Security Operations 1 Flashcards

Question

A researcher discovers a critical zero-day vulnerability in a company's web application. The researcher wants to report the issue but is concerned about legal consequences. What is the BEST way to report the vulnerability? A) Disclose the vulnerability on social media to force a response B) Submit the details through the company's Responsible Disclosure Program C) Exploit the vulnerability and contact the company afterward D) Sell the exploit to a third party for financial gain

Answer 1

Answer: B) Submit the details through the company’s Responsible Disclosure Program ✔ Correct Explanation: A Responsible Disclosure Program allows security researchers to safely report vulnerabilities without fear of legal repercussions. ✘ Incorrect Answers: A) Disclosing on social media – May lead to misuse by malicious actors before the company can patch it. C) Exploiting the vulnerability – Could be illegal and unethical without permission. D) Selling the exploit – Violates ethical and legal standards and could be used for malicious purposes.

Answer 2

Answer: C) Non-intrusive penetration test ✔ Correct Explanation: A non-intrusive penetration test identifies vulnerabilities without actively exploiting them, ensuring business operations remain unaffected. ✘ Incorrect Answers: A) Bug bounty program – Involves external researchers, not an in-house penetration test. B) System audit – Reviews security compliance, not exploitable vulnerabilities. D) Red team exercise – Simulates real attacks and could disrupt operations.

Answer 3

Answer: B) It allows external security professionals to continuously test the system ✔ Correct Explanation: Bug bounty programs engage external researchers to identify vulnerabilities continuously, increasing security coverage beyond internal testing. ✘ Incorrect Answers: A) Ensuring all vulnerabilities are patched – Bug bounties help find issues but do not guarantee all vulnerabilities are eliminated. C) Replacing internal security teams – Internal teams are still needed for patching and security management. D) Full security coverage without additional resources – Bug bounty programs require oversight and resource management.

Answer 4

Answer: B) Dynamic analysis ✔ Correct Explanation: Dynamic analysis evaluates an application’s runtime behavior, detecting exploitable vulnerabilities during execution. ✘ Incorrect Answers: A) Static analysis – Only examines source code without execution. C) OSINT – Gathers external intelligence but does not test the application itself. D) Threat feed monitoring – Provides threat intelligence but does not actively analyze code behavior.

Answer 5

Answer: B) Code signing Explanation: Code signing verifies the integrity and authenticity of software by using digital signatures, ensuring that applications haven't been altered after deployment.

Answer 6

✅ Correct Answer: D. Switch to WPA3-Personal with SAE Explanation: WPA3-Personal replaces WPA2-PSK with Simultaneous Authentication of Equals (SAE), which prevents offline dictionary attacks by using a more secure key exchange method. ❌ Incorrect Answers: A. Enabling WPS introduces serious security vulnerabilities, making brute-force attacks easier. B. WEP is highly insecure, even with a longer key, as it can be cracked within minutes. C. WPA2-TKIP is less secure than WPA2-AES and does not protect against dictionary attacks.

Answer 7

✅ Correct Answer: D. Corporate-Owned, Personally Enabled (COPE) Explanation: COPE allows a company to own and manage the devices while also permitting employees to use them for personal purposes, striking a balance between security and user control. ❌ Incorrect Answers: A. Open Access Model does not enforce security standards and would be a high-risk approach. B. BYOD allows employees to use personal devices, which limits company control and security enforcement. C. CYOD allows employees to select a device from an approved list, but COPE provides more personal flexibility while maintaining company security.

Answer 8

Answer: B) The likelihood of exposure and regulatory requirements ✔ Correct Explanation: Data classification considers sensitivity, potential exposure risks, and regulatory requirements, especially in healthcare settings (e.g., HIPAA). ✘ Incorrect Answers: A) Storage location – Location matters, but classification is based on data sensitivity. C) Number of users – Access control matters, but classification is based on data risk. D) Cost of storage – Financial considerations do not define security classification.

Answer 9

Answer: A) Shredding followed by pulping ✔ Correct Explanation: Shredding and pulping destroy the paper fibers, making it impossible to reconstruct the original documents. ✘ Incorrect Answers: B) Storing documents in a locked file cabinet – This does not destroy the documents and leaves them vulnerable to unauthorized access. C) Deleting electronic versions – This does not address the disposal of physical documents. D) Cross-cut shredding only – Additional measures like pulping or incineration further reduce the risk of data reconstruction.

Answer 10

Answer: B) Packet capture and analysis tool ✔ Correct Explanation: A packet capture and analysis tool (e.g., Wireshark) allows the analyst to inspect individual packets, identify the contents of the transmitted data, determine if sensitive information is being exfiltrated, and analyze communication with the unknown external IP. ✘ Incorrect Answers: A) NIDS (Network Intrusion Detection System) – Can detect unusual traffic patterns but does not capture full packet contents for detailed analysis. C) Threat intelligence platform – Provides general information on known threats, but does not inspect live network traffic. D) SIEM (Security Information and Event Management) – Aggregates logs and alerts but does not capture raw packet data for detailed forensic analysis.

Answer 11

Answer: B) Proprietary threat intelligence ✔ Correct Explanation: Proprietary threat intelligence (e.g., vendor reports, closed security groups) provides early access to zero-day vulnerabilities before they become publicly known. ✘ Incorrect Answers: A) OSINT – Offers publicly available intelligence, but not always real-time for zero-days. C) Dark web forums – May have malicious actors discussing exploits, but not a verified intelligence source. D) Information-sharing organizations – Useful for known vulnerabilities but not as fast as proprietary feeds for zero-days.

