Security X Practice Test 4 Hardcover Flashcards

(21 cards)

1
Q

Question 1
A. COBIT 2019
B. ITIL 4
C. NIST 800-53
D. ISO 27001
E. CIS Controls

  1. Provides a governance focused model for IT security risk management
  2. Focuses on service management and operational security processes
  3. Defines security and privacy controls for federal and enterprise environments
  4. Establishes international certification requirements for security governance
  5. Offers technical security controls prioritized for cyber defense
A

A-1
B-2
C-3
D-4
E-5

Explanation:
A. COBIT provides a governance-focused model for IT risk management
B. ITIL focuses on service management and operational security
C. NIST 800-53 defines security and privacy controls
D. ISO 27001 defines international certifications for security governance
E. CIS Controls prioritize technical security measures

2
Q

Question 4:
A technology firm is building a new risk prioritization model for its cloud-based services. While evaluating risk impact assessment approaches, the CISO identifies a flawed methodology that does not accurately reflect real-world security risk scenarios. Which of the following techniques does NOT provide an effective risk impact analysis?

A. Business Impact Analysis (BIA) for assessing financial and operational consequences
B. Quantitative risk analysis for financial loss estimation
C. Static checklist-based risk assessments
D. Qualitative risk ranking using probability and severity scales
E. Monte Carlo simulations for modeling uncertainty and risk variation

A

C. Static checklist-based risk assessments

Explanation:
Static checklists do not account for evolving threats, vulnerabilities or dynamic risk factors

Incorrect:
A. BIA identifies real-world business consequences of security risks
B. Quantitative risk analysis provides objective financial impact assessment
D. Qualitative risk ranking helps prioritize threats based on likelihood and impact
E. Monte Carlo simulations model various risk scenarios under uncertainty

3
Q

Question 6:
Your organization's backup logs indicate failed attempts to copy critical database snapshots to an offsite storage location. The SIEM alert shows the following entries:
2025-02-02 - Backup failure - Unauthorized access attempt detected
2025-02-02 - Unauthorized deletion attempt - Database snapshot removed
2025-02-02 - Anomalous admin login - IP 182.0.2.10

What is the most likely explanation for this backup failure?

A. An insider threat attempted unauthorized modifications
B. The storage policy denied access due to misconfiguration
C. A ransomware attack targeted backup integrity
D. A scheduled maintenance window caused a backup delay
E. An expired security certificate blocked access to the backup storage

A

C. A ransomware attack targeted backup integrity

Explanation:
Ransomware often targets backup data to prevent recovery

Incorrect:
A. An insider threat is possible, but the pattern aligns more with external compromise
B. Access policies may prevent backups but the unauthorized deletion suggests a cyberattack
D. A maintenance window does not explain unauthorized access attempts

4
Q

Question 14:
A healthcare provider deploys AI models to automate patient diagnosis. However, security audits reveal autonomous AI decision-making risks, where the model denies urgent treatment due to a misclassified patient condition. Below is the AI access policy:

AI Decision Making Policy (Before):
{
  autonomy: Full
  humanOverride: None
  auditLogging: Minimal
  explainability: Disabled
}

What two security controls should be implemented to reduce autonomous AI risks? (Select two)

A. Require human review for high risk AI decisions
B. Enable AI explainability for decision transparency
C. Maintain full AI autonomy to improve efficiency
D. Disable audit logs to protect patient privacy
E. Remove human override functions

A

A. Require human review for high risk AI decisions
B. Enable AI explainability for decision transparency

Explanation:
A. Human review prevents incorrect AI based decisions
B. Explainability allows security teams to verify AI logic

Incorrect:
C. Full autonomy without human oversight is dangerous
D. Audit logs are critical for compliance
E. Removing human override reduces accountability

5
Q

Question 33:
Your team is hardening Kubernetes security after detecting unauthorized pod deployments. Below is the current RBAC configuration, which needs to be updated to restrict administrative actions to specific roles only. What two security modifications should be implemented?

