CompTIA PenTest+ PT0-003 Exam Dumps and Practice Test Questions Set 3 Q41-60
Question 41:
Which type of testing simulates real-world attacks to evaluate an organization’s defenses, detection, and response capabilities?
A) Red team testing
B) Vulnerability scanning
C) Patch management
D) Security policy review
Answer: A) Red team testing
Explanation:
Red team testing is a comprehensive security assessment designed to simulate real-world attacks against an organization. It involves a combination of technical exploitation, social engineering, and operational tactics to evaluate both preventive and detective controls. Red teams emulate sophisticated adversaries, attempting to compromise systems, gain access to sensitive information, or move laterally within the network. The goal is not only to identify vulnerabilities but also to assess how the organization detects, responds, and recovers from attacks. Red team exercises test security operations, incident response processes, monitoring tools, and employee awareness simultaneously, providing insight into strengths and weaknesses across technical, procedural, and human layers.
Vulnerability scanning identifies known vulnerabilities in systems, applications, and configurations. It is a valuable tool for identifying areas that require remediation but does not simulate attacks in a realistic, adversarial context. Scanning generates lists of issues rather than evaluating how an organization would respond to active attacks or complex attack chains.
Patch management is the process of updating software and firmware to fix security vulnerabilities or improve functionality. While critical for reducing the attack surface, patch management does not test operational response capabilities or simulate attacker behavior. It is a preventive maintenance activity rather than a full-scale adversarial evaluation.
Security policy review examines the existence, adequacy, and compliance of written security policies. While important for governance and regulatory adherence, policy reviews do not measure how effectively systems, employees, or processes respond under attack. Policies may be sufficient on paper, but without real-world testing, gaps in operational implementation may remain undetected.
Red team testing provides actionable insights for improving security posture, strengthening incident response, and validating controls in realistic scenarios. It often includes multi-phase simulations, combining reconnaissance, exploitation, privilege escalation, lateral movement, and data exfiltration. By mimicking attacker behavior, red team exercises identify weaknesses that may be missed by automated scans or policy reviews. Organizations benefit from understanding how adversaries could exploit vulnerabilities and how their security teams perform under pressure.
Red team assessments are typically supported by blue teams, which monitor, detect, and respond to attacks in real time. This collaborative simulation provides a controlled environment to train personnel, test technologies, and refine incident response plans. The outcome helps prioritize risk mitigation efforts, strengthen defensive measures, and improve overall organizational resilience.
Question 42:
Which type of attack exploits a vulnerability in a web application’s form fields to manipulate backend database queries?
A) SQL injection
B) Cross-site scripting (XSS)
C) Man-in-the-middle (MITM)
D) Denial of Service (DoS)
Answer: A) SQL injection
Explanation:
SQL injection is a web application attack that exploits improper input validation to manipulate backend database queries. Attackers submit specially crafted input into form fields, URLs, or API requests to alter the logic of SQL statements executed by the server. SQL injection can allow attackers to bypass authentication, retrieve sensitive data, modify or delete records, escalate privileges, and compromise entire database systems. The attack leverages weaknesses in application code where user input is not properly sanitized or parameterized. Automated tools and manual testing can identify SQL injection vulnerabilities and demonstrate the potential impact of exploitation.
Cross-site scripting (XSS) attacks inject malicious scripts into web pages viewed by users. XSS is primarily a client-side vulnerability that affects browsers rather than backend databases. While XSS can steal session cookies or redirect users, it does not directly manipulate SQL queries or database records.
Man-in-the-middle (MITM) attacks intercept communication between two parties to eavesdrop, alter messages, or inject malicious content. MITM targets network communications rather than exploiting application logic. It can be used to steal credentials or sensitive information in transit but does not directly alter database queries through input fields.
Denial of Service (DoS) attacks overwhelm a system or network with traffic to disrupt availability. DoS focuses on preventing access to resources rather than extracting or modifying data. It does not manipulate SQL statements or exploit application input fields.
SQL injection is highly effective because it targets the interaction between application input and backend databases. Exploiting this vulnerability can result in complete compromise of sensitive information, unauthorized modifications, or escalation of privileges. Preventive measures include input validation, parameterized queries, stored procedures, and the use of web application firewalls. Regular testing and secure coding practices are essential to mitigate SQL injection risks.
SQL injection attacks remain among the most critical web application vulnerabilities because they provide direct access to sensitive data and system control. Organizations should implement layered defenses, conduct ongoing security assessments, and educate developers about secure coding practices.
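The difference between concatenating user input into a query and passing it as a parameter, as an added example that is not part of the original question set. The in-memory SQLite table, the user record and the login functions are constructed for this illustration only (a real application would store a password hash, not the password itself).

```python
import sqlite3


def build_db():
    # Constructed in-memory table for the demonstration; plaintext password
    # storage is used only to keep the example short.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Vulnerable: user input is spliced straight into the SQL text, so quote
    # characters in the input change the statement's logic. The AND binds
    # tighter than the OR, so a tautology in the password field satisfies the
    # WHERE clause for every row.
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Hardened: placeholders send the values separately from the SQL text, so
    # the database treats the input as data and never as query syntax.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    conn = build_db()
    tautology = "' OR '1'='1"
    return {
        "vulnerable_accepts_tautology": login_vulnerable(conn, "alice", tautology),
        "parameterized_accepts_tautology": login_parameterized(conn, "alice", tautology),
        "parameterized_accepts_real": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized version needs no input filtering to be safe against this class of bug; validation and a web application firewall are additional layers, not a substitute for separating code from data.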
Question 43:
Which type of malware encrypts files and demands payment to restore access?
A) Ransomware
B) Trojan horse
C) Adware
D) Rootkit
Answer: A) Ransomware
Explanation:
Ransomware is malicious software that encrypts files on a victim’s system or network and demands payment, usually in cryptocurrency, to provide a decryption key. The attack can be delivered through phishing emails, malicious downloads, compromised websites, or remote access vulnerabilities. Once executed, ransomware encrypts critical files and displays a ransom note explaining the payment instructions and deadline. The impact can range from individual file loss to full organizational disruption, affecting operations, revenue, and reputation. Ransomware often spreads laterally across networks to maximize damage and target high-value systems.
Trojan horses are malware disguised as legitimate applications to trick users into installing them. Trojans can deliver ransomware, keyloggers, or backdoors, but the Trojan itself is defined by deception rather than the encryption of files. Its purpose is typically unauthorized access or payload delivery rather than extortion.
Adware generates unsolicited advertisements and may track user behavior to generate revenue. Adware does not encrypt files or demand payment and is generally considered a low-risk nuisance rather than a severe threat.
Rootkits conceal the presence of malware or attackers within a system by modifying operating system components, drivers, or kernel modules. Rootkits are designed for stealth and persistence, providing covert access to systems, but they do not encrypt files for ransom. Rootkits may facilitate ransomware deployment, but the primary function is to remain undetected.
Ransomware incidents highlight the importance of preventive and recovery measures such as offline backups, network segmentation, endpoint protection, patch management, and user awareness. Detecting early signs of ransomware behavior and isolating affected systems can minimize impact. Testing incident response plans and educating employees on phishing risks further strengthen organizational resilience.
Question 44:
Which attack technique attempts common passwords against many accounts to avoid account lockout?
A) Password spraying
B) Brute force attack
C) Credential stuffing
D) Dictionary attack
Answer: A) Password spraying
Explanation:
Password spraying is a credential-based attack where attackers attempt a small set of commonly used passwords across multiple accounts. Unlike brute force attacks that target a single account exhaustively, password spraying spreads attempts over many accounts to avoid triggering lockout mechanisms. This technique is effective against weak password policies, reused credentials, or predictable patterns. Attackers often combine password spraying with reconnaissance to identify high-value targets or privileged accounts. The method allows attackers to probe multiple accounts without raising immediate alarms or causing system disruptions.
Brute force attacks attempt every possible combination of characters for a single account. Brute force is computationally intensive, noisy, and likely to trigger lockout policies. It targets one account at a time rather than testing multiple accounts lightly.
Credential stuffing uses leaked username-password pairs from previous breaches to gain access to other systems. Credential stuffing exploits password reuse rather than systematically testing common passwords across many accounts. While effective in real-world attacks, it relies on compromised data rather than password pattern testing.
Dictionary attacks use predefined lists of words, phrases, or commonly used passwords to attempt access to individual accounts. These attacks are more focused than password spraying and can be detected by lockout policies, making them less effective for multi-account testing in controlled scenarios.
Password spraying provides insight into weak password policies without causing widespread disruption. It is commonly used in penetration testing to identify accounts that require stronger authentication policies, including multi-factor authentication or enforced complexity rules. Implementing monitoring and detection mechanisms can help organizations detect password spraying attempts and mitigate credential-based attacks.
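Because each account sees only one or two failures, per-account lockout never fires; detection has to pivot on the source and count distinct accounts. The following detector is an added example, not part of the original page. The log lines are constructed, and the field layout (ISO timestamp, source IP, username, result) is an assumption chosen for the example rather than any product's format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real log data).
# Fields: ISO timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T08:00:01 203.0.113.7 alice FAIL
2024-05-01T08:00:05 203.0.113.7 bob FAIL
2024-05-01T08:00:09 203.0.113.7 carol FAIL
2024-05-01T08:00:14 203.0.113.7 dave FAIL
2024-05-01T08:00:20 203.0.113.7 erin FAIL
2024-05-01T08:00:26 203.0.113.7 frank FAIL
2024-05-01T08:01:00 198.51.100.9 alice FAIL
2024-05-01T08:01:05 198.51.100.9 alice FAIL
2024-05-01T08:01:40 198.51.100.9 alice OK
"""


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def per_account_failures(events):
    # The metric a lockout policy watches: failures per account. A spray
    # keeps this at one or two per account, below typical thresholds.
    counts = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            counts[user] += 1
    return dict(counts)


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: accounts} for sources whose failures touched at
    least min_accounts distinct accounts inside any sliding time window."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = users
                break
    return flagged


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print(per_account_failures(evts))
    print(detect_spraying(evts))
```

In the sample, 203.0.113.7 fails once against six different accounts in under thirty seconds and is flagged, while 198.51.100.9 (a user mistyping their own password twice) is not, even though it produced more failures against a single account.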
Question 45:
Which security control monitors endpoint behavior to detect anomalies and potential threats?
A) Endpoint Detection and Response (EDR)
B) Network firewall
C) Security awareness training
D) Patch management
Answer: A) Endpoint Detection and Response (EDR)
Explanation:
Endpoint Detection and Response (EDR) solutions provide continuous monitoring of endpoints for suspicious or abnormal behavior. EDR tools analyze processes, file activity, network connections, and system logs to detect malware, ransomware, lateral movement, or unauthorized changes. When anomalies are detected, EDR generates alerts and provides investigation tools for security teams to assess potential threats. Some EDR solutions can automatically contain threats by isolating affected systems or terminating malicious processes, minimizing potential damage.
Network firewalls filter traffic based on defined rules for ports, protocols, or IP addresses. Firewalls protect perimeter and internal segments but do not provide visibility into detailed endpoint behavior. They are primarily preventive controls, not real-time behavioral monitoring tools.
Security awareness training educates employees about phishing, social engineering, and safe computing practices. While training reduces the likelihood of user-caused incidents, it does not monitor endpoint activity or detect anomalies. Awareness mitigates human risk but is not a technical detection solution.
Patch management ensures systems and applications are up to date, reducing vulnerabilities. While important for prevention, patch management does not provide real-time monitoring or threat detection. It addresses known issues but does not respond to anomalous activity on endpoints.
EDR combines detection, analysis, and response capabilities to improve endpoint security. It uses behavioral analysis, machine learning, and threat intelligence to identify both known and unknown threats. EDR provides actionable data for incident response, forensic investigation, and improving overall security posture. Implementing EDR alongside preventive measures like firewalls, patch management, and employee training strengthens defense-in-depth and enhances organizational resilience.
Question 46:
Which method helps prevent data exfiltration by monitoring and controlling sensitive information leaving the organization?
A) Data Loss Prevention (DLP)
B) Antivirus software
C) Network Access Control (NAC)
D) Patch management
Answer: A) Data Loss Prevention (DLP)
Explanation:
Data Loss Prevention (DLP) is a security control designed to monitor, detect, and prevent unauthorized transmission of sensitive information outside the organization. DLP solutions can examine data in motion, at rest, or in use, applying rules to prevent accidental or malicious exposure of confidential files, intellectual property, personally identifiable information (PII), or financial records. DLP tools can integrate with email systems, cloud storage, endpoint devices, and network traffic to enforce policies. Policies may include blocking, encrypting, alerting, or quarantining sensitive data to ensure compliance with regulations such as GDPR, HIPAA, or PCI DSS.
Antivirus software is focused on detecting and removing malware from endpoints. While antivirus provides protection against threats that may attempt to steal or destroy data, it does not monitor the flow of sensitive information or enforce policies to prevent data exfiltration. Antivirus operates reactively rather than proactively managing information security policies.
Network Access Control (NAC) ensures that only compliant devices can access network resources. NAC evaluates device configurations, patch levels, and antivirus status, and can quarantine or deny access to non-compliant devices. NAC protects the network perimeter and internal segments but does not monitor or prevent the intentional or accidental exfiltration of sensitive data.
Patch management involves updating systems and applications to mitigate known vulnerabilities. While effective for reducing exploitation risks, patch management does not directly control or monitor the movement of sensitive information. It is a preventive measure rather than a real-time enforcement mechanism for data security.
DLP is critical for organizations that handle sensitive or regulated data because it ensures that confidential information is not transmitted inappropriately. By monitoring user activity and data flows, DLP can prevent accidental leakage through email attachments, cloud uploads, removable storage, or network transfers. DLP solutions may include content inspection, context analysis, and behavioral monitoring to detect policy violations. Alerts generated by DLP allow security teams to investigate incidents promptly and remediate potential exposure.
Organizations often combine DLP with encryption, access controls, monitoring tools, and employee awareness programs to create a layered defense strategy. DLP can help enforce least privilege principles, restrict copy-paste actions, and prevent the sharing of critical files outside approved channels. Continuous tuning and policy updates are essential for DLP effectiveness, as false positives and evolving threats require constant attention.
DLP is a proactive mechanism for maintaining data confidentiality, compliance, and risk mitigation. It protects intellectual property, sensitive customer information, and business-critical data from insider threats, accidental leaks, and external attackers. Proper implementation involves endpoint agents, network monitoring, and content-aware policies tailored to organizational requirements.
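A minimal content-aware DLP check, added here as an example that is not part of the original page. It scans an outbound message for card numbers (validated with the Luhn checksum so that random digit runs are not flagged) and US-style SSN patterns, and blocks only when such content is leaving for an external recipient. The internal domain corp.example, the sample messages and the policy thresholds are assumptions made for the illustration.

```python
import re

INTERNAL_DOMAIN = "corp.example"  # assumed internal mail domain

# Digit runs of 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    # Luhn checksum: double every second digit from the right, subtract 9
    # from results above 9, and require the sum to be divisible by 10.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect(body):
    """Return a list of (kind, masked_value) findings for the message body."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", "***-**-" + m.group(0)[-4:]))
    return findings


def classify_outbound(recipient, body):
    """Policy decision: block sensitive content bound for external domains."""
    findings = inspect(body)
    external = not recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    if findings and external:
        return "block", findings
    return "allow", findings


if __name__ == "__main__":
    # Constructed sample messages.
    print(classify_outbound("partner@outside.example",
                            "Please charge 4111 1111 1111 1111 for the order."))
    print(classify_outbound("finance@corp.example",
                            "Please charge 4111 1111 1111 1111 for the order."))
    print(classify_outbound("partner@outside.example",
                            "Ticket 4111 1111 1111 1112 is closed."))
```

The third call shows why the checksum matters: the digit run looks like a card number but fails Luhn, so the message is allowed and the user is not hit with a false positive. Real deployments add context (file type, destination category, user role) on top of content matching.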
Question 47:
Which type of attack uses malicious scripts embedded in web pages to steal user data or execute actions in a browser?
A) Cross-site scripting (XSS)
B) SQL injection
C) Man-in-the-middle (MITM)
D) Denial of Service (DoS)
Answer: A) Cross-site scripting (XSS)
Explanation:
Cross-site scripting (XSS) is a client-side web application attack where malicious scripts are injected into web pages viewed by users. The scripts execute in the victim’s browser, allowing attackers to steal session cookies, manipulate web page content, perform unauthorized actions, or redirect users to malicious sites. XSS can target web applications that fail to properly sanitize user input or encode output before rendering it in the browser. There are several types of XSS attacks, including stored, reflected, and DOM-based, each differing in how the malicious code is delivered and executed. Stored XSS permanently embeds the script in the application’s database or content, reflected XSS executes scripts based on user input in URLs or forms, and DOM-based XSS manipulates the client-side Document Object Model directly.
SQL injection targets server-side database queries by injecting malicious input to manipulate SQL statements. While highly effective for extracting or modifying data, SQL injection operates on the backend and does not directly execute scripts in the victim’s browser. It is distinct from XSS because it does not exploit client-side code or session behavior.
Man-in-the-middle (MITM) attacks intercept communication between two parties to eavesdrop or manipulate messages. MITM affects network traffic rather than client-side execution of scripts in web applications. While MITM can compromise confidentiality and integrity of data in transit, it does not involve embedding malicious scripts in web pages.
Denial of Service (DoS) attacks overwhelm systems or networks with excessive traffic to disrupt availability. DoS does not target browsers, sessions, or user input and is unrelated to script execution or session hijacking. Its objective is service disruption rather than data theft or unauthorized actions in a browser.
XSS attacks are particularly dangerous because they exploit trust relationships between users and applications. Attackers can steal authentication tokens, hijack sessions, deface web pages, or perform actions on behalf of users. Mitigating XSS requires input validation, output encoding, secure coding practices, and web application firewalls. Security testing, code review, and user education further reduce the risk of XSS exploitation.
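Output encoding at the point where user content is written into the page, shown as an added example that is not part of the original page. The stored comment, the template and the helper names are constructed for the illustration; the encoding itself is Python's standard html.escape.

```python
import html

# Constructed sample of a stored comment containing markup.
STORED_COMMENT = "<script>alert('xss')</script>"

PAGE_TEMPLATE = '<p class="comment">{body}</p>'
ATTR_TEMPLATE = '<input name="q" value="{value}">'


def render_unsafe(comment):
    # Vulnerable: the user's text is spliced into the HTML verbatim, so the
    # browser parses the script element and runs it.
    return PAGE_TEMPLATE.format(body=comment)


def render_encoded(comment):
    # Hardened: markup characters become entities, so the browser shows the
    # text instead of interpreting it. quote=True also encodes ' and ".
    return PAGE_TEMPLATE.format(body=html.escape(comment, quote=True))


def render_attribute(value):
    # Attribute context: without quote encoding, a value containing a double
    # quote could close the attribute and start a new one (e.g. an event
    # handler); quote=True keeps the value inside the attribute.
    return ATTR_TEMPLATE.format(value=html.escape(value, quote=True))


def contains_live_script(rendered):
    # Simple structural check: does an unencoded <script tag survive?
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_unsafe(STORED_COMMENT))
    print(render_encoded(STORED_COMMENT))
    print(render_attribute('x" onfocus="alert(1)'))
```

Encoding must match the context (HTML body, attribute, JavaScript, URL); a template engine that auto-escapes by default removes the chance of forgetting it at one of many output points.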
Question 48:
Which control is used to ensure software vulnerabilities are addressed and systems remain secure?
A) Patch management
B) Network firewall
C) Multi-factor authentication (MFA)
D) Data Loss Prevention (DLP)
Answer: A) Patch management
Explanation:
Patch management is the process of applying updates to operating systems, applications, and firmware to fix security vulnerabilities, improve performance, and enhance functionality. Attackers frequently exploit unpatched systems to gain unauthorized access, execute malware, or escalate privileges. Effective patch management involves identifying vulnerabilities, testing patches for compatibility, deploying updates across devices, and verifying successful installation. Organizations prioritize critical patches based on severity, exploitability, and potential business impact to minimize risk exposure.
Network firewalls filter network traffic based on rules such as IP addresses, protocols, and ports. Firewalls prevent unauthorized access but do not remediate vulnerabilities in the underlying software or applications. They are preventive controls rather than mechanisms to address unpatched weaknesses.
Multi-factor authentication (MFA) strengthens account security by requiring multiple verification factors before granting access. MFA protects against credential-based attacks but does not resolve software flaws or vulnerabilities. It complements patch management but cannot substitute for timely updates.
Data Loss Prevention (DLP) monitors and controls the flow of sensitive information to prevent unauthorized disclosure. DLP ensures data confidentiality but does not directly address system vulnerabilities or patching requirements.
Patch management reduces the attack surface and ensures compliance with security policies, industry standards, and regulatory requirements. Automated patch management tools, vulnerability scanning, and inventory tracking streamline the process and reduce human error. Combining patch management with monitoring, endpoint protection, and network segmentation creates layered defense strategies. Timely patching prevents exploitation by attackers who scan for known vulnerabilities and helps organizations maintain operational continuity.
Question 49:
Which attack intercepts communication between two systems to eavesdrop or alter data?
A) Man-in-the-middle (MITM)
B) SQL injection
C) Password spraying
D) Cross-site scripting (XSS)
Answer: A) Man-in-the-middle (MITM)
Explanation:
A Man-in-the-Middle (MITM) attack occurs when an attacker secretly intercepts communication between two systems to monitor, steal, or modify information. MITM attacks exploit insecure communication channels such as unencrypted Wi-Fi, misconfigured network devices, or vulnerable protocols. Attackers can manipulate data in transit, inject malicious content, or impersonate one of the parties to gain sensitive information such as credentials, personal data, or financial information. MITM attacks compromise confidentiality and integrity, allowing attackers to exploit trust between the communicating systems.
SQL injection targets backend databases by manipulating input fields to execute unauthorized queries. SQL injection does not intercept or monitor live communication between systems. It operates on server-side data processing rather than network traffic.
Password spraying attempts common passwords across multiple accounts to gain unauthorized access. It exploits weak authentication but does not involve intercepting communication or modifying transmitted data. Password spraying is focused on account compromise rather than data in transit.
Cross-site scripting (XSS) injects malicious scripts into web applications to execute in a user’s browser. XSS affects client-side code and session integrity but does not intercept or alter communication directly between two systems. It is a browser-based attack rather than a network-layer eavesdropping technique.
MITM attacks are sophisticated threats that require mitigation through secure protocols such as TLS/SSL, VPNs, encrypted communication, network monitoring, and strong authentication. Detection involves monitoring unusual traffic patterns, certificate anomalies, or unexpected network behavior.
Question 50:
Which security measure prevents unauthorized users from accessing systems by requiring multiple forms of verification?
A) Multi-factor authentication (MFA)
B) Antivirus software
C) Network segmentation
D) Data Loss Prevention (DLP)
Answer: A) Multi-factor authentication (MFA)
Explanation:
Multi-factor authentication (MFA) is a security control that requires users to provide two or more independent verification factors to gain access to systems or applications. Factors may include something the user knows (password), something the user has (hardware token, mobile device), or something the user is (biometrics such as fingerprint or facial recognition). MFA significantly reduces the risk of account compromise because possession of a single factor, such as a stolen password, is insufficient for access. Attackers attempting credential-based attacks like password spraying, brute force, or credential stuffing encounter additional barriers that make unauthorized access considerably more difficult.
Antivirus software detects and removes known malware from endpoints. While important for endpoint security, antivirus does not enforce identity verification or prevent unauthorized access through compromised credentials. It is a reactive control rather than an authentication mechanism.
Network segmentation divides a network into isolated zones to reduce lateral movement of attackers or malware. Segmentation limits exposure but does not verify the identity of users attempting to log in to systems. It protects resources at a structural level rather than preventing account compromise.
Data Loss Prevention (DLP) monitors and controls the movement of sensitive information to prevent unauthorized disclosure. DLP focuses on protecting information rather than authenticating user access. It does not verify user identity or prevent unauthorized login attempts.
MFA enhances authentication by introducing multiple layers of verification, making it effective against stolen credentials, phishing attacks, and automated password attempts. It is widely recommended for securing email, VPNs, cloud applications, administrative accounts, and privileged access. Organizations often implement adaptive MFA, which adjusts authentication requirements based on device, location, or risk assessment, further strengthening security.
Question 51:
Which type of testing involves automated tools to identify known vulnerabilities in systems and applications?
A) Vulnerability scanning
B) Penetration testing
C) Red team assessment
D) Social engineering
Answer: A) Vulnerability scanning
Explanation:
Vulnerability scanning is a security assessment method that uses automated tools to detect known weaknesses in systems, applications, and network configurations. Vulnerability scanners compare system attributes against databases of known vulnerabilities, misconfigurations, or missing patches. Scanners can provide detailed reports highlighting risk levels, affected assets, and recommended remediation steps. Organizations use vulnerability scanning to maintain compliance, prioritize patching efforts, and proactively identify potential attack vectors before attackers can exploit them. Scanners can operate continuously or at scheduled intervals, allowing security teams to track changes and assess the evolving security posture of the environment.
Penetration testing simulates real-world attacks against systems, applications, or networks to evaluate defenses. Unlike automated vulnerability scanning, penetration tests involve human creativity, exploitation, and scenario-based assessment. Pen tests go beyond identifying vulnerabilities by demonstrating how they can be exploited and assessing potential impact.
Red team assessments are broader exercises that emulate sophisticated attackers, combining technical, procedural, and social engineering techniques to evaluate an organization’s overall security posture. Red team operations test detection, response, and resilience in realistic scenarios, rather than focusing exclusively on identifying known vulnerabilities.
Social engineering targets human behavior to manipulate individuals into revealing sensitive information or performing actions that compromise security. Social engineering tests the human layer of security but does not automatically identify technical vulnerabilities in systems or applications.
Vulnerability scanning provides a fast, repeatable, and systematic method for identifying security weaknesses. It helps organizations reduce exposure to attacks by highlighting unpatched software, misconfigured services, weak passwords, and known exploits. Scanners may include features such as compliance checks, automated reporting, and integration with patch management tools to streamline remediation workflows. The results of vulnerability scans are often used as a baseline for further security assessments, including penetration testing or red team exercises, allowing organizations to prioritize resources based on risk severity.
Regular vulnerability scanning is critical for maintaining situational awareness in dynamic environments where new vulnerabilities are discovered daily. Organizations often combine scanning with asset inventories, threat intelligence, and continuous monitoring to ensure that vulnerabilities are identified and addressed promptly. Integrating vulnerability scanning with patch management and security operations enhances the organization’s ability to maintain a strong security posture while reducing the likelihood of exploitation.
Question 52:
Which control restricts network traffic based on rules, such as IP addresses, ports, or protocols?
A) Network firewall
B) Endpoint Detection and Response (EDR)
C) Multi-factor authentication (MFA)
D) Data Loss Prevention (DLP)
Answer: A) Network firewall
Explanation:
A network firewall is a security device or software that filters incoming and outgoing traffic based on defined rules. Firewalls enforce policies regarding IP addresses, ports, protocols, and application types to prevent unauthorized access, mitigate attacks, and control communication between network segments. Firewalls can be stateful or stateless; stateful firewalls track connection states to make dynamic decisions, while stateless firewalls evaluate packets independently. Firewalls may be deployed at the perimeter, between internal segments, or on individual devices to control traffic flows and enforce security boundaries.
Endpoint Detection and Response (EDR) monitors and analyzes endpoint behavior to detect suspicious activity. EDR provides alerts, investigation tools, and response capabilities but does not filter network traffic based on IP addresses, ports, or protocols. EDR focuses on behavior analysis rather than traffic control.
Multi-factor authentication (MFA) requires users to provide multiple verification factors before granting access. MFA protects accounts but does not inspect or filter network traffic. It is an authentication mechanism rather than a traffic control tool.
Data Loss Prevention (DLP) monitors, detects, and prevents unauthorized transmission of sensitive data. DLP policies focus on protecting information in motion, at rest, or in use, but do not regulate network traffic at a low level like IP addresses or ports. DLP and firewalls can complement each other but address different aspects of security.
Firewalls are fundamental for network security because they establish a perimeter defense, segment networks, and limit exposure to threats. They can prevent unauthorized external access, contain internal compromises, and mitigate risks such as malware propagation. Modern firewalls may include intrusion prevention, deep packet inspection, application filtering, and logging capabilities. Firewall rules should be reviewed regularly to ensure relevance, remove unused access, and prevent misconfigurations that could be exploited by attackers. Proper deployment of firewalls enhances the overall security posture by controlling access, monitoring traffic, and reducing the attack surface.
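A first-match stateless filter and a rule-review helper, added here as an example that is not part of the original page. The ruleset (a public web server at 192.0.2.10, administrative SSH allowed only from an internal 10.0.0.0/8 range, default deny) and the packet fields are constructed for the illustration; the shadowing check is the kind of review the text recommends, finding rules that an earlier rule makes unreachable.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR
    dst: str      # CIDR
    dports: tuple  # (low, high) inclusive, or () for any destination port


# Constructed ruleset, evaluated top to bottom, first match wins.
RULESET = [
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", (443, 443)),  # public HTTPS
    Rule("allow", "tcp", "10.0.0.0/8", "192.0.2.0/24", (22, 22)),    # SSH from inside only
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", ()),               # explicit default deny
]


def matches(rule, pkt):
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dports and not (rule.dports[0] <= pkt["dport"] <= rule.dports[1]):
        return False
    return True


def evaluate(ruleset, pkt):
    """Return (action, index of the matching rule); implicit deny if none."""
    for i, rule in enumerate(ruleset):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def covers(a, b):
    # True when every packet rule b could match is already matched by rule a.
    proto_ok = a.proto == "any" or a.proto == b.proto
    src_ok = ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
    dst_ok = ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
    ports_ok = not a.dports or (
        bool(b.dports) and a.dports[0] <= b.dports[0] and b.dports[1] <= a.dports[1])
    return proto_ok and src_ok and dst_ok and ports_ok


def shadowed(ruleset):
    """Indexes of rules that can never match because an earlier rule covers them."""
    out = []
    for j, later in enumerate(ruleset):
        if any(covers(earlier, later) for earlier in ruleset[:j]):
            out.append(j)
    return out


if __name__ == "__main__":
    pkt = {"proto": "tcp", "src": "198.51.100.4", "dst": "192.0.2.10", "dport": 22}
    print(evaluate(RULESET, pkt))
    print(shadowed([RULESET[2], RULESET[0]]))  # deny-all placed first shadows the allow
```

Reordering the default deny to the top is a common misconfiguration that silently breaks every allow below it; the shadowing check surfaces that before the change ships.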
Question 53:
Which attack exploits a software vulnerability by sending input that exceeds allocated memory buffers?
A) Buffer overflow
B) SQL injection
C) Cross-site scripting (XSS)
D) Password spraying
Answer: A) Buffer overflow
Explanation:
A buffer overflow attack occurs when an attacker sends input that exceeds the allocated memory buffer size, causing unexpected behavior in software or systems. When the program cannot handle the oversized input, memory adjacent to the buffer may be overwritten, potentially allowing attackers to execute arbitrary code, escalate privileges, or crash the system. Buffer overflows exploit poor input validation, insufficient bounds checking, or programming errors in low-level languages such as C or C++. They are among the oldest and most critical types of vulnerabilities, enabling attackers to take control of affected systems or escalate attacks to gain deeper access.
SQL injection targets backend databases by manipulating input to execute unauthorized SQL queries. SQL injection does not rely on memory management issues but rather exploits improper input handling in database commands. It is primarily a web application attack and is unrelated to buffer allocation errors.
Cross-site scripting (XSS) injects malicious scripts into web pages to run in user browsers. XSS attacks affect client-side behavior and session security but do not exploit memory buffers or system-level vulnerabilities. XSS is application-focused rather than memory-focused.
Password spraying attempts a small set of commonly used passwords across multiple accounts to bypass lockout controls. Password spraying targets authentication and does not manipulate memory or exploit software vulnerabilities. It is a credential attack, not a programming error exploitation.
Buffer overflow attacks are highly dangerous because they provide direct access to system memory, enabling attackers to execute arbitrary instructions and gain elevated privileges. Mitigation strategies include bounds checking, input validation, memory-safe programming languages, stack canaries, data execution prevention, and address space layout randomization. Security testing, code review, and regular updates reduce the likelihood of exploitable buffer overflow vulnerabilities. Buffer overflow remains a core concern in both software development and cybersecurity defense planning due to its potential for complete system compromise.
Question 54:
Which type of malware disguises itself as legitimate software to trick users into installing it?
A) Trojan horse
B) Ransomware
C) Rootkit
D) Adware
Answer: A) Trojan horse
Explanation:
A Trojan horse is malware that masquerades as legitimate software to deceive users into installing it. Trojans often appear as useful programs, files, or updates, gaining trust through convincing interfaces or social engineering techniques. Once installed, Trojans can perform malicious actions such as installing additional malware, stealing credentials, logging keystrokes, or creating backdoors for remote access. Trojans rely on user interaction rather than exploiting system vulnerabilities directly, making social engineering a key factor in their success. Trojans can be delivered through email attachments, malicious websites, infected downloads, or compromised software updates.
Ransomware encrypts files and demands payment for decryption. While ransomware may be delivered by a Trojan, its primary function is extortion rather than deception through disguise. Ransomware overtly alerts the user to its presence, unlike a Trojan, which aims to remain hidden.
Rootkits conceal the presence of malware or attackers within a system. Rootkits focus on stealth and persistence, modifying operating system components to evade detection. They are not inherently disguised as legitimate software and typically require initial compromise through other vectors, such as Trojans or exploits.
Adware displays unwanted advertisements and may track user behavior for profit. Adware is generally transparent in its operation and does not necessarily masquerade as legitimate software. It is often considered a nuisance rather than a covert threat.
Trojan horses exploit human trust, emphasizing the importance of security awareness, email filtering, verified software sources, and endpoint protection. Detection can involve behavior analysis, signature-based scanning, and anomaly monitoring. Trojans demonstrate the intersection of technical exploits and social engineering, highlighting the need for layered security controls to protect users and systems from deceptive threats.
Question 55:
Which security control monitors endpoints to detect, investigate, and respond to threats in real time?
A) Endpoint Detection and Response (EDR)
B) Network firewall
C) Multi-factor authentication (MFA)
D) Patch management
Answer: A) Endpoint Detection and Response (EDR)
Explanation:
Endpoint Detection and Response (EDR) solutions continuously monitor endpoint devices for suspicious activity, anomalies, and potential threats. EDR collects telemetry from processes, files, network connections, registry modifications, and other system events to detect malicious behavior. When threats are detected, EDR provides alerts, context, and forensic data to assist security teams in investigation and remediation. Some EDR tools can automatically respond by isolating affected devices, terminating malicious processes, or applying containment measures. EDR enhances visibility into endpoint activity, allowing organizations to detect advanced threats that traditional antivirus solutions may miss.
Network firewalls filter traffic between network segments or at the perimeter, enforcing rules based on IP addresses, ports, and protocols. Firewalls prevent unauthorized access but do not provide real-time behavioral monitoring or incident response for endpoints. They are preventive controls rather than detection and response solutions.
Multi-factor authentication (MFA) strengthens account security by requiring multiple verification factors for user authentication. MFA reduces the risk of credential-based attacks but does not monitor endpoint behavior or respond to malware activity. It protects identity, not endpoint operations.
Patch management ensures that software, applications, and firmware are up to date to prevent exploitation of known vulnerabilities. While patching reduces the attack surface, it is a preventive measure and does not provide real-time detection or response capabilities.
EDR combines monitoring, detection, investigation, and response to provide proactive endpoint protection. It leverages behavioral analytics, machine learning, and threat intelligence to identify both known and unknown threats. EDR is an essential component of modern security operations, improving incident response, supporting forensic analysis, and strengthening overall organizational resilience against malware, ransomware, and advanced persistent threats.
Question 56:
Which security measure helps isolate network segments to reduce the impact of a compromise?
A) Network segmentation
B) Multi-factor authentication (MFA)
C) Antivirus software
D) Patch management
Answer: A) Network segmentation
Explanation:
Network segmentation is a strategy that divides a network into separate segments or zones to control traffic and limit the spread of threats. By isolating critical systems, sensitive data, or departments, segmentation ensures that if one segment is compromised, the attacker cannot easily move laterally across the network. Segmentation is often implemented using VLANs, firewalls, access control lists, and micro-segmentation techniques in virtualized environments. Each segment can have specific security policies, monitoring, and restrictions based on its sensitivity or function.
Multi-factor authentication (MFA) strengthens identity verification by requiring multiple forms of authentication before granting access. While MFA protects user accounts, it does not control traffic flows between network segments or prevent lateral movement of attackers. MFA reduces the likelihood of unauthorized access but does not physically or logically isolate systems.
Antivirus software detects, prevents, and removes malware from endpoints. Antivirus provides protection at the device level but does not enforce network-level isolation or restrict communications between compromised and unaffected systems. It focuses on detecting known malware signatures and heuristic threats rather than enforcing structural boundaries in the network.
Patch management ensures systems and applications are up to date with security patches and updates. While patch management reduces vulnerabilities, it does not segment the network or limit exposure in the event of a compromise. Patching complements segmentation by reducing the chance of exploitation but does not replace the need for network isolation.
Network segmentation enhances defense-in-depth by reducing the attack surface, limiting malware propagation, and facilitating targeted monitoring. Segmented networks can have restricted access to critical resources, improved policy enforcement, and easier incident containment. This approach also simplifies compliance with regulatory requirements by isolating sensitive systems and data, making auditing and monitoring more effective. Segmentation is crucial in large enterprises, industrial control systems, cloud environments, and zero-trust architectures, providing a strong layer of protection against both insider and external threats.
Question 57:
Which method prevents unauthorized devices from connecting to a corporate network by checking compliance before granting access?
A) Network Access Control (NAC)
B) Endpoint Detection and Response (EDR)
C) Multi-factor authentication (MFA)
D) Data Loss Prevention (DLP)
Answer: A) Network Access Control (NAC)
Explanation:
Network Access Control (NAC) is a security solution that evaluates devices attempting to connect to a network to ensure they meet compliance and security requirements. NAC checks factors such as operating system updates, antivirus status, firewall configurations, encryption, and device type before granting access. Devices that fail to meet compliance standards may be blocked, quarantined, or given limited access until remediated. NAC helps prevent the introduction of compromised or non-compliant devices, reducing the risk of malware spread, data theft, and unauthorized network access.
Endpoint Detection and Response (EDR) monitors and analyzes endpoint behavior to detect threats and respond in real time. While EDR enhances security by identifying malicious activity on devices, it does not prevent non-compliant devices from initially connecting to the network. EDR is reactive, while NAC is proactive.
Multi-factor authentication (MFA) protects user accounts by requiring multiple forms of verification. MFA strengthens identity security but does not evaluate device compliance or enforce network access controls. It ensures that only authorized users gain access but does not assess the device state.
Data Loss Prevention (DLP) monitors and controls the movement of sensitive information to prevent unauthorized disclosure. DLP focuses on information security rather than device compliance or network access enforcement. It cannot prevent non-compliant devices from connecting to network resources.
NAC integrates with authentication systems, endpoint management, and policy engines to enforce security policies consistently across wired, wireless, and remote networks. By controlling access at the network level, NAC reduces exposure to threats and strengthens overall organizational cybersecurity posture. Effective implementation includes continuous monitoring, remediation workflows, and integration with security incident management processes. NAC is particularly critical in environments with BYOD policies, remote work, or diverse endpoint devices, as it ensures that only secure, compliant devices gain access.
Question 58:
Which type of attack floods a network or server with traffic to disrupt availability?
A) Denial of Service (DoS)
B) Cross-site scripting (XSS)
C) SQL injection
D) Password spraying
Answer: A) Denial of Service (DoS)
Explanation:
Denial of Service (DoS) attacks overwhelm networks, servers, or applications with excessive traffic to make services unavailable to legitimate users. Attackers use a single source or multiple sources in distributed denial-of-service (DDoS) attacks to saturate bandwidth, exhaust server resources, or disrupt application functionality. The goal is to interrupt operations, degrade performance, and potentially cause financial or reputational damage. Mitigation strategies include traffic filtering, rate limiting, load balancing, content delivery networks (CDNs), and DDoS protection services. Monitoring and anomaly detection are also used to identify unusual traffic patterns and respond rapidly.
Cross-site scripting (XSS) injects malicious scripts into web applications to manipulate client-side behavior. XSS targets user sessions and browser behavior rather than causing network congestion or service unavailability. While XSS can have significant impact, it does not flood servers with traffic to deny service.
SQL injection manipulates backend database queries by submitting malicious input. SQL injection can result in unauthorized data access, modification, or deletion, but it does not inherently disrupt network availability. SQL injection is a data-centric attack rather than a service availability attack.
Password spraying attempts common passwords across multiple accounts to bypass lockouts. This attack targets authentication systems but does not flood servers with traffic to disrupt availability. It focuses on gaining access rather than creating service outages.
DoS attacks exploit resource exhaustion to impact service availability. They are highly disruptive and can affect entire organizations or critical infrastructure. Defense involves layered strategies, including network redundancy, traffic inspection, anomaly detection, and cloud-based mitigation. Preventing DoS attacks requires proactive planning, continuous monitoring, and the ability to respond to sudden surges in traffic.
Question 59:
Which attack uses stolen credentials to access multiple systems where users reuse passwords?
A) Credential stuffing
B) Password spraying
C) Brute force attack
D) Man-in-the-middle (MITM)
Answer: A) Credential stuffing
Explanation:
Credential stuffing is an attack technique where attackers use stolen username and password combinations from one breach to access other systems where users may have reused the same credentials. It exploits the tendency of users to reuse passwords across multiple platforms, allowing attackers to gain unauthorized access to email, cloud services, banking accounts, or corporate systems. Credential stuffing is highly automated, using bots to test large volumes of credentials quickly and efficiently. Detection involves monitoring login attempts, implementing rate limiting, and analyzing patterns for unusual authentication activity. Multi-factor authentication significantly reduces the effectiveness of credential stuffing by requiring additional verification factors beyond the password.
Password spraying attempts commonly used passwords across many accounts to avoid triggering lockout mechanisms. Unlike credential stuffing, it does not rely on previously compromised credentials and targets weak or default passwords instead of known combinations.
Brute force attacks attempt all possible password combinations on a single account to gain access. Brute force focuses on exhaustive guessing rather than leveraging already stolen credentials across multiple systems. It is more time-intensive and more likely to trigger security controls than credential stuffing.
Man-in-the-middle (MITM) attacks intercept communications between two systems to eavesdrop or alter data in transit. MITM focuses on network traffic interception rather than exploiting reused credentials across platforms. MITM may facilitate credential theft, but credential stuffing specifically involves testing compromised credentials on multiple systems.
Credential stuffing highlights the importance of unique passwords, password managers, monitoring for breached credentials, and implementing multi-factor authentication. Organizations can mitigate risk by enforcing strong password policies, blocking known compromised credentials, and monitoring authentication patterns for anomalies. Credential stuffing attacks can have a widespread impact, particularly for cloud services and online platforms with reused credentials.
Question 60:
Which type of testing evaluates human susceptibility to phishing and social engineering attacks?
A) Social engineering testing
B) Vulnerability scanning
C) Penetration testing
D) Red team assessment
Answer: A) Social engineering testing
Explanation:
Social engineering testing assesses the ability of employees to recognize and respond appropriately to phishing, pretexting, baiting, or other manipulative tactics. It simulates real-world attacks that exploit human behavior, trust, and decision-making rather than technical vulnerabilities. Testing may involve sending simulated phishing emails, making phone calls, or presenting deceptive scenarios to evaluate how personnel handle requests for sensitive information, system access, or confidential data. Social engineering testing helps identify weaknesses in user awareness, training effectiveness, and adherence to security policies.
Vulnerability scanning identifies known technical vulnerabilities in systems, applications, and network configurations. While important for technical security, vulnerability scanning does not assess human behavior or susceptibility to manipulation. It focuses on system flaws rather than employee awareness.
Penetration testing simulates attacks against systems to evaluate defenses, but traditional pen tests primarily focus on technical exploitation rather than targeting human users. While social engineering may be included as a component, penetration testing alone is not specifically designed to assess human response.
Red team assessments emulate sophisticated attackers using a combination of technical, operational, and social engineering tactics. Red team exercises provide comprehensive testing of security posture, including technical systems, detection, and response processes. Social engineering testing is more focused, targeting human behavior specifically, without the broader scope of full red team operations.
Social engineering testing provides actionable insights for improving employee training, awareness programs, and policies. Organizations can reinforce security culture, measure the effectiveness of training initiatives, and implement controls to reduce the likelihood of falling victim to phishing or manipulative attacks. Regular testing ensures that employees remain vigilant, helping organizations mitigate one of the most exploitable aspects of security: human behavior.