Answer 12

Answer: B) Execute the file in an isolated virtual sandbox ✔ Correct Explanation: A sandbox isolates the file from the main system, allowing security teams to analyze its behavior safely without risking malware spreading to other systems. ✘ Incorrect Answers: A) Run the file on a developer’s workstation – This could lead to system infection if the file contains malware. C) Upload the file to a cloud-based shared drive – This does not provide a safe execution environment and could expose the file to other systems. D) Install the file on a test server within the production environment – This risks compromising production systems if the file is malicious.

Answer 13

✅ Correct Answer: D. Secure baselines Explanation: Secure baselines provide a predefined set of security configurations that ensure systems are hardened and compliant with industry standards before deployment, reducing security risks. ❌ Incorrect Answers: A. Zero trust architecture enforces strict access controls but does not define predeployment system configurations. B. Least privilege enforcement limits user permissions but does not configure system-wide security settings. C. Security hardening is a broader concept that includes multiple security techniques, whereas a secure baseline provides standardized settings.

Answer 14

Answer: C) IEEE 802.1X authentication with RADIUS Explanation: 802.1X with RADIUS enforces strong authentication through centralized identity verification, reducing the risk of unauthorized access compared to PSK or MAC filtering.

Answer 15

Answer: B) Unauthorized device pairing and potential data exfiltration Explanation: Bluetooth vulnerabilities can lead to unauthorized pairing, data theft, and Bluetooth-based attacks, such as Bluejacking and Bluesnarfing.

Answer 16

Answer: A) Disable unused ports, apply security patches, and monitor logs via SIEM Explanation: Hardening a switch includes disabling unused ports, applying patches, and monitoring network activity via SIEM tools to detect anomalies.

Answer 17

✅ Correct Answer: D. Extensible Authentication Protocol (EAP) Explanation: EAP is a flexible authentication framework that supports IEEE 802.1X, which is commonly used in enterprise wireless security for authentication via RADIUS servers and certificates. ❌ Incorrect Answers: A. Open System Authentication provides no authentication or encryption, making it insecure. B. PSK authentication is used in WPA2-Personal but does not adhere to the 802.1X standard required for enterprise security. C. WPS is an insecure simplified setup method, not an authentication protocol for 802.1X networks.

Answer 18

✅ Correct Answer: D. Use the Secure flag to ensure cookies are sent over HTTPS Explanation: The Secure flag ensures that cookies are only transmitted over encrypted HTTPS connections, preventing attackers from intercepting session data via man-in-the-middle (MITM) attacks. ❌ Incorrect Answers: A. Deny listing does not secure cookie transmissions but instead blocks certain modifications. B. Storing cookies in the browser cache does not protect them from being sent over insecure connections. C. Encrypting cookies can help protect stored data but does not ensure secure transmission like the Secure flag does.

Answer 19

Answer: B) Degaussing and physically destroying the storage device ✔ Correct Explanation: Degaussing erases magnetic storage, while physical destruction (e.g., shredding, pulverizing) ensures classified data cannot be recovered. ✘ Incorrect Answers: A) Reformatting and overwriting – May reduce the chance of recovery, but advanced forensics can still retrieve data. C) Encrypting and storing securely – Encryption protects data but does not eliminate it. D) Disabling and storing the device – Storage does not prevent potential breaches.

Answer 20

Answer: B) To determine appropriate security controls based on data sensitivity ✔ Correct Explanation: Asset classification ensures sensitive data receives the appropriate security protections, including encryption, access controls, and compliance measures. ✘ Incorrect Answers: A) Limit employee access – Access may be restricted, but classification is focused on data protection. C) Reduce asset inventory – Classification does not remove assets, it organizes them by sensitivity. D) Store all data in one repository – Data should be protected, not necessarily centralized.

Answer 21

Answer: C) Dark web ✔ Correct Explanation: The dark web is a known marketplace for cybercriminal activity, where zero-day exploits and vulnerabilities may be discussed before they are widely known. ✘ Incorrect Answers: A) Vendor security bulletins – Provide official disclosures, but do not cover underground discussions. B) OSINT – Gathers intelligence from public sources, but not from hidden dark web marketplaces. D) Threat feed monitoring – Aggregates threat data but does not provide underground cybercriminal insights.

Answer 22

Answer: C) Packet replay ✔ Correct Explanation: Packet replay involves resending previously captured network traffic to test how a system responds to known vulnerabilities. ✘ Incorrect Answers: A) Packet capture – Records network traffic but does not resend it. B) Threat intelligence – Monitors threats but does not involve traffic manipulation. D) Dynamic code analysis – Tests running applications, not network packets.

Answer 23

Answer: B) Threat feed monitoring ✔ Correct Explanation: Threat feed monitoring provides real-time updates on emerging threats, vulnerabilities, and attack signatures, helping security teams respond proactively. ✘ Incorrect Answers: A) Packet monitoring – Captures network traffic but does not provide ongoing intelligence on external threats. C) OSINT – Offers general intelligence but may not provide real-time updates. D) Dark web forums – May contain valuable exploit discussions, but lack structured, actionable intelligence.