RBAC Policy (Before)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: unrestricted-admin
subjects:
- kind: User
  name: "*"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin

A. Restrict role bindings to named users instead of a wildcard (*)
B. Use least privilege ClusterRole instead of cluster-admin
C. Allow unrestricted access to simplify deployments
D. Disable RBAC enforcement for flexibility
E. Apply global wildcard permissions for scalability

A

A. Restrict role bindings to named users instead of a wildcard (*)
B. Use least privilege ClusterRole instead of cluster-admin

Explanation:
A. The wildcard (*) grants every user unrestricted admin access, violating security best practices
B. The ClusterRole 'cluster-admin' should be replaced with a least-privilege role

Incorrect:
C. Unrestricted access increases attack surface
D. Disabling RBAC negates Kubernetes security controls
E. Wildcard permissions contradict least privilege

6
Q

Question 39:
A global enterprise is deploying Always On VPN for remote employees to ensure continuous security compliance. The security team notices increased bandwidth consumption and performance issues for cloud-based applications accessed through the VPN. Some users have also reported connectivity disruptions when switching between networks. Given this scenario, what is the best way to optimize Always On VPN while maintaining security?

A. Implement split tunneling for trusted cloud services while enforcing full tunnel mode for critical applications
B. Disable Always On VPN for users accessing cloud-based applications
C. Reduce VPN session timeout to force frequent re-authentications
D. Route all traffic through a single regional VPN gateway to centralize security
E. Require users to manually initiate VPN sessions instead of Always On VPN

A

E. Require users to manually initiate VPN sessions instead of Always On VPN

Explanation:
E. Manual VPN initiation allows users to balance security and network performance

Incorrect:
A. Split tunneling introduces risks by bypassing enterprise security controls
B. Disabling Always On VPN exposes users to security risks when accessing cloud services
C. Frequent re-authentication does not address performance issues
D. A single regional VPN gateway creates a bottleneck, worsening performance

7
Q

Question 43:
Your company is enforcing Just-in-Time access controls to reduce excessive permissions and enforce least privilege principles. Below is the existing IAM role configuration:

{"Role": "Administrator", "AccessDuration": "Indefinite", "PrivilegeLevel": "high"}

What two modifications should be made to align with best practices?

A. Set access duration to time bound, requiring reauthorization for privilege escalation
B. Reduce privilege levels and enforce fine grained access controls
C. Maintain indefinite access to avoid user disruptions
D. Assign all users administrative privileges to ensure availability
E. Disable reauthorization requirements for efficiency

A

A. Set access duration to time bound, requiring reauthorization for privilege escalation
B. Reduce privilege levels and enforce fine grained access controls

Explanation:
A. Just-in-Time access enforces temporary privileges, reducing the attack surface
B. Fine-grained access controls align with least privilege principles

Incorrect:
C. Indefinite access contradicts Just-in-Time principles
D. Assigning all users administrative privileges introduces excessive risks
E. Reauthorization is necessary for security enforcement

8
Q

Question 44:
A recent cyber threat report highlights attackers exploiting weak password hashing methods to compromise credentials stored in a database. The report includes:
IoCs: MD5-hashed credentials; high collision vulnerability
Attack Method: Hash cracking using rainbow tables
Target: Application login database

What is the best defense against this type of attack?

A. Implement bcrypt or Argon2 for secure password hashing
B. Increase MD5 hash iterations to strengthen security
C. Store passwords in plaintext with strict access controls
D. Use SHA-1 instead of MD5 for better resistance
E. Require password changes every 24 hours to reduce exposure

A

A. Implement bcrypt or Argon2 for secure password hashing

Explanation:
A. Bcrypt and Argon2 provide strong password hashing with computational resistance

Incorrect:
B. Increasing iterations does not mitigate MD5 vulnerabilities
C. Storing plaintext passwords is a security flaw
D. SHA-1 is also deprecated due to collision vulnerabilities
E. Frequent password changes do not address weak hashing

9
Q

Question 54:
A security engineer is reviewing a TLS configuration for an enterprise web server. The current configuration file contains:
Protocol: TLS 1.0, TLS 1.1, TLS 1.2
Cipher Suite: RC4, AES-128-CBC, AES-256-CBC
Forward Secrecy: Disabled

What two critical changes should be made to improve security?

