Try 90 free CompTIA Security+ SY0-801 questions across the exam domains, with explanations, then continue with full IT Mastery practice.
This free full-length CompTIA Security+ SY0-801 practice exam includes 90 original IT Mastery questions across the exam domains.
Use these questions for self-assessment, scope review, and deciding what to drill next.
Count note: this page uses the full-length practice count maintained in the Mastery exam catalog. Some certification vendors publish total questions, scored questions, duration, or unscored/pretest-item rules differently; always confirm exam-day rules with the sponsor.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
Try CompTIA Security+ SY0-801 on Web View full CompTIA Security+ SY0-801 practice page
| Domain | Weight |
|---|---|
| General Security Concepts | 16% |
| Threats, Vulnerabilities, and Attacks | 24% |
| Security Architecture | 19% |
| Security Operations | 27% |
| Security Program Management and Oversight | 14% |
Use this as one diagnostic run. IT Mastery gives you timed mocks, topic drills, analytics, code-reading practice where relevant, and full practice.
Topic: Security Operations
A SOC analyst reviews an alert generated by the identity provider. The security team previously created the referenced account only as a monitored tripwire and did not assign it to any application or employee.
Exhibit: Identity alert
| Field | Value |
|---|---|
| Account | audit-review-temp |
| Privileges | None assigned |
| Normal use | No legitimate use |
| Event | Interactive sign-in attempt |
| Source | Unrecognized external IP |
What deception technique is represented by this alert?
Options:
A. Honeyfile access
B. Honeytoken exposure
C. Canary-account detection
D. Honeynet interaction
Best answer: C
Explanation: A canary account is a deliberately created fake or unused identity that should never be used in normal operations. Any authentication attempt against it is suspicious because the account has no business owner, application assignment, or legitimate workflow. In this exhibit, the decisive evidence is an interactive sign-in attempt against a monitored account with no assigned privileges and no legitimate use. That points to possible credential discovery, password spraying, or attacker reconnaissance involving identities.
The closest distractor is a honeytoken, which is usually a fake credential, API key, database value, or marker placed where misuse reveals exposure. Here, the trigger is use of an identity account itself, not access to a planted file or token value.
Topic: Threats, Vulnerabilities, and Attacks
A SOC analyst is triaging several alerts from the same hour. The incident lead wants the first containment action to match the evidence of account compromise, not endpoint, network, or application compromise.
| Evidence | Summary |
|---|---|
| Identity logs | User jlee signed in from two countries 8 minutes apart; a new MFA device was enrolled |
| Email audit | jlee created a forwarding rule to an external mailbox |
| EDR | jlee’s laptop shows no malware or suspicious process activity |
| Network/WAF | Internet port scan and SQL injection attempts were blocked |
Which action should the analyst take first?
Options:
A. Isolate jlee’s laptop for malware analysis
B. Take the web application offline for emergency patching
C. Block the scanning source at the perimeter firewall
D. Revoke jlee’s sessions and reset the account credentials
Best answer: D
Explanation: Account compromise indicators appear in authentication and identity-administration artifacts, such as impossible travel, unexpected MFA enrollment, session activity, mailbox forwarding, and credential changes. In this scenario, the endpoint evidence is clean, while the network and WAF events were blocked background attacks. The user account evidence is active and directly tied to jlee, so containment should focus on the identity: revoke active sessions, reset credentials, review MFA methods, and remove unauthorized mail rules. Isolating a host or changing perimeter controls would target different evidence types and may leave the compromised account usable.
jlee’s identity.Topic: General Security Concepts
A software vendor distributes firmware updates through a public download portal. Customers need to verify that each update was not altered after release, that it came from the vendor, and that the vendor cannot later deny publishing it. Which control best meets these requirements?
Options:
A. Publish a hash value for each update
B. Encrypt each firmware update before download
C. Obfuscate the update package contents
D. Digitally sign each firmware update
Best answer: D
Explanation: Digital signatures are the best fit when the primary requirements are integrity, authenticity, and non-repudiation. The vendor signs the firmware with its private key, and customers verify the signature with the vendor’s public key or certificate. If verification succeeds, customers know the package has not changed since signing and that it was signed by the holder of the private key. A plain hash can detect alteration, but by itself it does not prove who created the hash or prevent denial by the publisher.
Topic: Security Architecture
A company is defining handling rules for employee medical accommodation records. The records must be available only to HR benefits staff and assigned legal counsel, must be encrypted in storage and transit, and must trigger a DLP block if attached to external email. Which classification and handling decision best maps to these requirements?
Options:
A. Confidential, with broad internal access for employees
B. Restricted, with need-to-know access and DLP enforcement
C. Critical, with priority backup and recovery controls only
D. Public, with standard website publishing controls
Best answer: B
Explanation: Data classification drives handling requirements. Employee medical accommodation records contain highly sensitive personal information and have strict access and disclosure limits, so a restricted classification fits the need for need-to-know access, encryption, monitoring, and DLP controls. Critical data is primarily about operational importance and availability, not automatically about privacy or disclosure limits. Confidential data is protected from public release, but the stem requires narrower access and stronger sharing controls than broad internal confidentiality would allow.
The key is to match both the sensitivity of the data and the required handling controls, not just choose a label that sounds important.
Topic: Security Architecture
A company is moving an order-processing application to microservices. The checkout service calls inventory, pricing, and payment services. A review finds that any pod in the cluster can call the payment service directly, but the business cannot pause deployments or rewrite the services this quarter. Payment requests include sensitive customer data. Which decision best reduces risk at the service boundaries?
Options:
A. Allow internal cluster traffic and monitor payment logs later
B. Move all services into one shared runtime process
C. Enforce service-to-service mTLS and least-privilege network policies
D. Place a WAF in front of the public checkout endpoint
Best answer: C
Explanation: Microservices security depends on controlling trust across service boundaries, not only at the public edge. In this scenario, the main risk is that any pod can directly reach the payment service, which creates lateral movement and unauthorized access exposure for sensitive customer data. Requiring service-to-service authentication and encryption, such as mTLS, helps verify service identity and protect traffic. Least-privilege network policies restrict which services can initiate calls to payment, inventory, or pricing based on required dependencies. This fits the business constraint because these controls can often be added at the platform or service-mesh layer without rewriting application logic. Edge controls are still useful, but they do not solve overpermissive internal service access.
Topic: Security Architecture
A company is reviewing a proposed production deployment. Based on the exhibit, which interpretation best describes the security implication of this architecture choice?
Exhibit: Proposed architecture
Deployment model: Public cloud IaaS
Workloads: Web VM, app VM, database VM
Network: One VPC, one subnet, one security group
Security group rule: allow all TCP/UDP from 10.20.0.0/16 to 10.20.0.0/16
Provider responsibility: physical facility, hardware, hypervisor
Customer responsibility: guest OS, VM firewall, security groups, data access
Options:
A. The provider must configure VM-to-VM firewall rules.
B. The single VPC provides isolation between application tiers.
C. The design is serverless, so host controls are not required.
D. The customer must segment VM traffic and manage guest OS controls.
Best answer: D
Explanation: Public cloud IaaS shifts some responsibility to the provider, such as physical infrastructure and the hypervisor, but leaves important operational controls with the customer. In this exhibit, the workloads are customer-managed VMs, and the customer is explicitly responsible for the guest OS, VM firewalls, security groups, and data access. Placing web, app, and database VMs in one subnet with a rule that allows all TCP/UDP across the whole VPC creates weak segmentation and increases lateral movement risk. The key implication is not that cloud removes responsibility, but that IaaS requires the customer to design and operate secure segmentation and workload controls.
Topic: Security Program Management and Oversight
A GRC analyst is updating the security artifact catalog. Which artifact type best matches the request in the exhibit?
Exhibit: Audit evidence request
Need: Show the mandatory organization-wide rules for protecting stored and transmitted data.
Must include: approved algorithms, minimum key lengths, and prohibited ciphers.
Must not include: step-by-step product configuration commands.
Options:
A. Encryption standard
B. Incident response runbook
C. Password requirements
D. System hardening baseline
Best answer: A
Explanation: A standard defines mandatory requirements that support a policy. In this case, the exhibit asks for required cryptographic rules across the organization: approved algorithms, minimum key lengths, and prohibited ciphers. That purpose fits an encryption standard. A baseline is usually a secure configuration starting point for a specific system or platform, while procedures and runbooks describe how to perform tasks step by step. The clue that the request excludes product-specific commands also points away from a procedure or baseline and toward a requirements-focused standard.
Topic: Security Program Management and Oversight
An analyst is preparing the risk register for the quarterly risk steering meeting. The organization’s procedure requires each open risk to have a current owner, treatment decision, review date, and stakeholder communication when conditions materially change.
Exhibit: Risk register excerpt
| Risk ID | Treatment decision | Last review | New information |
|---|---|---|---|
| R-17: unsupported customer portal component | Accept until replacement project | January 5 | Replacement delayed 6 months; active exploitation reported; only the app team was notified |
Today is April 8. Which action best keeps this risk decision visible and current?
Options:
A. Wait for the annual audit to reassess the risk
B. Update the risk entry and escalate it for review
C. Close the risk because it was previously accepted
D. Notify only the application team again
Best answer: B
Explanation: A risk register is useful only when risk ownership, status, treatment decisions, and review dates stay current. In this exhibit, R-17 was accepted under older assumptions, but the replacement delay and active exploitation materially change the risk. The April 5 review date has also passed. The best action is to update the register with the changed conditions and bring the risk back to the appropriate stakeholders or risk committee for review. They may accept, mitigate, transfer, or avoid the risk again, but that decision must be visible and documented.
A prior acceptance is not permanent approval when risk conditions change.
Topic: General Security Concepts
A payroll vendor is adding an API connection to receive employee tax IDs and direct-deposit details from an internal HR application. The connection will traverse the public Internet, and the security team must approve a control before go-live without changing the payload format. Which decision is the BEST way to protect the data in this communication path?
Options:
A. Obfuscate the field names in the payload
B. Hash the tax IDs before transmission
C. Digitally sign each API message
D. Require TLS for the API connection
Best answer: D
Explanation: Transport protection is required when sensitive information crosses an untrusted communication path, such as the public Internet. TLS provides confidentiality and integrity for data in transit between endpoints, which fits the payroll API scenario and avoids changing the existing payload format. Hashing is useful for one-way verification, digital signatures prove integrity and origin, and obfuscation only makes data less readable. None of those substitutes for encrypting sensitive data while it is moving over an untrusted network. The key takeaway is to use transport-layer protection when the exposure is the communication path.
Topic: Security Program Management and Oversight
A customer submits a request to delete personal data. The company must retain billing invoices for 7 years and has an active legal hold on support tickets related to the customer’s pending lawsuit. The customer can be authenticated using the existing account MFA process. Which response best satisfies the privacy request without violating retention or legal-hold duties?
Options:
A. Collect a government ID and full SSN before reviewing the request
B. Delete all customer records immediately after MFA verification
C. Delete eligible data, retain only held or required records, and document the basis
D. Deny the entire request because any legal hold exists
Best answer: C
Explanation: Privacy requests should be fulfilled to the extent allowed, but legal holds and mandatory retention override deletion for the specific records they cover. The right response verifies the requester with a proportionate method, deletes or anonymizes data that is not needed, preserves invoices and lawsuit-related support tickets, and records the reason for each exception. This also supports accountability if the customer, auditor, or legal team later asks why some records remain.
The key is data minimization: do not keep unrelated data just because some data is protected, and do not collect extra sensitive identity data when existing MFA is sufficient.
Topic: Security Architecture
A retailer is selecting an architecture for a customer-facing ordering service before a seasonal sales event. The business requires average monthly cost at or below $12,000, rapid scaling during traffic spikes, and reduced operational ownership because the infrastructure team has limited staffing.
Exhibit: Architecture evaluation notes
| Option | Cost | Ownership | Scalability and risk |
|---|---|---|---|
| On-premises refresh | $18,000/month | Company manages hardware and OS | Slow procurement; high deadline risk |
| Colocation | $14,000/month | Company manages hardware and OS | Manual capacity adds; medium deadline risk |
| Cloud IaaS | $10,000/month normal, $16,000 peak | Company manages OS and scaling rules | Scales, but peak exceeds budget |
| Managed cloud PaaS | $11,500/month average | Provider manages platform; company manages app | Autoscaling; low deadline risk |
Options:
A. Lift and shift the service to cloud IaaS
B. Move company-owned servers to colocation
C. Deploy the service on managed cloud PaaS
D. Buy new on-premises servers
Best answer: C
Explanation: Architecture trade-off decisions should align technical fit with business constraints. Here, the deciding facts are the $12,000 average monthly cost limit, limited staffing, need for rapid seasonal scaling, and deadline risk before a sales event. Managed cloud PaaS is the only option that stays within the cost target while reducing platform ownership and providing autoscaling. Cloud IaaS is tempting because the normal cost is lower, but the exhibit states peak cost exceeds the budget and the company still owns OS and scaling operations. The on-premises and colocation options increase ownership and introduce capacity or procurement risks that conflict with the business need.