Answer 24

Answer: B) System/process audit ✔ Correct Explanation: A system/process audit is a formal evaluation that follows a structured framework to assess compliance and identify security gaps. ✘ Incorrect Answers: A) Penetration testing – Actively exploits vulnerabilities, while audits review security controls. C) Red team exercise – Simulates real-world attacks instead of focusing on compliance. D) Vulnerability scanning – Identifies technical weaknesses but does not evaluate overall security processes.

Answer 25

Answer: B) Continuous monitoring ✔ Correct Explanation: Continuous monitoring detects changes to application source code, helping identify unauthorized modifications or vulnerabilities. ✘ Incorrect Answers: A) Sandboxing – This is used for isolating applications but does not monitor real-time code changes. C) Secure cookies – These protect session data but do not monitor application code. D) Zero trust architecture – This enforces strict access controls but does not track code modifications.

Answer 26

Answer: B) Client-side validation can be bypassed by attackers Explanation: Client-side validation checks occur on the user's browser before data is sent to the server. While it provides immediate feedback to the user, attackers can easily manipulate client-side scripts or use browser developer tools to bypass these checks and submit invalid or malicious data to the server. This means that even if the user sees an error message on their screen indicating invalid input, the server could still receive and process the tainted data.

Answer 27

Answer: C) Update the secure baseline and push changes through configuration management tools Explanation: Maintaining a secure baseline requires ongoing updates to meet compliance requirements. Configuration management tools ensure organization-wide consistency.

Answer 28

Answer: B) Unauthorized access from nearby attackers Explanation: Strong wireless signals extending beyond the intended area can allow war drivers or attackers to attempt unauthorized access, requiring signal tuning and security measures.

Answer 29

✅ Correct Answer: D. Corporate-Owned, Restricted Use Explanation: Corporate-Owned, Restricted Use (CORU) ensures that mobile devices are strictly for work purposes, allowing only pre-approved apps and enforcing strong security controls like encryption and policy enforcement. ❌ Incorrect Answers: A. BYOD allows employees to use personal devices, which does not enforce strict work-only policies. B. COPE allows for personal use, but this scenario restricts all non-work activities. C. CYOD allows employees to choose a device from a pre-approved list, but it does not inherently restrict personal use.

Answer 30

Answer: B) Implements perfect forward secrecy to protect past transmissions Explanation: WPA3-Enterprise improves security over WPA2-Enterprise by implementing perfect forward secrecy, ensuring that past data remains encrypted even if credentials are compromised.

Answer 31

✅ Correct Answer: D. Code signing Explanation: Code signing ensures the integrity and authenticity of an application’s executable files by using digital signatures, preventing attackers from modifying them without detection. ❌ Incorrect Answers: A. Static code analysis helps identify security flaws before deployment, but it does not prevent modification of executables. B. Secure cookies protect web sessions, not application executables. C. Input allow listing helps prevent malicious input attacks (e.g., SQL injection) but does not protect executable files.

Answer 32

Answer: A) Obtain a certification of destruction from an accredited disposal service ✔ Correct Explanation: Certification of destruction provides a documented record proving the asset was properly disposed of, ensuring compliance with security policies. ✘ Incorrect Answers: B) Store records indefinitely – This does not confirm proper destruction of disposed assets. C) Oversee disposal without documentation – Lack of documentation makes audits and verification difficult. D) Dispose informally – This increases the risk of data leaks and does not ensure compliance.

Answer 33

Answer: A) Asset enumeration using network scanning tools ✔ Correct Explanation: Asset enumeration scans the network to identify all active and unauthorized devices, ensuring only approved assets are connected. ✘ Incorrect Answers: B) BYOD policy – This governs employee devices, but does not track unauthorized assets. C) Assign asset ownership – Ownership defines responsibility but does not track network devices. D) Restrict IT admin access – This improves access control, but does not track network devices.

Answer 34

Answer: C) Black-box testing ✔ Correct Explanation: Black-box testing simulates a real-world attack scenario where the tester has no prior knowledge of the target environment, mimicking how an external attacker would operate. ✘ Incorrect Answers: A) White-box testing – Involves full knowledge of the system. B) Gray-box testing – Involves partial knowledge of the system. D) Bug bounty testing – Is not a type of penetration test, but an incentive program for external researchers.

Answer 35

Answer: A) Implement VPNs, enable firewalls, and restrict administrative access Explanation: Hardening routers involves enabling VPNs for secure communication, firewalls for traffic filtering, and restricting administrative access to prevent unauthorized control.

Answer 36

Answer: A) Require VPN usage for all mobile connections Explanation: VPNs secure remote connections by encrypting traffic, reducing the risk of man-in-the-middle (MITM) attacks on rogue Wi-Fi networks.

Answer 37

✅ Correct Answer: D. Choose Your Own Device (CYOD) Explanation: CYOD allows employees to choose from a pre-approved list of devices while ensuring full corporate security, management, and policy enforcement—making it the best fit for a government agency that requires both flexibility and control. ❌ Incorrect Answers: A. COPE provides a company-issued device that allows personal use, but it does not necessarily offer choice from a list. B. BYOD allows employees to use personal devices, which does not ensure full security and management. C. Corporate-Owned, Restricted Use strictly limits functionality and does not provide employee choice in devices.