A. Remove TLS 1.0 and 1.1, enabling only TLS 1.2 and 1.3
B. Replace RC4 and AES-128-CBC with AES-GCM
C. Enable Forward Secrecy to prevent key compromise
D. Keep TLS 1.0 for backward compatibility
E. Disable all ciphers except AES-256-CBC

A

A. Remove TLS 1.0 and 1.1, enabling only TLS 1.2 and 1.3
B. Replace RC4 and AES-128-CBC with AES-GCM

Explanation:
A. TLS 1.0 and 1.1 are deprecated and should be disabled
B. AES-GCM provides better security than CBC mode

Incorrect:
C. While beneficial, enabling forward secrecy is secondary to removing insecure ciphers
D. TLS 1.0 is obsolete and should not be retained
E. Relying only on AES-256-CBC is not ideal without GCM mode

10
Q

Question 58:
A defense contractor's cybersecurity team is analyzing a sophisticated BIOS/UEFI tampering campaign. Threat intelligence reports indicate that adversaries are using low-level firmware exploits to achieve persistence.

- Unauthorized BIOS flash modifications detected
- Increased execution of unsigned firmware code
- Recovery mode bypassed via vendor-specific exploit

Which countermeasure is most effective in mitigating this attack?

A. Enable Boot Guard to enforce signed firmware execution
B. Implement periodic firmware integrity checks
C. Restrict BIOS updates to physical access only
D. Deploy endpoint protection software with BIOS Scanning
E. Require administrative approval for all firmware updates

A

A. Enable Boot Guard to enforce signed firmware execution

Explanation:
Boot Guard enforces cryptographic verification of firmware updates

Incorrect:
B. Integrity checks detect, but do not prevent tampering
C. Physical access restrictions do not prevent software-based attacks
D. Endpoint protection does not provide robust BIOS security
E. Administrative approval does not prevent unauthorized firmware execution

11
Q

Question 59:
A logistics company monitoring its IoT-based vehicle tracking system identifies unusual outbound traffic from GPS devices. The SIEM logs indicate that multiple devices are transmitting excessive data to a foreign server. Below is the security event log:
2025-02-02 - Device: GPS_Truck_12 - Destination: 198.51.100.25 - Data Sent: 1.2GB
2025-02-02 - Device: GPS_Truck_24 - Destination: 198.51.100.25 - Data Sent: 1.5GB
2025-02-02 - Device: GPS_Truck_89 - Destination: 198.51.100.25 - Data Sent: 1.3GB

What is the most likely cause of this traffic pattern?

A. Normal GPS synchronization with cloud servers
B. An exfiltration attack using compromised GPS devices
C. A scheduled software update for the GPS fleet
D. A misconfigured routing rule sending traffic externally
E. Increased network congestion affecting data transfer rates

A

B. An exfiltration attack using compromised GPS devices

Explanation:
IoT devices are a common target for exfiltration attacks

Incorrect:
A. GPS data updates do not typically involve excessive data transmission
C. Software updates would originate from trusted domains
D. Routing misconfigurations do not explain large outbound transfers to unknown IPs
E. Network congestion does not trigger consistent high data transfers

12
Q

Question 65:
Your organization is migrating legacy TLS 1.2 services to TLS 1.3 to enforce forward secrecy. Below is the current TLS 1.2 configuration:
Protocol: TLS 1.2

Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Key Exchange: Static RSA
Session Resumption: Enabled

What are two essential modifications required to achieve forward secrecy?

A. Replace RSA key exchange with ECDHE for ephemeral keying
B. Upgrade to TLS 1.3, which mandates forward secrecy
C. Disable session resumption to enforce unique key generation
D. Increase RSA key size to 4096-bit for stronger encryption
E. Use static Diffie-Hellman for consistent security

A

A. Replace RSA key exchange with ECDHE for ephemeral keying
B. Upgrade to TLS 1.3, which mandates forward secrecy

Explanation:
A. ECDHE ensures ephemeral key exchange, preventing past session decryption
B. TLS 1.3 enforces forward secrecy by default

Incorrect:
C. Disabling session resumption is unnecessary for forward secrecy
D. Increasing RSA key size does not introduce forward secrecy
E. Static DH does not provide forward secrecy as keys are reused

13
Q

Question 67:
A security team is analyzing an SMPC-enabled cloud computation environment after detecting anomalies. Below is the SIEM log:
2025-02-06 - Secure Computation Initialized
2025-02-06 - Participant Node 3 unreachable
2025-02-06 - Computation Failure: Insufficient Nodes
2025-02-06 - Security Alert: Possibly Byzantine Attack Detected

What is the most likely cause of the failure?

