Security X Practice Test 5 Flashcards
(32 cards)
Question 6:
Your organization is reviewing its business continuity and disaster recovery (BC/DR) plan after a recent ransomware attack disrupted operations. The security team needs to ensure minimum downtime while maintaining data integrity and availability. Which of the following is the most critical component to prioritize for a successful BC/DR plan?
A. Frequent vulnerability scans to identify security weaknesses
B. Geographically distributed redundant data centers
C. Privileged access management (PAM) controls
D. An incident response policy with predefined SLAs
E. Encrypting all backup data at rest and in transit
B. Geographically distributed redundant data centers
Explanation:
B. Geographically distributed redundancy ensures business resilience in case of localized disasters
Incorrect:
A. Vulnerability scans help reduce attack surfaces but do not ensure service continuity
C. PAM controls help prevent privilege escalation but are not the main focus of BC/DR
D. Incident response plans help with detection and mitigation but do not ensure high availability
E. Encryption protects data but does not guarantee disaster recovery readiness
Question 10:
A. A structured adversary tracking system
B. A framework focusing on exploitation methods and vectors
C. A sequential breakdown of an intrusion lifecycle
D. A repository that documents attack tactics with real world scenarios
E. A methodology designed to counteract emerging cyber threats
1. Maps attack phases from reconnaissance to exfiltration
2. Organizes exploitation patterns for system vulnerabilities
3. Provides a detailed repository of offensive techniques
4. Tracks behavioral patterns to improve cyber defenses
5. Develops countermeasures based on attack behavior
A-4: This system helps categorize and track known adversary methodologies
B-2: This model focuses on how exploits function and spread
C-1: A breakdown of intrusion into multiple phases aids in defense
D-3: A well-documented repo enhances detection strategies
E-5: Counteracting cyber threats requires adapting defensive tactics
Question 12:
Your organization is building an attack tree to analyze threats targeting a cloud hosted e-commerce platform. The security team must define the root node, branches and leaves to effectively model the attack vectors. Below is an initial attack tree:
Branch 1: Exploit web application vulnerabilities
Branch 2: Bypass authentication mechanisms
Branch 3: Exfiltrate database records
What additional node or countermeasures should be added to improve the attack tree model?
A. Include a node for insider threats exploiting privileged accounts
B. Remove the authentication bypass branch since MFA is enabled
C. Change the root node to focus only on SQL injection
D. Ignore the attack tree and rely solely on penetration testing
E. Convert all attack branches into risk mitigation strategies
A. Include a node for insider threats exploiting privileged accounts
Explanation:
A. Insider threats can be a significant factor in data compromise and should be modeled in the attack tree
Incorrect:
B. Even with MFA, authentication bypass techniques exist, so this branch should remain
C. Focusing only on SQL injection limits the scope of threat modeling
D. Attack trees provide structured threat analysis beyond pentesting
E. Attack trees model potential attacks, not just mitigations
Question 13:
You are analyzing a SIEM log for a suspected AI driven exploit that automates penetration attempts against a web application. The attacker appears to use machine learning fuzzing to discover vulnerabilities. Below is an excerpt from the SIEM event logs:
2025-02-05 - Request: /admin - Response: 403 Forbidden
2025-02-05 - Request: /admin?bypass= true Response: 403 Forbidden
2025-02-05 - Request: /admin - Response: 200 OK
2025-02-05 - Request:/admin%00 - Response: 200 OK
2025-02-05 - Request: /admin%2F%2E%2F%2E%2Froot - Response: 200 OK
What AI driven attack technique is likely being used here?
A. Automated fuzzing with AI assisted input mutations
B. Model inversion to extract application configurations
C. Adversarial ML training to bypass WAF filters
D. GAN-based credential brute forcing
E. AI generated phishing attacks against system admins
A. Automated fuzzing with AI assisted input mutations
Explanation:
A. AI driven fuzzing automates input mutation to find vulnerabilities fast
Incorrect:
B. Model inversion extracts ML training data, not application vulnerabilities
C. Adversarial training attacks target ML models, not web applications
D. GAN based attacks simulate phishing or deepfakes, not direct exploits
E. Phishing targets users, not system vulnerabilities
Question 36:
Your cloud security team detected multiple failed authentication attempts on a cloud native security service from an unrecognized IP address. Below is the security event log from the cloud SIEM. What action should be prioritized to investigate this event?