Answer 38

Answer: B) WPA2-CCMP Explanation: WPA2-CCMP (AES) provides strong encryption while maintaining compatibility with older devices that do not support WPA3. Why other options are not ideal: A) WEP: WEP (Wired Equivalent Privacy) is outdated and considered insecure. It is easily crackable and should be avoided at all costs. B) WPA2-CCMP: While WPA2 is more secure than WEP, WPA3-SAE offers even better security with its improved encryption and authentication methods. CCMP (Counter Mode with Cipherblock Chaining-Encapsulating) is the encryption used in WPA2, and while it was considered strong at the time, WPA3 has superseded it. D) WPA2-TKIP: WPA2-TKIP uses the Temporal Key Integrity Protocol (TKIP) for encryption, which is now considered weak and vulnerable to attacks. WPA2-CCMP (AES) should be used instead of WPA2-TKIP whenever possible.

Answer 39

Answer: B) Attackers can find ways to insert malicious payloads that bypass the filters Explanation: Deny listing is less secure than allow listing because attackers can use encoding tricks (e.g., Unicode, hex encoding) to bypass input sanitization filters.

Answer 40

Answer: B) The confidentiality and regulatory requirements of the data ✔ Correct Explanation: Confidentiality and regulatory compliance (e.g., PCI DSS) dictate security measures for sensitive banking records. ✘ Incorrect Answers: A) Size of transaction – Classification is based on data sensitivity, not transaction size. C) Geographic location – Location impacts data sovereignty, but does not determine classification. D) Encryption method – Encryption is a security control, not a classification factor.

Answer 41

Answer: B) Perform the update on a sandboxed test system ✔ Correct Explanation: A sandboxed test system allows engineers to analyze how a new feature impacts security before deploying it to production. ✘ Incorrect Answers: A) Implement the feature directly in the production environment – This is risky and can introduce security vulnerabilities without proper testing. C) Monitor the application for vulnerabilities after deployment – This does not prevent security issues from occurring in the first place. D) Disable all security controls – This would expose the system to potential security threats without any protections.

Answer 42

✅ Correct Answer: D. The secure baseline does not include patch management policies Explanation: Secure baselines define security configurations for systems, but if patch management is not included, systems may fail to receive critical updates, leading to security vulnerabilities. ❌ Incorrect Answers: A. Secure baselines do not automatically prevent updates; missing patches indicate a policy gap, not a restriction. B. A zero-trust security model focuses on access control, not patch management. C. User access controls regulate permissions but are not directly responsible for missing patches.

Answer 43

✅ Correct Answer: D. Wi-Fi (2.4 GHz) Explanation: Wi-Fi operating on the 2.4 GHz frequency is highly susceptible to interference from household devices such as microwaves, cordless phones, and baby monitors, which also operate in the same frequency range. ❌ Incorrect Answers: A. Satellite communications are not affected by household device interference but can be disrupted by weather conditions. B. 5G cellular networks operate at higher frequencies (sub-6 GHz or mmWave), which are less prone to household interference. C. Bluetooth also uses 2.4 GHz, but it employs frequency hopping to mitigate interference, making it less susceptible than Wi-Fi.

Answer 44

Answer: D) WPA3-Enterprise Explanation: WPA3-Enterprise provides the strongest encryption, individualized data encryption, and robust authentication mechanisms, making it ideal for high-security environments. Why other options are not ideal: A) WEP: Outdated and insecure, easily crackable by hackers due to weak encryption. B) WPA: An improvement over WEP, but still less secure than WPA3. C) WPA2-PSK: While more secure than WEP and WPA, it uses a shared pre-shared key (PSK) which can be more vulnerable to attacks compared to WPA3-Enterprise's individual encryption.

Answer 45

Answer: A) Industry regulations, storage costs, and destruction policies ✔ Correct Explanation: Data retention policies should comply with industry regulations, balance storage costs, and include secure destruction when data is no longer needed. ✘ Incorrect Answers: B) Keeping all data indefinitely – Increases legal liability and security risks. C) Encrypting and never deleting data – Storage costs and legal issues may arise if data is kept indefinitely. D) Automatically deleting after six months – Retention requirements vary by industry; some data must be stored longer.

Answer 46

✅ Correct Answer: D. Implement network segmentation, monitor data flows, and apply strict access controls Explanation: ICS/SCADA systems require strong security measures to prevent cyberattacks while maintaining stability. Network segmentation, monitoring, and strict access controls reduce the attack surface and improve security without disrupting operations. ❌ Incorrect Answers: A. Removing security controls would increase cyber risks, making the systems more vulnerable. B. Connecting ICS/SCADA systems directly to the internet is highly dangerous and exposes them to remote attacks. C. Upgrading operating systems may help, but ICS/SCADA security requires specialized protections, not just OS upgrades.

Answer 47

Answer: B) EAP-TLS Explanation: EAP-TLS (Extensible Authentication Protocol - Transport Layer Security) is the most secure authentication method for wireless networks when using certificates for authentication. It uses mutual authentication and strong encryption, making it highly resistant to attacks. It also offers certificate-based authentication, which is the preferred method for eliminating password-related attacks. Why other options are incorrect: A) EAP-TTLS: While EAP-TTLS uses TLS for encryption, it doesn't fully utilize certificates for authentication. It uses a combination of certificates and passwords, making it less secure than EAP-TLS. C) EAP-FAST: EAP-FAST (Fast Authentication Security Tunneling) is designed for faster authentication but still relies on passwords in some scenarios. It's not as secure as EAP-TLS. D) PEAP: PEAP (Protected Extensible Authentication Protocol) also uses TLS for encryption, but it can use various authentication methods including MSCHAPv2 which relies on passwords. Since the question specifies certificate-based authentication, PEAP is not the correct choice

Answer 48

Answer: C) CCMP (AES) Explanation: CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code): This protocol uses the AES encryption algorithm and includes a nonce (a unique number) in each packet to prevent replay attacks. WPA2-TKIP: While WPA2 offers improved security over WEP, it uses the Temporal Key Integrity Protocol (TKIP) which is less secure against replay attacks compared to CCMP. WEP (Wired Equivalent Privacy): This is an outdated protocol highly vulnerable to replay attacks due to its weak encryption and lack of a secure nonce mechanism. RADIUS with PAP: RADIUS itself does not inherently prevent replay attacks. It relies on authentication methods like PAP (Password Authentication Protocol) which can be susceptible to attacks if not properly secured with additional measures.

