CompTIA PenTest+ PT0-003 Exam Dumps and Practice Test Questions Set 9 Q161-180
Question 161:
Which security principle ensures users only have access necessary to perform their jobs?
A) Principle of least privilege
B) Defense in depth
C) Multi-factor authentication (MFA)
D) Role-based encryption
Answer: A) Principle of least privilege
Explanation:
The principle of least privilege (PoLP) is a fundamental security concept that restricts user access rights to the minimum necessary to perform job functions. By granting only the permissions required, organizations reduce the risk of accidental or malicious misuse of resources. PoLP applies to both human users and software processes, ensuring that accounts and applications cannot perform operations outside their authorized scope. This principle limits lateral movement for attackers in case of account compromise, reduces exposure of sensitive data, and helps organizations comply with regulatory standards such as HIPAA, GDPR, and PCI DSS. Security teams implement PoLP using role-based access control (RBAC), attribute-based access control (ABAC), and regular auditing of permissions.
Defense in depth is a layered security strategy that uses multiple security controls across network, application, and endpoint layers. While defense in depth strengthens overall security, it does not specifically enforce minimum access rights. It focuses on redundancy and layered protection rather than restricting user privileges.
Multi-factor authentication (MFA) enhances security by requiring users to provide multiple identity verification factors, such as a password and a token. MFA reduces the risk of unauthorized access but does not define the scope of permissions for users once authenticated.
Role-based encryption is not a standard term in security. Encryption protects data confidentiality but does not assign or limit user access based on roles.
Implementing PoLP involves continuous monitoring of account activity, regular review of permissions, and revocation of unnecessary access. Administrators enforce time-limited privileges, temporary elevation for specific tasks, and separation of duties to minimize risk. PoLP is critical for protecting sensitive data, mitigating insider threats, and reducing attack surfaces. Organizations combine PoLP with other security practices, such as MFA, monitoring, and auditing, to strengthen access control, ensure compliance, and maintain operational security. By minimizing permissions, the principle of least privilege limits the potential impact of compromised accounts, malware, or accidental misuse, forming a foundational element of effective cybersecurity strategy.
Question 162:
Which malware encrypts a victim’s files and demands payment for decryption?
A) Ransomware
B) Rootkit
C) Trojan horse
D) Adware
Answer: A) Ransomware
Explanation:
Ransomware is malware designed to encrypt files, applications, or entire systems, rendering them inaccessible to victims. Attackers demand a ransom payment, often in cryptocurrency, in exchange for a decryption key to restore access. Ransomware spreads through phishing emails, malicious downloads, exploit kits, or compromised websites. It is highly disruptive, often causing operational downtime, data loss, and reputational harm. Double extortion ransomware variants also threaten to publish stolen data if the ransom is not paid. Organizations implement preventive measures including offline backups, endpoint protection, patch management, network segmentation, and user training to avoid infection. Detection and incident response plans are critical for mitigating ransomware impact.
Rootkits conceal themselves within operating systems to maintain persistent access. Rootkits prioritize stealth and control, allowing attackers to monitor activity or deploy additional malware, but do not encrypt files or demand ransom.
Trojan horses disguise themselves as legitimate software to deliver malicious payloads. While Trojans may install ransomware, they are primarily a delivery method, not ransomware itself.
Adware delivers unwanted advertisements and may track user behavior for revenue. Adware is intrusive but not destructive like ransomware and does not encrypt files or demand payment.
Ransomware attacks emphasize the importance of layered defenses. Organizations enforce strong passwords, multi-factor authentication (MFA), regular patching, endpoint protection, and network monitoring. Offline and immutable backups are critical for recovery without paying ransoms. User education reduces the risk of phishing and malicious downloads that deliver ransomware. Security teams monitor abnormal file modifications and unusual network activity to detect early signs of attacks. Incident response plans include isolation of infected systems, forensic analysis, communication procedures, and recovery strategies. By combining preventive, detective, and corrective measures, organizations minimize ransomware risk, protect sensitive data, and maintain business continuity. Ransomware highlights the convergence of malware, social engineering, and operational disruption, making it one of the most significant threats to enterprise security.
Question 163:
Which Microsoft solution enforces device compliance and conditional access policies?
A) Microsoft Intune
B) Microsoft OneDrive
C) Microsoft Planner
D) Microsoft Defender for Identity
Answer: A) Microsoft Intune
Explanation:
Microsoft Intune is a cloud-based endpoint management solution that manages devices, applications, and compliance policies to secure corporate resources. Intune allows administrators to enforce device compliance standards, including password policies, encryption, patch status, operating system versions, and application integrity. Devices failing to meet compliance requirements can be blocked from accessing sensitive data, reducing security risks. Intune integrates with Azure Active Directory for conditional access, ensuring only secure and compliant devices can connect to enterprise resources. Intune supports mobile device management (MDM), mobile application management (MAM), application deployment, reporting, and monitoring across Windows, macOS, iOS, and Android devices. Organizations use Intune to streamline management, enforce policies consistently, and maintain regulatory compliance.
Microsoft OneDrive provides cloud storage, file access, and sharing capabilities with encryption and access control but does not manage endpoints or enforce device compliance.
Microsoft Planner is a task and project management tool focused on workflow organization and collaboration. Planner does not provide device compliance or conditional access functionality.
Microsoft Defender for Identity monitors user activity and authentication events to detect suspicious behavior and compromised accounts. Defender for Identity strengthens identity security but does not enforce endpoint compliance or conditional access.
Intune enables centralized management of devices and applications, ensuring that corporate resources are accessed only by authorized, compliant systems. Administrators can define policies, monitor device health, remediate non-compliant devices, and integrate with security and identity solutions to implement layered protections. Intune improves security posture, operational efficiency, and regulatory compliance. By controlling devices and access policies centrally, Intune reduces the attack surface and ensures corporate data remains protected from unauthorized or insecure devices. Proper deployment of Intune policies, regular audits, and monitoring of device compliance help maintain organizational security standards and prevent breaches caused by misconfigured or compromised endpoints.
Question 164:
Which type of attack exploits client-side scripts in web applications?
A) Cross-site scripting (XSS)
B) SQL injection
C) Phishing
D) Denial of Service (DoS)
Answer: A) Cross-site scripting (XSS)
Explanation:
Cross-site scripting (XSS) attacks exploit vulnerabilities in web applications by injecting malicious scripts into client-side code. When users interact with compromised web pages, the scripts execute in their browsers, potentially stealing session cookies, credentials, or personal information. XSS attacks can also redirect users, manipulate web page content, or perform unauthorized actions on behalf of users. XSS primarily targets client-side vulnerabilities, unlike SQL injection, which targets backend databases. Organizations prevent XSS by implementing input validation, output encoding, secure coding practices, content security policies, and web application firewalls (WAFs). User awareness and browser security settings also help mitigate the risk.
SQL injection manipulates database queries through user input to extract or modify sensitive information. SQL injection focuses on server-side data rather than executing scripts in users’ browsers.
Phishing relies on social engineering to trick users into disclosing credentials or sensitive information. Phishing attacks exploit human behavior rather than technical vulnerabilities in client-side code.
Denial of Service (DoS) attacks overwhelm systems or networks to make services unavailable. DoS attacks target system resources rather than web application scripts or user browsers.
XSS attacks are particularly dangerous because they combine technical and social exploitation. Attackers may hijack sessions, steal personal data, or distribute malware. Mitigation strategies include secure coding, testing for vulnerabilities, and monitoring for suspicious activity. XSS highlights the importance of web application security and the need for continuous vigilance to protect users and systems from exploitation. Proper coding practices, secure input handling, and regular security assessments are essential to prevent XSS attacks and maintain application integrity and user trust.
Question 165:
Which authentication method requires multiple types of verification, such as password and token?
A) Multi-factor authentication (MFA)
B) Password-only authentication
C) Biometric authentication
D) Single sign-on (SSO)
Answer: A) Multi-factor authentication (MFA)
Explanation:
Multi-factor authentication (MFA) enhances security by requiring users to provide two or more verification factors before granting access. MFA combines two or more distinct factor types: something the user knows (password), something the user possesses (smart card, hardware token, mobile OTP), and something inherent to the user (biometrics). This layered approach reduces the risk of unauthorized access even if one factor is compromised. MFA is widely used in enterprise environments, online banking, cloud applications, and identity-sensitive systems. It mitigates risks from phishing, credential theft, brute force attacks, and password reuse. Implementation involves integration with identity providers, conditional access policies, and user education to ensure adoption.
Password-only authentication relies solely on a user-provided secret. While common, it is vulnerable to theft, brute force attacks, and phishing, lacking additional layers of protection.
Biometric authentication uses unique physical or behavioral traits, such as fingerprints or facial recognition, as a single authentication factor. Biometrics enhance security but are often combined with other factors for MFA.
Single sign-on (SSO) allows users to access multiple applications with one set of credentials. SSO improves convenience but does not necessarily enforce multiple verification factors.
MFA strengthens identity verification by combining multiple factors. Organizations configure MFA alongside conditional access policies to enforce risk-based authentication, device compliance, and context-aware security measures. MFA reduces account compromise likelihood, improves regulatory compliance, and protects sensitive resources. Security teams monitor authentication patterns, educate users, and manage factor enrollment to maintain effective MFA implementation. By requiring multiple verification factors, MFA provides a robust defense against unauthorized access while maintaining usability for legitimate users.
Question 166:
Which attack attempts to trick users into revealing sensitive information by impersonation?
A) Phishing
B) SQL injection
C) Denial of Service (DoS)
D) Cross-site scripting (XSS)
Answer: A) Phishing
Explanation:
Phishing is a social engineering attack that manipulates users into divulging sensitive information such as usernames, passwords, credit card numbers, or personal data. Attackers often impersonate trusted entities, including banks, government agencies, or corporate contacts, to deceive recipients. Phishing is commonly delivered through email, instant messaging, or fake websites that appear legitimate. Attackers use urgency, fear, or incentive tactics to prompt victims to act quickly without verifying authenticity. Phishing is highly effective because it targets human behavior rather than system vulnerabilities, exploiting trust and familiarity to bypass technical controls. Organizations mitigate phishing risks by implementing email filtering, spam detection, anti-malware tools, user education, and multi-factor authentication (MFA). Security awareness campaigns teach users to recognize suspicious emails, verify sender authenticity, avoid clicking on unknown links, and report phishing attempts.
SQL injection exploits vulnerabilities in database queries to retrieve or modify sensitive data. Unlike phishing, SQL injection is a technical attack targeting web applications and server-side logic rather than manipulating human behavior. SQL injection requires exploiting code vulnerabilities rather than convincing a user to act.
Denial of Service (DoS) attacks overwhelm system or network resources to disrupt availability. DoS attacks focus on infrastructure and service disruption, not user manipulation. Attackers aim to exhaust bandwidth, memory, or CPU to prevent legitimate access rather than stealing information.
Cross-site scripting (XSS) injects malicious scripts into web applications to compromise client-side code. XSS may steal session information, execute scripts in users’ browsers, or redirect traffic, but it is a technical attack targeting vulnerabilities, not social manipulation.
Phishing remains one of the most common and dangerous attacks due to its simplicity and effectiveness. Attackers continuously refine tactics, including spear phishing (targeted attacks), whaling (high-profile targets), and clone phishing (duplicated legitimate messages). Phishing defenses involve combining technical and human-centered approaches, including secure email gateways, URL scanning, anomaly detection, MFA, and user vigilance. By training users, monitoring network activity, and enforcing security policies, organizations reduce the likelihood of compromised accounts, data breaches, and financial losses. Phishing demonstrates that cybersecurity is not only about technology but also about influencing human behavior and creating a culture of vigilance to recognize and respond to deceptive attempts.
Question 167:
Which attack involves sending excessive traffic to overwhelm system resources?
A) Denial of Service (DoS)
B) Password spraying
C) SQL injection
D) Phishing
Answer: A) Denial of Service (DoS)
Explanation:
A Denial of Service (DoS) attack is designed to overwhelm system, network, or application resources to make services unavailable to legitimate users. DoS attacks can target bandwidth, server processing power, memory, or application resources, causing operational downtime, loss of productivity, financial damage, and reputational harm. Attackers exploit protocol weaknesses, network configuration flaws, or vulnerabilities in applications to maximize the impact. Common forms of DoS include volumetric attacks that flood networks with excessive traffic, protocol attacks that exploit network stack vulnerabilities, and application-layer attacks that exhaust server resources through legitimate-looking requests. Mitigation strategies involve traffic monitoring, load balancing, intrusion prevention systems, rate limiting, and cloud-based DDoS protection services.
Password spraying attacks target multiple accounts with a few common passwords, attempting to gain unauthorized access while avoiding lockouts. Password spraying focuses on credential exploitation rather than overwhelming system resources and is not a DoS technique.
SQL injection attacks manipulate backend databases through input vulnerabilities to access or modify sensitive information. SQL injection is data-centric and does not involve overwhelming system capacity to deny service. It targets application and database logic rather than resource availability.
Phishing attacks manipulate users into revealing credentials or personal information through social engineering. Phishing relies on deception, not on resource exhaustion, making it unrelated to DoS attacks.
DoS attacks can also be distributed, known as Distributed Denial of Service (DDoS), leveraging multiple compromised devices to amplify traffic and increase impact. Detection requires monitoring network traffic patterns, anomaly detection, and identifying unusual spikes or request patterns. Organizations implement redundancy, content delivery networks (CDNs), and rate-limiting techniques to reduce vulnerability. By understanding attack vectors and applying layered defenses, enterprises maintain availability, minimize disruption, and protect critical business services from the consequences of DoS attacks. DoS demonstrates that availability is a core security component, requiring proactive measures alongside confidentiality and integrity controls.
Question 168:
Which type of malware conceals itself to maintain persistent system access?
A) Rootkit
B) Ransomware
C) Adware
D) Trojan horse
Answer: A) Rootkit
Explanation:
Rootkits are malware designed to remain hidden within a system while providing attackers with persistent access. They manipulate operating system processes, files, and memory structures to avoid detection by users or security software. Rootkits can operate at the kernel or user level, giving attackers deep control over the system, including the ability to monitor activity, deploy additional malware, or steal sensitive data. Detection is challenging because rootkits are designed to integrate seamlessly with system operations, often disabling antivirus tools or hiding processes, files, and network activity. Rootkits are frequently delivered via Trojans, phishing emails, or exploitation of unpatched vulnerabilities. Removing rootkits often requires offline scanning or full system reinstalls, as traditional security tools may be ineffective while the rootkit is active.
Ransomware encrypts files and demands payment for decryption. Ransomware is overt and designed to alert the user to its presence, contrasting with rootkits, which prioritize stealth.
Adware delivers unwanted advertisements and may track user behavior for monetization. Adware is intrusive but does not provide persistent hidden access or deep control over the system.
Trojan horses disguise themselves as legitimate software to deliver a malicious payload. While a Trojan may install a rootkit, the defining characteristic of rootkits is stealthy persistence and deep system control, not initial deception.
Rootkits are particularly dangerous because they allow attackers to maintain long-term access to compromised systems, enabling credential theft, data exfiltration, and further malware deployment. Organizations mitigate rootkit risks by enforcing least privilege policies, monitoring system integrity, applying timely patches, and deploying endpoint detection and response (EDR) tools. Awareness of rootkit behavior and proactive monitoring are essential for maintaining security, as rootkits often serve as the foundation for more complex attacks targeting sensitive organizational assets. By understanding rootkit techniques, enterprises can better prepare defenses and reduce the likelihood of prolonged unauthorized access.
Question 169:
Which authentication method uses physical traits like fingerprints or facial recognition?
A) Biometric authentication
B) Knowledge-based authentication
C) Possession-based authentication
D) Certificate-based authentication
Answer: A) Biometric authentication
Explanation:
Biometric authentication verifies identity using unique physical or behavioral characteristics inherent to the user. Common biometric factors include fingerprints, facial recognition, iris scans, voice patterns, or behavioral traits like typing rhythm. Biometrics are difficult to duplicate or share, providing a high level of security compared to traditional knowledge-based methods such as passwords. Biometric authentication is commonly integrated into multi-factor authentication (MFA) systems for enhanced security. Implementation requires specialized hardware, secure storage of biometric templates, and careful privacy considerations. Biometric systems may also include liveness detection to prevent spoofing attacks using images, recordings, or synthetic replicas.
Knowledge-based authentication relies on information the user knows, such as passwords or PINs. While widely used, knowledge-based methods are vulnerable to phishing, social engineering, and credential reuse, unlike biometrics, which are intrinsic to the user.
Possession-based authentication requires something the user possesses, such as smart cards, tokens, or mobile authentication apps. Possession-based factors verify ownership, not inherent physical traits.
Certificate-based authentication relies on cryptographic certificates issued by trusted authorities to verify identity. Certificates are digital in nature and do not involve physical characteristics.
Biometric authentication enhances identity security by providing factors that are intrinsic to the user, reducing reliance on passwords and tokens. Organizations combine biometrics with other authentication factors, such as passwords or possession-based tokens, to achieve MFA. Biometric systems must balance security, privacy, and usability, ensuring that data is encrypted, templates are securely stored, and false acceptance or rejection rates are minimized. Biometric authentication is increasingly common in enterprise, government, banking, and mobile environments, offering a robust defense against unauthorized access while improving convenience for legitimate users. Proper implementation requires ongoing evaluation, monitoring, and integration into overall identity and access management strategies to maintain effective security.
Question 170:
Which Microsoft solution tracks user behavior and alerts on suspicious account activity?
A) Microsoft Defender for Identity
B) Microsoft OneDrive
C) Microsoft Planner
D) Microsoft Intune
Answer: A) Microsoft Defender for Identity
Explanation:
Microsoft Defender for Identity is a cloud-based security solution that monitors Microsoft 365 accounts and on-premises Active Directory for suspicious behavior and potential account compromises. It analyzes login patterns, behavioral anomalies, and authentication logs to detect lateral movement, privilege escalation, unusual login attempts, and compromised credentials. Defender for Identity generates actionable alerts that security teams can investigate and remediate. The solution integrates with Azure Active Directory and other Microsoft 365 services to provide a comprehensive view of identity-related threats, enabling proactive detection and rapid response. Defender for Identity leverages machine learning to identify abnormal behaviors that indicate potential account compromise.
Microsoft OneDrive is a cloud storage service for file access, sharing, and collaboration. OneDrive provides encryption and access control but does not monitor user authentication behavior or alert on suspicious activity.
Microsoft Planner is a project and task management tool. Planner organizes workflows and assignments but does not provide security monitoring or alerting for account activity.
Microsoft Intune manages devices, applications, and compliance policies. While Intune enforces conditional access and device compliance, it does not perform behavioral analysis or identify unusual login patterns in user accounts.
Defender for Identity is critical for identity protection because it correlates events, provides context, and helps security teams prioritize alerts. It enhances the organization’s ability to prevent unauthorized access, detect insider threats, and respond to compromised accounts promptly. Defender for Identity also supports compliance with regulations and provides audit logs for investigations. By combining telemetry analysis, behavioral modeling, and integration with Microsoft security solutions, Defender for Identity offers a proactive approach to monitoring, detecting, and remediating threats, ensuring organizational cybersecurity resilience and early identification of suspicious account activity.
Question 171:
Which attack attempts to gain access to multiple accounts using a few common passwords?
A) Password spraying
B) Brute force attack
C) Phishing
D) SQL injection
Answer: A) Password spraying
Explanation:
Password spraying is a credential-based attack that targets a large number of accounts by attempting a small set of commonly used passwords. Unlike brute force attacks, which systematically try every possible password combination on a single account, password spraying spreads login attempts across multiple accounts to avoid triggering account lockouts. This type of attack exploits weak or reused passwords and can be highly effective in organizations with inconsistent password policies or users who favor simple, predictable passwords. Attackers often rely on previously leaked credentials, commonly used passwords, or variations of popular patterns. Security teams mitigate password spraying through multi-factor authentication (MFA), strong password policies, account lockout thresholds, and monitoring for unusual authentication attempts.
Brute force attacks focus on systematically attempting every possible password combination for a single account until successful. While effective against weak passwords, brute force often triggers lockout mechanisms and security alerts, unlike password spraying, which is distributed to avoid detection.
Phishing is a social engineering attack aimed at deceiving users into revealing credentials or sensitive information. Phishing exploits human behavior rather than attempting automated login attempts across multiple accounts. Although attackers may combine phishing with password spraying by obtaining initial credentials, phishing itself is not a guessing attack.
SQL injection targets databases through manipulation of user input in queries. SQL injection seeks to extract, modify, or delete data directly from backend systems and does not involve repeated login attempts or password guessing. It is unrelated to account authentication attacks.
Password spraying emphasizes the importance of enforcing strong password policies, using MFA, monitoring login activity, and educating users about credential security. Organizations can reduce risk by detecting repeated authentication attempts, analyzing login patterns, and implementing anomaly detection systems. Attackers exploiting weak passwords can gain unauthorized access, but preventive measures like MFA and monitoring reduce the likelihood of compromise. Password spraying illustrates how attackers exploit both predictable human behavior and system weaknesses, demonstrating the need for layered security strategies combining technical controls and user awareness. Continuous vigilance, auditing, and proactive enforcement of security policies are critical in preventing attackers from compromising multiple accounts using simple password patterns.
Question 172:
Which attack targets web applications by injecting malicious scripts into client browsers?
A) Cross-site scripting (XSS)
B) SQL injection
C) Denial of Service (DoS)
D) Phishing
Answer: A) Cross-site scripting (XSS)
Explanation:
Cross-site scripting (XSS) is a type of attack that injects malicious scripts into web applications to execute in users’ browsers. XSS targets client-side code rather than backend systems, allowing attackers to manipulate web page content, steal session cookies, capture keystrokes, redirect users, or perform unauthorized actions on their behalf. Attackers exploit vulnerabilities where user input is not properly sanitized, validated, or encoded before rendering. XSS can occur in forms, URL parameters, comments, or other user-input fields. Organizations mitigate XSS by implementing input validation, output encoding, content security policies (CSPs), web application firewalls (WAFs), and secure development practices. User awareness, browser security features, and monitoring of unusual behavior also help reduce risk.
SQL injection manipulates backend database queries through user input vulnerabilities to access, modify, or delete sensitive data. SQL injection focuses on server-side systems rather than executing code in client browsers, making it distinct from XSS.
Denial of Service (DoS) attacks aim to overwhelm system resources, causing service unavailability. DoS is a resource-exhaustion attack that targets availability rather than executing scripts in client browsers.
Phishing attacks manipulate users to reveal sensitive information through social engineering tactics. Phishing targets human behavior rather than technical vulnerabilities in web applications.
XSS attacks are particularly dangerous because they combine technical and social exploitation. Attackers may hijack sessions, redirect traffic, steal sensitive information, or distribute malware. Mitigation requires secure coding, continuous testing, monitoring for anomalies, and implementing layered security defenses. XSS emphasizes the need for secure development practices and web application security, demonstrating how client-side vulnerabilities can lead to data breaches, identity theft, and further exploitation. Organizations must combine proactive prevention, secure design, and ongoing monitoring to maintain safe and trustworthy web applications.
Question 173:
Which type of malware is primarily used for delivering advertisements and tracking user activity?
A) Adware
B) Ransomware
C) Trojan horse
D) Rootkit
Answer: A) Adware
Explanation:
Adware is malware designed to deliver unsolicited advertisements to users and track their behavior for monetization purposes. Adware can appear as pop-ups, banners, or embedded ads within applications and websites. It collects data such as browsing history, search queries, or software usage to serve targeted ads or generate revenue for attackers. While often intrusive and annoying, adware generally does not directly damage the system or encrypt files. Adware is typically installed via software bundles, malicious downloads, or deceptive websites. Detection and removal involve endpoint protection, malware scanners, and user education. Users should avoid installing unknown software or accepting default installations that include optional adware components.
Ransomware encrypts files and demands payment for decryption. Ransomware is destructive and extortion-focused, not primarily for advertisement delivery or tracking.
Trojan horses disguise themselves as legitimate software to deliver malicious payloads. Trojans may deliver adware as part of their payload, but the key characteristic of adware is advertising and user tracking, not initial deception.
Rootkits conceal themselves within operating systems to maintain persistent access. Rootkits prioritize stealth and system control, rather than monetization or advertisement display.
Adware highlights the importance of safe software practices, endpoint security, and monitoring. Organizations deploy web filtering, anti-malware solutions, and network monitoring to detect adware activity. Adware may compromise system performance and user experience, making preventive measures essential. While less destructive than ransomware or rootkits, adware still represents a security concern because it exposes user behavior and system vulnerabilities to exploitation. Continuous user training, software vetting, and endpoint protection help mitigate risks, ensuring privacy and operational integrity. Adware demonstrates how seemingly benign software can introduce vulnerabilities and unwanted behaviors into computing environments, emphasizing vigilance and layered security strategies.
Question 174:
Which authentication factor relies on something the user possesses, like a token or smart card?
A) Possession-based authentication
B) Knowledge-based authentication
C) Biometric authentication
D) Certificate-based authentication
Answer: A) Possession-based authentication
Explanation:
Possession-based authentication verifies identity by requiring something the user physically possesses, such as hardware tokens, smart cards, mobile authentication devices, or security keys. This method enhances security by ensuring that even if a password is compromised, access requires possession of the additional factor. Possession-based authentication is commonly used in multi-factor authentication (MFA) implementations, combining something the user knows (password) with something they have. It provides an effective safeguard against unauthorized access and credential compromise. Organizations implement secure token distribution, enrollment procedures, and monitoring of lost or stolen devices to maintain the integrity of possession-based authentication systems.
Knowledge-based authentication relies on information the user knows, such as passwords or PINs. Knowledge factors alone are vulnerable to phishing, social engineering, and password reuse, and do not provide physical verification.
Biometric authentication uses physical or behavioral traits like fingerprints or facial recognition. Biometrics verify inherence rather than possession and are typically combined with other factors for MFA.
Certificate-based authentication relies on cryptographic certificates issued by trusted authorities to verify identity. Certificates are digital and do not require physical possession of a token.
Possession-based authentication strengthens identity verification by introducing a factor that is external to the user and difficult to replicate. It is commonly combined with knowledge or biometric factors to form MFA. Organizations enforce policies for secure token management, loss reporting, and revocation procedures to mitigate risks associated with stolen or lost tokens. Monitoring and logging authentication attempts helps detect unauthorized use. Possession-based factors reduce the likelihood of compromise from password theft, phishing, or brute force attacks, forming a critical component of layered identity security strategies. Proper implementation ensures that only authorized users can access sensitive resources while maintaining usability and operational efficiency.
Question 175:
Which attack targets backend databases by manipulating SQL queries through user input?
A) SQL injection
B) Password spraying
C) Cross-site scripting (XSS)
D) Phishing
Answer: A) SQL injection
Explanation:
SQL injection is a cyberattack that manipulates input fields in web applications to execute malicious SQL commands against backend databases. Attackers exploit vulnerabilities in code that fails to validate, sanitize, or parameterize user input. SQL injection can retrieve sensitive data, modify records, delete information, or bypass authentication mechanisms. Attackers may use automated tools to identify vulnerable fields, test queries, and extract database content systematically. SQL injection is a server-side attack, differing from client-side attacks like cross-site scripting, and focuses on data confidentiality, integrity, and sometimes availability. Prevention strategies include prepared statements, parameterized queries, stored procedures, input validation, least privilege database accounts, web application firewalls (WAFs), and regular security audits.
Password spraying targets multiple accounts using common passwords, attempting to avoid lockouts. Password spraying exploits credentials rather than backend database query vulnerabilities and is unrelated to SQL injection techniques.
Cross-site scripting (XSS) injects malicious scripts into client-side code to execute in users’ browsers. XSS targets user interaction and browser behavior, whereas SQL injection targets server-side databases and is unrelated to client-side script execution.
Phishing is a social engineering attack that deceives users into revealing credentials or sensitive information. Phishing relies on human behavior rather than exploiting software vulnerabilities, making it distinct from SQL injection.
SQL injection emphasizes the importance of secure coding practices, proper input handling, and database access control. Attackers exploiting SQL injection can compromise sensitive organizational data, steal credentials, or disrupt applications. Organizations mitigate SQL injection risks through developer training, automated vulnerability scanning, penetration testing, and monitoring for suspicious database activity. Security teams enforce least privilege for database access, implement query logging, and use anomaly detection to identify unauthorized operations. SQL injection demonstrates the critical intersection of application development, input validation, and security monitoring in maintaining data confidentiality and operational integrity.
Question 176:
A company wants to monitor all Microsoft 365 accounts for suspicious login attempts, unusual behavior, and potential account compromises. Which solution is most appropriate?
A) Microsoft Defender for Identity
B) Microsoft Planner
C) Microsoft OneDrive
D) Microsoft Intune
Answer: A) Microsoft Defender for Identity
Explanation:
Microsoft Defender for Identity is a cloud-based security solution that continuously monitors Microsoft 365 and on-premises Active Directory for suspicious activities, unusual login patterns, and potential account compromises. It uses machine learning and behavioral analytics to detect anomalies, such as lateral movement, privilege escalation attempts, or multiple failed login attempts from unusual locations. Defender for Identity collects telemetry from user accounts, analyzes authentication logs, and correlates signals across Microsoft 365 services to generate actionable alerts for security teams. These alerts allow organizations to investigate potential threats proactively, reduce response time, and remediate compromised accounts quickly. Defender for Identity integrates with Azure AD, enabling organizations to enforce conditional access policies based on detected anomalies, thereby enhancing the overall security posture.
Microsoft Planner is a task and project management tool used to assign, track, and manage team tasks. While it improves productivity and workflow organization, Planner does not provide security monitoring, behavioral analysis, or threat detection capabilities. It cannot detect suspicious account activity or generate security alerts.
Microsoft OneDrive is a cloud storage platform that allows users to store, share, and synchronize files across devices. OneDrive provides file encryption and access control features but does not monitor user behavior, analyze login patterns, or detect potential account compromises. Its primary function is file storage and collaboration, not security monitoring.
Microsoft Intune focuses on device and application management. It enforces compliance policies, ensures device security, and integrates with Azure AD for conditional access. While Intune helps prevent unauthorized device access and enforces secure configurations, it does not analyze user login behavior or detect compromised accounts directly.
Defender for Identity’s strength lies in combining identity analytics, anomaly detection, and integration with Microsoft 365 security tools. It provides detailed reporting and investigative capabilities that allow security teams to detect early indicators of compromise, prevent lateral movement, and maintain operational security. By analyzing both on-premises Active Directory and cloud identity data, Defender for Identity offers comprehensive visibility into authentication events, risky behaviors, and potential insider threats. Unlike Planner, OneDrive, or Intune, Defender for Identity specializes in identity threat detection, providing real-time monitoring, alerts, and actionable insights that enable organizations to proactively secure accounts and prevent data breaches. Its deployment ensures that security teams are alerted to suspicious activity, even before a compromise occurs, helping reduce overall risk and improving organizational resilience against identity-based attacks.
Question 177:
Which authentication factor relies on something the user knows, such as a password or PIN?
A) Knowledge-based authentication
B) Biometric authentication
C) Possession-based authentication
D) Certificate-based authentication
Answer: A) Knowledge-based authentication
Explanation:
Knowledge-based authentication (KBA) relies on information that a user knows, such as passwords, PINs, or answers to personal security questions. This type of authentication is widely used because it is simple to implement and easy for users to understand. The underlying principle is that only the legitimate user possesses the correct knowledge, making access verification straightforward. Organizations implement password complexity requirements, rotation policies, and MFA to strengthen KBA. Despite its widespread use, knowledge-based authentication is vulnerable to phishing, social engineering, brute force attacks, and credential reuse, which is why many organizations combine it with other authentication factors for enhanced security.
Biometric authentication relies on inherence factors, such as fingerprints, facial recognition, or iris scans. Biometrics verify identity based on unique physical or behavioral characteristics and do not depend on information the user knows.
Possession-based authentication verifies identity through something the user possesses, such as a security token, smart card, or mobile device. While secure, it does not rely on the user’s knowledge.
Certificate-based authentication uses cryptographic certificates issued by trusted authorities to validate identity. Certificates rely on digital cryptography rather than user knowledge.
Knowledge-based authentication remains foundational in identity verification. Organizations combine it with MFA and monitoring to mitigate risks associated with compromised credentials. Strong passwords, user education on phishing, and account monitoring enhance KBA effectiveness. While simple knowledge-based factors are vulnerable to attack, when integrated with other authentication methods, they provide a baseline layer of security. Knowledge-based authentication continues to be relevant in corporate, online, and banking environments, serving as the first step in access control strategies while ensuring user familiarity and accessibility. Properly implemented KBA forms a critical component of identity and access management frameworks, reducing unauthorized access risk while maintaining usability for legitimate users.
Question 178:
Which malware disguises itself as legitimate software to deliver a malicious payload?
A) Trojan horse
B) Rootkit
C) Adware
D) Ransomware
Answer: A) Trojan horse
Explanation:
A Trojan horse is malware that appears to be legitimate software to trick users into installing it while secretly delivering malicious functionality. Trojans exploit trust and social engineering tactics to bypass security controls, enabling attackers to perform activities such as credential theft, data exfiltration, installation of additional malware, or remote control of infected systems. Trojans are often distributed through email attachments, downloads, malicious websites, or software bundles. Detection of Trojans requires endpoint protection, behavioral monitoring, and awareness of unusual system behavior. Once installed, a Trojan can remain dormant or actively manipulate system operations, depending on its intended purpose. Organizations mitigate Trojan risks through software verification, patching, email filtering, user training, and anti-malware deployment.
Rootkits conceal themselves within operating systems to maintain persistent access. Rootkits focus on stealth and long-term control rather than initial deception or delivery.
Adware delivers unwanted advertisements and tracks user activity to generate revenue. While intrusive, adware is generally not designed to steal credentials or provide remote access.
Ransomware encrypts files and demands payment for decryption. Ransomware is overt and extortion-based, unlike Trojans, which are designed to appear harmless while executing hidden malicious activities.
Trojans are dangerous because they exploit trust and user behavior. They can act as a delivery mechanism for other malware, including rootkits and ransomware. Organizations implement multiple layers of defense to prevent Trojan infections, including endpoint protection, application whitelisting, network monitoring, and user education. Trojans demonstrate the importance of secure software practices, vigilance, and layered defenses in mitigating the risk of malware that uses deception to compromise systems. By verifying software sources, avoiding suspicious downloads, and using behavioral monitoring, organizations reduce the likelihood of Trojan infections and maintain operational security. Trojans highlight the intersection of technical and social engineering attacks, emphasizing that cybersecurity requires attention to both human behavior and technical controls.
Question 179:
Which Microsoft 365 service provides cloud storage and file-sharing capabilities?
A) Microsoft OneDrive
B) Microsoft Intune
C) Microsoft Planner
D) Microsoft Defender for Identity
Answer: A) Microsoft OneDrive
Explanation:
Microsoft OneDrive is a cloud-based storage and file-sharing service integrated with Microsoft 365. OneDrive enables users to store files securely, synchronize data across devices, and collaborate in real-time with colleagues. Features include file versioning, sharing permissions, activity monitoring, and integration with Microsoft Office applications, allowing multiple users to co-author documents simultaneously. OneDrive ensures data confidentiality through encryption in transit and at rest and provides compliance with standards such as ISO, GDPR, and HIPAA. Administrators can manage sharing policies, set retention rules, and monitor access logs to ensure data security. OneDrive also supports ransomware detection, file recovery, and auditing, enhancing operational resilience.
Microsoft Intune manages devices, applications, and compliance policies but does not provide cloud storage or file-sharing capabilities. Intune is focused on endpoint security and access control rather than document collaboration.
Microsoft Planner is a project and task management tool used to organize, assign, and track work. Planner does not provide storage or file-sharing functionality.
Microsoft Defender for Identity monitors user behavior and authentication events to detect suspicious activities and potential compromises. Defender for Identity focuses on security monitoring rather than collaboration or storage.
OneDrive provides a secure, accessible, and collaborative environment for file management. Users can access documents from desktops, web browsers, and mobile devices, ensuring productivity across locations. Integration with Teams, SharePoint, and Office 365 streamlines workflows while maintaining security and compliance. Administrators can enforce sharing restrictions, track access activity, and recover files to protect organizational data. OneDrive is critical for modern enterprises, enabling collaboration, mobility, and secure cloud storage while reducing reliance on local storage or insecure sharing methods. By combining accessibility with robust security controls, OneDrive allows organizations to manage data efficiently and safely, supporting both individual and team productivity.
Question 180:
Which attack attempts to guess passwords systematically on a single account until successful?
A) Brute force attack
B) Password spraying
C) Phishing
D) SQL injection
Answer: A) Brute force attack
Explanation:
A brute force attack is a method of systematically attempting every possible combination of a password for a single account until the correct one is found. Attackers often automate this process using software tools capable of generating millions of password guesses quickly. Brute force attacks are effective against weak or short passwords and can target online accounts, encrypted files, or authentication systems. Successful brute force attacks compromise accounts, data, and potentially the broader network if the account has elevated privileges. Organizations mitigate brute force attacks by enforcing strong password policies, using multi-factor authentication (MFA), implementing account lockout mechanisms, rate limiting login attempts, and monitoring suspicious activity. Logging and alerting on repeated failed attempts allow security teams to detect attacks early and respond effectively.
Password spraying targets multiple accounts using a few commonly used passwords. Unlike brute force, which focuses on a single account exhaustively, password spraying is distributed to avoid triggering account lockouts.
Phishing relies on social engineering to trick users into revealing credentials or personal information. Phishing does not involve automated or systematic password guessing.
SQL injection manipulates backend database queries through input vulnerabilities to access or modify data. SQL injection targets server-side applications and is unrelated to systematic guessing of passwords.
Brute force attacks highlight the importance of strong, complex, and unique passwords, alongside multi-factor authentication to reduce risk. Security teams monitor authentication patterns, apply rate limiting, and educate users on safe password practices. Automated defenses, anomaly detection, and lockout policies help prevent attackers from succeeding with brute force attempts. Brute force attacks demonstrate the necessity of combining technical controls with user awareness to secure accounts against credential-based attacks while ensuring continued operational resilience and data protection.
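The distinction drawn above between brute force (many failures against one account) and password spraying (one source, few attempts each across many accounts) is what a detection rule has to encode. The following added example, not part of the original page, runs both rules over a constructed failed-login log; the log line format, the thresholds, and the addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log, one failed login per line (not real data):
# six failures against one account from one source, one failure each against five
# accounts from a second source, and two failures from a third source as noise.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T09:00:{i:02d}Z FAIL src=203.0.113.7 user=alice" for i in range(6)]
    + [f"2024-05-01T09:01:0{i}Z FAIL src=198.51.100.9 user={u}"
       for i, u in enumerate(["bob", "carol", "dave", "erin", "frank"])]
    + ["2024-05-01T09:02:00Z FAIL src=192.0.2.3 user=alice",
       "2024-05-01T09:02:05Z FAIL src=192.0.2.3 user=alice"]
)

# Assumed log format: "<timestamp> FAIL src=<ip> user=<account>".
LINE_RE = re.compile(r"^\S+ FAIL src=(?P<src>\S+) user=(?P<user>\S+)$")


def parse_failures(log_text):
    """Return (src, user) pairs for every failed-login line; other lines are ignored."""
    pairs = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group("src"), m.group("user")))
    return pairs


def detect(pairs, brute_threshold=5, spray_accounts=5):
    """Apply both rules and return a list of findings.

    brute_force:    one (source, account) pair with >= brute_threshold failures.
    password_spray: one source failing against >= spray_accounts distinct accounts.
    The spray rule is needed because each sprayed account sees only one or two
    failures, which stays below a per-account lockout or brute-force threshold.
    """
    per_pair = defaultdict(int)
    accounts_per_src = defaultdict(set)
    for src, user in pairs:
        per_pair[(src, user)] += 1
        accounts_per_src[src].add(user)

    findings = []
    for (src, user), n in per_pair.items():
        if n >= brute_threshold:
            findings.append({"type": "brute_force", "src": src, "user": user, "failures": n})
    for src, users in accounts_per_src.items():
        if len(users) >= spray_accounts:
            findings.append({"type": "password_spray", "src": src, "accounts": sorted(users)})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_failures(SAMPLE_LOG)):
        print(finding)
```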