CompTIA PenTest+ PT0-003 Exam Dumps and Practice Test Questions Set 2 Q21-40


Question 21:

Which type of attack exploits a user’s browser to run malicious scripts on a trusted website?

A) Cross-site scripting (XSS)

B) SQL injection

C) Man-in-the-middle

D) Denial of Service (DoS)

Answer: A) Cross-site scripting (XSS)

Explanation:

Cross-site scripting (XSS) is a client-side attack that targets web applications by injecting malicious scripts into web pages viewed by other users. When users visit a page containing the malicious code, their browsers execute the script, which can steal cookies, session tokens, or other sensitive data. Attackers can also manipulate the DOM to display fake content, redirect users to malicious sites, or perform unauthorized actions within the context of the user’s session. XSS is particularly dangerous because it leverages the trust between a user and a website. Even if the user follows standard security precautions, the attack occurs in their browser as part of legitimate interaction with the site.

SQL injection exploits backend database queries by inserting malicious SQL statements into input fields. While SQL injection can extract data, manipulate databases, or escalate privileges, it occurs server-side rather than client-side. SQL injection does not directly execute code within the user’s browser, so it does not match the behavior of XSS attacks.

Man-in-the-middle (MITM) attacks intercept communications between two parties, allowing an attacker to eavesdrop, modify, or inject data. MITM affects network traffic and focuses on confidentiality and integrity, rather than executing scripts within a user’s browser. While MITM could be combined with other attacks to deliver malicious content, it does not inherently execute client-side scripts on trusted websites.

Denial of Service (DoS) attacks overwhelm servers or network resources to make systems unavailable. DoS attacks do not involve client-side execution of scripts and target availability rather than user session integrity. They are primarily network-level or application-level attacks and do not exploit browser behavior.

XSS attacks are classified into stored, reflected, or DOM-based types. Stored XSS occurs when malicious input is permanently stored on the server, affecting every user who views the content. Reflected XSS returns the script from a crafted request directly in the server's response, so it executes as soon as the victim follows the malicious link, which is often delivered through phishing. DOM-based XSS occurs when client-side script itself writes attacker-controlled data into the page, without the payload ever being reflected by the server. All variants rely on exploiting trust relationships between the user and the website.

Effective defenses include input validation, output encoding, content security policies (CSP), and secure development practices. Understanding the distinction between XSS and other attack types is crucial because its mitigation requires both server-side and client-side controls.

In conclusion, XSS is the type of attack that exploits a user’s browser to execute malicious scripts on a trusted website. Other attack types—SQL injection, MITM, and DoS—affect server databases, network traffic, or system availability rather than client-side execution. Therefore, A is the correct answer.
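The explanation above names output encoding and Content Security Policy as the core defenses. The following is an added example, not code from the original page: a comment-rendering function written with raw string interpolation beside the same function with HTML output encoding, plus a baseline CSP header. The sample comment and the function names are constructed for illustration.

```python
import html
from typing import Dict

# Constructed sample of user-supplied text (not from the page): a comment that
# carries an inline script, the shape a stored or reflected XSS payload takes.
SAMPLE_COMMENT = 'Nice post! <script>alert("xss")</script>'


def render_comment_unsafe(comment: str) -> str:
    """Interpolates raw input into the HTML body. The browser parses whatever
    markup the comment contains, so an embedded <script> runs in the victim's
    session. This is the flaw, kept here only as the 'before' of the fix."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Output-encode for the HTML body context: <, >, &, " and ' become
    entities, so the browser displays the text literally instead of parsing it
    as markup. html.escape is the stdlib encoder for this one context; URL,
    JavaScript and CSS contexts each need their own encoding rules."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def csp_header() -> Dict[str, str]:
    """A restrictive baseline Content-Security-Policy (assumed policy values):
    scripts only from the page's own origin and no inline script, so an
    injected inline <script> is refused even where encoding was missed."""
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
    }


def contains_live_script_tag(rendered: str) -> bool:
    """True when the rendered HTML still contains an unencoded <script> tag."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
    print(csp_header())
```

The safe renderer is what a template engine with auto-escaping does by default; the point of the comparison is that encoding happens at output time, in the context where the data is written, rather than by trying to strip dangerous input on the way in.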

Question 22:

Which technique is most appropriate for validating password strength across multiple user accounts without locking them out?

A) Password spraying

B) Brute force attack

C) Credential stuffing

D) Dictionary attack

Answer: A) Password spraying

Explanation:

Password spraying is a credential-based attack that attempts a limited number of commonly used passwords across many accounts, rather than focusing on a single account. This technique avoids triggering account lockouts because it limits the number of guesses per user. In penetration testing, password spraying is valuable for assessing weak password policies while maintaining ethical boundaries and respecting rules of engagement. It can reveal accounts with predictable passwords without causing unnecessary disruption.

Brute force attacks attempt every possible combination of characters to crack a single account password. While highly effective against weak passwords, brute force attacks are noisy and likely to trigger lockout mechanisms. They are resource-intensive and not suitable for testing multiple accounts without risk of disruption.

Credential stuffing involves using leaked credentials from previous breaches to attempt access to accounts on the same or different systems. This technique relies on the reuse of passwords and is effective in real-world attacks but does not inherently validate password strength across multiple accounts in a controlled testing scenario. It also carries ethical concerns if used improperly.

Dictionary attacks attempt passwords using a predefined list of common words or phrases. While efficient for cracking weak passwords, dictionary attacks target individual accounts intensively and can easily trigger lockouts, making them unsuitable for safe multi-account assessment.

Password spraying works within operational limits to test multiple accounts safely. By selecting a small set of commonly used passwords and spreading attempts across users, it evaluates password policies and highlights weak credentials without overwhelming systems. This approach aligns with controlled penetration testing and security auditing objectives.

In conclusion, password spraying is the technique most appropriate for validating password strength across multiple accounts without triggering lockouts. Other methods—brute force, credential stuffing, and dictionary attacks—either focus on single accounts, risk disruption, or do not assess password strength systematically. Therefore, A is the correct answer.
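The distinguishing feature described above, a few guesses each against many accounts, is also what a defender keys on. The following is an added detection example, not part of the original page: it parses a constructed authentication log (the line format and IP addresses are assumptions) and flags a source whose failed logins in a sliding window touch many users with only a few attempts each, while leaving a single-account brute-force pattern to a different rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed authentication log lines (hypothetical format, not from the page).
# 203.0.113.5 fails once against six different users inside two minutes (spray
# shape); 198.51.100.7 fails six times against one user (brute-force shape).
LOG_LINES = [
    "2024-05-01T09:00:01Z src=203.0.113.5 user=alice result=FAIL",
    "2024-05-01T09:00:15Z src=203.0.113.5 user=bob result=FAIL",
    "2024-05-01T09:00:30Z src=203.0.113.5 user=carol result=FAIL",
    "2024-05-01T09:00:44Z src=203.0.113.5 user=dave result=FAIL",
    "2024-05-01T09:01:02Z src=203.0.113.5 user=erin result=FAIL",
    "2024-05-01T09:01:20Z src=203.0.113.5 user=frank result=FAIL",
    "2024-05-01T09:02:00Z src=192.0.2.10 user=grace result=SUCCESS",
    "2024-05-01T09:05:00Z src=198.51.100.7 user=alice result=FAIL",
    "2024-05-01T09:05:03Z src=198.51.100.7 user=alice result=FAIL",
    "2024-05-01T09:05:06Z src=198.51.100.7 user=alice result=FAIL",
    "2024-05-01T09:05:09Z src=198.51.100.7 user=alice result=FAIL",
    "2024-05-01T09:05:12Z src=198.51.100.7 user=alice result=FAIL",
    "2024-05-01T09:05:15Z src=198.51.100.7 user=alice result=FAIL",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_password_spray(lines: List[str],
                          window: timedelta = timedelta(minutes=10),
                          min_users: int = 5,
                          max_per_user: int = 2) -> List[dict]:
    """Flag sources whose failures in any window of `window` length cover at
    least `min_users` distinct accounts with no account tried more than
    `max_per_user` times. Staying under the lockout threshold is exactly what
    makes the spray shape distinctive, so it is what the rule matches."""
    events = [e for e in map(parse_line, lines) if e and e["result"] == "FAIL"]
    events.sort(key=lambda e: e["ts"])
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        alert = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user: Dict[str, int] = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Overwrite so the alert reports the widest qualifying window.
                alert = {"src": src, "users": sorted(per_user),
                         "first": evs[start]["ts"], "last": evs[end]["ts"]}
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(LOG_LINES):
        print(a["src"], len(a["users"]), "accounts", a["first"], "to", a["last"])
```

Thresholds are deliberately parameters: a tester agreeing rules of engagement and a SOC tuning the rule both need to know where the organization's lockout policy sits relative to `max_per_user`, and sources behind a NAT or proxy will need the per-source grouping adjusted.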

Question 23:

Which type of malware is designed to encrypt a victim’s files and demand payment for decryption?

A) Ransomware

B) Rootkit

C) Trojan horse

D) Adware

Answer: A) Ransomware

Explanation:

Ransomware is a type of malicious software that encrypts files on a victim’s system, rendering them inaccessible. After encryption, attackers demand a ransom—usually in cryptocurrency—in exchange for a decryption key. Ransomware can propagate through phishing emails, malicious downloads, or exploit kits. Its primary objective is financial gain by creating urgency and pressure on victims to pay to regain access. Ransomware often targets critical business systems, leading to operational disruption and potential reputational damage.

Rootkits are malware designed to remain undetected by modifying operating system components or drivers. They provide stealth and persistent access but do not encrypt files for ransom. Rootkits are typically used to facilitate other attacks, such as data exfiltration or privilege escalation, rather than direct financial extortion.

Trojan horses disguise themselves as legitimate software to trick users into installing them. While Trojans may deliver ransomware, keyloggers, or remote access tools, the Trojan itself is defined by its deceptive delivery method, not by encryption or ransom demands.

Adware displays unsolicited advertisements and may track user behavior. It is generally a nuisance rather than a high-risk financial threat. Adware does not encrypt files or demand payment and focuses on generating revenue through advertising rather than coercion.

Ransomware is characterized by its encryption of valuable data and direct monetary threat. It can spread rapidly across networks, exploit weak backups, and bypass some endpoint defenses. Effective mitigation includes regular backups, user training, patching vulnerabilities, and endpoint protection with behavior analysis.

In conclusion, ransomware is the malware type that encrypts files and demands payment for decryption. Other malware types—rootkits, Trojans, and adware—have different objectives and do not inherently perform file encryption for extortion. Therefore, A is the correct answer.

Question 24:

Which control is most effective at ensuring only devices that meet security standards can access corporate resources?

A) Network Access Control (NAC)

B) Antivirus software

C) Firewalls

D) Backup solutions

Answer: A) Network Access Control (NAC)

Explanation:

Network Access Control (NAC) enforces policies that allow only devices meeting predefined security criteria to connect to corporate networks. NAC can check for compliance with patch levels, antivirus status, encryption, and configuration baselines. Non-compliant devices can be quarantined, blocked, or given limited access. By enforcing endpoint security standards before granting network access, NAC significantly reduces the risk of malware introduction, data exfiltration, or unauthorized access. NAC solutions often integrate with directory services and endpoint management platforms for centralized policy enforcement.

Antivirus software protects devices from malware by detecting and blocking malicious files. While critical for endpoint security, antivirus does not control network access based on device compliance or enforce organizational security policies across all devices. It is reactive rather than preventative in terms of network access.

Firewalls enforce network traffic filtering based on IP, port, or protocol rules. Firewalls protect perimeter and internal segments from unauthorized access but do not evaluate the security posture of individual devices attempting to connect. Firewalls alone cannot prevent insecure endpoints from joining a network.

Backup solutions preserve data for recovery in case of failure or compromise. While essential for resilience, backups do not enforce security standards on connecting devices and cannot prevent untrusted devices from accessing resources.

NAC directly addresses the requirement by verifying device compliance before granting access. It ensures that only devices that meet security standards can communicate with corporate resources, effectively reducing risk and enforcing policy. Other controls—antivirus, firewalls, and backups—support security but do not manage access based on device posture.

In conclusion, Network Access Control (NAC) is the most effective control for ensuring only compliant devices access corporate resources, making A the correct answer.

Question 25:

Which assessment method evaluates the effectiveness of both technical and human security controls simultaneously?

A) Red team engagement

B) Vulnerability scanning

C) Policy review

D) Penetration test on a single system

Answer: A) Red team engagement

Explanation:

Red team engagements are comprehensive security assessments that simulate real-world attacks, including both technical and social engineering components. Red teams attempt to bypass defenses, exploit vulnerabilities, and compromise systems while evaluating human responses to threats. This holistic approach tests technical controls such as firewalls, intrusion detection systems, patching, and configuration baselines, while also assessing human factors like security awareness, response to phishing, adherence to procedures, and operational vigilance. Red team exercises provide a realistic view of an organization’s security posture, revealing gaps that isolated assessments may not detect.

Vulnerability scanning is a technical assessment that identifies known weaknesses in systems or applications. While valuable for discovering technical flaws, it does not evaluate human behavior or the effectiveness of operational controls. Scanning alone cannot determine whether employees respond correctly to simulated attacks.

Policy review examines documentation, standards, and procedures. It ensures that policies exist and are adequate on paper, but it does not validate their practical implementation or effectiveness against real-world threats. Employees may ignore or misinterpret policies, so policy review alone is insufficient for holistic assessment.

A penetration test on a single system evaluates the security of that system by exploiting vulnerabilities and attempting unauthorized access. While useful for focused technical testing, it does not assess broader organizational defenses or human factors, limiting its scope compared to a full red team engagement.

Red team engagements combine technical exploitation with social engineering, insider threat simulations, and operational scenarios. This method provides actionable intelligence on the interplay between people, processes, and technology. Organizations can identify weaknesses in detection, incident response, awareness, and defense-in-depth strategies.

Question 26:

Which security control prevents unauthorized users from reading sensitive files even if they gain access to the file system?

A) File encryption

B) Antivirus software

C) Firewall

D) Intrusion detection system (IDS)

Answer: A) File encryption

Explanation:

File encryption is a cryptographic method used to protect the confidentiality of data at rest. When files are encrypted, their contents are transformed into ciphertext, making them unreadable without the correct decryption key. This ensures that even if an attacker gains physical access to a device or successfully bypasses access controls on the file system, they cannot interpret or use the sensitive information. Encryption provides a strong layer of defense for protecting intellectual property, personal data, financial records, and other critical information. Modern encryption algorithms, such as AES (Advanced Encryption Standard), provide high levels of security and are widely adopted across industries for both compliance and operational protection.

Antivirus software detects and removes known malware, helping prevent unauthorized modification or exfiltration of data. While antivirus is an essential protective measure against threats, it does not prevent a user or attacker with legitimate access to the file system from reading unencrypted files. Antivirus is reactive and focused on malware threats rather than ensuring confidentiality in case of access control failure.

Firewalls control incoming and outgoing network traffic based on defined security rules. Firewalls protect network boundaries and limit exposure to external threats, but they do not protect individual files stored on local devices or network shares. If an attacker bypasses the firewall and gains direct access to a system, the files remain readable unless they are encrypted.

Intrusion detection systems (IDS) monitor network or host activity to detect suspicious behavior. IDS can alert administrators to potential breaches, unauthorized access attempts, or abnormal actions, but they do not inherently prevent data from being read. IDS is a monitoring control rather than a preventive measure for protecting file contents.

File encryption is proactive and ensures that data confidentiality is preserved even if access controls fail or the device is stolen. It complements other security measures such as strong access controls, monitoring, antivirus, and network defenses. Encryption protects sensitive files regardless of user or attacker privileges, making it a critical control for data protection, regulatory compliance, and risk mitigation. It is especially effective against insider threats, theft, and accidental exposure of sensitive information.

In conclusion, file encryption prevents unauthorized users from reading sensitive files even if they gain access to the file system. Other controls—antivirus, firewalls, and IDS—serve important security functions but do not directly enforce confidentiality at the file level. Therefore, A is the correct answer.

Question 27:

Which attack exploits a vulnerability in an application’s input validation to access or manipulate the backend database?

A) SQL injection

B) Cross-site scripting (XSS)

C) Buffer overflow

D) Phishing

Answer: A) SQL injection

Explanation:

SQL injection is a server-side attack that targets vulnerabilities in an application’s input validation. Attackers provide specially crafted input that manipulates SQL queries executed by the backend database. When applications fail to properly sanitize user input, the malicious input can alter query logic, allowing attackers to retrieve, modify, or delete data, escalate privileges, or bypass authentication controls. SQL injection is one of the most common and severe web application vulnerabilities, often ranked highly on lists such as the OWASP Top Ten. Exploiting SQL injection can result in unauthorized access to sensitive data, financial loss, or full compromise of the database system.

Cross-site scripting (XSS) attacks operate on the client side by injecting malicious scripts into web pages. XSS affects the user’s browser and session, allowing attackers to steal cookies, perform actions as the victim, or manipulate content. While XSS exploits improper input validation, it does not directly manipulate the backend database. Its impact is limited to client-side compromise rather than server-side data manipulation.

Buffer overflow attacks exploit programming errors where an application writes more data into memory than allocated. This can lead to memory corruption, crashes, or execution of arbitrary code. While buffer overflows can compromise a system, they are distinct from SQL injection because they target memory management rather than backend database logic.

Phishing attacks are social engineering techniques aimed at deceiving users into revealing sensitive information or credentials. Phishing relies on human behavior rather than exploiting application input validation or technical vulnerabilities. It does not directly manipulate databases or application logic.

SQL injection remains a high-priority risk because it directly targets the logic of database queries, enabling attackers to read or modify data without authorization. Preventive measures include input validation, parameterized queries, stored procedures, and web application firewalls. Understanding SQL injection is essential for secure application development and risk management.

In conclusion, SQL injection exploits input validation weaknesses to manipulate backend databases. XSS, buffer overflows, and phishing are different types of attacks affecting other layers of systems or human behavior. Therefore, A is the correct answer.
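The explanation lists parameterized queries among the preventive measures. The following is an added example, not code from the original page, using Python's stdlib sqlite3 against an in-memory table (the schema, rows and function names are constructed): the lookup built by string concatenation beside the same lookup with a bound parameter, so the difference in how the crafted input is treated can be observed directly.

```python
import sqlite3
from typing import List

# Constructed input that closes the quoted literal and appends a condition that
# is always true; the textbook shape the explanation refers to.
CRAFTED_INPUT = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build a small in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """The flaw, kept as the 'before' of the fix: the input is spliced into the
    SQL text, so a quote character in it ends the literal and everything after
    is parsed as query logic instead of data."""
    query = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Parameterized form: the SQL text is fixed and the value travels
    separately as a bound parameter, so it can match only a literal username
    and can never alter the statement's structure."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", find_user_vulnerable(db, "alice"))
    print("vulnerable, crafted input:", find_user_vulnerable(db, CRAFTED_INPUT))
    print("parameterized, crafted input:", find_user_safe(db, CRAFTED_INPUT))
```

Input validation is still worthwhile alongside this (an allowlist on username characters would have rejected the crafted value outright), but parameterization is the control that holds even when validation is missed, because it removes the code/data confusion rather than trying to filter it.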

Question 28:

Which security measure ensures that critical systems remain operational during a ransomware attack?

A) Offline backups

B) Antivirus software

C) Network firewalls

D) Security awareness training

Answer: A) Offline backups

Explanation:

Offline backups are copies of data stored in locations disconnected from live systems and networks. In the event of a ransomware attack, where attackers encrypt files on operational systems, offline backups allow organizations to restore critical systems without paying ransom. By keeping backups isolated from network access, offline storage prevents attackers from encrypting or deleting these copies. Effective backup strategies include regular backup schedules, offsite storage, redundancy, and validation of backup integrity. These measures provide resilience against ransomware and other catastrophic events.

Antivirus software helps detect and remove malware, including some ransomware variants. While essential for prevention, antivirus alone cannot recover encrypted files once ransomware has executed. Relying solely on antivirus provides reactive rather than restorative capabilities.

Network firewalls protect systems from unauthorized external access. Firewalls can block malicious traffic and limit exposure but do not restore data or operational capability after encryption. They are primarily preventative and do not address recovery during a ransomware event.

Security awareness training educates users about phishing, social engineering, and safe practices. Awareness reduces the likelihood of ransomware infection but does not ensure system continuity if an attack succeeds. Training supports prevention rather than system recovery.

Offline backups are critical because they provide a reliable recovery mechanism independent of compromised systems. They allow organizations to resume operations quickly, minimize downtime, and reduce financial and reputational impact. They are part of a broader resilience strategy, including testing disaster recovery plans, maintaining redundancy, and segmenting backups from production networks.

In conclusion, offline backups ensure critical systems remain operational during a ransomware attack. Other controls—antivirus, firewalls, and awareness training—support prevention but cannot restore encrypted data or guarantee business continuity. Therefore, A is the correct answer.

Question 29:

Which technique allows a penetration tester to use a compromised host to attack other devices within the network?

A) Pivoting

B) Phishing

C) Social engineering

D) Password spraying

Answer: A) Pivoting

Explanation:

Pivoting is a technique used during penetration testing to move laterally within a network after compromising a host. A tester leverages the initially compromised system as a bridge to reach otherwise inaccessible network segments or systems. This allows evaluation of internal defenses, trust relationships, network segmentation, and security monitoring. Pivoting can use techniques such as port forwarding, SSH tunneling, or proxying to route traffic through the compromised host. The goal is to simulate how real attackers escalate access from a foothold to critical systems while testing the effectiveness of detection and response mechanisms.

Phishing involves tricking users into revealing credentials or executing malicious actions through emails or messages. While effective for gaining initial access, phishing does not directly facilitate lateral movement through a compromised host. It is a social engineering technique rather than a network pivoting method.

Social engineering exploits human behavior to bypass security controls, manipulate users, or obtain sensitive information. Social engineering can deliver payloads or credentials but does not inherently involve using a compromised host to attack other systems in a network.

Password spraying attempts common passwords across multiple accounts to gain access. While it may help compromise additional accounts, it does not provide the controlled method of using an already compromised host as a pivot point for further exploitation.

Pivoting is essential for red team exercises and advanced penetration tests because it evaluates the effectiveness of internal segmentation, access controls, and monitoring within the organization. Without pivoting, testers might be limited to the initially compromised system, missing the opportunity to simulate realistic attack paths. Pivoting highlights weaknesses in lateral movement detection, trust boundary enforcement, and network architecture.

In conclusion, pivoting allows a penetration tester to use a compromised host to attack other devices within the network. Phishing, social engineering, and password spraying serve other purposes in gaining access or credentials but do not describe lateral movement through a compromised host. Therefore, A is the correct answer.

Question 30:

Which security control detects abnormal behavior on endpoints and alerts administrators?

A) Endpoint Detection and Response (EDR)

B) Network firewall

C) VPN access control

D) Patch management

Answer: A) Endpoint Detection and Response (EDR)

Explanation:

Endpoint Detection and Response (EDR) solutions continuously monitor endpoints for suspicious or abnormal behavior, such as unusual process execution, unexpected network connections, or privilege escalation attempts. EDR provides visibility into endpoint activity, identifies potential compromises, and generates alerts for administrators to investigate. It can also provide containment options, forensic data, and response capabilities to stop or mitigate active attacks. EDR focuses on both known and unknown threats, leveraging machine learning, behavioral analytics, and threat intelligence to detect advanced attacks like malware, ransomware, or fileless exploits.

Network firewalls filter traffic based on rules such as IP addresses, ports, or protocols. While firewalls protect the network perimeter and internal segments from unauthorized access, they do not monitor detailed activity on individual endpoints or detect behavioral anomalies. Firewalls are primarily preventive rather than responsive.

VPN access control ensures that only authorized devices can connect to corporate resources remotely. While VPNs enforce authentication and encryption, they do not provide continuous monitoring of endpoint behavior or generate alerts for suspicious activity on the devices themselves.

Patch management ensures software is updated to fix vulnerabilities. While important for reducing risk, patch management is a preventive administrative control and does not provide real-time monitoring or alerting for abnormal endpoint behavior.

EDR is uniquely positioned to detect anomalies in real time, investigate potential threats, and provide actionable intelligence. It allows organizations to respond quickly to incidents, reduce dwell time, and maintain operational security. By combining detection, investigation, and response capabilities, EDR enhances endpoint security beyond traditional antivirus solutions.

Question 31:

Which security measure helps prevent attackers from exploiting weak passwords across multiple accounts?

A) Multi-factor authentication (MFA)

B) Antivirus software

C) Network segmentation

D) Offline backups

Answer: A) Multi-factor authentication (MFA)

Explanation:

Multi-factor authentication (MFA) is a security control that requires users to provide two or more verification factors before accessing accounts or systems. These factors can include something the user knows (password), something the user has (hardware token or smartphone app), or something the user is (biometric verification). MFA significantly reduces the risk of attackers exploiting weak passwords because possession of the password alone is insufficient for access. Even if a user’s password is compromised through phishing, password spraying, or credential stuffing, MFA provides an additional barrier, preventing unauthorized access.

Antivirus software protects endpoints from malware and other malicious software. While essential for preventing infections, antivirus does not address the inherent weakness of passwords or prevent account compromise in case credentials are exposed. It focuses on identifying and removing malware rather than authenticating users.

Network segmentation divides a network into isolated zones to limit lateral movement by attackers. Segmentation is effective for reducing exposure if a compromise occurs, but it does not strengthen authentication mechanisms or prevent exploitation of weak passwords. Segmentation controls access between systems rather than individual user credentials.

Offline backups preserve data in locations disconnected from live networks to enable recovery in case of ransomware or data loss. While backups are vital for resilience, they do not prevent unauthorized access or exploitation of weak passwords. Offline backups serve recovery purposes rather than authentication enforcement.

MFA is a preventive security control that addresses the specific risk posed by weak or stolen credentials. By requiring multiple verification factors, it ensures that attackers cannot rely solely on guessing or stealing passwords. MFA is effective against automated attacks such as password spraying, brute-force attempts, and credential reuse. It complements strong password policies and user education, forming part of a defense-in-depth strategy.

Organizations often implement MFA across all critical systems, including email, VPNs, cloud applications, and administrative portals. Integration with identity providers, conditional access policies, and adaptive authentication enhances security by requiring MFA based on device compliance, location, or risk assessment. MFA reduces the likelihood of successful account compromise, protects sensitive information, and improves overall security posture.

In conclusion, multi-factor authentication (MFA) helps prevent attackers from exploiting weak passwords across multiple accounts. Other controls like antivirus, network segmentation, and offline backups are important for security but do not directly mitigate password-based risks. Therefore, A is the correct answer.

Question 32:

Which technique allows an attacker to capture and analyze network traffic between two devices?

A) Packet sniffing

B) Port scanning

C) Password spraying

D) Ransomware deployment

Answer: A) Packet sniffing

Explanation:

Packet sniffing is a technique in which network traffic is intercepted and analyzed to capture data transmitted between devices. Attackers or security professionals can use packet sniffers to examine network packets for sensitive information such as credentials, session tokens, unencrypted messages, or protocol details. Packet sniffing can occur on wired networks, wireless networks, or virtual environments, depending on the attacker’s access. Tools such as Wireshark allow detailed inspection of packet headers, payloads, and protocol interactions, providing visibility into communication patterns and potential vulnerabilities.

Port scanning is a technique used to identify open ports, services, and potential vulnerabilities on a system. While port scanning can help an attacker or penetration tester map network resources, it does not capture the content of the traffic transmitted between devices. Port scanning focuses on identifying attack surfaces rather than analyzing communication data.

Password spraying involves attempting a small set of commonly used passwords against multiple accounts to avoid lockouts. Password spraying targets authentication and does not involve monitoring or capturing network traffic. It is unrelated to the analysis of data flows between devices.

Ransomware deployment is the installation of malicious software that encrypts files and demands a ransom for decryption. Ransomware disrupts systems and compromises availability but does not provide insight into network traffic or communication between devices.

Packet sniffing is often used in ethical hacking to analyze traffic for vulnerabilities, misconfigurations, or unencrypted sensitive data. Security teams use it to detect insecure protocols, monitor network health, and assess compliance with encryption standards. Attackers may exploit sniffed traffic to obtain credentials, hijack sessions, or perform reconnaissance for further attacks. Encryption, VPNs, and secure protocols mitigate the risk of packet sniffing by making intercepted data unreadable without decryption keys.

In conclusion, packet sniffing allows an attacker to capture and analyze network traffic between two devices. Other techniques—port scanning, password spraying, and ransomware deployment—serve different purposes and do not provide direct visibility into network communication. Therefore, A is the correct answer.
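What a sniffer actually sees is the raw packet bytes, which the analyst then decodes header by header. The following is an added example, not code from the original page: a minimal IPv4/TCP/UDP header parser over a constructed packet (built with struct, checksums left at zero), together with the defender-side check the explanation mentions, flagging traffic on well-known cleartext service ports. The port table, packet contents and function names are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Well-known ports of protocols that carry data in the clear (assumed table for
# the example); their presence in a capture is what a compliance sweep flags.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP"}


@dataclass
class ParsedPacket:
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: Optional[int]
    dst_port: Optional[int]
    payload: bytes


def parse_ipv4(packet: bytes) -> ParsedPacket:
    """Decode the IPv4 header and, for TCP (6) or UDP (17), the transport
    header, returning addresses, ports and the remaining payload bytes."""
    (ver_ihl, _tos, total_len, _ident, _flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    transport = packet[ihl:total_len]
    src_ip = ".".join(str(b) for b in src)
    dst_ip = ".".join(str(b) for b in dst)

    if proto == 6:                        # TCP
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIB", transport[:13])
        data_off = (off_flags >> 4) * 4   # TCP header length, options included
        return ParsedPacket(src_ip, dst_ip, proto, sport, dport, transport[data_off:])
    if proto == 17:                       # UDP
        sport, dport, _length, _csum = struct.unpack("!HHHH", transport[:8])
        return ParsedPacket(src_ip, dst_ip, proto, sport, dport, transport[8:])
    return ParsedPacket(src_ip, dst_ip, proto, None, None, transport)


def cleartext_service(pkt: ParsedPacket) -> Optional[str]:
    """Name the cleartext protocol this packet belongs to, or None."""
    for port in (pkt.src_port, pkt.dst_port):
        if port in CLEARTEXT_PORTS:
            return CLEARTEXT_PORTS[port]
    return None


def build_sample_tcp_packet() -> bytes:
    """Constructed sample: a TCP segment from 10.0.0.1 to 10.0.0.2 port 23
    (Telnet) carrying a short banner. Checksums are zero, not computed."""
    payload = b"login: "
    tcp = struct.pack("!HHIIBBHHH", 51000, 23, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + payload


if __name__ == "__main__":
    pkt = parse_ipv4(build_sample_tcp_packet())
    print(pkt.src_ip, "->", pkt.dst_ip, "port", pkt.dst_port, "payload", pkt.payload)
    print("cleartext protocol:", cleartext_service(pkt))
```

The payload field is the point of the exercise: for a Telnet or HTTP session it is the readable text a sniffer would present, whereas for TLS or SSH it is ciphertext, which is why the explanation lists encryption and secure protocols as the mitigation.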

Question 33:

Which method is most effective for verifying that a web application correctly handles user input?

A) Input validation testing

B) Vulnerability scanning

C) Security awareness training

D) Patch management

Answer: A) Input validation testing

Explanation:

Input validation testing is a security assessment technique that ensures a web application properly checks and sanitizes all user inputs. Improper input validation can lead to critical vulnerabilities, including SQL injection, cross-site scripting (XSS), buffer overflows, and command injection. During input validation testing, testers provide both expected and unexpected inputs to observe how the application handles them. Effective validation includes enforcing data type constraints, length restrictions, character restrictions, and context-specific encoding. Proper validation prevents malicious input from being processed, manipulated, or executed by the application or backend systems.

Vulnerability scanning is an automated process that identifies known weaknesses in systems and applications. While valuable for discovering general security issues, vulnerability scanning does not specifically test how an application handles user input in different contexts. It may flag misconfigurations or outdated software but lacks the detailed analysis required for input validation assessment.

Security awareness training educates employees on safe practices, social engineering threats, and security policies. While important for human risk management, it does not assess technical behavior of web applications or validate handling of input. Training mitigates user errors but does not address application-level vulnerabilities.

Patch management involves applying software updates to fix security flaws or functionality issues. While keeping software up to date is critical for minimizing known vulnerabilities, patch management does not verify application input handling. It addresses preventive maintenance rather than proactive testing of input processing logic.

Input validation testing is essential because improper handling of user input is one of the most common causes of web application breaches. It allows developers and security teams to proactively identify and remediate potential vulnerabilities, ensuring the integrity, confidentiality, and availability of application data. Automated tools, such as fuzzers, and manual testing techniques are often combined to test various input scenarios effectively.

In conclusion, input validation testing is the most effective method for verifying that a web application correctly handles user input. Vulnerability scanning, security awareness training, and patch management support security in other ways but do not specifically validate input handling. Therefore, A is the correct answer.
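As an added illustration that is not part of the original question set, the Python below shows the kind of harness an input validation test uses: two constructed fields with assumed rules (a display name with type, length and character-set constraints, and a bounded integer quantity), context-specific HTML encoding on output, and a runner that feeds expected and unexpected inputs and reports every mismatch between the expected and actual handling.

```python
import html
import re

# Allow-list for the constructed display-name field (assumed rule, not from the page).
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 .'-]{3,40}")


def validate_display_name(value):
    """Type, length and character-set checks, applied in that order.
    Returns (accepted, reason) so a harness can check *why* input was rejected."""
    if not isinstance(value, str):
        return False, "type"
    if not 3 <= len(value) <= 40:
        return False, "length"
    if DISPLAY_NAME_RE.fullmatch(value) is None:
        return False, "charset"
    return True, "ok"


def validate_quantity(value):
    """Bounded integer field; rejects bools and numeric-looking strings."""
    if isinstance(value, bool) or not isinstance(value, int):
        return False, "type"
    if not 1 <= value <= 1000:
        return False, "range"
    return True, "ok"


def render_profile(display_name):
    """Context-specific encoding: the value lands in HTML text, so it is
    HTML-escaped even though validation passed (the allow-listed quote needs it)."""
    accepted, reason = validate_display_name(display_name)
    if not accepted:
        raise ValueError(f"rejected display name ({reason})")
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


VALIDATORS = {"display_name": validate_display_name, "quantity": validate_quantity}

# Constructed test vectors: (field, input, expected reason). The unexpected inputs
# cover wrong type, boundary lengths, a disallowed character, a control character
# and a non-ASCII look-alike that a naive check might accept.
TEST_VECTORS = [
    ("display_name", "Alice O'Brien", "ok"),
    ("display_name", "ab", "length"),
    ("display_name", "a" * 41, "length"),
    ("display_name", "alice<b>", "charset"),
    ("display_name", "alice\n", "charset"),
    ("display_name", "\uff41lice", "charset"),  # full-width 'a'
    ("display_name", None, "type"),
    ("quantity", 5, "ok"),
    ("quantity", 0, "range"),
    ("quantity", "5", "type"),
    ("quantity", True, "type"),
]


def run_input_validation_tests(vectors=TEST_VECTORS):
    """Feed every vector to its validator; return mismatches (empty list = pass)."""
    failures = []
    for field, value, expected in vectors:
        _, reason = VALIDATORS[field](value)
        if reason != expected:
            failures.append((field, value, expected, reason))
    return failures
```

A fuzzer plugs into the same harness by generating vectors (random lengths, random code points, wrong types) and asserting that every rejection carries the expected reason rather than an exception.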

Question 34:

Which type of attack involves intercepting and modifying communication between two parties without their knowledge?

A) Man-in-the-middle (MITM)

B) Cross-site scripting (XSS)

C) Denial of Service (DoS)

D) Ransomware

Answer: A) Man-in-the-middle (MITM)

Explanation:

A Man-in-the-Middle (MITM) attack occurs when an attacker secretly intercepts and potentially alters communications between two parties. The attacker can eavesdrop on sensitive information, manipulate messages, inject malicious content, or impersonate one of the participants. MITM attacks threaten confidentiality and integrity by exploiting weaknesses in network security, insecure protocols, or poor encryption practices. They can occur on wired, wireless, or virtual networks and may be combined with phishing or credential theft to achieve broader objectives.

Cross-site scripting (XSS) attacks inject malicious scripts into web pages, affecting users who visit the site. XSS is primarily client-side and targets browsers rather than intercepting communication between two parties. While it can steal information, it does not directly intercept or modify messages in transit.

Denial of Service (DoS) attacks overwhelm a system or network resource to disrupt availability. DoS focuses on rendering systems or services unusable and does not intercept or manipulate communications. It is an availability-focused attack rather than one compromising confidentiality or integrity.

Ransomware encrypts files on victim systems and demands payment for decryption. Ransomware affects data availability and can disrupt operations but does not intercept or alter communications between parties. It is a threat to operational continuity rather than network communication integrity.

MITM attacks are dangerous because they exploit trust relationships and can remain undetected for extended periods. Attackers may use ARP spoofing, DNS poisoning, or unsecured Wi-Fi networks to position themselves between communicating parties. Countermeasures include end-to-end encryption, HTTPS, VPNs, and strong authentication to ensure that communications cannot be intercepted or altered without detection.

In conclusion, Man-in-the-Middle (MITM) attacks involve intercepting and modifying communication between two parties without their knowledge. Other attack types—XSS, DoS, and ransomware—affect client-side scripts, system availability, or file access, respectively. Therefore, A is the correct answer.

Question 35:

Which method is most effective for assessing the organization’s overall security posture through real-world attack simulation?

A) Red team assessment

B) Vulnerability scanning

C) Security policy review

D) Antivirus deployment

Answer: A) Red team assessment

Explanation:

A red team assessment is a comprehensive security evaluation designed to simulate real-world attacks against an organization. Red teams combine technical exploitation, social engineering, physical security testing, and operational tactics to test defenses, policies, and incident response capabilities. Unlike targeted penetration tests, red team engagements assess the organization’s ability to detect, respond to, and recover from attacks that emulate sophisticated adversaries. They evaluate technical, human, and procedural controls simultaneously, providing a holistic view of security posture and revealing gaps that isolated assessments may miss.

Vulnerability scanning identifies known software weaknesses and misconfigurations. While useful for remediation planning, it only addresses technical vulnerabilities and cannot simulate complex multi-vector attacks or test human behavior. Scanning is limited to surface-level detection and does not measure organizational response.

Security policy review assesses the adequacy and clarity of written security policies. Policy reviews ensure compliance with standards and regulatory requirements but do not evaluate operational effectiveness. Policies may exist on paper but fail during real attacks if implementation or adherence is weak.

Antivirus deployment protects endpoints from malware and other known threats. While important for endpoint defense, antivirus does not evaluate human, procedural, or network controls in a simulated attack context. It does not provide insight into real-world attacker techniques or organizational readiness.

Red team assessments are the most effective method for testing overall security posture because they combine technical, procedural, and human aspects in realistic scenarios. The results provide actionable insights into detection gaps, incident response weaknesses, and areas for improvement in defense-in-depth strategies. Red team exercises help organizations strengthen resilience, validate controls, and improve coordination among IT, security, and operational teams.

In conclusion, a red team assessment is the method most effective for assessing an organization’s overall security posture through real-world attack simulation. Other approaches—vulnerability scanning, policy review, and antivirus deployment—support specific security objectives but do not provide comprehensive, realistic testing. Therefore, A is the correct answer.

Question 36:

Which security control is designed to prevent unauthorized devices from connecting to a corporate network?

A) Network Access Control (NAC)

B) Endpoint Detection and Response (EDR)

C) Antivirus software

D) Data Loss Prevention (DLP)

Answer: A) Network Access Control (NAC)

Explanation:

Network Access Control (NAC) is a security mechanism that enforces policies to allow or deny access to network resources based on the compliance status of devices attempting to connect. NAC solutions evaluate endpoints for required configurations, patch levels, antivirus status, encryption, and other security attributes before granting access. Devices that fail to meet defined standards may be quarantined, given limited access, or blocked entirely. NAC enhances the security of corporate networks by reducing the likelihood of compromised or non-compliant devices introducing malware, ransomware, or other threats.

Endpoint Detection and Response (EDR) focuses on monitoring, detecting, and responding to suspicious behavior on endpoints. EDR provides alerts, forensic data, and containment options for detected threats, but it does not proactively prevent unauthorized devices from accessing a network. It addresses threats on devices that are already connected rather than controlling network access at the entry point.

Antivirus software detects and removes known malware from devices. While antivirus is crucial for endpoint protection, it does not evaluate devices attempting to connect to a network or enforce compliance policies. Malware may be detected after the device is already on the network, which does not prevent initial unauthorized access.

Data Loss Prevention (DLP) is designed to prevent sensitive information from leaving the organization through email, cloud services, or removable media. DLP controls data exfiltration and enforces compliance with data handling policies, but it does not evaluate or restrict devices connecting to the network. Its focus is on information security rather than device authentication.

NAC integrates with directory services, endpoint management systems, and policy engines to create a secure network access environment. It can enforce role-based access control, segment users based on risk, and automatically remediate or restrict non-compliant devices. NAC helps organizations enforce security policies consistently across wired, wireless, and remote connections. Effective implementation of NAC reduces exposure to malware, limits lateral movement by attackers, and ensures that only trusted and compliant devices can access sensitive systems.

Question 37:

Which method allows attackers to discover open ports and services on a target system?

A) Port scanning

B) Packet sniffing

C) Social engineering

D) Ransomware deployment

Answer: A) Port scanning

Explanation:

Port scanning is a reconnaissance technique that identifies open ports and services on a target system. Attackers use port scanners to probe TCP and UDP ports to determine which services are listening and potentially vulnerable. By mapping available ports and services, attackers can prioritize targets for further exploitation. Port scanning can be performed using tools such as Nmap, which provides information about service type, version, and operating system fingerprinting. Scanning can also reveal firewall rules, network segmentation weaknesses, and the presence of intrusion detection systems.

Packet sniffing captures network traffic for analysis, providing visibility into the data transmitted between devices. While sniffing can reveal sensitive information like credentials or session tokens, it does not identify open ports or enumerate services on a target system. Sniffing focuses on traffic analysis rather than network reconnaissance.

Social engineering manipulates humans into revealing information, performing actions, or granting access. This technique targets user behavior and psychology rather than technical details like ports or services. Social engineering may be used in combination with reconnaissance, but it does not inherently discover open network ports.

Ransomware deployment installs malware that encrypts files and demands a ransom. It is an attack vector that disrupts availability and causes operational damage. Ransomware does not perform reconnaissance or gather information about open ports or services prior to execution.

Port scanning is a crucial first step in penetration testing and ethical hacking. It allows security professionals to identify exposed services, misconfigurations, or outdated software. Proper port scanning informs vulnerability assessment and helps organizations understand their attack surface. Defensive measures, such as firewall rules, intrusion detection, and port obfuscation, mitigate risks associated with port scanning by reducing the visibility of network services.

Question 38:

Which technique involves tricking users into revealing credentials through email or messaging?

A) Phishing

B) Brute force attack

C) SQL injection

D) Buffer overflow

Answer: A) Phishing

Explanation:

Phishing is a social engineering attack where attackers send emails, messages, or other communications designed to deceive recipients into revealing sensitive information, such as usernames, passwords, or financial details. Phishing attacks often mimic legitimate organizations, use urgent or alarming language, and include links to fake login pages. Phishing may also include attachments that deliver malware when opened. It exploits human trust and behavioral tendencies rather than technical vulnerabilities in systems. Security awareness training, email filtering, and multi-factor authentication help mitigate phishing risks by educating users and providing additional authentication layers.

Brute force attacks involve systematically trying all possible password combinations to gain access to an account. Brute force relies on computational power and password complexity but does not involve deceiving users into revealing credentials. It targets the technical weaknesses of authentication systems rather than human behavior.

SQL injection is a web application attack where attackers manipulate input fields to execute arbitrary SQL queries against a database. SQL injection exploits coding errors and lack of input validation. It does not involve interacting with users to obtain credentials or personal information.

Buffer overflow attacks target memory handling errors in software by inputting data that exceeds allocated buffers, potentially allowing arbitrary code execution. Buffer overflows are technical exploits affecting software memory, unrelated to tricking users into providing credentials.

Phishing attacks combine psychological manipulation and technical delivery methods to steal credentials. They can be highly targeted (spear-phishing) or broad (mass phishing campaigns) and often bypass technical defenses by exploiting human vulnerabilities. Effective phishing defenses include awareness programs, email authentication protocols like DMARC, and monitoring suspicious login behavior.

Question 39:

Which type of malware hides its presence and activities to avoid detection by antivirus software?

A) Rootkit

B) Adware

C) Ransomware

D) Trojan horse

Answer: A) Rootkit

Explanation:

A rootkit is a type of malware designed to conceal its presence and maintain privileged access to a system. Rootkits manipulate operating system components, kernel modules, or drivers to hide processes, files, and registry entries. This stealth capability allows attackers to maintain persistent control over the system, execute malicious operations, and evade detection by security software. Rootkits can be installed via phishing, malware, or physical access to a device and are particularly dangerous because they compromise system integrity without alerting users or administrators. Detecting rootkits often requires specialized tools, behavior-based monitoring, or offline analysis.

Adware is software that displays unwanted advertisements to users, often generating revenue for the developer. Adware does not aim to hide its presence extensively; it is more of a nuisance than a covert threat. It lacks root-level control or stealth mechanisms and can typically be detected and removed using standard security software.

Ransomware encrypts files and demands payment for decryption. While ransomware is malicious and disruptive, it does not primarily focus on hiding its presence. Its activity is overt, as the encryption of files alerts users and administrators immediately.

Trojan horses are malware disguised as legitimate software to trick users into installing them. Trojans may deliver additional payloads like keyloggers, ransomware, or rootkits, but the Trojan itself is identified by its deceptive delivery method, not its ability to hide once executed.

Rootkits are a sophisticated form of malware that enables attackers to maintain long-term access while avoiding detection. They can undermine trust in security mechanisms, manipulate logs, and provide a platform for further exploitation. Detection often involves integrity checks, behavioral analysis, and forensic techniques. Proper patching, endpoint protection, and minimizing privileged access help reduce the risk of rootkit installation.

Question 40:

Which control limits the spread of malware within a network by dividing it into isolated segments?

A) Network segmentation

B) Multi-factor authentication (MFA)

C) Security awareness training

D) Patch management

Answer: A) Network segmentation

Explanation:

Network segmentation divides a network into smaller, isolated segments, restricting communication between devices based on policy. Segmentation limits the spread of malware, ransomware, and unauthorized access by preventing attackers or infected devices from moving laterally across the network. Segmentation can be implemented through VLANs, firewalls, or access control lists that enforce strict boundaries between departments, applications, or critical systems. It enhances security, reduces the impact of compromises, and improves monitoring by isolating traffic to specific segments.

Multi-factor authentication (MFA) strengthens authentication processes but does not restrict the movement of malware within a network. MFA protects user accounts rather than limiting lateral propagation of threats.

Security awareness training educates employees about phishing, social engineering, and safe practices. While effective at reducing the likelihood of infection, training alone cannot control malware spread within network infrastructure.

Patch management updates software and firmware to fix vulnerabilities. While it reduces the risk of exploitation, patching does not inherently segment networks or prevent lateral movement of malware between compromised systems.

Network segmentation provides structural defense-in-depth, controlling access between different parts of the network. It is often combined with monitoring, firewalls, and endpoint protection to detect and isolate malicious activity. Properly implemented segmentation ensures that critical systems remain protected even if other parts of the network are compromised.