Answer 49

Answer: A) Cryptographic erasure ✔ Correct Explanation: Cryptographic erasure renders data unrecoverable by deleting encryption keys, allowing the device to be securely reused. ✘ Incorrect Answers: B) Low-level formatting – Data can still be recovered using forensic tools. C) Degaussing – Wipes data irreversibly, but renders the device unusable. D) Physical destruction – Eliminates data but prevents device reuse.

Answer 50

Answer: C) Continuous monitoring ✔ Correct Explanation: Continuous monitoring provides real-time detection of security threats and vulnerabilities in web applications. ✘ Incorrect Answers: A) Digital signatures – These validate authenticity but do not track real-time threats. B) Sandboxing – This is for isolated testing, not real-time monitoring. D) Code obfuscation – This makes source code harder to analyze but does not detect threats.

Answer 51

Answer: A) Allow listing for input validation, secure cookies, and code signing Explanation: A combination of security measures is necessary for secure applications. Allow listing prevents injection attacks, secure cookies protect session data, and code signing ensures software integrity.

Answer 52

Answer: C) False positive ✔ Correct Explanation: A false positive occurs when a vulnerability scan incorrectly flags a vulnerability that does not actually exist, leading to unnecessary investigation. ✘ Incorrect Answers: A) False negative – This occurs when a scan fails to detect an actual vulnerability, which is a more serious risk. B) True positive – Would mean the vulnerability actually exists, but here it does not. D) CVE misclassification – CVE naming errors do not affect whether a vulnerability is detected incorrectly in a scan.

Answer 53

Answer: C) Conduct a site survey to identify optimal AP placement Explanation: Site surveys identify signal strength, interference sources, and ideal AP locations to ensure seamless Wi-Fi coverage without excessive interference.

Answer 54

Answer: A) Disabling Bluetooth when not in use and enforcing device pairing policies Explanation: Bluetooth security best practices include disabling Bluetooth when not in use and restricting device pairing to trusted devices to prevent unauthorized connections.

Answer 55

Answer: C) False negative ✔ Correct Explanation: A false negative occurs when a vulnerability scan fails to detect an actual security weakness, leading to unaddressed risks that attackers can exploit. ✘ Incorrect Answers: A) False positive – Would mean a vulnerability was incorrectly flagged when it did not exist. B) Exposure factor miscalculation – Exposure factor refers to likelihood, not detection failures. D) Incorrect CVSS rating – A miscalculated CVSS score affects severity assessment, not detection failures.

Answer 56

Answer: C) In SaaS environments, the cloud provider is responsible for most security measures Explanation: In Software as a Service (SaaS) models, the provider manages security, while in Infrastructure as a Service (IaaS), the customer has more control over security settings.

Answer 57

✅ Correct Answer: D. MAC addresses can be easily spoofed by attackers Explanation: MAC address filtering is not a strong security measure because attackers can easily spoof MAC addresses to bypass restrictions and gain unauthorized access to the network. ❌ Incorrect Answers: A. MAC address filtering does not use certificate-based authentication—it simply checks static MAC addresses. B. MAC address filtering does not provide encryption; encryption is handled by protocols like WPA2 or WPA3. C. MAC filtering does not fully prevent unauthorized access since attackers can spoof MAC addresses.

Answer 58

Answer: B) The vulnerability’s CVSS score and potential impact ✔ Correct Explanation: CVSS scores help measure severity, and combining this with potential impact ensures that critical vulnerabilities are prioritized for remediation. ✘ Incorrect Answers: A) False positives in the scan – These should be filtered out but do not determine real prioritization. C) Total number of vulnerabilities – Quantity alone is not a priority factor; severity matters more. D) Environmental variables – These affect risk but do not dictate prioritization of specific vulnerabilities.

Answer 59

Answer: B) Low likelihood, high impact ✔ Correct Explanation: If a vulnerability is difficult to exploit (low likelihood) but could cause severe financial consequences (high impact), it falls into this category. ✘ Incorrect Answers: A) High likelihood, low impact – Would mean it is easy to exploit but has minor consequences. C) High likelihood, high impact – Would mean it is both easy to exploit and highly damaging. D) Low likelihood, low impact – Would mean it is both rare and not very damaging.

Answer 60

Answer: C) Risk acceptance ✔ Correct Explanation: Risk acceptance occurs when an organization acknowledges the risk but chooses not to eliminate it, instead using additional controls to manage it. ✘ Incorrect Answers: A) Risk avoidance – Would mean the organization completely stops using the legacy software. B) Risk mitigation – Would mean the company takes actions to reduce the risk, such as patching. D) Risk transfer – Would mean the company shifts the risk to another party, such as buying cybersecurity insurance.