Topic: Security Operations
A security team is selecting an intrusion detection or prevention control for a branch office. Which deployment best satisfies the need shown in the exhibit?
Exhibit: Wireless security note
Area: conference center Wi-Fi
Finding: SSID similar to Corp-Secure is appearing during events
Impact: users may associate with an unauthorized access point
Current tool: NIDS on a data center switch SPAN port
Goal: detect and actively contain unauthorized AP/client associations
Constraint: keep the solution focused on Wi-Fi radio activity
Options:
A. Deploy host-based IPS agents on user laptops
B. Deploy a WIPS integrated with the wireless infrastructure
C. Deploy an inline NIPS at the internet edge
D. Deploy a NIDS on the wired conference network
Best answer: B
Explanation: The exhibit points to a wireless-layer problem: an unauthorized access point is imitating a corporate SSID, and the goal is active containment of AP/client associations. A wireless intrusion prevention system (WIPS) is the best fit because it monitors Wi-Fi radio activity and can take configured prevention actions within the authorized wireless environment. A NIDS on a SPAN port provides visibility into copied wired traffic but does not prevent wireless association. A network IPS inline at the internet edge can block network traffic that passes through it, but it does not directly manage rogue Wi-Fi radio behavior. The key distinction is visibility versus prevention, and wired traffic inspection versus wireless protection.
Topic: Threats, Vulnerabilities, and Attacks
A security analyst receives an EDR alert from a finance workstation. The alert shows dozens of files on a mapped payroll share being renamed and encrypted within minutes, creation of a README_RECOVER.txt file, and an outbound connection to an unfamiliar IP address. The workstation is still running, payroll processing starts in two hours, and the incident response procedure requires evidence preservation and notification of the incident commander before broad communications. What is the best initial response?
Options:
A. Isolate the workstation, preserve evidence, and notify the incident commander.
B. Delete the ransom note and process while keeping the workstation online.
C. Power off the workstation and immediately restore the share from backup.
D. Email all employees that ransomware is confirmed and payroll is delayed.
Best answer: A
Explanation: The indicators strongly suggest active ransomware: rapid encryption, mass renaming, a ransom note, and suspicious outbound traffic. The best initial response is to contain the affected endpoint by isolating it from the network, preserve relevant logs and artifacts, and notify the incident commander according to procedure. This limits further damage to the payroll share while maintaining evidence needed for investigation and recovery decisions. Communication should follow the incident process because premature broad messaging can create confusion or disclose unverified details. Recovery actions should occur after containment and initial evidence preservation.
Topic: Threats, Vulnerabilities, and Attacks
A vulnerability manager must choose one issue for emergency remediation before the normal monthly patch cycle. The change policy allows emergency work when exposure and business impact justify the risk.
| Finding | Asset exposure | Impact context |
|---|---|---|
| Critical library flaw | Internal dev server only | No production data |
| High-risk RCE | Internet-facing payment portal | Active exploit reported |
| Medium CMS flaw | Public marketing site | WAF rule blocks exploit path |
| High encryption gap | Executive laptop | Full-disk encryption disabled |
Which action should be prioritized first?
Options:
A. Fix the public marketing site CMS flaw
B. Patch the internal dev server library flaw
C. Enable encryption on the executive laptop
D. Patch the internet-facing payment portal RCE
Best answer: D
Explanation: Remediation priority should consider more than the rating label. A vulnerability that is externally reachable, actively exploited, and tied to a high-impact business process often outranks a higher-scored issue on an isolated or lower-impact asset. In this scenario, the payment portal combines several priority drivers: internet exposure, remote code execution, active threat intelligence, and business impact to payment processing. Those factors support using the emergency change process instead of waiting for the monthly cycle.
The key takeaway is to prioritize risk in context, not just by raw severity.
Topic: Security Program Management and Oversight
A company is evaluating a third-party SaaS provider for customer support records. Which constraint is the most important issue supported by the exhibit?
Exhibit: Vendor assessment notes
| Item | Finding |
|---|---|
| Data handled | EU customer names, emails, case notes |
| Mandatory requirement | Personal data must remain in the EU/EEA |
| Vendor hosting | Production, logs, and backups only in US regions |
| Portability | Monthly CSV export; workflows are proprietary |
| Cost | 18% lower than the current platform |
Options:
A. Legal and jurisdictional data-residency constraint
B. Staffing constraint from vendor support hours
C. Vendor lock-in constraint from proprietary workflows
D. ROI constraint from lower platform cost
Best answer: A
Explanation: Third-party risk selection must consider constraints that can block or limit a vendor relationship, not just security features or price. The exhibit shows a mandatory requirement that EU personal data must remain in the EU/EEA, but the vendor stores production data, logs, and backups only in US regions. That creates a legal, geography, and jurisdiction constraint that must be resolved before selection. Portability and cost are relevant to risk and business value, but they do not override a stated mandatory data-residency requirement. The key takeaway is to identify non-negotiable constraints early in vendor evaluation.
Topic: Security Operations
A SOC analyst confirms that a production API token was committed to a public source-code repository. The token has already been revoked. Company policy requires secrets to be blocked before they are accepted into public repositories. Audit logs show a normal developer account, successful MFA, and no endpoint malware indicators. Which control should be validated first?
Options:
A. Repository secret scanning and push protection
B. Email attachment sandboxing
C. Endpoint antivirus quarantine policy
D. Operating system patch compliance
Best answer: A
Explanation: The evidence points to a repository control failure, not an endpoint, email, or operating-system failure. Since the token was accepted into a public repository even though policy requires blocking secrets before acceptance, the first validation should focus on whether repository secret scanning and push protection were enabled, inherited, and enforcing on the affected repository or organization. The revoked token reduces immediate exposure, but validating the failed preventive control helps identify why the exposure occurred and prevents repeat commits. Endpoint and OS controls are reasonable to check only if evidence suggests malware, local compromise, or system weakness.
Topic: Threats, Vulnerabilities, and Attacks
A vulnerability management team discovers a high-severity vulnerability on several application servers. The business owner must choose whether to remediate immediately, apply a temporary mitigation, or monitor until the next maintenance window. Which vulnerability information is most useful for making that decision?
Options:
A. The total number of vulnerabilities found in the scan
B. Contextual risk: exploitability, exposure, criticality, and compensating controls
C. The vendor product name and software install path
D. The scanner plug-in release date and scan duration
Best answer: B
Explanation: Choosing between remediation, mitigation, and monitoring requires vulnerability information that reflects real risk in the environment. A severity label alone is not enough. The team needs to know whether the issue is exploitable, whether the affected systems are exposed to likely threat paths, how important the asset is, and whether compensating controls already reduce the risk. Those facts support a practical decision: patch now for urgent risk, apply a temporary control when patching is constrained, or monitor when exposure and impact are low. Operational metadata, counts, or inventory details may support tracking, but they do not drive the treatment choice by themselves.
Topic: General Security Concepts
A VPN gateway uses client certificates for administrator access. Policy requires certificate revocation status to be verified before trust is granted.
Exhibit: Connection check
Current time: 14:30
Client certificate serial: 7F:21
Certificate notAfter: September 30, 2026
Cached CRL: lastUpdate 02:00, nextUpdate 14:00
Cached CRL result: serial 7F:21 not listed
CRL download: timeout
OCSP responder: timeout
Connection decision: pending
What is the best action supported by the exhibit?
Options:
A. Deny access until revocation status is verified
B. Allow access because the certificate is not expired
C. Allow access because the cached CRL does not list the serial
D. Grant access and retry OCSP after login
Best answer: A
Explanation: Certificate expiration and certificate revocation are separate trust checks. The certificate is still within its validity period, but the policy requires revocation status to be verified before trust is granted. In the exhibit, the cached CRL has passed its nextUpdate time, the gateway cannot download a current CRL, and the OCSP responder is unavailable. Because neither CRL nor OCSP provides a current revocation status, the gateway should fail closed for this access attempt. A cached CRL result from before nextUpdate is not enough after it becomes stale.
notAfter date does not prove the certificate has not been revoked.nextUpdate time.Topic: Security Operations
A security analyst is reviewing an emergency purchase request for a replacement branch router. The branch can remain on its backup LTE link for up to 7 days.
Exhibit: Procurement review
| Field | Review note |
|---|---|
| Source | Third-party marketplace, not approved reseller |
| Ownership | No transfer record; serial shows active lease to another company |
| Support | Vendor lists model as end-of-support |
| Updates | No security firmware available |
Which action best addresses the security risk shown in the exhibit?
Options:
A. Buy the router and wipe the configuration before deployment
B. Reject the purchase and use an approved source for a supported model
C. Approve the purchase if the seller provides a lower price
D. Buy the router and place it on a restricted management VLAN
Best answer: B
Explanation: Secure acquisition includes validating the source, ownership, and supportability of an asset before it enters the environment. Here, the device is from an unapproved marketplace, lacks proof of ownership transfer, appears leased to another organization, and is end-of-support with no security firmware. Those facts create legal, operational, and vulnerability risks. Because the branch has a temporary backup link for 7 days, there is time to avoid the risky purchase and procure a supported model through an approved channel.
Post-purchase controls can reduce some exposure, but they do not fix unclear ownership or lack of vendor security updates.
Topic: Security Architecture
A company is launching a customer analytics platform for records classified as confidential. Governance requires the primary data, backups, and provider-managed replicas to remain within Canada. The team wants to use managed cloud services where possible. Which service selection best meets these requirements?
Options:
A. Use the lowest-cost global managed service tier
B. Use a multi-region service spanning North America
C. Use managed services with Canadian data residency controls
D. Encrypt the data and host it in any region
Best answer: C
Explanation: Data classification identifies the required protection level, and data sovereignty constrains where data may be stored or processed. For confidential records that must remain in Canada, the architecture should use services that explicitly support Canadian data residency and allow control over backup and replica locations. Encryption is important, but it does not by itself satisfy a location requirement. A global or broad multi-region service may improve availability, but it can violate sovereignty if provider-managed copies leave the approved jurisdiction.
The key takeaway is to match both the protection level and the allowed geography when selecting cloud regions and managed services.
Topic: General Security Concepts
A security analyst is reviewing a proposed control for a workstation hardening risk.
Exhibit: Risk register excerpt
| Field | Entry |
|---|---|
| Stated risk | Reused local administrator passwords could allow lateral movement if one workstation is compromised. |
| Required outcome | Each workstation must have a unique, rotated local administrator password. |
| Proposed control | Add all local administrator accounts to the asset inventory and record the assigned system owner. |
Which interpretation best describes the proposed control?
Options:
A. It supports tracking but does not satisfy the required outcome.
B. It is only risk documentation with no operational value.
C. It fully mitigates the risk as a preventive control.
D. It transfers the risk to each system owner.
Best answer: A
Explanation: A proposed control must be compared with the stated risk and required outcome. The risk is credential reuse across workstations, and the required outcome is unique, rotated local administrator passwords. Recording accounts and owners in an asset inventory is useful supporting information for governance, audits, and follow-up work, but it does not enforce uniqueness, rotation, or credential protection. A control that directly addresses this risk would manage local administrator credentials so they are unique per device and rotated according to policy.
The key distinction is between visibility and enforcement: inventory supports control operation, but it is not the control that achieves the security outcome.
Topic: Threats, Vulnerabilities, and Attacks
A finance clerk receives a chat message that appears to come from the CFO, who is traveling. The message says an acquisition will fail unless a wire transfer is sent within 30 minutes and asks the clerk to bypass normal ticketing because the request is confidential. Which operational action best addresses this threat pattern?
