Visit here for our full CompTIA SY0-701 exam dumps and practice test questions.
Question 121
Which of the following BEST describes the purpose of a honeypot in network security?
(A) To encrypt network traffic
(B) To lure attackers into a controlled environment to study their behavior
(C) To block unauthorized access
(D) To store sensitive user credentials
Answer: B
Explanation:
A honeypot is a deliberately deployed security mechanism designed to attract attackers by mimicking a vulnerable system, application, or network segment. Its primary objective is to detect, analyze, and understand malicious activity in a controlled and isolated environment, thereby protecting real production assets from compromise. By presenting itself as an appealing target, a honeypot can lure cybercriminals into interacting with it, allowing security teams to observe attacker behavior, methods, and tools without putting operational systems at risk. Unlike simply encrypting traffic, which focuses on protecting data in transit, or blocking unauthorized access, which is the role of firewalls and intrusion prevention systems, a honeypot’s function is to act as a decoy to gather intelligence on potential threats. Similarly, storing credentials is unrelated and insecure, whereas a honeypot safely collects actionable data on attack techniques.
Organizations deploy honeypots to improve their overall cybersecurity posture. They help in identifying zero-day vulnerabilities, malware propagation patterns, phishing attempts, and command-and-control communications. Advanced honeypots can capture payloads, log attacker commands, and trace malicious network traffic, providing valuable insights into attacker tactics, techniques, and procedures (TTPs). This information is crucial for refining intrusion detection system (IDS) signatures, updating firewall rules, and developing proactive defense strategies. Additionally, honeypots serve as practical tools for training security analysts, offering realistic attack scenarios without risking the integrity of critical systems.
From a strategic perspective, honeypots enhance situational awareness by providing early warnings of emerging threats, enabling organizations to respond before attacks impact real assets. They support threat intelligence sharing and contribute to building more accurate threat models, allowing security teams to anticipate attacker behavior and prioritize mitigations effectively. While honeypots do not replace traditional security measures such as firewalls, antivirus, or endpoint detection systems, they complement them by offering a proactive layer of defense. By continuously analyzing interactions with the honeypot, organizations gain a deeper understanding of evolving threats, improve incident response capabilities, and strengthen overall network security against increasingly sophisticated attacks.
Question 122
Which of the following BEST represents a zero-day vulnerability?
(A) A vulnerability that has been patched by the vendor
(B) A vulnerability known to attackers but not yet publicly disclosed
(C) A vulnerability only found in outdated hardware
(D) A vulnerability detected through routine penetration testing
Answer: B
Explanation:
A zero-day vulnerability is a security flaw in software, hardware, or firmware that is unknown to the vendor or developer but may already be exploited by attackers. The term “zero-day” highlights that the developers have had zero days to address or patch the vulnerability once it is discovered, leaving systems exposed to potential compromise. These vulnerabilities are particularly dangerous because no official fix or patch exists at the time of discovery, which means attackers can exploit them freely, often without triggering conventional security defenses. Unlike a patched vulnerability, which has been corrected and is no longer a zero-day threat, or vulnerabilities in outdated hardware, which may be known and mitigated, zero-day exploits are unknown to defenders and present a unique challenge. Similarly, vulnerabilities identified during routine testing are often disclosed and remediated before attackers can take advantage, distinguishing them from zero-day threats.
Zero-day vulnerabilities are highly sought after in cybercrime and espionage markets due to their potential for undetected exploitation. Attackers may use them to gain unauthorized access, steal sensitive data, install malware, or disrupt critical systems. Because traditional signature-based defenses cannot detect unknown exploits, organizations must implement layered security measures to mitigate risk. This includes intrusion detection and prevention systems, endpoint monitoring, anomaly-based detection, and behavioral analytics capable of identifying suspicious activity even without a known signature. Network segmentation, strict access controls, and privilege restrictions further limit the potential impact of a zero-day exploit.
Once a zero-day vulnerability is publicly disclosed or patched, rapid patch management is essential to protect systems from exploitation. Security teams also benefit from threat intelligence, which helps identify indicators of compromise associated with active zero-day attacks. Organizations can conduct simulations and penetration tests to evaluate resilience against hypothetical zero-day attacks, ensuring that defensive measures function as intended. Maintaining awareness of zero-day risks is particularly critical for high-value assets, sensitive data repositories, and critical infrastructure, as these targets are most likely to attract sophisticated attackers. By combining proactive monitoring, rapid response, and threat intelligence, organizations can reduce exposure and maintain robust cybersecurity defenses even in the face of unknown vulnerabilities.