2024-02-10 - AuthFail - User: security-admin - IP: 185.19..108.30 - Status: DENIED
2024-02-10 - AuthFail - User: security-admin - IP: 195.199.108.30 - Status: DENIED
2024-02-10 - AuthSuccess - User: security-admin - IP: 192.168.1.5 - Status: ALLOWED
A. Investigate if the successful logon was from a known corporate IP
B. Ignore the failed attempts as they did not succeed
C. Disable the security admin account immediately
D. Allow future access from both IP addresses
E. Block all external IPs from accessing the cloud environment
A. Investigate if the successful logon was from a known corporate IP
Explanation:
A. Verifying if the successful logon originated from a trusted corporate IP helps determine if the failed attempts were an attack
Incorrect:
B. Ignoring failed attempts overlooks potential brute force or credential stuffing attacks
C. Disabling the account immediately may cause disruption without proper investigation
D. Allowing both IPs without validation increases security risks
E. Blocking all external IPs is not always feasible in cloud environments
Question 38:
You are configuring adaptive authentication policies for a cloud based enterprise application. The policy should enforce reauthentication under specific high risk conditions, including device change, unusual time of access, and geographic anomalies. Below is the current policy snippet:
authentication methods: MFA, session timeout: 60 mins, georestrictions: none
What two key policy updates should be made to align with adaptive authentication best practices?
A. Reduce session timeout to 15 minutes for all users
B. Enable geographic based authentication triggers
C. Require MFA for all logins regardless of risk level
D. Implement AI driven behavioral risk scoring
E. Disable session persistence for high risk users
B. Enable geographic based authentication triggers
E. Disable session persistence for high risk users
Explanation:
B. Geo-based authentication triggers help to detect anomalous
E. Disabling session persistence for high risk users mitigates hijacking risks
Incorrect:
A. Reducing session timeout alone does not address adaptive authentication
C. While MFA improves security, it should be adaptive rather than mandatory for all users
D. AI based risk scoring is useful but does not directly enforce authentication
Question 39:
Your organization is designing a segmented network architecture to improve security. The security team wants to implement microsegmentation for east-west traffic control between critical workloads in a data center. Below is the current configuration:
{SegmentationType: TraditionalVLANs, FirewallRules: AllowAllInternal, Microsegmentation: false}
What is the best modification to implement microsegmentation?
A. SegmentationType: Traditional VLANs FirewallRules: AllowAllInternal Microsegmentation: true
B. SegmentationType: Zero Trust FirewallRules: DenyAllByDefault Microsegmentation: true
C. SegmentationType: Flat Network FirewallRules: AllowEastWest Microsegmentation: false
D. SegmentationType: DMZ Only FirewallRules: AllowInternalOutbound Microsegmentation: false
E. SegmentationType: Hybrid FirewallRules: AllowInternalRestricted Microsegmentation: true
B. SegmentationType: Zero Trust FirewallRules: DenyAllByDefault Microsegmentation: true
Explanation:
B. Zero Trust combined with a deny by default firewall rule ensures granular microsegmentation security
Incorrect:
A. Simply enabling microsegmentation without a Zero Trust model does not enforce strict east-west traffic control
C. A flat network structure contradicts microsegmentation principles
D. A DMZ only approach does not regulate internal workload communication
E. Hybrid segmentation may improve security but lacks a strict deny by default model
Question 40:
Your organization's asset management system has detected anomalous activity on a high value endpoint. Threat intelligence reports indicate that APT actors are actively exploiting unmonitored assets for lateral movement. Below is an excerpt from the intelligence report:
IoCs: 198.51.100.25 - Known APT C2 server
Attack Method: Exploiting unclassified assets for persistence
Target: Unmonitored IoT and legacy systems.
What security control should be prioritized to mitigate this threat?
A. Enforce strict asset classification and continuous monitoring
B. Increase firewall logging for all outbound traffic
C. Require network segmentation for all IoT devices
D. Deploy deception technology to mislead attackers
E. Block the identified IP address from external communications
A. Enforce strict asset classification and continuous monitoring
Explanation:
A. Proper classification and monitoring ensures that unmonitored assets are identified and protected
Incorrect:
B. Logging improves visibility and does not prevent exploitation of unmonitored assets
C. While segmentation is useful, asset classification is the foundational step for security
D. Deception technology is useful but does not address asset classification issues
E. Blocking a single IP does not prevent attackers from using alternative command and control channels
Question 48:
An organization's threat intelligence team receives a report about a new strain of fileless malware using PowerShell. The EDR system logs multiple suspicious PowerShell executions from non admin accounts.
- PowerShell spawned by unknown applications
- Network connections to command and control servers
- Memory injection detected in critical processes
Which mitigation step should be prioritized?