Options:
A. Encrypt chat traffic between employee devices
B. Block all messages that contain file attachments
C. Rotate finance users’ passwords after each transfer
D. Require out-of-band verification for urgent financial requests
Best answer: D
Explanation: This scenario shows business email compromise-style social engineering using authority, urgency, secrecy, and a request to bypass normal workflow. The best control is a process requirement that forces high-risk requests, such as wire transfers or payment changes, through independent verification using a trusted channel. For example, the clerk could call a known CFO number or require approval in the normal finance system. Technical controls help, but the decisive issue is that the message may look legitimate while pressuring the user to act outside procedure. The key takeaway is to slow down and verify high-impact requests when social pressure is part of the attack.
Topic: Security Operations
A company hosts a public customer portal over HTTPS. Security operations wants to identify and block SQL injection and cross-site scripting attempts before they reach the web servers, while retaining logs of the blocked HTTP requests for tuning. The load balancer can terminate TLS and forward traffic to an inline security control. Which placement best meets these requirements?
Options:
A. Mirror load balancer traffic to a NIDS sensor
B. Install host firewalls on each web server
C. Add a stateless ACL at the internet edge
D. Place a WAF inline after TLS termination
Best answer: D
Explanation: Control placement should match both the traffic layer and the enforcement objective. SQL injection and cross-site scripting are application-layer web attacks, so the control must see decrypted HTTP content and sit inline where it can block requests. Placing a web application firewall (WAF) after TLS termination lets it inspect URLs, headers, parameters, and request bodies before the web servers process them. It also provides logs that security operations can use to tune detection and response.
A mirrored sensor can monitor traffic but normally cannot enforce blocking. Network ACLs and host firewalls mainly make Layer 3/4 decisions, such as IP addresses and ports, and do not understand web attack patterns well enough for this requirement.
Topic: Threats, Vulnerabilities, and Attacks
An analyst is reviewing a suspected credential attack against a payroll user. Payroll must remain available, HR data is sensitive, and policy requires preserving evidence before cleanup. Current evidence does not show organization-wide compromise.
Exhibit: Investigation notes
02:14 VPN success: user j.smith from 203.0.113.77
02:16 HR-WS17: rundll32.exe spawned from AppData\Roaming\updater.dat
02:17 HR-WS17: outbound DNS to login-micros0ft.example
02:18-02:42 HR-WS17: Windows Security log gap; event log service stopped
File hash: updater.dat SHA-256 matches known infostealer indicator
Which action is the BEST professional decision?
Options:
A. Isolate HR-WS17, disable j.smith sessions, and preserve evidence
B. Delete updater.dat and reboot HR-WS17
C. Add the domain to a deny list only
D. Block all VPN access and take payroll offline
Best answer: A
Explanation: The indicators point to a compromised endpoint and likely credential misuse, not a proven enterprise-wide VPN compromise. The known malicious file hash, suspicious process launched from a user profile path, lookalike domain, and event log gap together support targeted containment. Isolating the affected workstation limits further exposure, disabling active sessions for the user reduces credential abuse, and preserving logs and artifacts supports investigation and legal requirements. This also keeps payroll generally available instead of shutting down unrelated services.
The key is to respond proportionally while protecting evidence before eradication.
Topic: General Security Concepts
A finance system sends purchase approvals by email to vendors. The security team must ensure that a vendor can prove which manager approved an order and that the manager cannot later credibly deny approving it. Which control best meets this requirement?
Options:
A. Store approvals in a centralized audit log
B. Encrypt each approval message in transit
C. Require MFA for manager logins
D. Apply a digital signature to each approval
Best answer: D
Explanation: Non-repudiation is the ability to provide evidence that a specific party performed an action, such as approving a transaction or sending a message. In this scenario, the decisive need is not just confidentiality or stronger login security; it is proof that a particular manager approved the order and cannot plausibly deny it later. Digital signatures provide that proof by using the signer’s private key to create verifiable evidence tied to the message and signer. They also help detect changes to the signed content.
Encryption protects message confidentiality, MFA strengthens authentication, and audit logs support accountability, but they do not provide the same cryptographic proof of origin and integrity for the approval itself.
Topic: Security Architecture
A security architect reviews internet ingress for a payment application. The business goal is to reduce the chance that one defect, compromise, or bad control-plane action disables both production and disaster recovery access. Which action best addresses the risk shown?
Exhibit: Ingress architecture review
| Layer | Primary site | DR site |
|---|---|---|
| Facility | Region A | Region B |
| ISP | Carrier 1 | Carrier 2 |
| Edge firewall | Same appliance family and OS | Same appliance family and OS |
| Management | Controller A | Controller A |
| WAF | Same virtual image and policy | Same virtual image and policy |
Options:
A. Use a dissimilar DR edge stack with separate management
B. Standardize all ingress policies through one pipeline
C. Add another ISP circuit to each site
D. Increase firewall cluster capacity at both sites
Best answer: A
Explanation: Diversity reduces correlated failure risk when redundant paths still depend on the same platform, software, policy source, or management plane. The exhibit already has geographic and carrier diversity, but both ingress paths use the same firewall family, same firewall OS, same controller, and same WAF image. A single defect, bad update, or controller compromise could affect both sites at the same time. Using a dissimilar DR edge stack and separating management reduces the chance that one shared failure mode disables every path.
Redundancy improves availability only when redundant components do not share the same critical weakness. Diversity should be applied where the correlated-failure impact justifies the added operational complexity.
Topic: Security Architecture
A company is redesigning a customer portal after repeated outages during hardware maintenance. The business wants higher availability during a single data center failure, less internal responsibility for operating system and database patching, and no reduction in Internet-facing customer usability. Which architecture choice is the BEST professional decision?
Options:
A. Use managed PaaS services across multiple availability zones
B. Place the portal on an air-gapped on-premises network
C. Build an active-active multicloud design immediately
D. Move the portal to IaaS virtual machines in one zone
Best answer: A
Explanation: Architecture choices change who is responsible for specific layers and what availability or recovery characteristics are realistic. A managed PaaS design reduces the company’s responsibility for operating system, runtime, and database platform patching compared with self-managed infrastructure. Deploying across multiple availability zones addresses the stated single data center failure concern while keeping the portal reachable to Internet customers. The company still remains responsible for items such as identity configuration, data protection choices, application logic, and secure access policies.
The key takeaway is to match the deployment model to the responsibility and availability goals without adding unnecessary complexity or reducing required usability.
Topic: Security Architecture
A healthcare billing team is designing data handling for two repositories. The billing application stores member IDs and claim numbers in fixed columns in a relational database. A separate document repository stores scanned forms and free-text appeal letters. The current requirement is to protect the database identifiers while preserving application lookups and report joins. Which method best fits the requirement?
Options:
A. Encrypt the document repository volume
B. Apply OCR keyword scanning to all documents
C. Tokenize the structured identifier fields
D. Hash each scanned form as a whole file
Best answer: C
Explanation: Structured data has a predictable schema, such as fixed columns in a relational database. For sensitive identifiers in those fields, tokenization can replace the real values with controlled substitutes while allowing applications to maintain joins, references, and workflows. Unstructured data, such as scanned forms and free-text letters, usually needs content discovery, classification, DLP inspection, or OCR-based handling because sensitive values may appear in unpredictable locations. The requirement is specifically about database identifiers and preserving application use, so a field-level structured-data protection method is the best fit. Broad repository encryption protects storage but does not preserve field-level handling semantics.
Topic: Threats, Vulnerabilities, and Attacks
A security analyst is triaging an alert on a payroll workstation during a critical processing window. The team must classify the malware accurately before deciding how broadly to contain systems. Evidence shows WINWORD.EXE launched powershell.exe with an encoded command, the payload ran from memory, persistence was created with a WMI event subscription, and no new executable file or file hash was found on disk. Which classification best fits these indicators?
Options:
A. Trojan
B. Rootkit
C. Fileless malware
D. Worm
Best answer: C
Explanation: Fileless malware uses legitimate system tools, scripts, or memory-resident execution to avoid leaving a traditional malicious executable on disk. In this scenario, Office spawning PowerShell, encoded commands, WMI-based persistence, and the absence of a dropped file or hash all point to fileless activity. The classification matters because the team should preserve evidence and contain the affected host without assuming a self-propagating outbreak unless there is evidence of worm-like spread. A trojan may disguise itself as legitimate software, and a rootkit focuses on hiding privileged activity, but those are not the strongest fit for these indicators.
Topic: Security Operations
A security analyst is reviewing account permissions for a payment-processing environment. The application handles sensitive payment data, must remain available during business hours, and IAM policy requires least privilege with no interactive sign-in for service accounts. Which change is the BEST professional recommendation for the next approved change window?
| Account | Type | Current assignment | Evidence |
|---|---|---|---|
svc-payments | Service | Local admin on app servers; db_owner on payment DB | Runs production service; interactive sign-in seen from an admin workstation |
vendor-ops | Third party | Support queue write access | Active contract; MFA enabled; expires Friday |
breakglass-pay | Emergency | Privileged IAM admin | Vaulted, monitored, quarterly tested |
jlee | User | Payment viewer | Matches current finance role |
Options:
A. Restrict svc-payments to noninteractive, least-privilege permissions.
B. Disable breakglass-pay because it has privileged access.
C. Remove all privileged groups immediately during business hours.
D. Leave svc-payments unchanged until the next quarter.
Best answer: A
Explanation: Service accounts should be tightly scoped, noninteractive, and assigned only the permissions required for the application or service to run. In this scenario, svc-payments violates two important controls: it has broad administrative/database permissions and was used for interactive sign-in. Because it supports a production payment application, the safer professional decision is not an unplanned removal that could cause an outage, but a scheduled change to remove interactive use and reduce permissions to the minimum required. The break-glass account is high privilege by design, but it has compensating controls such as vaulting, monitoring, and testing. The third-party and user accounts do not show the same policy violation in the evidence provided.
Topic: Security Architecture
A payment company wants to reduce disclosure risk when using transaction data outside the billing application. Which data-protection method best satisfies the exhibit?
Exhibit: Data-handling note
| Requirement | Detail |
|---|---|
| Sensitive field | Primary account number (PAN) |
| Business use | Group transactions by the same card |
| Authorized recovery | Billing app must retrieve the PAN for refunds |
| Analyst access | Analysts must not see the PAN |
Options:
A. Encrypt the PAN and give analysts the decryption key
B. Mask the PAN to show only the last four digits
C. Hash the PAN with a one-way salted hash
D. Tokenize the PAN and store mappings in a secured vault
Best answer: D
Explanation: Tokenization replaces a sensitive value with a non-sensitive token while keeping the real value in a protected token vault. In this scenario, the token can remain consistent for the same card, so analysts can group transactions without viewing the PAN. The billing application can be separately authorized to resolve the token back to the PAN for refunds. This reduces disclosure and compliance risk while preserving the required business functions.
Hashing may support matching in some designs, but a one-way salted hash does not support authorized recovery. Masking reduces display exposure but usually does not preserve all needed workflow requirements. Encryption protects data at rest or in transit, but giving analysts the key defeats the access-control goal.
Topic: Security Operations
A security team sees repeated attempts to exploit a vulnerable web service from user workstations before the servers can be patched. The change window allows a network device at the boundary between the user VLAN and the server VLAN. The team must block matching traffic before it reaches the servers, avoid installing agents on legacy hosts, and avoid changes to wireless controls. Which deployment is the BEST professional decision?
Options:
A. Deploy a NIPS inline at the VLAN boundary
B. Deploy a WIPS near the wireless access points
C. Deploy a NIDS on a SPAN port near the servers
D. Deploy HIPS agents on the legacy servers
Best answer: A
Explanation: Intrusion tools differ by where they sit and how they respond. A network intrusion prevention system (NIPS) is placed inline in the traffic path, so it can inspect packets and block or drop traffic that matches attack signatures or policy. That fits the need to stop exploit attempts between VLANs before they reach the servers. A NIDS is also network-based, but it normally observes copied traffic and alerts rather than blocking inline. Host-based tools require host agents, which conflicts with the legacy-server constraint. Wireless IPS focuses on wireless threats such as rogue access points or malicious wireless activity, not wired VLAN-to-server traffic.
Topic: General Security Concepts
A security team plans to deploy a new conditional access policy during tonight’s maintenance window. The change would block legacy authentication for all cloud apps. Predeployment testing shows the policy works for most users, but it prevents the payroll export service from signing in. Payroll processing starts tomorrow morning, the change is not emergency remediation, and no compensating control is ready. What is the safest change-management outcome?