Question 123
Which of the following BEST describes the role of a public key infrastructure (PKI)?
(A)To manage encryption keys and digital certificates
(B) To provide physical security for data centers
(C) To monitor user login attempts
(D) To enforce firewall rules
Answer: A
Explanation:
Public Key Infrastructure (PKI) is a comprehensive framework that manages cryptographic keys and digital certificates, enabling secure communication, authentication, and non-repudiation across digital systems. At its core, PKI relies on asymmetric cryptography, which involves a pair of mathematically linked keys: a private key, kept confidential by the owner, and a public key, which is freely distributed to others for encryption or verification purposes. This asymmetric approach ensures that sensitive information can be securely transmitted, verified, and authenticated without requiring the sharing of secret keys, significantly reducing the risk of interception or tampering. Unlike physical security measures, which protect assets from physical threats, or monitoring login attempts, which focuses on identity and access management, PKI provides cryptographic assurance that data and identities are legitimate. Similarly, enforcing firewall rules safeguards network boundaries but does not provide encryption or digital signature verification, making PKI uniquely essential for secure communications.
PKI enables organizations to protect various types of digital interactions, including secure email communication, user authentication, VPN access, document signing, and data encryption. Its key components include Certificate Authorities (CAs), which issue and verify digital certificates; Registration Authorities (RAs), which authenticate users before certificate issuance; certificate repositories for storage and distribution; and revocation mechanisms such as Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) to ensure compromised or invalid certificates are identified in real time. By leveraging PKI, organizations can validate identities, guarantee data integrity, and maintain non-repudiation, which is critical for legal and compliance purposes.
PKI also underpins widely used technologies such as TLS/SSL for web security, secure email protocols, and digital signatures for document verification, forming the foundation for trust in online systems such as e-commerce platforms, online banking, and confidential communications. Proper implementation requires careful management of certificate lifecycles, secure key storage, trust hierarchy establishment, and compliance with regulations like GDPR, HIPAA, and ISO 27001. Without PKI, encrypted communications would be vulnerable to interception, and digital identities could be easily forged, exposing sensitive information to unauthorized access. Overall, PKI serves as a cornerstone of modern cybersecurity, providing the infrastructure needed to maintain confidentiality, authenticity, and trust in digital interactions across organizations.
Question 124
Which of the following BEST describes ransomware?
(A) Software that monitors network traffic
(B) Malicious software that encrypts files and demands payment for recovery
(C) Hardware used to detect unauthorized access
(D) A technique for bypassing firewalls
Answer: B
Explanation:
Ransomware is a form of malicious software designed to deny access to data, systems, or networks until a ransom is paid, typically in cryptocurrency. Unlike network monitoring, which observes traffic for anomalies, or specialized hardware for detecting unauthorized access, ransomware actively disrupts normal operations by encrypting files and rendering them unusable. It does not function by bypassing firewalls, although attackers may exploit vulnerabilities to deliver it. Ransomware commonly spreads through phishing campaigns, malicious email attachments, infected software downloads, drive-by web attacks, and exploitation of unpatched software vulnerabilities. Once executed, it may encrypt local files, mapped network drives, or even cloud storage, making recovery difficult without proper precautions.
To mitigate the risk of ransomware, organizations must adopt a multi-layered defense strategy. Regular, offline backups are critical, ensuring that encrypted or compromised data can be restored without paying a ransom. Endpoint protection solutions, including antivirus and Endpoint Detection and Response (EDR) systems, help detect suspicious behaviors and halt attacks early. Network segmentation limits the lateral movement of ransomware, reducing its impact if a single system is compromised. Additionally, security awareness training educates employees on identifying phishing attempts, malicious links, and unsafe downloads, which are the most common infection vectors.
Incident response planning is another essential component. Organizations must define clear procedures for isolating infected systems, conducting forensic investigations to determine the attack scope, and communicating with internal stakeholders, law enforcement, and regulatory bodies as necessary. Paying the ransom is generally discouraged, as it does not guarantee data recovery and encourages future attacks. Some advanced ransomware variants not only encrypt data but also exfiltrate sensitive information, creating potential legal, regulatory, and reputational consequences.
