CompTIA PenTest+ PT0-003 Exam Dumps and Practice Test Questions Set 4 Q61-80
Question 61:
Which authentication method relies on a one-time code generated on a separate device or application?
A) Time-based One-Time Password (TOTP)
B) Single sign-on (SSO)
C) Password-only authentication
D) Biometric authentication
Answer: A) Time-based One-Time Password (TOTP)
Explanation:
Time-based One-Time Password (TOTP) is an authentication mechanism that generates a temporary numeric code, valid for a short period, typically 30 to 60 seconds, to verify user identity. TOTP codes are generated by an algorithm that uses a shared secret key combined with the current timestamp. Users typically receive these codes through authentication apps, hardware tokens, or devices synchronized with the server. TOTP enhances security by providing a dynamic second factor, ensuring that even if passwords are stolen, attackers cannot log in without access to the one-time code. TOTP is widely used for multi-factor authentication (MFA), providing a layer of protection against credential theft, phishing, and password reuse attacks.
Single sign-on (SSO) allows users to authenticate once and gain access to multiple systems or applications without repeated logins. While SSO improves convenience and reduces password fatigue, it does not inherently generate one-time codes. SSO primarily focuses on streamlining authentication rather than providing a dynamic second factor for enhanced security.
Password-only authentication relies solely on a static password for verifying identity. This method is vulnerable to credential theft, brute-force attacks, and phishing because passwords can be reused, stolen, or guessed. Unlike TOTP, password-only authentication provides no temporal or dynamic factor to prevent unauthorized access, even if the password is compromised.
Biometric authentication uses physical or behavioral characteristics such as fingerprints, facial recognition, or voice patterns to verify identity. Biometrics provide strong authentication based on inherent user traits, but they do not generate one-time codes and are distinct from time-based authentication methods. Biometric systems may complement TOTP as part of multi-factor authentication, but do not replace it.
TOTP provides robust protection against many common attacks by requiring possession of a synchronized device or app in addition to knowledge of the password. Even if a password is leaked or reused, attackers cannot authenticate without the correct time-based code. Implementing TOTP strengthens organizational security by mitigating the risk of credential compromise and enhancing overall access control. It is particularly effective when combined with strong passwords, secure key storage, and periodic auditing of authentication practices. Organizations often deploy TOTP for VPN access, cloud services, privileged accounts, and sensitive internal systems to maintain a higher level of assurance in user authentication.
Question 62:
Which tool automatically identifies, prioritizes, and reports security vulnerabilities across networks and systems?
A) Vulnerability management platform
B) Endpoint Detection and Response (EDR)
C) Data Loss Prevention (DLP)
D) Network firewall
Answer: A) Vulnerability management platform
Explanation:
A vulnerability management platform is a security tool designed to continuously scan networks, systems, and applications to detect known security weaknesses. It integrates vulnerability scanning, risk assessment, reporting, and remediation tracking into a centralized platform. Prioritizing vulnerabilities based on severity, exploitability, and business impact enables organizations to allocate resources efficiently and address the most critical risks first. The platform may provide dashboards, alerts, and compliance reporting to facilitate risk management and support regulatory requirements. Vulnerability management platforms combine automated scanning with workflow capabilities, ensuring vulnerabilities are tracked from discovery to resolution.
Endpoint Detection and Response (EDR) monitors endpoint activity to detect suspicious behavior and respond to threats in real time. While EDR provides critical insight into malware, lateral movement, and advanced attacks, it focuses on active threats rather than systematically identifying and prioritizing known vulnerabilities. EDR complements vulnerability management by providing endpoint visibility and incident response.
Data Loss Prevention (DLP) prevents unauthorized access or transfer of sensitive information by monitoring data in use, at rest, or in motion. DLP policies enforce controls to prevent data exfiltration but do not detect software vulnerabilities, misconfigurations, or patching gaps. DLP focuses on protecting information rather than system security weaknesses.
Network firewalls control access and filter traffic based on rules such as IP addresses, ports, and protocols. Firewalls enforce perimeter security and restrict unauthorized connections, but do not provide automated vulnerability identification or remediation workflows. They operate at the network layer rather than analyzing system-level security issues.
Vulnerability management platforms are essential for proactive security management. They provide organizations with actionable insights into exposure, reduce the risk of exploitation, and support compliance with standards such as ISO 27001, NIST, HIPAA, and PCI DSS. Integrating a vulnerability management platform with patch management, configuration management, and security operations enables organizations to maintain continuous situational awareness and implement timely mitigation strategies. Effective use involves periodic scans, prioritization of high-risk findings, validation of remediation, and reporting for executive oversight. These platforms transform raw vulnerability data into structured, actionable intelligence for improving overall cybersecurity posture.
Question 63:
Which attack uses malicious input to manipulate a database query and retrieve or modify data?
A) SQL injection
B) Cross-site scripting (XSS)
C) Man-in-the-middle (MITM)
D) Denial of Service (DoS)
Answer: A) SQL injection
Explanation:
SQL injection is a web application attack where malicious input is submitted to manipulate backend database queries. Attackers exploit insufficient input validation or improper parameterization in web applications to execute unauthorized SQL commands. SQL injection can result in unauthorized data retrieval, modification, deletion, privilege escalation, or full database compromise. Common techniques include injecting tautologies to bypass authentication, union queries to extract data, or stacked queries to perform multiple actions in a single request. SQL injection remains a critical security concern because databases often contain sensitive information, intellectual property, or credentials.
Cross-site scripting (XSS) injects malicious scripts into web pages, targeting client-side execution in browsers. XSS is focused on session hijacking, credential theft, or manipulating web page content and does not manipulate server-side database queries. XSS exploits trust between users and applications rather than backend database logic.
Man-in-the-middle (MITM) attacks intercept communication between two systems to monitor, steal, or alter data in transit. MITM affects network traffic but does not manipulate SQL queries or backend databases. MITM attacks compromise confidentiality and integrity but are unrelated to database injection vulnerabilities.
Denial of Service (DoS) attacks flood networks or systems with traffic to exhaust resources and disrupt availability. DoS targets system performance and uptime, not data integrity or retrieval through query manipulation. It is an availability attack rather than a data-centric attack.
SQL injection attacks are highly effective because they provide direct access to sensitive database content, including user credentials, financial records, or proprietary information. Mitigation involves parameterized queries, stored procedures, input validation, web application firewalls, and secure coding practices. Security testing, code review, and vulnerability scanning further reduce the likelihood of SQL injection exploitation. Organizations must continuously update threat intelligence and conduct penetration testing to ensure that applications are resistant to SQL injection techniques and related injection vulnerabilities.
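Added example (not from the original question set): a login lookup that concatenates the username into the SQL string, beside the parameterized form the explanation recommends. The table, accounts and the tautology test input are constructed for this demonstration; the hashing is only there so the example is realistic and self-contained.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with two accounts (sample data, not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    accounts = (("alice", "correct horse"), ("bob", "battery staple"))
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(u, hashlib.sha256(p.encode()).hexdigest()) for u, p in accounts],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Deliberately broken: the username is spliced into the SQL text, so input can change the query's logic."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + pw_hash + "' ORDER BY username"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: placeholders keep user input as data; the driver never parses it as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ? ORDER BY username",
        (username, pw_hash),
    )
    return sorted(row[0] for row in rows)


# The tautology payload named in the explanation, used here as a regression test input.
TAUTOLOGY = "' OR '1'='1' --"

if __name__ == "__main__":
    db = make_db()
    print("legit login     :", login_parameterized(db, "alice", "correct horse"))   # ['alice']
    print("vulnerable path :", login_vulnerable(db, TAUTOLOGY, "anything"))         # every account
    print("parameterized   :", login_parameterized(db, TAUTOLOGY, "anything"))      # []
```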
Question 64:
Which type of malware hides its presence to maintain unauthorized access and evade detection?
A) Rootkit
B) Ransomware
C) Trojan horse
D) Adware
Answer: A) Rootkit
Explanation:
A rootkit is malware designed to conceal its presence or the presence of other malicious software on a system. Rootkits often modify core operating system components, kernel modules, drivers, or processes to evade detection by antivirus or security monitoring tools. By operating stealthily, rootkits allow attackers to maintain persistent unauthorized access, monitor user activity, exfiltrate data, or facilitate additional malware deployment. Detection is challenging because rootkits can intercept system calls, hide files or processes, and subvert logging mechanisms. Rootkits can be installed through compromised software, Trojans, or by exploiting system vulnerabilities, making prevention and early detection critical.
Ransomware encrypts files and demands payment to restore access. While ransomware can cause disruption and financial loss, it does not inherently conceal itself; in fact, it explicitly notifies the victim of the attack to demand ransom. Ransomware’s primary purpose is extortion, not stealth.
Trojan horses disguise themselves as legitimate software to trick users into installing them. Trojans may deliver rootkits or other malware, but are defined by their deceptive delivery method rather than their ability to hide once installed. Trojans rely on social engineering and user trust, not stealth after deployment.
Adware displays unsolicited advertisements and may track user behavior for revenue purposes. Adware is usually visible to the user and does not hide its presence to maintain long-term access or avoid detection. Adware is more of a nuisance than a covert security threat.
Rootkits are dangerous because they allow attackers to maintain control over systems without being noticed. Mitigation strategies include secure boot processes, trusted platform modules, behavioral monitoring, integrity checking, and periodic system audits. Preventive measures such as patching, endpoint protection, and avoiding untrusted software reduce the likelihood of rootkit infection. Detecting rootkits often requires specialized tools or boot-time scans, as traditional antivirus solutions may be ineffective against deeply embedded rootkits. Organizations must implement multiple layers of defense to prevent rootkit installation and limit the potential impact of stealthy attacks.
Question 65:
Which security solution continuously monitors user accounts and behaviors to detect suspicious activities and potential compromises?
A) Microsoft Defender for Identity
B) Microsoft Planner
C) Microsoft OneDrive
D) Microsoft Intune
Answer: A) Microsoft Defender for Identity
Explanation:
Microsoft Defender for Identity is a cloud-based security solution that continuously monitors on-premises Active Directory and Microsoft 365 accounts for suspicious activities, abnormal login patterns, and potential account compromises. It leverages machine learning to detect behavioral anomalies, privilege escalation attempts, lateral movement, and identity-based threats. By analyzing authentication logs, user activity, and security telemetry, Defender for Identity provides actionable alerts to security teams, enabling timely investigation and remediation. The solution integrates with Microsoft 365, Azure Active Directory, and other services to deliver a comprehensive view of identity security across the organization.
Microsoft Planner is a task and project management tool for organizing work, assignments, and collaboration. It does not monitor user accounts for security threats, detect abnormal behaviors, or provide alerts for potential account compromise. Planner is unrelated to identity protection and cybersecurity monitoring.
Microsoft OneDrive is a cloud storage platform for file storage, sharing, and synchronization. While it includes access controls and data protection features, it does not provide behavior analytics, detect suspicious login attempts, or identify account compromises. OneDrive primarily addresses file management rather than security monitoring of user identities.
Microsoft Intune is a device management solution that enforces compliance policies, manages mobile devices, and controls application access. Intune can enforce conditional access and device compliance, but does not continuously analyze user behavior, detect abnormal logins, or provide alerts for potential account compromises. Intune complements identity protection but is not a dedicated identity monitoring solution.
Defender for Identity is designed specifically to strengthen account security by detecting threats that involve user accounts, credentials, or privilege misuse. It supports proactive detection, alerting, and response, helping organizations identify compromised accounts, prevent lateral movement, and mitigate insider threats. By analyzing behavioral patterns and correlating events across the environment, Defender for Identity helps maintain the integrity of user identities and enhances overall cybersecurity posture. It is a critical component for organizations seeking comprehensive identity protection and early threat detection across Microsoft environments.
Question 66:
Which type of authentication provides access based on user roles, responsibilities, or job functions?
A) Role-Based Access Control (RBAC)
B) Mandatory Access Control (MAC)
C) Discretionary Access Control (DAC)
D) Attribute-Based Access Control (ABAC)
Answer: A) Role-Based Access Control (RBAC)
Explanation:
Role-Based Access Control (RBAC) is an access control model where permissions are assigned based on the user’s role within an organization. Roles are defined by job functions, responsibilities, or positions, and users inherit permissions associated with those roles. This approach simplifies access management by reducing the need to assign individual permissions to each user and ensuring consistent enforcement of policies across users with similar responsibilities. RBAC enhances security by ensuring that users only have access to resources required to perform their job duties, reducing the risk of unauthorized access or accidental data exposure.
Mandatory Access Control (MAC) is a stricter model where access decisions are based on predefined security labels and classifications. MAC policies are centrally enforced by the system and cannot be modified by end users. While MAC is highly secure and suitable for sensitive government or military environments, it is less flexible than RBAC for dynamic business operations where roles may frequently change. MAC focuses on clearance levels and classifications rather than job functions.
Discretionary Access Control (DAC) allows resource owners to control access to their resources at their discretion. Users can grant or revoke permissions for files, folders, or applications they own. DAC provides flexibility but may introduce security risks if owners unintentionally grant excessive permissions or fail to manage access appropriately. RBAC provides centralized, consistent control, whereas DAC relies heavily on individual user management.
Attribute-Based Access Control (ABAC) uses attributes such as user properties, environmental factors, or resource characteristics to make access decisions. ABAC is highly dynamic and flexible, allowing fine-grained policies based on multiple criteria. While powerful, ABAC can be complex to implement and maintain compared to the straightforward role-based approach of RBAC.
RBAC is widely adopted in enterprise environments, cloud services, and enterprise applications because it simplifies administrative overhead while ensuring security compliance. Assigning permissions by role reduces errors, ensures separation of duties, and supports auditing. It integrates well with directory services such as Active Directory and Azure AD, enabling centralized management and automated role assignment. By focusing on job responsibilities rather than individual user preferences, RBAC enforces the principle of least privilege, helping organizations limit access to sensitive information, prevent unauthorized actions, and reduce insider threats. RBAC policies can be combined with multi-factor authentication, auditing, and monitoring tools to further strengthen security.
Question 67:
Which type of attack attempts to overwhelm authentication systems by repeatedly guessing passwords across multiple accounts?
A) Password spraying
B) Brute force attack
C) Phishing
D) Man-in-the-middle (MITM)
Answer: A) Password spraying
Explanation:
Password spraying is a credential-based attack where attackers attempt a small set of commonly used passwords across many user accounts. Unlike traditional brute-force attacks that focus on one account and attempt numerous passwords until successful, password spraying minimizes the risk of triggering account lockouts while increasing the chance of success across multiple accounts. Attackers exploit weak or common passwords such as “Password123” or “Welcome1,” targeting organizations where users reuse simple credentials or fail to follow strong password policies. Password spraying is highly effective in large enterprises, cloud platforms, and remote access environments because it avoids detection from traditional rate-limiting or account lockout mechanisms.
Brute force attacks systematically attempt all possible password combinations for a single account. While powerful, brute-force attacks are time-consuming and likely to trigger account lockouts or alerts. Brute force targets one account at a time, unlike password spraying, which targets multiple accounts with limited attempts per account to avoid detection.
Phishing attacks deceive users into revealing credentials or sensitive information through fraudulent emails, websites, or messages. Phishing exploits human behavior and social engineering rather than technical weaknesses in authentication systems. While phishing can lead to credential compromise, it does not involve repeated guessing of passwords across accounts.
Man-in-the-middle (MITM) attacks intercept communication between two parties to monitor, modify, or steal information in transit. MITM attacks exploit network vulnerabilities and trust relationships, not authentication system weaknesses through password guessing. MITM can facilitate credential theft, but does not inherently rely on repeated password attempts.
Password spraying is particularly dangerous because it leverages predictable human behavior regarding password creation. Organizations mitigate password spraying risks by enforcing strong password policies, implementing multi-factor authentication, monitoring failed login attempts, and applying adaptive account lockout policies. Continuous security awareness training for employees further reduces the likelihood of successful attacks. Monitoring authentication logs for unusual patterns, such as repeated failed logins across many accounts, allows security teams to detect and respond to password spraying attempts proactively. It is an attack that highlights the importance of strong, unique passwords and layered security controls.
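The detection the explanation calls for, as an added example that is not part of the original page: it separates a spray (few failures each against many accounts from one source) from a classic brute force (many failures against one account) and highlights any source that later succeeded. The log format, the RFC 5737 documentation addresses and the account names are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not from any real product): timestamp, source IP, account, outcome.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

SAMPLE_LOG = """\
2024-03-01T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-03-01T09:00:04Z src=203.0.113.7 user=bob result=FAIL
2024-03-01T09:00:07Z src=203.0.113.7 user=carol result=FAIL
2024-03-01T09:00:10Z src=203.0.113.7 user=dave result=FAIL
2024-03-01T09:00:13Z src=203.0.113.7 user=erin result=OK
2024-03-01T09:01:00Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:01:02Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:01:04Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:01:06Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:01:08Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:01:10Z src=198.51.100.9 user=alice result=FAIL
2024-03-01T09:03:00Z src=192.0.2.5 user=frank result=FAIL
2024-03-01T09:03:20Z src=192.0.2.5 user=frank result=OK
"""


def parse(lines):
    """Yield (timestamp, src, user, result) for every well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["user"], m["result"]


def classify_sources(lines, window=timedelta(minutes=10), spray_min_users=4,
                     spray_max_per_user=2, brute_min_attempts=5):
    """Return {src: finding} for sources whose failures inside any sliding window match a pattern."""
    events = defaultdict(list)
    for ts, src, user, result in parse(lines):
        events[src].append((ts, user, result))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        label = None
        for i, (start, _) in enumerate(fails):          # slide a window starting at each failure
            per_user = defaultdict(int)
            for ts, u in fails[i:]:
                if ts - start > window:
                    break
                per_user[u] += 1
            # Spray: many distinct accounts, each tried only a few times (stays under lockout).
            if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
                label = "password_spray"
                break
            # Brute force: one account hammered repeatedly.
            if max(per_user.values()) >= brute_min_attempts:
                label = "brute_force"
                break
        if label:
            findings[src] = {
                "label": label,
                "accounts_failed": len({u for _, u in fails}),
                # A success from a source that was guessing is the finding to escalate first.
                "succeeded_as": sorted({u for _, u, r in evs if r == "OK"}),
            }
    return findings


if __name__ == "__main__":
    for src, finding in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(src, finding)
```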
Question 68:
Which solution provides endpoint protection, threat detection, and response capabilities to manage advanced threats?
A) Endpoint Detection and Response (EDR)
B) Antivirus software
C) Network firewall
D) Data Loss Prevention (DLP)
Answer: A) Endpoint Detection and Response (EDR)
Explanation:
Endpoint Detection and Response (EDR) solutions provide comprehensive security for endpoints by continuously monitoring activity, detecting suspicious behaviors, and enabling rapid response to potential threats. EDR collects telemetry from files, processes, network connections, registry changes, and system logs, allowing security teams to identify anomalies, malware, or advanced persistent threats (APTs). Upon detection, EDR can generate alerts, isolate affected endpoints, terminate malicious processes, and provide forensic data for investigation. EDR goes beyond traditional antivirus by combining prevention, detection, and response in a proactive, real-time approach.
Antivirus software primarily detects and removes known malware based on signature databases. While effective for basic protection, antivirus solutions are reactive and limited in their ability to detect unknown threats, advanced malware, or lateral movement across endpoints. Antivirus does not provide the same level of real-time behavioral analysis and response capabilities as EDR.
Network firewalls filter traffic entering or leaving a network segment based on rules such as IP addresses, ports, and protocols. Firewalls help prevent unauthorized access but do not monitor endpoint activity, detect malware behavior, or respond to threats at the device level. They focus on network perimeter security rather than endpoint protection.
Data Loss Prevention (DLP) monitors and controls the flow of sensitive data to prevent unauthorized disclosure. DLP protects information in motion, at rest, or in use, but does not actively detect malware, respond to threats, or provide detailed endpoint visibility. DLP is information-centric rather than threat-centric.
EDR solutions enhance cybersecurity posture by providing deep visibility into endpoint activity, enabling detection of zero-day exploits, ransomware, credential theft, and malicious insiders. Integration with threat intelligence, SIEM systems, and automated response workflows allows organizations to contain incidents, perform root cause analysis, and prevent recurrence. EDR supports both prevention and mitigation strategies, bridging the gap between reactive antivirus and proactive threat management. By continuously analyzing endpoint behavior, EDR helps identify stealthy attacks, insider threats, and compromised devices before they escalate into significant incidents. Deploying EDR is critical for organizations managing a large number of endpoints, hybrid environments, and cloud-connected devices.
Question 69:
Which authentication mechanism requires multiple forms of verification to access systems?
A) Multi-factor authentication (MFA)
B) Single sign-on (SSO)
C) Password-only authentication
D) Certificate-based authentication
Answer: A) Multi-factor authentication (MFA)
Explanation:
Multi-factor authentication (MFA) is a security control that requires users to provide two or more independent forms of verification before accessing systems or applications. These factors typically fall into three categories: something the user knows (password or PIN), something the user has (hardware token, mobile device), and something the user is (biometric identifier such as fingerprint or facial recognition). MFA increases account security by ensuring that possession of a single credential, such as a password, is insufficient for authentication. It mitigates risks associated with stolen or weak passwords, phishing attacks, and credential reuse. MFA can be implemented for cloud services, VPNs, administrative accounts, and other critical resources.
Single sign-on (SSO) allows users to authenticate once and access multiple systems without re-entering credentials. While convenient, SSO does not inherently require multiple verification factors. It relies on a single authentication event and does not provide the layered security of MFA.
Password-only authentication relies solely on a static password for verification. This method is vulnerable to credential theft, brute-force attacks, and password reuse. Password-only authentication lacks dynamic verification factors and does not protect compromised credentials.
Certificate-based authentication uses digital certificates to verify identity, typically as part of a public key infrastructure (PKI). Certificates can provide strong security, but usually represent a single factor (possession of the certificate) and may not include additional verification, such as a PIN or biometric factor.
MFA strengthens authentication by combining multiple independent factors to reduce the likelihood of unauthorized access, even if one factor is compromised. It provides a robust defense against credential-based attacks and is a recommended best practice for securing critical systems, privileged accounts, and remote access services. MFA also supports adaptive policies, risk-based authentication, and integration with monitoring and incident response workflows, providing a comprehensive security approach.
Question 70:
Which method detects and prevents the accidental or intentional exposure of sensitive organizational data?
A) Data Loss Prevention (DLP)
B) Antivirus software
C) Endpoint Detection and Response (EDR)
D) Network firewall
Answer: A) Data Loss Prevention (DLP)
Explanation:
Data Loss Prevention (DLP) is a set of tools and processes designed to detect, monitor, and prevent unauthorized transmission of sensitive information. DLP policies can be applied to data at rest, in use, or in motion, including email, cloud storage, endpoints, and network communications. DLP solutions identify sensitive content based on patterns, keywords, file types, or contextual factors and can block, quarantine, or encrypt data to prevent accidental or intentional exposure. Organizations use DLP to comply with regulations such as GDPR, HIPAA, and PCI DSS, protecting personally identifiable information (PII), financial data, intellectual property, and confidential business information.
Antivirus software detects and removes malware but does not monitor the movement of sensitive information or enforce data security policies. Antivirus focuses on system integrity rather than information protection.
Endpoint Detection and Response (EDR) monitors endpoints for malicious activity and provides real-time response capabilities. While EDR can detect malware that may attempt data exfiltration, it is not designed specifically to monitor or prevent the unauthorized sharing of sensitive data. EDR is threat-centric rather than information-centric.
Network firewalls control access and filter traffic based on rules such as IP addresses, ports, and protocols. Firewalls protect network boundaries but do not inspect data content for sensitive information or enforce organizational policies to prevent data leakage.
DLP enforces the principle of least privilege by monitoring user activity, controlling file transfers, and alerting security teams to potential violations. It can prevent confidential data from leaving the organization via email, cloud services, removable media, or messaging platforms. DLP integrates with identity management, encryption, and monitoring solutions to provide a comprehensive approach to data protection. Effective DLP deployment involves continuous policy updates, employee training, and monitoring to balance security and usability while reducing the risk of accidental or malicious data breaches.
Question 71:
Which attack involves intercepting and potentially altering communications between two parties without their knowledge?
A) Man-in-the-middle (MITM)
B) SQL injection
C) Cross-site scripting (XSS)
D) Denial of Service (DoS)
Answer: A) Man-in-the-middle (MITM)
Explanation:
A Man-in-the-Middle (MITM) attack occurs when an attacker secretly intercepts, monitors, or manipulates communication between two parties who believe they are directly communicating with each other. MITM attacks can target a wide range of communication channels, including network traffic, email, instant messaging, and even phone calls. Attackers exploit vulnerabilities in network configurations, weak encryption, or unsecured connections to insert themselves into the communication flow. Once in position, they can eavesdrop, alter messages, steal sensitive data, capture authentication credentials, or inject malicious content. MITM attacks can be conducted using techniques such as ARP spoofing, DNS spoofing, rogue Wi-Fi hotspots, or SSL stripping. These attacks are particularly dangerous because neither party is immediately aware that the communication has been compromised.
SQL injection is a web application attack where malicious input is submitted to manipulate backend database queries. SQL injection focuses on unauthorized access or modification of database content rather than intercepting or manipulating communication between two parties. SQL injection is a server-side attack targeting application logic rather than network-level interception.
Cross-site scripting (XSS) injects malicious scripts into web applications to run in the victim’s browser. XSS targets client-side behavior and session data, often to steal cookies or manipulate web content. While XSS can indirectly facilitate credential theft or unauthorized access, it does not involve intercepting the communication channel between two systems.
Denial of Service (DoS) attacks overwhelm networks or systems with traffic to degrade or interrupt availability. DoS attacks target service availability rather than the confidentiality or integrity of communications. Unlike MITM attacks, DoS does not involve interception or manipulation of communication flows.
MITM attacks are particularly effective when encryption is weak or improperly implemented. Attackers may use SSL/TLS stripping to downgrade secure connections to unencrypted channels, allowing sensitive information such as passwords, session tokens, or personal data to be intercepted. Effective defense includes enforcing strong encryption protocols, certificate pinning, secure Wi-Fi configurations, network monitoring, intrusion detection, and user awareness. Organizations should educate users to recognize unsecured connections, avoid untrusted networks, and validate security indicators such as HTTPS certificates. Detection of MITM attacks can also involve analyzing traffic anomalies, validating cryptographic integrity, and implementing network segmentation. These strategies collectively reduce exposure to MITM attacks and protect the confidentiality and integrity of communications.
Question 72:
Which attack exploits a web application by injecting malicious scripts that execute in the victim’s browser?
A) Cross-site scripting (XSS)
B) SQL injection
C) Brute force attack
D) Password spraying
Answer: A) Cross-site scripting (XSS)
Explanation:
Cross-site scripting (XSS) is a type of web application attack where attackers inject malicious scripts into web pages that are executed in the victim’s browser. XSS exploits improper input validation, allowing attackers to manipulate client-side content, hijack sessions, steal cookies or tokens, redirect users to malicious sites, or modify displayed content. There are three main types of XSS: stored, reflected, and DOM-based. Stored XSS occurs when malicious code is permanently stored on a server or database, reflected XSS is embedded in URLs and executed when a user clicks the link, and DOM-based XSS manipulates the document object model in the browser. XSS targets users interacting with web applications rather than the server itself, exploiting trust between users and the application interface.
SQL injection attacks target backend databases by inserting malicious SQL commands into web application inputs. SQL injection allows attackers to retrieve, modify, or delete data in the database, but does not execute code in the victim’s browser. SQL injection is server-side exploitation rather than client-side script execution.
Brute force attacks attempt all possible combinations of passwords for a single account until successful. Brute force is a credential-based attack that targets authentication systems, not web application scripts or browser execution. It is unrelated to XSS, which manipulates user interactions and browser behavior.
Password spraying attacks attempt a limited set of commonly used passwords across many accounts to avoid lockouts. Password spraying is a method of credential compromise and does not involve executing scripts or exploiting web page vulnerabilities.
XSS attacks are dangerous because they exploit the human element, targeting users who trust a legitimate application. They can bypass traditional security mechanisms such as firewalls because the malicious code executes within the browser, inside an already-authorized session. Defense strategies include input validation, context-aware output encoding, content security policies, secure cookie attributes (such as HttpOnly and Secure), and user education. Web application developers should adopt secure coding practices, implement automated testing, and conduct penetration testing to identify potential XSS vulnerabilities. Organizations can also use web application firewalls (WAFs) to detect and block malicious requests. Proper monitoring, logging, and alerting mechanisms are essential for detecting and responding to XSS incidents effectively.
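The following is an added example, not part of the original question set: a vulnerable comment renderer that interpolates untrusted input into HTML verbatim, beside the hardened version that entity-encodes every untrusted value, plus a small checker that flags markup a browser would execute and a helper that sets the cookie attributes mentioned above. The function names, the comment format and the sample payloads are constructed for illustration. Note that html.escape is correct for the HTML body context only; values placed in JavaScript, URL or CSS contexts need their own encoders.

```python
import html
from html.parser import HTMLParser


def render_comment_unsafe(author: str, body: str) -> str:
    """Vulnerable: untrusted values are placed into the HTML body unchanged."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author: str, body: str) -> str:
    """Hardened: every untrusted value is entity-encoded for the HTML body context,
    so '<', '>', '&', quotes arrive at the browser as text, never as markup."""
    return f"<p><b>{html.escape(author, quote=True)}</b>: {html.escape(body, quote=True)}</p>"


class _ActiveContentFinder(HTMLParser):
    """Collects constructs a browser would execute: <script> elements, on* event
    handler attributes, and javascript: URLs in href/src. Entity-encoded text
    such as '&lt;script&gt;' is data to the parser and is therefore not reported."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")


def active_content(rendered_html: str) -> list:
    """Return a list of executable constructs found in rendered HTML (empty if none)."""
    finder = _ActiveContentFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.findings


def session_cookie_header(value: str) -> str:
    """Set-Cookie value for a session token: HttpOnly keeps it out of reach of any
    script that does run, Secure keeps it off plaintext channels, SameSite limits
    cross-site sending."""
    return f"session={value}; HttpOnly; Secure; SameSite=Strict; Path=/"


if __name__ == "__main__":
    # Constructed inputs: a harmless script marker and an event-handler variant.
    for payload in ['<script>alert("xss")</script>', "<img src=x onerror=alert(1)>"]:
        print("unsafe:", active_content(render_comment_unsafe("mallory", payload)))
        print("safe:  ", active_content(render_comment_safe("mallory", payload)))
```

Running the script shows the unsafe renderer producing a script tag or an onerror handler in the page, while the hardened renderer yields no active content for the same inputs.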
Question 73:
Which control ensures sensitive data is encrypted both in transit and at rest?
A) Data encryption
B) Antivirus software
C) Network firewall
D) Endpoint Detection and Response (EDR)
Answer: A) Data encryption
Explanation:
Data encryption is a security control that converts readable data into an encoded format to prevent unauthorized access. Encryption ensures that sensitive information remains confidential, whether stored on devices or transmitted across networks. At rest, data stored in databases, files, or storage media is encrypted to protect against physical theft or unauthorized access. In transit, data transmitted via networks or communications channels is encrypted using protocols such as TLS/SSL, IPsec, or VPN tunnels, ensuring that interception does not expose the underlying information. Strong encryption algorithms, proper key management, and secure implementation practices are critical to maintaining data confidentiality and integrity.
Antivirus software detects, prevents, and removes malware from systems. Antivirus protects against malicious programs but does not encrypt data. While antivirus software contributes to overall security, it does not ensure the confidentiality of stored or transmitted data.
Network firewalls control traffic flows between networks by filtering based on IP addresses, ports, and protocols. Firewalls enforce network boundaries and prevent unauthorized access, but do not encrypt the data traversing the network. Firewalls support network security but are not a substitute for data encryption.
Endpoint Detection and Response (EDR) monitors endpoint behavior to detect and respond to malicious activity. While EDR enhances threat detection and response, it does not provide encryption for data at rest or in transit. EDR protects against malware or attacks, but not data confidentiality by itself.
Data encryption is essential for protecting sensitive organizational information such as financial records, personal data, intellectual property, and credentials. It provides a layer of security that remains effective even when other defenses fail, for example when storage media are physically stolen or network traffic is intercepted. Effective encryption requires proper key management, access controls, and compliance with industry standards. Encryption reduces the risk of data breaches, maintains regulatory compliance, and enhances trust in digital systems. Both symmetric and asymmetric encryption algorithms may be used depending on performance and security requirements. Data encryption is a fundamental security measure in modern cybersecurity frameworks.
Question 74:
Which attack targets network or system resources to disrupt availability by overwhelming them with traffic?
A) Denial of Service (DoS)
B) SQL injection
C) Cross-site scripting (XSS)
D) Phishing
Answer: A) Denial of Service (DoS)
Explanation:
A Denial of Service (DoS) attack aims to disrupt the availability of networks, servers, or applications by overwhelming them with excessive traffic or resource requests. Attackers may send malformed packets, flood connections, or exploit system limitations to exhaust bandwidth, CPU, memory, or application capacity. Distributed Denial of Service (DDoS) attacks involve multiple sources, often botnets, amplifying the impact. The goal is to prevent legitimate users from accessing services, potentially causing financial loss, reputational damage, or operational disruptions. Mitigation strategies include traffic filtering, rate limiting, anomaly detection, load balancing, and cloud-based DDoS protection services.
SQL injection attacks manipulate backend database queries to access or modify data without authorization. SQL injection focuses on data confidentiality and integrity rather than service availability. It does not overwhelm network or system resources to deny access to legitimate users.
Cross-site scripting (XSS) injects malicious scripts into web pages for execution in user browsers. XSS targets user sessions and client-side behavior but does not inherently disrupt the availability of systems or networks. XSS is a client-side attack rather than a resource exhaustion attack.
Phishing attacks deceive users into revealing credentials or sensitive information through social engineering. Phishing targets human behavior, aiming for unauthorized access, data theft, or fraud, but does not aim to flood systems or prevent service availability.
DoS attacks are particularly dangerous because they exploit resource limitations and can impact critical infrastructure, cloud services, and organizational operations. Detection involves monitoring traffic patterns, implementing automated mitigation, and maintaining redundancy. Proactive strategies such as rate limiting, firewall rules, and anomaly-based intrusion detection can reduce the risk of service disruption. Organizations often combine multiple techniques to defend against DoS attacks, including cloud-based mitigation, traffic analysis, and load balancing across multiple servers. Proper planning and monitoring are essential to minimize operational and financial impacts from DoS attacks.
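As an added example (not part of the original text), the rate-limiting mitigation named above implemented as a per-source token bucket, run over constructed traffic: one client sending a request per second and one source flooding at a hundred requests per second. The source addresses, bucket sizes and refill rate are assumptions chosen for the demonstration; arithmetic is kept in integer milliseconds and milli-tokens so the outcome is exact.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

TOKEN = 1000  # one request costs 1000 milli-tokens


@dataclass
class TokenBucket:
    capacity: int          # burst allowance, in milli-tokens
    refill_per_ms: int     # milli-tokens added per millisecond (5 == 5 requests/second)
    tokens: Optional[int] = None
    last_ms: Optional[int] = None

    def allow(self, now_ms: int) -> bool:
        if self.tokens is None:  # first request from this source: bucket starts full
            self.tokens, self.last_ms = self.capacity, now_ms
        # Refill for the time elapsed since the last request, capped at capacity.
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.refill_per_ms)
        self.last_ms = now_ms
        if self.tokens >= TOKEN:
            self.tokens -= TOKEN
            return True
        return False


class PerSourceRateLimiter:
    """One bucket per source address, so a flooding source exhausts only its own allowance."""

    def __init__(self, capacity_requests: int = 10, requests_per_second: int = 5):
        self.capacity = capacity_requests * TOKEN
        self.refill_per_ms = requests_per_second  # 5 req/s == 5 milli-tokens/ms
        self.buckets = {}
        self.dropped = defaultdict(int)

    def handle(self, src: str, now_ms: int) -> bool:
        bucket = self.buckets.setdefault(src, TokenBucket(self.capacity, self.refill_per_ms))
        allowed = bucket.allow(now_ms)
        if not allowed:
            self.dropped[src] += 1
        return allowed


def simulate(requests):
    """requests: iterable of (timestamp_ms, source). Returns {source: (allowed, dropped)}."""
    limiter = PerSourceRateLimiter(capacity_requests=10, requests_per_second=5)
    allowed = defaultdict(int)
    for ts, src in sorted(requests):
        if limiter.handle(src, ts):
            allowed[src] += 1
    return {src: (allowed[src], limiter.dropped[src]) for _, src in requests}


# Constructed traffic (documentation-range addresses): a legitimate client at 1 req/s
# for 10 s and a flooding source at 100 req/s for the same 10 s.
LEGIT = [(i * 1000, "198.51.100.7") for i in range(10)]
FLOOD = [(i * 10, "203.0.113.9") for i in range(1000)]

if __name__ == "__main__":
    for src, (ok, dropped) in simulate(LEGIT + FLOOD).items():
        print(f"{src}: allowed={ok} dropped={dropped}")
```

The legitimate client never exceeds its refill rate and loses nothing, while the flood is held to the burst allowance plus the refill budget: roughly 10 + 5 x 10 requests over the ten seconds, with the rest dropped before they consume server capacity.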
Question 75:
Which security measure verifies the identity of users before granting access to systems?
A) Authentication
B) Authorization
C) Encryption
D) Data Loss Prevention (DLP)
Answer: A) Authentication
Explanation:
Authentication is the process of verifying the identity of users, devices, or systems before granting access to resources. It ensures that only authorized individuals can access sensitive systems, applications, or data. Authentication methods can include passwords, PINs, biometrics, smart cards, hardware tokens, and multi-factor authentication (MFA). The goal of authentication is to establish trust in the user’s identity and prevent unauthorized access. Authentication precedes authorization, which determines what resources an authenticated user can access based on permissions or roles. Strong authentication methods help mitigate credential theft, phishing, and unauthorized access, supporting overall security policies.
Authorization determines the level of access or permissions for authenticated users. While authorization is critical for enforcing access control, it assumes that the user’s identity has already been verified through authentication. Authorization alone does not verify identity.
Encryption protects the confidentiality of data by converting it into unreadable formats for unauthorized users. While encryption secures information, it does not verify the identity of users before access. Encryption protects data at rest or in transit, but is not an authentication control.
Data Loss Prevention (DLP) monitors and controls the movement of sensitive data to prevent unauthorized disclosure. DLP protects information but does not verify user identity. It is information-centric, focusing on data security rather than access verification.
Authentication is a foundational security mechanism that establishes trust in digital interactions. It supports identity management, access control, compliance, and threat prevention. By combining strong passwords, MFA, and modern authentication protocols, organizations can reduce the likelihood of unauthorized access and strengthen their overall cybersecurity posture. Effective authentication strategies include secure credential storage, periodic review of access controls, and monitoring for anomalous login behavior. Authentication integrates with identity and access management (IAM) frameworks to provide a comprehensive approach to securing organizational resources.
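An added example, not from the original material, of two practices named above: secure credential storage and monitoring for anomalous login behaviour. Passwords are stored as salted PBKDF2-HMAC-SHA256 digests from the standard library and verified with a constant-time comparison; a small authenticator counts consecutive failures and raises an alert at a threshold. The record format, the iteration count and the threshold are assumptions for the demonstration, and MFA is not shown.

```python
import base64
import hashlib
import hmac
import os
from collections import defaultdict

# Iteration count is a tunable assumption; a slow hash is the point, so keep it high.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<digest>' with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


# A throwaway record used so that lookups of unknown usernames take the same time
# as real verifications (avoids leaking which usernames exist).
DUMMY_RECORD = hash_password("not-a-real-password")


class Authenticator:
    """Verifies identities against stored hashes and flags repeated failures."""

    def __init__(self, users: dict, lockout_threshold: int = 5):
        self.users = users                  # username -> stored hash record
        self.failures = defaultdict(int)    # consecutive failures per username
        self.lockout_threshold = lockout_threshold
        self.alerts = []

    def login(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        if stored is None:
            verify_password(password, DUMMY_RECORD)  # burn equivalent time, then deny
            ok = False
        else:
            ok = verify_password(password, stored)
        if ok:
            self.failures[username] = 0
            return True
        self.failures[username] += 1
        if self.failures[username] == self.lockout_threshold:
            self.alerts.append(f"{username}: {self.lockout_threshold} consecutive failures")
        return False


if __name__ == "__main__":
    # Constructed user store with one account.
    auth = Authenticator({"alice": hash_password("correct horse battery staple")}, lockout_threshold=3)
    print(auth.login("alice", "correct horse battery staple"))   # True
    for _ in range(3):
        auth.login("alice", "guess")
    print(auth.alerts)
```

Authentication here stops at establishing identity; what alice may then do is an authorization decision, handled separately.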
Question 76:
Which technique isolates sensitive systems and limits lateral movement within a network?
A) Network segmentation
B) Antivirus software
C) Password management
D) Single sign-on (SSO)
Answer: A) Network segmentation
Explanation:
Network segmentation is the practice of dividing a network into smaller, isolated segments to control traffic flow, enhance security, and reduce the potential impact of a compromise. Segmentation can be implemented using VLANs, subnets, firewalls, or software-defined networking, creating boundaries between systems based on sensitivity, department, or functionality. By isolating sensitive systems from general networks, organizations limit lateral movement by attackers, which reduces the risk of widespread breaches. Segmentation also simplifies monitoring and incident response by containing potential threats within a defined network zone.
Antivirus software provides endpoint-level protection by detecting and removing known malware. While antivirus software protects individual devices from infection, it does not control network traffic or isolate systems. Antivirus cannot prevent lateral movement between compromised and unaffected systems if the network itself is flat and unrestricted.
Password management tools help users store, generate, and manage strong passwords securely. While they improve credential security, they do not segment networks or control the flow of data between systems. Password managers are focused on identity security rather than network architecture.
Single sign-on (SSO) streamlines authentication by allowing users to access multiple applications with one set of credentials. While SSO improves usability and can integrate with security policies, it does not provide isolation between systems or prevent lateral movement if an account is compromised. SSO is identity-centric rather than network-centric.
Network segmentation provides several key benefits. It enforces security boundaries, reduces attack surfaces, and ensures that a compromise in one segment does not automatically affect other segments. It also supports compliance by isolating regulated or sensitive data, such as payment card information, personal health data, or intellectual property. Segmentation can include micro-segmentation, which applies fine-grained controls at the workload or application level, particularly in cloud or virtualized environments. Implementing segmentation effectively involves policy definition, access control enforcement, and continuous monitoring. When combined with intrusion detection systems, firewalls, and security analytics, segmentation strengthens overall security posture by limiting exposure, controlling traffic, and providing actionable insight into anomalies.
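Added as an illustration (not part of the original explanation): a default-deny segment policy evaluated over constructed address ranges, with a helper that reports which segments a host in a given segment could reach. The segment names, subnets, ports and permitted flows are assumptions; the point is that a compromised workstation in the user segment cannot reach the regulated database segment directly, only the paths the policy names.

```python
import ipaddress

# Constructed segments (private and documentation ranges).
SEGMENTS = {
    "corp-users": ipaddress.ip_network("10.10.0.0/16"),
    "jump-hosts": ipaddress.ip_network("10.20.1.0/24"),
    "pci-db":     ipaddress.ip_network("10.30.5.0/24"),
    "dmz-web":    ipaddress.ip_network("192.0.2.0/24"),
}

# Permitted inter-segment flows as (source segment, destination segment, destination port).
# Anything not listed is denied.
ALLOWED_FLOWS = {
    ("corp-users", "dmz-web", 443),
    ("corp-users", "jump-hosts", 22),
    ("jump-hosts", "pci-db", 5432),
    ("dmz-web", "pci-db", 5432),
}


def segment_of(ip: str):
    """Map an address to its segment name, or None if it is outside every segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_permitted(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False            # unknown address space: deny
    if src == dst:
        return True             # intra-segment traffic; micro-segmentation would tighten this
    return (src, dst, dst_port) in ALLOWED_FLOWS


def blast_radius(src_ip: str) -> set:
    """Segments and ports reachable from a host at src_ip if it were compromised."""
    src = segment_of(src_ip)
    return {(dst, port) for (s, dst, port) in ALLOWED_FLOWS if s == src}


def evaluate_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns [(flow, 'permit'|'deny'), ...]."""
    return [(flow, "permit" if is_permitted(*flow) else "deny") for flow in flows]


if __name__ == "__main__":
    # Constructed observed flows: a workstation going straight at the database,
    # the same workstation via the jump host, and a jump host reaching the database.
    sample = [
        ("10.10.4.20", "10.30.5.10", 5432),
        ("10.10.4.20", "10.20.1.5", 22),
        ("10.20.1.5", "10.30.5.10", 5432),
    ]
    for flow, decision in evaluate_flows(sample):
        print(flow, decision)
    print("reachable from a user workstation:", blast_radius("10.10.4.20"))
```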
Question 77:
Which process identifies, evaluates, and prioritizes vulnerabilities to reduce risk exposure?
A) Vulnerability management
B) Endpoint Detection and Response (EDR)
C) Data Loss Prevention (DLP)
D) Network Access Control (NAC)
Answer: A) Vulnerability management
Explanation:
Vulnerability management is the ongoing process of discovering, evaluating, prioritizing, and mitigating vulnerabilities across systems, networks, and applications. This process begins with automated scanning to detect known vulnerabilities, misconfigurations, and missing patches. Each vulnerability is then assessed for severity, potential impact, and exploitability. Organizations prioritize remediation based on risk, focusing first on vulnerabilities that pose the greatest threat to critical assets. Reporting, tracking, and verification of remediation are integral components of a comprehensive vulnerability management program. The goal is to reduce exposure to attackers by proactively identifying weaknesses before they can be exploited.
Endpoint Detection and Response (EDR) provides real-time monitoring and response capabilities for endpoints. While EDR is critical for detecting active threats, malware, or suspicious behavior, it does not systematically identify all known vulnerabilities or provide prioritization of remediation actions. EDR is threat-centric, whereas vulnerability management is risk-centric.
Data Loss Prevention (DLP) monitors and controls the handling of sensitive data to prevent accidental or intentional exposure. DLP focuses on information protection rather than the identification or prioritization of security weaknesses in systems or networks. It does not evaluate software vulnerabilities or misconfigurations.
Network Access Control (NAC) ensures that devices meet compliance requirements before accessing the network. NAC enforces endpoint policies but does not scan for vulnerabilities across systems or prioritize them based on risk. NAC is a preventive access control measure, not a comprehensive vulnerability assessment program.
Vulnerability management integrates scanning, risk assessment, prioritization, and remediation tracking to create a continuous improvement cycle for organizational security. Automated tools, patch management, threat intelligence, and reporting dashboards enable organizations to proactively manage weaknesses and comply with regulatory frameworks. Effective programs reduce the attack surface, minimize exploit opportunities, and provide metrics for security performance and resource allocation. Organizations that adopt vulnerability management maintain a proactive security posture, focusing on prevention rather than reactive threat response.
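An added example, not drawn from the original text, of the prioritization step: scanner findings are scored not by CVSS alone but by CVSS combined with asset criticality, exposure and exploit availability, then mapped to a remediation tier and deadline. The findings, asset names, weighting factors and SLA values are constructed assumptions for the demonstration; real programs tune these to their own risk appetite.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str          # tracker id (constructed placeholder, not a CVE)
    asset: str
    cvss_base: float         # 0.0 to 10.0, as reported by the scanner
    asset_criticality: int   # 1 (low) .. 3 (business-critical), from the asset inventory
    internet_facing: bool    # exposure, from network inventory
    exploit_available: bool  # from threat intelligence


def risk_score(f: Finding) -> float:
    """Contextual risk: CVSS weighted by criticality, exposure and exploitability.
    The multipliers are illustrative assumptions."""
    score = f.cvss_base * f.asset_criticality
    if f.internet_facing:
        score *= 1.5
    if f.exploit_available:
        score *= 2.0
    return round(score, 1)


def remediation_tier(score: float):
    """Map a risk score to (tier, remediation deadline in days); thresholds are assumptions."""
    if score >= 40:
        return ("critical", 7)
    if score >= 20:
        return ("high", 30)
    if score >= 10:
        return ("medium", 90)
    return ("low", 180)


def prioritize(findings):
    """Highest risk first; ties broken by id so the order is stable and reproducible."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.finding_id))


def remediation_plan(findings):
    return [
        {"id": f.finding_id, "asset": f.asset, "score": risk_score(f),
         "tier": remediation_tier(risk_score(f))[0], "due_days": remediation_tier(risk_score(f))[1]}
        for f in prioritize(findings)
    ]


# Constructed sample findings. F-001 and F-002 share the same CVSS; context separates them.
SAMPLE_FINDINGS = [
    Finding("F-001", "crm-web-01",    9.8, 2, True,  True),
    Finding("F-002", "hr-db-01",      9.8, 3, False, False),
    Finding("F-003", "kiosk-07",      7.5, 1, True,  True),
    Finding("F-004", "build-agent-3", 5.3, 1, False, False),
    Finding("F-005", "vpn-gw-01",     6.4, 3, True,  False),
]

if __name__ == "__main__":
    for row in remediation_plan(SAMPLE_FINDINGS):
        print(row)
```

Sorting by contextual score rather than raw CVSS is what lets a program fix the internet-facing, actively exploited flaw first even when several findings carry the same severity label.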
Question 78:
Which attack attempts to trick users into providing sensitive information via emails, websites, or messages?
A) Phishing
B) Denial of Service (DoS)
C) SQL injection
D) Cross-site scripting (XSS)
Answer: A) Phishing
Explanation:
Phishing is a social engineering attack where attackers attempt to deceive users into revealing sensitive information such as usernames, passwords, credit card numbers, or personal identification. Phishing is typically conducted via email, instant messaging, fake websites, or other communication channels that appear legitimate. Attackers often create a sense of urgency or mimic trusted sources to manipulate users into taking immediate action, such as clicking links or submitting credentials. Successful phishing attacks can lead to account compromise, identity theft, financial loss, or malware installation. Awareness training, email filtering, and verification procedures are critical defenses against phishing attacks.
Denial of Service (DoS) attacks aim to disrupt service availability by overwhelming networks or systems with traffic. DoS does not rely on user deception or harvesting credentials. Its goal is to prevent access to resources rather than extract sensitive information from users.
SQL injection attacks exploit web application vulnerabilities to manipulate backend database queries. SQL injection targets data storage systems and applications rather than users directly. It does not involve tricking users into voluntarily providing credentials or personal information.
Cross-site scripting (XSS) injects malicious scripts into web pages for execution in a user’s browser. XSS can steal session tokens, hijack accounts, or manipulate content, but relies on exploiting web applications rather than social engineering users. XSS does not involve direct deception through emails or messages.
Phishing is particularly effective because it targets human behavior, exploiting trust, curiosity, or fear. Attackers often combine phishing with other techniques such as spear-phishing (targeted campaigns), whaling (targeting executives), or vishing (voice phishing). Mitigation involves training employees to recognize phishing attempts, implementing multi-factor authentication, using email security gateways, and maintaining up-to-date threat intelligence. Organizations also employ simulated phishing exercises to assess user awareness and reinforce training. Phishing attacks remain one of the most common and successful methods for compromising credentials and infiltrating organizational systems.
Question 79:
Which technology monitors endpoints to detect suspicious activity, investigate incidents, and respond to threats?
A) Endpoint Detection and Response (EDR)
B) Antivirus software
C) Network firewall
D) Data Loss Prevention (DLP)
Answer: A) Endpoint Detection and Response (EDR)
Explanation:
Endpoint Detection and Response (EDR) is a security technology designed to continuously monitor endpoints for suspicious activity, detect threats, investigate incidents, and enable rapid response. EDR solutions collect and analyze telemetry from processes, files, network connections, and system logs to identify anomalies, malware behavior, or advanced persistent threats. When suspicious activity is detected, EDR tools can generate alerts, quarantine affected devices, terminate malicious processes, and provide forensic evidence for further investigation. Unlike traditional antivirus software, which focuses primarily on known threats using signature-based detection, EDR offers behavioral analytics, threat hunting, and real-time response capabilities to counter unknown or sophisticated attacks.
Antivirus software protects against malware by detecting and removing known threats based on signature databases. Antivirus is reactive and limited in detecting unknown threats or advanced malware. It does not provide comprehensive monitoring, investigation, or automated response capabilities.
Network firewalls filter traffic entering or leaving network segments based on rules such as IP addresses, ports, and protocols. Firewalls prevent unauthorized access but do not monitor endpoint behavior, detect threats on devices, or facilitate response to incidents. They operate at the network layer rather than the device level.
Data Loss Prevention (DLP) protects sensitive information by monitoring, detecting, and preventing unauthorized data transfer. While DLP is crucial for preventing data breaches, it does not analyze endpoint behaviors for malicious activity or respond to security incidents.
EDR is a cornerstone of modern cybersecurity strategies. It integrates prevention, detection, and response, allowing organizations to proactively identify threats, contain infections, and perform root cause analysis. EDR enhances situational awareness, supports incident response workflows, and provides visibility into endpoint environments. Organizations benefit from EDR by reducing the dwell time of attackers, mitigating potential damage, and strengthening their overall security posture. EDR tools are particularly important in environments with remote endpoints, cloud integration, or sophisticated adversaries employing stealth techniques.
Question 80:
Which security control prevents unauthorized access to sensitive resources based on identity and policy?
A) Access control
B) Data encryption
C) Antivirus software
D) Security awareness training
Answer: A) Access control
Explanation:
Access control is a security mechanism that restricts access to resources based on the identity of the user or system and predefined policies. Access control ensures that only authorized individuals or devices can access sensitive data, systems, applications, or network segments. Policies may be role-based, attribute-based, discretionary, or mandatory, defining what actions users are permitted to perform. Access control enforces the principle of least privilege by granting only the minimum necessary access to perform job functions. Effective access control prevents unauthorized users from reading, modifying, or deleting critical information, reducing the risk of insider threats, data breaches, and unauthorized activity.
Data encryption protects information by converting it into an unreadable format without the proper decryption key. While encryption ensures confidentiality, it does not control who can access the encrypted data. Access control is complementary to encryption, providing identity-based enforcement in addition to data protection.
Antivirus software detects, prevents, and removes malicious software. While antivirus software protects devices from malware, it does not determine access rights to resources based on identity or policies. It is a preventive measure against threats rather than a mechanism for controlling access.
Security awareness training educates employees on safe computing practices, phishing recognition, and organizational policies. Training reduces human risk but does not enforce access restrictions or manage identity-based permissions. Awareness complements access control but cannot replace it.
Access control is fundamental to maintaining secure operations within an organization. It integrates with identity management, authentication, and monitoring systems to provide a comprehensive approach to resource protection. Organizations implement access control policies to meet regulatory requirements, prevent data breaches, and enforce segregation of duties. Access control mechanisms can be automated through directory services, role assignments, and policy engines, ensuring consistency and reducing administrative overhead. Combined with auditing and monitoring, access control supports accountability and strengthens the overall security posture of the organization.
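The following is an added example, not part of the original question set: a small role-based access control engine that grants only the permissions each role needs, enforces a segregation-of-duties rule at role assignment time, denies by default for unknown users or actions, and records every decision for auditing. The roles, permissions, conflict pair and user names are constructed for the demonstration.

```python
from collections import defaultdict

# Role -> set of (action, resource type). Least privilege: each role carries only
# what its job function needs. Constructed example roles.
ROLE_PERMISSIONS = {
    "helpdesk":          {("read", "ticket"), ("update", "ticket")},
    "payments-clerk":    {("read", "invoice"), ("create", "payment")},
    "payments-approver": {("read", "invoice"), ("approve", "payment")},
    "auditor":           {("read", "invoice"), ("read", "payment"), ("read", "audit-log")},
}

# Role pairs no single identity may hold at once (segregation of duties).
SOD_CONFLICTS = {frozenset({"payments-clerk", "payments-approver"})}


class AccessControl:
    def __init__(self):
        self.user_roles = defaultdict(set)
        self.audit_log = []   # (user, action, resource_type, decision)

    def assign_role(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        for conflict in SOD_CONFLICTS:
            if role in conflict and (conflict - {role}) & self.user_roles[user]:
                raise PermissionError(f"segregation-of-duties conflict: {user} cannot hold {role}")
        self.user_roles[user].add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles[user].discard(role)

    def is_allowed(self, user: str, action: str, resource_type: str) -> bool:
        """Default deny: permitted only if some role held by the user grants the action."""
        roles = self.user_roles.get(user, set())
        allowed = any((action, resource_type) in ROLE_PERMISSIONS[r] for r in roles)
        self.audit_log.append((user, action, resource_type, "permit" if allowed else "deny"))
        return allowed


if __name__ == "__main__":
    ac = AccessControl()
    ac.assign_role("bob", "payments-clerk")
    ac.assign_role("carol", "payments-approver")
    print(ac.is_allowed("bob", "create", "payment"))    # True
    print(ac.is_allowed("bob", "approve", "payment"))   # False: clerks cannot approve
    try:
        ac.assign_role("bob", "payments-approver")      # blocked by segregation of duties
    except PermissionError as exc:
        print(exc)
    for entry in ac.audit_log:
        print(entry)
```

Keeping the decision in one function and writing every permit and deny to the audit log is what ties access control to the accountability mentioned above: the log shows who attempted what, and the policy shows why it was allowed or refused.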