks (B) ensures that IoT devices boot with verified software and are protected from tampering and unauthorized access. Using default administrative credentials (A) is a significant security risk as they are commonly known and easily exploited. Connecting devices to public Wi-Fi networks (C) exposes them to potential attacks and unauthorized access. Disabling security features (D) compromises the security of the devices and increases vulnerability.
64. During a supplier risk review, it was identified that a supplier has access to sensitive customer data without adequate encryption. What is the most effective action to take? A. Request the supplier to stop using customer data. B. Implement strong encryption protocols for data in transit and at rest. C. Monitor the supplier's data access more closely. D. Require the supplier to sign a confidentiality agreement.
B. Implement strong encryption protocols for data in transit and at rest. The most effective action to address the risk of a supplier having access to sensitive customer data without adequate encryption is to implement strong encryption protocols for data in transit and at rest (B). This ensures that the data is protected regardless of the supplier's practices. Requesting the supplier to stop using customer data (A) may not be feasible or effective. Monitoring the supplier's data access more closely (C) is important but does not mitigate the risk of unencrypted data. A confidentiality agreement (D) is a legal measure but does not address the technical risk of unencrypted data.
59. A network administrator needs to ensure that video conferencing traffic is prioritized over other types of traffic on the network to prevent latency and jitter issues. Which device or feature should be implemented? A. Firewall with content filtering B. Load balancer with session persistence C. QoS-enabled router D. Intrusion Prevention System (IPS)
C. QoS-enabled router
32. You are tasked with enhancing the security of the company's internal network. One of the measures involves securing the network devices themselves. What is the best practice for securing access to routers and switches? A. Use default usernames and passwords to ensure easy access for all. B. Implement strong, unique passwords and limit access to authorized personnel. C. Enable Telnet for remote management for convenience. D. Open all ports on the devices for maximum connectivity.
B. Implement strong, unique passwords and limit access to authorized personnel. Implementing strong, unique passwords and limiting access to authorized personnel (B) is the best practice for securing access to routers and switches. Using default usernames and passwords (A) is insecure as they are commonly known and can be exploited by attackers. Enabling Telnet (C) is not secure due to its lack of encryption; SSH should be used instead. Opening all ports (D) increases the attack surface and is not recommended for security.
51. An organization needs to ensure that all installed software is properly licensed. What is the most effective approach to achieve this? A. Conducting a manual software inventory twice a year. B. Implementing an automated software asset management tool. C. Restricting software installation to the IT department. D. Regularly purchasing new software licenses.
B. Implementing an automated software asset management tool. Implementing an automated software asset management tool (B) is the most effective approach to ensure that all installed software is properly licensed, as it provides continuous monitoring and can automatically detect non-compliance issues. Conducting a manual software inventory (A) is labor-intensive and prone to errors. Restricting software installation (C) can help, but it is not a comprehensive solution. Regularly purchasing new software licenses (D) is not efficient and does not address the need for accurate tracking and compliance.
31. An organization is developing a mobile application that collects sensitive user information. To ensure user privacy, which practice should be prioritized? A. Collecting as much data as possible for future use B. Implementing data minimization principles C. Storing all collected data in plain text D. Disabling user consent options to simplify the user experience
B. Implementing data minimization principles Implementing data minimization principles is crucial for ensuring user privacy by collecting only the necessary data needed for specific purposes, thereby reducing the risk of data breaches and misuse. Collecting as much data as possible for future use (A) increases privacy risks and may violate regulations. Storing all collected data in plain text (C) compromises data security and privacy. Disabling user consent options (D) violates privacy regulations that require informed consent for data collection and processing.
22. During a security assessment, it is found that physical security measures at the data center include locked doors and ID badge verification. However, unauthorized personnel have been gaining access to restricted areas. What additional security measure should be implemented to prevent unauthorized access? A. Increase the frequency of security patrols. B. Install a biometric access control system. C. Enhance the lighting around the perimeter. D. Conduct background checks on all visitors.
B. Install a biometric access control system. Installing a biometric access control system (B) should be implemented as it provides a higher level of security by ensuring that only individuals with pre-approved biometric credentials can access restricted areas, effectively preventing unauthorized access. Increasing the frequency of security patrols (A) can help monitor the area but may not always prevent unauthorized access. Enhancing the lighting around the perimeter (C) improves visibility but does not directly control access. Conducting background checks on all visitors (D) is important but does not address the immediate issue of controlling physical access to restricted areas.
24. A company that uses BYOD policy is looking to enhance its data protection measures. How can containerization help in this scenario? A. It enforces a strict app installation policy on personal devices. B. It provides a clear separation between personal and corporate data. C. It restricts the usage of corporate applications to office premises only. D. It ensures that all data on the device is backed up to a corporate server.
B. It provides a clear separation between personal and corporate data. Containerization (B) separates corporate and personal data, which is crucial in a BYOD environment to protect corporate data without infringing on personal data. Option A focuses on app installation policies, which are less relevant to the concept of data separation. Option C limits application use, which is not related to data separation. Option D suggests a data backup strategy that might not respect personal data privacy.
12. To prevent data leakage, a company deploys a data loss prevention (DLP) system that blocks the transfer of sensitive information. What type of control is this, and why is it effective? A. It acts as a deterrent control by warning employees against data transfer. B. It serves as a preventive control by blocking unauthorized data transfers. C. It functions as a detective control by identifying potential data leaks. D. It operates as a compensating control for insufficient encryption measures.
B. It serves as a preventive control by blocking unauthorized data transfers. A data loss prevention (DLP) system functions as a preventive control (B) by blocking the transfer of sensitive information outside the organization, thus preventing data leakage. A deterrent control (A) would discourage data transfer attempts but not block them. A detective control (C) would monitor and identify potential data leaks, but a DLP system actively prevents them. A compensating control (D) offers alternative methods to achieve security objectives when other measures are lacking, but a DLP system directly prevents data leaks by enforcing policies that block unauthorized transfers.
61. A healthcare organization uses a system that employs data analytics to monitor network traffic for signs of unusual activities, such as large file transfers outside the organization. How does data analytics contribute to identifying these activities? A. It encrypts all data transfers. B. It uses historical data to identify patterns and anomalies. C. It blocks all external connections. D. It installs security patches.
B. It uses historical data to identify patterns and anomalies. Data analytics contributes to identifying unusual activities by using historical data to identify patterns and anomalies (B). By analyzing past network traffic, the system can establish what is considered normal and detect deviations such as large file transfers outside the organization. Data encryption (A) secures data but does not analyze network traffic for anomalies. Blocking all external connections (C) would prevent data loss but is not a method of analyzing activities. Installing security patches (D) addresses vulnerabilities but does not involve analyzing network traffic.
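An added example for the question above, constructed for this page and not taken from any monitoring product: historical flow records are used to build a per-host baseline (mean and standard deviation of outbound transfer size to external addresses), and today's records are flagged when they sit far outside that baseline or come from a host with no external history. The log line format and the assumption that 10.0.0.0/8 is the internal range are both made up for the example.

```python
import ipaddress
import re
import statistics

# Added example for this question, constructed (not any product's code): build
# a per-host baseline of outbound transfer sizes from historical flow logs,
# then flag new transfers to external addresses that deviate from it. The log
# format and the 10.0.0.0/8 "internal" range are assumptions.

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
FIELDS = re.compile(r"src=(\S+) dst=(\S+) bytes_out=(\d+)")


def external_transfers(lines):
    """Yield (src, bytes) for each line whose destination is outside the org."""
    for line in lines:
        m = FIELDS.search(line)
        if not m:
            continue                       # malformed line: skip, do not crash
        src, dst, nbytes = m.group(1), m.group(2), int(m.group(3))
        if ipaddress.ip_address(dst) not in INTERNAL:
            yield src, nbytes


def build_profile(history):
    """Per source host: (mean, population std dev) of past external transfer sizes."""
    sizes = {}
    for src, nbytes in external_transfers(history):
        sizes.setdefault(src, []).append(nbytes)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in sizes.items()}


def detect(profile, lines, z=3.0):
    """Flag external transfers more than z std devs above the host's mean, and
    hosts that have never sent anything external before."""
    flagged = []
    for src, nbytes in external_transfers(lines):
        if src not in profile:
            flagged.append((src, nbytes, "no external history"))
            continue
        mean, sd = profile[src]
        if nbytes > mean + z * max(sd, 1.0):   # floor avoids a zero-width band
            flagged.append((src, nbytes, "exceeds baseline"))
    return flagged


HISTORY = [  # constructed: ten days of ordinary traffic from one workstation
    f"2024-05-{d:02d} 09:00:00 src=10.1.4.17 dst=203.0.113.10 bytes_out={b}"
    for d, b in enumerate([1200, 1500, 1100, 1300, 1400, 1250, 1350, 1450, 1150, 1300], 1)
]

TODAY = [  # constructed: today's flows
    "2024-05-11 08:55:10 src=10.1.4.17 dst=203.0.113.10 bytes_out=1400",
    "2024-05-11 09:02:44 src=10.1.4.17 dst=10.2.0.5 bytes_out=900000000",   # internal: ignored
    "2024-05-11 23:14:02 src=10.1.4.17 dst=198.51.100.7 bytes_out=48000000",
    "2024-05-11 23:20:31 src=10.1.9.3 dst=198.51.100.7 bytes_out=5000",
    "garbage line",
]


def demo():
    return detect(build_profile(HISTORY), TODAY)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

A mean-plus-three-sigma band is the simplest form of "learn normal, alert on deviation"; the baseline window, the statistic used and the treatment of hosts with no history are the tuning knobs that decide the false-positive rate.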
89. A network administrator notices unusual ARP (Address Resolution Protocol) traffic suggesting that an attacker might be intercepting communications between hosts on a local network. What type of attack is this, and what is a recommended countermeasure? A. DNS poisoning; Deploy a secure DNS resolver B. Man-in-the-Middle (MITM); Enable ARP spoofing detection C. DDoS; Utilize an anti-DDoS service D. Phishing; Implement a security awareness program
B. Man-in-the-Middle (MITM); Enable ARP spoofing detection Unusual ARP traffic indicating interception of communication between hosts suggests a Man-in-the-Middle (MITM) attack, where an attacker secretly relays and possibly alters the communication (B). ARP spoofing detection can help identify and block such malicious activities on the local network. DNS poisoning (A) involves altering DNS records, which does not align with ARP-related traffic. DDoS (C) attacks overwhelm network resources, unrelated to ARP traffic. Phishing (D) is an attack through social engineering, not network-level interception.
26. A company is transitioning to a cloud service model and is concerned about maintaining compliance with data protection regulations. What is their primary responsibility under the shared responsibility model for IaaS? A. Securing the cloud provider's network B. Managing data encryption and access policies C. Ensuring the physical security of data centers D. Maintaining the virtualization platform
B. Managing data encryption and access policies Under the IaaS model, the company's primary responsibility is managing data encryption and access policies (B), ensuring that their data is encrypted, access policies are properly implemented, and compliance with data protection regulations is maintained. The cloud provider secures the network (A), ensures physical security of data centers (C), and maintains the virtualization platform (D). The company must focus on securing their data and managing how it is accessed and protected within the cloud environment.
97. A data center has implemented a mechanism that requires individuals to pass through a secure, controlled entrance that limits entry to one person at a time. Which physical control is being described? A. CCTV cameras B. Mantrap C. Security guards D. Biometric access
B. Mantrap A mantrap is a physical control that consists of two doors with a small space between them, allowing only one person to enter at a time. This mechanism is effective in controlling access and preventing tailgating, where unauthorized individuals might try to follow an authorized person into a secure area. CCTV cameras (A) monitor activity but do not control physical entry, security guards (C) can oversee entry points but are not a mechanical barrier, and biometric access (D) verifies identity but does not restrict the physical flow of individuals like a mantrap does.
66. During the planning of a new office network, you are asked to choose a topology that minimizes the impact of device failure and reduces the risk of network downtime. Which topology would you choose? A. Star topology B. Mesh topology C. Bus topology D. Ring topology
B. Mesh topology The Mesh topology (B) would be the best choice to minimize the impact of device failure and reduce network downtime due to its redundant paths between all nodes. The Star topology (A) has a central point of failure at the hub, which can cause downtime if the hub fails. The Bus topology (C) is vulnerable to a single point of failure in the main communication line. The Ring topology (D) can also suffer from a single point of failure that affects the whole network.
7. During a backup process, an organization uses data deduplication to optimize storage. What is the primary benefit of using data deduplication in their backup strategy? A. Reducing the backup time significantly B. Minimizing the storage space required for backups C. Ensuring backup data is encrypted D. Improving the speed of data recovery
B. Minimizing the storage space required for backups The correct answer is B. Data deduplication minimizes the storage space required for backups by eliminating duplicate copies of repeating data, thus optimizing the use of storage resources. Reducing backup time (A) can be a secondary benefit but is not the primary purpose. Ensuring data encryption (C) is not related to deduplication but to data security practices. Improving recovery speed (D) can be a benefit of having more efficient storage, but the primary advantage of deduplication is storage optimization.
85. To ensure accountability in the use of privileged accounts, which of the following controls should be implemented? A. Allowing shared use of privileged accounts B. Regularly reviewing and auditing privileged account activities C. Disabling logging for privileged accounts to protect sensitive operations D. Limiting privileged account access to business hours only
B. Regularly reviewing and auditing privileged account activities Regularly reviewing and auditing privileged account activities ensures accountability by monitoring the actions performed by users with elevated permissions. This practice helps detect any misuse or unauthorized actions and provides a record for investigating incidents. Allowing shared use of privileged accounts (A) undermines accountability by making it difficult to attribute actions to specific users. Disabling logging for privileged accounts (C) removes the ability to monitor their activities, reducing accountability. Limiting access to business hours only (D) may improve security but does not directly enhance accountability.
36. An organization has decided to implement an access control model that uses roles to determine access to different systems and data. Each user will be assigned to one or more roles that grant specific permissions. What is a key advantage of this approach? A. Users can individually set permissions for their resources B. Roles can be quickly updated to reflect changes in job functions C. Access is based on the security classification of data D. Access permissions are defined by multiple user attributes
B. Roles can be quickly updated to reflect changes in job functions The correct answer is B, Roles can be quickly updated to reflect changes in job functions, because Role-Based Access Control (RBAC) allows for rapid adjustment of access rights by simply changing the permissions associated with roles, which is beneficial in dynamic organizational environments. Option A, Users can individually set permissions for their resources, is incorrect as it describes Discretionary Access Control (DAC). Option C, Access is based on the security classification of data, is incorrect because it describes Mandatory Access Control (MAC). Option D, Access permissions are defined by multiple user attributes, is incorrect as it pertains to Attribute-Based Access Control (ABAC), not the role-based system.
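An added example for the question above, constructed for this page and not taken from any access-control product: a minimal RBAC model in which users hold roles and roles hold permissions, so that one change to a role's permission set takes effect for every user holding that role. Role, user and permission names are made up.

```python
# Added example for this question, constructed (not from any product): a
# minimal role-based access control model showing why changing a role's
# permissions updates every user holding that role at once.


class RBAC:
    def __init__(self):
        self.role_permissions = {}   # role -> set of permission strings
        self.user_roles = {}         # user -> set of role names

    def grant(self, role, *perms):
        self.role_permissions.setdefault(role, set()).update(perms)

    def revoke(self, role, *perms):
        self.role_permissions.setdefault(role, set()).difference_update(perms)

    def assign(self, user, *roles):
        for role in roles:
            if role not in self.role_permissions:
                raise KeyError(f"unknown role {role!r}")   # no implicit role creation
        self.user_roles.setdefault(user, set()).update(roles)

    def permissions_of(self, user):
        """Effective permissions: union over all roles the user holds."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions[role]
        return perms

    def can(self, user, perm):
        return perm in self.permissions_of(user)


def demo():
    ac = RBAC()
    ac.grant("accounts-payable", "invoice:read", "invoice:approve")
    ac.grant("auditor", "ledger:read")
    ac.assign("alice", "accounts-payable")
    ac.assign("bob", "auditor")
    ac.assign("carol", "accounts-payable", "auditor")

    users = ("alice", "bob", "carol")
    before = {u: ac.can(u, "invoice:approve") for u in users}

    # Job functions change: approving invoices becomes a separate duty. One
    # edit to the role removes the right from every accounts-payable holder;
    # only the people explicitly given the new role keep it.
    ac.revoke("accounts-payable", "invoice:approve")
    ac.grant("approver", "invoice:approve")
    ac.assign("alice", "approver")
    after = {u: ac.can(u, "invoice:approve") for u in users}
    return before, after


if __name__ == "__main__":
    print(demo())
```

Contrast with DAC (option A), where each resource owner would have to edit their own permission lists, and with MAC (option C), where the decision would come from labels on the data rather than from the user's role.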
15. After conducting a vulnerability scan, the report shows a critical vulnerability in the organization's email server. What should be your immediate next step? A. Informing the users to avoid using the email server. B. Scheduling downtime to apply necessary patches. C. Rebooting the email server to clear any active threats. D. Disabling all incoming and outgoing email services.
B. Scheduling downtime to apply necessary patches. The immediate next step after identifying a critical vulnerability is scheduling downtime to apply necessary patches (B). This addresses the vulnerability directly. Informing users to avoid the email server (A) does not resolve the issue. Rebooting the server (C) might clear some threats but does not fix the vulnerability. Disabling email services (D) may be necessary temporarily, but it should be done as part of a coordinated plan that includes patching.
91. A company wants to allow its employees to use their corporate credentials to access a third-party cloud service. Which federated authentication method can be used to enable this, while ensuring secure and seamless access? A. Simple Mail Transfer Protocol (SMTP) B. Security Assertion Markup Language (SAML) C. File Transfer Protocol (FTP) D. Internet Protocol Security (IPsec)
B. Security Assertion Markup Language (SAML) Security Assertion Markup Language (SAML) (B) is a standard for exchanging authentication and authorization data between an identity provider and a service provider. It allows users to authenticate once with their corporate credentials and access third-party services without needing to log in again, ensuring secure and seamless access. Simple Mail Transfer Protocol (SMTP) (A) is used for sending emails and is not related to federated authentication. File Transfer Protocol (FTP) (C) is used for transferring files over a network and does not handle authentication. Internet Protocol Security (IPsec) (D) is a protocol suite for securing Internet Protocol (IP) communications, not specifically for federated authentication.
38. An enterprise is considering deploying a network solution that allows centralized control and automation of their network infrastructure across multiple sites. Which of the following technologies should they implement to achieve these goals? A. Traditional WAN B. Software-Defined Wide Area Network (SD-WAN) C. Virtual Private Network (VPN) D. Local Area Network (LAN)
B. Software-Defined Wide Area Network (SD-WAN) Software-Defined Wide Area Network (SD-WAN) (B) enables centralized control and management of network infrastructure across multiple sites, providing enhanced flexibility, automation, and cost savings. Traditional WAN (A) does not provide the centralized control and flexibility offered by SD-WAN. A Virtual Private Network (VPN) (C) provides secure connections over the internet but does not offer centralized network management or automation capabilities. A Local Area Network (LAN) (D) is limited to a single location and does not address the needs of managing multiple sites.
29. During a disaster recovery test, a company finds that their backup systems are taking too long to restore data. What action should be taken to address this issue in their restoration plan? A. Increase the frequency of backup tests. B. Upgrade to faster, more efficient storage solutions. C. Simplify the data structure to reduce restoration time. D. Improve staff training on the restoration process.
B. Upgrade to faster, more efficient storage solutions. The correct answer is B. Upgrading to faster, more efficient storage solutions will directly reduce restoration time by improving the speed of data retrieval and restoration. Increasing backup test frequency (A) helps in identifying issues but does not address the root cause of slow restoration. Simplifying the data structure (C) may help but is not a direct solution to hardware limitations. Improving staff training (D) is beneficial for efficiency but will not significantly impact the technical speed of data restoration.
30. Which of the following is the best method to ensure non-repudiation of a contract signed electronically? A. Storing the contract on a secure server B. Using a public key infrastructure (PKI) for digital signatures C. Sending a copy of the contract via secure email D. Requiring a witness to verify the electronic signing process
B. Using a public key infrastructure (PKI) for digital signatures Using a public key infrastructure (PKI) for digital signatures ensures non-repudiation of a contract signed electronically by providing a reliable method to verify the signer's identity and the authenticity of the document. Storing the contract on a secure server (A) ensures its security but does not provide proof of signing. Sending a copy of the contract via secure email (C) ensures secure transmission but not non-repudiation. Requiring a witness (D) adds a layer of verification but is not as reliable or practical as digital signatures for electronic documents.
40. A network architect is designing a network with multiple segments to handle different types of traffic. Which technique would most effectively limit the interaction between these segments to only what is necessary for security reasons? A. Creating physical segmentation with separate switches B. Using micro-segmentation to enforce granular security policies C. Implementing firewall zones for each type of traffic D. Deploying access control lists on all network interfaces
B. Using micro-segmentation to enforce granular security policies Micro-segmentation (B) provides granular control over traffic interactions, allowing security policies to be applied at a very detailed level, ensuring that segments only interact as necessary for security reasons. Physical segmentation (A) is less flexible and more complex to manage. Firewall zones (C) offer broad control but lack the granularity of micro-segmentation. Access control lists (D) control access but do not provide detailed interaction management between segments.
4. During the recovery phase of a security incident, which action is critical to ensure that systems are safe and secure before they are returned to operation? A. Reinstall all operating systems from scratch B. Validate the integrity of all system components C. Notify regulatory bodies of the incident D. Reconnect all network segments to the internet
B. Validate the integrity of all system components Validating the integrity of all system components (B) is crucial to ensure that no malicious code or vulnerabilities remain before systems are brought back into operation. Reinstalling operating systems (A) is an extreme measure and typically unnecessary unless the systems are heavily compromised. Notifying regulatory bodies (C) is part of incident response and compliance but not directly related to system recovery. Reconnecting network segments (D) should only be done after ensuring system integrity.
39. In a Web of Trust system, an employee, John, wants to verify the public key of his new colleague, Sarah. He notices that several other trusted colleagues have signed Sarah's key. What should John do to ensure that he can trust Sarah's key? A. Directly sign Sarah's key without further checks. B. Verify Sarah's key fingerprint in person or through a secure channel. C. Use the key's metadata to determine its trustworthiness. D. Assume the key is trustworthy if signed by at least three colleagues.
B. Verify Sarah's key fingerprint in person or through a secure channel. The correct answer is B. Verifying Sarah's key fingerprint in person or through a secure channel ensures that John can trust the key's authenticity. Directly signing Sarah's key (A) without verification is not advisable, as it skips the necessary step of ensuring the key's authenticity. The key's metadata (C) does not provide sufficient information to determine trustworthiness. Assuming the key is trustworthy if signed by at least three colleagues (D) is risky, as John should personally verify the key to prevent potential security issues. Verifying the fingerprint directly with Sarah or through a trusted method ensures that the key truly belongs to her.
48. A retail chain wants to secure customer transactions over their Wi-Fi network using a strong encryption protocol. Which protocol should they avoid, and why? A. WPA3, because it is not widely supported on older devices. B. WEP, because it has known security vulnerabilities. C. EAP-TTLS, because it requires a complex setup process. D. WPA2-Enterprise, because it is only suitable for small networks.
B. WEP, because it has known security vulnerabilities. WEP (B) should be avoided as it has numerous well-known security vulnerabilities that can be easily exploited. WPA3 (A) is actually a good choice for secure transactions but might not be supported on older devices. EAP-TTLS (C) is secure and provides strong encryption but requires a more complex setup, which can be managed by an IT department. WPA2-Enterprise (D) is suitable for large networks and provides strong security, contrary to the incorrect assertion that it is only suitable for small networks.
83. An enterprise is upgrading its encryption infrastructure and needs to choose an appropriate key length for its AES encryption to ensure compliance with stringent security policies. What is the most suitable key length for maximizing security? A. 128-bit B. 192-bit C. 256-bit D. 512-bit
C. 256-bit AES-256 is the most suitable key length for maximizing security, as it offers the highest level of protection against brute force attacks and is commonly used in environments requiring stringent security policies (C). AES-128 (A) and AES-192 (B) provide strong security but are less robust than AES-256. A 512-bit key (D) is not a standard option for AES encryption, which supports only 128, 192, and 256-bit key lengths.
8. A company is experiencing issues with remote desktop connectivity. The IT team needs to ensure the correct port is open on the firewall to allow this service. Which port should they verify or open? A. 22 B. 443 C. 3389 D. 3306
C. 3389 Remote Desktop Protocol (RDP) uses port 3389 (C) for remote desktop connectivity. Ensuring this port is open on the firewall will allow remote desktop services to function properly. Port 22 (A) is used for SSH, which provides secure shell access, not remote desktop. Port 443 (B) is used for HTTPS, which secures web traffic. Port 3306 (D) is used by MySQL databases for database connections, not remote desktop.
68. Which of the following scenarios best demonstrates the principle of least privilege? A. A receptionist having access to financial records B. An IT administrator having access to all network resources C. A developer having access to source code repositories only D. A manager having access to all employee records
C. A developer having access to source code repositories only A developer having access to source code repositories only demonstrates the principle of least privilege (PoLP) by limiting access to only the resources necessary to perform the developer's job functions. A receptionist having access to financial records (A) violates the PoLP. An IT administrator having access to all network resources (B) provides more access than necessary. A manager having access to all employee records (D) grants excessive access.
27. During a large-scale natural disaster, a company's data center is flooded, and all systems go offline. The organization has an emergency response plan in place. Which of the following actions should be prioritized to ensure business continuity? A. Initiate the data restoration process from off-site backups. B. Contact local emergency services to assist with the evacuation. C. Activate the alternative data center and reroute critical business processes. D. Inform customers about potential service disruptions and expected recovery times.
C. Activate the alternative data center and reroute critical business processes. The correct answer is C. The priority during a disaster that affects critical systems is to ensure the continuity of essential business functions, which involves activating the alternative data center and rerouting processes to maintain operations. Initiating data restoration (A) is crucial but follows the activation of an alternative site to minimize downtime. Contacting emergency services (B) is part of crisis management but not directly related to continuity of operations. Informing customers (D) is important for communication but does not directly address business continuity and should follow the activation of backup systems.
9. When implementing an MDM solution for a BYOD environment, which of the following measures is essential to ensure compliance with corporate security policies? A. Restricting personal device features B. Mandating regular security training C. Applying device compliance checks D. Enforcing device encryption only for corporate apps
C. Applying device compliance checks Device compliance checks (C) ensure that BYOD devices adhere to corporate security standards, such as up-to-date software and security patches, which is crucial for maintaining security. Restricting personal features (A) is impractical for BYOD and can reduce user acceptance. While regular security training (B) is important, it does not directly enforce compliance. Device encryption limited to corporate apps (D) is insufficient as it may leave other areas of the device vulnerable.
13. During a forensic investigation in a company, a security professional discovers that key evidence is located on a server in another country. To legally obtain this evidence, which action is most appropriate? A. Sending an informal request to the server's administrator B. Using a hacking tool to access the server remotely C. Applying for a Mutual Legal Assistance Treaty (MLAT) D. Requesting assistance from a local law enforcement agency
C. Applying for a Mutual Legal Assistance Treaty (MLAT) A Mutual Legal Assistance Treaty (MLAT) (C) provides a formal mechanism for obtaining evidence from another country, ensuring legal compliance and admissibility in court. Sending an informal request (A) does not guarantee legal compliance or evidence admissibility. Using a hacking tool (B) is illegal and unethical. Requesting assistance from a local law enforcement agency (D) is helpful but may not have jurisdiction over international matters. Thus, applying for an MLAT (C) is the appropriate action.
37. A company needs a remote access solution for its sales team that travels frequently. The solution must be secure and provide full access to internal applications. Which solution is most appropriate? A. Site-to-site VPN B. Thin client access C. Client-to-site VPN D. Secure Shell (SSH)
C. Client-to-site VPN The most appropriate solution for a frequently traveling sales team requiring secure and full access to internal applications is a client-to-site VPN. This allows individual remote users to securely connect to the corporate network and access internal resources as if they were on-site. Option A, a site-to-site VPN, connects different office networks and is not suitable for individual remote users. Option B, thin client access, would require a persistent connection to a server, which may not be feasible for traveling employees who need access to a wide range of applications. Option D, Secure Shell (SSH), is primarily used for secure command-line access to servers and does not provide comprehensive access to internal applications. Therefore, a client-to-site VPN is the ideal solution.
42. A company wants to minimize the risk of former employees accessing sensitive data after they leave. What is an essential step in the de-provisioning process to achieve this? A. Update security policies B. Perform a network assessment C. Deactivate user accounts and revoke access D. Review access logs regularly
C. Deactivate user accounts and revoke access The correct answer is C. Deactivating user accounts and revoking access is essential in the de-provisioning process to ensure former employees cannot access sensitive data after leaving the company (C). Updating security policies (A) is important for governance but does not directly remove access. Performing a network assessment (B) helps identify vulnerabilities but does not de-provision users. Reviewing access logs regularly (D) is good for monitoring but does not actively remove access.
92. A company's marketing department is using a new content management system where each user needs the ability to set access permissions for the content they create. The system should allow content creators to determine who can read or edit their content. Which access control model is appropriate for this scenario? A. Mandatory Access Control (MAC) B. Role-Based Access Control (RBAC) C. Discretionary Access Control (DAC) D. Rule-Based Access Control
C. Discretionary Access Control (DAC) The correct answer is C, Discretionary Access Control (DAC), because DAC allows the content creators to set access permissions for their content, giving them the flexibility to decide who can read or edit their work. Option A, Mandatory Access Control (MAC), is incorrect because it uses a strict policy-based system that would not allow individual discretion. Option B, Role-Based Access Control (RBAC), is incorrect because it manages access based on user roles, which might not provide the granularity needed for individual content control. Option D, Rule-Based Access Control, is incorrect because it enforces access based on rules rather than user discretion.
96. An organization's network security monitoring system has detected unusual traffic patterns indicative of a possible data exfiltration attempt. Which of the following steps should be taken first to analyze and escalate the incident? A. Isolate the affected system from the network B. Notify senior management immediately C. Gather and review relevant logs to understand the scope of the incident D. Inform all employees about the potential security breach
C. Gather and review relevant logs to understand the scope of the incident Gathering and reviewing relevant logs (C) is critical to analyze the extent and nature of the incident, which is essential for an effective response. Isolating the affected system (A) is important but should be based on initial analysis. Notifying senior management (B) and informing all employees (D) are part of the escalation and communication plan but should occur after preliminary analysis to provide accurate information.
65. An organization wants to ensure maximum security for stored passwords. Which of the following practices should they adopt for salting? A. Use a globally unique salt for each user. B. Use a short, fixed-length salt for all passwords. C. Generate a new random salt for each password update. D. Use the same salt for each user's password.
C. Generate a new random salt for each password update. Generating a new random salt for each password update ensures that even if a password remains the same, the resulting hash changes, thus enhancing security (C). Using a globally unique salt for each user (A) is not sufficient because it does not change with password updates. Using a short, fixed-length salt (B) can reduce security as longer, more random salts provide better protection against attacks. Using the same salt for each user (D) does not prevent attackers from using precomputed hash tables and significantly reduces the effectiveness of the salt.
60. A company's cloud service provider offers several options for disaster recovery. They need to ensure their critical applications remain available in the event of a primary data center failure. Which disaster recovery option should they choose? A. Cold Site B. Warm Site C. Hot Site D. Data Archiving
C. Hot Site The company should choose a Hot Site (C) for disaster recovery to ensure their critical applications remain available in the event of a primary data center failure. A hot site is a fully operational, redundant setup that can take over immediately in case of a disaster, ensuring minimal downtime and business continuity. A Cold Site (A) has basic infrastructure but lacks immediate operational capability, resulting in longer recovery times. A Warm Site (B) is partially equipped and requires some setup, leading to moderate recovery times. Data Archiving (D) focuses on long-term storage of data and is not suitable for disaster recovery of critical applications.
82. An organization's primary data center is compromised, and they must shift operations to an interim processing strategy. Which of the following ensures continuity with minimal disruption and no loss of transaction data? A. Cold site B. Reciprocal agreement C. Hot site D. Cloud-based services
C. Hot site The correct answer is C. A hot site ensures continuity with minimal disruption and no loss of transaction data because it maintains an up-to-date mirror of the primary data center. A cold site (A) lacks immediate resources for operation and would cause significant delays. A reciprocal agreement (B) relies on mutual arrangements which may not guarantee the immediate availability of resources. Cloud-based services (D) can also be an effective solution but might involve complexities related to data synchronization and security.
98. An organization is transitioning from an on-premises infrastructure to a cloud environment. They are concerned about data privacy and want to maintain control over their data while still leveraging cloud services. Which deployment model should they choose to best meet their needs? A. Public Cloud B. Private Cloud C. Hybrid Cloud D. Community Cloud
C. Hybrid Cloud The Hybrid Cloud model (C) combines both on-premises infrastructure (private cloud) and public cloud resources, allowing organizations to maintain control over their data while still leveraging the scalability and cost benefits of public cloud services. This model is ideal for organizations with concerns about data privacy and security, as it allows sensitive data to be kept in a private environment while using public cloud for less sensitive applications. The Public Cloud (A) is not suitable for organizations that want to maintain control over their data because it involves sharing resources with other users, which can increase security risks. The Private Cloud (B) offers full control over data but may not provide the same cost savings or flexibility as hybrid models. The Community Cloud (D) involves sharing infrastructure with other organizations with similar requirements, which may not meet the specific needs for control and privacy of a single organization.
75. In an effort to enhance security and performance, a medium-sized company wants to implement a network model that supports both centralized resource management and direct peer-to-peer file sharing. Which network relationship would be most appropriate? A. Peer-to-peer (P2P) B. Client-server C. Hybrid network D. Distributed network
C. Hybrid network A Hybrid network (C) is most appropriate for a medium-sized company looking to balance centralized resource management with direct peer-to-peer file sharing. This model combines the centralized control of client-server networks with the flexibility of peer-to-peer communication. A Peer-to-peer (P2P) (A) network alone lacks centralized management. The Client-server (B) model does not support direct peer-to-peer file sharing. A Distributed network (D) emphasizes resource distribution across multiple locations but does not specifically address the combination of centralized control and peer-to-peer sharing.
3. During a security audit, it was discovered that sensitive company data has been accessed and copied by an employee without proper authorization. What type of malicious activity does this represent? A. Zero-day exploit B. Web-based attack C. Insider threat D. Distributed Denial of Service (DDoS)
C. Insider threat The scenario describes an employee accessing and copying sensitive data without authorization, which is indicative of an insider threat (C). Insider threats involve malicious activities performed by individuals within the organization who have access to sensitive data and systems. A zero-day exploit (A) takes advantage of vulnerabilities that are not yet known to the software vendor, but it does not typically involve authorized access by employees. A web-based attack (B) targets web applications and services from outside the organization. Distributed Denial of Service (DDoS) (D) attacks aim to disrupt services by overwhelming them with traffic but do not involve unauthorized access to sensitive data.
93. A government agency requires a security model where access to classified documents is controlled strictly based on the user's clearance level. Users should be unable to grant or revoke access to documents themselves. Which access control method is most suitable for this scenario? A. Discretionary Access Control (DAC) B. Role-Based Access Control (RBAC) C. Mandatory Access Control (MAC) D. Rule-Based Access Control
C. Mandatory Access Control (MAC) The correct answer is C, Mandatory Access Control (MAC), because MAC enforces access control policies based on security classifications that cannot be altered by individual users. This ensures that only users with the appropriate clearance can access classified documents, and users do not have the ability to change these access permissions. Option A, Discretionary Access Control (DAC), is incorrect as it allows users to control access to their own data, which could lead to security policy violations. Option B, Role-Based Access Control (RBAC), is incorrect because it assigns access based on user roles, which is not as rigid or secure as MAC for handling classified information. Option D, Rule-Based Access Control, is incorrect as it is more flexible and can be used to implement various policies but does not inherently provide the strict classification control required by MAC.
11. After identifying a set of critical vulnerabilities in their network, an organization decides to document these along with their potential impact and mitigation strategies. Which tool would they use to maintain visibility and track the status of these vulnerabilities? A. Incident response plan B. Security policy C. Risk register D. Threat intelligence report
C. Risk register A risk register is specifically designed to document risks, including vulnerabilities, their potential impact, and mitigation strategies, and to track their status over time. An incident response plan (A) is focused on handling security incidents rather than tracking vulnerabilities. A security policy (B) sets out the rules and guidelines for securing an organization but does not track specific risks. A threat intelligence report (D) provides information on potential threats but does not track the management of vulnerabilities.
79. In the acquisition phase of data management, what is the key consideration for selecting a third-party data service provider? A. The provider's geographical location. B. The cost of the service compared to competitors. C. The provider's data encryption standards. D. The speed of data access provided by the service.
C. The provider's data encryption standards. The provider's data encryption standards (C) are critical to ensure that sensitive data is protected during transit and at rest, which is essential for maintaining data security. The provider's geographical location (A) may affect legal and compliance considerations but is not directly related to security. The cost of the service (B) is important for budget considerations but does not guarantee security. The speed of data access (D) affects performance but does not ensure the security of the data.
41. A financial institution must comply with Payment Card Industry Data Security Standards (PCI-DSS) to protect cardholder data. Which cryptographic practice is required by PCI-DSS for transmitting cardholder data over public networks? A. Hashing with SHA-256 B. Encrypting data using a symmetric key C. Using SSL/TLS for encryption D. Implementing digital signatures
C. Using SSL/TLS for encryption PCI-DSS mandates the use of strong encryption, such as SSL/TLS (C), to protect cardholder data during transmission over public networks. SSL/TLS provides encryption that ensures confidentiality and integrity of the transmitted data. Hashing with SHA-256 (A) provides integrity checks but does not encrypt data for secure transmission. Symmetric key encryption (B) could protect data but requires a secure method for key exchange and is typically used for data at rest. Digital signatures (D) are used for verifying authenticity and integrity but are not specifically required for encrypting data in transit under PCI-DSS.
84. An organization is required to retain security logs for a specific period to comply with regulatory requirements. Which log management practice would best ensure compliance and facilitate future log reviews? A. Archiving old logs on removable media and storing them off-site B. Implementing a log rotation policy to manage log file size C. Using a log retention policy that specifies the retention duration D. Encrypting all logs and storing them in a secure location
C. Using a log retention policy that specifies the retention duration Using a log retention policy that specifies the retention duration (C) is essential for ensuring compliance with regulatory requirements as it clearly defines how long logs should be retained and facilitates future log reviews by maintaining logs for the necessary period. Archiving old logs on removable media and storing them off-site (A) can aid in disaster recovery but does not inherently ensure compliance with retention requirements. Implementing a log rotation policy to manage log file size (B) helps in log management but does not address retention requirements directly. Encrypting all logs and storing them in a secure location (D) protects log confidentiality but is not directly related to retention compliance.
70. A network administrator notices that the Intrusion Detection System (IDS) is generating a large number of alerts, many of which are false positives. What is the best action to take to improve the efficiency of the IDS? A. Increase the threshold for alert generation to reduce false positives. B. Turn off the IDS to avoid unnecessary alerts. C. Ignore the alerts as they are likely non-critical. D. Analyze and tune the detection rules to better distinguish between legitimate and malicious traffic.
D. Analyze and tune the detection rules to better distinguish between legitimate and malicious traffic. Analyzing and tuning the detection rules (D) allows the IDS to better differentiate between legitimate and malicious traffic, reducing the number of false positives while maintaining security. Increasing the threshold for alert generation (A) may reduce false positives but could also allow real threats to go undetected. Turning off the IDS (B) leaves the network without crucial monitoring capabilities. Ignoring the alerts (C) can lead to missing actual security incidents, which is not a responsible approach.
63. You are configuring a firewall to block a specific type of traffic. Which layer of the OSI model should you configure the firewall to inspect if you want to block HTTP traffic? A. Physical layer B. Data link layer C. Transport layer D. Application layer
D. Application layer HTTP traffic operates at the Application layer (D), so configuring the firewall to inspect and block traffic at this layer would be the most effective. The Physical layer (A) deals with the actual hardware transmission and cannot block specific types of traffic. The Data link layer (B) handles node-to-node data transfers and is not specific to types of application traffic. The Transport layer (C) manages the transmission of data packets between hosts but does not handle specific application protocols like HTTP.
69. A financial services firm needs to ensure the integrity of its transaction logs over time. What is the best hashing practice they should implement to detect any unauthorized changes? A. Use the same hash algorithm with a static salt for all logs. B. Use a different hash algorithm for each log file. C. Append a timestamp to each log entry and hash the entire log periodically. D. Apply hashing to each log entry individually and then hash the concatenated entries at regular intervals.
D. Apply hashing to each log entry individually and then hash the concatenated entries at regular intervals. Hashing each log entry individually ensures that any change to a single entry can be detected (D). Hashing the concatenated entries periodically provides an additional layer of integrity checking, helping to identify if any entries have been tampered with after the fact. Using the same hash algorithm with a static salt for all logs (A) does not provide individual entry integrity and a static salt can be vulnerable. Using different hash algorithms for each log file (B) is not necessary and does not add significant security benefits. Appending a timestamp to each log and hashing periodically (C) ensures integrity over time but does not provide granular detection of changes at the individual entry level.
16. An organization has deployed HIPS on all its servers to prevent malware attacks. The security team notices an increase in false positives. What is the most appropriate action to address this issue while maintaining robust security? A. Disable the HIPS feature responsible for the false positives. B. Adjust the sensitivity levels of HIPS to reduce false positives. C. Remove HIPS from the servers and rely on antivirus software. D. Conduct a thorough review and tune the HIPS rule sets.
D. Conduct a thorough review and tune the HIPS rule sets. Reviewing and tuning HIPS rule sets (D) helps to refine the system's detection capabilities, reducing false positives while maintaining security. Disabling features (A) compromises security by potentially allowing threats. Adjusting sensitivity levels (B) can be part of tuning but alone might reduce overall effectiveness. Removing HIPS (C) entirely in favor of antivirus reduces layered security and is not advisable.
78. In a scenario where a company needs to verify that a received financial report is both from a trusted source and has not been altered, which cryptographic tool should they employ? A. Symmetric Key Encryption B. Data Masking C. Hash Functions D. Digital Signatures
D. Digital Signatures Digital signatures (D) are the appropriate cryptographic tool for verifying that a received financial report is from a trusted source (authenticity) and has not been altered (integrity). They provide a means to confirm both the origin and the unchanged nature of the report. Symmetric key encryption (A) focuses on data confidentiality and does not provide integrity or authenticity. Data masking (B) hides data content but does not verify authenticity or integrity. Hash functions (C) can ensure data integrity by generating a hash value but do not verify the authenticity of the source.
86. A company's web server was compromised due to outdated software that had known vulnerabilities. To prevent future attacks, what action should the company prioritize? A. User awareness training B. Data Loss Prevention (DLP) C. System hardening D. Patching
D. Patching Patching (D) is the process of updating software to fix known vulnerabilities. By keeping software up-to-date, the company can prevent exploitation of these vulnerabilities, thereby protecting against future attacks. User awareness training (A) is important but does not directly address software vulnerabilities. Data Loss Prevention (DLP) (B) focuses on preventing data leaks rather than securing software. System hardening (C) involves securing systems by reducing their vulnerability surface, but patching specifically addresses known vulnerabilities and is the most relevant countermeasure for this scenario.