Behavioral analytics and real-time monitoring further enhance detection by identifying unusual patterns indicative of ransomware activity, even before the encryption process begins. By combining proactive defenses, robust backup strategies, user education, and well-defined incident response plans, organizations can build resilience against ransomware and maintain operational continuity even in the face of increasingly sophisticated attacks.
Question 125
Which of the following BEST describes phishing attacks?
(A) Attempts to steal sensitive information by masquerading as a trusted entity
(B) Exploiting software vulnerabilities for privilege escalation
(C) Launching distributed denial-of-service attacks
(D) Infecting hardware with malware
Answer: A
Explanation:
Phishing attacks are a type of social engineering tactic where attackers attempt to manipulate individuals into revealing sensitive information such as usernames, passwords, financial details, or personal identification. These attacks typically occur through email, text messages, or instant messaging platforms and often impersonate trusted entities like banks, colleagues, or service providers. By creating a sense of urgency, fear, or offering an attractive incentive, attackers exploit human psychology to bypass technical defenses and convince victims to take actions they normally would not. Unlike software exploits, which target technical vulnerabilities in systems, phishing primarily targets human behavior. Similarly, distributed denial-of-service (DDoS) attacks aim to disrupt the availability of resources rather than steal information, and infecting hardware is generally unrelated to the typical methods of phishing.
Mitigating phishing attacks requires a combination of technical controls and human-focused strategies. User education is critical, teaching individuals how to recognize suspicious emails, verify senders, and avoid clicking on unknown links or downloading attachments from untrusted sources. Simulated phishing campaigns are an effective training method, allowing employees to experience realistic scenarios in a controlled environment and learn from mistakes. Multi-factor authentication provides an additional layer of security by ensuring that even if credentials are compromised, unauthorized access is prevented. Organizations can also implement email security solutions that filter messages, analyze links for malicious content, and detect anomalous communication patterns. Domain monitoring tools can alert security teams to lookalike domains used in phishing campaigns.
Phishing is often a vector for other attacks, including ransomware, spyware, or credential harvesting, which can escalate security risks across the organization. Understanding the psychology behind phishing enables security teams to design awareness campaigns that address real-world tactics and enhance vigilance. By combining user training, advanced technical defenses, and continuous monitoring, organizations can significantly reduce the effectiveness of phishing attacks, protect sensitive information, and strengthen their overall cybersecurity posture. The focus on human behavior, alongside layered technical controls, ensures a comprehensive defense against one of the most prevalent threats in modern cybercrime.
Question 126
Which of the following BEST describes a botnet?
(A) A network of compromised devices controlled remotely by an attacker
(B) A secure VPN network
(C) A type of firewall
(D) A password manager
Answer: A
Explanation:
A botnet is a network of compromised devices, often called “bots” or “zombies,” that are infected with malware and controlled remotely by a malicious actor without the knowledge of the device owners. These compromised devices can include computers, servers, Internet of Things (IoT) devices, and even mobile phones. Botnets are leveraged for a variety of cybercriminal activities, including distributed denial-of-service (DDoS) attacks that overwhelm targeted systems with traffic, mass spam campaigns, unauthorized cryptocurrency mining, and the propagation of malware across networks. Unlike VPNs, which provide secure and private communication channels, botnets are illicit networks designed for exploitation. Firewalls, while essential for regulating and monitoring traffic, cannot inherently detect or control a botnet once devices are compromised. Similarly, password managers secure credentials but do not prevent devices from being recruited into a botnet.
The formation of a botnet typically exploits weaknesses such as unpatched software vulnerabilities, weak or default passwords, and social engineering attacks like phishing. Once a device is compromised, it may connect to a command-and-control (C2) server or participate in a peer-to-peer communication structure, allowing the attacker to issue instructions to thousands or even millions of infected devices simultaneously. Some botnets utilize advanced techniques like fast-flux DNS, which rapidly changes domain name mappings to avoid detection and takedown, making them highly resilient and difficult to disrupt.
