CompTIA PenTest+ PT0-003 Exam Dumps and Practice Test Questions Set 5 Q81-100
Question 81:
Which security measure monitors user activities, system events, and network traffic to detect anomalies and potential threats?
A) Security Information and Event Management (SIEM)
B) Antivirus software
C) Data Loss Prevention (DLP)
D) Network firewall
Answer: A) Security Information and Event Management (SIEM)
Explanation:
Security Information and Event Management (SIEM) is a comprehensive security solution that collects, aggregates, analyzes, and correlates log and event data from various sources across an organization’s IT environment. This includes system logs, network devices, endpoints, applications, and cloud services. SIEM solutions provide real-time monitoring, historical analysis, and alerting capabilities, helping security teams identify anomalies, suspicious behavior, or potential breaches. SIEM uses correlation rules, machine learning, and threat intelligence feeds to detect patterns indicative of cyberattacks, insider threats, or policy violations. By centralizing security data, SIEM improves visibility, reduces response times, and supports compliance with regulatory frameworks such as PCI DSS, HIPAA, and GDPR.
Antivirus software detects, prevents, and removes known malware threats from endpoints. While antivirus is critical for basic protection, it focuses on malware signatures and does not provide centralized monitoring, correlation of events, or proactive detection of complex attack patterns. Antivirus operates at the device level rather than aggregating enterprise-wide data.
Data Loss Prevention (DLP) monitors and enforces policies to prevent the unauthorized transmission of sensitive information. DLP is concerned with protecting data confidentiality and integrity but does not monitor broad system events or correlate user behavior and network activity for security analysis. While DLP can detect potential policy violations, it does not offer the same event correlation and alerting capabilities as SIEM.
Network firewalls control network traffic based on predefined rules such as IP addresses, ports, and protocols. Firewalls enforce perimeter security and prevent unauthorized access but are limited in their ability to monitor internal activities or analyze event data across multiple systems. Firewalls operate at the network level and do not provide centralized analysis of security events across the entire organization.
SIEM solutions offer multiple benefits. They enable proactive threat detection by identifying abnormal patterns such as repeated failed logins, unusual file access, or unexpected network connections. Security analysts can investigate incidents more efficiently with dashboards, automated alerts, and forensic tools that consolidate information from different sources. SIEM supports compliance reporting by providing auditable records and continuous monitoring aligned with security policies. Integration with threat intelligence feeds enhances the ability to detect known attack indicators and emerging threats. SIEM also facilitates incident response by providing actionable insights and correlating events to determine root causes and affected systems. Organizations often pair SIEM with automation and orchestration platforms to accelerate responses, contain threats, and remediate vulnerabilities. By providing comprehensive visibility, SIEM strengthens overall security posture and reduces the likelihood of undetected breaches or prolonged exposure to attacks.
Question 82:
Which type of malware restricts access to files or systems until a ransom is paid?
A) Ransomware
B) Rootkit
C) Trojan horse
D) Adware
Answer: A) Ransomware
Explanation:
Ransomware is malicious software that encrypts files, locks systems, or otherwise restricts access to critical resources until the victim pays a ransom, typically in cryptocurrency. Attackers often deliver ransomware through phishing emails, malicious attachments, drive-by downloads, or exploiting software vulnerabilities. Once executed, ransomware encrypts data using strong algorithms and displays a ransom note demanding payment with instructions for decryption. Ransomware can target individuals, organizations, and even critical infrastructure, causing financial loss, operational disruption, and reputational damage. Organizations often implement backup strategies, incident response plans, and endpoint protection measures to mitigate ransomware risk and recover without paying the ransom.
Rootkits are designed to hide their presence and maintain persistent unauthorized access on a system. They often operate stealthily at the kernel or firmware level, evading detection by antivirus or monitoring tools. While rootkits can facilitate further attacks, including ransomware deployment, their primary function is stealth and persistence, not demanding ransom payments or encrypting files.
Trojan horses disguise themselves as legitimate software to trick users into installing them. Trojans can deliver additional malware such as ransomware or rootkits, but they are primarily delivery mechanisms based on deception rather than directly encrypting or locking files for ransom.
Adware displays unwanted advertisements and may track user behavior to generate revenue. Adware is generally intrusive but does not encrypt files or demand payment. Its impact is primarily on user experience rather than operational disruption or data ransom.
Ransomware attacks are particularly damaging because they combine technical exploitation with psychological manipulation, leveraging urgency and fear to coerce victims into paying. Organizations mitigate ransomware risk through multiple layers: maintaining regular, isolated backups; employing strong endpoint protection and EDR solutions; keeping software updated; conducting employee security training; and implementing network segmentation to prevent lateral movement. Rapid detection, containment, and response are critical to minimize impact. By understanding ransomware attack vectors and maintaining proactive defenses, organizations can reduce the likelihood of successful infections and recover data efficiently.
Question 83:
Which security control enforces organizational policies for device access before granting network connectivity?
A) Network Access Control (NAC)
B) Antivirus software
C) Data Loss Prevention (DLP)
D) Security awareness training
Answer: A) Network Access Control (NAC)
Explanation:
Network Access Control (NAC) is a security solution that enforces policies governing whether devices are permitted to connect to an organization’s network. NAC evaluates device health, compliance with security standards, and user identity before granting access. Devices failing to meet criteria may be denied access, quarantined, or redirected to remediation resources. NAC helps prevent unauthorized devices, unpatched endpoints, or compromised systems from introducing vulnerabilities into the network. By controlling access at the network perimeter or at segment boundaries, NAC reduces the likelihood of lateral movement, malware propagation, and unauthorized data access.
Antivirus software detects and removes malware but does not enforce compliance-based network access. Antivirus protects individual devices rather than controlling connectivity based on policy or identity.
Data Loss Prevention (DLP) monitors and restricts sensitive data transfers but does not control which devices can access the network. DLP is information-centric, whereas NAC is network- and device-centric.
Security awareness training educates users on safe computing practices, phishing recognition, and compliance requirements. Training improves human behavior but does not enforce network access controls or prevent non-compliant devices from connecting.
NAC solutions provide multiple benefits. They enforce endpoint compliance, integrate with directory services, support BYOD (bring your own device) programs, and facilitate policy-based segmentation. NAC can dynamically assign network privileges based on device type, location, or user role. It also provides visibility into connected devices, helping administrators identify rogue or unmanaged endpoints. Implementing NAC strengthens overall network security by ensuring that only trusted, compliant devices access organizational resources. Combined with monitoring, authentication, and threat detection, NAC reduces exposure to security incidents and supports compliance with industry regulations.
Question 84:
Which method ensures only authorized users can perform specific actions or access particular resources?
A) Authorization
B) Authentication
C) Encryption
D) Multi-factor authentication (MFA)
Answer: A) Authorization
Explanation:
Authorization is the process of determining what actions an authenticated user is permitted to perform and which resources they may access. Once identity is verified through authentication, authorization controls enforce permissions, roles, or policies to ensure users operate within their allowed scope. Authorization ensures that sensitive data, applications, and system functions are accessed only by appropriate personnel and supports the principle of least privilege. This prevents unauthorized modification, deletion, or disclosure of information and reduces the risk of insider threats or misuse. Authorization mechanisms can be role-based, attribute-based, discretionary, or mandatory, depending on organizational requirements.
Authentication verifies identity but does not determine what the authenticated user is allowed to do. Authorization is complementary to authentication; without authorization, identity verification alone cannot prevent unauthorized actions.
Encryption protects data confidentiality by encoding information so that only users with the correct keys can read it. While encryption secures data, it does not define what an authenticated user may do with the data or resources. Authorization ensures that even decrypted data is accessed only according to policy.
Multi-factor authentication (MFA) strengthens authentication by requiring multiple forms of verification but does not determine access privileges or permissions. MFA ensures that identity is verified robustly but does not control actions or resource access.
Authorization is critical for enforcing organizational policies, compliance, and security standards. It integrates with identity and access management systems to provide consistent access enforcement across applications, cloud services, and internal systems. Properly implemented authorization reduces security risks, prevents data breaches, and ensures accountability. Organizations often combine authorization with auditing and monitoring to detect policy violations and enforce governance. Effective authorization policies consider roles, attributes, contextual factors, and risk-based criteria, enabling fine-grained control over access and actions while maintaining operational efficiency and security posture.
Question 85:
Which technology secures email communications by encrypting messages and validating sender identity?
A) Secure/Multipurpose Internet Mail Extensions (S/MIME)
B) Antivirus software
C) Data Loss Prevention (DLP)
D) Network Access Control (NAC)
Answer: A) Secure/Multipurpose Internet Mail Extensions (S/MIME)
Explanation:
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a protocol used to secure email communications by providing encryption and digital signatures. Encryption ensures that email content remains confidential and is accessible only to the intended recipient. Digital signatures validate the sender’s identity, ensuring message integrity and authenticity. S/MIME relies on public key infrastructure (PKI) certificates to encrypt messages and verify signatures. Users with S/MIME-enabled email clients can send encrypted emails, preventing unauthorized interception or tampering. S/MIME also helps organizations meet compliance requirements for protecting sensitive communications, including personal data, financial records, or intellectual property.
Antivirus software protects against malware and malicious attachments but does not provide encryption or sender validation for emails. Antivirus ensures that messages are safe but does not enforce confidentiality or authenticity of email content.
Data Loss Prevention (DLP) monitors email traffic for sensitive information and can prevent unauthorized transmission. DLP is information-centric and can complement S/MIME but does not inherently encrypt emails or verify sender identity. DLP focuses on policy enforcement rather than secure communication.
Network Access Control (NAC) enforces policies for device access to networks. NAC does not secure email content, encrypt messages, or validate sender identity. It is network-focused rather than communication-focused.
S/MIME is widely adopted in enterprises and government environments to ensure secure email exchange. By combining encryption and digital signatures, it protects against eavesdropping, tampering, and spoofing. Implementation involves configuring email clients, obtaining PKI certificates, and managing key lifecycles. S/MIME integration with DLP, email gateways, and monitoring solutions enhances security posture, ensuring that sensitive messages are protected while maintaining accountability and regulatory compliance. Proper training and awareness for users are also essential to maximize the benefits of S/MIME, ensuring consistent encryption and signature validation for all sensitive communications.
Question 86:
Which type of attack exploits weaknesses in software or operating systems to gain unauthorized access?
A) Exploit
B) Phishing
C) Password spraying
D) Cross-site scripting (XSS)
Answer: A) Exploit
Explanation:
An exploit is a piece of code, program, or technique designed to take advantage of a vulnerability in software, applications, or operating systems. Exploits can allow attackers to bypass security controls, gain unauthorized access, execute arbitrary code, escalate privileges, or cause system instability. Vulnerabilities exploited may result from coding errors, misconfigurations, unpatched software, or architectural weaknesses. Exploits are often categorized based on the type of vulnerability, such as buffer overflows, SQL injection, or zero-day vulnerabilities. Exploits are a critical component of cyberattacks and are frequently used in combination with other attack vectors, such as phishing, malware delivery, or privilege escalation, to achieve broader objectives. Security testing, patch management, and proactive vulnerability scanning are essential to mitigate the risk of exploits.
Phishing is a social engineering attack that deceives users into providing sensitive information or credentials. While phishing may deliver an exploit payload, it does not inherently take advantage of software vulnerabilities. Phishing targets human behavior rather than technical flaws in software.
Password spraying involves attempting commonly used passwords across many accounts to gain unauthorized access. It is a credential-based attack, relying on weak passwords and predictable human behavior, not on exploiting software vulnerabilities. Password spraying exploits authentication weaknesses rather than technical flaws in systems.
Cross-site scripting (XSS) attacks inject malicious scripts into web pages for execution in users’ browsers. XSS targets web application vulnerabilities to manipulate client-side behavior, steal sessions, or redirect users. While XSS is a type of software vulnerability exploitation, the broader category of exploits includes server-side vulnerabilities, OS flaws, and application weaknesses beyond client-side scripting attacks.
Exploits are central to many advanced attacks because they allow unauthorized access without relying solely on human error or weak credentials. Effective mitigation involves maintaining up-to-date patches, conducting vulnerability assessments, performing penetration testing, and monitoring for abnormal activity indicative of exploitation attempts. Organizations often combine exploit mitigation with endpoint protection, intrusion detection, and threat intelligence to proactively identify and neutralize potential attacks. Exploits can be leveraged to deploy malware, ransomware, or backdoors, making early detection and remediation critical for maintaining system integrity and security posture. Understanding exploit vectors, the vulnerabilities they target, and their potential impact helps organizations prioritize defenses and reduce attack surfaces. Security policies, user training, network segmentation, and layered defense strategies collectively reduce the likelihood of successful exploitation and minimize potential damage.
Question 87:
Which security control detects and prevents the transmission of sensitive data outside an organization?
A) Data Loss Prevention (DLP)
B) Firewall
C) Antivirus software
D) Multi-factor authentication (MFA)
Answer: A) Data Loss Prevention (DLP)
Explanation:
Data Loss Prevention (DLP) is a security control designed to monitor, detect, and prevent the unauthorized transmission of sensitive information. DLP solutions can be implemented on endpoints, networks, and cloud services to identify data that should not leave the organization. Sensitive data may include personal information, financial records, intellectual property, trade secrets, or regulatory-protected information. DLP solutions use pattern matching, contextual analysis, and policy rules to detect sensitive content in emails, file transfers, cloud storage, or removable media. When a violation is detected, DLP can block, quarantine, alert, or encrypt the data to prevent exposure. DLP helps organizations meet regulatory compliance requirements such as GDPR, HIPAA, and PCI DSS.
Firewalls control network traffic based on predefined rules such as IP addresses, ports, and protocols. Firewalls are primarily network-focused and prevent unauthorized access, but they do not inspect the content of data for sensitivity or enforce data protection policies. Firewalls cannot prevent authorized users from transmitting sensitive data inappropriately.
Antivirus software detects, prevents, and removes malware from endpoints. While antivirus protects systems from infections, it does not monitor or control the transmission of sensitive data. Antivirus solutions do not enforce information handling policies or detect policy violations.
Multi-factor authentication (MFA) strengthens user authentication by requiring multiple verification factors. MFA ensures that only legitimate users gain access but does not control what data users can transmit once authenticated. MFA is identity-focused rather than data-focused.
DLP provides proactive control over data security by identifying and enforcing policies regarding sensitive information. DLP can be configured to monitor emails, cloud applications, network traffic, and endpoints, preventing accidental or intentional data leakage. By combining content inspection, contextual analysis, and user behavior monitoring, DLP enables organizations to mitigate risks of data breaches, regulatory violations, and reputational damage. Effective DLP programs integrate with identity management, email security, encryption, and security monitoring systems. Employee awareness, policy definition, and incident response workflows enhance DLP effectiveness. DLP also allows organizations to enforce least privilege principles, ensuring that users only access and transmit data appropriate for their roles. Continuous policy updates and monitoring ensure that DLP remains effective in adapting to evolving business needs and threat landscapes.
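Pattern matching combined with contextual analysis, as the explanation above describes, in an added Python example that is not from the original page: a minimal DLP content check that finds card-number-like digit runs, discards Luhn-invalid ones, weighs nearby card vocabulary, and maps the result to a block, quarantine, alert or allow decision. The internal domain, keyword list and sample messages are assumptions made for this example.

```python
import re

# Assumed internal mail domain for this example; any other domain counts as external.
INTERNAL_DOMAIN = "corp.example"

# 13-19 digits with optional single spaces or hyphens between them, not embedded in a
# longer digit run. This alone over-matches, so every hit is Luhn-checked afterwards.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
CONTEXT_WORDS = ("card", "visa", "mastercard", "amex", "cvv", "expir")


def luhn_valid(number):
    """Luhn mod-10 check that real card numbers pass and most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return (digits, confidence) for every Luhn-valid card-number-like match."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
            continue
        # Contextual analysis: card vocabulary within 40 characters raises confidence.
        nearby = text[max(0, m.start() - 40): m.end() + 40].lower()
        confidence = "high" if any(w in nearby for w in CONTEXT_WORDS) else "medium"
        findings.append((digits, confidence))
    return findings


def classify(message):
    """Apply the policy to one outbound message; returns (action, findings)."""
    findings = find_pans(message["body"])
    if not findings:
        return "allow", findings
    internal = message["to"].lower().endswith("@" + INTERNAL_DOMAIN)
    if internal:
        return "alert", findings          # permitted, but logged for review
    if any(conf == "high" for _, conf in findings):
        return "block", findings          # confident PAN leaving the organization
    return "quarantine", findings         # possible PAN; hold for human review


# Constructed sample messages; the card numbers are publicly known test numbers.
SAMPLE_MESSAGES = [
    {"to": "partner@example.net",
     "body": "Please charge my Visa card 4111 1111 1111 1111, exp 09/27."},
    {"to": "ops@corp.example",
     "body": "Customer card 4012-8888-8888-1881 was disputed, see ticket."},
    {"to": "vendor@example.net",
     "body": "Reference order 1234567890123456 shipped this morning."},
    {"to": "vendor@example.net",
     "body": "Ticket 4111111111111111 please review when you can."},
]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(classify(msg))
```

The third message shows why the Luhn step matters: a 16-digit order number that fails the checksum is allowed through instead of raising a false positive.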
Question 88:
Which attack involves repeated attempts to guess passwords for a single account until successful?
A) Brute force attack
B) Password spraying
C) Phishing
D) SQL injection
Answer: A) Brute force attack
Explanation:
A brute force attack is a method where an attacker systematically attempts every possible password or key combination to gain unauthorized access to a specific account or encrypted data. Brute force attacks can target user accounts, network devices, applications, or encrypted files. The effectiveness of a brute force attack depends on password complexity, system rate-limiting, and account lockout policies. Attackers often automate brute force attacks using software tools that generate large numbers of combinations rapidly. While computationally intensive, brute force attacks can succeed against weak or short passwords, making strong password policies, multi-factor authentication, and account lockout mechanisms essential defenses.
Password spraying attacks target multiple accounts using a small set of commonly used passwords, keeping the number of attempts per account low enough to avoid triggering lockouts. Unlike brute force, which focuses on one account exhaustively, password spraying distributes attempts across users to increase chances of success without triggering security mechanisms.
Phishing attacks rely on social engineering to trick users into revealing credentials or sensitive information. Phishing targets human behavior and trust rather than using systematic password guessing. While phishing may lead to account compromise, it is not a brute-force technical attack.
SQL injection attacks manipulate web application queries to access or modify backend databases. SQL injection exploits coding vulnerabilities in applications rather than attempting repeated password guesses. It focuses on data access rather than password cracking.
Brute force attacks are particularly effective against weak passwords and systems without account lockout policies. Organizations mitigate brute force risks by enforcing strong password complexity, implementing multi-factor authentication, and monitoring for repeated failed login attempts. Rate-limiting login attempts, CAPTCHA challenges, and lockout policies reduce exposure to brute force attacks. Brute force is often used as part of credential stuffing campaigns or combined with other attacks to gain further access. Monitoring and logging authentication activity help detect ongoing brute force attempts, enabling timely response and system hardening. Organizations must balance usability and security to prevent brute force exploitation while maintaining smooth user experience.
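The correlation rules SIEM applies to repeated failed logins (Question 81) and the brute-force versus password-spraying distinction explained above, worked through as an added Python example that is not part of the original page: two rules run over a constructed sshd-style log. The log format, field names, thresholds and addresses are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log in an sshd-like format invented for this
# example. 203.0.113.5 hammers one account (brute force); 198.51.100.7 tries six
# accounts twice each (password spraying); 192.0.2.10 is a user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth FAILED user=alice src=203.0.113.5
2024-03-01T08:00:02 auth FAILED user=alice src=203.0.113.5
2024-03-01T08:00:03 auth FAILED user=alice src=203.0.113.5
2024-03-01T08:00:04 auth FAILED user=alice src=203.0.113.5
2024-03-01T08:00:05 auth FAILED user=alice src=203.0.113.5
2024-03-01T08:00:06 auth FAILED user=alice src=203.0.113.5
2024-03-01T08:01:00 auth FAILED user=bob src=198.51.100.7
2024-03-01T08:01:05 auth FAILED user=carol src=198.51.100.7
2024-03-01T08:01:10 auth FAILED user=dave src=198.51.100.7
2024-03-01T08:01:15 auth FAILED user=erin src=198.51.100.7
2024-03-01T08:01:20 auth FAILED user=frank src=198.51.100.7
2024-03-01T08:01:25 auth FAILED user=grace src=198.51.100.7
2024-03-01T08:02:00 auth FAILED user=bob src=198.51.100.7
2024-03-01T08:02:05 auth FAILED user=carol src=198.51.100.7
2024-03-01T08:03:00 auth FAILED user=heidi src=192.0.2.10
2024-03-01T08:03:10 auth OK user=heidi src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=10)
BRUTE_FORCE_FAILURES = 5   # failures against ONE account inside WINDOW
SPRAY_DISTINCT_USERS = 4   # distinct accounts failed from ONE source inside WINDOW


def parse_events(log_text):
    """Return time-sorted (timestamp, user, src) tuples for failed logins only."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "FAILED":
            continue  # a real SIEM would route unparsed lines to a parse-error bucket
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    events.sort()
    return events


def window_slices(events, window):
    """Yield each run of consecutive events that starts at one event and fits in window."""
    for i, (start, _user, _src) in enumerate(events):
        j = i
        while j < len(events) and events[j][0] - start <= window:
            j += 1
        yield events[i:j]


def detect(log_text, window=WINDOW):
    """Apply two correlation rules and return what each one flags."""
    by_user = defaultdict(list)
    by_src = defaultdict(list)
    for ev in parse_events(log_text):
        by_user[ev[1]].append(ev)
        by_src[ev[2]].append(ev)

    # Rule 1 (brute force): at least N failures against a single account in the
    # window. This is the same condition a per-account lockout policy enforces.
    brute = sorted(
        user for user, evs in by_user.items()
        if any(len(s) >= BRUTE_FORCE_FAILURES for s in window_slices(evs, window))
    )
    # Rule 2 (password spraying): one source fails against at least M distinct
    # accounts in the window. Each account stays below rule 1's threshold, which
    # is why per-account lockout alone never sees this pattern.
    spray = sorted(
        src for src, evs in by_src.items()
        if any(len({e[1] for e in s}) >= SPRAY_DISTINCT_USERS
               for s in window_slices(evs, window))
    )
    return {"brute_force_accounts": brute, "spraying_sources": spray}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```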
Question 89:
Which solution manages and enforces security policies on devices, applications, and endpoints?
A) Microsoft Intune
B) Microsoft OneDrive
C) Microsoft Planner
D) Microsoft Defender for Identity
Answer: A) Microsoft Intune
Explanation:
Microsoft Intune is a cloud-based endpoint management solution that enables organizations to manage devices, applications, and security policies across their IT environment. Intune supports mobile device management (MDM) and mobile application management (MAM), allowing administrators to enforce security configurations, deploy applications, and ensure compliance. Policies can include password requirements, encryption enforcement, conditional access, application control, and device health checks. Intune integrates with Azure Active Directory and other Microsoft 365 services to provide centralized management and support hybrid and cloud environments. By controlling devices and applications, Intune ensures that only compliant and secure endpoints access corporate resources, reducing risks of data breaches or unauthorized access.
Microsoft OneDrive is a cloud storage platform that provides file access, sharing, and synchronization capabilities. OneDrive protects data through storage encryption and access controls but does not manage devices or enforce security policies across endpoints. OneDrive is focused on file storage rather than endpoint security management.
Microsoft Planner is a task and project management tool designed for collaboration and workflow organization. Planner does not provide security policy enforcement or endpoint management functionality. It helps teams manage work but does not address device compliance or security configuration.
Microsoft Defender for Identity is a cloud-based security solution that monitors Microsoft 365 accounts and Active Directory for suspicious activity, behavioral anomalies, and potential account compromise. Defender for Identity focuses on identity security and threat detection rather than policy enforcement on endpoints and devices.
Intune provides comprehensive endpoint management and security enforcement. By applying configuration profiles, compliance policies, and conditional access rules, Intune ensures devices meet organizational requirements before granting access. Administrators can manage Windows, macOS, iOS, Android, and mobile applications, providing centralized reporting and monitoring of device health. Intune also integrates with security monitoring and analytics tools to identify non-compliant or risky devices, trigger remediation workflows, and enforce policies consistently across diverse environments. Its cloud-based architecture allows organizations to scale management, support remote workforces, and maintain regulatory compliance while reducing administrative overhead. Intune strengthens organizational security posture by combining management, monitoring, and policy enforcement in a single platform.
Question 90:
Which authentication method grants users access to multiple applications with a single login?
A) Single sign-on (SSO)
B) Multi-factor authentication (MFA)
C) Password-only authentication
D) Certificate-based authentication
Answer: A) Single sign-on (SSO)
Explanation:
Single sign-on (SSO) is an authentication method that allows users to access multiple applications or systems with a single set of credentials. SSO simplifies user experience by reducing the need to remember multiple passwords and streamlines access across cloud services, enterprise applications, and internal systems. By centralizing authentication, SSO improves productivity, reduces password fatigue, and minimizes the risk of weak or reused passwords. SSO is often integrated with identity providers, directory services, and federated authentication protocols such as SAML, OAuth, or OpenID Connect to securely manage access across systems.
Multi-factor authentication (MFA) strengthens authentication by requiring two or more verification factors, such as a password plus a hardware token or biometric factor. MFA focuses on identity verification and security rather than providing a unified login across multiple applications. While MFA can be combined with SSO, it is not a method for consolidating access.
Password-only authentication relies solely on a static password for access. Password-only authentication does not provide centralized access to multiple applications and is vulnerable to credential theft, reuse, or brute-force attacks. It is a basic authentication method rather than a convenience and security solution like SSO.
Certificate-based authentication uses digital certificates to verify identity, often for devices or users. Certificates provide strong authentication but do not inherently grant access to multiple applications with a single login. Certificate-based authentication is a technical verification method rather than a cross-application login convenience.
SSO enhances both usability and security by centralizing authentication management, reducing credential exposure, and integrating with access control policies, conditional access, and identity monitoring. It is widely adopted in enterprise and cloud environments, supporting single credential management while enabling secure access to diverse resources. Organizations benefit from SSO by improving workflow efficiency, simplifying IT support, and enforcing consistent authentication policies across multiple platforms. Proper implementation of SSO includes secure identity providers, integration with MFA, and monitoring for unauthorized access attempts, ensuring both convenience and security.
Question 91:
Which attack manipulates input to a web application to execute unintended commands on the backend database?
A) SQL injection
B) Cross-site scripting (XSS)
C) Man-in-the-middle (MITM)
D) Phishing
Answer: A) SQL injection
Explanation:
SQL injection is a web application attack where malicious SQL statements are injected into input fields, URLs, or cookies to manipulate backend database queries. Attackers exploit insufficient input validation or queries built from user input without parameterization. Successful SQL injection can allow unauthorized data access, modification, or deletion, as well as bypass authentication controls. SQL injection can lead to data breaches, loss of integrity, and potential compromise of application servers. Attackers often combine SQL injection with other techniques to escalate privileges, gain remote code execution, or install persistent backdoors.
Cross-site scripting (XSS) attacks inject malicious scripts into web pages that execute in the victim’s browser. XSS focuses on client-side code execution and user session hijacking rather than manipulating server-side database queries. XSS exploits trust between the user and the application, whereas SQL injection exploits the trust between the application and its database.
Man-in-the-middle (MITM) attacks intercept or modify communications between two parties. MITM focuses on confidentiality and integrity of data in transit, not on backend database manipulation. MITM can be mitigated with encryption and secure channels but does not exploit database vulnerabilities like SQL injection.
Phishing relies on social engineering to trick users into revealing credentials or sensitive data. Phishing targets human behavior rather than software vulnerabilities or database queries. It does not directly manipulate web application logic or data storage.
SQL injection is particularly dangerous due to its ability to compromise the database layer, bypass authentication, extract sensitive information, and potentially compromise the underlying system. Mitigation involves parameterized queries, prepared statements, input validation, stored procedures, and proper error handling. Organizations should conduct regular code reviews, penetration testing, and vulnerability scanning to detect SQL injection risks. Web application firewalls (WAFs) can provide additional protection by filtering malicious inputs. Understanding the mechanics of SQL injection, combined with secure development practices and monitoring, allows organizations to prevent database compromise, maintain data integrity, and protect sensitive information from unauthorized access.
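The vulnerable pattern and its parameterized fix side by side, as an added Python example that is not taken from the page: both login functions run the same inputs against an in-memory SQLite table, and only the concatenated query is bypassed. The function names, table layout and the placeholder hash value are assumptions made for this example.

```python
import sqlite3


def make_db():
    """In-memory database with one user; 'h-alice' stands in for a real password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'h-alice')")
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the statement by concatenation, so input text becomes part of the SQL."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password_hash):
    """Uses placeholders: the driver binds values separately and never parses them as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


def compare(conn):
    """Run the same inputs through both functions and report who lets whom in."""
    tautology = "' OR '1'='1"   # closes the quoted literal and appends an always-true clause
    return {
        "valid_creds_vulnerable": login_vulnerable(conn, "alice", "h-alice"),
        "valid_creds_parameterized": login_parameterized(conn, "alice", "h-alice"),
        "wrong_password_parameterized": login_parameterized(conn, "alice", "wrong"),
        "tautology_vulnerable": login_vulnerable(conn, "alice", tautology),
        "tautology_parameterized": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for name, outcome in compare(make_db()).items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

With the parameterized query the injected text is compared as a literal password hash and simply fails to match, which is the whole point of separating code from data.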
Question 92:
Which security control provides real-time monitoring, alerts, and remediation capabilities for endpoints?
A) Endpoint Detection and Response (EDR)
B) Antivirus software
C) Firewall
D) Network Access Control (NAC)
Answer: A) Endpoint Detection and Response (EDR)
Explanation:
Endpoint Detection and Response (EDR) is a security technology that continuously monitors endpoint devices for suspicious activity, malicious behavior, and policy violations. EDR collects telemetry from processes, files, network activity, and system events to detect anomalies and emerging threats. When malicious activity is identified, EDR can generate real-time alerts, isolate affected endpoints, terminate malicious processes, and support forensic investigation. EDR provides a proactive and responsive approach to endpoint security, complementing traditional antivirus solutions by detecting unknown or sophisticated threats that signature-based antivirus may miss.
Antivirus software detects and removes known malware using signature-based detection. While antivirus is effective against recognized threats, it lacks the behavioral analysis, threat hunting, and real-time response capabilities provided by EDR. Antivirus is reactive, whereas EDR offers proactive monitoring and investigation.
Firewalls enforce network security by filtering incoming and outgoing traffic based on rules. Firewalls primarily focus on perimeter protection and do not provide comprehensive endpoint monitoring or threat remediation. They are limited to controlling traffic flow rather than analyzing endpoint behavior or responding to detected threats.
Network Access Control (NAC) enforces policies to determine whether devices can access a network based on compliance, configuration, and health status. While NAC restricts access to unauthorized or non-compliant devices, it does not monitor ongoing behavior or provide response capabilities to detected threats.
EDR is essential for modern cybersecurity strategies because endpoints are often targeted by attackers using malware, ransomware, or lateral movement techniques. EDR integrates with security operations centers (SOCs) to provide centralized monitoring, investigation tools, and automated response workflows. By analyzing behavior, detecting anomalies, and providing remediation capabilities, EDR reduces dwell time, limits potential damage, and improves overall security posture. It supports incident response, forensic analysis, and threat hunting activities, allowing organizations to identify both active attacks and subtle indicators of compromise. Effective deployment involves continuous monitoring, integration with other security tools, and establishing response policies to mitigate risk promptly and efficiently.
Question 93:
Which authentication method requires two or more verification factors to access a system?
A) Multi-factor authentication (MFA)
B) Single sign-on (SSO)
C) Password-only authentication
D) Certificate-based authentication
Answer: A) Multi-factor authentication (MFA)
Explanation:
Multi-factor authentication (MFA) strengthens security by requiring users to provide two or more verification factors before gaining access. Verification factors typically include something the user knows (password or PIN), something the user has (security token, smart card, or mobile device), and something the user is (biometric identifier such as fingerprint, iris scan, or facial recognition). MFA significantly reduces the risk of unauthorized access resulting from stolen or guessed credentials. Even if a password is compromised, the attacker cannot gain access without the additional verification factor. MFA is widely adopted across enterprise systems, cloud applications, and financial services to protect sensitive data and user accounts and to support regulatory compliance.
Single sign-on (SSO) allows users to access multiple applications with a single set of credentials. SSO focuses on convenience and efficiency rather than enforcing multiple authentication factors. While SSO can integrate with MFA, SSO alone does not provide the layered verification that MFA requires.
Password-only authentication relies on a single password for access. Passwords alone are vulnerable to phishing, credential stuffing, and brute-force attacks. Password-only authentication does not meet the stronger security requirements provided by MFA, leaving systems more exposed to compromise.
Certificate-based authentication uses digital certificates to verify identity. Certificates provide strong authentication but usually constitute a single factor (something the user has), sometimes combined with a password or device trust, rather than multiple independent verification factors. MFA goes beyond certificate-based methods by requiring multiple, distinct forms of verification.
MFA improves overall security by adding multiple layers of protection. It reduces reliance on static credentials, mitigates risks from compromised passwords, and provides auditability for access attempts. Organizations deploying MFA must ensure proper user education, seamless integration with applications, and secure management of authentication factors. Combining MFA with monitoring and incident response enhances security posture by preventing unauthorized access and detecting anomalies in authentication attempts.
Question 94:
Which attack attempts to overload systems or networks to disrupt service availability?
A) Denial of Service (DoS)
B) Phishing
C) SQL injection
D) Man-in-the-middle (MITM)
Answer: A) Denial of Service (DoS)
Explanation:
A Denial of Service (DoS) attack aims to make a network, server, or application unavailable to legitimate users by overwhelming resources. Attackers flood systems with excessive traffic, malformed packets, or requests that consume memory, CPU, or bandwidth. Distributed Denial of Service (DDoS) attacks use multiple compromised systems to amplify impact. The goal is to disrupt service availability, causing operational disruption, financial loss, or reputational damage. Mitigation involves rate limiting, traffic filtering, load balancing, cloud-based DDoS protection, and continuous monitoring to detect abnormal traffic patterns.
Phishing is a social engineering attack that deceives users into providing credentials or sensitive information. Phishing targets human behavior rather than system resources, aiming to compromise accounts or data. Phishing does not directly overload systems or networks to disrupt availability.
SQL injection exploits vulnerabilities in web applications to manipulate database queries. SQL injection targets data access and integrity rather than resource exhaustion or service disruption. While it can lead to data compromise, it is not a DoS attack.
Man-in-the-middle (MITM) attacks intercept or manipulate communications between two parties without their knowledge. MITM targets confidentiality and integrity of transmitted data, not service availability. MITM does not inherently overload systems or networks.
DoS attacks exploit system limitations, making them particularly impactful against web services, applications, or network infrastructure. Continuous monitoring, anomaly detection, and layered mitigation strategies are critical to maintain service availability. Organizations often implement redundant systems, failover mechanisms, and automated defenses to reduce the impact of DoS attacks. Effective detection relies on analyzing traffic patterns, recognizing abnormal activity, and responding quickly to mitigate disruptions. By understanding DoS attack vectors and employing proactive measures, organizations minimize the risk of operational interruptions and maintain business continuity.
Question 95:
Which Microsoft solution monitors Microsoft 365 accounts for suspicious activity and potential account compromise?
A) Microsoft Defender for Identity
B) Microsoft OneDrive
C) Microsoft Planner
D) Microsoft Intune
Answer: A) Microsoft Defender for Identity
Explanation:
Microsoft Defender for Identity is a cloud-based security solution that monitors Microsoft 365 and on-premises Active Directory environments for suspicious activity and potential account compromise. It continuously analyzes user behavior, authentication events, and network activity to detect anomalies such as unusual login attempts, privilege escalation, and lateral movement. Defender for Identity uses machine learning, behavioral analytics, and threat intelligence to identify and alert security teams to potential threats. The solution provides actionable insights and integrates with Microsoft 365 security services to facilitate investigation and remediation.
Microsoft OneDrive is a cloud storage service for file access, sharing, and synchronization. While OneDrive provides encryption and access control for files, it does not monitor user behavior for suspicious activity or account compromise. OneDrive focuses on data storage rather than account security monitoring.
Microsoft Planner is a task and project management tool. Planner helps teams organize work and collaborate but does not offer security monitoring, threat detection, or account protection capabilities. It is a productivity tool rather than a security solution.
Microsoft Intune manages devices, applications, and compliance policies. Intune enforces security policies on endpoints but does not analyze user behavior or detect account compromise in Microsoft 365. Intune focuses on device and application compliance rather than monitoring accounts for suspicious activity.
Defender for Identity provides early detection of account-based threats by collecting telemetry from authentication logs, analyzing behavioral patterns, and generating alerts for suspicious activity. Alerts can trigger investigation workflows, enabling rapid remediation of compromised accounts. By focusing specifically on identity security, Defender for Identity helps prevent data breaches, unauthorized access, and credential theft. Its integration with Microsoft 365 services ensures organizations maintain visibility and control over account security, enhancing overall cybersecurity posture and reducing the risk of account-related threats.
Question 96:
Which attack involves intercepting and altering communications between two parties without their knowledge?
A) Man-in-the-middle (MITM)
B) SQL injection
C) Phishing
D) Denial of Service (DoS)
Answer: A) Man-in-the-middle (MITM)
Explanation:
A Man-in-the-middle (MITM) attack occurs when an attacker secretly intercepts or manipulates communications between two parties. MITM attacks can compromise the confidentiality, integrity, and authenticity of data in transit. Attackers can eavesdrop, modify messages, inject malicious content, or redirect users to fraudulent sites without the parties’ knowledge. Common MITM techniques include ARP spoofing, DNS spoofing, SSL stripping, and Wi-Fi eavesdropping. MITM attacks are especially effective on unencrypted networks or when users ignore certificate warnings.
SQL injection is a web application attack that targets database queries by injecting malicious input. SQL injection focuses on exploiting backend application vulnerabilities to access, modify, or delete data. It does not involve intercepting communication between two parties and operates at the database and application level rather than the network communication level.
Phishing attacks rely on social engineering to trick users into revealing credentials or sensitive information. Phishing targets human behavior and does not intercept or manipulate live communication between two parties. While phishing may lead to credential compromise, it does not function like MITM attacks that intercept data in transit.
Denial of Service (DoS) attacks aim to make systems or networks unavailable to legitimate users by overwhelming resources. DoS does not compromise the content or integrity of communications between parties. Its focus is on service disruption rather than data interception or alteration.
MITM attacks exploit trust between communicating parties. Attackers position themselves between endpoints, often using rogue network devices, compromised routers, or insecure Wi-Fi networks. Encryption, HTTPS, VPNs, and certificate validation are critical defenses against MITM attacks. Organizations implement intrusion detection systems, network monitoring, and public key infrastructure (PKI) to detect and prevent MITM attempts. MITM can lead to credential theft, sensitive data exposure, financial fraud, or session hijacking. Effective mitigation requires a combination of secure protocols, strong encryption, user awareness, and continuous monitoring to prevent interception and maintain confidentiality and integrity in communication channels.
Question 97:
Which type of malware conceals its presence and provides persistent unauthorized access?
A) Rootkit
B) Ransomware
C) Trojan horse
D) Adware
Answer: A) Rootkit
Explanation:
A rootkit is malware designed to hide its presence on a system while providing persistent unauthorized access to attackers. Rootkits often operate at the kernel, firmware, or hypervisor level to evade detection by traditional security tools. They can intercept system calls, hide files or processes, and manipulate logs to conceal malicious activity. Rootkits are frequently used to maintain control over compromised systems, facilitate the installation of additional malware, exfiltrate data, or conduct espionage. Detecting rootkits often requires specialized forensic analysis, integrity checks, or behavior-based monitoring because signature-based antivirus solutions may not identify them.
Ransomware encrypts files or locks systems, demanding payment to restore access. While ransomware causes immediate operational disruption and financial loss, it does not necessarily hide its presence. The attack is overt, displaying ransom notes and instructions.
Trojan horses disguise themselves as legitimate software to trick users into installing malicious code. Trojans often serve as a delivery mechanism for additional malware, such as rootkits or ransomware, but they are not inherently stealthy on their own. Trojans rely on deception rather than concealment at a system level.
Adware displays unwanted advertisements and tracks user behavior for revenue. While intrusive, adware does not typically provide unauthorized persistent access or conceal its presence. Its impact is primarily on user experience and privacy rather than system control.
Rootkits are particularly dangerous because they can maintain long-term control over compromised systems without detection. Attackers can leverage rootkits to exfiltrate sensitive data, create backdoors, or install further malware. Mitigation involves maintaining updated operating systems, deploying behavior-based detection tools, performing integrity checks, and conducting periodic audits. Removing rootkits can be challenging, often requiring system restoration or reinstallation. Organizations must combine preventative measures, such as endpoint protection, least privilege policies, and secure configuration, with monitoring and threat intelligence to reduce the risk of rootkit infections and maintain system integrity.
Question 98:
Which process systematically discovers, evaluates, prioritizes, and mitigates vulnerabilities?
A) Vulnerability management
B) Endpoint Detection and Response (EDR)
C) Data Loss Prevention (DLP)
D) Network Access Control (NAC)
Answer: A) Vulnerability management
Explanation:
Vulnerability management is the ongoing practice of identifying, assessing, prioritizing, and remediating security vulnerabilities across systems, networks, and applications. It begins with vulnerability scanning to detect missing patches, misconfigurations, or software flaws. Each discovered vulnerability is then evaluated for severity, impact, and exploitability. Organizations prioritize remediation based on the risk posed to critical assets and business operations. Vulnerability management involves tracking remediation efforts, validating fixes, and continuously monitoring systems to reduce exposure to potential attacks. The goal is proactive security, identifying weaknesses before they can be exploited.
Endpoint Detection and Response (EDR) provides real-time monitoring, threat detection, and response for endpoints. EDR detects suspicious activity and malware but does not systematically identify and prioritize all vulnerabilities across an organization’s assets. EDR is focused on threat detection and incident response rather than vulnerability lifecycle management.
Data Loss Prevention (DLP) monitors and controls sensitive data to prevent unauthorized disclosure. DLP ensures data security and compliance but does not scan for vulnerabilities or manage the risk posed by software or system flaws. DLP is focused on information protection, not vulnerability remediation.
Network Access Control (NAC) enforces policies to ensure devices meet security requirements before accessing the network. NAC ensures compliance and restricts access but does not systematically evaluate or remediate vulnerabilities across systems. NAC is an access control mechanism rather than a risk management process.
Vulnerability management integrates automated scanning, risk assessment, patch management, and reporting to create a continuous security improvement cycle. Organizations benefit from vulnerability management by reducing attack surfaces, prioritizing resources based on risk, and maintaining compliance with regulatory requirements. It provides metrics to track remediation effectiveness, supports decision-making for security investments, and enhances overall cybersecurity posture. Effective programs combine scanning, patching, threat intelligence, configuration management, and continuous monitoring to reduce exposure to cyber threats. Vulnerability management is foundational for proactive defense, ensuring that known weaknesses do not become entry points for attackers.
Question 99:
Which type of attack tricks users into revealing sensitive information through deceptive communications?
A) Phishing
B) Denial of Service (DoS)
C) SQL injection
D) Brute force attack
Answer: A) Phishing
Explanation:
Phishing is a social engineering attack designed to deceive users into disclosing sensitive information such as login credentials, financial details, or personal data. Phishing typically uses emails, text messages, phone calls, or fraudulent websites to impersonate trusted sources and manipulate victims into taking immediate action. Attackers often create urgency, fear, or curiosity to increase the likelihood of success. Phishing can lead to account compromise, identity theft, financial fraud, or malware installation. Organizations combat phishing through user training, email filtering, awareness campaigns, and multi-factor authentication.
Denial of Service (DoS) attacks overwhelm systems or networks to disrupt availability. DoS does not involve deception to extract sensitive information. Its goal is service disruption rather than obtaining credentials or personal data.
SQL injection targets web application databases by injecting malicious queries. SQL injection exploits technical vulnerabilities in software rather than tricking users. The attack focuses on unauthorized data access or modification through applications, not social engineering.
Brute force attacks attempt to guess passwords by systematically trying multiple combinations. Brute force relies on automation and weak credentials rather than deceiving users into voluntarily providing sensitive information. Brute force is a technical attack on authentication systems, not a social engineering technique.
Phishing is highly effective because it exploits human behavior, trust, and decision-making rather than technical weaknesses alone. Mitigation strategies include email security gateways, threat intelligence, simulated phishing campaigns, and multi-factor authentication to reduce the risk of credential compromise. Awareness and training are essential because even strong technical controls cannot fully eliminate the human factor targeted by phishing attacks.
Question 100:
Which Microsoft 365 solution helps protect accounts from suspicious login attempts and behavioral anomalies?
A) Microsoft Defender for Identity
B) Microsoft Intune
C) Microsoft OneDrive
D) Microsoft Planner
Answer: A) Microsoft Defender for Identity
Explanation:
Microsoft Defender for Identity is a cloud-based security solution that monitors Microsoft 365 and on-premises Active Directory for suspicious login attempts, unusual behavior, and potential account compromise. Defender for Identity collects telemetry from user accounts, analyzes authentication patterns, and detects anomalies such as lateral movement, privilege escalation, or repeated failed logins. The solution provides actionable alerts to security teams for investigation and remediation. By integrating with Azure AD and Microsoft 365 services, Defender for Identity offers proactive threat detection, helping organizations prevent unauthorized access and maintain security posture.
Microsoft Intune manages devices and applications, enforcing compliance and security policies. While Intune ensures endpoints are secure, it does not monitor user behavior or detect suspicious logins in Microsoft 365 accounts. Intune focuses on device management rather than account activity analysis.
Microsoft OneDrive provides cloud storage and file synchronization. OneDrive encrypts data and controls file access but does not monitor accounts for behavioral anomalies or unauthorized login attempts. OneDrive is data-centric, not account security-centric.
Microsoft Planner is a project and task management tool. Planner does not provide security monitoring, threat detection, or behavioral analysis. It is a productivity tool rather than a security solution.
Defender for Identity enables early detection of compromised accounts, abnormal authentication patterns, and suspicious activities. Alerts can trigger investigation workflows, allowing security teams to respond quickly and remediate risks. Its advanced analytics, behavioral monitoring, and integration with other Microsoft security solutions strengthen organizational defenses against identity-based threats. Defender for Identity is specifically designed for monitoring user accounts, providing specialized visibility and protection that complements device management, cloud storage, and productivity tools within the Microsoft 365 ecosystem.