Options:
A. Approve the change because most users passed testing
B. Delay the change until the dependency is remediated
C. Roll back the change after payroll processing fails
D. Fail forward and monitor payroll logs closely
Best answer: B
Explanation: Change outcome decisions should use test evidence and business impact. Here, testing found that the proposed policy would break a payroll dependency before the change is implemented. Because payroll is time-sensitive, the change is not emergency remediation, and no compensating control is ready, the safest outcome is to delay the deployment until the dependency is fixed or an approved workaround exists. Rollback is appropriate after a deployed change causes unacceptable impact. Fail-forward is appropriate only when continuing is safer than reversing or delaying, usually with acceptable residual risk and controls in place.
The key takeaway is to avoid knowingly introducing a preventable outage when testing has already shown material impact.
Topic: Threats, Vulnerabilities, and Attacks
A SOC analyst receives alerts for repeated failed sign-ins and MFA prompts against several employee accounts. Management asks whether the activity is malicious credential abuse, accidental user behavior after a password change, or the result of a newly enforced access policy. Which artifact would be most useful to validate the cause?
Options:
A. Identity provider sign-in logs
B. External vulnerability scan report
C. Firewall bandwidth utilization graph
D. Endpoint antivirus quarantine log
Best answer: A
Explanation: Credential-activity investigations usually start with identity provider sign-in and audit logs. These records tie authentication attempts to users, timestamps, source IPs, device or user-agent details, MFA results, failure reasons, and conditional access or policy decisions. That combination helps distinguish a password spray or suspicious login pattern from normal mistakes after a password change or a policy-driven block. The key is to use an artifact that records the authentication decision path, not just general system health or network volume.
Topic: Threats, Vulnerabilities, and Attacks
A security analyst reviews a vulnerability scan for an Internet-facing Linux server that hosts a customer portal. The business requires only HTTPS access for customers and SSH access for administrators through the corporate VPN. The scan also shows an old file-sharing package and a default admin web console that no team currently uses.
| Finding | Exposure |
|---|---|
| TCP 443 | Internet |
| TCP 22 | Internet |
| TCP 445 | Internet |
| TCP 8080 admin console | Internet |
Which action is the BEST professional decision?
Options:
A. Remove unused services and restrict SSH to the VPN
B. Block all Internet access to the server immediately
C. Patch the file-sharing package but keep it enabled
D. Leave all services running and monitor them more closely
Best answer: A
Explanation: Attack surface includes every reachable port, service, application, and exposed management interface that could be targeted. In this scenario, HTTPS is the only required Internet-facing service, and SSH is required only from the corporate VPN. The unused file-sharing service and default admin console add exposure without business value, so they should be removed or disabled. SSH should not remain open to the Internet if the stated administrative path is through the VPN. Monitoring and patching are useful, but they do not eliminate unnecessary exposure. The key takeaway is to reduce what is reachable while preserving approved business functions.
Topic: General Security Concepts
A developer proposes the following change to reduce accidental exposure of customer data in support exports. The data owner requires confidential fields to remain protected if an export file is copied outside the company.
Exhibit: Change note
Fields: email, phone, government_id
Transform: Base64 encode each value before export
Key management: none
Support requirement: analysts can decode values when needed
Stated benefit: values are not readable at a glance
What is the best security interpretation of this change?
Options:
A. It is encryption because the exported values are unreadable.
B. It is sufficient if the encoding alphabet is customized.
C. It is obfuscation and still needs cryptographic protection.
D. It is hashing because the original values are transformed.
Best answer: C
Explanation: Obfuscation hides data from casual viewing, but it is not the same as cryptographic protection. The exhibit shows Base64 encoding with no key management, which means anyone who recognizes the encoding can reverse it with standard tools. That may reduce accidental disclosure during quick viewing, but it does not satisfy a requirement to protect confidential fields if the export is copied outside the company. For sensitive data, use an appropriate protection method such as encryption, tokenization, or masking based on whether authorized users must recover the original values. The key point is that reversible encoding without a secret is not a security boundary.
Topic: Threats, Vulnerabilities, and Attacks
A city government’s public website is defaced during a controversial policy vote. The message names the policy, urges residents to protest, and links to a social media campaign. No evidence shows data theft, ransom demands, or long-term persistence. Which threat actor motivation best fits the scenario?
Options:
A. Hacktivist seeking ideological influence
B. Nation-state actor seeking espionage
C. Organized crime seeking payment
D. Insider seeking personal revenge
Best answer: A
Explanation: Threat actor identification often starts with the target, method, and desired outcome. In this scenario, the target is a public government website, the method is visible defacement, and the outcome is public attention around a political issue. That combination most closely aligns with hacktivism, where the motivation is ideological, social, or political influence. The lack of ransom demand weakens a financial-crime explanation, and the lack of stealthy access or data collection weakens an espionage explanation.
The key takeaway is that motivation is inferred from what the attacker appears to gain, not just from the type of organization targeted.
Topic: Threats, Vulnerabilities, and Attacks
A company is receiving phishing reports involving HTML attachments, QR codes embedded in images, and links to fake SaaS login pages. Finance and sales must still receive external invoices, images, and shared-document links from customers. Leadership wants to reduce user exposure quickly without disabling external email or slowing normal browser-based work. Which decision is BEST?
Options:
A. Block all external attachments, images, and shortened links at the gateway
B. Add attachment sandboxing, URL protection, external warnings, and easy phishing reporting
C. Bypass scanning for known customers to avoid business disruption
D. Rely on annual phishing training and remind users to inspect links
Best answer: B
Explanation: The best professional decision is a layered set of user-facing controls that lowers exposure without stopping legitimate work. Attachment sandboxing can detonate suspicious files before delivery, URL protection can rewrite or inspect links at click time, external sender warnings help users recognize social-engineering context, and a phishing-report button makes escalation fast. These controls address the observed message, attachment, image/QR, browser, and human vectors while still allowing finance and sales to receive business content.
Blocking broad categories of external content may reduce risk, but it conflicts with the stated business need. Training helps, but it should not be the only control when technical protections can reduce exposure before the user makes a decision.
Topic: Threats, Vulnerabilities, and Attacks
A security practitioner reviews a lobby report for a restricted records area. Camera footage shows an unknown person closely following an employee through a badge-controlled door after the employee held it open. The door and badge reader show no damage or tampering, and the business wants normal lobby operations to continue while the event is handled. What is the BEST professional decision?
Options:
A. Classify it as skimming and inspect payment terminals
B. Classify it as tailgating and alert physical security
C. Classify it as forced entry and disable the lobby door
D. Classify it as shoulder surfing and reset employee PINs
Best answer: B
Explanation: The key physical attack indicator is the way the unknown person gained access. Tailgating occurs when someone enters a controlled area by closely following an authorized person, often relying on courtesy or inattention rather than damaging equipment. The evidence does not show observation of secrets, card-reader tampering, or physical damage. A proportional response is to alert physical security, identify the person, review access procedures, and reinforce badge-each-person policy without unnecessarily disrupting lobby operations. The closest distractor is forced entry, but forced entry would involve bypassing or damaging a physical barrier rather than walking in behind an authorized user.
Topic: Threats, Vulnerabilities, and Attacks
An organization is adding an LLM assistant to triage security tickets. The assistant may read ticket text and search an internal knowledge base, but it must not run shell commands, call unapproved tools, or send customer PII to an external model. Some ticket text may contain attacker-controlled instructions. Which safeguard best addresses these requirements?
Options:
A. Require MFA before analysts access the assistant
B. Use tool allow-listing, prompt isolation, and DLP redaction
C. Store prompts and responses for long-term audit review
D. Encrypt all API traffic to the model provider
Best answer: B
Explanation: LLM safeguards should match the specific abuse paths. Tool allow-listing limits what the assistant can invoke, so attacker-controlled ticket text cannot cause shell execution or unapproved actions. Prompt isolation treats ticket content as untrusted data instead of system instructions, reducing prompt-injection risk. DLP redaction or blocking prevents customer PII from being sent to an external model. These controls directly address execution, prompt-handling, and disclosure requirements together. Access control, encryption, and logging can support the system, but they do not by themselves stop malicious prompts from triggering tools or exposing sensitive data.
Topic: Security Program Management and Oversight
A security analyst must brief executives on whether to fund a mitigation before a SaaS contract renewal. Which risk-management output best supports the leadership decision shown in the exhibit?
Exhibit: Risk notes
Asset/process: Online order processing
Dependency: Single SaaS provider
Known impact: $120,000 per hour if unavailable
Uncertainty: Provider recovery test evidence is pending
Options: accept risk, negotiate stronger SLA, add alternate provider
Decision needed: fund mitigation or accept residual risk
Options:
A. Firewall rule review for the provider connection
B. Risk register entry with treatment options and residual risk
C. Asset inventory update for the SaaS application
D. Awareness training completion report for order-processing staff
Best answer: B
Explanation: Leadership decisions under uncertainty need a risk-management output that connects the business impact, incomplete information, available treatment choices, and remaining risk after action. A risk register entry or risk decision record is designed for this purpose: it documents the risk scenario, likelihood or uncertainty, impact, owner, treatment options, decision status, and residual risk. In this case, executives are deciding whether to fund mitigation or accept residual risk, so the output must frame that decision rather than only list technical details.
Asset records, training reports, and firewall reviews can support security operations, but they do not provide the decision context needed to compare risk treatments.
Topic: Security Architecture
A company manages several cloud environments with manually configured networks, security groups, and storage settings. Recent audits found drift between development and production, and the operations team cannot reliably identify who approved each architecture change. Which control best meets the need for consistency, traceability, and reduced change risk?
Options:
A. Require administrators to document manual changes in a shared spreadsheet
B. Create monthly screenshots of cloud console settings
C. Use version-controlled Infrastructure as Code with peer-reviewed deployment pipelines
D. Use separate administrator accounts for each environment
Best answer: C
Explanation: Infrastructure as Code (IaC) manages infrastructure definitions as files, which can be stored in version control, peer reviewed, tested, and deployed through an approved pipeline. In this scenario, the main issues are configuration drift, weak approval evidence, and risky manual changes. IaC addresses those requirements by making the desired architecture repeatable across environments and by creating a change history tied to commits, reviews, and deployments. It does not remove the need for change management, but it gives change management a more reliable technical enforcement point. Manual documentation can help auditing, but it does not consistently prevent drift or reduce deployment risk.
Topic: Threats, Vulnerabilities, and Attacks
A security analyst is preparing an initial threat-actor assessment after an unauthorized login to a partner portal. The activity accessed only product roadmap files and bid-pricing documents for a contract currently under negotiation. Two days later, a competing vendor referenced nonpublic pricing details in its proposal. There is no ransom note, political message, destructive activity, or evidence of broad customer data theft. Which assessment is the BEST fit for the visible behavior and intent?
Options:
A. State-sponsored espionage campaign
B. Hacktivist promoting an ideology
C. Organized crime seeking extortion revenue
D. Competitor seeking business advantage
Best answer: D
Explanation: Threat actor classification should follow visible behavior, target selection, and apparent intent. Here, the accessed data is commercially sensitive but narrow: product roadmaps and bid-pricing documents tied to an active contract. The later use of nonpublic pricing by a competing vendor points to market advantage rather than ransom, ideology, destruction, or geopolitical intelligence collection. A professional initial assessment can identify the most likely actor type without over-attributing to a specific organization unless evidence supports that claim. The closest alternative is state-sponsored espionage because it can target intellectual property, but the immediate contract-bidding benefit makes competitor activity the better fit.
Topic: Security Operations
A security analyst is investigating a possible data exfiltration incident from a file server. The team needs to identify which internal host communicated with a suspicious external IP address, the ports used, and the approximate volume of traffic over the last 24 hours. The team does not need packet payloads. Which data source best meets these requirements?
Options:
A. Surveillance footage
B. Full packet captures
C. Vulnerability scan results
D. NetFlow or IPFIX records
Best answer: D
Explanation: NetFlow and IPFIX are network telemetry sources that summarize conversations between systems. They typically show metadata such as source and destination IP addresses, ports, protocols, timestamps, byte counts, and packet counts. That matches the investigation need: who talked to the suspicious external IP, over which service, and how much data moved. Because the team does not need payload contents, flow data is usually faster and more storage-efficient than full packet capture for a 24-hour review. Packet captures are useful when payload inspection is required, but they are heavier and may not be retained as long.
Topic: Threats, Vulnerabilities, and Attacks
A security analyst is updating an exposure record for an internet-facing payroll application. The record has separate fields for vulnerability characteristics and threat characteristics. Which observed item should be entered as a threat characteristic?