Detecting botnet activity requires a combination of network monitoring, anomaly detection, traffic analysis, and endpoint behavior monitoring. Indicators may include unusual outbound connections, spikes in network traffic, or unexpected resource usage on devices. Mitigation strategies involve implementing robust endpoint protection, applying timely patches and updates, disabling unnecessary services, enforcing strong authentication practices, and having well-documented incident response plans. Collaboration with threat intelligence networks can also help organizations identify known botnet C2 servers and prevent further compromise. Understanding botnet architecture, recruitment methods, and operational tactics is critical for cybersecurity professionals. Effective prevention and response measures are essential to protect organizational networks, critical infrastructure, and individual devices from the large-scale attacks and disruptions that botnets can generate.
Question 127
Which of the following BEST describes the use of a VLAN in network security?
(A) Segmentation of network traffic to improve security and performance
(B) Encrypting data in transit
(C) Authenticating users
(D) Detecting malware on endpoints
Answer: A
Explanation:
Virtual Local Area Networks, or VLANs, are a fundamental network technology used to logically segment network traffic, creating separate broadcast domains within the same physical network infrastructure. By dividing the network in this way, VLANs reduce unnecessary traffic between devices that do not need to communicate with each other, which not only improves overall network performance but also enhances security. Each VLAN operates as its own isolated segment, which allows network administrators to control and restrict access between different groups or departments. This isolation is particularly valuable in limiting the potential attack surface of the network, as it helps prevent unauthorized users or compromised devices from easily moving laterally across the network.
Unlike encryption, which focuses on protecting the confidentiality of data in transit, VLANs focus on structuring the network itself to segregate traffic. While encryption secures the content of communications, it does not prevent devices on the same network from interacting with each other. Similarly, authentication mechanisms validate the identity of users or devices but do not inherently control how traffic is separated or managed within the network. Malware detection, another important security function, is handled by specialized software and tools that monitor for malicious activity but do not provide traffic segmentation.
VLANs contribute to network security and efficiency in several ways. By grouping devices with similar roles or security requirements, VLANs help enforce access policies and simplify network management. For instance, sensitive systems, guest networks, and administrative functions can each be assigned to separate VLANs, minimizing the risk that a compromised device in one segment could affect another. When combined with additional security measures such as access control lists (ACLs) and firewalls, VLANs provide a layered defense that further controls how devices communicate across segments.
Effective VLAN design is also beneficial for compliance and operational efficiency. Many regulatory frameworks require organizations to demonstrate control over how sensitive information is accessed and transmitted. Logical segmentation through VLANs helps meet these requirements while supporting proactive risk management by containing potential breaches. Overall, VLANs are widely used in corporate networks, data centers, and cloud environments because they provide a balance of performance, security, and administrative control, ensuring that network traffic is efficiently managed while reducing the likelihood of widespread compromise.
Question 128
Which of the following BEST describes a DDoS attack?
(A) Flooding a system or network with traffic to disrupt service
(B) Exploiting zero-day vulnerabilities
(C) Stealing credentials through phishing
(D) Encrypting files for ransom
Answer: A
Explanation:
A distributed denial-of-service, or DDoS, attack is a type of cyberattack in which an attacker seeks to overwhelm a system, server, or network with an exceptionally high volume of traffic. The objective of this attack is to render services unavailable to legitimate users, effectively disrupting normal operations. DDoS attacks are distinct from other types of cyberattacks such as zero-day exploits, which target previously unknown software vulnerabilities, phishing, which focuses on stealing credentials through social engineering, or ransomware, which encrypts data to demand payment. Unlike these attacks, the main goal of a DDoS attack is disruption and service unavailability rather than theft or encryption of data.
DDoS attacks often leverage large networks of compromised devices, known as botnets, to generate traffic from multiple sources simultaneously, making the attack more difficult to mitigate. Techniques such as amplification and reflection attacks are commonly used to increase the volume of traffic directed at the target, multiplying the impact while obscuring the true origin of the attack. Amplification attacks exploit vulnerable servers to generate a higher volume of response traffic, while reflection attacks involve sending requests to third-party systems that then send large replies to the victim. These strategies allow attackers to significantly strain network resources, bandwidth, and server capacity.
Organizations implement multiple strategies to defend against DDoS attacks. Rate limiting, traffic filtering, and intrusion prevention systems help control and restrict malicious traffic. Specialized scrubbing services can intercept and clean incoming traffic before it reaches critical infrastructure, and cloud-based mitigation solutions offer scalable protection against large-scale attacks. Beyond technical controls, network redundancy, content delivery networks (CDNs), and scalable architectures help maintain service availability, ensuring that systems remain operational even under attack.
