CertPreps - SSCP Practice Exam 7
15. A network engineer is configuring a firewall to allow DNS queries from clients to reach the DNS server. Which port must be opened to facilitate these DNS queries?
A. 53
B. 80
C. 123
D. 389
Answer: A. 53
DNS queries use port 53 (A) for both UDP and TCP communication. Opening this port on the firewall will allow DNS queries to reach the DNS server. Port 80 (B) is used for HTTP, which is unrelated to DNS. Port 123 (C) is used for NTP, which is used to synchronize time across systems. Port 389 (D) is used for LDAP, which is used for directory services.

37. After detecting an advanced persistent threat (APT) within their network, an organization's response team must act quickly. Which containment measure is most appropriate for limiting the APT's activity?
A. Block the IP addresses associated with the threat
B. Reboot all affected systems to remove the threat
C. Inform external partners and stakeholders
D. Initiate a complete system restore
Answer: A. Block the IP addresses associated with the threat
Blocking the IP addresses associated with the threat (A) helps to cut off the APT's external communication, which is critical for containment. Rebooting systems (B) and initiating a system restore (D) are part of recovery and remediation, not immediate containment. Informing external partners (C) is necessary but follows containment.

21. An organization wants to restrict the installation of unapproved applications on mobile devices used by employees. How can MAM help achieve this?
A. By enforcing a whitelist of approved applications
B. By disabling access to app stores completely
C. By mandating full-disk encryption on all devices
D. By setting complex password requirements for device access
Answer: A. By enforcing a whitelist of approved applications
MAM allows administrators to enforce a whitelist (A) of approved applications, ensuring that only these apps can be installed and used on devices, thereby preventing the installation of unapproved applications. Disabling app store access (B) is too restrictive and not a practical solution for allowing necessary updates and downloads. Full-disk encryption (C) is a security measure unrelated to app installation. Setting complex password requirements (D) focuses on device access security, not application control.

24. As part of the vulnerability management lifecycle, an organization needs to ensure that vulnerabilities are effectively addressed. Which step is essential for confirming that remediation efforts were successful?
A. Conducting a follow-up vulnerability scan.
B. Training staff on new security procedures.
C. Reviewing recent security incidents.
D. Documenting the vulnerabilities and remediation actions.
Answer: A. Conducting a follow-up vulnerability scan.
Conducting a follow-up vulnerability scan (A) is essential for confirming that remediation efforts were successful. This verifies that the vulnerabilities have been effectively mitigated. Training staff on new security procedures (B) is important but not directly related to verifying remediation success. Reviewing recent security incidents (C) helps understand past vulnerabilities but does not confirm current remediation. Documenting the vulnerabilities and remediation actions (D) is necessary for record-keeping but does not verify the effectiveness of remediation.

71. After a significant data breach, the IT team conducts a post-incident review to gather lessons learned. Which of the following actions should be prioritized to improve future incident response?
A. Conducting a root cause analysis and updating incident response plans
B. Implementing new encryption algorithms for all data
C. Purchasing additional cybersecurity insurance
D. Expanding the team to include more security analysts
Answer: A. Conducting a root cause analysis and updating incident response plans
Conducting a root cause analysis and updating incident response plans (A) is crucial for identifying weaknesses in the existing response process and ensuring that future incidents are handled more effectively. Implementing new encryption algorithms (B) is an important security measure but does not directly address the incident response process. Purchasing cybersecurity insurance (C) and expanding the team (D) can provide additional support but do not contribute to improving the immediate incident response capabilities.

90. A company is planning to move its services to a cloud provider. To avoid vendor lock-in and ensure future flexibility, which factor should they prioritize in their SLA with the cloud provider?
A. Data Portability
B. Disaster Recovery
C. Data Encryption
D. Network Uptime
Answer: A. Data Portability
The company should prioritize Data Portability (A) in their SLA to avoid vendor lock-in and ensure future flexibility. Data portability ensures that the company can easily transfer its data to another provider or system if necessary, facilitating smooth transitions and reducing dependence on a single vendor. Disaster Recovery (B) focuses on the ability to recover data and services in the event of a disaster but does not address vendor lock-in. Data Encryption (C) is critical for security but does not impact the ability to move data between providers. Network Uptime (D) ensures continuous service availability but does not facilitate data migration or portability.

80. An organization wants to ensure the confidentiality of its archived customer records stored in the cloud. Which of the following methods is the most appropriate to achieve this?
A. Encrypting the data with a strong, unique key per customer
B. Using a password-protected file storage system
C. Implementing role-based access controls
D. Applying data masking techniques
Answer: A. Encrypting the data with a strong, unique key per customer
Encrypting the data with a strong, unique key per customer (A) ensures that even if one key is compromised, only the data for one customer would be at risk, maintaining a high level of confidentiality for archived records. Password-protected file storage (B) provides minimal security and is susceptible to password theft or brute-force attacks. Role-based access controls (C) manage who can access data but do not protect the data itself if unauthorized access occurs. Data masking (D) is typically used for obscuring data in non-production environments and does not provide actual encryption or confidentiality for the data in storage.

41. As part of incident management preparation, which task should be completed to facilitate a rapid response to security incidents?
A. Establishing an incident classification system
B. Deploying a next-generation firewall
C. Implementing multi-factor authentication across all systems
D. Regularly updating antivirus software
Answer: A. Establishing an incident classification system
Establishing an incident classification system (A) is critical in the preparation phase because it allows the organization to categorize incidents by severity and type, enabling a more tailored and efficient response. Deploying firewalls (B) and implementing multi-factor authentication (C) are preventive measures, while updating antivirus software (D) is essential for ongoing protection but not specifically for incident preparation.

55. During a risk management review, an organization decides to adopt a framework that includes guidelines for establishing a risk management process, with a focus on information security. Which framework best fits this requirement?
A. ISO/IEC 27001
B. NIST SP 800-30
C. COBIT 5
D. ISO 31000
Answer: A. ISO/IEC 27001
ISO/IEC 27001 (A) includes guidelines for establishing, implementing, maintaining, and continually improving an information security management system, which covers the risk management process related to information security. NIST SP 800-30 (B) provides a guide for conducting risk assessments but not a full framework. COBIT 5 (C) is for IT governance. ISO 31000 (D) provides a broader risk management framework, not specifically focused on information security.

99. Which of the following is the most effective measure to ensure the availability of data in the event of hardware failure?
A. Implementing RAID (Redundant Array of Independent Disks)
B. Conducting regular vulnerability assessments
C. Using full disk encryption
D. Enforcing strong password policies
Answer: A. Implementing RAID (Redundant Array of Independent Disks)
Implementing RAID (Redundant Array of Independent Disks) (A) is the most effective measure to ensure the availability of data in the event of hardware failure. RAID configurations use multiple disks to provide data redundancy and fault tolerance, ensuring that data remains accessible even if one disk fails. Conducting regular vulnerability assessments (B) enhances security but does not address data availability. Using full disk encryption (C) protects data confidentiality but does not ensure availability. Enforcing strong password policies (D) strengthens access control but does not impact hardware redundancy.

79. A network security engineer is tasked with ensuring that a newly added firewall does not become a bottleneck in a high-traffic e-commerce network. What is the most appropriate logical placement for the firewall to balance performance and security?
A. Inline, in front of the web server farm
B. Passive, connected to a mirrored port of the web server farm switch
C. Inline, between the application server and the database server
D. Passive, monitoring the traffic between the application and database servers
Answer: A. Inline, in front of the web server farm
Placing the firewall inline in front of the web server farm (A) ensures that incoming traffic is inspected and filtered before reaching critical systems, which balances performance with security. Passive monitoring (B) does not actively filter traffic. Inline placement between the application and database servers (C) could create a bottleneck, and passive monitoring there (D) would not actively protect against threats.

54. An organization is concerned about the physical security of its network devices. What measure should be taken to protect these devices from unauthorized physical access?
A. Install network devices in a locked, restricted-access area
B. Use default configurations to prevent tampering
C. Enable remote access for all users to reduce physical visits
D. Place network devices in common areas for easier monitoring
Answer: A. Install network devices in a locked, restricted-access area
Installing network devices in a locked, restricted-access area (A) helps prevent unauthorized physical access and tampering, thereby enhancing security. Using default configurations (B) is insecure and can be easily exploited. Enabling remote access for all users (C) increases the risk of unauthorized access. Placing devices in common areas (D) exposes them to potential physical tampering and theft.

85. A company is concerned about the security of its critical systems and decides to segregate these systems from the rest of the network to prevent unauthorized access. What is the best countermeasure to achieve this?
A. Isolation
B. Patching
C. User awareness training
D. Data Loss Prevention (DLP)
Answer: A. Isolation
Isolation (A) involves segregating critical systems from the main network to prevent unauthorized access and limit the impact of potential security breaches. This helps ensure that sensitive systems are protected from unauthorized access and threats originating from other parts of the network. Patching (B) fixes software vulnerabilities but does not segregate systems. User awareness training (C) educates users on security practices but does not involve network architecture changes. Data Loss Prevention (DLP) (D) controls data movement but does not address network isolation.

3. An organization's network is experiencing unexpected traffic surges that impact performance. The network is segmented by several switches. What is the most effective way to identify and manage the source of the traffic?
A. Monitor the network traffic using port mirroring on the switches.
B. Increase the bandwidth of the network links.
C. Configure static IP addresses for all devices.
D. Disable unused ports on the switches.
Answer: A. Monitor the network traffic using port mirroring on the switches.
Monitoring the network traffic using port mirroring on the switches (A) allows the identification and analysis of traffic patterns to pinpoint the source of the surges. Increasing bandwidth (B) may alleviate the symptoms but does not address the root cause. Configuring static IP addresses (C) does not directly help in identifying traffic sources. Disabling unused ports (D) is a good security practice but does not aid in traffic analysis.

58. In the context of virtual environments, which measure is crucial for ensuring resilience against software vulnerabilities?
A. Regularly apply patches and updates to all virtual machines
B. Increase the security of the physical data center
C. Maintain a single version of all software to reduce compatibility issues
D. Limit the number of virtual machines to reduce management overhead
Answer: A. Regularly apply patches and updates to all virtual machines
Regularly applying patches and updates to all virtual machines (A) is crucial for resilience against software vulnerabilities. This practice ensures that known security issues are addressed promptly, reducing the risk of exploitation. Increasing physical data center security (B) is important but does not directly address software vulnerabilities. Maintaining a single version of software (C) can simplify management but may prevent the use of necessary security updates. Limiting the number of virtual machines (D) might reduce complexity but does not impact the security of the software environment.

62. During a security review, it was found that container images used in a development environment contain vulnerabilities. What is the recommended course of action?
A. Scan and update the container images to mitigate vulnerabilities
B. Continue using the current images to avoid disruption
C. Increase monitoring of container activity
D. Migrate the containers to a different hosting provider
Answer: A. Scan and update the container images to mitigate vulnerabilities
Scanning and updating the container images to mitigate vulnerabilities (A) is the recommended course of action to ensure that the images are secure and do not pose a risk to the environment. Continuing to use the current images (B) leaves the environment exposed to potential exploits. Increasing monitoring (C) is useful but does not address the root cause of the vulnerabilities. Migrating to a different hosting provider (D) does not resolve the issues within the container images themselves.

61. To ensure ongoing compliance with industry regulations, an organization decides to implement a monitoring process. Which action is essential to effectively monitor compliance over time?
A. Setting up regular compliance reviews
B. Installing additional firewalls
C. Conducting staff performance evaluations
D. Expanding the physical security perimeter
Answer: A. Setting up regular compliance reviews
Setting up regular compliance reviews (A) is essential for effectively monitoring compliance with industry regulations over time. These reviews help identify any deviations from compliance standards and allow the organization to address them promptly. Installing additional firewalls (B) enhances network security but does not specifically monitor compliance. Conducting staff performance evaluations (C) assesses individual performance but not compliance. Expanding the physical security perimeter (D) improves physical security but does not directly relate to ongoing compliance monitoring.

86. During routine log analysis, a security analyst identifies a series of events indicating that a privileged account was accessed outside of normal working hours. This event data shows the use of the account for unusual activities. What should be the immediate action taken by the analyst?
A. Temporarily disable the account to prevent further access.
B. Notify the account owner to confirm recent activities.
C. Change the account password and notify the user.
D. Document the events and continue monitoring.
Answer: A. Temporarily disable the account to prevent further access.
Temporarily disabling the account (A) helps to prevent any potential unauthorized access or misuse while further investigation is conducted. Notifying the account owner (B) is important but secondary to securing the account. Changing the password (C) may not be sufficient if the account is already compromised. Documenting the events (D) is necessary but should be done after taking immediate action to prevent further unauthorized access.

46. An IT manager is tasked with ensuring that logs from various servers are collected and reviewed regularly. Which of the following would be the most effective approach to streamline this process?
A. Using a centralized log management solution
B. Manually reviewing logs from each server daily
C. Implementing a log retention policy
D. Setting up a network share for log files
Answer: A. Using a centralized log management solution
Using a centralized log management solution (A) is the most effective approach to streamline the collection and review of logs from various servers, as it automates log collection and consolidation and provides a single interface for reviewing and analyzing logs. Manually reviewing logs from each server daily (B) is labor-intensive and impractical for larger environments. Implementing a log retention policy (C) ensures logs are kept for the required period but does not address the efficiency of log collection and review. Setting up a network share for log files (D) centralizes storage but lacks the automated features of a dedicated log management solution.

44. A security analyst needs to ensure that the virtual machines in a data center remain secure and isolated from one another. They are particularly concerned about preventing malicious code from escaping one VM to affect others. What hypervisor feature is critical for maintaining this level of security?
A. VM Escape Prevention
B. Hypervisor-based Firewall
C. Memory Ballooning
D. Live Migration
Answer: A. VM Escape Prevention
VM Escape Prevention (A) is a critical hypervisor feature for maintaining the security and isolation of virtual machines. It ensures that malicious code running inside one VM cannot escape to the hypervisor or other VMs, thereby maintaining the security boundary between VMs. Hypervisor-based Firewalls (B) provide network security but do not address the issue of VM isolation. Memory Ballooning (C) is a resource management feature that helps allocate memory dynamically among VMs but is not related to security isolation. Live Migration (D) allows VMs to be moved between physical hosts without downtime, which is useful for maintenance and load balancing but does not contribute to security isolation.

100. An incident responder notices unusual outbound connections from a workstation. What should be the next step to support the detection, analysis, and escalation of this incident?
A. Block the workstation's IP address on the firewall
B. Analyze the outbound traffic for data patterns and destinations
C. Shut down the workstation to stop further activity
D. Report the activity to upper management
Answer: B. Analyze the outbound traffic for data patterns and destinations
Analyzing the outbound traffic (B) helps to identify the nature of the suspicious activity and its potential impact. Blocking the IP address (A) and shutting down the workstation (C) are reactive measures that may hinder further analysis. Reporting to upper management (D) is part of escalation but should follow a detailed analysis to provide complete information.

12. An organization is reviewing its risk tolerance levels for data breaches. If they have a high risk tolerance, what is the most likely action they would take in response to identified risks?
A. Implementing strict access controls
B. Accepting the risks without additional measures
C. Conducting frequent risk assessments
D. Increasing security budget significantly
Answer: B. Accepting the risks without additional measures
If an organization has a high risk tolerance, it is likely to accept identified risks without implementing additional measures (B). Implementing strict access controls (A), conducting frequent risk assessments (C), and increasing the security budget significantly (D) are actions associated with a lower risk tolerance and proactive risk management.

5. An employee's system is configured with application whitelisting. The employee needs to run a new software tool for a critical project. What is the best course of action to enable the employee to use the tool while maintaining security?
A. Disable the application whitelisting permanently.
B. Add the software tool to the whitelist after verifying its legitimacy.
C. Advise the employee to run the tool on an unprotected system.
D. Instruct the employee to use a similar tool that is already whitelisted.
Answer: B. Add the software tool to the whitelist after verifying its legitimacy.
Adding the software tool to the whitelist after verifying its legitimacy (B) allows the employee to use the necessary tool while ensuring that only trusted software is run on the system. Disabling whitelisting permanently (A) compromises security. Advising the employee to use an unprotected system (C) is not secure and does not solve the problem. Instructing the employee to use a similar tool (D) might not meet the specific needs of the critical project.

91. After a major software update, an organization experiences configuration drift, where some systems deviate from the standard configurations. What configuration management practice should be implemented to detect and correct such issues?
A. Perform regular manual inspections of all systems.
B. Automate configuration monitoring and enforcement.
C. Rely on user reports to identify configuration issues.
D. Schedule yearly configuration reviews.
Answer: B. Automate configuration monitoring and enforcement.
Automating configuration monitoring and enforcement (B) is the best practice to detect and correct configuration drift. This approach allows for continuous monitoring of system configurations and automatic correction of deviations, ensuring compliance with established standards. Regular manual inspections (A) and relying on user reports (C) are less efficient and can miss issues. Yearly reviews (D) are not frequent enough to address configuration drift in a timely manner.

53. An organization has noticed a high volume of traffic from a specific IP address targeting their web server. The traffic appears to be malicious. How should the firewall be configured to handle this situation effectively?
A. Block all incoming traffic to the web server.
B. Block traffic from the specific IP address.
C. Allow traffic only during non-peak hours.
D. Monitor the traffic but take no immediate action.
Answer: B. Block traffic from the specific IP address.
Blocking traffic from the specific IP address (B) effectively mitigates the immediate threat without disrupting legitimate traffic. Blocking all incoming traffic to the web server (A) could deny access to legitimate users. Allowing traffic only during non-peak hours (C) does not address the issue of malicious traffic and could inconvenience legitimate users. Monitoring the traffic without taking immediate action (D) allows the threat to continue unchecked, which is not a proactive approach.

16. During a security audit, you are required to implement a Mobile Device Management (MDM) solution in a corporate environment where employees are allowed to use their own devices. Which provisioning technique would be most appropriate to ensure both corporate data security and user privacy?
A. Corporate Owned, Personally Enabled (COPE)
B. Bring Your Own Device (BYOD)
C. Corporate Owned, Dedicated Device (CODD)
D. Mobile Application Management (MAM)
Answer: B. Bring Your Own Device (BYOD)
BYOD (B) allows employees to use their personal devices for work, promoting flexibility and productivity. It requires robust MDM policies to separate and protect corporate data, often through containerization, ensuring that personal data remains private. COPE (A) involves corporate ownership of devices, allowing personal use, but does not prioritize user privacy as effectively as BYOD. CODD (C) is for devices dedicated solely to work purposes, limiting personal use and not fitting the BYOD scenario. MAM (D) focuses on managing specific applications, which is narrower than the comprehensive approach needed for device management in BYOD.

63. During a security audit, a company identifies the need to monitor user activities on its network. Which type of control would most effectively achieve this objective?
A. Preventive control
B. Detective control
C. Compensating control
D. Deterrent control
Answer: B. Detective control
To effectively monitor user activities on a network, a detective control (B) is required. This type of control, such as network monitoring tools or log analysis, identifies and reports on user behavior and potential security incidents. Preventive control (A) aims to prevent incidents, such as access controls or firewalls, rather than monitor activities. Compensating control (C) provides alternative security measures when primary controls are insufficient. Deterrent control (D) aims to discourage unwanted behavior but does not actively monitor or detect activities, which is the key requirement here.

49. An organization wants to ensure that users cannot deny having sent or signed a particular message. Which technology should they implement to achieve non-repudiation for electronic documents? A. Symmetric encryption B. Digital signatures C. Plaintext email confirmations D. Password-protected documents
B. Digital signatures Digital signatures provide a robust method for ensuring non-repudiation by allowing verification that a specific individual has signed a document and ensuring that the document has not been altered after signing (B). Symmetric encryption (A) does not offer non-repudiation as it uses the same key for both encryption and decryption, which can be shared among multiple users. Plaintext email confirmations (C) are not secure and can be easily manipulated. Password-protected documents (D) secure access but do not provide a way to verify the sender's identity or prevent denial of having sent the document.
40. To ensure compliance with security policies, a company needs to regularly update user access based on job role changes. Which of the following is the most effective method for maintaining up-to-date access control?
A. Password rotation policy
B. Dynamic role assignment
C. Multifactor authentication
D. User activity monitoring
Answer: B. Dynamic role assignment
Dynamic role assignment (B) is an effective method for maintaining up-to-date access control by automatically adjusting user access rights based on real-time changes in job roles and responsibilities, ensuring that permissions are always aligned with the current roles. Password rotation policy (A) focuses on changing passwords regularly but does not address role-based access. Multifactor authentication (C) enhances security but does not maintain access control based on roles. User activity monitoring (D) helps detect anomalies but does not maintain access control.

87. In the context of MDM, which of the following is a critical measure to ensure that corporate data stored on employee mobile devices is protected?
A. Installing antivirus software
B. Enforcing device-level encryption
C. Limiting the use of mobile applications
D. Setting up remote data backup
Answer: B. Enforcing device-level encryption
Device-level encryption (B) is crucial for protecting corporate data stored on mobile devices, ensuring that unauthorized users cannot access the data even if the device is compromised. Installing antivirus software (A) helps to protect against malware but does not specifically protect stored data. Limiting application use (C) is about controlling app behavior, not data protection. Remote data backup (D) ensures data recovery but does not protect the data stored on the device.

10. During a scheduled disaster recovery drill, a company simulates a complete data center failure. Which of the following is the most critical outcome of this exercise?
A. Verifying that all employees know the evacuation routes.
B. Ensuring that the disaster recovery team can restore critical systems within the defined RTO.
C. Confirming that all backup data is encrypted and stored securely.
D. Testing the effectiveness of communication protocols with external stakeholders.
Answer: B. Ensuring that the disaster recovery team can restore critical systems within the defined RTO.
Ensuring that the disaster recovery team can restore critical systems within the defined Recovery Time Objective (RTO) (B) is the primary goal of a disaster recovery drill, as it tests the effectiveness of the disaster recovery plan. Verifying evacuation routes (A) is important for physical safety but not the primary focus of a disaster recovery drill. Confirming that backup data is encrypted and stored securely (C) is a security concern but does not directly test recovery capabilities. Testing communication protocols with external stakeholders (D) is part of overall preparedness but secondary to validating system recovery.

67. In preparing for a pandemic, an organization must ensure that essential functions can continue. Which of the following measures should be included in the business continuity plan?
A. Stockpiling medical supplies and equipment.
B. Establishing telecommuting protocols for critical staff.
C. Creating a task force to monitor health advisories.
D. Implementing on-site medical screening processes.
Answer: B. Establishing telecommuting protocols for critical staff.
Establishing telecommuting protocols for critical staff (B) ensures that essential functions can continue without interruption during a pandemic. Stockpiling medical supplies (A) is important for health safety but does not directly support business operations. Creating a task force (C) is beneficial for staying informed but does not ensure continuity of operations. Implementing on-site screening (D) helps with health monitoring but does not address operational continuity.

29. An organization needs to ensure that an intern can only access specific training materials and not sensitive company data. Which entitlement management step is critical to achieve this?
A. Assign the intern a unique username and password
B. Grant the intern access to a predefined set of resources
C. Enable biometric authentication for the intern
D. Set up an email account for the intern
Answer: B. Grant the intern access to a predefined set of resources
Granting the intern access to a predefined set of resources (B) ensures they receive the correct entitlements for their role, limiting their access to only the training materials and preventing access to sensitive company data. Assigning a unique username and password (A) is necessary for authentication but does not control entitlements. Enabling biometric authentication (C) enhances security but does not address resource-specific access. Setting up an email account (D) is part of the onboarding process but does not manage access to specific resources.

69. During the initiation phase of data asset management, what is an essential task to perform?
A. Creating a data backup schedule.
B. Identifying data owners and stewards.
C. Implementing data encryption.
D. Conducting regular data audits.
Answer: B. Identifying data owners and stewards.
Identifying data owners and stewards (B) is essential in the initiation phase to establish accountability and ensure proper management throughout the data lifecycle. Creating a data backup schedule (A) is typically addressed in the planning or maintenance phases. Implementing data encryption (C) is a critical security measure that would be more relevant during the design or deployment phases. Conducting regular data audits (D) is an ongoing activity crucial for the maintenance phase, not the initiation phase.

20. An e-commerce company is assessing the impact of a potential Distributed Denial of Service (DDoS) attack on its online platform. What aspect of risk management are they addressing? A. Threat identification B. Impact assessment C. Risk monitoring D. Vulnerability mitigation
B. Impact assessment An impact assessment (B) evaluates the potential consequences and severity of a threat, such as a DDoS attack, on the company's operations, which is crucial for understanding potential damages. Threat identification (A) involves recognizing potential threats, not assessing their impact. Risk monitoring (C) is for ongoing tracking of risks. Vulnerability mitigation (D) focuses on reducing vulnerabilities rather than assessing impacts.
33. You are a security analyst tasked with assessing the physical security of your company's data center. During the assessment, you notice that the visitor logs are manually recorded and not consistently maintained. What is the most effective course of action to enhance the tracking of visitor access to the data center? A. Install a biometric access control system. B. Implement an automated badge system for visitor tracking. C. Place surveillance cameras at all entry and exit points. D. Conduct periodic training for the security personnel on proper log maintenance.
B. Implement an automated badge system for visitor tracking. Implementing an automated badge system for visitor tracking (B) is the most effective course of action as it ensures a reliable, automated method for recording visitor access, which enhances security and auditing capabilities. This system can automatically log entries and exits, reducing the possibility of human error and inconsistencies. Installing a biometric access control system (A) is more suitable for regular staff and not specifically for tracking visitors. Surveillance cameras (C) are crucial for monitoring, but they do not directly address the issue of tracking visitor access. Periodic training (D) is important for overall security, but it does not solve the problem of inconsistent log maintenance as effectively as an automated system.
48. A security administrator at a financial institution needs to ensure that only authorized employees can access customer financial data through the organization's intranet portal. What is the most appropriate method to implement to ensure that access rights are properly enforced? A. Enforce multifactor authentication. B. Implement role-based access control. C. Use a simple password policy. D. Apply network segmentation.
B. Implement role-based access control. The correct answer is B. Implementing role-based access control (RBAC) ensures that only authorized employees can access specific data based on their roles within the organization. This method assigns permissions to roles rather than individual users, simplifying management and improving security (B). Multifactor authentication (A) enhances security by requiring multiple forms of verification but does not manage authorization. A simple password policy (C) focuses on authentication and password management but does not control access rights to specific resources. Network segmentation (D) isolates network traffic to improve security but does not directly manage user access to resources.
72. Jane, a security professional, is called upon to assist in a forensic investigation of a suspected fraud case in a multinational company. She needs to understand which legal framework will most likely guide the investigation process, considering the scope and jurisdictions involved. What should Jane primarily consider? A. Local criminal law B. International treaties C. The company's internal policies D. Administrative regulations
B. International treaties Given the multinational aspect of the case, international treaties (B) are crucial as they govern cross-border legal matters and cooperation. Local criminal law (A) is limited to specific jurisdictions and may not encompass international scope. The company's internal policies (C) are important for internal compliance but do not have legal authority across borders. Administrative regulations (D) typically deal with government agencies' internal processes and are less relevant to multinational fraud cases. Therefore, Jane should focus on international treaties (B).
17. A security analyst is monitoring a dashboard that shows a sudden spike in CPU usage across multiple servers. This metric deviation is visualized with a red alert on the dashboard. What should be the analyst's immediate course of action? A. Increase server capacity to handle the load. B. Investigate the cause of the spike to determine if it's a security issue. C. Restart the affected servers to clear any temporary glitches. D. Ignore the alert if the servers are still operational.
B. Investigate the cause of the spike to determine if it's a security issue. The analyst should immediately investigate the cause of the spike (B) to determine if it's related to a security issue, such as a potential DoS attack or malware. Increasing server capacity (A) might address performance but not the underlying security concern. Restarting servers (C) could temporarily resolve symptoms but not the cause. Ignoring the alert (D) could lead to missing critical security threats.
22. During a security review, an auditor suggests implementing micro-segmentation to improve network security. What is the primary advantage of micro-segmentation in a network environment? A. It creates physical barriers between network segments B. It allows fine-grained control over communication between virtualized resources C. It segregates data and control plane traffic D. It simplifies network configuration and management
B. It allows fine-grained control over communication between virtualized resources Micro-segmentation (B) offers fine-grained control over network traffic, particularly within virtualized environments, enabling specific security policies to be applied to individual workloads or applications. Physical barriers (A) are unrelated to micro-segmentation. Segregating data and control plane traffic (C) pertains to network architecture, not fine-grained control. While it enhances security, micro-segmentation does not necessarily simplify network configuration and management (D).
27. An organization wants to implement a PKI solution that includes a process for securely recovering keys if they are lost or compromised. Which key management practice should be included to support this requirement? A. Key rotation B. Key escrow C. Key exchange D. Key generation
B. Key escrow The correct answer is B. Key escrow involves securely storing keys so that they can be recovered in case they are lost or compromised, ensuring that encrypted data remains accessible. Key rotation (A) focuses on regularly updating keys to limit exposure. Key exchange (C) is about securely sharing keys between parties, not recovering them. Key generation (D) is the process of creating new keys, which does not address the need for key recovery. By implementing key escrow, the organization ensures that it can maintain access to encrypted data even if keys are lost, providing an important safety net for critical information.
77. An organization wants to ensure secure remote access for its employees using VPNs. They need to choose a VPN protocol that provides both data confidentiality and integrity. Which of the following protocols is most suitable for this requirement? A. PPTP B. L2TP/IPsec C. GRE D. SLIP
B. L2TP/IPsec L2TP/IPsec (Layer 2 Tunneling Protocol with Internet Protocol Security) is most suitable for providing secure remote access because it combines the tunneling features of L2TP with the robust security features of IPsec, including encryption for confidentiality and integrity checks. Option A, PPTP (Point-to-Point Tunneling Protocol), offers less security as it has known vulnerabilities and lacks strong encryption. Option C, GRE (Generic Routing Encapsulation), is a tunneling protocol that does not provide encryption or integrity checks. Option D, SLIP (Serial Line Internet Protocol), is an outdated protocol that does not support secure remote access. Thus, L2TP/IPsec is the best choice for secure VPNs, offering both data confidentiality and integrity.
26. An IT administrator needs to migrate several VMs from one hypervisor to another without shutting them down. Which feature is essential for performing this task? A. High availability (HA) configuration B. Live migration or vMotion C. VM snapshot capability D. Hypervisor failover clustering
B. Live migration or vMotion Live migration or vMotion (B) is the essential feature required for moving VMs between hypervisors without downtime. This capability allows the transfer of VM states, memory, and storage while the VMs continue to run, ensuring uninterrupted service. High availability (HA) (A) helps with automated failover in case of host failure but does not support live migration. VM snapshots (C) capture the state of VMs but are not used for migration. Hypervisor failover clustering (D) ensures redundancy and failover but does not inherently provide live migration capabilities.
76. An organization has implemented a system that analyzes user behavior to detect deviations from normal patterns, such as accessing unusual files or logging in from unexpected locations. What technology is most likely being used to achieve this? A. Data encryption B. Machine learning C. Patch management D. Two-factor authentication
B. Machine learning The scenario describes a system that analyzes user behavior to detect deviations from normal patterns, such as accessing unusual files or logging in from unexpected locations, which is indicative of machine learning (B). Machine learning uses algorithms to learn from data and identify patterns, enabling the detection of anomalies in user behavior. Data encryption (A) secures data by converting it into an unreadable format but does not analyze user behavior. Patch management (C) involves updating software to fix vulnerabilities and does not focus on behavior analysis. Two-factor authentication (D) adds an extra layer of security by requiring two forms of verification but does not analyze behavior.
11. A defense contractor is required to implement an access control system that ensures employees can only access documents if they have the appropriate security clearance. Access control policies must be strictly enforced and not subject to user discretion. Which model best fits these requirements? A. Attribute-Based Access Control (ABAC) B. Mandatory Access Control (MAC) C. Role-Based Access Control (RBAC) D. Discretionary Access Control (DAC)
B. Mandatory Access Control (MAC) The correct answer is B, Mandatory Access Control (MAC), because MAC is designed to enforce access control policies based on security classifications that align with the requirements for managing access to sensitive defense-related documents. Users cannot change access permissions, which ensures compliance with security regulations. Option A, Attribute-Based Access Control (ABAC), is incorrect because it provides a flexible approach to access control based on various attributes, which may not meet the stringent requirements of the scenario. Option C, Role-Based Access Control (RBAC), is incorrect as it assigns access based on user roles rather than strict classification levels. Option D, Discretionary Access Control (DAC), is incorrect because it allows user discretion in managing access, which is not suitable for environments requiring strict access control enforcement.
50. A company wants to ensure that only devices with a specific security posture can access sensitive data. Which device authentication mechanism can be used to enforce this requirement? A. Biometric verification B. Network Access Control (NAC) C. Two-factor authentication D. Password policies
B. Network Access Control (NAC) Network Access Control (NAC) (B) can be used to enforce device authentication by checking that devices meet specific security requirements, such as having up-to-date antivirus software or a particular operating system configuration, before allowing them to access sensitive data. Biometric verification (A) is used for user authentication, not devices. Two-factor authentication (C) enhances user authentication security but does not directly enforce device security postures. Password policies (D) pertain to user credentials and do not validate device compliance with security standards.
68. A developer team is working on a project that requires an environment where they can quickly build and test applications with integrated tools, databases, and support services. They do not want to manage infrastructure or OS-level configurations. Which cloud service model should they utilize? A. Infrastructure as a Service (IaaS) B. Platform as a Service (PaaS) C. Software as a Service (SaaS) D. Network as a Service (NaaS)
B. Platform as a Service (PaaS) Platform as a Service (PaaS) (B) is the most suitable option for a developer team that wants a robust environment to build and test applications with integrated tools, databases, and support services. PaaS allows them to focus on application development without the need to manage underlying infrastructure or operating systems. Infrastructure as a Service (IaaS) (A) provides virtualized computing resources but requires more hands-on management of infrastructure and OS-level configurations. Software as a Service (SaaS) (C) provides ready-to-use applications and does not support application development. Network as a Service (NaaS) (D) offers network services and is not relevant to application development environments.
23. A security consultant notices that their client is not implementing adequate security measures, potentially exposing sensitive customer data. How should the consultant handle this situation in accordance with the (ISC)² Code of Ethics? A. Disclose the client's negligence to the public to force action. B. Privately discuss the issue with the client and recommend immediate corrective actions. C. Ignore the issue to maintain the client relationship. D. Implement the security measures without the client's consent.
B. Privately discuss the issue with the client and recommend immediate corrective actions. The (ISC)² Code of Ethics mandates professionals to protect society and the infrastructure, and act honorably and responsibly. Privately discussing the issue and recommending corrective actions (B) fulfills the ethical obligation to protect sensitive data and helps the client address the problem. Disclosing to the public (A) could breach confidentiality and harm the client. Ignoring the issue (C) does not address the risk. Implementing measures without consent (D) violates client autonomy and trust.
13. An enterprise is configuring federated access using SAML to integrate their internal identity provider with a cloud-based application. What is the main advantage of using SAML in this scenario? A. Reduces the need for multi-factor authentication B. Provides federated identity and SSO capabilities C. Ensures compliance with data encryption standards D. Lowers the cost of maintaining authentication servers
B. Provides federated identity and SSO capabilities The main advantage of using SAML in this scenario is that it provides federated identity and single sign-on (SSO) capabilities (B), allowing users to authenticate once and access multiple systems and services seamlessly. SAML does not reduce the need for multi-factor authentication (A); it complements it by providing a way to share authentication credentials across domains. While it can support encryption, SAML's primary purpose is not to ensure compliance with data encryption standards (C). Lowering the cost of maintaining authentication servers (D) is not a direct advantage of SAML, as it focuses on interoperability and federated access.
7. During a routine audit, it is discovered that HIPS on several servers is not logging any events. The HIPS was configured by a junior administrator. What is the best course of action to ensure proper HIPS functionality? A. Reinstall the HIPS software on the affected servers. B. Review and correct the HIPS configuration to ensure proper logging. C. Increase the verbosity of the server logs to capture more data. D. Disable and then re-enable the HIPS software.
B. Review and correct the HIPS configuration to ensure proper logging. Reviewing and correcting the HIPS configuration (B) ensures that the system is properly set up to log events, which is crucial for monitoring and incident response. Reinstalling the software (A) might fix the issue but does not address the root cause, which is configuration. Increasing log verbosity (C) without correcting HIPS configuration might capture more data but not necessarily HIPS-specific events. Simply toggling the HIPS (D) might not resolve configuration issues.
9. A laptop with TPM is undergoing maintenance. The technician wants to ensure that no unauthorized software can be installed during this period. What TPM feature can assist in this scenario? A. TPM locking the device during maintenance. B. TPM verifying the integrity of the software installation process. C. TPM enabling multi-factor authentication for software installations. D. TPM creating backups of the existing software.
B. TPM verifying the integrity of the software installation process. TPM can verify the integrity of the software installation process (B), ensuring that only authorized and untampered software is installed on the device. Locking the device (A) or enabling multi-factor authentication (C) may help control access but do not directly verify software integrity. Creating backups (D) is not a function of TPM and does not prevent unauthorized software installations.
8. During a security incident, an event correlation tool has identified a series of failed login attempts followed by a successful login from an unusual location. What action should the security team take next? A. Notify the user of the unusual login and request verification B. Temporarily disable the user account and investigate C. Update the event correlation rules to prevent similar incidents D. Increase the logging level to capture more detailed information
B. Temporarily disable the user account and investigate The security team should temporarily disable the user account and investigate (B) to prevent any further potential unauthorized access while the incident is being reviewed. This action ensures that the account is secured while the team analyzes the logs and determines the legitimacy of the login. Notifying the user of the unusual login and requesting verification (A) may be necessary but is secondary to securing the account. Updating the event correlation rules (C) is a long-term action to improve detection but does not address the immediate threat. Increasing the logging level (D) may help in future analysis but is not an immediate response to the detected incident.
57. An organization is acquiring a new software solution. What is a critical factor to evaluate during the selection process to ensure the solution aligns with security requirements? A. The software's user interface design. B. The vendor's history of addressing security vulnerabilities. C. The software's feature set and customization options. D. The training requirements for end-users.
B. The vendor's history of addressing security vulnerabilities. Evaluating the vendor's history of addressing security vulnerabilities (B) is crucial during the selection process to ensure that the software solution will continue to be secure and that the vendor is proactive in managing and mitigating security risks. The software's user interface design (A) is important for usability but not for security. The feature set and customization options (C) are relevant for functionality but do not guarantee security. Training requirements for end-users (D) are important for implementation but do not directly ensure the solution's security alignment.
82. An organization is in the process of implementing a new software asset management system. What is the primary goal during the implementation phase to ensure the system's effectiveness? A. To train end-users on the new system features. B. To integrate the system with existing asset inventories. C. To assess the total cost of ownership of the system. D. To document the software licensing requirements.
B. To integrate the system with existing asset inventories. The primary goal during the implementation phase of a software asset management system is to integrate the system with existing asset inventories (B). This ensures that all assets are accurately tracked and managed within a single system, providing a comprehensive view of software usage and compliance. Training end-users (A) is important for usability but is secondary to establishing an effective integration. Assessing the total cost of ownership (C) is part of the planning phase, not implementation. Documenting software licensing requirements (D) is also crucial but should be completed during the planning or initiation phases.
89. An IT administrator is configuring an SSO solution with ADFS. Which of the following components is essential for establishing trust between the identity provider and the service provider? A. DNS server B. Trust policy C. Network firewall D. Application gateway
B. Trust policy Establishing trust between the identity provider (IdP) and the service provider (SP) in an SSO solution using ADFS requires a trust policy (B). This policy defines the trust relationship and the attributes that are shared between the two parties. A DNS server (A) helps with name resolution but is not directly involved in establishing trust. A network firewall (C) provides security at the network level but does not facilitate trust relationships. An application gateway (D) manages traffic to applications but is not responsible for trust in SSO configurations.
34. You are tasked with securing the Wi-Fi network at a corporate office. The current network uses WPA2-PSK. What is the most effective way to enhance the security of this network? A. Enable MAC address filtering and disable SSID broadcast. B. Upgrade to WPA3 and implement a strong, unique passphrase. C. Increase the Wi-Fi signal strength and use a hidden SSID. D. Change the SSID frequently and use a guest network for visitors.
B. Upgrade to WPA3 and implement a strong, unique passphrase. Upgrading to WPA3 enhances the security significantly by providing stronger encryption mechanisms and protecting against brute-force attacks. Implementing a strong, unique passphrase further secures the network. While enabling MAC address filtering and disabling SSID broadcast (A) can provide a layer of obscurity, they are not effective security measures as MAC addresses can be spoofed and SSIDs can be discovered. Increasing Wi-Fi signal strength (C) does not impact security and using a hidden SSID is not a reliable security measure. Changing the SSID and using a guest network (D) can help, but it is not as impactful as upgrading the security protocol and using a strong passphrase.
65. You are deploying IoT sensors in a hospital to monitor patient vitals. Which security practice should be prioritized to protect sensitive health data? A. Transmit data unencrypted for faster processing. B. Use strong encryption protocols for data transmission and storage. C. Disable user authentication to streamline access to the data. D. Connect sensors directly to the internet for real-time monitoring.
B. Use strong encryption protocols for data transmission and storage. Using strong encryption protocols (B) ensures that sensitive health data transmitted and stored by IoT sensors is protected from unauthorized access and eavesdropping. Transmitting data unencrypted (A) poses a significant risk to patient privacy and security. Disabling user authentication (C) compromises data security by allowing unauthorized access. Connecting sensors directly to the internet (D) without adequate security measures exposes them to potential attacks and compromises data integrity.
96. A security analyst needs to ensure that data on all company laptops is encrypted and accessible only to authorized users. Which method should be implemented to achieve this goal? A. Enable file-level encryption on all sensitive documents. B. Use whole disk encryption with pre-boot authentication. C. Install antivirus software on all laptops. D. Implement strong password policies for all user accounts.
B. Use whole disk encryption with pre-boot authentication. Using whole disk encryption with pre-boot authentication (B) ensures that all data on the laptops is encrypted and can only be accessed by authorized users who have the correct credentials. File-level encryption (A) only protects specific files, not the entire disk. Antivirus software (C) helps protect against malware but does not encrypt data. Strong password policies (D) enhance security but do not provide encryption.
19. After a disaster at their main facility, a company shifts to using cloud-based services as their interim processing strategy. What key factor must be considered to ensure seamless transition and continued operations? A. Ensuring on-site backup power availability B. Verifying cloud service provider's compliance with regulations C. Updating all on-site hardware to latest standards D. Implementing a new disaster recovery plan for the cloud
B. Verifying cloud service provider's compliance with regulations The correct answer is B. Verifying the cloud service provider's compliance with regulations is crucial to ensure that data handling meets legal and security requirements, thus enabling a seamless transition and continued operations. Ensuring on-site backup power (A) is irrelevant when using cloud-based services. Updating on-site hardware (C) is unnecessary for cloud services. Implementing a new disaster recovery plan for the cloud (D) is important but not an immediate requirement for transition.
39. A company's web server has been targeted by an attacker who exploited vulnerabilities in the web application to inject malicious code. This code redirected users to a fraudulent site designed to steal their credentials. What type of malicious activity does this describe? A. Zero-day exploit B. Web-based attack C. Insider threat D. Advanced Persistent Threat (APT)
B. Web-based attack The scenario describes the exploitation of web application vulnerabilities to inject malicious code that redirects users to a fraudulent site, which is characteristic of a web-based attack (B). Web-based attacks exploit weaknesses in web applications and often aim to steal information or manipulate web content. A zero-day exploit (A) targets unknown vulnerabilities but does not necessarily involve web applications. An insider threat (C) involves malicious actions from within the organization, not external exploitation of web vulnerabilities. An Advanced Persistent Threat (APT) (D) is a prolonged and targeted attack, which is more sophisticated than a typical web-based attack.
42. An organization needs to secure its web servers with SSL/TLS to protect data during transmission. What is the recommended minimum key length for RSA to ensure adequate security in this context? A. 512-bit B. 1024-bit C. 2048-bit D. 4096-bit
C. 2048-bit A 2048-bit RSA key is currently considered the minimum recommended length for secure SSL/TLS communications to protect against brute force and other cryptographic attacks (C). A 512-bit key (A) is extremely weak and easily compromised. A 1024-bit key (B) is also considered inadequate for long-term security against modern threats. While a 4096-bit key (D) offers even greater security, it is not typically required and may result in higher computational overhead, making 2048-bit the optimal choice for balancing security and performance.
93. A financial firm needs to track user access to sensitive data and ensure compliance with regulatory requirements. Which IAM feature should be prioritized to achieve this? A. Single sign-on B. Privileged access management C. Access auditing and reporting D. Biometric authentication
C. Access auditing and reporting The correct answer is C. Access auditing and reporting are crucial for tracking user access to sensitive data and ensuring compliance with regulatory requirements, as they provide detailed logs and reports of user activities and access patterns (C). Single sign-on (A) simplifies authentication but does not provide detailed access tracking. Privileged access management (B) controls access to critical resources but does not focus on auditing. Biometric authentication (D) provides a secure method for identity verification but does not track access activities.
14. A company needs to ensure that a new contractor has limited access to specific systems and data necessary for their project. What identity management process should be followed? A. Role assignment B. Identity proofing C. Account provisioning D. Password policy enforcement
C. Account provisioning The correct answer is C. Account provisioning is the process of creating and configuring user accounts with appropriate access rights for the contractor, ensuring they only have access to the systems and data necessary for their project (C). Role assignment (A) involves defining roles, which is part of provisioning but not the entire process. Identity proofing (B) verifies the contractor's identity before provisioning. Password policy enforcement (D) is important for security but does not directly relate to provisioning access.
75. A security analyst needs to configure host-based firewalls on servers to prevent unauthorized remote access. Which rule should be implemented to ensure that only administrators can access the servers remotely? A. Allow inbound traffic on port 80. B. Block outbound traffic on all ports. C. Allow inbound traffic on port 22 from specific IP addresses. D. Block inbound traffic on port 443.
C. Allow inbound traffic on port 22 from specific IP addresses. Allowing inbound traffic on port 22 from specific IP addresses (C) ensures that only designated administrators can access the servers remotely via SSH, a common method for remote administration. Allowing traffic on port 80 (A) opens the server to HTTP traffic, which is not a secure channel for remote administration. Blocking outbound traffic (B) does not address inbound remote access. Blocking port 443 (D) would prevent HTTPS traffic, which is unrelated to remote administrative access.
60. During the change management lifecycle, which process is critical for ensuring that changes are tested in a controlled environment before deployment to production? A. Change Initiation B. Change Approval C. Change Validation D. Change Review
C. Change Validation Change Validation (C) is critical for ensuring that changes are tested in a controlled environment before being deployed to production. This process helps identify any issues or bugs that could affect the live environment. Change Initiation (A) involves proposing changes, Change Approval (B) involves authorizing changes, and Change Review (D) involves evaluating the success of changes after implementation.
56. An organization has implemented visible security cameras in their parking lot to reduce car theft. What type of control is this, and why is it effective in this context? A. Physical control B. Detective control C. Deterrent control D. Preventive control
C. Deterrent control Visible security cameras in a parking lot act as a deterrent control (C) by discouraging potential thieves from committing a crime due to the increased risk of being caught on camera. Physical control (A) refers to mechanisms that protect physical assets, but the cameras themselves do not physically prevent theft; they merely discourage it. Detective control (B) involves identifying and responding to an incident, such as reviewing footage after a theft has occurred, which is not the primary function of these cameras. Preventive control (D) involves actions that prevent incidents from occurring, like locking gates or installing barriers, which is not the role of a visible camera that serves mainly to deter.
78. During a network redesign, a company needs to choose a relationship model that allows for high availability and redundancy by distributing services across multiple servers. Which model is most appropriate? A. Client-server B. Peer-to-peer (P2P) C. Distributed network D. Cloud-based system
C. Distributed network A Distributed network (C) model spreads services and resources across multiple servers and locations, ensuring high availability and redundancy. This approach minimizes the risk of a single point of failure and enhances system resilience. A Client-server (A) model typically relies on a central server, which could be a single point of failure. A Peer-to-peer (P2P) (B) network distributes resources among peers but is not optimized for high availability and redundancy. A Cloud-based system (D) can offer distributed services, but this option is more about utilizing external resources rather than internal redundancy.
43. To prevent unauthorized access to the building after hours, a company decides to install a physical control that automatically locks doors and requires a valid credential for entry. Which control meets this requirement? A. Intrusion detection system B. Deadbolt locks C. Electronic access control system D. Window bars
C. Electronic access control system An electronic access control system is a physical control that automatically locks doors and requires a valid credential, such as a keycard or PIN, for entry. This ensures that only authorized individuals can access the building after hours. An intrusion detection system (A) alerts to unauthorized access but does not control entry, deadbolt locks (B) provide manual locking and unlocking without automated credential checks, and window bars (D) provide physical barriers but do not control access to entry points.
95. During a security review, an analyst identifies that an encrypted communication channel is vulnerable to attacks that intercept and manipulate data in transit. Which cryptographic countermeasure is most effective against such attacks? A. Implementing strong password policies B. Using a VPN for all communications C. Employing digital signatures D. Applying encryption algorithms with a longer key length
C. Employing digital signatures Employing digital signatures (C) provides a means to verify the integrity and authenticity of messages, ensuring that any intercepted and manipulated data can be detected and rejected by the receiver, effectively countering man-in-the-middle and data manipulation attacks. Implementing strong password policies (A) improves access control but does not protect against data manipulation in transit. Using a VPN (B) can help secure communications but is not a direct countermeasure for ensuring message integrity and authenticity. Applying encryption algorithms with a longer key length (D) enhances security against brute force attacks but does not specifically address data manipulation.
97. Your organization wants to implement an Intrusion Prevention System (IPS) that can actively prevent network attacks. Which of the following is a critical consideration to ensure the IPS does not disrupt normal network operations? A. Set the IPS to block all incoming traffic by default. B. Configure the IPS in passive mode to monitor traffic. C. Establish baseline network behavior and tune the IPS rules accordingly. D. Use the default IPS configuration without modifications.
C. Establish baseline network behavior and tune the IPS rules accordingly. Establishing baseline network behavior and tuning the IPS rules accordingly (C) ensures that the IPS can differentiate between normal and malicious traffic, minimizing disruptions to normal operations. Blocking all incoming traffic by default (A) is overly restrictive and can cause significant disruptions. Configuring the IPS in passive mode (B) does not provide active prevention, which is a key requirement in this scenario. Using the default IPS configuration (D) may not be tailored to the specific network environment, leading to either false positives or missed threats.
35. You are tasked with configuring a secure wireless network for a healthcare facility. The primary requirement is to use a strong authentication protocol. Which of the following should you implement? A. Wired Equivalent Privacy (WEP) B. Wi-Fi Protected Access (WPA2) C. Extensible Authentication Protocol (EAP) D. Wi-Fi Protected Setup (WPS)
C. Extensible Authentication Protocol (EAP) Extensible Authentication Protocol (EAP) (C) provides a robust framework for secure authentication methods, making it suitable for environments requiring strong security such as a healthcare facility. WEP (A) is outdated and insecure. WPA2 (B) offers better encryption but may still benefit from EAP for stronger authentication. WPS (D) is a convenience feature for connecting devices and is not recommended for high-security environments.
52. A company is considering using File Transfer Protocol Secure (FTPS) for secure file transfers. What is a notable limitation or vulnerability of FTPS? A. FTPS does not encrypt data in transit. B. FTPS is not supported by most modern operating systems. C. FTPS can be vulnerable to firewall traversal issues. D. FTPS does not provide server authentication.
C. FTPS can be vulnerable to firewall traversal issues. The correct answer is C. FTPS can face issues with firewall traversal due to its use of multiple ports for control and data connections, which can complicate firewall configurations. Option A is incorrect as FTPS does encrypt data in transit. Option B is incorrect because FTPS is widely supported by modern operating systems. Option D is incorrect because FTPS does support server authentication through SSL/TLS.
51. Which of the following incidents is an example of a breach of data integrity? A. An employee's laptop is stolen, exposing sensitive data. B. A database containing sensitive information is accessed by an unauthorized user. C. Financial records in a database are altered without proper authorization. D. A denial-of-service (DoS) attack renders a web application unavailable.
C. Financial records in a database are altered without proper authorization. A breach of data integrity occurs when information is altered in an unauthorized manner. In this scenario, financial records in a database being altered without proper authorization directly compromises the integrity of the data. An employee's laptop being stolen (A) and unauthorized access to a database (B) are breaches of confidentiality rather than integrity. A denial-of-service (DoS) attack (D) affects the availability of a service but does not necessarily involve altering data.
36. A large corporation with extensive IT resources wants to leverage cloud technologies for non-sensitive, high-performance computing tasks while maintaining its own data centers for sensitive data and critical applications. Which cloud deployment model is most suitable for this approach? A. Public Cloud B. Private Cloud C. Hybrid Cloud D. Community Cloud
C. Hybrid Cloud The Hybrid Cloud (C) is ideal for a large corporation that wants to use cloud technologies for specific tasks while maintaining its own data centers for sensitive data and critical applications. This model allows the organization to take advantage of the scalability and performance benefits of the Public Cloud (A) for non-sensitive tasks, while keeping sensitive data secure in a Private Cloud (B) or on-premises data centers. The Hybrid Cloud provides flexibility and cost savings without compromising security for critical applications. The Community Cloud (D) is not typically used for this kind of scenario as it involves shared resources among organizations with similar requirements, which may not be applicable to a single large corporation with diverse needs.
88. A business needs to ensure secure remote access for its employees to the company's network. The solution should provide a secure tunnel to protect all data transmitted between the remote users and the company's internal network. Which protocol is the best choice for this use case? A. TLS B. SSH C. IPsec D. SMTP
C. IPsec The correct answer is C. IPsec (Internet Protocol Security) is widely used for setting up secure VPN tunnels, providing encryption and integrity for data transmitted between remote users and the company's internal network. This ensures that the data is protected from interception and tampering. TLS (A) is typically used for securing web traffic and is not the best choice for VPN tunnels. SSH (B) is used for secure remote access to systems but not for creating secure tunnels for general network access. SMTP (D) is for sending emails and does not provide secure network access.
64. An organization is required to comply with PCI-DSS for the secure transmission of payment data. Which action should be taken to ensure compliance when transmitting this data over the internet? A. Using asymmetric encryption B. Encrypting data with AES and transmitting it in cleartext C. Implementing TLS for data transmission D. Applying a digital signature to the data
C. Implementing TLS for data transmission PCI-DSS requires the use of strong encryption protocols like TLS (C) to protect payment data during transmission over the internet. TLS ensures that data is encrypted and secure, maintaining confidentiality and integrity. Asymmetric encryption (A) is typically used for key exchange rather than direct data encryption for transmission. Encrypting data with AES (B) is secure for storage but transmitting it in cleartext would not protect the data during transmission. Applying a digital signature (D) provides data integrity and authenticity but does not encrypt the data for secure transmission.
2. During a security impact analysis for a proposed software update, it is identified that the update may lead to increased network traffic, potentially exposing the network to denial-of-service (DoS) attacks. What should be the primary focus of the security team in addressing this issue? A. The performance improvements expected from the software update. B. The potential for user dissatisfaction due to network slowdowns. C. Implementing measures to mitigate the risk of DoS attacks. D. Reviewing the cost of increased network bandwidth.
C. Implementing measures to mitigate the risk of DoS attacks. Implementing measures to mitigate the risk of DoS attacks (C) should be the primary focus of the security team. This may involve setting up defenses such as rate limiting, intrusion detection systems, and redundant pathways to ensure the network remains resilient to increased traffic. The performance improvements (A) and cost of increased bandwidth (D) are important but secondary to addressing the security risk. User dissatisfaction (B) is a consideration, but preventing DoS attacks is more critical.
47. When administering MDM with containerization, what is a critical step to ensure corporate data remains secure when accessed from employee devices? A. Enforcing device-wide encryption for all data B. Installing corporate security certificates on personal devices C. Implementing policies to wipe only corporate data within containers if necessary D. Restricting the installation of new applications on the device
C. Implementing policies to wipe only corporate data within containers if necessary The ability to selectively wipe corporate data within containers (C) is a key benefit of containerization, ensuring that corporate data can be securely removed without affecting personal data. Option A addresses encryption at a device level, not focusing on the selective control offered by containerization. Option B deals with overall security measures but does not highlight container-specific benefits. Option D restricts app installations, which is a broader MDM control not specific to containerization.
18. A business is setting up an extranet to allow its customers to access specific services online securely. What must the company consider to ensure that this setup does not compromise its internal network? A. Using only the internet for all communications B. Integrating the extranet directly with the intranet C. Implementing strong authentication and access controls D. Relying on public Wi-Fi for customer access
C. Implementing strong authentication and access controls Implementing strong authentication and access controls (C) is crucial to ensure that the extranet does not compromise the internal network. This involves verifying the identity of users and controlling their access to specific resources, thereby protecting sensitive data. Using only the internet (A) without additional security measures is insufficient. Integrating the extranet directly with the intranet (B) without adequate security can expose the internal network to risks. Relying on public Wi-Fi (D) for customer access is insecure and poses significant security threats.
45. A healthcare organization is using Software as a Service (SaaS) for managing patient records. Which responsibility is primarily theirs under the shared responsibility model? A. Ensuring the physical security of the data center B. Securing the underlying network infrastructure C. Managing patient data access controls D. Maintaining the SaaS application's backend servers
C. Managing patient data access controls Under the SaaS model, the healthcare organization is primarily responsible for managing patient data access controls (C), which involves ensuring that only authorized personnel can access patient records. The cloud provider handles the physical security of the data center (A) and secures the underlying network infrastructure (B), as well as maintaining the backend servers (D) for the SaaS application. The organization must focus on compliance with data privacy regulations and control who accesses the data.
83. A company implements digital signatures for all electronic documents. What primary security concept does this measure support? A. Confidentiality B. Integrity C. Non-repudiation D. Availability
C. Non-repudiation Implementing digital signatures for all electronic documents primarily supports non-repudiation. Digital signatures ensure that the sender of a document cannot deny having sent it, as the signature uniquely identifies the sender and links them to the document. Confidentiality (A) is about preventing unauthorized access to information. Integrity (B) ensures that the information is not altered. Availability (D) ensures that information is accessible when needed. While digital signatures also contribute to integrity, their primary role in this context is non-repudiation.
81. An organization is disposing of obsolete software that may contain sensitive information in its configuration files. What is the best practice to ensure the data is securely destroyed? A. Uninstalling the software using the control panel. B. Deleting the software directory from the system. C. Overwriting the software and configuration files with random data. D. Archiving the software for future reference.
C. Overwriting the software and configuration files with random data. Overwriting the software and configuration files with random data (C) ensures that any sensitive information is securely destroyed and cannot be recovered, providing a higher level of security than simply deleting or uninstalling the software. Uninstalling the software (A) or deleting the directory (B) does not guarantee that all data is removed securely. Archiving the software (D) is not relevant to secure destruction and may lead to potential data exposure.
70. An organization wants to ensure that their software downloads are not tampered with. What is the most effective way to use hashing to achieve this? A. Include the hash value of the software on the download page. B. Use a different hash algorithm for each software version. C. Publish the hash value in a separate secure location. D. Generate a hash for the installer and encrypt it with the company's private key.
C. Publish the hash value in a separate secure location. Publishing the hash value in a separate secure location (C) ensures that users can verify the integrity of the software they downloaded by comparing the computed hash with the one published. Including the hash on the download page (A) does not provide security if the page itself is compromised. Using different algorithms (B) adds complexity without additional security benefits. Encrypting the hash with a private key (D) adds a layer of integrity verification but may complicate the process for users without access to the decryption method.
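The verification step described in the explanation above, as an added example that is not part of the original CertPreps material: the user computes a digest of the downloaded installer and compares it with the digest the vendor published out of band. The installer bytes, the checksum-file lines and the file names are constructed for the demonstration. The example also parses a `SHA256SUMS`-style checksum list with several entries, which goes a little beyond the single-file case in the explanation, and uses a constant-time comparison so the check itself does not leak which bytes of the digest matched.

```python
import hashlib
import hmac
from typing import BinaryIO, Dict


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_stream(fileobj: BinaryIO, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 digest of a file-like object, read in chunks so large
    installers do not have to be loaded into memory at once."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(downloaded: bytes, published_hex: str) -> bool:
    """True only if the computed digest equals the published digest.
    hmac.compare_digest avoids early-exit timing differences."""
    computed = sha256_hex(downloaded)
    return hmac.compare_digest(computed, published_hex.strip().lower())


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Parse lines of the form '<hex digest>  <filename>' (the layout used by
    sha256sum-style checksum lists) into a filename -> digest mapping.
    Blank lines and '#' comments are ignored; malformed lines are rejected."""
    expected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        int(digest, 16)  # raises ValueError if the digest is not hex
        expected[name.lstrip("*")] = digest.lower()
    return expected


# Constructed sample "installers" (not real files) and the checksum list a
# vendor would publish on a separate, trusted channel.
GENUINE_INSTALLER = b"MZ\x90\x00example-installer-v1.2.3"
GENUINE_PORTABLE = b"PK\x03\x04example-portable-v1.2.3"
PUBLISHED_SUMS = (
    "# constructed SHA256SUMS for the demo\n"
    f"{sha256_hex(GENUINE_INSTALLER)}  example-installer.exe\n"
    f"{sha256_hex(GENUINE_PORTABLE)}  example-portable.zip\n"
)


def check_downloads(files: Dict[str, bytes], sums_text: str) -> Dict[str, bool]:
    """Verify every downloaded file against the published checksum list.
    A file with no published digest is reported as failed, not skipped."""
    expected = parse_checksum_file(sums_text)
    return {
        name: (name in expected and verify_download(data, expected[name]))
        for name, data in files.items()
    }


def demo() -> Dict[str, bool]:
    # One genuine download, one tampered download (a trailing byte appended),
    # and one file that is not listed in the published checksums at all.
    downloads = {
        "example-installer.exe": GENUINE_INSTALLER,
        "example-portable.zip": GENUINE_PORTABLE + b"\x00",
        "unlisted.bin": b"no published digest for this file",
    }
    return check_downloads(downloads, PUBLISHED_SUMS)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'FAILED'}")
```

The check is only as trustworthy as the channel the published digest came from: if the digest is served from the same compromised download page, an attacker who replaced the installer can replace the digest as well, which is the point the explanation makes about option A.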
31. Which of the following is a key benefit of implementing segregation of duties (SoD) in an organization? A. Increased efficiency in task completion B. Improved collaboration among team members C. Reduced risk of fraud and errors D. Simplified management of access controls
C. Reduced risk of fraud and errors Implementing segregation of duties (SoD) reduces the risk of fraud and errors by ensuring that critical tasks are divided among multiple individuals or departments. This prevents any single individual from having too much control over a process, making it harder for malicious actions or mistakes to go unnoticed. Increased efficiency in task completion (A) may not be a direct result of SoD, as it may introduce additional steps. Improved collaboration among team members (B) is possible but not the primary goal of SoD. Simplified management of access controls (D) can be a benefit but is not the primary purpose of SoD.
73. To enhance accountability, an organization has decided to implement user activity logging. Which of the following best practices should be followed to ensure the effectiveness of this logging? A. Allowing users to disable logging for privacy reasons B. Storing logs on the same server being monitored C. Regularly reviewing and analyzing log data for anomalies D. Keeping log data for a short period to save storage space
C. Regularly reviewing and analyzing log data for anomalies Regularly reviewing and analyzing log data for anomalies is a best practice that ensures the effectiveness of user activity logging by identifying unusual or unauthorized activities that may indicate security incidents or policy violations. Allowing users to disable logging (A) undermines accountability and security. Storing logs on the same server being monitored (B) risks losing log data if the server is compromised. Keeping log data for a short period (D) limits the ability to conduct thorough investigations and audits, as historical data may be required to identify patterns or trends.
32. During a security audit, it is discovered that confidential client records are accessible by all employees, including those without a need-to-know basis. What immediate action should be taken to rectify this issue? A. Increase network monitoring to detect unauthorized access. B. Encrypt all confidential client records. C. Restrict access based on the principle of least privilege. D. Perform a full security risk assessment.
C. Restrict access based on the principle of least privilege. Restricting access based on the principle of least privilege ensures that employees only have access to the information necessary for their job roles, which helps in maintaining the confidentiality of client records. Increasing network monitoring (A) and performing a full security risk assessment (D) are important for overall security but do not immediately address the issue of unauthorized access. Encrypting all confidential client records (B) protects data at rest but does not prevent unauthorized access by employees within the organization.
25. Which of the following is an example of applying the principle of least privilege in a software development environment? A. Allowing developers to access production servers for testing purposes B. Giving developers administrative privileges on their workstations C. Restricting developers' access to only the source code repositories they need D. Providing developers with access to all project documentation
C. Restricting developers' access to only the source code repositories they need Restricting developers' access to only the source code repositories they need (C) aligns with the principle of least privilege by granting access based on what is necessary to perform their job functions. Allowing developers to access production servers (A) violates the principle of least privilege by granting unnecessary access. Giving developers administrative privileges on their workstations (B) provides more access than necessary. Providing developers with access to all project documentation (D) also grants excessive access.
94. A company's security team discovers software on a server that allows attackers to execute commands remotely and integrate with the operating system at a deep level, making it difficult to detect and remove. Which type of malware does this scenario describe? A. Virus B. Fileless malware C. Rootkit D. Spyware
C. Rootkit The scenario describes a program that enables remote command execution and integrates deeply with the operating system, indicative of a rootkit (C). Rootkits are designed to provide ongoing privileged access and often hide their presence from security tools, making them difficult to detect and remove. A virus (A) is designed to modify or corrupt data and does not usually provide deep system integration for remote access. Fileless malware (B) operates in memory and is typically less integrated with the operating system, aiming to avoid detection through lack of persistent files. Spyware (D) is used for monitoring user activities and does not usually provide deep integration for remote control.
84. A multinational corporation wants to create a trust relationship that allows seamless access between its various domain networks across different regions. The goal is to ensure that trust relationships are inherited across different levels of the organization's domain hierarchy. What type of trust should they implement? A. One-way trust B. Two-way trust C. Transitive trust D. Zero trust
C. Transitive trust Transitive trust (C) is suitable for this scenario as it allows seamless access and automatically extends trust relationships across different domains and levels of the organization's domain hierarchy. This means that if one domain trusts another, all subsequent trusts are also recognized, making management simpler. One-way trust (A) and two-way trust (B) require individual trust relationships to be established for each domain, which is less efficient for a large organization. Zero trust (D) is unrelated as it involves a security model that assumes no trust by default, requiring verification at every stage.
4. While troubleshooting a network issue, you notice that a device on your network is unable to establish a TCP connection with a remote server. After verifying the network configuration and confirming that there are no firewall blocks, you decide to investigate further by checking the OSI model layers. Which layer would be the most relevant to check for potential issues related to the establishment of a TCP connection? A. Network layer B. Data link layer C. Transport layer D. Application layer
C. Transport layer The Transport layer (C) is responsible for establishing, maintaining, and terminating connections, as well as providing error recovery and flow control. TCP operates at this layer, making it the most relevant for investigating connection establishment issues. The Network layer (A) deals with routing and forwarding packets, which is not directly related to connection establishment. The Data link layer (B) handles the physical addressing and error detection between directly connected nodes. The Application layer (D) is responsible for providing network services to applications but does not manage connection establishment.
1. During a routine security assessment, you discover that a critical web application is vulnerable to SQL injection. Which of the following actions would be the most effective in mitigating this vulnerability? A. Implementing input validation on the client side. B. Restricting database access to only trusted IP addresses. C. Using parameterized queries in the application code. D. Enabling SSL/TLS for the web application.
C. Using parameterized queries in the application code. The most effective action in mitigating SQL injection vulnerabilities is using parameterized queries in the application code (C). Parameterized queries ensure that SQL code is not directly executed based on user input, thus preventing injection attacks. Input validation on the client side (A) is not effective because it can be bypassed; server-side validation is required. Restricting database access to trusted IP addresses (B) does not prevent SQL injection, as it is an attack on the application layer. Enabling SSL/TLS (D) secures data in transit but does not mitigate SQL injection, which targets the database directly.
38. An employee reports that their browser is displaying warnings about a website's security certificate. What is the most appropriate response to this situation? A. Ignore the warnings and proceed to the website. B. Update the browser to the latest version. C. Verify the website's certificate and contact the site's administrator if needed. D. Disable browser security warnings for a smoother browsing experience.
C. Verify the website's certificate and contact the site's administrator if needed. Verifying the website's certificate (C) and contacting the site's administrator if needed ensures that the employee is not visiting a potentially malicious or compromised website. Ignoring the warnings (A) could expose the employee to security risks. Updating the browser (B) is good practice but may not address certificate issues. Disabling security warnings (D) reduces protection against malicious websites.
28. A university campus needs to deploy a network that provides high mobility for users while ensuring they can access the network from multiple locations. Which transmission media should they use to best meet these requirements? A. Fiber optics B. Ethernet C. Wi-Fi D. Powerline networking
C. Wi-Fi Wi-Fi (C) provides the high mobility and flexibility needed for users on a university campus, allowing access to the network from various locations without being tethered to a physical connection. Fiber optics (A) offers high-speed, long-distance connections but requires physical cabling and does not provide the mobility needed. Ethernet (B) provides reliable wired connections but lacks the mobility and flexibility of wireless options. Powerline networking (D) uses electrical wiring for data transmission, which is useful for fixed locations but does not support high mobility across a campus.
74. A company cannot implement automatic software updates due to system compatibility issues. As a compensating measure, they conduct regular manual updates and vulnerability scans. What type of control are they applying? A. Preventive control B. Detective control C. Corrective control D. Compensating control
D. Compensating control Conducting regular manual updates and vulnerability scans serves as a compensating control (D) because these activities provide an alternative to automatic software updates, which cannot be implemented due to compatibility issues. A preventive control (A) would involve measures such as automatic updates to prevent vulnerabilities. A detective control (B) refers to identifying and reporting security issues, and a corrective control (C) involves fixing issues after they are detected. The manual updates and scans compensate for the lack of automatic updates by maintaining software security through alternative means.
30. An organization is concerned about ensuring that electronic contracts they receive are from the legitimate sender and have not been altered. Which cryptographic method should be implemented to address these concerns? A. Symmetric Key Encryption B. Digital Certificates C. Asymmetric Key Encryption D. Digital Signatures
D. Digital Signatures Digital signatures (D) are the appropriate method to ensure that electronic contracts are from a legitimate sender (authenticity) and have not been altered (integrity). They create a unique signature based on the sender's private key and the contract's content, providing a means to verify both authenticity and integrity. Symmetric key encryption (A) focuses on confidentiality and does not address integrity or authenticity. Digital certificates (B) are used to validate identities but do not provide direct integrity checks. Asymmetric key encryption (C) is used for secure communication and key exchange rather than directly ensuring integrity and authenticity.
98. A company needs to define the specific steps to follow in case of a security breach to ensure a timely and effective response. Which administrative control should be created? A. Access control standard B. Configuration baseline C. Security policy D. Incident response plan
D. Incident response plan An incident response plan is an administrative control that defines specific steps to follow in case of a security breach. This plan ensures a timely and effective response to incidents, helping to mitigate damage and restore normal operations. An access control standard (A) governs access to resources, a configuration baseline (B) specifies minimum security configurations, and a security policy (C) provides broad guidelines, none of which detail the procedures for responding to security breaches.
59. During a forensic investigation report, which practice ensures that the findings are communicated effectively to law enforcement and other stakeholders? A. Using complex legal terminology B. Ensuring the report is concise and avoids unnecessary detail C. Including all technical jargon to demonstrate thoroughness D. Providing clear, factual evidence and findings
D. Providing clear, factual evidence and findings Providing clear, factual evidence and findings (D) ensures that the report is understandable and useful for law enforcement and stakeholders. Using complex legal terminology (A) can obscure the findings for those without a legal background. Conciseness (B) is important but should not compromise necessary detail. Including all technical jargon (C) may overwhelm non-technical readers. Therefore, clear and factual presentation (D) is crucial for effective communication.
92. An organization faces a high risk of intellectual property theft. They decide to continue operations with full knowledge of the risk but take no action to mitigate it. What risk treatment strategy are they using? A. Risk avoidance B. Risk transfer C. Risk mitigation D. Risk acceptance
D. Risk acceptance Continuing operations with full knowledge of the risk without taking any action to mitigate it is an example of risk acceptance (D). The organization is acknowledging the risk and choosing to accept it without making changes. Risk avoidance (A) would involve stopping the activities that lead to the risk. Risk transfer (B) would shift the risk to another entity, and risk mitigation (C) would involve taking steps to reduce the impact of the risk.
6. An organization is operating a new software application that requires regular updates. What is the best practice to ensure the software remains secure and functional? A. Schedule updates during peak business hours for minimal disruption. B. Implement automatic updates without user intervention. C. Perform manual updates only when a major issue is reported. D. Test updates in a staging environment before applying them to production.
D. Test updates in a staging environment before applying them to production. Testing updates in a staging environment before applying them to production (D) is the best practice to ensure the software remains secure and functional. It allows for identification and resolution of any issues that might arise from the updates without affecting the live environment. Scheduling updates during peak business hours (A) can disrupt business operations. Implementing automatic updates (B) without user intervention can be convenient but may introduce issues if not tested beforehand. Performing manual updates only when major issues are reported (C) can leave the software vulnerable to security threats and other problems that could have been prevented.
66. An organization needs to ensure that personally identifiable information (PII) transmitted between its branches is protected. Which cryptographic solution is best suited for this purpose? A. Public Key Cryptography B. Hashing C. Digital Signatures D. Transport Layer Security (TLS)
D. Transport Layer Security (TLS) Transport Layer Security (TLS) (D) is the best-suited cryptographic solution for protecting PII transmitted between branches. It encrypts the data during transmission, ensuring confidentiality and integrity. Public key cryptography (A) is typically used for secure key exchange but not for encrypting the entire data transmission. Hashing (B) verifies data integrity but does not provide encryption for data in transit. Digital signatures (C) authenticate the sender and ensure integrity but do not encrypt the data for transmission.