A. Apply application whitelisting for PowerShell usage
B. Block outbound traffic to suspicious IPs
C. Deploy endpoint patches against PowerShell exploits
D. Disable PowerShell logging to reduce alerts
E. Enable macros in all Office documents for better visibility
B. Block outbound traffic to suspicious IPs
Explanation:
B. Blocking C2 traffic prevents malware from communicating with attackers
Incorrect:
A. Whitelisting applications helps but does not stop ongoing attacks
C. Patching is important but does not address the active attack
D. Disabling logging reduces forensic evidence for investigations
E. Enabling macros increases the risk of malware execution
Question 52:
The security operations team has received a threat intelligence report about a new IDS evasion technique being used by attackers. The technique involves fragmenting malicious payloads to bypass detection. What is the best strategy to counteract this evasion method?
A. Enable reassembly of fragmented packets in the IDS
B. Increase the IDS logging threshold to detect anomalies
C. Block all fragmented traffic at the firewall
D. Deploy deep packet inspection (DPI) on endpoints
E. Reduce the maximum transmission unit (MTU) size to prevent fragmentation
A. Enable reassembly of fragmented packets in the IDS
Explanation:
A. Enabling reassembly of fragmented packets prevents attackers from evading IDS detection
Incorrect:
B. Logging does not stop attackers from evading detection
C. Blocking all fragmented traffic may disrupt legitimate network operations
D. DPI helps but is not directly related to IDS fragmentation bypass
E. Lowering MTU may cause network performance issues and does not fully prevent evasion
Question 55:
A security operations team detects a potential data exfiltration attempt via an improperly configured ACL. Threat intelligence reports indicate malicious actors scanning for open firewall ports. The attack pattern includes:
- Repeated SSH connection attempts to non standard ports
- Unexpected outbound traffic from internal hosts to untrusted APIs
- Exploitation of overly permissive ACL rules
Which mitigation strategy should be prioritized?
A. Restrict outbound traffic to known destinations
B. Block all inbound SSH traffic
C. Implement rate limiting on the firewall
D. Apply deep packet inspection for SSH connections
E. Enforce strict geolocation filtering on ACLs
A. Restrict outbound traffic to known destinations
Explanation:
A. Restricting outbound traffic prevents unauthorized data exfiltration
Incorrect:
B. While blocking SSH is useful, it does not address all exfiltration methods
C. Rate limiting may slow the attack but does not stop data exfiltration
D. Deep packet inspection helps detect threats but does not prevent data leaks
E. Geolocation filtering may block some threats but is not a complete solution
Question 58:
A hospital’s HVAC system is integrated with its building management system (BMS) to maintain critical climate controls for the operating rooms. Below is the current security configuration:
Access Control: Open, Remote Access: Enable, Logging: Disabled
Which modification is most critical for improving security?
A. Enforce RBAC for HVAC management
B. Require MFA for remote access
C. Enable logging and alerting for unauthorized access
D. Disable remote access entirely to reduce attack risks
E. Implement intrusion detection for HVAC control traffic
A. Enforce RBAC for HVAC management
Explanation:
A. RBAC ensures only authorized personnel can modify HVAC settings
Incorrect:
B. MFA is important but does not replace proper access controls
C. Logging is useful but does not actively prevent unauthorized access
D. Disabling remote access may disrupt operational management
E. Intrusion detection helps, but proactive access control is more critical
Question 63:
Your organization must comply with new regulations on post-quantum cryptography adoption. Below is the transition plan:
Phase 1: Identify legacy cryptographic implementations
Phase 2: Test hybrid cryptographic deployments
Phase 3: Full migration to PQC algorithms
Phase 4: Decommission legacy cryptographic systems
What potential risk must be mitigated during the transition process?
A. Increased computational overhead due to PQC algorithms
B. Immediate deprecation of all existing cryptographic systems
C. Reduced key lengths in hybrid cryptographic schemes
D. Exempting legacy systems from compliance requirements
E. Ignoring performance benchmarks during PQC adoption
A. Increased computational overhead due to PQC algorithms
Explanation:
A. PQC algorithms require more computational resources
Incorrect:
B. Immediate deprecation can disrupt secure communications
C. PQC key lengths are typically larger, not reduced
D. Exempting legacy systems creates compliance gaps
E. Performance must be assessed to ensure scalability
Question 64:
Your organization is implementing key stretching techniques to protect stored user passwords against brute force attacks. Below is the configuration:
hash_algorithm: SHA-256
iterations: 1000
salt: 16-byte random value
Stretching_mechanism: Disabled
What modification should be made to enhance security?