Proactive monitoring and anomaly detection are crucial for identifying unusual traffic patterns that may indicate an ongoing or imminent attack. Rapid incident response, including the ability to reroute traffic or activate mitigation services, is essential to reduce downtime and maintain user access. A thorough understanding of DDoS tactics, trends, and evolving attack methods enables organizations to design resilient networks, safeguard critical infrastructure, and ensure continuity of service, even in the face of high-volume disruptive attacks.
Question 129
Which of the following BEST describes the purpose of a firewall rule set?
(A) To define which traffic is allowed or denied through a network device
(B) To encrypt database records
(C) To monitor user activity on endpoints
(D) To back up critical system files
Answer: A
Explanation:
A firewall rule set is a critical component of network security, defining the criteria for allowing or denying traffic based on factors such as IP addresses, ports, protocols, and applications. These rules act as a gatekeeper, ensuring that only authorized traffic is permitted to enter or leave the network while blocking potentially harmful or unauthorized connections. This function is distinct from other security measures such as encrypting databases, which protects data at rest, endpoint monitoring, which tracks activity on individual devices, or file backup, which ensures data recovery. While these functions are important, they do not control network traffic in the way that a firewall rule set does.
Firewalls are designed to enforce organizational security policies by controlling access to network resources, preventing unauthorized intrusions, and logging network activity for auditing and forensic purposes. A well-structured rule set minimizes the network’s attack surface by restricting unnecessary communication and segregating different segments of the network. For example, sensitive internal systems can be isolated from general user traffic, and specific ports or protocols can be restricted to reduce exposure to vulnerabilities. This approach supports the principle of least privilege, allowing only the traffic that is necessary for business operations while blocking all other connections.
Modern firewalls often include advanced capabilities beyond basic traffic filtering, such as stateful inspection, which monitors the state of active connections, and application-aware filtering, which identifies and controls traffic based on specific applications rather than just ports or protocols. Intrusion prevention features may also be integrated to detect and block suspicious activity in real-time. Regular review and updates of firewall rule sets are essential, as network environments, applications, and threat landscapes constantly evolve.
Properly configured firewalls, when combined with continuous monitoring and a robust incident response strategy, play a key role in enhancing overall network security. They help reduce risk exposure, prevent data breaches, and ensure compliance with regulatory frameworks such as NIST, ISO 27001, and PCI-DSS. By carefully designing and maintaining firewall rule sets, organizations can enforce security policies effectively, protect critical assets, and maintain reliable and secure network operations.
Question 130
Which of the following BEST describes multi-factor authentication (MFA)?
(A) Requiring two or more independent methods of authentication
(B) Using a single complex password
(C) Encrypting passwords for storage
(D) Restricting access based on IP address
Answer: A
Explanation:
Multi-factor authentication (MFA) is a security mechanism that requires users to provide multiple, independent forms of verification before gaining access to systems, applications, or data. The purpose of MFA is to add layers of protection beyond a simple password by combining factors from different categories, typically including something the user knows, such as a password or PIN; something the user has, such as a hardware token, smart card, or mobile authentication app; and something the user is, such as biometric identifiers like fingerprints, facial recognition, or iris scans. This multi-layered approach ensures that even if one factor is compromised, unauthorized access is still significantly more difficult to achieve.
MFA is distinct from other security measures that may appear similar but do not provide equivalent protection. A single password represents only one factor and is vulnerable to phishing, brute-force attacks, and credential stuffing. Encrypting stored passwords protects them from theft but does not verify the user’s identity during login. IP-based restrictions can limit access from certain networks but are easily bypassed and do not constitute true multi-factor verification. MFA is specifically designed to require multiple, independent proofs of identity, making it far more resilient against common attack techniques.
The adoption of MFA has become widespread across enterprise networks, cloud services, virtual private networks (VPNs), and privileged account management. Organizations implement MFA not only to protect sensitive systems and data but also to meet compliance requirements imposed by regulatory frameworks and security standards. Many MFA solutions support adaptive or risk-based authentication, which dynamically adjusts verification requirements based on contextual factors such as geographic location, device type, and user behavior. This allows organizations to balance security with usability, ensuring that legitimate users are not unduly hindered while maintaining strong defenses against unauthorized access.