Options:
A. A ransomware group is actively exploiting the flaw in similar organizations
B. The vulnerable service is reachable from the internet
C. The application uses an unsupported third-party library
D. The affected server is missing the vendor security patch
Best answer: A
Explanation: A vulnerability characteristic describes a weakness or exposure condition in the asset, such as missing patches, unsupported software, insecure configuration, or network reachability. A threat characteristic describes the actor, capability, intent, activity, or attack pattern that could exploit that weakness. In this scenario, active exploitation by a ransomware group is information about adversary activity and likelihood pressure. The unsupported library, internet exposure, and missing patch all describe conditions that make the application susceptible to exploitation. The key distinction is weakness in the system versus activity or capability of a potential attacker.
Topic: Security Program Management and Oversight
A security analyst is planning an assessment of badge-access termination for 48 offices after one former contractor was found with active building access. The assessment must be completed in two weeks, avoid disrupting office operations, and produce evidence strong enough for management remediation decisions. Which data-gathering method is the BEST professional decision?
Options:
A. Send a self-attestation questionnaire to all office managers
B. Cite the physical access policy as the reference source
C. Use risk-based sampling of termination records and access logs
D. Interview HR staff about the normal termination process
Best answer: C
Explanation: Assessment data-gathering should match the objective, available time, and needed evidence quality. Here, the analyst needs to determine whether badge access is actually being removed, not just whether people believe the process exists. A risk-based sample of termination records and badge-access logs gives direct evidence, limits the workload across 48 offices, and avoids disrupting operations. Sampling is appropriate when reviewing every record is impractical, as long as the sample is selected using a defensible basis such as recent terminations, contractor-heavy locations, or offices with prior findings. Questionnaires, interviews, and reference sources can support context, but they are weaker for validating whether the control operated as intended.
Topic: Security Operations
A security team suspects that a compromised employee account is being used to browse a restricted finance file share. The team needs a low-risk deception control that does not expose a new host, does not disrupt normal file access, and should alert if the intruder opens or copies decoy sensitive data. Which technique is the BEST professional decision?
Options:
A. Deploy a honeypot server in the finance VLAN
B. Publish a fake API key as a honeytoken
C. Place a monitored honeyfile in the finance share
D. Create a canary account in the identity provider
Best answer: C
Explanation: A honeyfile is a decoy file designed to look valuable and generate an alert when it is opened, copied, or otherwise accessed. In this scenario, the suspicious activity is browsing a finance file share, and the team wants detection without adding a new exposed system or changing normal access patterns. Placing a monitored decoy payroll or financial file in the share directly matches the observed behavior and provides evidence of unauthorized data access. Honeypots and honeynets are better for attracting interaction with decoy systems or networks. Honeytokens are fake secrets or identifiers, and canary accounts are decoy identities monitored for use. The key is matching the deception object to the attacker behavior being tested.
Topic: Threats, Vulnerabilities, and Attacks
A security analyst reviews a reported message after an employee entered credentials on a linked page. Which interpretation is best supported by the exhibit?
Exhibit: Message and access summary
Display name: IT Service Desk
Sender domain: helpdesk-example.co
Subject: Final notice: mailbox will be disabled
Message: Revalidate your account within 30 minutes to keep email access.
Link text: Microsoft 365 sign-in
Actual URL: hxxps://m365-login.example-helpdesk.co/verify
Result: User submitted username and password
Options:
A. Phishing using authority, urgency, and a familiar login workflow
B. Credential stuffing against the employee’s mailbox
C. DNS poisoning of the company’s email domain
D. Malware delivery through a malicious attachment
Best answer: A
Explanation: The exhibit shows a social engineering attempt rather than a purely technical compromise. The attacker uses a trusted authority cue by posing as the IT Service Desk, urgency by threatening mailbox disablement within 30 minutes, and a convenient user workflow by presenting a familiar Microsoft 365 sign-in action. The mismatched sender domain and actual URL support credential harvesting through phishing. The key security meaning is that the user was manipulated into voluntarily submitting credentials to an attacker-controlled site.
Topic: Security Architecture
A company is choosing a software composition analysis tool for its CI/CD pipeline. Requirements are to inspect how detection rules work, customize integrations with internal build systems, and have contractual support for critical production issues. Which option best maps to these requirements?
Options:
A. Closed-source proprietary SaaS tool
B. Community-only open-source tool
C. Open-source tool with a paid support contract
D. Internally built scanner with no external support
Best answer: C
Explanation: Open-source and proprietary choices often involve trade-offs among transparency, support, ownership, and integration. In this scenario, the organization needs to inspect detection logic and customize integrations, which strongly favors an open-source option. However, it also needs contractual support for production issues, so a community-only project is not enough. A supported open-source tool best fits both sides: transparency and extensibility from the open model, plus formal support obligations from a vendor or maintainer.
A proprietary SaaS product may provide strong support, but closed source usually limits visibility into detection logic and deep customization. The key takeaway is to match the sourcing model to all stated requirements, not just one.
Topic: Threats, Vulnerabilities, and Attacks
A security analyst is reviewing an after-hours alert for a restricted lab that uses a badge reader, access vestibule, door sensors, and IP cameras. Which interpretation is best supported by the exhibit?
Exhibit: Access vestibule events
| Time | Source | Event |
|---|---|---|
| 02:11 | Camera LAB-VEST-02 | Heartbeat missed |
| 02:12 | Outer badge reader | Pass TEMP-104 accepted |
| 02:12 | Door sensor | Outer door held open 18 seconds |
| 02:12 | Occupancy sensor | Two-person occupancy detected |
| 02:12 | Inner door sensor | Opened before outer door closed |
| 02:13 | Camera LAB-VEST-02 | Link down |
Options:
A. Brute-force guessing against the badge reader
B. Tailgating through the vestibule using a valid pass
C. Routine OT sensor calibration failure
D. A printer being used as a network pivot
Best answer: B
Explanation: The exhibit points to a physical-access incident, not a purely network or endpoint event. In an access vestibule, only one authorized person should pass through after the outer door closes and before the inner door opens. Here, a valid temporary pass was accepted, but the outer door was held open, two people were detected, and the inner door opened before the outer door closed. The camera heartbeat and link-down events increase concern because they reduce visibility during the same time window. The security meaning is most consistent with tailgating or piggybacking through a controlled entry point using a valid, shared, stolen, or misused pass.
Topic: Security Operations
A company is strengthening MFA for administrators who access the VPN from managed laptops. Requirements: do not require personal phones, avoid SMS-based codes, support users whose laptops do not have biometric sensors, and provide a factor the company can issue and recover during offboarding. Which MFA factor best fits these requirements?
Options:
A. Fingerprint verification on the laptop
B. SMS one-time passwords
C. Company-issued hard tokens
D. Authenticator app on a personal phone
Best answer: C
Explanation: MFA factor selection should map the factor to operational and security constraints. Here, administrators need a factor that the organization controls, can issue and recover, and does not depend on personal mobile devices, SMS delivery, or biometric-capable laptops. A hard token, such as a company-issued security key or hardware OTP token, satisfies those constraints by providing a separate possession factor under organizational lifecycle control.
Soft tokens are often valid MFA factors, but they commonly depend on a phone or app deployment model. SMS OTPs add phone-number and carrier dependency. Biometrics can be useful, but they depend on compatible enrollment and device support.
Topic: Security Operations
A security analyst is reviewing email authentication for example.com. Customers reported spoofed invoices using the visible From domain. Marketing also wants the company logo to appear in supporting mailboxes.
| Control | Current state |
|---|---|
| SPF | Includes approved cloud mail service, -all |
| DKIM | Enabled for the cloud mail service |
| DMARC | p=none; reports show one legitimate ticketing sender fails alignment |
| BIMI | Not published |
Which recommendation is the BEST professional decision?
Options:
A. Keep DMARC at p=none and rely on SPF -all
B. Change DMARC directly to p=reject today
C. Publish BIMI now because SPF and DKIM are configured
D. Fix alignment, phase in DMARC enforcement, then publish BIMI
Best answer: D
Explanation: DMARC is the control that tells receivers what to do when mail using the visible From domain fails aligned SPF or DKIM checks. In this scenario, reports already show a legitimate sender failing alignment, so immediate enforcement could block valid ticketing messages. The best path is to correct the legitimate sender first, then move DMARC from monitoring to enforcement, such as quarantine or reject, after validation. BIMI is a sender-trust and brand indicator mechanism that depends on strong domain authentication and is not a substitute for DMARC enforcement. The key takeaway is to use reports to safely enforce DMARC before treating BIMI as a trust signal.
Topic: Threats, Vulnerabilities, and Attacks
A security analyst is triaging an incident involving a customer portal that stores PII. The business needs the incident routed correctly so evidence is preserved before containment changes are made.
Exhibit: Initial evidence
WAF: repeated requests with ' OR '1'='1 in search
App: SQL syntax errors immediately after those requests
Database: large SELECT by webapp_svc after the errors
EDR on database host: no malware detected
Network: bandwidth within normal range
Which professional decision is BEST?
Options:
A. Classify it as a credential attack and disable all service accounts.
B. Classify it as an application attack and preserve web, WAF, and database logs.
C. Classify it as malware and begin reimaging the database host.
D. Classify it as a network attack and tune DDoS protections.
Best answer: B
Explanation: The attack category should be based on the technique shown by the evidence, not only on the asset that was affected. The WAF payload, SQL errors, and large database query by the application service account indicate an application-layer injection path, most likely SQL injection. The database contains sensitive data and may be part of the impact, but that does not make the attack malware or a database-specific attack by itself. Preserving WAF, application, and database logs supports investigation while avoiding premature containment steps that could destroy evidence or disrupt availability unnecessarily.
The key takeaway is to separate the attack vector and technique from the impacted system or data.
Topic: General Security Concepts
A company exports a nightly pricing file from its ERP system to a partner portal. The product data is not confidential, but an unauthorized change to a price could cause incorrect customer billing. The partner must be able to verify that the file was not modified after export before importing it. Which control best meets this need?
Options:
A. Digitally sign the exported file
B. Encrypt the file during transfer
C. Replicate the file to a standby server
D. Mask the product identifiers
Best answer: A
Explanation: The main business need is integrity: the partner must detect whether pricing data changed after export. A digital signature lets the exporter sign the file, and the partner can verify the signature before import. If the file contents are altered, signature validation fails. Encryption during transfer protects confidentiality in transit, but it does not by itself prove that the exported file remained unchanged. Replication and standby capacity support availability, while masking supports confidentiality or privacy. Match the control to the CIA requirement stated in the scenario.
Topic: Threats, Vulnerabilities, and Attacks
A security analyst reviews new vulnerability findings. The change policy allows emergency changes only for actively exploited or internet-facing risks that could affect critical operations.
| Asset | Finding | Exposure and impact |
|---|---|---|
| Remote access VPN | Authentication bypass, exploit reported in threat feeds | Internet-facing; used for administrator access |
| HR file server | Remote code execution, higher CVSS score | Internal only; segmented; no exploit evidence |
| Dev wiki | Stored XSS | Internal; no sensitive data |
| Public marketing site | Outdated library | Internet-facing; static content only |
Which remediation decision is BEST?
Options:
A. Take the marketing site offline until all findings are fixed
B. Prioritize the remote access VPN under emergency change
C. Delay all remediation until the next maintenance window
D. Prioritize the HR file server because it has the highest CVSS score
Best answer: B
Explanation: Remediation priority should consider more than a severity score. Vulnerability type, exploit activity, asset exposure, and business impact can raise or lower urgency. In this case, the VPN has an authentication bypass, is internet-facing, has reported exploit activity, and supports administrator access. Those factors create an immediate path to privileged compromise, and the policy explicitly permits emergency changes for this kind of risk. The internal HR file server still requires remediation, but segmentation and lack of exploit evidence make it less urgent than the exposed, actively exploited access system. The key takeaway is to use risk-based prioritization, not a simple highest-score-first rule.
Topic: Security Operations
A security team is investigating possible data exfiltration from a file server. They need to send a copy of the server’s network traffic to an IDS sensor for packet inspection, but they must not install software on the server or place the sensor inline with production traffic. Which action best meets these requirements?
Options:
A. Review NetFlow summaries for the server
B. Configure port mirroring on the switch
C. Enable SNMP polling in the NMS
D. Create a SIEM dashboard for firewall events
Best answer: B
Explanation: Port mirroring, also called SPAN on some switches, is used when a monitoring tool needs a copy of network traffic without becoming part of the traffic path. In this scenario, the IDS sensor needs packet-level visibility, the server cannot run an agent, and the sensor must not be inline. Mirroring the file server’s switch port or relevant VLAN to the IDS monitoring interface meets those constraints.