Answer 61

Answer: A) Enable air gapping, require multi-factor authentication (MFA), and apply database encryption Explanation: Hardening a server involves physical isolation (air gapping), MFA for strong authentication, and encryption to protect sensitive financial data.

Answer 62

Answer: C) Immediately implement risk mitigation strategies ✔ Correct Explanation: Since the risk tolerance is low and the impact is severe, the best action is to mitigate the risk immediately by applying security controls, patches, or other protections. ✘ Incorrect Answers: A) Accept the risk – This contradicts the organization’s low risk tolerance. B) Assign a CVSS score – This is helpful but does not provide immediate protection. D) Lower the risk tolerance threshold – This goes against the company's risk management strategy.

Answer 63

Answer: B) Test the patch in a controlled environment before deployment ✔ Correct Explanation: Patching should be done in a controlled manner to ensure it does not break existing systems. Testing in a staging or sandbox environment ensures compatibility before applying it to production. ✘ Incorrect Answers: A) Apply the patch immediately – Without testing, this could cause system failures or compatibility issues. C) Wait for a new version of the patch – Delaying remediation leaves the system vulnerable. D) Ignore the patch – Even if no known exploits exist, delaying patching increases risk.

Answer 64

Answer: A) Apply compensating controls such as firewalls and intrusion prevention systems (IPS) ✔ Correct Explanation: Compensating controls (e.g., firewalls, IDS/IPS, VPNs) can reduce risk until a patch is available, limiting the attack surface. ✘ Incorrect Answers B) Purchase cybersecurity insurance – Insurance mitigates financial loss, but does not prevent an attack. C) Wait for a patch – Leaves the system exposed to active threats. D) Shut down the web server permanently – Disrupts business operations without solving the problem.

Answer 65

Answer: B) Heat map analysis Explanation: Heat maps visually display signal distribution and interference, helping IT teams identify dead zones and optimize AP placement.

Answer 66

✅ Correct Answer: D. Cellular networks are less susceptible to rogue AP attacks Explanation: Rogue Access Point (AP) attacks are a major risk in Wi-Fi networks, where an attacker sets up an unauthorized AP to intercept traffic. Cellular networks do not rely on APs, making them less vulnerable to this type of attack. ❌ Incorrect Answers: A. Cellular networks do not provide unlimited bandwidth—they are often metered and throttled. B. Cellular networks still require encryption for security; they are not inherently safe without it. C. Cellular networks can experience latency issues, especially in areas with weak signal coverage.

Answer 67

Answer: A) Conduct a vulnerability rescan to ensure the patch eliminated the identified vulnerability ✔ Correct Explanation: Rescanning is the most direct and efficient method to verify whether the patch successfully eliminated the vulnerability. It provides immediate confirmation that the issue is no longer present. ✘ Incorrect Answers B) Perform a penetration test – This could confirm whether the patch is effective, but penetration testing is time-consuming and typically not the first step in validation. A rescan is quicker and directly identifies if the vulnerability still exists. C) Monitor system logs – This detects new exploit attempts, but does not confirm whether the patch fully eliminated the vulnerability. D) Review vendor documentation – Understanding the patch is important, but reading documentation does not verify the system is actually secure.

Answer 68

Answer: B) Embedded systems may create overlooked network connections Explanation: Embedded systems often have unmonitored network connections, making them attractive targets for attackers due to lack of updates and patching.

Answer 69

Answer: A) The presence of a known exploit for the vulnerability in dark web forums ✔ Correct Explanation: Environmental factors include external threats such as dark web exploits, ongoing cyberattacks, or industry-specific vulnerabilities that increase real-world risk. ✘ Incorrect Answers B) False positives in a scan – Internal issue, not an external environmental factor. C) Scanner detection likelihood – Related to detection, not environmental risk. D) CVE classification – Helps standardize vulnerabilities, but is not an external factor.

Answer 70

Answer: B) Use network segmentation to isolate the devices from critical systems ✔ Correct Explanation: Network segmentation isolates vulnerable devices, reducing the risk of a compromised device affecting critical systems. ✘ Incorrect Answers A) Remove the devices from service immediately – Not always feasible due to operational requirements. C) Apply third-party patches – Unauthorized patches may cause instability or violate compliance regulations. D) Accept the risk without taking action – Leaves patient data and critical systems exposed.

Answer 71

Answer: A) Apply a patch if available, but accept the risk if exploitation is unlikely ✔ Correct Explanation: If the likelihood of exploitation is low, patching is the best course of action, while documenting the risk acceptance if necessary. ✘ Incorrect Answers B) Take the database offline – Not necessary unless the risk is critical. C) Report to a bug bounty program – Internal vulnerabilities are not relevant to public bug bounty programs. D) Purchase cybersecurity insurance – Insurance does not fix vulnerabilities.

Answer 72

Answer: A) Conduct an external security audit to verify the effectiveness of the remediation and compliance with industry standards ✔ Correct Explanation: An external audit is the best option because it not only verifies remediation effectiveness but also ensures the company meets regulatory requirements. Industry compliance often mandates third-party validation, making an audit the strongest choice. ✘ Incorrect (but plausible) Answers B) Internal security assessment (vulnerability scan & log analysis) – Useful but not sufficient for regulatory compliance. While this step confirms the patch, it does not meet external audit requirements for compliance. C) Third-party penetration test – A penetration test is valuable but does not directly satisfy compliance requirements in the same way an external audit does. A compliance-focused audit is more relevant. D) Monitor for exploit attempts – Passive monitoring does not ensure compliance or validate remediation; it should be a complementary process, not the primary action.