By requiring multiple forms of authentication, MFA dramatically reduces the risk of account compromise, protects critical infrastructure, and strengthens overall organizational security posture. It is an essential control for defending against phishing, credential stuffing, and other forms of identity-based attacks while enhancing operational confidence and resilience in today’s increasingly complex threat landscape.
Question 131
A security analyst notices repeated login attempts from unusual IP addresses targeting multiple accounts. Which type of attack is most likely occurring?
(A) Brute force
(B) Phishing
(C) SQL injection
(D) Man-in-the-middle
Answer: A
Explanation:
A brute force attack is a type of cyberattack in which an attacker systematically attempts a large number of username and password combinations in order to gain unauthorized access to accounts or systems. The attack relies on automation and computational power to try every possible combination until the correct credentials are discovered. One of the key indicators of a brute force attack is repeated login attempts from multiple unusual or unexpected IP addresses, suggesting that an automated tool or botnet may be targeting user accounts. This makes brute force attacks particularly dangerous for systems without protective measures, as they can be executed at scale and often go unnoticed until successful access occurs.
Brute force attacks differ from other common types of cyberattacks. Phishing, for instance, relies on tricking users into voluntarily providing their credentials through deceptive emails or websites, rather than attempting to guess them directly. SQL injection attacks exploit vulnerabilities in databases to manipulate or retrieve data but do not typically target login mechanisms in this way. Man-in-the-middle attacks intercept communications between parties to eavesdrop or manipulate data, rather than performing repeated login attempts. Brute force attacks are unique because they directly target authentication processes and rely on the attacker systematically guessing credentials rather than exploiting vulnerabilities or deceiving users.
Detecting brute force attacks requires careful monitoring of login activity. Unusually high numbers of failed login attempts, repeated attempts from unknown IP addresses, and alerts from intrusion detection systems are common signs. Mitigation strategies include implementing account lockout policies that temporarily disable accounts after a set number of failed attempts, using multi-factor authentication to add additional layers of security beyond passwords, and applying rate-limiting to restrict the number of login attempts within a specific timeframe. Logging and monitoring are also critical, as they allow security teams to identify patterns and respond quickly, particularly when attacks originate from distributed IP addresses.
Additional measures, such as security awareness training for users and network segmentation to isolate sensitive systems, can further reduce the risk of a successful brute force attack. By combining these strategies, organizations can strengthen their defenses, protect critical accounts, and minimize the likelihood of unauthorized access through automated credential-guessing attacks.
Question 132
Which protocol ensures secure email transmission over the internet by encrypting both the message and transport layer?
(A) SMTP
(B) IMAP
(C) S/MIME
(D) POP3
Answer: C
Explanation:
S/MIME, or Secure/Multipurpose Internet Mail Extensions, is a protocol developed to provide cryptographic security for email communications. It is designed to ensure the confidentiality, integrity, and authenticity of email messages. By encrypting the content of an email, S/MIME prevents unauthorized parties from reading the message even if it is intercepted during transmission. In addition, it supports the use of digital signatures, which verify the sender’s identity and confirm that the message has not been altered in transit. This combination of encryption and authentication is critical for protecting sensitive information and maintaining trust in email communications.
While protocols such as SMTP, IMAP, and POP3 are fundamental to email systems, they do not provide cryptographic security by default. SMTP, or Simple Mail Transfer Protocol, is used for sending messages from a client to a server or between servers but lacks native encryption. IMAP and POP3, which are used to retrieve emails from a server, also do not offer built-in encryption. Without additional security measures, emails transmitted over these protocols can be intercepted and read by malicious actors.
Implementing S/MIME requires the use of a public key infrastructure (PKI) to issue digital certificates. These certificates allow senders to encrypt messages with the recipient’s public key and sign messages with their own private key. Recipients can then decrypt the message using their private key and verify the sender’s signature using the sender’s public key. Proper configuration of S/MIME ensures that sensitive emails remain confidential and that the identity of the sender can be reliably verified.
Organizations often use S/MIME in combination with transport layer security (TLS) to provide additional protection during the transmission of messages. Failure to implement secure email protocols can leave organizations vulnerable to data breaches, phishing attacks, and compliance violations, potentially resulting in regulatory fines or reputational damage. By adopting S/MIME, organizations enhance email security, protect sensitive information, and maintain the integrity and trustworthiness of their communications.