A. Increase the salt size to 32 bytes
B. Enable PBKDF2 with at least 100,000 iterations
C. Replace SHA256 with MD5 for faster computation
D. Disable salting to avoid redundancy
E. Reduce iteration count to improve performance
B. Enable PBKDF2 with at least 100,000 iterations
Explanation:
B. PBKDF2 with a high iteration count strengthens password security against brute force attacks
Incorrect:
A. Increasing salt size helps but is not a sufficient defense against brute force attacks
C. MD5 is cryptographically broken and should not be used
D. Salting prevents precomputed a
Question 65:
A cybersecurity firm has identified an APT group exploiting legacy TLS configurations that lack forward secrecy. The threat intelligence report states:
Threat Actor: QuantumSpy APT
Attack Method: Stored TLS Session Key Replay
Target: Organizations using RSA based key exchange
Mitigation: TBD
What is the best security measure to mitigate this threat?
A. Implement ephemeral key exchange mechanisms such as ECDHE
B. Increase RSA key size to mitigate brute force attacks
C. Store TLS session keys securely to prevent replay attacks
D. Use a hybrid encryption model combining RSA and AES
E. Disable TLS altogether and enforce VPN only communication
A. Implement ephemeral key exchange mechanisms such as ECDHE
Explanation:
A. ECDHE prevents key reuse, rendering stored session key replay attacks ineffective
Incorrect:
B. Larger RSA keys do not mitigate replay attacks
C. Secure key storage does not prevent attacks if keys are reused
D. Hybrid encryption does not ensure forward secrecy
E. Disabling TLS is impractical and reduces communication security
Question 68:
A multinational corporation is designing a mutual authentication framework for its global workforce. They need a solution that balances security, ease of deployment and performance across diverse environments. What is the best approach?
A. Require hardware security modules (HSMs) for all authentication events
B. Implement PKI based client authentication with auto enrolled certificates
C. Use pre-shared keys (PSKs) instead of certificates for simplicity
D. Disable mutual authentication to reduce complexity
E. Allow users to authenticate using social media credentials
Question 69:
A blockchain based financial system needs to secure its immutable ledger while preventing unauthorized alterations. The security team is evaluating cryptographic mechanisms to ensure non repudiation and data integrity. Below is the current configuration:
Consensus Algorithm: Proof of Stake (PoS)
Hashing Algorithm: SHA256
Transaction Validation: Decentralized nodes
Digital Signature: RSA-1024
What should be improved to enhance security?
A. Replace SHA256 with MD5 for faster hashing
B. Upgrade from RSA-1024 to ECDSA for stronger cryptographic signing
C. Switch from Proof of Stake to Proof of Work to enhance integrity
D. Remove digital signatures to improve transaction processing speed
E. Store cryptographic keys in plaintext for easier access
B. Upgrade from RSA-1024 to ECDSA for stronger cryptographic signing
Explanation:
B. ECDSA provides stronger security with smaller key sizes
Incorrect:
A. MD5 is insecure and vulnerable to collision attacks
C. Proof of Work is computationally expensive and not necessarily more secure
D. Digital signatures ensure non repudiation and must not be removed
E. Storing keys in plaintext is a major security risk
Question 70:
A smart city infrastructure is deploying IoT enabled sensors for environmental monitoring. The security team needs to implement lightweight cryptography to secure communications while ensuring minimal energy consumption. Below is the proposed cryptographic configuration:
Algorithm: AES-256-GCM
Key Management: Pre-shared keys
Communication Protocol: MQTT over TLS 1.3
Device Constraints: Low power and limited CPU
What is the best modification to enhance efficiency while maintaining security?
A. Switch to RSA-2048 for authentication and encryption
B. Implement ChaCha20-Poly1305 for improved performance
C. Use Ascon encryption instead of AES-256-GCM
D. Disable encryption to reduce processing overhead
E. Store cryptographic keys on the device in plaintext for faster access
C. Use Ascon encryption instead of AES-256-GCM
Explanation:
C. Ascon is a lightweight cryptographic algorithm optimized for constrained environments
Incorrect:
A. RSA-2048 is computationally expensive for IoT devices
B. ChaCha20-Poly1305 improves speed but does not reduce energy consumption as much as Ascon
D. Disabling encryption exposes IoT communications to attacks
Question 71:
A financial institution must comply with PCI DSS and ensure secure log retention for regulatory audits. The security team must determine the best strategy for storing logs securely while maintaining availability. What is the optimal approach?