Answer 73

Answer: A) Document the issue and escalate for risk assessment ✔ Correct Explanation: New vulnerabilities introduced by remediation efforts must be properly assessed before making further changes. Documenting and escalating the issue ensures proper handling. ✘ Incorrect (but plausible) Answers B) Undo the remediation – Reintroduces the original vulnerability, which is not an ideal solution. C) Immediately deploy a patch – Not always available or tested yet; risk assessment must come first. D) Monitor for anomalies before acting – Delays response and could allow exploitation.

Answer 74

Answer: A) Perform a configuration review to verify that system settings were updated correctly ✔ Correct Explanation: Configuration reviews ensure that the correct security settings and policies were applied as part of the remediation process. ✘ Incorrect (but plausible) Answers: B) Conduct security awareness training – Good for overall security but does not confirm remediation success. C) Enable additional logging – Useful for detecting future issues but does not directly verify remediation effectiveness. D) Perform a risk assessment on unrelated vulnerabilities – Not relevant to verifying the specific remediation effort.

Answer 75

Correct Answer: ✅ B. Detecting and responding to abnormal activity on endpoints Explanation: EDR tools monitor endpoint activity to detect, analyze, and respond to threats such as malware or unauthorized access. They provide real-time analysis and incident response capabilities. Incorrect Answers: A. This is a function of firewalls or Intrusion Prevention Systems (IPS), not EDR. C. Data Loss Prevention (DLP) tools focus on preventing unauthorized data exfiltration. D. Intrusion Detection Systems (IDS) and vulnerability scanners analyze network traffic for vulnerabilities, not EDR.

Answer 76

Correct Answer: ✅ C. Application log analysis Explanation: Application monitoring involves analyzing log data to detect anomalies, such as excessive resource usage, availability issues, or potential bugs. Incorrect Answers: A. Network traffic monitoring is used to analyze data flow but does not focus on resource consumption by applications. B. Infrastructure monitoring involves detecting physical or environmental anomalies, not software-related performance issues. D. Endpoint security monitoring focuses on threats like malware, not application performance.

Answer 77

Answer: C) Physical obstructions and interference sources Explanation: Site surveys assess physical obstacles, interference, and RF propagation to determine optimal wireless network design.

Answer 78

✅ Correct Answer: D. Use firewalls, encryption, and access control lists (ACLs) Explanation: Firewalls, encryption, and Access Control Lists (ACLs) help secure RTOS devices without disrupting real-time data transmission, providing controlled access and protection against cyber threats. ❌ Incorrect Answers: A. Allowing guest network access would expose devices to unauthorized access, increasing security risks. B. Disabling all network communication would prevent the devices from functioning properly. C. Allowing unrestricted admin access could lead to misconfigurations and insider threats.

Answer 79

Answer: B) A separate VLAN for guest access Explanation: Network segmentation via VLANs ensures guest traffic is isolated from internal resources, reducing attack surfaces and security risks.

Answer 80

Answer: A) Identify if the vulnerability affects the organization’s systems ✔ Correct Explanation: Before taking any action, the security team must verify whether the organization’s systems are affected and determine the appropriate response. ✘ Incorrect Answers: B) Immediately patch all systems – Blindly applying patches can cause compatibility issues. C) Purchase cybersecurity insurance – Insurance does not prevent or remediate vulnerabilities. D) Notify users to stop using the application – Only necessary if the vulnerability is actively being exploited.

Answer 81

Correct Answer: ✅ C. Infrastructure security monitoring Explanation: Infrastructure monitoring involves tracking environmental conditions such as humidity, fire, and unauthorized physical movement to protect critical assets. Incorrect Answers: A. Network security monitoring focuses on traffic flow, intrusion detection, and anomaly detection, not physical security. B. Endpoint security monitoring deals with detecting threats on devices like workstations and servers. D. Application security monitoring focuses on software behavior, not environmental factors.

Answer 82

Correct Answer: ✅ B. Blocking unauthorized data transfers and leaks Explanation: DLP solutions monitor and prevent unauthorized attempts to transfer, share, or leak sensitive data, whether through email, USB devices, or cloud services. Incorrect Answers: A. Endpoint Detection and Response (EDR) solutions focus on malware detection and response, not DLP. C. While encryption is a security measure, DLP actively prevents unauthorized data transfers rather than securing stored data. D. Application security testing tools identify vulnerabilities in code, but this is not the function of DLP.

Answer 83

✅ Correct Answer: B. To ensure that high-priority threats are addressed first Explanation: SIEM systems generate numerous alerts, and prioritizing them ensures that security teams focus on critical threats first rather than wasting time on minor issues. This is essential for managing security incidents efficiently. ❌ Incorrect Answers: A. SIEM does not prevent low-severity alerts from being logged; they may still be recorded for later review. C. While log storage management is important, the primary goal of severity-based prioritization is security response, not storage reduction. D. SIEMs may trigger automated responses, but not all vulnerabilities can be remediated without human intervention.

Answer 84

Answer: C) IoT devices are often unpatched and may become attack entry points Explanation: IoT devices are commonly unpatched, lack built-in security, and can be exploited by attackers to infiltrate a network.