A. A participant node intentionally failed, disrupting SMPC consensus
B. The SIEM misclassified a normal computation failure as an attack
C. The cryptographic algorithm used is incompatible with distributed computation
D. The TLS protocol used for SMPC transmission is outdated
E. The network firewall is blocking communication between participating nodes

A

A. A participant node intentionally failed, disrupting SMPC consensus

Explanation:
A. A Byzantine attack involves a malicious node disrupting consensus, leading to a computation failure

Incorrect:
B. While misclassification is possible, the log specifically mentions an attack
C. The failure is due to node unreachability, not algorithmic issues
D. While TLS upgrades are important, they do not address Byzantine failures in SMPC
E. Firewalls may cause connectivity issues, but do not specifically indicate an attack

14
Q

Question 70:
A logistics company is implementing an end-to-end encrypted tracking system for fleet management. The company needs to balance security, performance and power consumption. What is the best cryptographic approach?

A. Use AES-128-GCM for encryption and Poly1305 for message authentication
B. Rely on MD5 hashing for lightweight security
C. Implement post quantum cryptography for future proof security
D. Use a symmetric stream cipher optimized for embedded devices
E. Disable authentication mechanisms to improve performance

A

B. Rely on MD5 hashing for lightweight security

Explanation:
Symmetric stream ciphers are lightweight and efficient for embedded systems

Incorrect:
A. AES-128-GCM and Poly1305 are secure but may not be optimal for constrained IoT devices
C. Post-quantum cryptography is too resource intensive for IoT applications
D. MD5 is outdated and insecure
E. Disabling authentication increases the risk of unauthorized data access

15
Q

Question 72:
A SOC analyst is investigating anomalous system behavior that suggests possible malware activity. The threat intelligence feed reports an increase in suspicious process execution patterns across multiple endpoints. Below is a sample forensic log:
2025-02-02 - INFO - Unusual Process Execution - user: jdoe - process: svchost.exe
2025-02-02 - WARNING - New Unknown Binary Execution - user: jdoe - file: XYZ.exe
2025-02-02 - CRITICAL - Process Injection Detected - process: XYZ.exe -> svchost.exe

What is the best immediate response to contain this potential threat?

A. Log the incident and monitor for future occurrences
B. Isolate the affected hosts and conduct forensic analysis
C. Allow the process to execute and collect more data
D. Disable the SIEM correlation rules temporarily
E. Assume the activity is a false positive

A

B. Isolate the affected hosts and conduct forensic analysis

Explanation:
B. Isolating affected hosts prevents lateral movement and facilitates investigation

Incorrect:
A. Passive monitoring does not mitigate an active threat
C. Allowing execution increases potential impact of an attack
D. Disabling correlation rules reduces visibility into malicious behavior
E. Assuming false positives without investigation creates security risks

16
Q

Question 74:
A compliance audit requires the organization to generate automated security reports. The reports must provide insights into threats, vulnerabilities and incident trends. Below is a sample security report configuration:
{report_frequency: daily, sections: [threats, incidents, vulnerabilities], format: PDF}

What improvement should be made to enhance report automation?

A. Reduce reporting frequency to weekly
B. Include real-time SIEM data for live threat tracking
C. Remove vulnerability tracking to simplify reports
D. Change format to CSV for easier integration with analytics tools
E. Enable manual review before finalizing reports

A

C. Remove vulnerability tracking to simplify reports

Explanation:
C. Removing vulnerabilities improves focus on live incidents

Incorrect:
A. Reducing frequency may delay threat response
B. Real-time SIEM data should be used separately for immediate action
D. CSV improves integration but does not automate report insights
E. Manual reviews slow down automation

17
Q

Question 77:
A security engineer is configuring endpoint hardening settings to prevent unauthorized application execution. Below is the current security policy configuration:
security-policy: {block-unsigned-executables:true, enforce-execution-control: true, allow-system-updates: true}

What additional measures should be implemented?