A. Store all logs in encrypted cloud storage with long term retention
B. Keep logs on a local SIEM instance with a 30-day retention policy
C. Use a hybrid approach: store critical logs on prem and archive others in the cloud
D. Delete logs older than 90 days to reduce storage costs
E. Disable logging for non essential systems to minimize storage
A. Store all logs in encrypted cloud storage with long term retention
Explanation:
A. PCI DSS requires encrypted log retention with long term storage
Incorrect:
B. 30 day retention is insufficient for compliance
C. Hybrid approaches can work, but full encryption and long term retention are preferred
D. Compliance requires retention beyond 90 days for audit purposes
E. Disabling logging removes essential audit trails
Question 73:
A security team is implementing automated alert triage to improve response time. The system assigns a priority score based on multiple factors, including attack vector, asset criticality and impact. Below is a sample alert categorization:
Alert: Unauthorized File Access
Source: Internal Employee
Target: Financial Database
Priority Score: 92 (high)
How should the system handle this alert based on the assigned priority?
A. Ignore the alert unless violations occur
B. Escalate immediately to the IR team
C. Flag for review and wait for confirmation from IT
D. Automatically block user access until verified
E. Assign to the lowest priority queue for manual analysis
E. Assign to the lowest priority queue for manual analysis
Explanation:
E. High priority alerts require immediate response and should be escalated
Incorrect:
A. Ignoring alerts risks data breaches
B. Escalation without review may lead to unnecessary disruptions
C. Delays in verification increase response times
D. Immediate blocking may affect legitimate users
Question 75:
A company recently suffered a BIOS-level rootkit attack due to outdated firmware. Below is the forensic evidence showing unauthorized firmware changes:
2025-02-07 - BIOS modification detected - System: Endpoint123
What is the best-practice proactive measure to prevent this type of attack?
A. Implement secure boot and firmware integrity validation
B. Use endpoint detection and response (EDR) tools for firmware monitoring
C. Configure strict firewall rules for firmware-related traffic
D. Restrict administrative privileges on all devices
E. Require user authentication for firmware updates
E. Require user authentication for firmware updates
Explanation:
A. Secure boot helps, but firmware validation is the critical protection mechanism
B. EDR tools detect but do not prevent firmware tampering
C. Firewall rules do not protect against BIOS level exploits
D. Restricting privileges does not prevent firmware level attacks
Question 76:
A web development team needs to prevent deserialization vulnerabilities in their application while maintaining performance. What is the best approach to balance security and efficiency?
A. Allow user-controlled deserialization but log all events
B. Implement strict input validation and avoid deserialization of untrusted data
C. Use a cryptographic hash to verify deserialized objects
D. Store all serialized objects in an external database
E. Disable serialization altogether to eliminate risks
C. Use a cryptographic hash to verify deserialized objects
Explanation:
C. Cryptographic verification ensures that deserialized data has not been tampered with
Incorrect:
A. Logging does not prevent exploitation
B. Input validation is essential but does not fully prevent deserialization
D. Storing serialized objects externally does not mitigate deserialization risks
E. Disabling serialization can break app functionality
Question 77:
A security analyst detects unauthorized access attempts in a corporate network. The SIEM logs show multiple failed login attempts from different geographic locations, followed by a successful attempt from an unexpected IP.
2025-02-06 - Failed Login - IP: 184.76.32.19
2025-02-06 - Failed Login - IP: 198.51.100.42
2025-02-06 - Successful login - IP: 203.0.113.88
What should be the next security response?
A. Monitor further activity before taking action
B. Configure location based access restrictions
C. Immediately revoke the compromised credentials
D. Enable MFA for all logins
E. Allow the login but increase monitoring alerts
C. Immediately revoke the compromised credentials
Question 78:
A security team is tasked with detecting malware C2 infrastructure using IoCs. Below is a SIEM alert:
2025-02-07 - Outbound connection detected - Destination: 185.220.101.45 (flagged IoC)
2025-02-07 - Multiple connections detected - Destination: 185.220.101.45
2025-02-07 - Data transfer initiated- Destination: 185.220.101.45
What should the security team do next?
A. Ignore the alert unless further malicious activity is detected
B. Block all outbound traffic to 185.220.101.45 immediately
C. Investigate the source device, capture network packets and isolate the host
D. Implement DNS filtering to prevent future malicious lookups
E. Add the IoC to the SIEM threat feed but take no immediate action
C. Investigate the source device, capture network packets and isolate the host
Explanation:
C. Investigating the source device and isolating the host prevents further compromise
Incorrect:
A. Ignoring a flagged IoC increases the risk of data exfiltration
B. Blocking the IP is a reactive measure but does not investigate the root cause
D. DNS filtering helps prevent future infections but does not address the current threat
E. Simply adding the IoC does not mitigate active threats