SNMP and NMS polling are better for device health, interface counters, and availability monitoring. NetFlow helps identify traffic patterns and endpoints, but it does not provide full packet contents. A SIEM dashboard can correlate alerts and logs, but it does not itself capture packet traffic for inspection.
Topic: Security Operations
A security operations team must improve asset visibility before a hardware refresh. The team needs evidence to identify devices that are connecting without approval, inventory records that have not been seen recently, and assigned endpoints that may be missing from monitoring. Which control best meets these requirements?
Options:
A. Verify backup job success for endpoint user folders
B. Rank vulnerability scan findings by CVSS severity
C. Reconcile NAC discovery and EDR check-ins with the CMDB
D. Review DLP events for file transfers to external domains
Best answer: C
Explanation: Asset visibility is strengthened by reconciling authoritative inventory records with evidence that assets are actually present and monitored. NAC or DHCP discovery can show devices currently connecting to the network, while EDR or MDM check-ins show managed endpoints reporting in. Comparing those sources to the CMDB can identify unknown devices, stale records with no recent activity, and assigned assets that are not reporting to required monitoring tools. The key is correlation across asset-tracking and monitoring data, not only reviewing security events from one control.
Topic: Threats, Vulnerabilities, and Attacks
A security analyst reviews a vulnerability scan before a quarterly risk meeting. One server supports a warehouse application that cannot be patched during business hours. The scan and CMDB show the following facts:
| Finding | Evidence |
|---|---|
| OS status | Vendor support ended |
| Patch status | No security patches in 11 months |
| Ownership | No assigned system owner |
| Network access | Reachable from user VLANs |
Which action is the BEST professional decision?
Options:
A. Accept the risk because the server is not Internet-facing
B. Power off the server immediately without stakeholder coordination
C. Wait until the application vendor releases a new warehouse version
D. Treat it as an exposure, assign ownership, restrict access, and plan remediation
Best answer: D
Explanation: Unsupported, unpatched, obsolete, or unmanaged systems are exposure points because known vulnerabilities may remain exploitable and no clear owner is accountable for remediation. In this scenario, multiple facts increase risk: vendor support has ended, patches are missing, ownership is absent, and user VLANs can reach the server. The best response is not simply to wait or ignore the issue. A security practitioner should establish ownership, reduce exposure with compensating controls such as segmentation or access restrictions, and create a remediation or formal risk-treatment plan that accounts for business availability needs. Immediate shutdown may be appropriate only for imminent danger, but the stem describes a business-critical warehouse application with a patch-window constraint, so coordinated treatment is the better decision.
Topic: General Security Concepts
A network team wants to add an inbound firewall rule for a vendor support portal used by the finance department. The change could affect access to a payment system and must be reviewed before the maintenance window. Which action best supports risk management for this security-relevant change?
Options:
A. Identify the asset owner, affected stakeholders, and approval authority
B. Document the vendor’s requested source IP addresses
C. Run a vulnerability scan after the firewall rule is deployed
D. Schedule the change during the next low-traffic maintenance window
Best answer: A
Explanation: Security-relevant changes need clear accountability before implementation. The change record should identify who owns the affected asset or business process, which stakeholders may be impacted, and who has authority to approve the change or accept residual risk. For a firewall change touching a payment system, technical details are not enough because the risk may affect finance operations, data exposure, and service availability. Maintenance timing, validation testing, and rule documentation are useful parts of change management, but they do not replace ownership and approval facts needed for risk-based decision-making.
Topic: Security Program Management and Oversight
A company’s governance review identified inconsistent handling of externally reported security flaws. Which policy update best addresses the gap shown in the exhibit?
Exhibit: Review notes
| Finding | Current state |
|---|---|
| External report intake | No published reporting channel |
| Researcher guidance | No authorized scope or safe-harbor language |
| Triage ownership | Help desk closes reports as unsolicited email |
| Remediation tracking | Only internal scan findings enter the ticket queue |
Options:
A. Shorten the data retention schedule
B. Add quarterly access recertification
C. Revise the acceptable use policy
D. Publish a vulnerability disclosure policy
Best answer: D
Explanation: The exhibit shows a governance gap in how externally discovered vulnerabilities are reported, accepted, triaged, and tracked. A vulnerability disclosure policy gives researchers a clear reporting path, states what testing is in scope, provides safe-harbor expectations, and routes valid findings into the organization’s remediation workflow. This is different from internal vulnerability management because the problem is not scanning frequency or patch ownership alone; it is the absence of a formal external disclosure process. The key takeaway is to update the policy artifact that governs external reporting and coordinated handling of security flaws.
Topic: Security Program Management and Oversight
A customer tells an online lender that the income value in their profile is inaccurate. The customer wants the lender to keep the account open but stop using that disputed value in eligibility decisions until the review is complete. Which privacy control best maps to this requirement?
Options:
A. Immediately correct the profile value
B. Process a right-to-be-forgotten request
C. Record an opt-out preference
D. Apply a processing restriction
Best answer: D
Explanation: Processing restriction is used when personal data should be retained but not used for certain processing activities, often while accuracy or legitimacy is being reviewed. In this scenario, the customer is not asking to close the account or delete all data. The key requirement is to prevent the disputed income value from being used in eligibility decisions until the review is complete. A correction may happen later if the value is verified as wrong, but the immediate control is to restrict processing of that disputed data.
Topic: Security Operations
A security analyst is reviewing an intake request before a new file-transfer appliance is purchased and deployed. The team wants to avoid gaps in inventory, ownership, and control assignment.
Exhibit: Asset intake request
| Field | Current entry |
|---|---|
| Business owner | TBD |
| Data handled | Customer contracts |
| Network zone | TBD |
| Support model | Vendor-managed |
| Required controls | TBD |
Which action best supports accurate asset management before acquisition or deployment?
Options:
A. Run a vulnerability scan after the appliance is online
B. Assign a disposal date during decommissioning planning
C. Purchase the appliance and inventory it after installation
D. Require a completed asset profile and deployment scope
Best answer: D
Explanation: Accurate asset management starts before purchase or deployment by defining the asset’s required inventory and governance attributes. The exhibit shows several planning gaps: no business owner, no network zone, no support responsibility, and no required controls. Those fields affect classification, access control, monitoring, patch responsibility, vendor oversight, and CMDB accuracy. Requiring a completed asset profile and deployment scope lets the organization approve the acquisition with the right ownership, control requirements, and operational responsibilities already defined.
Post-deployment discovery and scanning are useful, but they do not replace pre-acquisition scoping. The key takeaway is to make the asset known, owned, classified, and controlled before it enters the environment.
Topic: Security Operations
A company is hardening Linux web servers that run a public-facing application. Security requires a local operating system control that can restrict what the web service process may access, even if a file permission or service account is misconfigured. Which control best meets this requirement?
Options:
A. SELinux-style mandatory access control policy
B. Centralized log aggregation
C. Network firewall allow list
D. Group Policy Object for endpoint settings
Best answer: A
Explanation: SELinux-style controls provide mandatory access control at the operating system level, commonly used on Linux servers to constrain processes such as web services. The key requirement is local enforcement over what a service process can read, write, execute, or bind to, even when normal discretionary permissions or an account configuration are too permissive. Group Policy is the better fit for centrally enforcing Windows endpoint and domain settings, such as password policy, software restrictions, and desktop configuration. A firewall can limit network flows, and log aggregation can support detection and investigation, but neither directly constrains process access to local OS resources.
Topic: Security Architecture
A security architect proposes hosting a customer portal and its database in a single isolated data center to minimize external exposure. The business requires the portal to survive a single-site outage with an RTO of 4 hours and an RPO of 15 minutes. Customer data must remain in approved in-country locations and must be encrypted in transit and at rest. What is the BEST professional decision?
Options:
A. Replicate data to any global region for availability
B. Delay launch until the portal can run fully offline
C. Use in-country resilient sites with encrypted replication
D. Approve the isolated single-site design
Best answer: C
Explanation: Architecture trade-offs should not optimize one constraint so strongly that a higher-priority business or technical requirement fails. The single-site isolation approach reduces exposure, but it cannot meet the stated requirement to survive a site outage with a 4-hour RTO and 15-minute RPO. A better design keeps data in approved in-country locations while using resilient sites or availability zones, encrypted replication, least-privilege access, and segmentation. This preserves security controls without ignoring availability and recovery requirements.
The key takeaway is to balance confidentiality, integrity, availability, and compliance instead of treating one constraint as the only design goal.
Topic: Security Architecture
A company is selecting infrastructure for a new analytics service. The data set includes public website metrics, internal operational data, and customer PII classified as confidential. Company policy requires confidential PII for EU residents to be stored and processed only in EU jurisdictions by approved providers. The business also wants elastic scaling with minimal server administration. Which option is the BEST professional decision?
Options:
A. Host the platform in the company’s U.S. data center
B. Use an approved managed PaaS in an EU region with data residency controls
C. Use a global SaaS analytics platform with no regional processing commitment
D. Use the lowest-cost public cloud region and encrypt all stored data
Best answer: B
Explanation: Data classification and data sovereignty should drive placement and service selection before cost or convenience. Confidential PII has stronger handling requirements than public or internal data, and the stem explicitly requires EU resident PII to stay stored and processed in EU jurisdictions by approved providers. A managed PaaS in an EU region can meet the residency requirement while also supporting elastic scaling and reducing server administration. Encryption is important, but it does not by itself satisfy a jurisdictional processing requirement. The key is to choose a service model and region that enforce where regulated data resides and where it is processed.
Topic: General Security Concepts
A company is configuring mutual TLS validation for a partner API. The partner provides this certificate chain:
Leaf: api.partner.example
Issued by: Partner Issuing CA
Partner Issuing CA
Issued by: Partner Root CA
Partner Root CA
Issued by: Partner Root CA (self-signed)
The gateway must trust renewed partner leaf certificates without manual updates, but policy allows only self-signed roots to be configured as trust anchors. Which action best meets the requirement?
Options:
A. Add Partner Root CA to the trusted root store
B. Add Partner Issuing CA as the trust anchor
C. Pin the current leaf certificate thumbprint
D. Issue a new certificate from the company internal CA
Best answer: A
Explanation: Certificate chain validation works by building a path from the presented leaf certificate through one or more intermediate CAs to a trusted root, also called the trust anchor. In this scenario, the gateway should trust certificates only when the chain terminates at the agreed self-signed Partner Root CA. Adding that root to the trusted root store lets the partner renew the API leaf certificate under the same CA hierarchy without reconfiguring the gateway each time. The gateway can still reject certificates that do not chain to that root or fail other checks such as hostname, expiration, or revocation status.
Pinning the current leaf certificate is tighter but conflicts with the renewal requirement.
Topic: Security Operations
A security team is reducing risk for an engineering subnet that stores confidential product designs. The subnet includes several workstations that run a legacy design tool that cannot be fully patched for 45 days, but engineers must keep working during business hours. Recent alerts show malicious email attachments and attempts to use unapproved USB storage. Which mitigation package is the BEST professional decision?
Options:
A. Disconnect the subnet until all legacy systems can be patched
B. Segment the subnet, harden endpoints, sandbox attachments, add deception, monitor alerts, and enforce device control
C. Rely on endpoint antivirus and user reminders until the patch window
D. Deploy decoy files and SIEM alerts, but allow USB storage for productivity
Best answer: B
Explanation: Layered mitigation combines complementary controls so one failure does not expose the environment. In this scenario, segmentation limits lateral movement to and from the engineering subnet, hardening reduces exploitable services and unsafe settings, sandboxing evaluates suspicious attachments before execution, deception can expose intruder behavior, monitoring gives the team detection and response visibility, and device control addresses the specific USB risk. This approach also preserves business-hour availability while compensating for the temporary inability to fully patch the legacy tool. A single control or a disruptive shutdown does not satisfy the risk, evidence, and business constraints together.
Topic: Security Operations
A company is replacing a shared Wi-Fi password for its office network. Requirements are to authenticate employees before network access, verify that managed laptops have EDR running and disk encryption enabled, place noncompliant devices in a remediation network, and send visitors to Internet-only access after accepting terms of use. Which NAC design best meets these requirements?
