CompTIA PenTest+ PT0-003 Exam Dumps and Practice Test Questions Set 6 Q101-120


Question 101:

Which security protocol encrypts wireless network traffic to protect against eavesdropping?

A) WPA3

B) HTTP

C) FTP

D) Telnet

Answer: A) WPA3

Explanation:

Wi-Fi Protected Access 3 (WPA3) is the latest security protocol designed to encrypt wireless network traffic and enhance protection against unauthorized access. WPA3 replaces WPA2 and provides stronger authentication and key establishment through the use of Simultaneous Authentication of Equals (SAE), which protects against offline password guessing attacks. It also supports forward secrecy, ensuring that past communications remain secure even if encryption keys are compromised in the future. WPA3 includes individualized encryption for open networks, improving privacy for users in public hotspots. WPA3 protects against eavesdropping, mitigates brute-force attacks, and enforces stronger security policies on Wi-Fi networks.

HTTP is an unencrypted protocol used for transferring web content. Communications over HTTP can be intercepted and read by attackers, making it unsuitable for protecting sensitive data. HTTPS, not HTTP, provides encryption for web traffic using SSL/TLS but does not secure Wi-Fi traffic.

FTP (File Transfer Protocol) is used for transferring files between systems. Traditional FTP does not provide encryption, exposing credentials and data to interception. Secure alternatives such as FTPS or SFTP encrypt file transfers, but FTP itself does not protect wireless traffic.

Telnet is a remote terminal protocol that transmits data, including credentials, in plaintext. It is vulnerable to eavesdropping and is generally replaced by secure alternatives such as SSH. Telnet does not provide encryption for wireless networks.

WPA3 strengthens wireless network security by implementing robust encryption, protecting against offline attacks, and ensuring secure authentication. Organizations and individuals deploying WPA3 benefit from enhanced privacy, protection for public networks, and reduced exposure to unauthorized access. WPA3 also supports backward compatibility with WPA2 devices while encouraging migration to stronger security standards. By enforcing stronger passwords and utilizing advanced encryption techniques, WPA3 reduces the risk of interception, credential compromise, and unauthorized network usage. Wireless network administrators can configure WPA3 on access points to require secure authentication, encrypt traffic, and monitor for anomalies. Regular updates, strong password policies, and network segmentation complement WPA3, creating a layered defense for Wi-Fi environments. WPA3 adoption is critical in modern networks, particularly for enterprise, public, and IoT deployments, where unsecured wireless connections can expose sensitive data and facilitate attacks.

Question 102:

Which authentication factor is based on a physical characteristic of a user?

A) Biometric

B) Password

C) Security token

D) Smart card

Answer: A) Biometric

Explanation:

Biometric authentication relies on unique physical or behavioral characteristics of a user to verify identity. Common biometric factors include fingerprints, facial recognition, iris scans, voice recognition, and behavioral patterns such as typing rhythm. Biometric authentication provides a high level of security because physical traits are difficult to duplicate or steal. It is increasingly used in mobile devices, enterprise systems, and secure facilities to enhance identity verification and reduce reliance on passwords. Biometric authentication can be combined with other factors in multi-factor authentication (MFA) schemes to strengthen security further.

Passwords are knowledge-based factors requiring users to remember a secret string. While passwords are widely used, they are vulnerable to guessing, phishing, or credential stuffing attacks. Passwords are not based on a physical trait.

Security tokens are possession-based factors such as one-time password (OTP) generators or hardware tokens. They require the user to have a physical device but are not intrinsic to the user’s physical characteristics. Tokens can be lost or stolen, unlike biometrics, which are inherent to the user.

Smart cards are physical devices containing embedded credentials or certificates. Like tokens, they are possession-based and provide an additional factor of authentication but are not a biometric factor. Smart cards can be lost or stolen, requiring a combination with PINs for secure authentication.

Biometric authentication enhances security and convenience by leveraging unique user traits. It is difficult to replicate, allowing for robust identity verification in high-security environments. Biometric systems often incorporate anti-spoofing mechanisms, liveness detection, and encryption to protect templates and prevent unauthorized use. Privacy considerations and proper storage of biometric data are critical to ensure compliance with regulations and protect sensitive information. Combining biometric authentication with additional factors in MFA provides layered protection, reduces reliance on passwords, and mitigates risks of unauthorized access. Biometric systems are increasingly integrated with mobile devices, access control systems, and enterprise applications, providing seamless authentication while enhancing overall security posture.

Question 103:

Which attack exploits vulnerabilities in web applications to execute malicious scripts in a user’s browser?

A) Cross-site scripting (XSS)

B) SQL injection

C) Brute force attack

D) Denial of Service (DoS)

Answer: A) Cross-site scripting (XSS)

Explanation:

Cross-site scripting (XSS) attacks target vulnerabilities in web applications to inject and execute malicious scripts in a user’s browser. XSS allows attackers to manipulate web content, steal session cookies, hijack accounts, redirect users to malicious sites, or deliver malware. XSS can occur when applications fail to properly validate or sanitize user input, allowing scripts to be embedded in web pages that are later viewed by unsuspecting users. XSS attacks are particularly effective because they exploit trust between the user and the application; since the injected script runs in the victim’s browser, server-side controls may never observe it.

SQL injection is a web application attack that manipulates database queries through user input. SQL injection targets server-side databases, enabling unauthorized data access, modification, or deletion. It does not execute scripts in the client’s browser and focuses on backend vulnerabilities rather than client-side exploitation.

Brute force attacks involve systematically guessing passwords or credentials until access is gained. Brute force is an authentication-focused attack and does not target vulnerabilities in web application code or execute scripts in browsers.

Denial of Service (DoS) attacks overwhelm systems or networks to disrupt availability. DoS focuses on service disruption rather than executing malicious scripts or compromising user sessions. It does not exploit web application vulnerabilities for script execution.

XSS attacks are mitigated through proper input validation, output encoding, use of content security policies (CSP), and secure coding practices. Developers should ensure user input is sanitized, avoid dynamically generating HTML from untrusted sources, and implement frameworks that prevent script injection. Organizations can use web application firewalls (WAFs) and security testing to detect and remediate XSS vulnerabilities before deployment. XSS is a significant threat because it can lead to data theft, session hijacking, and malware distribution while remaining stealthy. Combining secure development practices, testing, and user awareness significantly reduces the risk of successful XSS attacks.

Question 104:

Which method ensures that data cannot be read if intercepted by unauthorized parties?

A) Encryption

B) Authentication

C) Authorization

D) Multi-factor authentication (MFA)

Answer: A) Encryption

Explanation:

Encryption is the process of converting plaintext data into a ciphertext format that cannot be understood without the proper decryption key. Encryption ensures confidentiality, protecting sensitive information from unauthorized access during storage or transmission. Encryption algorithms include symmetric methods, such as AES, and asymmetric methods, such as RSA, depending on the use case. By applying encryption, organizations protect data from interception, eavesdropping, and theft. Encryption is used in web communications (HTTPS), email, file storage, databases, and network traffic to safeguard confidentiality.

Authentication verifies a user’s identity before granting access to systems or resources. While authentication ensures that the person or system requesting access is legitimate, it does not prevent intercepted data from being read if it is transmitted in plaintext. Authentication is identity verification, not confidentiality enforcement.

Authorization determines what actions or resources a user can access after authentication. Authorization enforces permissions and access control policies but does not inherently protect data from interception or ensure its confidentiality. It focuses on allowed operations rather than encryption of content.

Multi-factor authentication (MFA) strengthens authentication by requiring multiple verification factors. While MFA reduces the risk of unauthorized access, it does not encrypt data in transit or at rest. MFA ensures identity verification but does not prevent intercepted communications from being readable without encryption.

Encryption provides strong protection for sensitive information, ensuring that even if intercepted, the data remains unintelligible without the decryption key. Proper implementation requires secure key management, use of strong algorithms, and integration with communication protocols, storage systems, and applications. Encryption protects financial data, personal information, intellectual property, and internal communications from cyberattacks, data breaches, and insider threats. Organizations often combine encryption with other security measures such as access controls, authentication, and monitoring to ensure comprehensive protection for sensitive data across multiple environments.

Question 105:

Which security solution enforces device compliance and access policies for corporate resources?

A) Microsoft Intune

B) Microsoft OneDrive

C) Microsoft Planner

D) Microsoft Defender for Identity

Answer: A) Microsoft Intune

Explanation:

Microsoft Intune is a cloud-based endpoint management and security solution that enforces device compliance and access policies for corporate resources. Intune enables organizations to manage devices, mobile applications, and operating systems, ensuring that endpoints meet security standards before accessing corporate networks. Compliance policies can enforce encryption, password requirements, OS version updates, application restrictions, and device health checks. Conditional access policies integrated with Intune allow administrators to grant or deny access based on device compliance, user identity, and risk factors. Intune supports Windows, macOS, iOS, Android, and hybrid environments, providing centralized management and reporting for secure corporate access.

Microsoft OneDrive is a cloud storage service for file sharing and synchronization. OneDrive protects data through encryption and access controls but does not enforce device compliance or access policies for endpoints connecting to corporate resources. OneDrive is data-centric, not endpoint compliance-focused.

Microsoft Planner is a task and project management tool. Planner is used for collaboration and workflow management and does not manage devices, enforce compliance, or control access to corporate resources. Planner is a productivity tool rather than a security solution.

Microsoft Defender for Identity monitors user accounts and Active Directory for suspicious activity and potential compromise. While it enhances identity security and threat detection, Defender for Identity does not enforce device compliance or access policies. Its focus is on user behavior and account protection rather than endpoint configuration enforcement.

Intune strengthens security by ensuring that only compliant devices can access corporate resources. Administrators can deploy updates, configure policies, monitor device health, and remediate non-compliant devices. Intune integrates with conditional access, threat detection, and identity management to create a secure, unified endpoint management environment. By enforcing compliance and access policies, Intune reduces risks of unauthorized access, data leakage, and malware propagation. Organizations benefit from enhanced visibility, centralized control, and improved security posture while enabling secure access for remote, mobile, and hybrid workforces. Intune also supports regulatory compliance, helping organizations meet standards such as GDPR, HIPAA, and PCI DSS.

Question 106:

Which attack occurs when an attacker floods a network or system with traffic to render it unavailable?

A) Denial of Service (DoS)

B) SQL injection

C) Phishing

D) Brute force attack

Answer: A) Denial of Service (DoS)

Explanation:

A Denial of Service (DoS) attack is a type of cyberattack aimed at making a system, network, or service unavailable to legitimate users by overwhelming resources. Attackers send an excessive amount of traffic, malformed packets, or exploit protocol vulnerabilities to exhaust server CPU, memory, or network bandwidth. When the system becomes overloaded, legitimate requests cannot be processed, leading to service disruption. Distributed Denial of Service (DDoS) attacks amplify this effect by using multiple compromised systems, often part of a botnet, to target a single victim simultaneously. DoS attacks can impact websites, cloud services, critical infrastructure, and enterprise networks, causing financial loss, reputational damage, and operational downtime. Organizations mitigate DoS attacks through network traffic monitoring, rate limiting, intrusion prevention systems, redundant infrastructure, and cloud-based DDoS protection services.

SQL injection attacks target web applications by manipulating database queries through input fields or URLs. SQL injection allows attackers to bypass authentication, extract or modify data, and potentially execute arbitrary commands on the server. SQL injection exploits vulnerabilities in input validation, but it does not overwhelm network or system resources to cause unavailability. SQL injection focuses on data access and integrity rather than service disruption.

Phishing is a social engineering attack that manipulates users into revealing sensitive information such as credentials or financial data. Phishing campaigns use email, messaging apps, or fraudulent websites to trick victims. Phishing attacks target human behavior rather than system resources, and they do not involve flooding networks or servers to cause downtime.

Brute force attacks involve systematically attempting numerous password or credential combinations until successful access is achieved. Brute force is primarily focused on authentication systems and is computationally intensive but does not inherently flood networks or servers to disrupt service availability. Brute force targets account compromise rather than system availability.

Denial of Service attacks are particularly dangerous because they can be launched with minimal skill using readily available tools. Organizations implement layered defenses to maintain availability, such as load balancing, firewalls, traffic scrubbing services, and redundancy strategies. Monitoring traffic patterns helps detect abnormal spikes indicating potential DoS activity. Response plans often include incident handling, communication strategies, and coordination with internet service providers to mitigate the impact. DoS attacks are common against high-profile targets, financial institutions, e-commerce sites, and public services. Continuous assessment of infrastructure resilience, automated detection systems, and disaster recovery planning enhance defense against both DoS and DDoS attacks. The goal is to maintain service continuity while minimizing operational, financial, and reputational impacts.

Question 107:

Which solution provides centralized management and protection for mobile devices and endpoints?

A) Microsoft Intune

B) Microsoft OneDrive

C) Microsoft Planner

D) Microsoft Defender for Identity

Answer: A) Microsoft Intune

Explanation:

Microsoft Intune is a cloud-based endpoint management solution that provides centralized control over mobile devices, desktops, laptops, and applications. Intune supports mobile device management (MDM) and mobile application management (MAM), enabling administrators to configure security policies, enforce compliance, deploy software, and remotely manage devices. Policies can include password enforcement, encryption, operating system updates, application restrictions, and conditional access to corporate resources. Intune integrates with Azure Active Directory and Microsoft 365 security services to ensure that only compliant devices can access sensitive data, improving overall organizational security posture. Intune supports Windows, macOS, iOS, and Android platforms, allowing centralized visibility and control across diverse device ecosystems.

Microsoft OneDrive provides cloud storage and file synchronization. While OneDrive offers encryption, sharing controls, and access permissions, it does not provide centralized endpoint management, compliance enforcement, or security monitoring. OneDrive is focused on data storage rather than device management or protection.

Microsoft Planner is a task and project management tool for organizing workflows and team collaboration. Planner does not manage devices, enforce security policies, or monitor endpoints. It is designed for productivity rather than security or centralized device administration.

Microsoft Defender for Identity monitors Microsoft 365 and Active Directory for suspicious activity and potential account compromise. Defender for Identity focuses on identity-based threat detection rather than managing devices, deploying software, or enforcing compliance policies. It is a security monitoring tool, not a device management platform.

Intune provides organizations with centralized oversight of endpoint security and device compliance. Administrators can define policies, remotely wipe lost or compromised devices, deploy updates, and enforce conditional access to protect sensitive data. Integration with security analytics and monitoring tools enhances visibility into potential risks and non-compliant devices. Intune helps maintain regulatory compliance, ensures data protection, and allows secure remote work by managing devices across multiple locations and platforms. By providing consistent security policies, software deployment, and monitoring capabilities, Intune enables organizations to reduce the attack surface, minimize security incidents, and enforce uniform compliance standards across all managed endpoints.

Question 108:

Which type of attack attempts to gain access by guessing commonly used passwords across multiple accounts?

A) Password spraying

B) Brute force attack

C) Phishing

D) SQL injection

Answer: A) Password spraying

Explanation:

Password spraying is a credential-based attack that targets multiple accounts by attempting commonly used passwords, such as “Password123” or “Welcome1,” across many users. Unlike brute force attacks that target a single account with numerous attempts, password spraying focuses on trying a few passwords across multiple accounts to avoid triggering account lockout policies. This method is effective because many users reuse weak passwords or predictable patterns, allowing attackers to compromise accounts without raising immediate alerts. Organizations can detect password spraying by monitoring login attempts and analyzing failed authentication patterns, and can limit its impact by implementing multi-factor authentication (MFA).

Brute force attacks attempt all possible password combinations for a single account until access is gained. Brute force is account-focused and highly resource-intensive, often triggering lockouts or alerts. It is different from password spraying, which spreads attempts across multiple accounts with minimal repetition to bypass detection.

Phishing relies on social engineering to trick users into disclosing sensitive information, such as usernames and passwords. Phishing exploits human behavior rather than attacking multiple accounts using predictable passwords. While phishing can complement password attacks, it is not the same as systematically attempting common passwords across many accounts.

SQL injection exploits web application vulnerabilities to manipulate database queries. SQL injection targets technical flaws in application input validation rather than credential guessing. It does not attempt passwords or focus on user accounts but rather on accessing or altering backend data.

Password spraying is effective because it exploits weak credential habits while remaining under detection thresholds. Mitigation strategies include enforcing strong password policies, deploying MFA, monitoring authentication logs for unusual activity, and educating users about password hygiene. Security teams often implement automated detection of multiple failed logins from diverse sources or locations to identify potential password spraying campaigns. By combining preventive, detective, and corrective measures, organizations reduce the risk of account compromise while maintaining security without unduly restricting legitimate access.
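The detection logic the explanation describes, written as an added example that is not part of the original question set: it groups failed logins per source address within a time window and separates the spraying pattern (many distinct accounts, each kept below the lockout threshold) from the brute force pattern (one account hammered past it). The log format, the sample log lines, and the thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, documentation IP ranges).
# Each line: <ISO timestamp> <OK|FAIL> user=<account> src=<source address>
SAMPLE_LOG = """\
2024-03-01T09:00:01Z FAIL user=alice src=203.0.113.5
2024-03-01T09:00:03Z FAIL user=bob src=203.0.113.5
2024-03-01T09:00:05Z FAIL user=carol src=203.0.113.5
2024-03-01T09:00:07Z FAIL user=dave src=203.0.113.5
2024-03-01T09:00:09Z FAIL user=erin src=203.0.113.5
2024-03-01T09:00:11Z FAIL user=frank src=203.0.113.5
2024-03-01T09:00:13Z OK   user=grace src=203.0.113.5
2024-03-01T09:10:00Z FAIL user=alice src=198.51.100.7
2024-03-01T09:10:01Z FAIL user=alice src=198.51.100.7
2024-03-01T09:10:02Z FAIL user=alice src=198.51.100.7
2024-03-01T09:10:03Z FAIL user=alice src=198.51.100.7
2024-03-01T09:10:04Z FAIL user=alice src=198.51.100.7
2024-03-01T09:10:05Z FAIL user=alice src=198.51.100.7
2024-03-01T09:10:06Z FAIL user=alice src=198.51.100.7
2024-03-01T09:10:07Z FAIL user=alice src=198.51.100.7
2024-03-01T09:30:00Z FAIL user=bob src=192.0.2.9
2024-03-01T09:30:30Z OK   user=bob src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")

# Ordering used to keep the most alarming verdict seen for a source.
RANK = {"benign": 0, "spraying": 1, "brute_force": 2}


def parse_log(text):
    """Return a list of (timestamp, result, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def classify_sources(events, window=timedelta(minutes=15),
                     min_users=5, lockout_threshold=5):
    """Label each source address by its failed-login pattern inside a sliding window.

    spraying    : at least `min_users` distinct accounts, none reaching the lockout threshold
                  (the low-and-slow pattern the explanation describes)
    brute_force : one account with `lockout_threshold` or more failures
    benign      : neither pattern
    """
    fails_by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))

    verdicts = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        best = {"verdict": "benign", "distinct_users": 0, "max_attempts_per_user": 0}
        j = 0
        for i in range(len(fails)):
            # Advance the window end so fails[i:j] holds every failure within `window` of fails[i].
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            per_user = Counter(user for _, user in fails[i:j])
            distinct, peak = len(per_user), max(per_user.values())
            if peak >= lockout_threshold:
                verdict = "brute_force"
            elif distinct >= min_users:
                verdict = "spraying"
            else:
                verdict = "benign"
            if RANK[verdict] > RANK[best["verdict"]] or (
                    verdict == best["verdict"] and distinct > best["distinct_users"]):
                best = {"verdict": verdict, "distinct_users": distinct,
                        "max_attempts_per_user": peak}
        verdicts[src] = best
    return verdicts


if __name__ == "__main__":
    for src, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The window, account count, and lockout threshold should be tuned to the organization’s real lockout policy; a sprayer who knows the policy will stay one attempt below it.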

Question 109:

Which security control prevents sensitive data from being sent outside an organization?

A) Data Loss Prevention (DLP)

B) Firewall

C) Antivirus software

D) Multi-factor authentication (MFA)

Answer: A) Data Loss Prevention (DLP)

Explanation:

Data Loss Prevention (DLP) is a security control designed to monitor, detect, and prevent sensitive information from leaving an organization. DLP solutions inspect data in motion, at rest, and in use across endpoints, email, cloud services, and network traffic. DLP can identify sensitive data such as Personally Identifiable Information (PII), financial records, intellectual property, or regulatory-protected information. Upon detecting a policy violation, DLP can block transmission, quarantine data, notify administrators, or encrypt content to prevent unauthorized disclosure. DLP ensures compliance with regulations such as GDPR, HIPAA, and PCI DSS while protecting corporate data from leaks, accidental exposure, or insider threats.

Firewalls regulate network traffic based on IP addresses, ports, and protocols. While firewalls control access to external networks and block unauthorized connections, they do not inspect the content of data to determine if sensitive information is being transmitted. Firewalls enforce network boundaries rather than information security policies.

Antivirus software detects, prevents, and removes malware. Antivirus protects endpoints from malicious code but does not monitor or prevent sensitive data from leaving the organization. Malware detection focuses on threats rather than policy enforcement for data handling.

Multi-factor authentication (MFA) strengthens authentication by requiring multiple verification factors. MFA reduces the risk of unauthorized access but does not prevent users from sending sensitive data externally once authenticated. It focuses on identity verification, not content control.

DLP provides organizations with proactive mechanisms to protect sensitive data by enforcing rules and policies. It enables real-time monitoring, alerts, and automated responses to potential data leaks. Integration with identity management, email security, encryption, and endpoint controls enhances DLP effectiveness. Employee training, policy updates, and monitoring of user behavior ensure that sensitive data remains secure. DLP protects intellectual property, customer data, and confidential information while helping organizations maintain regulatory compliance. By combining detection, prevention, and reporting capabilities, DLP provides a comprehensive approach to controlling the flow of sensitive data across enterprise environments.

Question 110:

Which attack involves exploiting input fields to execute unintended commands in a backend system?

A) SQL injection

B) Cross-site scripting (XSS)

C) Phishing

D) Denial of Service (DoS)

Answer: A) SQL injection

Explanation:

SQL injection is a cyberattack where malicious SQL statements are injected into input fields, URLs, or cookies to manipulate backend database queries. Attackers exploit inadequate input validation or improper query parameterization, allowing unauthorized access, modification, or deletion of database content. SQL injection can bypass authentication, extract sensitive data, escalate privileges, or execute commands on the database server. It is particularly dangerous because attackers can compromise the integrity, confidentiality, and availability of database systems while remaining difficult to detect without proper monitoring. Prevention measures include using parameterized queries, stored procedures, input validation, and web application firewalls (WAFs).

Cross-site scripting (XSS) targets client-side execution in users’ browsers. XSS injects malicious scripts to hijack sessions, redirect users, or steal information, but it does not manipulate backend database queries. XSS focuses on client interaction rather than server-side database control.

Phishing attacks trick users into revealing credentials or sensitive information through deceptive communications such as email, messaging, or fraudulent websites. Phishing is a social engineering attack that targets human behavior, not technical flaws in database query processing.

Denial of Service (DoS) attacks overwhelm system or network resources to disrupt service availability. DoS focuses on making services unavailable rather than exploiting application input fields to execute backend commands.

SQL injection is a prevalent web application threat due to poorly validated input handling. Attackers can use automated tools to discover vulnerabilities, extract data, and escalate attacks. Effective mitigation involves secure coding practices, input validation, query parameterization, continuous monitoring, penetration testing, and implementing security controls to detect abnormal database behavior. Organizations should also train developers in secure coding, conduct regular vulnerability assessments, and deploy WAFs to filter malicious inputs. SQL injection remains a critical risk because it targets sensitive backend systems and can have severe operational, financial, and reputational consequences if not properly addressed.

Question 111:

Which attack involves manipulating a user into performing actions or revealing confidential information?

A) Social engineering

B) SQL injection

C) Denial of Service (DoS)

D) Brute force attack

Answer: A) Social engineering

Explanation:

Social engineering is a type of cyberattack where attackers manipulate human behavior to gain access to confidential information, systems, or physical locations. It exploits psychological tactics, such as trust, fear, urgency, curiosity, or authority, to convince users to divulge sensitive data, click malicious links, or perform actions that compromise security. Social engineering attacks can be delivered via email (phishing), phone calls (vishing), text messages (smishing), or even in-person interactions. Successful social engineering attacks often bypass technical security controls because they target the human element, which is frequently the weakest link in an organization’s security posture.

SQL injection attacks exploit vulnerabilities in web application input fields to execute malicious commands on backend databases. SQL injection is technical in nature and targets software weaknesses rather than human behavior, making it distinct from social engineering. SQL injection can extract or modify data but does not rely on manipulating a user to take an action.

Denial of Service (DoS) attacks aim to overwhelm network or system resources to disrupt service availability. DoS attacks do not involve tricking users or exploiting human behavior. They focus on system downtime and resource exhaustion rather than social manipulation.

Brute force attacks attempt to gain access by systematically guessing passwords or credentials. Brute force is an automated attack against authentication systems and does not manipulate users into performing actions. It relies on computation rather than social tactics.

Social engineering attacks are often combined with other attack types. For example, phishing emails may contain links to malicious websites that exploit software vulnerabilities, or attackers may use pretexting to gather information needed for SQL injection or password attacks. Organizations mitigate social engineering risks by conducting user awareness training, simulating phishing campaigns, implementing strict verification procedures, and deploying technical controls such as email filters, two-factor authentication, and secure communication channels. Monitoring and incident response plans help detect and respond to social engineering attempts quickly, minimizing the risk of compromise. Effective defenses require continuous education, policies, and processes that reduce susceptibility to manipulation while maintaining usability and productivity. Social engineering attacks remain highly effective because they exploit inherent human traits such as trust and curiosity, emphasizing the importance of combining technical and behavioral defenses.

Question 112:

Which type of attack allows attackers to gain access by exploiting unpatched software vulnerabilities?

A) Exploit

B) Phishing

C) Password spraying

D) Denial of Service (DoS)

Answer: A) Exploit

Explanation:

An exploit is a method or tool used by attackers to take advantage of vulnerabilities in software, operating systems, or applications. Exploits can allow attackers to execute arbitrary code, escalate privileges, exfiltrate data, or gain unauthorized access to systems. Exploits are often delivered through malicious links, documents, network packets, or compromised websites. Exploit effectiveness depends on the presence of a specific vulnerability, which is why timely patching and updating of software are critical components of a cybersecurity strategy. Exploits can target known vulnerabilities with publicly available proofs of concept or zero-day vulnerabilities that are unknown to software vendors.

Phishing attacks manipulate users into revealing sensitive information or performing actions that compromise security. While phishing may lead to account compromise, it does not directly exploit software vulnerabilities. Phishing focuses on social engineering rather than technical weaknesses in software.

Password spraying attacks attempt commonly used passwords across multiple accounts to gain access without triggering account lockouts. Password spraying relies on credential guessing and weak password policies rather than software vulnerabilities. Its success is based on user behavior, not exploitation of unpatched code.

Denial of Service (DoS) attacks overwhelm systems with excessive traffic or resource consumption to disrupt availability. DoS attacks do not exploit software vulnerabilities to gain access or execute code. They target system performance and availability rather than leveraging unpatched software weaknesses.

Exploits pose significant risks because they can bypass security controls, escalate privileges, and compromise sensitive information without user awareness. Organizations mitigate exploit risks by conducting vulnerability management, applying patches promptly, using intrusion detection systems, and implementing endpoint protection solutions. Security teams often analyze exploit trends, threat intelligence feeds, and vendor advisories to anticipate potential attack vectors. Exploits can also be combined with social engineering, malware delivery, or other attacks to increase effectiveness. Maintaining updated software, conducting regular security assessments, and deploying layered defenses reduce exposure to exploit-based attacks, ensuring that systems remain resilient against attackers seeking to leverage unpatched vulnerabilities.

Question 113:

Which authentication mechanism uses a one-time code generated by a device or application?

A) One-Time Password (OTP)

B) Password

C) Biometric

D) Certificate-based authentication

Answer: A) One-Time Password (OTP)

Explanation:

A One-Time Password (OTP) is an authentication mechanism that provides a unique, temporary code for each login attempt or transaction. OTPs are generated by hardware tokens or software applications, or delivered via SMS or email, and typically expire after a short period, usually 30–60 seconds. OTPs add a layer of security by ensuring that even if a password is compromised, an attacker cannot reuse the same code to gain access. OTPs are widely used in multi-factor authentication (MFA) to protect sensitive accounts, financial transactions, and corporate systems.

Passwords are static authentication factors that rely on knowledge. They can be reused or stolen, and they are vulnerable to guessing, phishing, and credential stuffing attacks. Unlike OTPs, passwords do not provide time-sensitive uniqueness and therefore do not mitigate reuse risks.

Biometric authentication relies on unique physical or behavioral traits, such as fingerprints, facial recognition, or iris scans. Biometrics provide identity verification but do not generate a temporary, per-login code like an OTP. Biometrics are often combined with OTPs or passwords in MFA schemes for layered security.

Certificate-based authentication uses digital certificates to prove identity. Certificates are cryptographic in nature and provide strong authentication but are typically persistent rather than single-use per login. They rely on possession and trust infrastructure, unlike OTPs which rely on time-sensitive, single-use codes.

OTPs enhance security when combined with traditional passwords or biometric factors, forming multi-factor authentication systems that reduce the risk of account compromise. OTPs mitigate the threat of stolen credentials because codes are valid only for a short duration and are unique per session. OTPs can be delivered through dedicated tokens, mobile applications such as Microsoft Authenticator or Google Authenticator, or via secure messaging channels. Security administrators implement OTPs to protect sensitive systems, enforce MFA policies, and ensure compliance with regulatory standards. OTPs are critical in scenarios requiring high assurance, such as banking, corporate VPNs, and identity management platforms, where protecting access against password compromise is paramount.
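The time-based codes described above are usually RFC 6238 TOTP built on RFC 4226 HOTP; the following is an added example (not from the original page) showing how such a code is derived from a shared secret and the current 30-second step, and how a server-side check rejects a code that has already been consumed. The secret is the RFC test key; the one-step drift window and the replay set are assumptions for the demo.

```python
import hmac
import hashlib
import struct
import time

# Added example: RFC 4226 HOTP and RFC 6238 TOTP as typically implemented by
# authenticator apps. 30-second steps and 6-digit codes are the usual defaults.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """Server-side check (assumed design): tolerates one neighbouring time step of
    clock drift and refuses any code that has already been accepted, so a code
    captured by an attacker cannot be replayed inside its validity window."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.used = set()  # (counter, code) pairs already consumed

    def verify(self, code: str, at_time: int) -> bool:
        counter = at_time // self.step
        for drift in range(-self.window, self.window + 1):
            c = counter + drift
            candidate = hotp(self.secret, c, len(code))
            if hmac.compare_digest(candidate, code):
                if (c, code) in self.used:
                    return False  # replay of a code that was already used
                self.used.add((c, code))
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret
    verifier = TotpVerifier(key)
    now = int(time.time())
    code = totp(key, now)
    print("code:", code, "first use:", verifier.verify(code, now),
          "replay:", verifier.verify(code, now))
```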

Question 114:

Which security tool monitors endpoints for suspicious activity and provides response capabilities?

A) Endpoint Detection and Response (EDR)

B) Firewall

C) Antivirus software

D) Multi-factor authentication (MFA)

Answer: A) Endpoint Detection and Response (EDR)

Explanation:

Endpoint Detection and Response (EDR) is a security solution designed to monitor endpoints, such as desktops, laptops, and servers, for suspicious or malicious activity. EDR collects telemetry from processes, network activity, file changes, and system logs, providing deep visibility into endpoint behavior. When threats are detected, EDR can alert security teams, isolate infected endpoints, terminate malicious processes, and support forensic investigations. Unlike traditional antivirus software, which primarily relies on signature-based detection, EDR uses behavioral analysis and threat intelligence to identify previously unknown or sophisticated attacks, including malware, ransomware, and lateral movement.

Firewalls regulate network traffic and enforce access control policies based on IP addresses, ports, and protocols. While firewalls protect network boundaries, they do not provide endpoint monitoring or automated response capabilities. Firewalls cannot analyze individual process behavior or respond to malware within endpoints.

Antivirus software detects known malware using signature databases and may perform heuristic analysis. Antivirus is effective against previously identified threats but lacks real-time behavioral analysis and advanced response capabilities. It is reactive rather than proactive in detecting unknown or sophisticated threats.

Multi-factor authentication (MFA) strengthens user authentication by requiring multiple verification factors. While MFA enhances identity security, it does not monitor endpoint behavior, detect malware, or provide automated incident response. MFA focuses on verifying user identity rather than protecting endpoint integrity.

EDR enables organizations to detect, respond to, and investigate endpoint threats effectively. It integrates with Security Operations Centers (SOC), threat intelligence feeds, and other security tools to provide centralized monitoring, alerting, and remediation. Security teams can track indicators of compromise, analyze malicious activity, and implement containment measures to prevent lateral movement or data exfiltration. EDR solutions support incident response, threat hunting, and proactive defense, helping organizations reduce dwell time, mitigate risk, and maintain endpoint security. By combining visibility, analysis, and automated response, EDR strengthens organizational cybersecurity posture, complementing antivirus, firewall, and identity management solutions to provide comprehensive endpoint protection.

Question 115:

Which Microsoft solution detects unusual login attempts and suspicious behavior in Microsoft 365 accounts?

A) Microsoft Defender for Identity

B) Microsoft OneDrive

C) Microsoft Planner

D) Microsoft Intune

Answer: A) Microsoft Defender for Identity

Explanation:

Microsoft Defender for Identity is a cloud-based security solution that continuously monitors Microsoft 365 accounts and on-premises Active Directory environments for unusual login attempts, suspicious behavior, and potential account compromise. Defender for Identity analyzes authentication logs, user behavior, and network activity to identify anomalies such as repeated failed login attempts, unusual geographic login locations, lateral movement, or privilege escalation. Using machine learning and threat intelligence, Defender for Identity generates actionable alerts for security teams, enabling timely investigation and remediation.

Microsoft OneDrive is a cloud storage and file synchronization platform. While OneDrive provides encryption, sharing controls, and access permissions, it does not monitor user behavior, detect anomalies, or alert security teams about potential account compromises. OneDrive focuses on data storage rather than identity protection.

Microsoft Planner is a task and project management tool. Planner helps teams organize tasks and collaborate on projects but does not offer security monitoring or account behavior analytics. Planner is productivity-focused rather than security-focused.

Microsoft Intune manages devices and enforces compliance policies. While Intune ensures that devices meet security standards before accessing corporate resources, it does not monitor Microsoft 365 account login behavior or detect suspicious activities in user accounts. Intune focuses on device compliance and access control rather than identity monitoring.

Defender for Identity provides early detection of compromised accounts and abnormal authentication activity. It integrates with Microsoft 365 security services, offering centralized visibility and advanced analytics. Alerts can trigger investigation workflows, helping security teams respond to threats proactively. Defender for Identity helps organizations prevent credential theft, unauthorized access, and identity-based attacks by continuously monitoring account behavior and providing actionable insights. Its capabilities enhance enterprise security by combining identity monitoring, threat intelligence, and real-time alerting, ensuring that organizations maintain strong defenses against account-based threats and suspicious login activities.

Question 116:

Which attack injects malicious scripts into web pages to execute in users’ browsers?

A) Cross-site scripting (XSS)

B) SQL injection

C) Phishing

D) Denial of Service (DoS)

Answer: A) Cross-site scripting (XSS)

Explanation:

Cross-site scripting (XSS) is a web application attack that targets vulnerabilities in input handling to inject malicious scripts into web pages viewed by users. These scripts execute in the victim’s browser, allowing attackers to hijack sessions, steal cookies, modify content, redirect users to malicious sites, or deliver malware. XSS attacks exploit insufficient input validation, improper output encoding, and the failure to sanitize user-provided data. They are particularly effective because they manipulate trusted websites, exploiting the user’s trust in the site rather than targeting technical infrastructure directly. XSS can be classified into stored, reflected, or DOM-based variants, each differing in delivery and execution methods.

SQL injection targets web applications by manipulating database queries through input fields. SQL injection exploits technical vulnerabilities in database-driven applications, enabling attackers to retrieve, modify, or delete data. Unlike XSS, SQL injection affects server-side data and does not execute scripts in the client’s browser. It is focused on backend exploitation rather than client-side manipulation.

Phishing is a social engineering attack that tricks users into revealing sensitive information, such as credentials or financial data. Phishing manipulates human behavior rather than exploiting technical vulnerabilities in web applications. While phishing may lead to malware infection or account compromise, it does not involve executing scripts within a browser environment.

Denial of Service (DoS) attacks aim to disrupt service availability by overwhelming networks, servers, or applications. DoS focuses on resource exhaustion and service disruption, not on injecting scripts or stealing session information through browsers.

XSS attacks are dangerous because they exploit the trust between users and websites, often bypassing security controls such as firewalls. Mitigation strategies include input validation, output encoding, implementing Content Security Policies (CSP), and using frameworks that automatically escape content. Security teams perform code reviews, penetration tests, and automated vulnerability scanning to identify potential XSS vulnerabilities before deployment. Effective mitigation requires combining secure development practices, user awareness, and monitoring to detect suspicious behavior. By preventing XSS attacks, organizations protect user credentials, maintain session integrity, and prevent malware distribution through trusted web applications. XSS remains a significant threat because even minor coding oversights can allow attackers to execute malicious scripts, compromise data, and exploit users.
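The output-encoding mitigation described above, as an added example that is not part of the original page: the same user-supplied comment rendered into an HTML fragment once without encoding and once with context-appropriate encoding, plus a small check that flags any tag the template itself did not emit. The template strings, the allowed-tag list and the sample input are constructed for this demo.

```python
import html
import re

# Added example: vulnerable rendering beside its hardened form. In a real
# application the template engine's auto-escaping performs this encoding.


def render_unsafe(comment: str) -> str:
    """Vulnerable: user input is concatenated straight into the markup."""
    return '<p class="comment">' + comment + "</p>"


def render_safe(comment: str) -> str:
    """Hardened: HTML-encode for the element-body context before interpolation."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def render_attr_safe(comment: str) -> str:
    """Attribute context: the value is quoted and encoded, so a stray quote in
    the input cannot close the attribute and add an event handler."""
    return '<input type="text" value="' + html.escape(comment, quote=True) + '">'


# Regression check for reviews or tests: list tags in the rendered fragment
# other than the ones the template is known to emit (allowed list assumed).
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def injected_tags(fragment: str, allowed=("p", "input")) -> list:
    return sorted({t.lower() for t in TAG_RE.findall(fragment)} - set(allowed))


# Constructed sample input carrying markup (the classic textbook probe)
SAMPLE = "Nice post! <script>alert(1)</script>"

if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE), injected_tags(render_unsafe(SAMPLE)))
    print("safe   :", render_safe(SAMPLE), injected_tags(render_safe(SAMPLE)))
    print("attr   :", render_attr_safe('a"b'))
```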

Question 117:

Which attack attempts to gain access to accounts by repeatedly guessing passwords for a single user?

A) Brute force attack

B) Password spraying

C) SQL injection

D) Phishing

Answer: A) Brute force attack

Explanation:

A brute force attack systematically attempts all possible password combinations to gain access to a single user account. The attack relies on computational power to test numerous character combinations until the correct password is found. Brute force attacks can be applied to online login forms, encrypted files, or authentication systems. Success depends on the strength and complexity of the targeted password. Accounts with simple or common passwords are particularly vulnerable. Brute force attacks can trigger account lockouts and generate noticeable log patterns or alerts if security monitoring is in place. Mitigation includes enforcing strong password policies, implementing account lockouts, using CAPTCHAs, and deploying multi-factor authentication (MFA) to reduce the effectiveness of these attacks.

Password spraying attacks differ from brute force attacks because they target multiple accounts using a small set of common passwords. Password spraying avoids triggering account lockouts by distributing attempts across multiple accounts. Brute force focuses on a single account, often triggering protective measures if not mitigated.

SQL injection is a web application attack that manipulates database queries to access or modify data. SQL injection targets backend systems rather than authentication credentials, making it distinct from brute force password attacks. SQL injection does not rely on repeated attempts to guess passwords but rather on exploiting input validation weaknesses.

Phishing attacks use social engineering to trick users into revealing passwords or sensitive information. While phishing can result in credential compromise, it does not involve repeated automated password guessing for a specific account. Phishing targets user behavior rather than password systems directly.

Brute force attacks are effective against accounts with weak or predictable passwords but are mitigated by strong password policies, MFA, rate-limiting, and account lockout mechanisms. Organizations combine user education, automated monitoring, and endpoint security to detect and prevent brute force attempts. Security monitoring tools track repeated failed login attempts, abnormal IP addresses, and unusual access patterns. By enforcing robust authentication practices and monitoring login activity, brute force attacks can be substantially mitigated, protecting sensitive accounts and reducing the risk of unauthorized access. Brute force remains a foundational method in credential-based attacks and underscores the importance of multi-layered password security and vigilance.
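The monitoring distinction drawn above (many failures against one account versus a few failures spread across many accounts, the password-spraying pattern also contrasted in Question 112) can be implemented as simple log analytics. This is an added example, not from the original page; the SSH-style log lines are constructed, and the thresholds are assumptions a team would tune for its own environment.

```python
import re
from collections import defaultdict

# Added example: classify failed-login activity per source address.
# Brute force  -> one account receives many failures from a source.
# Spraying     -> one source fails against many accounts, few attempts each.

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log (not real data); addresses are documentation ranges.
SAMPLE_LOG = """
Mar  3 10:00:01 host sshd[1]: Failed password for alice from 203.0.113.5 port 4 ssh2
Mar  3 10:00:02 host sshd[1]: Failed password for alice from 203.0.113.5 port 4 ssh2
Mar  3 10:00:03 host sshd[1]: Failed password for alice from 203.0.113.5 port 4 ssh2
Mar  3 10:00:04 host sshd[1]: Failed password for alice from 203.0.113.5 port 4 ssh2
Mar  3 10:00:05 host sshd[1]: Failed password for alice from 203.0.113.5 port 4 ssh2
Mar  3 10:00:06 host sshd[1]: Failed password for alice from 203.0.113.5 port 4 ssh2
Mar  3 10:01:00 host sshd[1]: Failed password for bob from 198.51.100.7 port 4 ssh2
Mar  3 10:01:01 host sshd[1]: Failed password for carol from 198.51.100.7 port 4 ssh2
Mar  3 10:01:02 host sshd[1]: Failed password for dave from 198.51.100.7 port 4 ssh2
Mar  3 10:01:03 host sshd[1]: Failed password for erin from 198.51.100.7 port 4 ssh2
Mar  3 10:01:04 host sshd[1]: Failed password for frank from 198.51.100.7 port 4 ssh2
Mar  3 10:02:00 host sshd[1]: Failed password for grace from 192.0.2.9 port 4 ssh2
Mar  3 10:02:30 host sshd[1]: Accepted password for grace from 192.0.2.9 port 4 ssh2
"""


def parse_failures(log: str):
    """Return (user, source_ip) for every failed-password line; successes are ignored."""
    return [(m["user"], m["src"]) for m in map(FAILED_RE.search, log.splitlines()) if m]


def classify(failures, brute_threshold=5, spray_accounts=4, spray_max_per_account=2):
    """Map each source IP to 'brute_force', 'password_spraying' or 'benign'.
    Thresholds are assumed values: brute force when any single account sees
    >= brute_threshold failures; spraying when >= spray_accounts distinct accounts
    are tried and none exceeds spray_max_per_account attempts."""
    per_src = defaultdict(lambda: defaultdict(int))
    for user, src in failures:
        per_src[src][user] += 1
    verdicts = {}
    for src, users in per_src.items():
        worst = max(users.values())
        if worst >= brute_threshold:
            verdicts[src] = "brute_force"
        elif len(users) >= spray_accounts and worst <= spray_max_per_account:
            verdicts[src] = "password_spraying"
        else:
            verdicts[src] = "benign"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify(parse_failures(SAMPLE_LOG)).items():
        print(f"{src:>15}  {verdict}")
```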

Question 118:

Which type of malware encrypts files and demands payment to restore access?

A) Ransomware

B) Rootkit

C) Trojan horse

D) Adware

Answer: A) Ransomware

Explanation:

Ransomware is malicious software designed to encrypt files, systems, or entire networks and demand payment for the decryption key. Ransomware attacks often begin with phishing emails, malicious downloads, or exploit kits that compromise endpoints. Once executed, ransomware encrypts critical files, rendering them inaccessible and often displaying a ransom note with instructions for payment, typically in cryptocurrency. Ransomware can affect individuals, businesses, and government organizations, causing operational disruption, financial loss, and reputational damage. Ransomware mitigation strategies include regular data backups, endpoint protection, user training, patch management, network segmentation, and incident response planning. Preventing infection and maintaining offline backups are essential to recover without paying the ransom.

Rootkits are malware that conceal their presence while providing persistent access to compromised systems. Rootkits are stealth-focused and allow attackers to hide processes or manipulate the operating system. Rootkits do not typically encrypt user files or demand payment; their main purpose is to maintain unauthorized control without detection.

Trojan horses masquerade as legitimate software to trick users into installing malicious code. Trojans can serve as delivery mechanisms for malware, including ransomware or rootkits. While Trojans facilitate infections, they do not inherently encrypt files or demand payment unless they carry a ransomware payload.

Adware is malware that displays unwanted advertisements and may track user behavior. Adware is primarily intrusive but does not encrypt files, disrupt operations, or demand a ransom. Its purpose is usually financial gain through advertising rather than coercion.

Ransomware is particularly effective because it combines immediate operational disruption with financial coercion. Security teams deploy preventative measures such as antivirus, endpoint detection and response (EDR), network segmentation, and threat intelligence to reduce exposure. Organizations conduct employee awareness training to prevent phishing and malicious attachment execution, maintain offline and tested backups, and implement incident response procedures. Ransomware attacks are increasingly sophisticated, with variants targeting specific industries or using double-extortion tactics, where attackers threaten to release sensitive data if ransom is not paid. The combination of proactive defenses, monitoring, and rapid response enables organizations to mitigate risk and recover from ransomware incidents.

Question 119:

Which security control verifies the identity of a user before granting access?

A) Authentication

B) Authorization

C) Encryption

D) Data Loss Prevention (DLP)

Answer: A) Authentication

Explanation:

Authentication is the process of verifying the identity of a user, system, or device before granting access to resources. It ensures that the entity requesting access is who it claims to be. Authentication can be based on knowledge (passwords), possession (tokens, smart cards), inherence (biometrics), or a combination in multi-factor authentication (MFA). Effective authentication is critical for protecting sensitive data, preventing unauthorized access, and supporting compliance with regulatory standards. Authentication precedes authorization, as verifying identity is necessary before determining permissions or access levels.

Authorization is the process of granting or denying access to resources based on an authenticated identity. While authorization defines what an authenticated user can do, it does not verify identity. Authorization enforces permissions but relies on prior authentication.

Encryption transforms data into unreadable ciphertext to protect confidentiality. Encryption safeguards data in transit or at rest but does not verify who is accessing the data. Without authentication, encrypted data could be vulnerable if access control is not enforced.

Data Loss Prevention (DLP) monitors, detects, and prevents sensitive information from leaving an organization. DLP protects data and enforces policies but does not verify the identity of users accessing resources. DLP is content-focused rather than identity-focused.

Authentication provides the foundation for secure access by ensuring only legitimate users can access systems and data. Organizations implement strong authentication mechanisms, including passwords, MFA, biometrics, and certificate-based methods. Security teams enforce policies such as password complexity, rotation, session timeouts, and account lockouts. Authentication integrates with logging, monitoring, and identity management systems to detect unauthorized attempts and provide accountability. Proper authentication reduces the risk of breaches, insider threats, and credential compromise. It is a critical component of overall cybersecurity posture, forming the first line of defense in protecting sensitive information and maintaining regulatory compliance across enterprise environments.

Question 120:

Which security solution monitors Active Directory and Microsoft 365 accounts for suspicious activity?

A) Microsoft Defender for Identity

B) Microsoft Intune

C) Microsoft Planner

D) Microsoft OneDrive

Answer: A) Microsoft Defender for Identity

Explanation:

Microsoft Defender for Identity is a cloud-based security solution that continuously monitors Active Directory (AD) and Microsoft 365 accounts for suspicious activity, unusual login patterns, and potential account compromises. It collects telemetry from user accounts, authentication logs, and directory activity to detect threats such as lateral movement, privilege escalation, pass-the-ticket attacks, and abnormal login behaviors. Defender for Identity uses advanced analytics and machine learning to generate actionable alerts for security teams, enabling rapid investigation and remediation of compromised accounts.

Microsoft Intune manages devices and enforces compliance policies. While it ensures endpoint security, Intune does not monitor Active Directory or Microsoft 365 accounts for suspicious login activity. Intune is focused on device management and compliance rather than identity threat detection.

Microsoft Planner is a productivity tool used for task and project management. Planner does not provide security monitoring, threat detection, or analysis of user account behavior. Its functionality is focused on collaboration rather than security.

Microsoft OneDrive is a cloud storage platform for file access, synchronization, and sharing. While OneDrive provides encryption and access controls, it does not detect suspicious behavior in user accounts or monitor authentication activity. OneDrive is data-centric, not identity-centric.

Defender for Identity provides organizations with early detection of compromised accounts, anomalous login behavior, and insider threats. Alerts can trigger workflows for investigation, remediation, and further security measures. Integration with Microsoft 365 security services enhances visibility and allows security teams to respond proactively. Defender for Identity helps organizations reduce risk from credential-based attacks, maintain compliance, and strengthen identity security by providing continuous monitoring, advanced analytics, and actionable insights into suspicious activity within Microsoft environments.
