CompTIA SY0-701 Security+ Exam Dumps and Practice Test Questions Set 9 Q161-180
Q161. A security analyst observes repeated failed login attempts against multiple accounts from different IP addresses. The failed attempts occur slowly over a long period to avoid detection. Which type of attack is likely taking place?
A) Brute-force attack
B) Password spraying
C) Credential stuffing
D) Phishing
Answer: B) Password spraying
Explanation:
Option A, brute-force attack, involves attempting every possible password combination against a single account. Brute-force attacks are usually rapid and target individual accounts systematically. In this scenario, the attempts are slow and spread across multiple accounts, so it does not match the typical brute-force behavior.
Option C, credential stuffing, uses previously leaked usernames and passwords to attempt login across multiple systems. While it may appear similar, credential stuffing relies on known credentials from data breaches, not generic attempts on multiple accounts with common passwords.
Option D, phishing, involves tricking users into divulging credentials through email or social engineering. Phishing does not involve automated login attempts across multiple accounts in a slow, measured manner.
Option B, password spraying, is correct. Password spraying is an attack method where attackers attempt a small set of commonly used passwords across a large number of accounts, avoiding account lockouts and detection mechanisms. The attack is slow, persistent, and difficult to detect using traditional brute-force detection systems. Key factors include:
Low and slow attack pattern: Avoids triggering account lockout or intrusion alerts.
Multi-account targeting: Attempts passwords across a broad user base.
Common password usage: Exploits weak or reused passwords.
Mitigation strategies involve implementing multi-factor authentication (MFA), monitoring for unusual login activity, enforcing strong password policies, and educating users to avoid predictable passwords.
Q162. A network administrator wants to isolate guest Wi-Fi traffic from internal corporate resources to prevent unauthorized access. Which method is most appropriate?
A) Port security
B) VLAN segmentation
C) Network tap deployment
D) Load balancing
Answer: B) VLAN segmentation
Explanation:
Option A, port security, restricts which devices can connect to a switch port based on MAC addresses. While it controls physical access, it does not logically segregate traffic between guest and internal networks.
Option C, network tap deployment, allows passive monitoring of traffic without modifying it. It is a diagnostic tool, not a method for isolating traffic.
Option D, load balancing, distributes traffic across multiple servers to optimize performance and availability. It does not provide security isolation.
Option B, VLAN segmentation, is correct. VLANs (Virtual Local Area Networks) allow network administrators to logically separate traffic within the same physical network. Guest Wi-Fi can be placed on a dedicated VLAN with firewall rules restricting access to internal corporate systems. Benefits of VLAN segmentation include:
Traffic isolation: Prevents unauthorized lateral movement from guest devices to internal resources.
Policy enforcement: Firewall rules and access controls can be applied per VLAN.
Reduced attack surface: Minimizes exposure of sensitive systems.
Best practices include implementing ACLs, ensuring proper VLAN tagging, and monitoring inter-VLAN traffic to detect potential breaches.
Q163. During a forensic investigation, an analyst wants to ensure that a disk image collected from a suspect system has not been altered. Which method provides the highest assurance of integrity?
A) Disk partitioning
B) Hashing
C) Defragmentation
D) Sanitization
Answer: B) Hashing
Explanation:
Option A, disk partitioning, involves creating or modifying partitions on a disk, which changes the structure and does not verify integrity.
Option C, defragmentation, reorganizes files on a disk to optimize performance, altering the data layout and compromising forensic integrity.
Option D, sanitization, permanently destroys or removes data to prevent recovery, which is counterproductive in a forensic investigation.
Option B, hashing, is correct. Hashing involves using cryptographic algorithms like SHA-256 to create a unique fingerprint of the disk image. Any change to even a single bit produces a different hash value, providing verifiable evidence that the data has not been tampered with. Key points include:
Verification: Hashes of the original media and copies can be compared.
Chain of custody: Hash values are documented for legal admissibility.
Integrity assurance: Essential for forensic reliability and regulatory compliance.
Q164. A financial services company wants to detect unusual login times, unexpected data transfers, and abnormal application usage. Which security solution best supports this requirement?
A) Static firewall
B) Intrusion prevention system
C) Behavior-based analytics
D) Packet filtering
Answer: C) Behavior-based analytics
Explanation:
Option A, static firewall, enforces predefined traffic rules but cannot detect deviations from normal behavior.
Option B, intrusion prevention system (IPS), relies mainly on signatures of known attacks and may miss novel threats or subtle behavioral anomalies.
Option D, packet filtering, examines headers of packets to allow or deny traffic but does not analyze user behavior.
Option C, behavior-based analytics, is correct. This solution monitors normal activity patterns and identifies deviations indicative of insider threats or account compromise. Features include:
Baseline creation: Establish normal patterns for logins, data transfers, and app usage.
Anomaly detection: Alerts for deviations like unusual login times or abnormal data exfiltration.
Machine learning: Improves detection accuracy over time.
Real-time response: Enables SOC teams to investigate and respond promptly.
Q165. A penetration tester discovers a Linux server with a root-owned cron job that executes a script every five minutes. The script is writable by all users. What is the immediate risk?
A) Privilege escalation
B) Lateral movement
C) Credential harvesting
D) Pivoting
Answer: A) Privilege escalation
Explanation:
Option B, lateral movement, occurs after gaining access to one system and is not the immediate threat here.
Option C, credential harvesting, targets passwords or tokens but does not relate directly to writable cron scripts.
Option D, pivoting, involves using a compromised host to attack other systems, which may follow exploitation but is not the primary risk.
Option A, privilege escalation, is correct. The misconfigured cron job allows users to inject commands that execute with root privileges. This provides:
Root access to the system.
Ability to install persistent malware or backdoors.
Full control over system configurations and data.
Potential to escalate further attacks within the network.
Mitigation includes auditing cron jobs, enforcing least privilege, monitoring critical scripts, and applying system hardening practices to prevent such vulnerabilities.
Q166. A security administrator wants to enforce that users can only access the resources necessary for their job functions, and no more. Which security principle is being applied?
A) Separation of duties
B) Least privilege
C) Role rotation
D) Mandatory vacation
Answer: B) Least privilege
Explanation:
Option A, separation of duties, divides responsibilities among multiple users to reduce the chance of fraud or errors. It is a key internal control principle in cybersecurity and corporate governance, often used in financial, IT, and operational environments. For example, in a payment system, one employee may initiate a transaction while another must approve it. While this reduces risk from collusion or mistakes, separation of duties does not explicitly restrict a user’s access rights to the minimal permissions necessary for their role; it only divides responsibilities.
Option C, role rotation, involves periodically shifting employees between roles or duties. Its primary goal is to prevent insider threats and knowledge concentration. For instance, rotating database administrators or security operators helps detect fraudulent activity or misuse that may go unnoticed if the same person consistently performs the same tasks. While role rotation can complement least privilege, it does not directly enforce access restrictions.
Option D, mandatory vacation, requires employees to take time off from work to uncover anomalies, fraud, or process violations that might only appear in their absence. This approach is mainly used as a fraud detection or audit technique and does not govern what users are allowed to access on a daily basis.
Option B, least privilege, is correct. The principle of least privilege (PoLP) dictates that users, applications, and systems should be granted only the access necessary to perform their legitimate functions, and no more. This is a fundamental concept in cybersecurity frameworks like NIST SP 800-53, CIS Controls, ISO 27001, and the Zero Trust model. Implementing least privilege provides several critical benefits:
Reduces attack surface: If an account is compromised, limited permissions prevent the attacker from easily accessing sensitive data, executing system-wide changes, or moving laterally across the network.
Mitigates insider threats: Employees or contractors cannot access resources outside their role, minimizing intentional or accidental misuse of privileged accounts.
Ensures regulatory compliance: Many standards and regulations—such as HIPAA, PCI DSS, SOX, and GDPR—explicitly require strict access control measures, which include restricting access to only what is necessary for job duties.
Enables more efficient auditing and accountability: When users have only the permissions they require, tracking and monitoring becomes more precise, making it easier to detect anomalies or unauthorized access attempts.
Implementation methods for least privilege include role-based access control (RBAC), attribute-based access control (ABAC), discretionary access control (DAC) where appropriate, and periodic permission audits to remove unnecessary access rights. In cloud and hybrid environments, dynamic policies can further enforce least privilege by limiting access based on real-time conditions such as location, device posture, and time of day.
Practical examples: An HR employee can view personnel records but cannot modify payroll system configurations; a help desk technician can reset passwords but cannot access sensitive financial records. Least privilege also applies to service accounts, processes, and applications; for instance, a web application may only require read access to a database, not write access.
Failure to enforce least privilege can result in catastrophic breaches. High-profile incidents, such as ransomware attacks that exploited overly permissive accounts, demonstrate how attackers gain extensive access when unnecessary privileges exist. Continuous monitoring, automated access reviews, and adherence to the principle of least privilege are thus essential components of robust cybersecurity strategy.
Q167. A network administrator notices that guest users are able to reach internal corporate servers despite being connected to the guest Wi-Fi. Which technique should be used to isolate this traffic effectively?
A) Load balancing
B) VLAN segmentation
C) Port mirroring
D) NAT (Network Address Translation)
Answer: B) VLAN segmentation
Explanation:
Option A, load balancing, is a mechanism to distribute workloads across multiple servers or devices to improve performance, availability, and fault tolerance. Load balancing focuses on efficient traffic distribution and system responsiveness rather than isolating network traffic or enforcing security boundaries. While load balancing can support performance under heavy load, it does not prevent guest users from accessing sensitive internal resources.
Option C, port mirroring, allows the duplication of traffic from one port on a network switch to another for monitoring and analysis. Security operations centers (SOCs) and network administrators often use port mirroring to analyze traffic for anomalies or detect intrusions. However, port mirroring does not enforce segmentation or isolation; it only provides visibility for monitoring purposes.
Option D, NAT, translates private IP addresses to public IP addresses and vice versa, enabling multiple devices to share a single external address. NAT facilitates internet access and helps obscure internal IP structures but does not inherently prevent unauthorized access within the internal network or segregate guest traffic from corporate resources.
Option B, VLAN segmentation, is correct. Virtual Local Area Networks (VLANs) allow logical segmentation of networks even over the same physical infrastructure. By assigning guest users to a separate VLAN and applying firewall rules, ACLs, or network policies, administrators can:
Prevent access to internal servers, sensitive applications, or restricted subnets.
Reduce risk from compromised devices on the guest network attempting lateral movement.
Enforce security boundaries while maintaining connectivity to the internet or isolated resources.
VLAN segmentation is widely adopted in corporate networks, particularly in multi-tenant environments or where BYOD (Bring Your Own Device) and guest access are allowed. Proper VLAN configuration involves assigning devices to the correct VLAN, configuring the switch ports appropriately, applying access control lists, and ensuring routing does not inadvertently bridge isolated networks. Advanced implementations may use private VLANs, VRFs (Virtual Routing and Forwarding), or software-defined networking (SDN) to enhance security and policy enforcement.
Q168. During a forensic investigation, a technician needs to confirm that a collected disk image has not been tampered with after acquisition. Which method provides the highest assurance?
A) Defragmentation
B) Disk partitioning
C) Hashing
D) Sanitization
Answer: C) Hashing
Explanation:
Option A, defragmentation, reorganizes files on a disk to optimize access and performance. While beneficial for system efficiency, defragmentation modifies data placement and the underlying file system, making it inappropriate for forensic purposes where preserving original structure and integrity is critical.
Option B, disk partitioning, changes or reorganizes partitions on a storage device. Partitioning alters the disk’s structure and is unrelated to verifying the authenticity or integrity of a forensic image.
Option D, sanitization, involves securely erasing or destroying data to prevent recovery. In forensic contexts, sanitization is counterproductive because it eliminates evidence rather than preserving it.
Option C, hashing, is correct. Hashing uses cryptographic algorithms, such as SHA-256 or SHA-512, to generate a fixed-length unique fingerprint (digest) of a file, disk, or image. Hashing ensures that any change to even a single bit will result in a different digest, providing a verifiable guarantee of integrity. Key points include:
Verification: Comparing hash values at the time of acquisition and at each stage of analysis confirms that the data has not been altered.
Legal admissibility: Courts and regulatory authorities accept cryptographic hashes as proof that digital evidence has not been tampered with.
Chain of custody: Hashes are recorded alongside forensic logs, ensuring evidence can be traced and validated throughout the investigation.
Reproducibility: Multiple copies of the disk image can be verified independently using the same hash algorithm to guarantee identical content.
Forensic best practices dictate that both the original media and any working copies are hashed, and that hash values are documented thoroughly. Investigators should use algorithms resistant to collision attacks, maintain strict chain of custody, and implement write-blockers during acquisition to prevent unintentional modification. Hashing is indispensable in modern digital forensics, underpinning trust in the integrity of evidence and supporting prosecutorial and investigative processes.
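The verification step described in Q163 and Q168, as an added example that is not code from the original page. It hashes an image in chunks (real images do not fit in memory), stores the digest in a minimal chain-of-custody record at acquisition, and re-checks a working copy; the record fields and the constructed 1 MiB "image" are assumptions.

```python
"""Disk-image integrity verification with SHA-256 (added example, not from the page).

The image is hashed chunk by chunk, the digest is kept in a small
chain-of-custody record taken at acquisition, and every later copy is
compared against that record. A single flipped bit in a copy is detected.
"""
import hashlib
import hmac
import io


def hash_stream(fileobj, algorithm="sha256", chunk_size=1 << 20):
    """Hash a readable binary stream in chunks and return the hex digest."""
    digest = hashlib.new(algorithm)
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def hash_bytes(data, algorithm="sha256", chunk_size=1 << 20):
    """Convenience wrapper for in-memory data (same chunked path as files)."""
    return hash_stream(io.BytesIO(data), algorithm, chunk_size)


def custody_record(label, fileobj, algorithm="sha256"):
    """Record taken at acquisition; a real record also logs examiner, time and tool."""
    return {"label": label, "algorithm": algorithm,
            "digest": hash_stream(fileobj, algorithm)}


def verify_copy(record, fileobj):
    """True only if the stream hashes to the digest recorded at acquisition."""
    actual = hash_stream(fileobj, record["algorithm"])
    return hmac.compare_digest(actual, record["digest"])


def demo():
    """Constructed 1 MiB 'image'; returns (original_verifies, tampered_verifies)."""
    original = bytes(range(256)) * 4096
    record = custody_record("constructed-suspect-image", io.BytesIO(original))
    tampered = bytearray(original)
    tampered[123456] ^= 0x01  # flip a single bit in the working copy
    return (verify_copy(record, io.BytesIO(original)),
            verify_copy(record, io.BytesIO(bytes(tampered))))


if __name__ == "__main__":
    print(demo())  # (True, False)
```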
Q169. A financial company wants to detect unusual activity, such as abnormal login times, unexpected data transfers, and suspicious application use. Which type of solution is most appropriate?
A) Static firewall
B) Intrusion prevention system
C) Behavior-based analytics
D) Packet filtering
Answer: C) Behavior-based analytics
Explanation:
Option A, static firewall, enforces predefined rules for network traffic but lacks intelligence to detect behavioral anomalies. While it can block unauthorized traffic, it cannot identify deviations from normal user or system patterns.
Option B, intrusion prevention system (IPS), primarily relies on signatures of known attacks to detect malicious activity. While effective against recognized threats, IPSs often miss subtle or novel attacks, insider threats, or sophisticated malware that does not match signatures.
Option D, packet filtering, examines packet headers against defined rules to permit or deny traffic. It is effective for controlling traffic flows but does not provide insights into anomalous behavior, user activities, or abnormal data transfer patterns.
Option C, behavior-based analytics, is correct. Behavior-based analytics solutions establish baselines for normal user, device, and application activity, and detect deviations in real-time. Benefits include:
Early detection of insider threats and compromised accounts.
Identification of abnormal logins, unusual data transfers, or deviations in application usage.
Integration with machine learning and statistical models to improve detection accuracy and reduce false positives.
Alerting SOC teams proactively to respond to anomalies before significant damage occurs.
Behavioral analytics complements signature-based detection methods, enabling organizations to identify advanced, sophisticated, and previously unknown threats. It is particularly important in financial services, healthcare, and critical infrastructure where subtle deviations may indicate serious risks, fraud, or regulatory violations.
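The baseline-then-deviation approach described in Q164 and Q169, as an added example that is not code from the original page. It builds a per-user baseline of usual login hours and transfer volume from a constructed history and scores new events against it; the history, the three-sigma threshold and the one-hour slack are assumptions.

```python
"""Baseline-and-deviation scoring for logins and data transfers.

Added example, not code from the original page. Builds a per-user baseline
(usual login hours, mean and standard deviation of megabytes transferred)
from history, then scores new events as unusual login time and/or abnormal
transfer volume. Users with no baseline are reported rather than guessed at.
"""
from collections import defaultdict
from statistics import mean, pstdev


def constructed_history():
    """Constructed 20-day history for one user: (user, login_hour, megabytes)."""
    rows = []
    for day in range(20):
        hour = 8 + day % 3             # logins between 08:00 and 10:00
        megabytes = 50 + day % 5 - 2   # 48..52 MB moved per session
        rows.append(("alice", hour, megabytes))
    return rows


def build_baselines(history):
    """Per-user baseline: set of login hours, mean and std-dev of volume."""
    by_user = defaultdict(list)
    for user, hour, megabytes in history:
        by_user[user].append((hour, megabytes))
    baselines = {}
    for user, rows in by_user.items():
        volumes = [mb for _, mb in rows]
        baselines[user] = {"hours": {h for h, _ in rows},
                           "mean_mb": mean(volumes),
                           "std_mb": pstdev(volumes)}
    return baselines


def score_event(baselines, user, hour, megabytes,
                sigma=3.0, hour_slack=1, min_std_mb=1.0):
    """Return the list of anomaly reasons for one new event (empty = normal)."""
    base = baselines.get(user)
    if base is None:
        return ["no_baseline"]        # new account: cannot judge, route for review
    reasons = []
    usual = {(h + d) % 24 for h in base["hours"]
             for d in range(-hour_slack, hour_slack + 1)}
    if hour not in usual:
        reasons.append("unusual_login_time")
    # Floor the std-dev so a perfectly constant history does not flag tiny changes.
    threshold = base["mean_mb"] + sigma * max(base["std_mb"], min_std_mb)
    if megabytes > threshold:
        reasons.append("abnormal_transfer_volume")
    return reasons


if __name__ == "__main__":
    baselines = build_baselines(constructed_history())
    print(score_event(baselines, "alice", 3, 2000))   # night login, huge transfer
    print(score_event(baselines, "alice", 11, 53))    # within baseline
```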
Q170. During a penetration test, a Linux server has a root-owned cron job that executes a script every five minutes. The script is writable by all users. What is the primary risk?
A) Privilege escalation
B) Lateral movement
C) Credential harvesting
D) Pivoting
Answer: A) Privilege escalation
Explanation:
Option B, lateral movement, occurs after initial compromise, where an attacker uses one system to move to others on the network. While lateral movement can follow privilege escalation, it is not the immediate threat in this scenario.
Option C, credential harvesting, focuses on obtaining stored passwords, tokens, or sensitive information. Writable cron scripts do not directly relate to credential harvesting.
Option D, pivoting, uses a compromised system as a launchpad to access additional network resources. It typically requires elevated privileges first, so the primary risk is not pivoting itself.
Option A, privilege escalation, is correct. Writable root-owned cron scripts allow attackers to insert malicious commands executed automatically with root privileges. This can lead to:
Full system compromise, including the installation of persistent malware or backdoors.
Escalation from a standard user to root privileges, enabling control over the OS and critical applications.
Potential lateral movement after gaining root access.
Risk of complete data exfiltration or disruption of services.
Mitigation strategies include:
Enforcing least privilege on all scripts and files, especially those executed by root.
Regularly auditing permissions and ownership of cron jobs.
Implementing real-time monitoring to detect unauthorized modifications.
Applying system hardening standards, such as CIS benchmarks, to prevent misconfigurations.
Misconfigured cron jobs are a common vulnerability in Linux environments. By auditing, securing permissions, and monitoring scheduled tasks, administrators can significantly reduce the risk of privilege escalation and maintain a secure system posture.
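An audit routine for the cron permission problem in Q165 and Q170, as an added example that is not code from the original page. It parses crontab text in the per-user format, collects every absolute path a job references, and reports targets an unprivileged user could change; the crontab contents and the temporary scripts it checks are constructed.

```python
"""Audit cron entries for scripts an unprivileged user could modify.

Added example, not code from the original page. Parses crontab text in the
per-user format (five schedule fields or an @shortcut, then the command),
collects every absolute path the command references, and reports: world- or
group-writable target, symlinked target, world-writable non-sticky parent
directory, or a missing target.
"""
import os
import shutil
import stat
import tempfile


def scheduled_paths(crontab_text):
    """Return (schedule, command, [absolute paths in the command]) per job."""
    jobs = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:           # environment assignment such as PATH=...
            continue
        if line.startswith("@"):             # @reboot, @hourly, ...
            schedule, _, command = line.partition(" ")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        paths = [tok for tok in command.split() if tok.startswith("/")]
        jobs.append((schedule, command.strip(), paths))
    return jobs


def audit_path(path):
    """Permission findings for one path; severity depends on owner and group."""
    try:
        info = os.lstat(path)
    except FileNotFoundError:
        return ["missing_target"]            # confirm the entry is intentional
    findings = []
    if stat.S_ISLNK(info.st_mode):
        findings.append("symlink_target")    # whoever controls the link controls what root runs
    if info.st_mode & stat.S_IWOTH:
        findings.append("world_writable")
    if info.st_mode & stat.S_IWGRP:
        findings.append("group_writable")
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent_dir_world_writable")  # the file itself could be replaced
    return findings


def audit_crontab(crontab_text):
    """Map each referenced path that has at least one finding to its findings."""
    report = {}
    for _, _, paths in scheduled_paths(crontab_text):
        for path in paths:
            findings = audit_path(path)
            if findings:
                report[path] = findings
    return report


def demo():
    """Constructed crontab over temporary scripts; returns findings by file name."""
    workdir = tempfile.mkdtemp()
    try:
        os.chmod(workdir, 0o755)
        scripts = {}
        for name, mode in (("backup.sh", 0o777), ("rotate.sh", 0o755), ("sync.sh", 0o775)):
            path = os.path.join(workdir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
            scripts[name] = path
        crontab = (
            "# constructed root crontab\n"
            "PATH=/usr/sbin:/usr/bin\n"
            f"*/5 * * * * {scripts['backup.sh']} >/dev/null 2>&1\n"
            f"0 3 * * * sh {scripts['rotate.sh']}\n"
            f"@hourly {scripts['sync.sh']}\n"
        )
        report = audit_crontab(crontab)
        return {os.path.basename(p): f for p, f in report.items()}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

On a live system the same functions can be fed the output of crontab -l for root, plus the files under /etc/cron.d, which use the system format with an extra user field between the schedule and the command.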
Q171. A security analyst observes repeated failed login attempts across multiple user accounts from a single external IP address. Which type of attack is most likely being attempted?
A) Brute-force attack
B) Password spraying
C) Phishing
D) Man-in-the-middle attack
Answer: B) Password spraying
Explanation:
Option A, brute-force attack, involves systematically attempting all possible password combinations against a single account until the correct one is found. Traditional brute-force attacks target one account at a time and often trigger account lockouts due to repeated incorrect attempts. While brute-force attacks are effective, they are noisy, slow, and usually easy to detect with standard security monitoring systems. In this scenario, the activity is across multiple accounts, not a single account, which differentiates it from brute-force attacks.
Option C, phishing, is a social engineering attack designed to trick users into providing credentials, personal information, or installing malware. Phishing attacks often occur via email, malicious websites, or deceptive communications. While phishing can result in compromised credentials, it does not manifest as automated login attempts from a single IP across multiple accounts.
Option D, man-in-the-middle (MITM) attacks, involve intercepting or altering communications between two parties without their knowledge. MITM attacks target network traffic integrity and confidentiality but do not generally create repeated login attempts across multiple accounts.
Option B, password spraying, is correct. Unlike brute-force attacks that focus on a single account, password spraying uses a limited set of commonly used passwords (e.g., “Password123” or “Welcome2025”) across many user accounts to avoid triggering account lockouts. This type of attack leverages the fact that users often reuse weak passwords. Key characteristics and risks include:
Detection challenge: Since each account is only attempted a few times, standard account lockout policies do not trigger, making detection more difficult.
Scale: Attackers often target large numbers of accounts using automation tools that perform rapid login attempts across multiple IP addresses or geographic locations.
Initial access vector: Password spraying is often the first step in gaining unauthorized access to corporate systems or cloud accounts. Once successful, attackers may attempt lateral movement, data exfiltration, or privilege escalation.
Mitigation strategies: Organizations can prevent password spraying by enforcing strong, unique passwords, enabling multi-factor authentication (MFA), implementing anomalous login detection (e.g., monitoring for logins from unexpected geolocations), and applying rate-limiting policies to failed login attempts.
Understanding the subtle difference between brute-force and password spraying is critical. Password spraying is stealthier, more scalable, and designed to exploit human password behavior rather than computational weakness. In large enterprises, monitoring failed login patterns across multiple accounts and correlating them with known attack signatures is essential to early detection and prevention.
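The detection logic this explanation calls for, covering the scenarios in Q161, Q171 and Q176, as an added example that is not code from the original page. It buckets failed logins into fixed windows and labels a window as spraying when many distinct accounts each fail only a few times (from one source or many), and as brute force when one account fails repeatedly; the log format, sample lines and thresholds are constructed.

```python
"""Password-spraying vs brute-force classifier over authentication log lines.

Added example, not code from the original page. A window is labelled
'password_spraying' when many distinct accounts each see only a few failures
(the 'low and slow, many accounts' pattern, whether from one IP or several)
and 'brute_force' when a single account fails repeatedly.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)   # naive reference point; bucketing stays timezone-independent

# Constructed sample log in a hypothetical "timestamp user source_ip result" format.
SAMPLE_LOG = """\
2024-05-01T02:00:05 alice 203.0.113.10 FAIL
2024-05-01T02:03:12 bob 203.0.113.10 FAIL
2024-05-01T02:06:40 carol 198.51.100.7 FAIL
2024-05-01T02:09:01 dave 203.0.113.10 FAIL
2024-05-01T02:12:33 erin 198.51.100.7 FAIL
2024-05-01T02:15:58 frank 203.0.113.10 FAIL
2024-05-01T02:18:20 grace 192.0.2.44 FAIL
2024-05-01T02:21:47 heidi 203.0.113.10 FAIL
2024-05-01T08:30:00 alice 10.0.0.5 FAIL
2024-05-01T08:30:20 alice 10.0.0.5 FAIL
2024-05-01T08:30:41 alice 10.0.0.5 FAIL
2024-05-01T08:31:02 alice 10.0.0.5 FAIL
2024-05-01T08:31:30 alice 10.0.0.5 SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def classify_windows(events, window_seconds=1800, min_accounts=5,
                     max_per_account=2, brute_threshold=4):
    """Bucket failed logins into fixed windows and label suspicious ones.

    Spraying: at least min_accounts distinct accounts failed and none failed
    more than max_per_account times. Brute force: one account failed at least
    brute_threshold times. A window can carry both labels.
    """
    window = timedelta(seconds=window_seconds)
    buckets = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            buckets[(ts - EPOCH) // window].append((user, ip))

    findings = []
    for bucket in sorted(buckets):
        per_user = Counter(user for user, _ in buckets[bucket])
        ips = sorted({ip for _, ip in buckets[bucket]})
        start = EPOCH + bucket * window
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            findings.append({"kind": "password_spraying", "window_start": start,
                             "accounts": sorted(per_user), "source_ips": ips})
        for user, count in per_user.items():
            if count >= brute_threshold:
                findings.append({"kind": "brute_force", "window_start": start,
                                 "accounts": [user], "source_ips": ips})
    return findings


if __name__ == "__main__":
    for finding in classify_windows(parse_log(SAMPLE_LOG)):
        print(finding["kind"], finding["window_start"], finding["accounts"], finding["source_ips"])
```

Lockout-based alerting never fires on the first window because no account exceeds two failures; the distinct-account count is what exposes it.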
Q172. An organization wants to restrict access to sensitive resources based on user attributes such as location, device compliance, and time of access. Which access control model is most appropriate?
A) Role-based access control
B) Discretionary access control
C) Mandatory access control
D) Attribute-based access control
Answer: D) Attribute-based access control
Explanation:
Option A, role-based access control (RBAC), grants permissions based on a user’s assigned role in the organization. While RBAC simplifies management by aligning access with job functions, it does not take contextual factors such as device posture, geolocation, or time into account. RBAC is static in nature and is effective in environments where access needs are predictable and tied solely to roles, not dynamic conditions.
Option B, discretionary access control (DAC), allows owners of resources to decide who can access them. This model gives flexibility but lacks centralized enforcement and cannot evaluate conditional attributes, making it unsuitable for highly sensitive resources that require context-aware control.
Option C, mandatory access control (MAC), enforces access decisions based on classification labels and is highly rigid. Access to resources is determined by system-enforced policies that consider sensitivity levels (e.g., top secret, confidential) but typically does not incorporate dynamic attributes like device health or login time. MAC is suitable for highly classified government or military environments but is inflexible for business contexts requiring conditional access.
Option D, attribute-based access control (ABAC), is correct. ABAC evaluates access based on attributes of the user, resource, action, and environment. Key features include:
Contextual enforcement: ABAC allows policies such as “allow access to financial records only if the device is compliant, the user is on corporate network, and access occurs during business hours.”
Granular control: Access decisions are not limited to roles but can be based on a combination of user identity, device security posture, location, time, and risk level.
Dynamic adaptability: Policies can adjust in real time based on changing conditions, such as geolocation restrictions, VPN usage, or threat intelligence signals.
Zero Trust integration: ABAC is commonly used in zero-trust architectures where every access request is evaluated continuously rather than granting implicit trust based on network location or role.
Security benefits: Reduces the attack surface by ensuring only authorized and compliant devices and users can access sensitive resources. Provides compliance enforcement for regulations like HIPAA, PCI DSS, and GDPR.
Implementing ABAC requires a well-designed policy engine, identity and access management (IAM) integration, and continuous monitoring. ABAC is ideal for cloud and hybrid environments where resource access conditions change dynamically and require real-time evaluation to maintain security.
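The contextual policy quoted above ("allow access to financial records only if the device is compliant, the user is on the corporate network, and access occurs during business hours"), encoded as a small policy decision point. This is an added example, not code from the original page; the corporate address ranges, the business-hours definition and the attribute names are assumptions.

```python
"""Minimal ABAC policy decision point (added example, not code from the page).

Encodes the page's sample policy: read access to financial records only if
the device is compliant, the user is on the corporate network, and the
request is made during business hours (plus a department attribute). Anything
not explicitly permitted is denied, and the decision names every failed
condition so the reason can be logged and audited.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed


@dataclass
class Request:
    subject: dict       # user attributes: department, device_compliant, ...
    resource: dict      # resource attributes: type, classification, ...
    action: str
    environment: dict   # context: source_ip, hour (0-23), weekday (0 = Monday)


@dataclass
class Rule:
    name: str
    resource_type: str
    actions: set
    conditions: list = field(default_factory=list)   # (label, predicate) pairs


@dataclass
class Decision:
    permit: bool
    rule: str
    failed: list


def device_compliant(req):
    return req.subject.get("device_compliant") is True


def on_corporate_network(req):
    source = ip_address(req.environment["source_ip"])
    return any(source in net for net in CORPORATE_NETWORKS)


def business_hours(req):
    return req.environment["weekday"] < 5 and 9 <= req.environment["hour"] < 18


def in_department(name):
    return lambda req: req.subject.get("department") == name


POLICY = [
    Rule("finance-read", "financial_record", {"read"}, [
        ("device_compliant", device_compliant),
        ("on_corporate_network", on_corporate_network),
        ("business_hours", business_hours),
        ("finance_department", in_department("finance")),
    ]),
]


def decide(policy, req):
    """First rule matching resource type and action decides; otherwise default deny."""
    for rule in policy:
        if rule.resource_type != req.resource.get("type") or req.action not in rule.actions:
            continue
        failed = [label for label, predicate in rule.conditions if not predicate(req)]
        return Decision(permit=not failed, rule=rule.name, failed=failed)
    return Decision(permit=False, rule="default-deny", failed=["no_applicable_rule"])


if __name__ == "__main__":
    req = Request({"department": "finance", "device_compliant": True},
                  {"type": "financial_record"}, "read",
                  {"source_ip": "10.1.2.3", "hour": 22, "weekday": 1})
    print(decide(POLICY, req))   # denied: business_hours failed
```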
Q173. During a penetration test, a tester identifies a web application that executes system commands directly based on user input without validation. Which type of vulnerability is present?
A) SQL injection
B) Command injection
C) Cross-site scripting
D) Path traversal
Answer: B) Command injection
Explanation:
Option A, SQL injection, targets a database backend by manipulating SQL queries. Attackers can exfiltrate data, modify records, or escalate privileges within the database. While SQL injection can be devastating, it operates at the database query level and does not allow arbitrary execution of operating system commands.
Option C, cross-site scripting (XSS), targets end users by injecting malicious scripts into web pages that are executed in the browser. XSS exploits client-side vulnerabilities rather than executing commands on the server.
Option D, path traversal, manipulates file paths to access files outside the intended directory scope. While dangerous, it does not inherently allow execution of arbitrary commands on the server.
Option B, command injection, is correct. Command injection occurs when user-supplied input is improperly handled and passed directly to the underlying operating system for execution. Key risks include:
Complete system compromise: Attackers can execute arbitrary commands with the privileges of the vulnerable application, potentially leading to root-level control.
Escalation opportunities: Once command execution is achieved, the attacker may install malware, create persistent backdoors, or pivot to other networked systems.
Exploitation techniques: Command injection may involve appending shell commands to input fields, using special characters or escape sequences, and leveraging poorly sanitized input in scripts or APIs.
Mitigation: Input validation, use of parameterized APIs, least privilege execution, sandboxing, and monitoring for abnormal system calls are critical. Security frameworks such as OWASP Top 10 highlight command injection as a critical web vulnerability due to its potential impact.
Command injection is particularly dangerous because it bypasses the application’s intended logic and directly interacts with the operating system. Proactive testing, code review, and secure coding practices are essential defenses.
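The vulnerable pattern beside its hardened form, as an added example that is not code from the original page. The flawed function builds a shell command string from user input; the hardened one validates the input against a strict hostname allow-list and passes it to the program as a separate argv element, so no shell ever parses it. The ping utility and the hostname rules are assumptions.

```python
"""Vulnerable versus hardened handling of a user-supplied host for a ping utility.

Added example, not code from the original page. vulnerable_command_line()
shows the bug: input spliced into a string destined for shell=True, where
metacharacters are interpreted by the shell. safe_ping_argv() shows the fix:
allow-list validation plus an argument vector executed without a shell.
"""
import re
import shlex
import subprocess

# RFC 1123-style hostname: labels of letters, digits and inner hyphens, max 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command_line(host):
    """The defect: a string meant for subprocess.run(cmd, shell=True).

    Whatever the user typed is handed to the shell as part of the command
    line, so shell syntax in `host` is executed rather than passed to ping.
    """
    return f"ping -c 1 {host}"


def validate_hostname(host):
    """Allow-list check; rejects metacharacters, whitespace, empty strings and a
    leading '-' (which would otherwise be parsed by ping as an option)."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def safe_ping_argv(host):
    """Argument vector for subprocess.run(argv): the host is one argv element."""
    return ["ping", "-c", "1", validate_hostname(host)]


def quoted_fallback(host):
    """If a shell is unavoidable, quote after validating; quoting alone is weaker."""
    return "ping -c 1 " + shlex.quote(validate_hostname(host))


def run_ping(host, timeout=5):
    """Runs the hardened form (no shell); returns the process exit status."""
    result = subprocess.run(safe_ping_argv(host), capture_output=True,
                            text=True, timeout=timeout)
    return result.returncode
```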
Q174. A company wants employees to authenticate using a combination of something they know and a time-based code generated by an app. Which authentication method is being enforced?
A) Single-factor authentication
B) Two-factor authentication
C) Biometric authentication
D) Certificate-based authentication
Answer: B) Two-factor authentication
Explanation:
Option A, single-factor authentication, relies on one type of credential, such as a password. While simple, it is insufficient for high-security environments because if the credential is compromised, access is fully exposed.
Option C, biometric authentication, uses physical attributes like fingerprints, iris scans, or facial recognition. While secure, it is not part of this scenario, which specifies a password plus a time-based code.
Option D, certificate-based authentication, relies on digital certificates and public-private key pairs for authentication. Certificates are strong for device or user verification but are not mentioned here.
Option B, two-factor authentication (2FA), is correct. 2FA requires two distinct authentication factors:
Something you know: Typically a password or PIN.
Something you have: A time-based one-time password (TOTP) generated by an app such as Google Authenticator or Microsoft Authenticator.
2FA enhances security by requiring two separate proofs of identity. Even if the password is compromised, access is denied without the second factor. Key benefits include:
Protection against password reuse and theft.
Compliance with regulatory standards such as PCI DSS and NIST guidelines.
Compatibility with cloud and on-premises systems for secure authentication.
Best practices include enforcing strong password policies, educating users on phishing risks, and integrating 2FA with SSO solutions to balance usability and security.
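How the "something you have" factor above is actually computed and checked, as an added example that is not code from the original page: TOTP per RFC 6238 on top of HOTP per RFC 4226, with a server-side verifier that tolerates one step of clock skew and refuses to accept the same time step twice. The step, digit count and hash are the common authenticator-app defaults; the secret is a raw byte string (apps display it base32-encoded).

```python
"""TOTP (RFC 6238) generation and verification for the 'something you have' factor.

Added example, not code from the original page. hotp() implements RFC 4226
dynamic truncation; totp() derives the counter from Unix time in 30-second
steps; TotpVerifier accepts a small clock-skew window and never accepts the
same step twice (replay guard). Defaults are SHA-1, 6 digits, 30 s.
"""
import hmac
import struct
import time


def hotp(secret, counter, digits=6, hash_name="sha1"):
    """HMAC-based one-time password for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hash_name).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, hash_name="sha1"):
    """Time-based code: the counter is the number of whole steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits, hash_name)


class TotpVerifier:
    """Server-side check of a submitted code for one enrolled secret."""

    def __init__(self, secret, step=30, digits=6, window=1, hash_name="sha1"):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window          # accept +/- this many steps of clock skew
        self.hash_name = hash_name
        self.last_counter = -1        # highest step already consumed

    def verify(self, code, now=None):
        """True if `code` matches a not-yet-used step within the skew window."""
        now = time.time() if now is None else now
        counter = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue              # already used or older: reject replays
            expected = hotp(self.secret, candidate, self.digits, self.hash_name)
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # RFC 6238 test-vector secret
    print(totp(demo_secret, time.time()))
```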
Q175. During a security audit, multiple employees are discovered sharing credentials to access corporate systems. Which security principle is being violated?
A) Accountability
B) Separation of duties
C) Least privilege
D) Role rotation
Answer: A) Accountability
Explanation:
Option B, separation of duties, divides responsibilities to prevent fraud but is unrelated to credential sharing.
Option C, least privilege, limits permissions but does not directly address shared credentials.
Option D, role rotation, prevents insider threats through periodic job shifts but does not address accountability.
Option A, accountability, is correct. Accountability ensures that all actions in a system are attributable to a specific user. Shared credentials violate this principle, creating significant risks:
Inability to trace activity: Investigators cannot determine who performed actions or introduced errors.
Compliance violations: Regulations like HIPAA, PCI DSS, and SOX require individual accountability.
Increased insider threat risk: Shared accounts obscure responsibility, facilitating unauthorized actions.
Mitigation strategies include enforcing unique user accounts, monitoring access logs, and implementing authentication controls. Ensuring accountability is fundamental for both security and regulatory compliance.
Q176. A security analyst notices repeated failed login attempts on multiple accounts from different external IP addresses. What type of attack is most likely occurring?
A) Brute-force attack
B) Password spraying
C) Phishing
D) Man-in-the-middle attack
Answer: B) Password spraying
Explanation:
Option A, brute-force attack, involves systematically attempting every possible password for a single account until the correct one is discovered. This attack typically targets one account at a time and produces many rapid failures against that account, so it is prone to detection and tends to trigger account lockouts. While brute-force attacks can succeed in environments with weak password policies, they are not optimized for attacking multiple accounts at once.
Option C, phishing, is a social engineering tactic aimed at tricking users into revealing credentials, downloading malware, or providing sensitive information. Phishing attacks are not characterized by repeated automated login attempts; rather, they rely on human interaction and deception, usually via email or fake websites.
Option D, man-in-the-middle attacks, involve intercepting communications between two parties, often to capture sensitive data or manipulate transactions. MITM attacks focus on network traffic rather than login attempts across multiple accounts.
Option B, password spraying, is correct. Unlike brute-force attacks, which exhaust all possible passwords for a single account, password spraying uses a limited set of commonly used passwords (such as “Password123” or “Welcome2025”) across many accounts. This approach minimizes the chance of triggering account lockouts while exploiting the human tendency to use weak, predictable passwords. Key characteristics and considerations include:
Detection evasion: Since only a small number of attempts are made per account, password spraying is often difficult to detect with traditional account lockout policies.
Automation and scale: Attackers often employ automated tools to target hundreds or thousands of accounts efficiently.
Initial compromise: Password spraying is typically used to gain initial access to corporate accounts or cloud services. Successful access may lead to lateral movement, privilege escalation, or data exfiltration.
Mitigation strategies: Organizations can reduce risk by implementing multi-factor authentication (MFA), enforcing strong password policies, monitoring anomalous login patterns, applying rate-limiting, and educating users about credential hygiene.
Understanding the subtle difference between brute-force and password spraying is critical for both detection and defense. Password spraying attacks are stealthier, more scalable, and exploit human behavior rather than computational weakness. In enterprise environments, monitoring patterns of failed logins across multiple accounts and correlating them with known attack signatures is essential for early detection.
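The detection point above is easier to see in code. The following is an added example, not part of the original question set: it parses constructed authentication log lines (the format and every line in SAMPLE_LOG are made up for the demo) and applies the two different heuristics, failures per account for brute force versus distinct accounts per source for spraying. Function and field names are assumptions for illustration.

```python
"""Detection logic for password spraying versus brute force (added example).
The log format and the lines in SAMPLE_LOG are constructed for this demo."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp, result, account, source address.
# 203.0.113.7 sprays one guess at five accounts over ~25 minutes and then
# succeeds as frank; 198.51.100.9 hammers alice (classic brute force);
# 192.0.2.55 is background noise.
SAMPLE_LOG = """\
2025-03-01T02:00:05Z FAIL user=alice src=203.0.113.7
2025-03-01T02:04:11Z FAIL user=bob src=203.0.113.7
2025-03-01T02:09:30Z FAIL user=carol src=203.0.113.7
2025-03-01T02:15:02Z FAIL user=dave src=203.0.113.7
2025-03-01T02:21:45Z FAIL user=erin src=203.0.113.7
2025-03-01T02:27:09Z OK user=frank src=203.0.113.7
2025-03-01T02:30:00Z FAIL user=alice src=198.51.100.9
2025-03-01T02:30:01Z FAIL user=alice src=198.51.100.9
2025-03-01T02:30:02Z FAIL user=alice src=198.51.100.9
2025-03-01T02:30:03Z FAIL user=alice src=198.51.100.9
2025-03-01T09:12:44Z FAIL user=gina src=192.0.2.55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Return (timestamp, result, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_spraying(events, window=timedelta(hours=1), min_accounts=5,
                    max_per_account=3, group=lambda src: src):
    """Spraying signature: within `window`, one group (default: one source IP)
    fails against >= min_accounts distinct accounts while making at most
    max_per_account failures against any single one, so per-account lockout
    thresholds never fire. Returns {group_key: sorted distinct accounts}."""
    by_group = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_group[group(src)].append((ts, user))
    findings = {}
    for key, fails in by_group.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):  # sliding window over this group's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = Counter(user for _, user in fails[start:end + 1])
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                findings[key] = sorted(counts)
                break
    return findings


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=4):
    """Brute-force signature: >= threshold failures against ONE account from one
    source inside `window`. Returns a set of (src, user) pairs."""
    by_key = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_key[(src, user)].append(ts)
    hits = set()
    for (src, user), stamps in by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add((src, user))
                break
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("spraying:", detect_spraying(ev))
    print("brute force:", detect_bruteforce(ev))
```

Grouping by source IP catches a spray from a single address. Because the question says the attempts arrive from different addresses, a real deployment would also run the same check with group=lambda src: "tenant" (or a function that maps addresses to an ASN or country) so that distinct-account failures are counted across all sources, accepting more false positives on a busy tenant. A successful login, like frank's above, from a source already flagged for spraying is the event that deserves an immediate response.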
Q177. An organization wants to enforce access policies based on device health, location, and user role to secure cloud resources. Which access control model is most suitable?
A) Role-based access control
B) Discretionary access control
C) Mandatory access control
D) Attribute-based access control
Answer: D) Attribute-based access control
Explanation:
Option A, role-based access control (RBAC), assigns permissions based on user roles. While RBAC simplifies management, it is static and does not consider contextual factors such as device compliance, geolocation, or time of access. RBAC is suitable in environments where access requirements are predictable and tied to job roles rather than dynamic conditions.
Option B, discretionary access control (DAC), allows resource owners to decide access rights. While flexible, DAC lacks centralized enforcement and cannot evaluate real-time attributes, making it unsuitable for enforcing security policies that depend on context or compliance.
Option C, mandatory access control (MAC), enforces access based on security labels and classification levels. While highly secure, MAC is inflexible and generally does not account for dynamic conditions such as device health, location, or risk score.
Option D, attribute-based access control (ABAC), is correct. ABAC evaluates access using attributes of the user, resource, environment, and requested action. Key features include:
Contextual decision-making: Policies like “allow access to sensitive data only from corporate-managed devices, within approved locations, during business hours” are enforceable.
Granular control: ABAC allows dynamic, fine-grained access decisions beyond static roles.
Zero-trust alignment: ABAC supports continuous evaluation of access requests, consistent with zero-trust security principles.
Risk mitigation: ABAC reduces the likelihood of unauthorized access by enforcing policy compliance at the point of access.
Implementation considerations: ABAC requires an identity and access management (IAM) framework capable of evaluating multiple attributes, policy enforcement points integrated with cloud resources, and real-time monitoring for anomalous activity.
ABAC is highly effective in modern hybrid and cloud environments where access requirements are dynamic, and security depends on both user identity and contextual factors. Properly implemented, ABAC ensures sensitive data is accessible only to authorized users under compliant conditions, supporting both security and regulatory compliance.
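The sample policy quoted above ("allow access to sensitive data only from corporate-managed devices, within approved locations, during business hours") can be written as a small policy decision point. This is an added example and not any IAM product's schema: the attribute names, rule names, approved-country list and the fail-closed ordering are all assumptions chosen for illustration.

```python
"""Minimal ABAC policy decision point (added example, hypothetical schema)."""
from dataclasses import dataclass


@dataclass
class Request:
    subject: dict      # who is asking: role, mfa, ...
    resource: dict     # what is asked for: classification, ...
    action: str        # read / write / ...
    environment: dict  # context: device_managed, country, hour_utc


APPROVED_COUNTRIES = {"US", "CA", "GB"}  # assumption for the demo


def _business_hours(env):
    # A missing hour (-1) is treated as outside business hours: fail closed.
    return 9 <= env.get("hour_utc", -1) < 17


# Each rule is (name, effect, predicate). Deny rules are evaluated first and
# any match wins; then the first matching permit; otherwise default deny.
POLICY = [
    ("deny-unmanaged-device-on-sensitive", "DENY",
     lambda r: r.resource.get("classification") == "sensitive"
     and not r.environment.get("device_managed", False)),
    ("deny-unapproved-location", "DENY",
     lambda r: r.environment.get("country") not in APPROVED_COUNTRIES),
    ("deny-sensitive-outside-hours", "DENY",
     lambda r: r.resource.get("classification") == "sensitive"
     and not _business_hours(r.environment)),
    ("permit-analyst-read", "PERMIT",
     lambda r: r.subject.get("role") == "analyst" and r.action == "read"),
    ("permit-admin-write-with-mfa", "PERMIT",
     lambda r: r.subject.get("role") == "admin"
     and r.action in ("read", "write") and r.subject.get("mfa", False)),
]


def decide(req, policy=POLICY):
    """Return (effect, rule_name). Missing attributes never grant access:
    every deny predicate treats an absent attribute as the unsafe value, and
    a request that matches no permit rule falls through to default-deny."""
    for name, effect, pred in policy:
        if effect == "DENY" and pred(req):
            return "DENY", name
    for name, effect, pred in policy:
        if effect == "PERMIT" and pred(req):
            return "PERMIT", name
    return "DENY", "default-deny"


if __name__ == "__main__":
    env = {"device_managed": True, "country": "US", "hour_utc": 10}
    r = Request({"role": "analyst"}, {"classification": "sensitive"}, "read", env)
    print(decide(r))
    print(decide(Request(r.subject, r.resource, "read", {**env, "device_managed": False})))
```

Note what RBAC alone cannot express here: the same analyst role gets a different answer depending on device state, location and time of day, and the decision is recomputed on every request, which is what lets a policy enforcement point re-evaluate a session after a device falls out of compliance. In production the attributes come from external sources (MDM for device_managed, a geo-IP lookup for country, the IdP for role and mfa), and the quality of the decision is bounded by how trustworthy those feeds are.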
Q178. A web application accepts user input without validation, allowing execution of arbitrary operating system commands. Which vulnerability is present?
A) SQL injection
B) Command injection
C) Cross-site scripting
D) Path traversal
Answer: B) Command injection
Explanation:
Option A, SQL injection, targets database queries by manipulating input to execute unintended SQL commands. While dangerous, SQL injection operates at the database level and does not by itself allow direct execution of OS-level commands; where a database engine exposes its own command-execution features, abusing them is still a consequence of SQL injection rather than of the web application passing input to a shell.
Option C, cross-site scripting (XSS), affects the client side by injecting scripts into web pages viewed by other users. XSS exploits browsers and user sessions but does not allow server-level command execution.
Option D, path traversal, allows attackers to access unauthorized files by manipulating directory paths. While serious, path traversal does not provide arbitrary command execution capabilities.
Option B, command injection, is correct. Command injection occurs when user input is improperly handled and passed to the underlying OS for execution. Key points include:
Complete system compromise: Attackers may execute commands with application privileges, potentially gaining full server control.
Privilege escalation: Once OS command execution is achieved, attackers can attempt privilege escalation to gain administrative access.
Exploitation methods: Attackers use input fields, query parameters, or headers to inject shell commands or special characters that the server executes.
Mitigation: Avoid invoking a shell with untrusted input at all (call the required program directly with an argument list, or use a library API instead of a subprocess), apply strict allowlist input validation, sandbox or containerize the application, and run it with the least privilege necessary.
Command injection is one of the most dangerous web vulnerabilities because it bypasses application logic and interacts directly with the OS. Proactive secure coding, static and dynamic analysis, and penetration testing are essential defenses.
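The vulnerable and hardened patterns side by side, as an added example that is not part of the original question set. A "host lookup" feature builds a command from user input; echo stands in for the real tool (ping, nslookup) so the block runs anywhere, and the injection mechanics are identical. The function names and the hostname allowlist regex are assumptions for illustration.

```python
"""Command injection: vulnerable string-built shell command versus an argv
list with allowlist validation (added example)."""
import re
import subprocess


def vulnerable_lookup(host):
    # VULNERABLE: untrusted input is concatenated into a command line that
    # /bin/sh parses, so ';', '|', '$(...)' and friends are interpreted.
    cmd = f"echo pinging {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_without_validation(host):
    # Better: no shell is involved, so metacharacters reach the program as
    # literal characters. Still incomplete: a value beginning with '-' can
    # be parsed by the target program as an option (argument injection).
    return subprocess.run(["echo", "pinging", host],
                          capture_output=True, text=True).stdout


# Allowlist: DNS hostname or dotted-decimal labels only (assumed policy).
HOST_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def validate_host(host):
    """Reject anything that is not a plain hostname/IP; leading '-' and all
    shell metacharacters fail the pattern."""
    if len(host) > 253 or not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def safe_lookup(host):
    # HARDENED: allowlist validation first, then argv list, never a shell.
    host = validate_host(host)
    return subprocess.run(["echo", "pinging", host],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "x; echo INJECTED"
    print(repr(vulnerable_lookup(payload)))        # second command ran
    print(repr(argv_without_validation(payload)))  # treated as one literal
    try:
        safe_lookup(payload)
    except ValueError as e:
        print("blocked:", e)
    print(repr(safe_lookup("example.com")))
```

Validation and the argv form are complementary, not alternatives: the argv list removes the shell's parsing, and the allowlist removes the remaining option-injection surface and anything the downstream program might interpret. Running the resulting process as a dedicated low-privilege account bounds the damage if both are bypassed.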
Q179. A company wants employees to authenticate using a password and a time-based one-time code generated by an app. What type of authentication is being implemented?
A) Single-factor authentication
B) Two-factor authentication
C) Biometric authentication
D) Certificate-based authentication
Answer: B) Two-factor authentication
Explanation:
Option A, single-factor authentication, uses one type of credential such as a password. It is insufficient for high-security environments because if that single credential is compromised, the account is fully exposed.
Option C, biometric authentication, uses physical attributes like fingerprints or facial recognition. While secure, it is not described in this scenario.
Option D, certificate-based authentication, relies on cryptographic certificates rather than passwords plus a TOTP. It is unrelated to this scenario.
Option B, two-factor authentication (2FA), is correct. 2FA combines:
Something you know: A password or PIN.
Something you have: A TOTP generated by an authentication app such as Google Authenticator or Microsoft Authenticator.
Key benefits include:
Protection against password theft and reuse.
Compliance with standards such as PCI DSS and NIST.
Compatibility with cloud services and enterprise systems.
Best practices include strong password policies, user education, and integration with single sign-on (SSO) solutions for usability.
Q180. During a security audit, multiple employees are found sharing credentials to access corporate systems. Which principle is being violated?
A) Accountability
B) Separation of duties
C) Least privilege
D) Role rotation
Answer: A) Accountability
Explanation:
Option B, separation of duties, divides responsibilities among different individuals to reduce the risk of fraud or errors. While it is an important internal control, it does not specifically prevent credential sharing or enforce traceability of user actions, so it is not the principle being violated in this scenario.
Option C, least privilege, limits user access to only the resources necessary to perform their job functions. While credential sharing could indirectly undermine least privilege by giving users access to rights they are not supposed to have, the core violation here is not about excessive permissions—it is about traceability and responsibility.
Option D, role rotation, periodically shifts responsibilities among personnel to prevent insider threats and reduce the risk of collusion. Role rotation helps detect fraudulent activity over time but does not inherently prevent or address the sharing of login credentials or enforce individual accountability.
Option A, accountability, is correct. Accountability is the principle that ensures all actions within a system can be attributed to a specific user. In corporate environments, accountability is critical for operational integrity, forensic investigations, and regulatory compliance. When employees share accounts, accountability is broken because it becomes impossible to determine who executed specific actions. This lack of traceability introduces a number of significant risks and operational challenges:
Activity attribution: Unique user credentials allow security teams, auditors, and forensic investigators to trace every action back to a specific individual. Credential sharing eliminates this capability, making it difficult or impossible to determine responsibility for malicious or accidental actions, whether intentional data tampering, deletion of records, or policy violations.
Regulatory compliance: Regulations such as HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standard), and SOX (Sarbanes-Oxley Act) mandate that all system activity be attributable to a single user. Violating accountability can lead to audit failures, fines, and legal consequences, especially in regulated industries like healthcare, finance, or government.
Insider threats: Shared accounts obscure responsibility, making it easier for malicious insiders to cover their tracks. Malicious actions such as unauthorized data access, exfiltration, or system modifications are more difficult to detect and respond to when user actions are anonymous or conflated across multiple individuals.
Operational inefficiencies: When credential sharing occurs, it complicates incident response and troubleshooting. IT teams cannot quickly identify who made a configuration change, which can delay remediation of operational or security incidents.
Mitigation strategies for maintaining accountability include enforcing the use of unique user accounts, implementing strong authentication mechanisms such as multi-factor authentication, monitoring and logging all user activities, conducting periodic access reviews, and educating employees on the risks of sharing credentials. Organizations can also integrate identity and access management (IAM) solutions to automate enforcement of accountability and streamline auditing processes.
By ensuring accountability, organizations maintain full visibility over user actions, deter potential misuse of privileges, and support forensic investigations and compliance reporting. Without accountability, the organization not only faces operational risk but also legal and reputational exposure. Maintaining individual user accountability is a cornerstone of a secure and well-governed IT environment.
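The "monitoring and logging all user activities" mitigation above becomes concrete once you decide what shared-credential use looks like in session records. The following is an added example, not part of the original question set: it runs two checks over constructed session rows (the rows, field names and thresholds are assumptions), overlapping sessions for one account from different source addresses, and an account used from unusually many sources in a day. Hits are leads for an access review, not proof of sharing, since one person may legitimately hold sessions from a laptop and a phone.

```python
"""Finding shared-credential use in session records (added example)."""
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple


class Session(NamedTuple):
    user: str
    src: str
    start: datetime
    end: datetime


# Constructed rows: (user, source address, login, logout), UTC.
SESSIONS = [
    ("svc_reports", "10.0.5.21", "2025-03-03T08:02:00", "2025-03-03T12:10:00"),
    ("svc_reports", "10.0.7.44", "2025-03-03T09:15:00", "2025-03-03T11:00:00"),
    ("svc_reports", "10.0.9.80", "2025-03-03T13:00:00", "2025-03-03T14:00:00"),
    ("jsmith", "10.0.5.21", "2025-03-03T08:00:00", "2025-03-03T17:00:00"),
    ("jsmith", "10.0.5.21", "2025-03-04T08:00:00", "2025-03-04T17:00:00"),
    ("mlee", "10.0.6.12", "2025-03-03T08:30:00", "2025-03-03T10:00:00"),
    ("mlee", "10.0.6.12", "2025-03-03T10:30:00", "2025-03-03T12:00:00"),
]


def parse_sessions(rows):
    fmt = "%Y-%m-%dT%H:%M:%S"
    return [Session(u, s, datetime.strptime(a, fmt), datetime.strptime(b, fmt))
            for u, s, a, b in rows]


def concurrent_from_distinct_sources(sessions):
    """Accounts logged in from two different addresses at the same time.
    Returns {user: [(src_a, src_b), ...]} in order of the earlier session."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s.user].append(s)
    findings = {}
    for user, sess in by_user.items():
        sess.sort(key=lambda s: s.start)
        pairs = []
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                if sess[j].start >= sess[i].end:
                    break  # sorted by start: nothing later overlaps sess[i]
                if sess[j].src != sess[i].src:
                    pairs.append((sess[i].src, sess[j].src))
        if pairs:
            findings[user] = pairs
    return findings


def distinct_sources_per_day(sessions, threshold=3):
    """Accounts seen from >= threshold distinct addresses on one day.
    Returns {(user, 'YYYY-MM-DD'): count}."""
    seen = defaultdict(set)
    for s in sessions:
        seen[(s.user, s.start.strftime("%Y-%m-%d"))].add(s.src)
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    sess = parse_sessions(SESSIONS)
    print(concurrent_from_distinct_sources(sess))
    print(distinct_sources_per_day(sess))
```

Generic names such as svc_reports are the usual tell: a "service" account that humans log into interactively is a shared credential by construction. The fix is the one the explanation gives, individual accounts tied to one person, with the shared account either retired or converted into a non-interactive identity whose secret is vaulted and checked out under a named user.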