Options:
A. Static firewall rules based on device IP addresses
B. A guest SSID protected by a shared passphrase
C. 802.1X with posture checks and dynamic VLAN assignment
D. A captive portal for all wireless clients
Best answer: C
Explanation: Network Access Control (NAC) maps identity and device health to network access. In this scenario, employees must be authenticated before access, managed endpoints must be checked for required security controls, and noncompliant systems must be isolated for remediation. 802.1X supports port- or wireless-based authentication before granting access, and NAC posture assessment can evaluate endpoint compliance. Dynamic VLAN assignment or equivalent segmentation can then place devices into the correct network: internal, remediation, or guest. A captive portal is useful for visitor terms-of-use workflows, but by itself it does not provide strong employee authentication or endpoint health enforcement.
Topic: Threats, Vulnerabilities, and Attacks
A security team is addressing endpoint risk after several workstations used built-in Windows tools in unusual ways after a phishing campaign. The team must monitor workstations and servers for suspicious use of tools such as PowerShell and certutil, preserve approved administrator automation, and collect command-line and process-tree evidence for investigations. Which control best meets these requirements?
Options:
A. Block all built-in administrative tools with Group Policy
B. Monitor only perimeter firewall logs for unusual outbound traffic
C. Require MDM enrollment before allowing any endpoint network access
D. Deploy EDR with behavior-based detections and approved-script allow listing
Best answer: D
Explanation: Living-off-the-land risk occurs when attackers misuse trusted, built-in tools instead of dropping obvious malware. The requirements point to endpoint visibility: command lines, parent-child process relationships, and behavior-based detection on workstations and servers. EDR is designed for that telemetry and can alert when normal tools are used abnormally, such as a document spawning a scripting engine or a certificate utility retrieving suspicious content. Pairing it with approved-script allow listing helps avoid breaking legitimate administrator automation. A network-only control may see connections, but it usually cannot prove which local process, script, or user action caused them.
Topic: General Security Concepts
A security team changes the remote access design so administrators must now use a bastion host with MFA before reaching production servers. The change was approved, tested, and deployed during the maintenance window. Which follow-up action best keeps documentation accurate for future operations and audits?
Options:
A. Record only the test results in the change ticket
B. Update the asset inventory with server warranty dates
C. Notify administrators but leave the baseline diagrams unchanged
D. Update the network diagram, access policy, and remote access SOP
Best answer: D
Explanation: Change management does not end when a technical control is deployed. After a security change, the organization should update the documents that describe the current environment and how it is operated. In this scenario, the bastion host and MFA requirement affect the network path, the remote access policy, and the procedure administrators follow. Keeping those artifacts current helps operations teams troubleshoot correctly, supports audits, and prevents later teams from bypassing or misunderstanding the new control. Test results and notifications are useful change records, but they do not replace updating the authoritative diagrams, policies, and SOPs.
Topic: Threats, Vulnerabilities, and Attacks
A security analyst reviews an exposure alert for the finance VLAN. Approved devices in this VLAN must have a CMDB record and report to EDR daily. Which exposure source is most directly supported by the exhibit?
| Signal | Observation |
|---|---|
| NAC | New MAC address assigned 10.30.14.77 |
| CMDB | No matching asset record |
| EDR | No agent check-in for the device |
| DHCP | Hostname mini-server, first seen today |
Options:
A. Rogue or unmanaged device
B. Shadow IT SaaS application
C. Stale privileged credential
D. Misconfigured firewall rule
Best answer: A
Explanation: The core exposure is an unmanaged or rogue device. The host is active on the finance VLAN, but it has no CMDB record and no EDR check-in, so the security team cannot confirm ownership, configuration, patch status, or monitoring coverage. The NAC and DHCP evidence proves the device is on the network; the missing inventory and endpoint telemetry make it an operational exposure source. A reasonable next step would be to contain or quarantine the device through NAC while validating ownership.
The key distinction is that the evidence is about an unknown endpoint, not an identity event, cloud application, or firewall policy.
Topic: Security Operations
A SOC analyst is investigating a possible data exfiltration event. The team needs to identify which internal hosts communicated with the external address and compare connection volume during the alert window. Full packet payload capture is not retained.
Exhibit: Alert summary
Time window: 01:00-03:00 UTC
Alert: Unusual outbound transfer volume
External address: 203.0.113.45
Needed: source IPs, destination IPs, ports, byte counts, timestamps
Constraint: summarize traffic quickly without packet payloads
Which data source is the best fit for this investigation need?
Options:
A. Vulnerability scan results
B. Surveillance footage
C. Data-loss prevention policy report
D. NetFlow or IPFIX records
Best answer: D
Explanation: NetFlow and IPFIX are network telemetry sources that summarize traffic flows. They are useful when an analyst needs to determine who talked to whom, when, over which ports, and how much data was transferred. The exhibit asks for source and destination IPs, ports, byte counts, and timestamps, while also stating that full packet payloads are not retained. That points to flow data rather than packet captures or physical evidence.
A packet capture would be stronger for payload-level inspection, but it is unavailable and not required for this first scoping step. Flow records are the best match for quickly scoping possible exfiltration by volume and endpoint.
Topic: Security Operations
A company receives a bug bounty report showing an authentication bypass in a customer portal. The issue appears valid, is not yet patched, and may require customer notification after legal review. The bounty program requires timely acknowledgment and coordinated disclosure. Which communication action best fits these requirements?
Options:
A. Acknowledge through the bounty platform and route validated details to engineering, legal, and communications.
B. Ask the researcher to resubmit the report after remediation is complete.
C. Send the report only to engineering until a patch is deployed.
D. Publish a detailed public advisory before remediation begins.
Best answer: A
Explanation: Vulnerability-management communication should match the audience and stage of the process. A bug bounty report needs timely acknowledgment through the approved program channel, but unpatched exploit details should be controlled. Validated technical details should go to the asset owner or engineering team for remediation, while legal and communications teams evaluate disclosure duties and customer messaging. Coordinated vulnerability disclosure balances researcher expectations, internal remediation needs, and external notification requirements. Public details should normally wait until the organization has validated impact and coordinated the disclosure path.
Topic: Security Program Management and Oversight
A security team is standardizing server hardening for several business units. Audit leadership wants a vendor-neutral artifact that lists specific configuration settings, can be used to compare systems against expected values, and supports repeatable compliance checks. Which governance artifact best meets these requirements?
Options:
A. Reference architecture
B. Advisory
C. Guideline
D. Benchmark
Best answer: D
Explanation: A benchmark is the best fit when the requirement is to compare actual configurations against a defined set of expected settings. Benchmarks are commonly used for hardening and compliance validation because they provide specific, testable configuration recommendations rather than broad advice. A guideline may recommend good practices, but it is usually less prescriptive. An advisory warns about a current issue, such as a vulnerability or threat. A reference architecture shows a recommended design pattern for systems or environments, not a checklist of settings to audit. The key clue is the need for specific configuration values and repeatable compliance checks.
Topic: General Security Concepts
A company is deploying a web application that sends customer PII from a branch office to a cloud-hosted API over the public Internet. The data is already encrypted in the database, but the security requirement says sensitive information must be protected whenever it crosses an untrusted network path. Which control best meets this requirement?
Options:
A. Enforce TLS for all API connections
B. Obfuscate the API endpoint names
C. Add a digital signature to each record
D. Hash the PII before database storage
Best answer: A
Explanation: Transport protection is required when sensitive information moves across an untrusted communication path, even if the same data is protected elsewhere. In this scenario, the public Internet is the untrusted path, and customer PII is being transmitted between the branch office and the cloud API. TLS protects data in transit by encrypting the session and helping validate the server identity. Database encryption protects stored data, but it does not protect the network transfer by itself. The key distinction is data state: data at rest needs storage protection, while data in transit needs transport protection.
Topic: Security Program Management and Oversight
A security team repeatedly handles the same alert but gets inconsistent evidence and escalation results. Based on the exhibit, which artifact should the security manager create first?
Exhibit: Recurring alert handling need
Alert: Orphaned privileged account detected
Frequency: 3-5 times per week
Audience: Tier 1 on-call analysts
Needed content: exact checks, command sequence, evidence to save,
escalation conditions, and closure steps
Goal: make each analyst execute the response the same way
Options:
A. Risk register entry for privileged accounts
B. Awareness guideline for account owners
C. Runbook for the alert workflow
D. High-level access control policy
Best answer: C
Explanation: The exhibit points to repeatable operational execution: the same alert occurs often, Tier 1 analysts need exact checks, evidence requirements, escalation conditions, and closure steps. A runbook is the best fit for this need because it translates an operational scenario into a consistent sequence of actions that staff can follow during routine response work. Policies state management intent, risk registers track risk decisions, and guidelines provide recommendations. They do not give the detailed execution path needed to reduce analyst variation for a recurring operational task.
The key takeaway is that detailed repeatable work belongs in a procedure, SOP, or runbook, with runbooks especially suited to task-based operational workflows.
Topic: Security Architecture
A company is choosing a resilience design for a customer portal. The business requires a maximum outage of 1 hour, maximum data loss of 15 minutes, average repair time under 30 minutes for common node failures, and an average of at least 200 days between platform failures.
| Design | Expected measures |
|---|---|
| Nightly backups and cold site | RTO 8 hours; RPO 24 hours; MTTR 2 hours; MTBF 300 days |
| Warm standby with 15-minute replication | RTO 45 minutes; RPO 15 minutes; MTTR 25 minutes; MTBF 220 days |
| Active-active with daily data export | RTO 5 minutes; RPO 24 hours; MTTR 20 minutes; MTBF 180 days |
| Same-site hot spare with synchronous replication | RTO 20 minutes; RPO 0 minutes; MTTR 20 minutes; MTBF 90 days |
Which design best meets all requirements?
Options:
A. Active-active with daily data export
B. Nightly backups and cold site
C. Warm standby with 15-minute replication
D. Same-site hot spare with synchronous replication
Best answer: C
Explanation: RTO is the maximum acceptable outage, RPO is the maximum acceptable data loss, MTTR is the expected repair or recovery duration, and MTBF is the expected time between failures. The warm standby option maps to all four thresholds: 45 minutes is within the 1-hour RTO, 15-minute replication meets the RPO, 25-minute repair time is under the 30-minute MTTR target, and 220 days exceeds the 200-day MTBF requirement. The other designs each satisfy some goals but fail at least one stated constraint. When evaluating resilience designs, all recovery and reliability targets must be checked together, not optimized one at a time.
Topic: General Security Concepts
A company hosts an Internet-facing customer portal with a separate administrator console. A recent phishing incident captured a valid administrator password, so management wants to reduce the chance that one failed control leads to compromise. The solution must strengthen identity checks, limit where admin access can originate, and provide visibility into suspicious login activity. Which approach best supports defense in depth?
Options:
A. Send all administrator logs to a SIEM only
B. Accept the risk and update the security policy
C. Require longer administrator passwords only
D. Layer MFA, admin access restrictions, and login alerting
Best answer: D
Explanation: Defense in depth uses multiple, complementary controls so the failure of one control does not expose the organization to the full risk. In this scenario, a password policy alone did not sufficiently reduce risk because a valid password was captured. Adding MFA strengthens authentication, restricting admin access limits the reachable attack surface, and login alerting improves detection and response. These controls work at different layers rather than depending on one barrier. A single stronger password rule or logging-only approach may help one requirement, but it does not meet all stated requirements.
Topic: Security Program Management and Oversight
A company is reviewing responsibility assignments for employee payroll records that include names, addresses, tax IDs, and bank details. Based on the exhibit, which interpretation is supported?
Exhibit: Payroll data-handling note
| Party | Relevant facts |
|---|---|
| Company | Decides payroll is collected and retained for employment and tax purposes |
| HR director | Approves internal access and retention rules for payroll records |
| PayFlow vendor | Processes records only under written company instructions |
Options:
A. PayFlow: controller because it stores payroll records
B. Employees: data owners because the records identify them
C. Company: controller; PayFlow: processor; HR director: data owner
D. HR director: processor because they approve access
Best answer: C
Explanation: Privacy and governance roles depend on decision authority, not just possession of data. The controller determines why and how personal information is processed. A processor handles personal information on the controller’s behalf and follows documented instructions. A data owner is typically an internal business role accountable for classification, access, retention, and acceptable use of a data set. In the exhibit, the company decides the payroll purpose and retention basis, PayFlow follows company instructions, and the HR director approves internal access and retention rules. Employees are data subjects, but that does not make them the organizational data owner.
Topic: Security Operations
An analyst is investigating a public web server that processes customer orders. The application owner can tolerate a short isolation window, but not an unplanned rebuild. Legal has requested defensible evidence.
