Question 1
A company wants to ensure that only authorized users can access sensitive systems based on their job responsibilities. Which security principle is being applied?
( A ) Separation of duties
( B ) Role-Based Access Control (RBAC)
( C ) Mandatory Access Control (MAC)
( D ) Discretionary Access Control (DAC)
Answer: B
Explanation:
Role-Based Access Control (RBAC) is a security framework designed to regulate system access based on a user’s role within an organization. Instead of granting permissions directly to individual users, RBAC assigns permissions to specific roles that correspond to job functions. Users are then placed into these roles according to their responsibilities. This approach ensures that individuals can only access the data and systems necessary for their duties, reducing the likelihood of unauthorized access and minimizing the risk of internal or external security breaches.
RBAC differs significantly from other access control models such as Discretionary Access Control (DAC) and Mandatory Access Control (MAC). In DAC, the owner of a resource has the authority to decide who can access it, which can lead to inconsistent security practices if not carefully managed. MAC, on the other hand, enforces access restrictions based on predefined classifications and security labels. Access decisions in MAC systems are typically governed by a central authority and are not influenced by the discretion of individual users. RBAC provides a balance between flexibility and control by basing access decisions on organizational roles rather than ownership or rigid classification levels.
An important concept often associated with RBAC is the separation of duties, which ensures that critical tasks are divided among multiple individuals to prevent fraud, abuse, or unintentional errors. Although separation of duties is related to risk reduction, it does not directly control system access in the way RBAC does. Instead, it complements RBAC by reinforcing accountability and ensuring checks and balances within processes.
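The role-based decision described above, as an added example that is not code from the original page: permissions hang off roles, users are placed into roles, and a separation-of-duties rule refuses to give one person both halves of a critical task. The role names, permission strings and user names are constructed for illustration.

```python
from typing import Dict, Optional, Set

# Constructed example data (not from the page): each role carries the
# permissions a job function needs, and nothing else.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "payroll_clerk": {"payroll:read", "payroll:submit"},
    "payroll_approver": {"payroll:read", "payroll:approve"},
    "auditor": {"payroll:read", "audit:read"},
}

# Separation-of-duties constraint: the person who submits payroll must
# never be the person who approves it, so these two roles are exclusive.
CONFLICTING_ROLE_PAIRS = {frozenset({"payroll_clerk", "payroll_approver"})}

USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"payroll_clerk"},
    "bob": {"payroll_approver"},
    "carol": {"auditor"},
}


def effective_permissions(user: str, user_roles=USER_ROLES) -> Set[str]:
    """Union of the permissions of every role the user holds.
    A user with no roles gets no permissions (deny by default)."""
    perms: Set[str] = set()
    for role in user_roles.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: str, permission: str, user_roles=USER_ROLES) -> bool:
    """The access decision depends only on the user's roles, not on who
    owns the resource (DAC) or on a classification label (MAC)."""
    return permission in effective_permissions(user, user_roles)


def sod_conflict(user: str, role: str, user_roles=USER_ROLES) -> Optional[str]:
    """Return the role already held by the user that conflicts with the
    requested role, or None when the assignment is allowed."""
    for held in user_roles.get(user, set()):
        if frozenset({held, role}) in CONFLICTING_ROLE_PAIRS:
            return held
    return None


def assign_role(user: str, role: str, user_roles=USER_ROLES) -> None:
    """Add a role to a user, refusing assignments that break separation of duties."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role: {role}")
    conflict = sod_conflict(user, role, user_roles)
    if conflict is not None:
        raise ValueError(f"{user} already holds {conflict}; {role} conflicts with it")
    user_roles.setdefault(user, set()).add(role)


if __name__ == "__main__":
    print(sorted(effective_permissions("alice")))
    print(is_authorized("alice", "payroll:approve"))
    try:
        assign_role("alice", "payroll_approver")
    except ValueError as exc:
        print("blocked:", exc)
```

Because the check reads permissions from roles rather than from per-user grants, removing a person from a role revokes everything that role carried in one step, which is the administrative advantage the explanation describes.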
Question 2
A security analyst notices multiple failed login attempts from a single IP address in a short time frame. Which attack is most likely occurring?
( A ) Phishing
( B ) Brute-force attack
( C ) Man-in-the-middle attack
( D ) SQL injection
Answer: B
Explanation:
A brute-force attack is characterized by repeated attempts to guess credentials until successful authentication occurs. Multiple failed login attempts from a single IP address over a short period typically indicate that an attacker is trying various combinations of usernames and passwords to gain unauthorized access. Phishing is a social engineering tactic that tricks users into revealing credentials, but it would not produce repeated login failures from the same IP. Man-in-the-middle attacks intercept communications without necessarily causing repeated login failures, and SQL injection exploits input validation vulnerabilities rather than authentication mechanisms. Brute-force attacks can be mitigated by enforcing account lockouts, implementing CAPTCHA, using Multi-Factor Authentication (MFA), and monitoring for abnormal login patterns.
Organizations often deploy intrusion detection systems (IDS) or security information and event management (SIEM) solutions to detect and alert on brute-force activity. Additionally, maintaining complex password policies and using password managers can reduce the likelihood of successful brute-force attempts. Logging and monitoring failed authentication attempts allows security teams to respond proactively and identify potentially compromised accounts. Brute-force attacks remain a fundamental threat vector, and mitigating them requires a layered security approach.
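The detection logic a SIEM rule would apply to the pattern above, written as an added example rather than code from the original page: count failed logins per source address inside a sliding time window and raise one alert per address when the count reaches a threshold. The log format and the sample lines are constructed; the addresses come from the documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample log lines (not from the page). 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are reserved documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAILED user=admin src=203.0.113.5
2024-05-01T10:00:03Z FAILED user=jsmith src=198.51.100.7
2024-05-01T10:00:05Z FAILED user=admin src=203.0.113.5
2024-05-01T10:00:10Z FAILED user=root src=203.0.113.5
2024-05-01T10:00:12Z SUCCESS user=jsmith src=192.0.2.44
2024-05-01T10:00:14Z FAILED user=administrator src=203.0.113.5
2024-05-01T10:00:20Z FAILED user=admin src=203.0.113.5
2024-05-01T10:00:25Z FAILED user=guest src=203.0.113.5
2024-05-01T10:02:30Z FAILED user=jsmith src=198.51.100.7
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, ip) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window_seconds: int = 60) -> List[dict]:
    """Alert once per source IP when `threshold` failures land inside any
    `window_seconds` span. Successful logins are ignored here; a success
    following a burst of failures is worth a separate, higher-severity rule."""
    windows: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted = set()
    alerts: List[dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] != "FAILED":
            continue
        ts, _, user, ip = rec
        window = windows[ip]
        window.append((ts, user))
        # Drop failures that have aged out of the window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "failures": len(window),
                # Many different usernames from one IP points to spraying
                # or enumeration rather than one user mistyping a password.
                "distinct_users": len({u for _, u in window}),
                "window_start": window[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

With the defaults, the burst from 203.0.113.5 trips the rule on its fifth failure, while the two failures from 198.51.100.7 are far enough apart to fall out of the window and never alert; tuning threshold and window is what separates a real burst from a user who forgot a password.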
Question 3
Which type of malware is specifically designed to encrypt a user’s files and demand payment for a decryption key?
( A ) Worm
( B ) Ransomware
( C ) Spyware
( D ) Trojan
Answer: B
Explanation:
Ransomware is malicious software that encrypts files on a system and demands a ransom from the victim in exchange for a decryption key. This type of malware is highly disruptive and can impact individuals, businesses, and even critical infrastructure. Unlike worms, which spread autonomously across networks, ransomware typically requires user interaction, such as opening an email attachment or downloading a malicious file. Spyware collects information about a user’s activity without consent but does not encrypt files, and Trojans masquerade as legitimate software to trick users into executing malicious code.
Ransomware infections can be mitigated through regular backups, endpoint protection, network segmentation, and user education to recognize phishing emails and suspicious attachments. Advanced ransomware may also attempt to spread laterally across networks or exploit vulnerabilities in connected devices. Implementing strong access controls, up-to-date patch management, and real-time monitoring can limit ransomware impact. Incident response plans should include ransomware-specific procedures, ensuring that organizations can restore encrypted files without paying the ransom and minimizing operational downtime. Understanding ransomware behavior is critical for security teams aiming to implement proactive defenses and resilience strategies.
Question 4
Which of the following best describes the purpose of a firewall in network security?
( A ) Detects malware on endpoints
( B ) Filters network traffic based on predefined rules
( C ) Encrypts data stored on disk
( D ) Manages user identities
Answer: B
Explanation:
A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls are used to block unauthorized access while permitting legitimate communications, serving as a barrier between internal networks and external threats. Unlike antivirus software, firewalls do not detect malware on endpoints; instead, they filter traffic at the network level. Disk encryption protects stored data but does not manage traffic, and identity management solutions handle user access credentials rather than network packets. Firewalls can be deployed as hardware appliances, software applications, or cloud-based solutions. They can perform packet filtering, stateful inspection, proxying, and deep packet inspection to enforce security policies.
Modern firewalls, known as next-generation firewalls (NGFW), incorporate features like intrusion prevention, application awareness, and SSL/TLS inspection. By restricting traffic based on source, destination, port, and protocol, firewalls help organizations mitigate attacks such as unauthorized access, malware propagation, and data exfiltration. Combining firewalls with complementary security controls like IDS/IPS, endpoint protection, and network segmentation enhances overall security posture and reduces exposure to network-based threats. Firewalls are fundamental components of defense-in-depth strategies and essential for regulatory compliance in many industries.
Question 5
An organization wants to ensure that sensitive data is protected even if a laptop is stolen. Which control is most effective for this purpose?
( A ) Full disk encryption
( B ) Antivirus software
( C ) Multi-factor authentication
( D ) Security awareness training
Answer: A
Explanation:
Full disk encryption (FDE) is a security control that encrypts all data on a storage device, making it unreadable without proper authentication credentials. If a laptop is lost or stolen, FDE ensures that unauthorized users cannot access sensitive information stored on the device. Antivirus software protects against malware but does not secure data in the event of device theft. Multi-factor authentication strengthens user authentication but is only effective when accessing systems remotely and does not protect data at rest on the physical device. Security awareness training reduces human error and improves adherence to policies but does not directly encrypt data. FDE solutions often integrate with hardware-based security modules like Trusted Platform Modules (TPM) to secure encryption keys and enhance performance.
Implementing full disk encryption complements other security measures, such as endpoint detection, access controls, and backup strategies, to provide layered defense. Organizations deploying FDE must consider key management, user education, and compliance with regulatory standards like GDPR, HIPAA, and PCI DSS. Encrypting laptops and mobile devices mitigates the risk of data breaches due to theft and supports secure operational continuity. Regular auditing and monitoring of encrypted devices ensure compliance and verify that encryption policies are consistently enforced across all endpoints.
Question 6
A security team wants to verify that a web application does not have vulnerabilities that could be exploited by attackers. Which type of testing should they perform?
( A ) Vulnerability scanning
( B ) Penetration testing
( C ) Risk assessment
( D ) Security awareness training
Answer: B
Explanation:
Penetration testing, also known as ethical hacking, involves simulating real-world attacks on a system, application, or network to identify security weaknesses before malicious actors can exploit them. Unlike vulnerability scanning, which identifies known vulnerabilities using automated tools, penetration testing involves hands-on testing by security professionals who attempt to exploit vulnerabilities in a controlled manner. This type of testing provides organizations with actionable insights into their security posture, including potential attack paths, misconfigurations, and logic flaws that might not be detected by automated scans. Risk assessments, on the other hand, evaluate the likelihood and impact of potential threats but do not actively test security controls. Security awareness training educates employees on safe practices but does not involve technical testing of systems.
Penetration testing is essential for critical applications, especially those exposed to the internet, as it helps verify the effectiveness of security controls, compliance with regulations, and the organization’s incident response readiness. It can include testing for SQL injection, cross-site scripting (XSS), weak authentication, privilege escalation, and misconfigured services. Results from penetration tests guide remediation efforts and strengthen defenses, ensuring sensitive data is better protected against sophisticated cyber threats. Regularly performing penetration testing, combined with automated vulnerability scans and continuous monitoring, allows organizations to proactively identify and mitigate risks.
Question 7
Which protocol provides secure communication over an insecure network by encrypting traffic between a client and server?
( A ) HTTP
( B ) HTTPS
( C ) FTP
( D ) Telnet
Answer: B
Explanation:
HTTPS, or Hypertext Transfer Protocol Secure, is a communication protocol designed to ensure secure data transmission over networks that may not be inherently safe, such as the internet. It builds upon the foundation of HTTP but incorporates encryption through SSL or TLS protocols to protect the confidentiality and integrity of data exchanged between clients and servers. When a user visits a website using HTTPS, all information sent or received, including login credentials, payment details, and personal information, is encrypted. This encryption prevents unauthorized parties from reading or modifying the data, even if it is intercepted during transmission.
In contrast, traditional HTTP transmits information in plaintext, which means that anyone monitoring network traffic can view sensitive data. Other older protocols, such as FTP and Telnet, also lack encryption, making them susceptible to eavesdropping and interception. Attackers can exploit these vulnerabilities to conduct man-in-the-middle attacks, where they secretly intercept or alter communication between two parties without their knowledge. HTTPS eliminates most of these risks by ensuring that both communication channels and the identities of the involved parties are verified and protected.
One of the key components of HTTPS is the use of digital certificates issued by trusted Certificate Authorities, often referred to as CAs. These certificates authenticate the legitimacy of a website or server, helping users verify that they are connecting to a genuine service rather than a fraudulent or malicious site. The validation process also strengthens user trust and reduces the likelihood of phishing or spoofing attacks.
Question 8
An attacker sends emails that appear to come from a trusted company to trick employees into revealing sensitive information. Which type of attack is this?
( A ) Spear phishing
( B ) Brute-force attack
( C ) Denial-of-service attack
( D ) SQL injection
Answer: A
Explanation:
Spear phishing is a highly targeted form of social engineering in which attackers craft deceptive emails or messages that appear to come from legitimate and trusted sources. The primary goal of these attacks is to trick specific individuals into revealing sensitive information such as usernames, passwords, financial data, or confidential corporate details. Unlike generic phishing campaigns that cast a wide net and rely on volume to capture victims, spear phishing is personalized and carefully designed to deceive a particular person or group. Attackers often gather information from social media profiles, company websites, leaked data from previous breaches, or public records to make their messages appear convincing and relevant.
This level of customization makes spear phishing particularly dangerous, as it exploits human trust and familiarity rather than technical vulnerabilities. While brute-force attacks focus on systematically guessing passwords and denial-of-service attacks attempt to disrupt systems by overwhelming them with traffic, spear phishing manipulates people directly. Similarly, it differs from SQL injection attacks, which target software weaknesses to execute malicious commands on a database. Spear phishing bypasses many technical defenses such as firewalls, intrusion detection systems, and antivirus software because it targets human behavior rather than system flaws.
Preventing spear phishing requires a layered security approach that addresses both the human and technological aspects of the problem. Technical controls such as email filtering and anti-spoofing mechanisms, including SPF, DKIM, and DMARC, help detect and block fraudulent messages before they reach users. However, technology alone is not sufficient. Continuous security awareness training is essential to teach employees how to identify suspicious messages, verify sender authenticity, and report potential phishing attempts.
Organizations should also implement multi-factor authentication (MFA) to protect accounts even if credentials are compromised. Regular phishing simulations and incident response drills can help reinforce awareness and improve readiness. Monitoring email traffic for anomalies and investigating any unusual communication patterns are also vital steps in early detection. By combining strong technical defenses with well-informed employees, organizations can significantly reduce the risk of successful spear phishing attacks and better protect sensitive data from compromise.
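The SPF and DMARC controls named above are published as DNS TXT records, and a common weakness is a record that exists but enforces nothing. This added example (not code from the original page) parses both record types and reports settings that leave a domain spoofable: an SPF record ending in `+all` or `?all`, a DMARC policy of `p=none`, a missing reporting address, or a partial `pct`. The sample records are constructed.

```python
from typing import Dict, List


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC record into a dict of lower-cased tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return findings that make a DMARC record weaker than it looks; empty means enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("p= tag missing or invalid; receivers cannot apply a policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing will not arrive")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


def assess_spf(record: str) -> List[str]:
    """Return findings for an SPF record; empty means every unlisted sender fails."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings: List[str] = []
    mechanisms = terms[1:]
    all_positions = [i for i, t in enumerate(mechanisms) if t.lower().lstrip("+-~?") == "all"]
    if not all_positions:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        first = all_positions[0]
        qualifier = mechanisms[first][0] if mechanisms[first][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: every host on the internet is an authorised sender")
        elif qualifier == "?":
            findings.append("?all: unlisted senders are neutral, not failed")
        if first != len(mechanisms) - 1:
            findings.append("terms after 'all' are never evaluated")
    # RFC 7208 limits DNS-querying terms to 10; more yields a permanent error.
    dns_terms = 0
    for t in mechanisms:
        name = t.lstrip("+-~?").lower().split(":")[0].split("=")[0].split("/")[0]
        if name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            dns_terms += 1
    if dns_terms > 10:
        findings.append(f"{dns_terms} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings


# Constructed records (not from the page); example.com is a reserved name.
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for rec in (WEAK_SPF, STRONG_SPF):
        print(rec, "->", assess_spf(rec) or ["ok"])
    for rec in (WEAK_DMARC, STRONG_DMARC):
        print(rec, "->", assess_dmarc(rec) or ["ok"])
```

Fetching the live records is a DNS TXT lookup of the domain and of `_dmarc.<domain>`; the assessment above is what to run on the result before a phishing tabletop, since a `p=none` record gives monitoring but no protection.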
Question 9
Which security measure ensures that a message has not been altered during transmission?
( A ) Encryption
( B ) Hashing
( C ) Digital signature
( D ) Firewall
Answer: C
Explanation:
Digital signatures are a vital component of modern cybersecurity, providing a reliable way to verify that a message or document has not been altered during transmission. They function through the use of asymmetric cryptography, which involves a pair of keys: a private key and a public key. When a sender creates a digital signature, they use their private key to sign the message. The recipient, upon receiving the message, can then use the sender’s public key to verify the signature. If the verification is successful, it confirms both the authenticity of the sender and the integrity of the message, meaning that it has not been modified or tampered with in transit.
While encryption ensures the confidentiality of data by making it unreadable to unauthorized parties, it does not guarantee that the data remains unchanged. Similarly, hashing can detect whether information has been altered, but it does not confirm who created or sent the data. A digital signature combines these elements, providing a mechanism that assures authenticity, integrity, and non-repudiation—the sender cannot deny having signed the message once the signature is verified. Firewalls and other security tools may protect networks from intrusion, but they do not verify the integrity or origin of specific messages, which is why digital signatures are essential in many secure communications.
Digital signatures are widely used in various applications, including secure email systems such as S/MIME, software distribution, and digital document signing. They rely on public key infrastructure, or PKI, which issues digital certificates that link public keys to verified identities. This trusted framework ensures that users can confidently validate the source of signed messages and files.
Implementing digital signatures allows organizations to safeguard sensitive communications, prevent unauthorized changes, and maintain compliance with legal and regulatory standards. Many industries, including finance, healthcare, and law, use digital signatures to verify the authenticity of transactions, records, and contracts. When combined with encryption, digital signatures ensure that messages remain confidential, authentic, and tamper-proof. This layered approach not only enhances trust and accountability in digital interactions but also significantly reduces the risk of fraud, forgery, and data corruption across all forms of electronic communication.
Question 10
A company implements multi-factor authentication (MFA) for all employees. Which security principle does MFA strengthen?
( A ) Confidentiality
( B ) Integrity
( C ) Availability
( D ) Authentication
Answer: D
Explanation:
Multi-factor authentication, often abbreviated as MFA, is a security mechanism designed to enhance the authentication process by requiring users to verify their identity through multiple independent factors before gaining access to a system or application. Instead of relying solely on a password, MFA combines two or more forms of verification to ensure that access is granted only to legitimate users. These factors typically fall into three main categories: something the user knows, such as a password or PIN; something the user has, such as a physical security token, smartphone, or authentication app; and something the user is, referring to biometric identifiers like fingerprints, facial recognition, or voice patterns.
This layered approach significantly strengthens access security because it ensures that even if one factor is compromised, such as a stolen password, an attacker cannot successfully log in without the remaining verification elements. While MFA does not directly control data confidentiality, integrity, or availability, it plays a crucial role in the authentication process by ensuring that only authorized individuals can access sensitive systems and information. It effectively mitigates common risks associated with weak or reused passwords, phishing attacks, and credential theft, which are among the most prevalent causes of unauthorized access and data breaches.
MFA has become a cornerstone of modern cybersecurity strategies, particularly in industries that manage sensitive or regulated information such as finance, healthcare, and government. Beyond strengthening authentication, it supports compliance with security frameworks and regulations like PCI DSS, HIPAA, and NIST standards, all of which emphasize strong identity verification controls.
For maximum effectiveness, MFA should be implemented alongside complementary measures such as user awareness training, continuous monitoring for suspicious login activity, and adaptive authentication systems that adjust verification requirements based on risk factors such as location or device type. Organizations that adopt MFA not only reduce the potential impact of security breaches but also enhance user trust by demonstrating a strong commitment to data protection. As cyber threats continue to evolve, MFA remains one of the most effective and practical defenses against unauthorized access in both enterprise and consumer environments.
Question 11
Which type of attack involves injecting malicious code into a website to execute scripts in a victim’s browser?
( A ) SQL injection
( B ) Cross-site scripting (XSS)
( C ) Man-in-the-middle attack
( D ) Denial-of-service attack
Answer: B
Explanation:
Cross-site scripting, commonly known as XSS, is a web application vulnerability that allows attackers to inject and execute malicious scripts within web pages viewed by unsuspecting users. The primary objective of such attacks is to run unauthorized code in the victim’s browser, which can lead to the theft of sensitive information such as cookies, session tokens, or login credentials. In some cases, the attacker may also use XSS to impersonate the victim, manipulate web content, or perform actions on their behalf without their consent.
XSS attacks typically occur when a web application fails to properly validate or sanitize user input before displaying it to other users. When user-generated content is reflected back onto a web page without adequate output encoding, attackers can insert harmful JavaScript or HTML code that executes when another user loads the page. This makes XSS particularly dangerous in web applications that rely heavily on user interaction and content sharing, such as social media networks, online marketplaces, and financial service portals.
It is important to distinguish XSS from other types of attacks. For instance, SQL injection targets a database by inserting malicious SQL commands to manipulate or extract stored information. Man-in-the-middle attacks intercept communications between two parties, while denial-of-service attacks attempt to overwhelm systems to disrupt their availability. XSS, on the other hand, focuses on exploiting client-side vulnerabilities within web browsers.
There are several forms of XSS, including persistent and reflected. In persistent XSS, the malicious script is permanently stored on the target server, meaning every user who views the affected page becomes a victim. In reflected XSS, the malicious code is executed immediately when a user clicks on a specially crafted link.
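The stored and reflected cases described above, as an added example that is not code from the original page: a comment renderer that pastes user input straight into HTML beside the hardened version that output-encodes it, plus a reflected search page built the same way. The comment data and the script tag used as a payload are constructed; the payload does nothing but pop an alert.

```python
import html
from typing import Callable, List, Tuple

# Constructed comment data (not from the page). The second entry carries a
# harmless script tag standing in for an injected payload.
COMMENTS: List[Tuple[str, str]] = [
    ("alice", "Great article, thanks!"),
    ("mallory", "<script>alert('stored xss')</script>"),
]


def render_comment_unsafe(username: str, comment: str) -> str:
    """Vulnerable (stored XSS): user-controlled strings are pasted straight into
    HTML, so markup inside a comment becomes part of the page for every later visitor."""
    return f"<li><b>{username}</b>: {comment}</li>"


def render_comment_safe(username: str, comment: str) -> str:
    """Hardened: html.escape turns < > & ' and " into entities, so the browser
    shows the payload as text instead of running it. This encoding is right for
    HTML body and quoted-attribute contexts only; a value landing in a URL,
    a JavaScript string or CSS needs the encoder for that context."""
    return f"<li><b>{html.escape(username)}</b>: {html.escape(comment)}</li>"


def render_page(comments: List[Tuple[str, str]],
                renderer: Callable[[str, str], str]) -> str:
    return "<ul>" + "".join(renderer(u, c) for u, c in comments) + "</ul>"


def render_search(query: str, escape: bool = True) -> str:
    """Reflected case: the query string comes back in the response. With
    escape=False a crafted link carries the script to whoever clicks it."""
    shown = html.escape(query) if escape else query
    return f"<p>Results for <i>{shown}</i></p>"


def contains_script_tag(page: str) -> bool:
    """Crude check used by the tests: is there a live <script> element in the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_page(COMMENTS, render_comment_unsafe))
    print(render_page(COMMENTS, render_comment_safe))
    print(render_search("<script>alert('reflected')</script>"))
```

The input validation the explanation mentions is a second layer: rejecting angle brackets in a username is reasonable, but comments legitimately contain them, so output encoding at the point where data meets HTML is the control that has to be present regardless.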
Question 12
Which of the following ensures that a user cannot deny performing a specific action, such as sending a message or authorizing a transaction?
( A ) Confidentiality
( B ) Non-repudiation
( C ) Availability
( D ) Integrity
Answer: B
Explanation:
Non-repudiation is a fundamental principle of information security that ensures individuals cannot deny their involvement in specific actions or transactions. It provides proof that a particular event or communication occurred and that it was performed by a verified entity. This principle is essential for maintaining accountability in digital environments, particularly where trust and verification are critical, such as in financial systems, legal agreements, and electronic communications. Non-repudiation relies on cryptographic techniques and secure recording mechanisms to confirm both the origin and authenticity of data or actions.
While confidentiality protects information from being disclosed to unauthorized parties, and integrity ensures that data remains unchanged during transmission or storage, non-repudiation focuses on ensuring that the sender or participant cannot later dispute their involvement. Availability, another key security concept, ensures that systems and data are accessible when needed. Together, these principles form the foundation of a strong cybersecurity framework, but non-repudiation stands out as the mechanism that provides traceability and accountability for digital interactions.
Digital signatures are one of the most common technologies used to achieve non-repudiation. When a sender signs a message or document using their private key, the recipient can verify the signature using the sender’s public key, proving both the authenticity of the sender and the integrity of the message. This process is often supported by public key infrastructure, or PKI, which establishes a trusted framework for certificate issuance, management, and verification. Through PKI, digital certificates link an individual’s or organization’s identity to their cryptographic keys, strengthening trust in digital transactions.
In addition to digital signatures, mechanisms such as cryptographic hashing, secure audit logs, and timestamping play an important role in ensuring non-repudiation. These technologies provide verifiable records of actions and prevent unauthorized modifications. Many organizations incorporate non-repudiation controls into email systems, online banking platforms, document management tools, and other critical services to ensure traceability and deter fraudulent activities.
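The sign-with-private-key, verify-with-public-key exchange described in Questions 9 and 12, as an added example that is not code from the original page. It uses textbook RSA over a SHA-256 digest, with a modulus built from two fixed Mersenne primes so it runs on the standard library alone; the keys, messages and the unpadded construction are for illustration only, and a real deployment would use a library implementation with a proper padding scheme. The comparison function shows why a bare hash does not give non-repudiation: anyone who can change the message can recompute the hash, but only the private-key holder can produce a signature that verifies.

```python
import hashlib
from typing import Dict, Tuple

# Toy RSA parameters (constructed, not from the page). 2^127-1 and 2^61-1
# are both prime, so pow(E, -1, PHI) is defined; this is textbook RSA with a
# bare hash and no padding, used here only to make the mechanics visible.
P = (1 << 127) - 1
Q = (1 << 61) - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # private exponent; needs Python 3.8+

PUBLIC_KEY: Tuple[int, int] = (N, E)    # safe to publish (e.g. in a certificate)
PRIVATE_KEY: Tuple[int, int] = (N, D)   # known only to the signer


def message_digest(message: bytes, n: int) -> int:
    """SHA-256 of the message reduced into the signing modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key: Tuple[int, int] = PRIVATE_KEY) -> int:
    """Signer: apply the private exponent to the digest of the message."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int,
           public_key: Tuple[int, int] = PUBLIC_KEY) -> bool:
    """Verifier: undo the signature with the public exponent and compare it
    with a freshly computed digest. Any change to the message or the
    signature makes the comparison fail."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


def hash_check(message: bytes, published_hash: str) -> bool:
    """Plain hash comparison: catches accidental corruption, but offers no
    proof of origin because the hash can be recomputed by whoever altered
    the message."""
    return hashlib.sha256(message).hexdigest() == published_hash


def tamper_demo() -> Dict[str, bool]:
    """Constructed scenario: a signed instruction is altered in transit and the
    attacker updates the accompanying hash to match the altered text."""
    original = b"Transfer 100 EUR to account 12345"
    signature = sign(original)
    altered = b"Transfer 900 EUR to account 12345"
    attacker_hash = hashlib.sha256(altered).hexdigest()
    return {
        "original_verifies": verify(original, signature),
        "altered_verifies": verify(altered, signature),
        "altered_passes_hash_check": hash_check(altered, attacker_hash),
    }


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name}: {outcome}")
```

The non-repudiation claim rests on the private key being held by one party only, which is why the explanation ties signatures to PKI: the certificate binds the public key to an identity, and key protection (hardware tokens, access logging) is what makes "only the signer could have produced this" a defensible statement.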
Question 13
Which type of security control is a CCTV camera considered?
( A ) Detective control
( B ) Preventive control
( C ) Corrective control
( D ) Deterrent control
Answer: A
Explanation:
Closed-circuit television, commonly known as CCTV, serves as a detective control within a security framework because its primary function is to observe, identify, and record events or incidents after they have occurred. Detective controls are an essential part of an organization’s overall security strategy, as they provide the ability to monitor activities, detect suspicious behavior, and gather evidence for investigation. By recording and reviewing footage, organizations can identify the source of security breaches, verify incidents, and support corrective actions that help prevent future occurrences.
Unlike preventive controls, which are designed to stop incidents before they happen, such as access control systems, authentication mechanisms, and security policies, CCTV does not prevent an attack by itself. Instead, it helps security teams recognize that an event has taken place and respond appropriately. Corrective controls, in contrast, are actions taken after an incident to repair or mitigate damage, such as restoring backups, patching vulnerabilities, or reconfiguring systems. Deterrent controls, such as warning signs and visible security cameras, aim to discourage malicious behavior by making potential offenders aware that their actions are being observed.
CCTV systems offer multiple benefits beyond simple observation. They provide real-time surveillance and allow for continuous monitoring of key areas such as entry points, restricted zones, or public spaces. Recorded footage serves as valuable evidence for forensic analysis, legal proceedings, and internal investigations. When integrated with intrusion detection systems or centralized monitoring platforms, CCTV can enhance situational awareness and improve response times during incidents.
For CCTV to be most effective, cameras must be strategically placed to cover high-risk or high-traffic areas. Regular maintenance and monitoring by trained personnel ensure that equipment functions properly and that recordings are securely stored and accessible when needed. Modern CCTV solutions have evolved to include intelligent features such as motion detection, object tracking, facial recognition, and integration with access control systems. These advancements allow organizations to automate detection, streamline security operations, and increase the overall efficiency of surveillance programs.
By combining CCTV with preventive, corrective, and deterrent controls, organizations can establish a comprehensive, layered security approach. This combination not only reduces risks and strengthens incident response but also ensures that all activities are documented, enhancing accountability and trust within the organization’s security infrastructure.
Question 14
Which authentication method relies on something the user has, such as a smart card or token?
( A ) Knowledge-based authentication
( B ) Biometric authentication
( C ) Possession-based authentication
( D ) Multifactor authentication
Answer: C
Explanation:
Possession-based authentication is a security method that relies on something the user physically owns to verify their identity. Common examples include smart cards, hardware tokens, and mobile authenticator applications. This form of authentication is often used as one of the factors in multi-factor authentication systems, where it is combined with other methods to provide stronger protection against unauthorized access. By requiring physical access to an authentication device, possession-based authentication significantly reduces the likelihood of remote attacks, as an attacker would need to obtain the user’s actual device to proceed.
Authentication systems typically rely on three main categories of factors: something the user knows, something the user has, and something the user is. Knowledge-based authentication depends on information known only to the user, such as a password, PIN, or security question. Biometric authentication, on the other hand, verifies identity using unique physical traits like fingerprints, facial features, or iris patterns. Possession-based authentication complements these by introducing a tangible, physical component that adds another layer of defense.
Tokens used in possession-based authentication may function in different ways. Some generate time-based one-time passwords, also known as TOTPs, that change periodically to ensure each login attempt is unique. Others contain embedded cryptographic keys or digital certificates that interact with authentication servers to validate the user’s identity securely. Mobile applications that serve as authenticators can perform similar functions, providing push notifications or codes that users must approve before access is granted.
Organizations implementing possession-based authentication should plan for contingencies in case the device is lost, damaged, or stolen. Backup authentication methods, secure token provisioning, and recovery procedures help maintain access while preventing misuse. Additionally, communications between devices and authentication servers should be encrypted to prevent interception or tampering.
This authentication approach is widely adopted in industries that require strong access control, such as finance, healthcare, government, and enterprise environments. By combining possession-based methods with knowledge-based and biometric factors, multi-factor authentication ensures that compromising one element alone is not enough to gain access. The result is a more secure and trustworthy authentication process that protects sensitive information, reduces identity theft, and supports compliance with modern cybersecurity standards.
Question 15
Which of the following attacks exploits software vulnerabilities without requiring user interaction?
( A ) Worm
( B ) Trojan
( C ) Phishing
( D ) Keylogger
Answer: A
Explanation:
A worm is a type of malicious software designed to replicate and spread automatically across computer networks without requiring any user interaction. Unlike many other forms of malware that depend on users to execute or install them, worms exploit software or system vulnerabilities to move from one device to another on their own. Once active, a worm can rapidly infect large portions of a network, consuming bandwidth, degrading system performance, and potentially carrying additional malicious payloads such as ransomware, spyware, or backdoors that allow attackers to gain persistent access to systems.
The key characteristic that distinguishes worms from other types of malware is their ability to propagate autonomously. Trojans, for instance, rely on social engineering or user actions to install themselves, often disguising their malicious intent by appearing as legitimate software. Phishing attacks use deceptive messages or websites to trick individuals into disclosing sensitive information, such as login credentials or financial details. Keyloggers, another form of malware, record a user’s keystrokes to capture passwords or other personal data, typically requiring some form of installation or user permission to operate.
Worms pose a significant cybersecurity risk because they can exploit zero-day vulnerabilities—unknown flaws that have not yet been patched by software developers. Once unleashed, a worm can spread at an exponential rate, infecting multiple systems within minutes. Some worms are also programmed to deliver secondary attacks, such as installing additional malware or launching distributed denial-of-service (DDoS) attacks.
Preventing worm infections requires a combination of proactive and reactive security measures. Regularly patching and updating operating systems, applications, and network devices helps close known vulnerabilities that worms might exploit. Deploying endpoint protection software, intrusion detection systems, and firewalls can detect and block malicious traffic before it spreads. Network segmentation is another effective strategy, limiting the ability of worms to move laterally between systems.
Question 16
Which principle ensures that users have the minimum level of access necessary to perform their job functions?
( A ) Least privilege
( B ) Separation of duties
( C ) Defense in depth
( D ) Role-based access control
Answer: A
Explanation:
The principle of least privilege is a foundational concept in information security that ensures users, applications, and systems are granted only the access rights necessary to perform their specific tasks. By limiting permissions to the minimum required, organizations can significantly reduce the likelihood of accidental or intentional misuse of resources and contain the potential impact of security breaches. When privileges are restricted, even if an account is compromised, an attacker’s ability to move laterally, access sensitive data, or manipulate critical systems is greatly reduced.
Least privilege complements other security practices such as separation of duties, defense in depth, and role-based access control. Separation of duties divides critical functions among multiple individuals to prevent errors or fraudulent activity, while defense in depth relies on multiple layers of security controls, including technical, administrative, and physical safeguards. Role-based access control assigns permissions based on job responsibilities, providing a structured approach to access management. Implementing least privilege within these frameworks ensures that each user or system component operates within narrowly defined boundaries, enhancing overall security.
Enforcing the principle of least privilege typically involves the use of access control lists, permission reviews, and policy audits. Organizations must carefully plan access levels, regularly review them, and update permissions as roles or responsibilities change. Automated tools can help track user privileges, detect deviations, and identify excessive access rights that could pose a risk. Monitoring and logging user activities further reinforce least privilege by providing visibility into how resources are being accessed and ensuring accountability for all actions.
Combining least privilege with additional security measures, such as multi-factor authentication and continuous monitoring, strengthens the organization’s security posture and supports compliance with regulations and standards, including PCI DSS, HIPAA, and GDPR. This principle is particularly important in environments that manage sensitive information, financial systems, or critical infrastructure, where excessive access can lead to significant data breaches or operational disruptions. By minimizing the attack surface and ensuring that users and systems operate under controlled privileges, organizations can reduce risk, enhance accountability, and maintain a more resilient and secure IT environment.
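An added example, not from the exam material, of the automated permission review described above: it checks a user's grants against the concrete actions the role needs and against the actions observed in activity logs during a review window, flagging excess grants, over-broad wildcards and unused rights. The service:action grant format with a trailing "*" wildcard is constructed for the example.

```go
package main

import "strings"

// Grant is one permission a principal holds, written as service:action (a constructed
// format for this example); a trailing "*" is a wildcard such as "ec2:*".
type Grant string

// covers reports whether the grant allows a concrete action like "s3:GetObject".
func (g Grant) covers(action string) bool {
	if strings.HasSuffix(string(g), "*") {
		return strings.HasPrefix(action, strings.TrimSuffix(string(g), "*"))
	}
	return string(g) == action
}

// coveredBy returns the actions from the list that the grant allows.
func coveredBy(g Grant, actions []string) (out []string) {
	for _, a := range actions {
		if g.covers(a) {
			out = append(out, a)
		}
	}
	return out
}

type Finding struct{ User, Grant, Reason string } // one deviation from least privilege

// AuditLeastPrivilege compares a user's grants with the actions the role needs and with the
// actions seen in activity logs over the review window: it flags grants the role does not
// need, wildcards broader than the role's concrete needs, and needed grants that went unused.
func AuditLeastPrivilege(user string, held []Grant, roleNeeds, used []string) []Finding {
	var findings []Finding
	flag := func(g Grant, reason string) {
		findings = append(findings, Finding{user, string(g), reason})
	}
	for _, g := range held {
		needs := coveredBy(g, roleNeeds)
		if len(needs) == 0 {
			flag(g, "not required by role")
			continue
		}
		if strings.HasSuffix(string(g), "*") {
			flag(g, "wildcard broader than role needs; replace with "+strings.Join(needs, ", "))
		}
		if len(coveredBy(g, used)) == 0 {
			flag(g, "required but unused in review window")
		}
	}
	return findings
}
```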
Question 17
Which type of attack intercepts communication between two parties to eavesdrop or manipulate data?
( A ) Man-in-the-middle attack
( B ) Brute-force attack
( C ) Phishing
( D ) Ransomware
Answer: A
Explanation:
A man-in-the-middle (MITM) attack is a cybersecurity threat in which an attacker secretly intercepts or alters communications between two parties without their knowledge. The primary goal of these attacks is to eavesdrop on sensitive information, capture login credentials, or manipulate data being transmitted. MITM attacks can occur in various ways, such as exploiting unsecured Wi-Fi networks, compromising routers, or using techniques like ARP spoofing, DNS hijacking, or session hijacking. By positioning themselves between the communicating parties, attackers gain the ability to monitor traffic, steal confidential information, or inject malicious content into the communication stream.
Unlike brute-force attacks, which attempt to gain access by repeatedly guessing passwords, or phishing attacks, which rely on social engineering to trick users into disclosing sensitive information, MITM attacks directly target the communication channel itself. Ransomware, on the other hand, encrypts files to demand payment from victims and is not dependent on intercepting live communications. The impact of MITM attacks primarily affects the confidentiality and integrity of information, as attackers can read, alter, or inject data without the knowledge of the sender or receiver.
Encryption plays a critical role in defending against MITM attacks. Secure communication protocols such as TLS and HTTPS ensure that data transmitted over networks is encrypted, making it unreadable to attackers. Certificate validation, secure VPN connections, and multi-factor authentication further strengthen protection by verifying the identities of the communicating parties and safeguarding access to sensitive systems. Organizations can also implement network segmentation to limit exposure, configure intrusion detection systems to alert on suspicious traffic, and continuously monitor network activity to identify anomalies indicative of an MITM attack.
Preventing MITM attacks also requires user awareness, especially when accessing public or unsecured networks. Employees and users should be educated about the dangers of connecting to untrusted Wi-Fi networks and prompted to verify website certificates and connections. Because MITM attacks can be stealthy and difficult to detect, combining technical safeguards with robust security policies is essential. By enforcing strong encryption, secure authentication, and proactive monitoring, organizations can significantly reduce the risk of MITM attacks and protect sensitive communications from interception or tampering.
Question 18
Which security control can prevent users from visiting malicious websites or downloading harmful files?
( A ) Web proxy
( B ) Firewall
( C ) Antivirus software
( D ) IDS/IPS
Answer: A
Explanation:
A web proxy acts as an intermediary between a user and the internet, filtering requests to prevent access to malicious websites and blocking harmful downloads. It enforces acceptable use policies, inspects content, and can log user activity for auditing purposes. Firewalls control traffic at the network level but may not filter URLs effectively. Antivirus software detects and removes malware on endpoints but does not proactively block web-based threats. IDS/IPS monitors for suspicious activity and can block known exploits but may not provide granular control over web content. Web proxies enhance security by inspecting web traffic, blocking phishing sites, preventing malware downloads, and enforcing content policies. Advanced web proxies integrate threat intelligence feeds to update filtering rules in real time. Combining web proxies with endpoint protection, DNS filtering, and security awareness training ensures layered defense against web-based attacks. Organizations use web proxies to reduce risk from drive-by downloads, ransomware, and phishing, and to comply with regulatory and organizational policies. Web proxies also provide visibility into user activity, enabling incident response teams to investigate suspicious browsing patterns and prevent data leakage.
Question 19
Which type of backup strategy involves copying only the data that has changed since the last full backup?
( A ) Full backup
( B ) Incremental backup
( C ) Differential backup
( D ) Snapshot backup
Answer: B
Explanation:
Incremental backups copy only the data that has changed since the last backup, whether full or incremental. This approach reduces storage requirements and speeds up the backup process compared to performing full backups every time. Differential backups, in contrast, copy all changes since the last full backup. Full backups duplicate all data regardless of changes, while snapshot backups capture the system state at a specific point in time. Incremental backups are commonly used in enterprise environments to maintain up-to-date data with minimal storage overhead. Recovery typically requires restoring the last full backup and all subsequent incremental backups, which can take more time compared to restoring from a single full backup. However, incremental backups optimize resource usage, network bandwidth, and storage costs. Organizations should combine full and incremental backups in a backup strategy to balance performance and recovery objectives. Regular testing of backup and restore processes ensures data integrity, compliance with business continuity plans, and readiness for disaster recovery scenarios. Advanced backup solutions may also incorporate encryption, deduplication, and offsite replication to further enhance data protection and resilience.
Question 20
Which cryptographic method uses the same key for encryption and decryption of data?
( A ) Asymmetric encryption
( B ) Symmetric encryption
( C ) Hashing
( D ) Digital signature
Answer: B
Explanation:
Symmetric encryption uses the same key for both encryption and decryption of data. This method is efficient and fast, making it suitable for large volumes of data. Asymmetric encryption, by contrast, uses a key pair (public and private) for encryption and decryption, supporting secure communication and digital signatures. Hashing generates a fixed-length value from data to verify integrity but is not reversible, and digital signatures ensure authenticity and non-repudiation using asymmetric cryptography. Symmetric encryption algorithms, such as AES, DES, and 3DES, are widely used for protecting sensitive information in storage and transmission. Proper key management is critical for symmetric encryption because the same key must be securely shared and protected from unauthorized access. Symmetric encryption is commonly used in VPNs, file storage, and database encryption. Combining symmetric encryption with asymmetric encryption, such as in hybrid encryption systems, balances performance and security. While symmetric encryption provides speed, asymmetric encryption ensures secure key exchange. Organizations implementing symmetric encryption should enforce key rotation, secure storage, and access controls to prevent compromise. Symmetric encryption remains a fundamental part of cybersecurity, protecting confidentiality, integrity, and sensitive communications across networks and storage systems.