Question 133
A company wants to implement a system that identifies insider threats by monitoring abnormal user behaviors. Which type of system should they deploy?
(A) IDS
(B) SIEM
(C) DLP
(D) Behavior analytics
Answer: D
Explanation:
User and Entity Behavior Analytics, commonly referred to as UEBA, is a security approach focused on monitoring and analyzing the typical behavior patterns of users and devices within an organization. By establishing a baseline of normal activity, UEBA systems are able to detect deviations that may indicate potential security threats, particularly insider threats or compromised accounts. These deviations can include unusual login times, accessing sensitive files without proper authorization, unexpected patterns of data transfer, or anomalous system usage. The primary goal of UEBA is to identify behaviors that fall outside of normal patterns, which may signal malicious activity, careless actions, or compromised credentials.
UEBA differs from traditional security solutions in important ways. Intrusion Detection Systems (IDS) primarily focus on identifying external attacks or known threat signatures, while Security Information and Event Management (SIEM) platforms aggregate and correlate logs from multiple sources to identify security events. Neither IDS nor SIEM is inherently designed to detect subtle behavioral anomalies within users or devices. Similarly, Data Loss Prevention (DLP) tools are focused on preventing the unauthorized exfiltration of sensitive data but typically do not provide insights into deviations from normal behavior. UEBA fills this gap by using advanced analytics, machine learning, and statistical models to identify patterns that might be missed by human analysts or traditional rule-based systems.
Implementing UEBA enhances an organization’s security posture by providing early warning of potentially malicious or negligent insider activity. This proactive approach reduces the risk of data breaches, theft of intellectual property, and regulatory non-compliance. UEBA works most effectively when integrated with existing security infrastructure, such as access control mechanisms, logging frameworks, and SIEM platforms, enabling a comprehensive, centralized view of threats across the network. By correlating behavioral anomalies with other security signals, organizations can prioritize responses, investigate suspicious activity more efficiently, and apply targeted mitigations.
Overall, UEBA provides a dynamic and intelligent layer of defense that goes beyond conventional security monitoring. By continuously learning and adapting to the evolving behaviors of users and entities, it enables organizations to detect and respond to insider threats and compromised accounts before they result in significant damage, improving both risk management and operational resilience.
Question 134
Which cryptographic method uses two separate keys, one for encryption and one for decryption?
(A) Symmetric encryption
(B)Asymmetric encryption
(C) Hashing
(D) Steganography
Answer: B
Explanation:
Asymmetric encryption, also known as public-key cryptography, uses a pair of keys: a public key for encryption and a private key for decryption. This ensures that only the intended recipient can decrypt the message, even if the encryption key is publicly known. Symmetric encryption uses a single shared key for both encryption and decryption, which requires secure key distribution. Hashing creates a fixed-length representation of data but cannot be reversed to retrieve the original message. Steganography hides information within other files or media, rather than encrypting it. Asymmetric encryption underpins technologies like SSL/TLS, digital signatures, and secure email protocols such as S/MIME. Proper key management and secure storage of private keys are essential to maintain confidentiality and prevent unauthorized decryption.
Question 135
An administrator wants to prevent unauthorized devices from connecting to the corporate Wi-Fi. Which method is the most effective?
(A) MAC filtering
(B) WPA3 encryption
(C) Captive portal
(D) SSID broadcasting
Answer: A
Explanation:
MAC filtering restricts network access by allowing only devices with specific MAC addresses to connect. This provides a layer of control over which devices can access corporate Wi-Fi. WPA3 encryption secures data transmission over Wi-Fi but does not inherently prevent unauthorized devices from attempting to connect. Captive portals require user authentication, typically for guest access, but do not enforce device-specific restrictions. SSID broadcasting simply announces the network and has no direct security control. While MAC filtering can be bypassed by spoofing MAC addresses, it remains an effective deterrent in combination with strong encryption, authentication, and network monitoring. Implementing multiple security layers enhances protection against unauthorized connections, reducing the risk of data exposure, malware infiltration, and insider attacks.
Question 136
Which attack type is characterized by an attacker intercepting communication between two parties to eavesdrop or alter messages?