Exhibit: Investigation notes
FIM: /usr/bin/ssh hash changed from baseline
auth.log: svc_web login from 203.0.113.45; sudo started
EDR: suspicious process still running
Log retention: local logs rotate in 30 minutes; SIEM copy exists
Which response is the BEST professional decision?
Options:
A. Restore from the latest snapshot and parse SIEM logs afterward.
B. Shut down immediately and remove the disk for imaging.
C. Coordinate with stakeholders, isolate, dump memory, preserve logs, image disk.
D. Copy the changed files and auth logs to a share.
Best answer: C
Explanation: The best response balances evidence preservation, availability, and stakeholder coordination. Because a suspicious process is still running, a memory dump should be collected before power loss or reboot removes volatile evidence. The file integrity alert and authentication activity justify preserving logs and acquiring a bit-level disk image or forensic system image so metadata, deleted data, and full filesystem state are retained. The application owner and legal request also matter: coordinating isolation supports business continuity while keeping evidence handling defensible. A snapshot may help recovery or preserve a point in time, but restoring first can destroy volatile evidence and alter the investigative record.
Topic: Security Architecture
A security administrator must recommend a secure access method for a new partner integration. The company does not want to expose the internal API directly to the Internet. Which method best meets the need shown in the exhibit?
Exhibit: Access request
| Item | Detail |
|---|---|
| Source | Partner data center fixed public IP |
| Destination | Internal inventory API on TCP 443 |
| Use | Automated nightly data exchange |
| Users | No interactive user access |
| Requirement | Encrypt traffic over the Internet; limit reachability |
Options:
A. SSH tunnel from a partner workstation
B. Site-to-site IPsec VPN with rules limited to the API
C. Remote access VPN accounts for partner staff
D. Encrypted messaging for nightly data files
Best answer: B
Explanation: Secure access should match the communication pattern and exposure requirement. The exhibit describes automated system-to-system traffic between a partner data center and one internal API, with no interactive users and a need to avoid direct Internet exposure. A site-to-site IPsec VPN is designed for encrypted network-to-network connectivity across an untrusted network. It should still be constrained with firewall or access rules so the partner can reach only the inventory API on TCP 443, not the broader internal network.
Remote access VPNs are better for individual users, while encrypted messaging does not provide live API connectivity. The key is pairing the tunnel with least-privilege reachability.
Topic: Security Operations
A security administrator reviews a weekly IAM report after several employees changed roles or left the company. The HR feed is authoritative, production access must remain available, and policy requires access to match the current job role within 24 hours.
Report excerpt:
| User | HR status | Current access |
|---|---|---|
| Lee | Transferred to Finance | Engineering repo, Finance app |
| Patel | Terminated yesterday | VPN, email, CRM |
| Gomez | New contractor | No access yet |
What is the BEST professional decision?
Options:
A. Disable Patel, remove Lee’s old access, and provision Gomez from an approved contractor role
B. Delete all three accounts and recreate only requested access
C. Keep all current access until the next quarterly access review
D. Wait for each manager to submit separate access tickets
Best answer: A
Explanation: Provisioning and deprovisioning should follow an authoritative identity source, such as HR, and enforce least privilege throughout the account lifecycle. A terminated user’s active accounts should be disabled promptly to prevent orphaned access. A transferred user should keep only access needed for the new role, so old Engineering access should be removed while Finance access remains if appropriate. A new contractor should receive only approved baseline permissions for the contractor role, not ad hoc excessive access. This approach meets the 24-hour policy requirement without disrupting legitimate production access more than necessary.
Topic: Security Program Management and Oversight
A company is selecting a SaaS payroll processor that will store employee PII and receive API access from HR systems. Based on the vendor-risk exhibit, which action best treats the third-party risk before production onboarding?
Exhibit: Vendor-risk review
| Area | Finding |
|---|---|
| Agreement | Confidentiality and breach notice are included |
| Constraint | Data must remain in approved regions |
| Monitoring | Annual questionnaire only |
| Assurance | SOC 2 exception: admin MFA not enforced |
| Policy | High-risk vendors require audit rights and remediation evidence |
Options:
A. Add audit rights and require MFA remediation evidence
B. Approve onboarding based on confidentiality terms
C. Select the vendor with the lowest service cost
D. Accept the risk because monitoring is scheduled annually
Best answer: A
Explanation: Third-party risk treatment should match the vendor’s risk level and cover more than initial selection. For a high-risk SaaS payroll processor handling PII, the organization needs enforceable agreement terms, clear constraints, monitoring, and assurance that control gaps are fixed. The exhibit shows confidentiality and breach notification are present, but audit rights are not shown and the SOC 2 report has an unresolved admin MFA exception. Annual questionnaires alone do not prove that a critical control issue was remediated. The strongest action is to close the agreement and assurance gaps before production access is granted.
Topic: Security Operations
A company’s IAM team is redesigning account lifecycle handling. Employees often keep permissions from prior roles, and several disabled user mailboxes still have active SaaS accounts because offboarding tickets are manual. The company wants least-privilege access during role changes and fast removal of access when employment ends. Which action best meets these requirements?
Options:
A. Require MFA for all SaaS accounts
B. Review privileged accounts during the annual audit
C. Integrate HR events with automated role-based provisioning and deprovisioning
D. Extend disabled accounts for 30 days after termination
Best answer: C
Explanation: Account lifecycle controls should tie provisioning and deprovisioning to an authoritative source, such as the HR system. For movers, role-based access templates help remove previous-role permissions before granting new-role access, which limits privilege creep. For leavers, automated deprovisioning disables or removes accounts across connected systems quickly, reducing orphaned accounts that remain active after termination. MFA is important, but it does not remove unnecessary permissions or close unused accounts. The key takeaway is to automate joiner, mover, and leaver workflows around least privilege rather than relying on delayed manual tickets.
Topic: Security Operations
A security analyst is triaging a potential incident involving the company VPN concentrator. Management asks which identification activity should be performed first to determine whether the environment is affected.
Exhibit: Current facts
| Source | Finding |
|---|---|
| Vendor advisory | Active exploitation of VPN version 8.2.1 |
| Asset inventory | Two internet-facing VPNs run 8.2.1 |
| SIEM alerts | No current alert rule for this activity |
| Logs available | VPN, identity provider, and proxy logs for 30 days |
Which activity best supports incident identification at this point?
Options:
A. Close the case because no alerts have fired
B. Threat hunt using advisory IoCs across available logs
C. Wait for SIEM detection before opening an incident
D. Begin eradication by rebuilding both VPN concentrators
Best answer: B
Explanation: Incident identification uses available facts to determine whether suspicious activity is present and how far it may have spread. In this scenario, a vendor advisory reports active exploitation, the asset inventory confirms affected internet-facing systems, and the SIEM has no existing detection rule. That combination supports targeted threat hunting using the advisory indicators of compromise (IoCs) across VPN, identity, and proxy logs. The goal is to find evidence of exploitation or related authentication activity before moving to containment or eradication decisions. A missing alert does not prove the environment is clean when the detection logic is absent.
Topic: Security Architecture
A regional hospital is designing recovery for its medication-ordering system. The system must be available within 15 minutes of a site outage, and no more than 5 minutes of data loss is acceptable. Leadership has approved the cost of duplicate infrastructure at a geographically separate facility with independent power, cooling, and network connectivity. Which recovery site strategy best meets these requirements?
Options:
A. Environmental monitoring at the primary site
B. Cold site with space and utilities only
C. Warm site with hardware staged offline
D. Hot site with near-real-time replication
Best answer: D
Explanation: Recovery site selection should map directly to RTO, RPO, and facility requirements. A hot site maintains ready infrastructure and current or near-current data so workloads can fail over quickly with minimal data loss. That fits the hospital’s 15-minute recovery target, 5-minute data-loss limit, and approved budget for duplicate infrastructure. A warm site may have some systems or hardware prepared but usually needs configuration, data synchronization, or startup time. A cold site provides basic space and utilities but requires equipment and restoration before use. Environmental controls such as power, cooling, and physical site resilience are important supporting requirements, but they do not replace the need for a ready recovery site.
Topic: Security Program Management and Oversight
A company hires a third-party security firm to perform an assessment against selected Internet-facing systems. Before testing begins, leadership wants a document that explicitly identifies approved targets, testing dates, prohibited techniques, escalation contacts, and written authorization to test. Which artifact best meets these requirements?
Options:
A. Service-level agreement
B. Non-disclosure agreement
C. Rules of engagement
D. Vendor due diligence checklist
Best answer: C
Explanation: Rules of engagement are used before activities such as penetration tests or security assessments to prevent misunderstandings and unauthorized activity. They define what is in scope, what is out of scope, when testing may occur, what techniques are allowed or prohibited, who to contact, and what authorization has been granted. This is especially important for third-party work because the assessor needs clear permission and boundaries before interacting with company systems.
An SLA, NDA, or due diligence checklist may be part of vendor management, but they do not provide the operational permission and testing boundaries needed for the assessment itself.
Topic: Security Operations
A company hosts a public customer portal over HTTPS. During a sale, the SOC sees a spike of requests to /login and /cart from many source IPs. The business requires the site to remain available to legitimate customers, and the security team needs to control abusive HTTP request patterns without blocking all inbound web traffic. Which control is the BEST professional decision?
Options:
A. Enable only IDS alerting for web requests
B. Apply WAF Layer 7 rate-limiting rules
C. Block TCP 443 at the perimeter firewall
D. Deploy a Layer 4 allow list for known customer IPs
Best answer: B
Explanation: The core decision is whether the traffic problem requires network-layer filtering or application-layer control. The evidence points to abusive HTTPS requests against specific web paths, so a Layer 7 control is needed. A WAF can inspect HTTP requests after TLS handling in the web stack, match paths such as /login and /cart, and enforce rate-limiting or challenge rules without shutting down the entire public service. This satisfies the availability requirement while reducing the abusive request volume. A Layer 4 firewall decision is better for IP, port, and protocol filtering, not for distinguishing application behavior inside web requests.
Topic: Security Architecture
A company is redesigning backups for a payroll application after a ransomware incident. The stated objective is to restore the service with no more than 4 hours of data loss, recover month-end payroll files for 35 days, survive a domain administrator credential compromise, and prove recovery at least quarterly.
Exhibit: Current backup review
| Area | Current state |
|---|---|
| Retention | 14 days |
| Backup access | Same AD admins can modify/delete backups |
| Scope | Database volume only |
| Validation | Job success reports only |
| App dependency | App config and payroll export share required |
Which backup plan best addresses the recovery gaps?
Options:
A. Keep current snapshots and add quarterly tabletop reviews
B. Use 90-day mutable backups and daily job-success reviews
C. Use 35-day immutable backups, full app scope, and quarterly restore tests
D. Back up only the database every 4 hours with 35-day retention
Best answer: C
Explanation: The recovery objective requires more than simply having backup jobs complete. The plan must retain the needed data for at least 35 days, protect backups from deletion or encryption by compromised domain administrators, include every dependency needed to restore the payroll service, and validate recovery through actual restoration testing. Because the RPO allows no more than 4 hours of data loss, the backup cadence must also support that target. Immutable or offline backups reduce the risk that ransomware or stolen admin credentials can alter backup copies. Restoration tests prove that the backup scope and recovery procedure work, instead of relying only on job-success logs. A longer retention period alone does not solve immutability, scope, or testability gaps.
Topic: General Security Concepts
A company found that employees sometimes hold the data center door open for unknown visitors. The stated risk is unauthorized physical entry to critical systems. The control must reduce the chance of entry at the door, not merely document expectations or record activity after entry.
Which control best addresses the stated risk?
Options:
A. Add CCTV monitoring inside the data center
B. Install a badge-controlled mantrap at the data center entrance
C. Update the physical access policy to prohibit tailgating
D. Send annual security awareness training about visitor access
Best answer: B
Explanation: The key distinction is whether the control directly reduces the risk or only supports governance or detection. The stated risk is unauthorized physical entry through tailgating, and the requirement is to reduce entry at the door. A badge-controlled mantrap enforces one-person-at-a-time controlled access before entry, so it maps directly to the risk and constraint. A policy documents expected behavior, CCTV can help detect or investigate events, and awareness training supports behavior change, but those do not enforce the access restriction at the point of entry.
Match controls to the risk outcome first, then consider supporting layers.
Use the CompTIA Security+ SY0-801 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Try CompTIA Security+ SY0-801 on Web View CompTIA Security+ SY0-801 Practice Test
Use the full IT Mastery practice page above for the latest review links and practice page.