A. Enable automatic execution of administrator approved applications
B. Allow users to request temporary execution exceptions
C. Restrict execution to applications signed by trusted vendors only
D. Disable execution control for local admins
E. Whitelist commonly used productivity applications

A

E. Whitelist commonly used productivity applications

Explanation:
Whitelisting necessary applications ensures security while maintaining productivity

Incorrect:
A. Automatic execution increases security risks
B. Temporary execution exceptions can be exploited
C. Trusted vendor signing improves security but is not comprehensive
D. Local administrators should not have unrestricted execution

18
Q

Question 83:
A malware researcher is analyzing a newly discovered ransomware sample. The sample contains metadata showing the compiler version, timestamp and author details. However, the author information appears to be obfuscated using automated tools. What is the best technique to identify the actual malware author?

A. Reverse engineer the binary to locate hardcoded developer identifiers
B. Ignore the metadata as it is likely manipulated
C. Scan the binary against a threat intelligence database
D. Correlate embedded metadata with historical malware samples
E. Upload the sample to public sandboxes for attribution analysis

A

A. Reverse engineer the binary to locate hardcoded developer identifiers

Explanation:
A. Reverse engineering the binary may reveal hidden developer identifiers

Incorrect:
B. Ignoring metadata may cause loss of valuable attribution information
C. Scanning the binary aids in classification but not authorship detection
D. Metadata correlation is useful but secondary to direct analysis
E. Public sandboxing may expose sensitive samples

19
Q

Question 84:
A cybercriminal deleted sensitive files from a compromised enterprise workstation to cover their tracks. The security team needs to ensure forensic integrity while recovering deleted file fragments. Standard file recovery tools fail due to partial overwriting. The forensic team needs a reliable recovery method. What is the most effective forensic approach?

A. Use raw disk imaging to capture unallocated space before further analysis
B. Run an antivirus scan to detect any remnants of deleted files
C. Restore files from the workstation's system restore points
D. Check logs for file modification and deletion timestamps
E. Attempt to rebuild deleted files using RAID parity data

A

A. Use raw disk imaging to capture unallocated space before further analysis

Explanation:
A. Imaging preserves unallocated space, allowing forensic reconstruction

Incorrect:
B. AV scans detect malware but do not recover deleted files
C. System restore does not retain user-created files
D. Logs track events but do not reconstruct file contents
E. RAID parity recovery applies only to RAID storage arrays

20
Q

Question 85:
A Zero Trust architecture is being deployed in an organization to secure critical resources from insider threats. To enforce contextual access policies, the organization configures an identity and access management (IAM) policy. Below is the initial IAM policy:
{"Version": "2025-01-01", "Statement": [{"Effect": "Allow", "Action": "s3:", "Resource": "", "Condition": {}}]}

What two changes should be made to align with Zero Trust?

A. Restrict actions to "s3:GetObject" and specify resources by ARN
B. Add a condition to geo based access control
C. Change Effect to Deny to block all access
D. Implement time based restrictions within the condition block
E. Enable MFA by adding a condition: stringequals: aws:MFAPresent

A

A. Restrict actions to "s3:GetObject" and specify resources by ARN
E. Enable MFA by adding a condition: stringequals: aws:MFAPresent

Explanation:
A. Limiting actions and specifying resources reduces exposure to insider misuse
E. Enforcing MFA adds an additional layer of verification for user access

Incorrect:
B. Geo-based controls are useful but do not directly enforce Zero Trust measures
C. Blocking all access would disrupt legitimate operations
D. Time-based restrictions are supplementary but not a primary Zero Trust measure

21
Q

Question 87:
A cybersecurity team is analyzing threat intelligence related to a recent zero-day vulnerability exploit. The IoCs suggest an attack by an APT group, but there are inconsistencies in the attribution data. The team must determine whether the attribution is accurate or a false flag operation. What is the best approach to validate the attacker's identity?

A. Compare IoCs with MITRE ATT&CK tactics and techniques
B. Analyze attacker infrastructure using threat intelligence platforms
C. Correlate attack artifacts with past APT campaigns
D. Perform reverse engineering on malware samples
E. Cross-reference incident data with law enforcement threat reports

A

C. Correlate attack artifacts with past APT campaigns

Explanation:
C. Correlating attack artifacts with past APT campaigns improves attribution accuracy

Incorrect:
A. MITRE ATT&CK helps classify tactics but does not confirm attribution
B. Infrastructure analysis aids investigation but does not directly confirm attribution accuracy
D. Malware analysis helps, but attribution requires a broader correlation
E. Law enforcement reports help but are not always comprehensive for attribution