(A) Man-in-the-middle
(B) SQL injection
(C) Brute force
(D) Cross-site scripting
Answer: A
Explanation:
A Man-in-the-Middle (MitM) attack occurs when an attacker secretly intercepts and possibly modifies communication between two parties without their knowledge. This type of attack can compromise confidentiality, integrity, and authentication. SQL injection targets databases, brute force attacks aim at authentication, and cross-site scripting injects malicious scripts into web applications. MitM attacks often exploit unsecured protocols, weak encryption, or public Wi-Fi networks. Mitigation strategies include using end-to-end encryption, implementing strong certificate validation, deploying VPNs, and enforcing strict authentication mechanisms. Organizations should monitor network traffic for unusual patterns, such as duplicate certificates or suspicious IPs, to detect potential MitM activity. Regular user education on safe network usage also reduces the risk of falling victim to these attacks.
Question 137
Which security control is primarily designed to ensure data cannot be read if intercepted, regardless of who accesses it?
(A) Encryption
(B) Firewalls
(C) Antivirus
(D) Logging
Answer: A
Explanation:
Encryption transforms readable data into a coded format that only authorized users can decipher. Its primary purpose is to maintain confidentiality, ensuring that even if data is intercepted, it cannot be understood without the decryption key. Firewalls control network traffic, antivirus protects against malware, and logging records events for audit purposes but do not prevent data exposure directly. Encryption can be applied to data in transit using protocols like TLS or VPNs, as well as data at rest using full-disk or file-level encryption. Effective encryption relies on secure key management, strong algorithms, and proper configuration. Organizations often combine encryption with access control, monitoring, and intrusion detection to provide comprehensive protection against unauthorized access and data breaches.
Question 138
Which method of access control grants permissions based on roles within an organization?
(A) DAC
(B) MAC
(C) RBAC
(D) ABAC
Answer: C
Explanation:
Role-Based Access Control (RBAC) assigns permissions according to a user’s role within an organization, streamlining management and improving security by ensuring users have only the access necessary for their responsibilities. Discretionary Access Control (DAC) allows owners to grant permissions, Mandatory Access Control (MAC) enforces strict policies defined by administrators, and Attribute-Based Access Control (ABAC) considers multiple attributes like time, location, or device. RBAC reduces administrative complexity, limits exposure to sensitive resources, and ensures compliance with regulatory standards. Effective implementation involves defining roles accurately, regularly auditing role assignments, and integrating with identity and access management systems. RBAC is particularly useful in large organizations with numerous users and complex access requirements.
Question 139
A network administrator wants to ensure that sensitive files are not copied to USB drives or cloud storage by employees. Which control should be implemented?
(A) DLP
(B) IDS
(C) VPN
(D) Firewall
Answer: A
Explanation:
Data Loss Prevention (DLP) solutions are designed to monitor, detect, and prevent unauthorized transfer of sensitive data. They can enforce policies that block copying files to removable media, USB drives, or cloud storage. IDS (Intrusion Detection Systems) monitor network activity for malicious behavior but do not control data movement. VPNs secure remote connections but do not prevent internal data exfiltration, and firewalls primarily control network traffic. Implementing DLP involves classifying data, defining rules for sensitive content, and monitoring endpoints and networks for policy violations. Advanced DLP systems can integrate with email servers, cloud storage, and collaboration tools to provide comprehensive data protection. Organizations benefit from DLP by reducing accidental or malicious data leaks, ensuring regulatory compliance, and protecting intellectual property.
Question 140
Which type of malware disguises itself as legitimate software to trick users into installing it?
(A) Trojan
(B) Worm
(C) Virus
(D) Ransomware
Answer: A
Explanation:
A Trojan is a type of malware that masquerades as legitimate software to deceive users into installing it. Unlike worms, which self-replicate, or viruses, which attach to files, Trojans rely on social engineering to trick users. Ransomware encrypts files and demands payment but may also use Trojan techniques to infiltrate systems. Trojans can create backdoors, steal credentials, or install additional malware. Preventing Trojan infections requires user awareness, email and web filtering, endpoint protection, and restricting administrative privileges. Monitoring system behavior for unusual processes or connections can help detect Trojans early. Organizations often combine antivirus, anti-malware solutions, and continuous monitoring to reduce the risk of Trojan infections and minimize potential damage.