Answer 85

✅ Correct Answer: B. It standardizes and centralizes log data for analysis Explanation: Log aggregation collects logs from various systems and normalizes them into a standard format. This makes it easier to analyze data across multiple sources for security investigations. ❌ Incorrect Answers: A. SIEM correlation rules are still needed to detect patterns and security incidents. C. Logs may still exist in different locations, but aggregation provides a central repository for analysis. D. Log aggregation helps with analysis but does not automatically detect or fix vulnerabilities.

Answer 86

Correct Answer: B. Validate whether the alert is a false positive Explanation: Before taking drastic actions, security analysts must validate the alert. False positives are common, and responding to an invalid alert can waste resources and cause unnecessary disruptions. ❌ Incorrect Answers: A. Quarantining may be necessary if the exploit is confirmed, but validation must happen first. C. Disabling network access for all users is extreme and would cause major disruptions without confirmation of an active threat. D. Archiving scan results is useful for compliance, but immediate validation is a priority.

Answer 87

✅ Correct Answer: C. Perform alert tuning to adjust sensitivity levels Explanation: Alert tuning involves modifying the settings of vulnerability scanners and SIEMs to filter out low-priority issues while still catching critical vulnerabilities. This reduces false positives and improves security response efficiency. ❌ Incorrect Answers: A. Quarantining every potentially vulnerable system would be impractical and disruptive. B. Increasing scan frequency won’t help if the alerts are not properly tuned; it may actually worsen the issue. D. Disabling all low-priority alerts could cause important issues to be overlooked. Alert tuning is a better solution.

Answer 88

✅ Correct Answer: D. Automated log collection, correlation, and behavioral analysis Explanation: SIEM collects logs, correlates security events, and uses heuristic analysis to detect anomalies. ❌ Incorrect Answers: A. DLP, not SIEM, prevents data exfiltration. B. Web application scanners (e.g., Burp Suite) identify vulnerabilities, not SIEM. C. SIEM does not actively block traffic; IDS/IPS perform this function.

Answer 89

✅ Correct Answer: A. To verify compliance with regulatory retention policies Explanation: Many regulations, such as GDPR, HIPAA, and PCI DSS, require security logs to be archived for a certain period. Reviewing these logs helps ensure compliance and may support forensic investigations. ❌ Incorrect Answers: B. Reviewing archived logs is a retrospective process, not a real-time security activity. C. Security logs are retained for analysis, not deleted to improve network performance. D. While logs may help troubleshoot an outage, archived logs are usually examined for compliance or forensic analysis rather than immediate troubleshooting.

Answer 90

✅ Correct Answer: D. To improve cyber threat intelligence sharing and automation Explanation: SCAP, developed by NIST, standardizes security configurations and automates vulnerability management through frameworks like CVE, CVSS, and OVAL. ❌ Incorrect Answers: A. SCAP is not an encryption standard; it focuses on cybersecurity automation. B. Analyzing user behavior is a function of SIEM and UEBA, not SCAP. C. SCAP does not inspect network packets; IDS/IPS perform packet inspection.

Answer 91

✅ Correct Answer: C. Greater visibility into the security state of devices Explanation: Agent-based NAC installs software on endpoints, allowing deeper security checks like patch levels and antivirus status. ❌ Incorrect Answers: A. Agentless NAC is easier to deploy but offers less visibility into device security. B. Agentless NAC is better for guest users because it does not require software installation. D. Agent-based NAC requires software installation, unlike agentless NAC.

Answer 92

✅ Correct Answer: C. Network Access Control (NAC) Explanation: NAC ensures devices meet security policies (patching, antivirus) before or after being allowed on the network. ❌ Incorrect Answers: A. SIEM collects and correlates logs but does not control network access. B. DLP protects sensitive data, not network access. D. Vulnerability scanners identify weaknesses but do not enforce access control.

Answer 93

✅ Correct Answer: B. Heuristic-based detection Explanation: Heuristic-based detection identifies malware based on behaviors and patterns rather than known signatures, making it effective against new threats. ❌ Incorrect Answers: A. Signature-based detection relies on known malware signatures and is ineffective against new threats. C. Sandboxing runs suspected files in an isolated environment but does not detect behavior-based threats in real time. D. AI and machine learning enhance detection but are separate from heuristic-based detection.

Answer 94

✅ Correct Answer: D. To monitor and restrict unauthorized data transfers Explanation: DLP detects and blocks unauthorized sharing of sensitive data, such as PII or financial records. ❌ Incorrect Answers: A. IAM (Identity and Access Management) controls access to applications, not DLP. B. Vulnerability scanners, not DLP, scan for weaknesses. C. Encryption protects data but does not actively monitor data transfers.

Answer 95

✅ Correct Answer: B. It introduces source authentication, encryption, and message integrity Explanation: SNMPv3 improves security by adding encryption, authentication, and integrity checks, unlike SNMPv1 and SNMPv2. ❌ Incorrect Answers: A. SNMPv3 does not control VPN access. C. Firewalls block unauthorized connections, not SNMPv3.

Answer 96

✅ Correct Answer: A. Identifying security weaknesses in networks and applications Explanation: Vulnerability scanners (e.g., Nessus, OpenVAS) proactively scan networks and systems for security flaws. ❌ Incorrect Answers: B. Vulnerability scanners identify, but do not automatically patch vulnerabilities. C. File Integrity Monitoring (FIM) tools track file changes, not scanners. D. Firewalls and IDS/IPS block malicious traffic, not vulnerability scanners.

Security Operations 1 Flashcards

(120 cards)