CompTIA SY0-701 Security+ Exam Dumps and Practice Test Questions Set 10 Q181-200


Q181. A security analyst notices multiple failed login attempts from different user accounts across several servers within a short period. Which type of attack is most likely occurring?

A) Brute-force attack
B) Password spraying
C) Man-in-the-middle attack
D) Phishing

Answer: B) Password spraying

Explanation:

Option A, brute-force attack, involves systematically attempting every possible password for a single account. This attack is often resource-intensive and usually targets one account at a time. While brute-force attacks are effective against weak passwords, they often trigger account lockouts due to repeated failed login attempts on a single account. The scenario, which involves multiple accounts being targeted simultaneously, does not match the typical brute-force pattern.

Option C, man-in-the-middle (MITM) attack, involves intercepting and potentially modifying communications between two parties. MITM attacks are primarily concerned with capturing or altering information in transit, such as credentials or sensitive data. They do not inherently involve repeated login attempts across multiple accounts, so this option is not applicable to the observed behavior.

Option D, phishing, relies on tricking users into voluntarily providing their credentials via deceptive emails, websites, or messages. Although phishing can lead to compromised accounts, it does not manifest as automated login attempts across multiple accounts from multiple IPs.

Option B, password spraying, is correct. Password spraying attacks take advantage of weak or commonly used passwords by attempting the same password across many accounts instead of targeting one account with many password attempts. Key characteristics include:

Avoiding lockouts: By attempting only a few passwords per account, attackers avoid triggering security measures that lock accounts after repeated failed login attempts.

Automated tools: Attackers often use scripts or specialized software to attempt logins across multiple systems, making the attack faster and scalable.

Common passwords: The attack often uses default or commonly used passwords such as “Password123” or “Welcome1,” exploiting human tendencies to reuse simple passwords.

Detection and mitigation: Organizations can detect password spraying through monitoring failed login attempts across accounts, implementing MFA (multi-factor authentication), enforcing strong password policies, and rate-limiting login attempts.

Password spraying is particularly dangerous because it exploits human behavior and weak password policies, rather than technical vulnerabilities. Proper defense requires a combination of user education, robust authentication controls, and real-time monitoring to detect anomalous access patterns before an attacker can compromise accounts.

Q182. An organization wants to enforce that employees can only access cloud resources from devices that meet specific security requirements. Which access control model is most appropriate?

A) Role-based access control
B) Attribute-based access control
C) Mandatory access control
D) Discretionary access control

Answer: B) Attribute-based access control

Explanation:

Option A, role-based access control (RBAC), assigns permissions based on a user’s role within the organization. While RBAC efficiently manages access by job function, it does not consider contextual factors such as device compliance, location, or time of access. In the scenario, ensuring access only from compliant devices requires more granular, dynamic enforcement than RBAC provides.

Option C, mandatory access control (MAC), enforces strict policies based on labels or classifications and is typically used in highly secure environments such as government or military systems. While MAC is effective for protecting sensitive information, it does not dynamically enforce access based on device attributes or security posture.

Option D, discretionary access control (DAC), allows resource owners to grant access at their discretion. This model is flexible but does not provide centralized enforcement or consider contextual attributes such as device health or security compliance.

Option B, attribute-based access control (ABAC), is correct. ABAC evaluates access decisions based on attributes associated with users, devices, environments, and resources. Key aspects include:

Contextual enforcement: Access policies consider multiple attributes, such as device compliance, operating system version, security software status, geographic location, and time of day.

Granular control: ABAC can enforce policies at a fine-grained level, ensuring that only compliant devices or authenticated users can access sensitive resources.

Dynamic adaptation: Policies can adapt in real time to changes in the environment, such as revoking access if a device becomes non-compliant.

Zero-trust alignment: ABAC supports modern zero-trust security models by continuously validating access requests based on multiple attributes rather than solely on user identity or role.

Implementing ABAC requires strong identity management, device health assessment, and real-time policy evaluation. It provides organizations with the flexibility and security needed to protect cloud resources in increasingly dynamic and distributed environments.

Q183. During a penetration test, a tester discovers a web application that executes operating system commands based on user input without proper input validation. Which type of attack is this?

A) Cross-site scripting
B) SQL injection
C) Command injection
D) Path traversal

Answer: C) Command injection

Explanation:

Option A, cross-site scripting (XSS), targets clients by injecting malicious scripts into web pages. XSS attacks compromise end users rather than executing commands on the server itself, so it does not match the described scenario.

Option B, SQL injection, manipulates backend database queries through unsanitized input. While SQL injection can exfiltrate data or alter database contents, it typically does not allow direct execution of operating system commands, which is central to this scenario.

Option D, path traversal, manipulates file paths to access restricted files on the server. While it can lead to information disclosure, it does not allow attackers to execute arbitrary system commands.

Option C, command injection, is correct. Command injection vulnerabilities occur when user input is directly passed to system-level functions without proper validation or sanitization. Key elements include:

Execution of arbitrary commands: Attackers can run commands with the same privileges as the application, potentially leading to full system compromise.

Privilege escalation potential: If the application runs with elevated privileges, command injection can allow attackers to gain administrative or root access.

Mitigation strategies: Input validation, parameterized execution, use of secure APIs, and enforcing least privilege for application processes are critical preventive measures.

Forensic and monitoring considerations: Logging and intrusion detection can help identify exploitation attempts and remediate compromised systems.

Command injection is particularly dangerous because it bridges application vulnerabilities and underlying operating system access, creating high-risk exposure for servers.

Q184. A company implements multifactor authentication using a password and a time-based one-time password (TOTP) app. Which type of authentication is being enforced?

A) Single-factor authentication
B) Two-factor authentication
C) Biometric authentication
D) Certificate-based authentication

Answer: B) Two-factor authentication

Explanation:

Option A, single-factor authentication (SFA), relies on one form of credentials, typically a password. SFA provides limited security, and in this scenario, additional authentication beyond a password is used.

Option C, biometric authentication, relies on physical traits such as fingerprints or facial recognition, which are not used in this scenario.

Option D, certificate-based authentication, uses digital certificates and public/private keys, which are not mentioned here.

Option B, two-factor authentication (2FA), is correct. Two-factor authentication combines:

Something you know: A password or PIN.

Something you have: A time-based one-time password (TOTP) generated by an authentication app.

Key benefits of 2FA include:

Protection against password compromise: Even if a password is stolen, the TOTP provides an additional security barrier.

Compliance and risk reduction: 2FA is often required for regulatory frameworks such as PCI DSS and HIPAA.

User adoption and operational impact: TOTP apps are easy to deploy and widely supported across platforms.

2FA enhances the security posture of cloud and enterprise environments, mitigating credential-based attacks while maintaining usability.

Q185. A penetration tester finds that multiple employees are sharing accounts to access a corporate system. Which security principle is violated?

A) Accountability
B) Separation of duties
C) Least privilege
D) Role rotation

Answer: A) Accountability

Explanation:

Option B, separation of duties, divides tasks to prevent fraud but is unrelated to shared credentials.

Option C, least privilege, limits permissions but does not specifically address the issue of shared accounts.

Option D, role rotation, shifts job responsibilities periodically to mitigate insider threats but does not enforce individual traceability.

Option A, accountability, is correct. Accountability ensures that all actions in a system are attributable to a specific user. Sharing credentials undermines this principle, resulting in:

Loss of traceability: Auditors or security teams cannot determine who executed specific actions, complicating investigations.

Regulatory non-compliance: Frameworks such as HIPAA, PCI DSS, and SOX mandate unique user accountability.

Increased insider threat risk: Shared accounts enable malicious actors to operate without being individually identified.

Operational and forensic challenges: Incident response is hindered when user actions cannot be definitively traced.

Mitigation includes enforcing unique user accounts, implementing strong authentication, logging all actions, and educating staff about the importance of individual responsibility. Maintaining accountability is foundational to secure operations, regulatory compliance, and effective incident response.

Q186. A network administrator observes a device attempting to connect to multiple external IP addresses over a short period, targeting various ports. Which type of activity is most likely being observed?

A) Denial-of-service attack
B) Port scanning
C) Exploitation
D) Malware propagation

Answer: B) Port scanning

Explanation:

Option A, denial-of-service (DoS) attack, focuses on overwhelming a system or network with traffic to make it unavailable. While DoS attacks generate high volumes of traffic, the behavior described—systematically probing multiple IP addresses and ports—does not indicate service disruption but reconnaissance.

Option C, exploitation, occurs after reconnaissance, when attackers actively compromise systems using discovered vulnerabilities. Since the administrator is seeing only probing behavior without system compromise, exploitation is not yet occurring.

Option D, malware propagation, involves spreading malicious software across networks or systems. While malware may scan networks to identify targets, propagation is typically accompanied by infection or payload delivery. Observing only connection attempts does not confirm active malware spread.

Option B, port scanning, is correct. Port scanning is a reconnaissance technique used to identify live hosts, open ports, and available services. Attackers perform port scans to map the network and gather information before launching targeted attacks. Key elements include:

Scanning techniques: Attackers may use TCP SYN scans, TCP connect scans, UDP scans, or stealth scans to detect services while avoiding detection.

Automated tools: Tools like Nmap, Masscan, and Zmap automate scanning across ranges of IP addresses and ports, making detection and mitigation more challenging.

Indicators of compromise: Repeated connection attempts to multiple ports, unusual traffic patterns, and connections from previously unknown external IPs are common indicators.

Defensive measures: Firewalls, intrusion detection and prevention systems (IDS/IPS), and rate-limiting can help detect or block port scanning. Network segmentation and monitoring for unusual traffic patterns further reduce risk.

Port scanning represents the first phase of the cyber kill chain and is critical for attackers to understand the target environment. Organizations must monitor network traffic proactively, establish baseline behavior, and deploy layered defenses to detect and respond to reconnaissance activity before attacks occur.

Q187. During a forensic investigation, a technician needs to ensure that a disk image collected from a suspect system has not been altered. Which method provides the highest assurance of integrity?

A) Disk partitioning
B) Hashing
C) Defragmentation
D) Sanitization

Answer: B) Hashing

Explanation:

Option A, disk partitioning, modifies the disk structure to create or reorganize partitions. This process changes the data layout and does not provide any means to verify data integrity. Using partitioning in forensic investigation would compromise evidence.

Option C, defragmentation, reorganizes files on a disk to optimize storage efficiency. Defragmentation alters the physical layout of data, invalidating the forensic image and potentially destroying evidence.

Option D, sanitization, is the process of securely erasing data to prevent recovery. While important for data security, sanitization is counterproductive in forensics, as the goal is to preserve evidence, not destroy it.

Option B, hashing, is correct. Hashing uses cryptographic functions, such as SHA-256, SHA-512, or MD5 (less preferred), to generate a unique fingerprint of the disk image. Key benefits include:

Verification of integrity: Comparing hash values before and after analysis ensures that the disk image remains unchanged, indicating it has not been tampered with. Even a single bit change produces a completely different hash.

Legal admissibility: Courts often require demonstrable proof that evidence has not been altered. Hashing provides this proof and supports the chain of custody.

Chain of custody: By documenting hash values during acquisition, duplication, and analysis, investigators maintain an auditable trail that shows evidence integrity was preserved.

Reproducibility: Hashing allows multiple copies of the disk image to be independently verified, enabling collaborative analysis without compromising evidence integrity.

Integration with forensic tools: Most forensic software automatically calculates hashes for disk images and generates reports for legal and compliance purposes.

Hashing is fundamental in digital forensics. It guarantees that evidence is authentic, trustworthy, and admissible in court, while providing a reliable mechanism to detect any inadvertent or malicious changes during analysis, storage, or transfer.
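The acquisition-and-verification workflow described above (hash at acquisition, record the digests, re-hash later, and detect even a single flipped bit) as an added example that is not part of the original page. The image is a constructed file, not real evidence, and the manifest format (algorithm, digest, file name) is an assumption.

```python
"""Integrity of a disk image: hash on acquisition, record, re-verify later.

Added example (not from the original page). The 'image' is a constructed
file of a few megabytes with a repeating byte pattern, not real evidence;
the manifest format (algorithm, digest, file name) is an assumption.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB blocks so multi-TB images never load into RAM


def hash_file(path, algorithms=("sha256", "md5")):
    """One pass over the file, feeding every requested hash at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(image_path, manifest_path):
    """Record acquisition hashes; in practice this goes into the chain-of-custody log."""
    digests = hash_file(image_path)
    with open(manifest_path, "w") as m:
        for name, hexdigest in digests.items():
            m.write(f"{name} {hexdigest} {os.path.basename(image_path)}\n")
    return digests


def verify_manifest(image_path, manifest_path):
    """Re-hash and compare each recorded digest; returns (ok, mismatched_algorithms)."""
    recorded = {}
    with open(manifest_path) as m:
        for line in m:
            name, hexdigest, _filename = line.split()
            recorded[name] = hexdigest
    current = hash_file(image_path, tuple(recorded))
    mismatched = [n for n in recorded if not hmac.compare_digest(recorded[n], current[n])]
    return (not mismatched, mismatched)


def build_demo_image(path, size=3 * CHUNK + 17):
    """Constructed stand-in for a dd image: deterministic pattern, odd size."""
    pattern = bytes(range(256))
    full, rem = divmod(size, len(pattern))
    with open(path, "wb") as f:
        f.write(pattern * full + pattern[:rem])


def flip_one_bit(path, offset):
    """Simulate the smallest possible tamper: one bit at the given offset."""
    with open(path, "r+b") as f:
        f.seek(offset)
        original = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([original ^ 0x01]))


def demo():
    """Returns (ok_before, ok_after, mismatched) for the tamper experiment."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        manifest = image + ".hashes"
        build_demo_image(image)
        write_manifest(image, manifest)
        ok_before, _ = verify_manifest(image, manifest)
        flip_one_bit(image, CHUNK + 5)  # inside the second block of the file
        ok_after, mismatched = verify_manifest(image, manifest)
        return ok_before, ok_after, mismatched


if __name__ == "__main__":
    print(demo())
```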

Q188. A financial services company wants to detect unusual patterns such as abnormal logins, unexpected data transfers, or anomalous application activity. Which security solution is most appropriate?

A) Static firewall
B) Intrusion prevention system
C) Behavior-based analytics
D) Packet filtering

Answer: C) Behavior-based analytics

Explanation:

Option A, static firewall, enforces predefined rules to allow or deny traffic based on IP addresses, ports, or protocols. While essential for network security, static firewalls cannot identify behavioral anomalies like unusual login times or unexpected data transfers.

Option B, intrusion prevention system (IPS), relies primarily on signatures of known threats to detect and prevent attacks. Signature-based IPS may miss novel threats or subtle deviations from normal behavior, such as compromised credentials being used in unusual patterns.

Option D, packet filtering, examines packet headers to allow or block traffic based on rules. It is focused on network-level traffic control, not analysis of behavior patterns at the user, device, or application level.

Option C, behavior-based analytics, is correct. Behavior-based analytics systems monitor and establish baselines of normal activity across users, devices, applications, and network traffic. Key capabilities include:

Baseline creation: Systems collect historical data to understand normal patterns of activity for each user and device.

Anomaly detection: Deviations from baseline behavior—such as logins at unusual hours, transfers of sensitive files to unknown locations, or abnormal application usage—trigger alerts.

Machine learning integration: Advanced analytics leverage statistical modeling and machine learning to reduce false positives and improve detection of subtle threats.

Real-time response: Alerts generated by behavioral anomalies enable security operations centers (SOC) to investigate and respond proactively to potential insider threats, compromised accounts, or early-stage attacks.

Compliance support: Continuous behavioral monitoring helps meet regulatory requirements for financial institutions, such as PCI DSS and SOX, by providing evidence of ongoing risk detection and mitigation.

Behavior-based analytics complements signature-based systems, providing proactive detection against unknown, evolving, and sophisticated threats. By monitoring deviations in activity patterns, organizations can respond quickly to incidents and reduce the impact of security breaches.

Q189. During a penetration test, a Linux server has a root-owned cron job that executes a script every five minutes. The script is writable by all users. What type of vulnerability does this scenario represent?

A) Privilege escalation
B) Lateral movement
C) Credential harvesting
D) Pivoting

Answer: A) Privilege escalation

Explanation:

Option B, lateral movement, refers to spreading attacks from one compromised system to others in a network. While lateral movement may follow exploitation, it is not the immediate concern in this scenario.

Option C, credential harvesting, targets passwords or tokens stored on a system. Writable cron scripts do not inherently involve stored credentials, so this is not the primary vulnerability.

Option D, pivoting, uses a compromised host as a launch point for attacking other systems. Pivoting may occur later but is not the primary risk here.

Option A, privilege escalation, is correct. The writable root-owned cron job represents a severe local privilege escalation risk. Key considerations include:

Misconfigured permissions: Files owned by root should not be writable by all users. Writable permissions allow attackers to insert malicious commands into scripts executed with elevated privileges.

Exploitation method: An attacker can modify the script, waiting for the cron job to run to gain root-level access automatically.

Impact: Root access enables complete system control, installation of persistent malware, modification of system settings, or exfiltration of sensitive data.

Persistence: Cron jobs provide recurring execution, ensuring continued elevated access unless corrected.

Mitigation: Apply strict file permissions, conduct regular audits, enforce the principle of least privilege, monitor critical files, and implement intrusion detection to alert on unauthorized changes.

This type of misconfiguration is a classic vector for local privilege escalation in Linux systems. Proper file permissions, secure system configurations, and continuous monitoring significantly reduce the risk.
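An audit check for the misconfiguration Q189 describes, written from the defender's side: it parses root cron entries and flags scripts that non-root users could modify. This is an added example, not from the original page; the crontab text, script names and directory are constructed in a temporary directory so nothing on the real system is touched.

```python
"""Audit root cron jobs for scripts that non-root users can modify.

Added example (not from the original page). It builds a throwaway
directory with a constructed crontab and two scripts, so it runs without
touching the real /etc/crontab; feed audit_crontab real crontab text to
use it in a review.
"""
import os
import shlex
import stat
import tempfile


def command_paths(command):
    """Absolute-path tokens in a cron command: the interpreter and/or script."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def check_path(path):
    """Findings for one file that a root job executes."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist (whoever can create it controls the job)"]
    mode = stat.filemode(st.st_mode)
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({mode})")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        findings.append(f"{path}: writable by group {st.st_gid} ({mode})")
    if st.st_uid != 0:
        findings.append(f"{path}: owned by uid {st.st_uid}, not root")
    parent = os.path.dirname(path) or "/"
    pmode = os.stat(parent).st_mode
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        findings.append(f"{parent}: world-writable directory, file can be replaced")
    return findings


def audit_crontab(text):
    """Audit system-crontab syntax lines: min hour dom mon dow user command."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment or VAR=value line
        if line.startswith("@"):  # @reboot / @daily user command
            fields = line.split(None, 2)
            user, command = (fields[1], fields[2]) if len(fields) == 3 else (None, "")
        else:
            fields = line.split(None, 6)
            user, command = (fields[5], fields[6]) if len(fields) == 7 else (None, "")
        if user != "root":
            continue  # only root-run jobs are a privilege-escalation path
        for path in command_paths(command):
            findings.extend(check_path(path))
    return findings


def build_demo(directory):
    """Constructed scenario: one 0777 script and one 0755 script, both run by root."""
    bad = os.path.join(directory, "cleanup.sh")
    good = os.path.join(directory, "rotate.sh")
    for path in (bad, good):
        with open(path, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
    os.chmod(bad, 0o777)
    os.chmod(good, 0o755)
    crontab = (
        "PATH=/usr/sbin:/usr/bin:/sbin:/bin\n"
        f"*/5 * * * * root {bad}\n"
        f"0 3 * * * root /bin/sh {good}\n"
    )
    return crontab, bad, good


def world_writable_findings(findings):
    return [f for f in findings if "world-writable (" in f]


def demo():
    """Returns (bad_script_flagged, good_script_flagged)."""
    with tempfile.TemporaryDirectory() as tmp:
        crontab, bad, good = build_demo(tmp)
        flagged = world_writable_findings(audit_crontab(crontab))
        return (any(f.startswith(bad) for f in flagged),
                any(f.startswith(good) for f in flagged))


if __name__ == "__main__":
    print(demo())
```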

Q190. A security audit finds that multiple employees are sharing credentials to access corporate systems. Which security principle is being violated?

A) Accountability
B) Separation of duties
C) Least privilege
D) Role rotation

Answer: A) Accountability

Explanation:

Option B, separation of duties, is unrelated to credential sharing. It focuses on dividing responsibilities to prevent fraud, not individual user traceability.

Option C, least privilege, restricts permissions to the minimum necessary. While credential sharing could bypass this, the main violation is not about access levels but traceability.

Option D, role rotation, involves periodically shifting responsibilities to mitigate insider threats. This does not enforce individual accountability.

Option A, accountability, is correct. Accountability ensures that every action within a system can be traced to an individual user. Credential sharing violates this principle, introducing significant risks:

Loss of traceability: Investigators cannot determine which individual performed actions in case of an incident.

Compliance risks: Regulatory frameworks such as PCI DSS, HIPAA, and SOX require unique user identification and audit trails.

Operational risk: Shared accounts make it easier for malicious insiders to hide activity.

Mitigation strategies: Enforce unique accounts, implement strong authentication (including MFA), monitor logs, and educate employees on security policies.

Maintaining accountability is fundamental to operational integrity, regulatory compliance, and effective incident response. Systems must ensure all actions are individually attributable to detect, respond to, and prevent malicious or unauthorized activity.

Q191. A security analyst notices repeated failed login attempts targeting multiple accounts from different IP addresses, all within a short time frame. Which type of attack is most likely occurring?

A) Brute-force attack
B) Password spraying
C) Man-in-the-middle attack
D) Phishing

Answer: B) Password spraying

Explanation:

Option A, brute-force attack, involves systematically attempting all possible password combinations on a single account until the correct password is discovered. While highly intensive, brute-force attacks generally target one account at a time. In enterprise environments, account lockout policies often limit the effectiveness of brute-force attacks because repeated incorrect attempts trigger temporary suspension of accounts. Brute-force attacks are slower and more detectable compared to the scenario described, where multiple accounts are being targeted in a short period.

Option C, man-in-the-middle (MITM) attack, involves intercepting and potentially altering communication between two parties. MITM attacks are typically used to eavesdrop on sensitive information, manipulate traffic, or inject malicious content. MITM attacks do not inherently involve automated login attempts or the systematic testing of credentials against multiple accounts, making it an unlikely explanation for the activity observed.

Option D, phishing, is a social engineering technique designed to trick users into providing sensitive credentials via email, malicious links, or fake login pages. Phishing does not involve automated login attempts across multiple accounts using predetermined passwords, so it does not fit the pattern observed in this scenario.

Option B, password spraying, is correct. Password spraying is a common attack technique where attackers attempt a small set of commonly used passwords across many accounts, avoiding the rapid account lockouts that occur in traditional brute-force attacks. Key points about password spraying:

Stealth and scale: Instead of targeting one account with many passwords, attackers attempt one or a few common passwords on many accounts. This reduces detection and increases the likelihood of success.

Indicators of compromise: Multiple failed login attempts across different accounts, especially from unusual geographic locations or IP addresses, often signal password spraying.

Mitigation strategies: Enforcing multi-factor authentication (MFA) drastically reduces risk, as a correct password alone is insufficient for access. Monitoring for abnormal login patterns and implementing account lockout policies also help defend against this type of attack.

Regulatory compliance: Password spraying exploits weak password hygiene and can lead to breaches that violate data protection regulations such as GDPR, PCI DSS, or HIPAA.

Password spraying is particularly effective in large organizations with users who reuse simple passwords. Behavior-based monitoring combined with strong authentication practices can detect and prevent unauthorized access attempts, preserving security while minimizing the impact on legitimate users.
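Q181 and Q191 both turn on the same signal: many accounts failing from one source with only a few attempts each, versus one account failing many times. The following added example (not from the original page) applies that distinction to authentication log lines; the line format, the documentation-range addresses and the thresholds are constructed assumptions.

```python
"""Classify failed-login bursts as password spraying or brute force.

Added example (not from the original page). The log line format, the
sample addresses (RFC 5737 documentation ranges) and the thresholds are
constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: one source spraying six accounts once each,
# one source hammering a single account, and one user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:06Z src=203.0.113.5 user=frank result=FAIL
2024-05-01T10:00:07Z src=203.0.113.5 user=grace result=SUCCESS
2024-05-01T10:01:00Z src=198.51.100.7 user=admin result=FAIL
2024-05-01T10:01:01Z src=198.51.100.7 user=admin result=FAIL
2024-05-01T10:01:02Z src=198.51.100.7 user=admin result=FAIL
2024-05-01T10:01:03Z src=198.51.100.7 user=admin result=FAIL
2024-05-01T10:01:04Z src=198.51.100.7 user=admin result=FAIL
2024-05-01T10:01:05Z src=198.51.100.7 user=admin result=FAIL
2024-05-01T10:05:00Z src=192.0.2.9 user=alice result=FAIL
2024-05-01T10:05:30Z src=192.0.2.9 user=alice result=SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     spray_users=5, bruteforce_attempts=5):
    """Map each source to (label, max_distinct_users, max_attempts_per_user).

    Spraying: many distinct accounts fail from one source inside the window,
    each with only a few attempts (kept below a typical lockout threshold).
    Brute force: one account accumulates many failures from one source.
    """
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    verdicts = {}
    for src, fails in failures.items():
        fails.sort()
        max_distinct = 0
        max_per_user = 0
        # Slide a window anchored at each failure so a burst is never split
        # by a fixed bucket boundary.
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            max_distinct = max(max_distinct, len(per_user))
            max_per_user = max(max_per_user, max(per_user.values()))
        if max_distinct >= spray_users:
            label = "password-spraying"
        elif max_per_user >= bruteforce_attempts:
            label = "brute-force"
        else:
            label = "benign"
        verdicts[src] = (label, max_distinct, max_per_user)
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, verdict)
```

Correlating across sources (the same small password set tried from many addresses) is the next step; this block keys on a single source address only.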

Q192. An organization wants to ensure that employees can access cloud resources only from devices that meet specific security requirements, such as updated OS, enabled encryption, and antivirus software. Which access control model should be implemented?

A) Role-based access control
B) Attribute-based access control
C) Mandatory access control
D) Discretionary access control

Answer: B) Attribute-based access control

Explanation:

Option A, role-based access control (RBAC), grants access based on the user’s role within the organization. RBAC is effective for assigning permissions to job functions but does not account for dynamic conditions such as device health, location, or risk levels. Therefore, RBAC alone cannot enforce access policies based on device compliance, making it unsuitable for this scenario.

Option C, mandatory access control (MAC), enforces centralized, non-discretionary policies based on classification levels and labels. MAC is rigid and designed to prevent unauthorized access based on sensitivity labels but does not inherently evaluate dynamic attributes like device security compliance. While MAC provides high security, it lacks the flexibility required to enforce conditional access based on device attributes.

Option D, discretionary access control (DAC), allows owners of resources to grant access at their discretion. DAC does not provide centralized control or dynamic evaluation of device attributes, making it insufficient for enforcing conditional access to cloud resources.

Option B, attribute-based access control (ABAC), is correct. ABAC evaluates access based on a combination of user, resource, action, and environmental attributes. In this scenario:

Attributes include device compliance: ABAC considers whether devices have updated operating systems, encryption enabled, antivirus running, or meet other security standards.

Dynamic policy enforcement: Access decisions are made in real-time based on the evaluated attributes, allowing conditional and context-aware access control.

Granularity: ABAC provides fine-grained control, enabling enforcement of complex policies such as “allow access to financial data only from managed devices during business hours from approved IP addresses.”

Zero-trust alignment: ABAC is a foundational component of zero-trust architectures, ensuring that access is continuously validated based on risk factors and not solely on user identity.

ABAC allows organizations to secure sensitive cloud resources effectively, reduce risk from non-compliant devices, and support regulatory compliance while maintaining operational flexibility.
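A deny-by-default ABAC evaluator for the policy Q182 and Q192 describe (managed and compliant device, business hours, approved source network, plus the role check that RBAC alone would cover). This is an added example, not from the original page; the attribute names, the single rule and the sample requests are assumptions.

```python
"""Attribute-based access control: a deny-by-default policy evaluator.

Added example (not from the original page). The attribute names, the
single finance rule and the sample requests are constructed assumptions
that mirror the conditions the explanation lists (managed, compliant
device; business hours; approved source network).
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    user: dict      # subject attributes, e.g. id, role
    device: dict    # device posture attributes
    resource: dict  # resource attributes, e.g. class
    env: dict       # environment attributes: time, src_ip


# Hypothetical rule: financial data only for finance staff, from managed and
# compliant devices, during business hours, from approved networks.
FINANCE_RULE = {
    "resource_class": "financial",
    "allowed_roles": {"finance", "auditor"},
    "approved_networks": ["203.0.113.0/24", "198.51.100.0/24"],  # RFC 5737 ranges
    "business_hours": (9, 17),
}


def device_compliant(dev):
    """The posture checks the scenario names: patched OS, encryption, AV."""
    return all(dev.get(k) is True for k in ("os_patched", "disk_encrypted", "av_running"))


def evaluate(req, rule=FINANCE_RULE):
    """Return (decision, reason). Every condition must hold; otherwise deny."""
    if req.resource.get("class") != rule["resource_class"]:
        return ("deny", "no rule covers this resource")
    if req.user.get("role") not in rule["allowed_roles"]:
        return ("deny", "role not permitted")  # the only check RBAC alone makes
    if not req.device.get("managed"):
        return ("deny", "unmanaged device")
    if not device_compliant(req.device):
        return ("deny", "device not compliant")
    when = req.env["time"]
    start, end = rule["business_hours"]
    if when.weekday() >= 5 or not start <= when.hour < end:
        return ("deny", "outside business hours")
    src = ip_address(req.env["src_ip"])
    if not any(src in ip_network(n) for n in rule["approved_networks"]):
        return ("deny", "source network not approved")
    return ("permit", "all attribute conditions satisfied")


# Constructed sample requests. 2024-05-01 is a Wednesday, 2024-05-04 a Saturday.
GOOD_DEVICE = {"managed": True, "os_patched": True, "disk_encrypted": True, "av_running": True}
ALICE = {"id": "alice", "role": "finance"}
LEDGER = {"class": "financial"}
OFFICE = {"time": datetime(2024, 5, 1, 10, 30), "src_ip": "203.0.113.10"}

OK_REQUEST = Request(ALICE, GOOD_DEVICE, LEDGER, OFFICE)
AV_OFF_REQUEST = Request(ALICE, {**GOOD_DEVICE, "av_running": False}, LEDGER, OFFICE)
WEEKEND_REQUEST = Request(ALICE, GOOD_DEVICE, LEDGER,
                          {"time": datetime(2024, 5, 4, 10, 30), "src_ip": "203.0.113.10"})
HOME_IP_REQUEST = Request(ALICE, GOOD_DEVICE, LEDGER,
                          {"time": datetime(2024, 5, 1, 10, 30), "src_ip": "192.0.2.44"})


if __name__ == "__main__":
    for name, req in [("ok", OK_REQUEST), ("av off", AV_OFF_REQUEST),
                      ("weekend", WEEKEND_REQUEST), ("home ip", HOME_IP_REQUEST)]:
        print(f"{name:8} -> {evaluate(req)}")
```

Re-running evaluate() on a refreshed device posture is how the "dynamic adaptation" point plays out: the same user and role is permitted one minute and denied the next.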

Q193. During a penetration test, a tester discovers a web application that accepts unsanitized user input and allows execution of operating system commands on the server. Which type of attack is this?

A) Cross-site scripting
B) SQL injection
C) Command injection
D) Path traversal

Answer: C) Command injection

Explanation:

Option A, cross-site scripting (XSS), is a client-side attack that injects malicious scripts into web pages viewed by other users. XSS affects end-users’ browsers and is not capable of executing operating system commands on the server, making it irrelevant to the scenario described.

Option B, SQL injection, targets the backend database by manipulating SQL queries via unsanitized input. While SQL injection can exfiltrate or modify data, it does not typically provide the ability to execute arbitrary OS-level commands directly on the server.

Option D, path traversal, allows attackers to access files outside the intended directory by manipulating file paths. Path traversal can read or write files but does not allow arbitrary command execution, differentiating it from command injection.

Option C, command injection, is correct. Command injection occurs when a web application passes unsafe user input to a system shell or OS command interpreter without proper validation or sanitization. Key points include:

Impact: Attackers can execute arbitrary OS commands with the privileges of the web server process, potentially leading to full system compromise.

Exploitation: Modifying input fields to include shell commands or special characters (e.g., semicolons, pipes) can force execution of unintended commands.

Mitigation: Input validation, parameterized APIs, minimal privileges for application processes, and runtime monitoring prevent command injection.

Forensics: Command injection incidents can alter logs, install persistent backdoors, or compromise other networked systems, making detection and investigation challenging.

Command injection is a severe vulnerability because it directly exposes the underlying operating system. Proper secure coding practices, least privilege enforcement, and continuous monitoring are essential for preventing such attacks in web applications.
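The vulnerable pattern Q183 and Q193 describe, beside the hardened form the mitigation points call for, as an added example that is not from the original page. The wrapped OS tool is stood in for by echo (an assumption) so the code runs offline.

```python
"""Command injection: the vulnerable pattern next to its hardened form.

Added example (not from the original page). The wrapped OS tool is stood in
for by 'echo' so the code runs anywhere without network access; a real
application would wrap ping, nslookup or similar (an assumption).
"""
import re
import subprocess

# Strict allowlist: DNS-style hostname labels only, so no shell metacharacters
# and no leading '-' that the wrapped tool could read as an option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def lookup_vulnerable(user_input):
    """VULNERABLE: the string is handed to /bin/sh, which re-parses it.

    Characters such as ; | & and $( ) in user_input become shell syntax.
    """
    command = "echo " + user_input
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def lookup_no_shell(user_input):
    """Better: argv list, no shell, so metacharacters are inert data.

    Not sufficient on its own: an input such as '--version' would still be
    passed to the tool as an option (argument injection).
    """
    return subprocess.run(["echo", user_input], capture_output=True, text=True).stdout


def is_valid_hostname(value):
    return HOSTNAME_RE.match(value) is not None


def lookup_safe(user_input):
    """Hardened: allowlist validation first, then argv list with no shell."""
    if not is_valid_hostname(user_input):
        raise ValueError("input is not a valid hostname")
    return subprocess.run(["echo", user_input], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print("vulnerable:", repr(lookup_vulnerable(payload)))  # two commands ran
    print("no shell:  ", repr(lookup_no_shell(payload)))    # one argument, inert
    try:
        lookup_safe(payload)
    except ValueError as exc:
        print("safe:       rejected,", exc)
```

The application process should also run with the least privilege the page recommends, since even a validated command executes with whatever rights the web server holds.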

Q194. A company implements multi-factor authentication (MFA) using a password and a time-based one-time password (TOTP) from an authentication app. What type of authentication is being enforced?

A) Single-factor authentication
B) Two-factor authentication
C) Biometric authentication
D) Certificate-based authentication

Answer: B) Two-factor authentication

Explanation:

Option A, single-factor authentication (SFA), uses only one credential type, typically a password. SFA is insufficient for protecting sensitive systems, particularly when passwords may be compromised through phishing or reuse.

Option C, biometric authentication, relies on physical characteristics like fingerprints or facial recognition. This scenario does not use biometric factors, so it does not apply.

Option D, certificate-based authentication, uses digital certificates and cryptographic keys to verify identity. While strong, this method is not part of the described password plus TOTP combination.

Option B, two-factor authentication (2FA), is correct. Two-factor authentication requires two separate factors:

Something you know: In this case, the user password.

Something you have: The TOTP generated by an authentication app.

Benefits: 2FA reduces risk from stolen or reused passwords, mitigates phishing, and ensures stronger protection for sensitive accounts.

Implementation: Widely supported across cloud platforms, financial systems, and enterprise networks, 2FA enhances security posture by combining knowledge-based and possession-based factors.

MFA significantly increases the effort required for attackers to compromise accounts, as possession of the password alone is insufficient for access. Properly implemented 2FA aligns with modern security best practices and regulatory requirements.

Q195. During a security audit, multiple employees are discovered to be sharing login credentials for corporate systems. Which security principle is being violated?

A) Accountability
B) Separation of duties
C) Least privilege
D) Role rotation

Answer: A) Accountability

Explanation:

Option B, separation of duties, divides responsibilities among employees to prevent fraud but is unrelated to credential sharing.

Option C, least privilege, limits access rights to only what is necessary for a role. While shared accounts may bypass least privilege, the main violation is related to traceability, not permission levels.

Option D, role rotation, periodically shifts responsibilities to reduce insider threats, which does not address individual accountability or credential sharing.

Option A, accountability, is correct. Accountability ensures that all actions are traceable to specific individuals. Credential sharing undermines accountability, introducing risks such as:

Loss of traceability: Investigators cannot determine which individual performed specific actions, hindering forensic investigations.

Regulatory non-compliance: Frameworks such as PCI DSS, HIPAA, and SOX mandate unique identification and audit trails. Shared accounts violate these requirements.

Operational risks: Shared credentials allow malicious activity to go undetected and make enforcing accountability difficult.

Mitigation: Organizations should enforce unique accounts, strong authentication policies, multi-factor authentication, and monitoring of access logs to maintain accountability.

Accountability is fundamental for security governance, forensic investigations, and compliance. Ensuring each user has a unique identity within systems supports traceable, auditable actions that protect organizational integrity.

Q191. A security analyst notices repeated failed login attempts targeting multiple accounts from different IP addresses, all within a short time frame. Which type of attack is most likely occurring?

A) Brute-force attack
B) Password spraying
C) Man-in-the-middle attack
D) Phishing

Answer: B) Password spraying

Explanation:

Option A, brute-force attack, is a method where an attacker systematically attempts every possible combination of passwords against a specific account until access is gained. While this technique can eventually succeed, it is highly resource-intensive and slow, particularly against systems with strong password policies, account lockouts, or throttling mechanisms. Brute-force attacks usually focus on one account at a time. Modern intrusion detection systems can detect repeated failed attempts and raise alerts, making brute-force less practical for targeting multiple accounts simultaneously. In the scenario described, repeated failed logins across many accounts in a short timeframe indicate that the attacker is not trying exhaustive passwords on a single account, but a more strategic approach.

Option C, man-in-the-middle (MITM) attack, occurs when an attacker intercepts communication between two parties. The attacker can eavesdrop on messages, alter data in transit, or inject malicious content. MITM attacks can compromise confidentiality and integrity, particularly in unencrypted networks. However, MITM does not inherently involve attempting multiple login attempts on accounts. While an MITM could potentially capture credentials if successful, it is not represented by automated login attempts from multiple IP addresses targeting numerous accounts.

Option D, phishing, involves tricking users into voluntarily revealing credentials or sensitive information. This could include emails that mimic legitimate services, fake websites, or other social engineering tactics. Phishing attacks are effective but do not involve automated, systematic login attempts across multiple accounts from different IP addresses. Phishing is an indirect method that relies on user action rather than automated credential testing.

Option B, password spraying, is correct. Password spraying is a targeted, low-volume attack that attempts a small set of common passwords across many accounts, rather than trying multiple passwords on a single account. The attacker’s goal is to avoid account lockouts and detection. Key characteristics and considerations include:

Stealth: By trying only a few passwords per account, attackers minimize detection risk while increasing their chances of exploiting weak passwords.

Scale: Attackers often leverage lists of usernames or email addresses to automate attempts across multiple accounts, covering hundreds or thousands of users in a short period.

Exploitation of human behavior: Many users select simple or commonly reused passwords, which makes password spraying effective against large organizations.

Detection: Security operations centers (SOC) can identify password spraying by monitoring for widespread failed login attempts, unusual geographic locations, or login attempts during off-hours.

Mitigation strategies: Multi-factor authentication (MFA) is one of the most effective defenses because it requires a second factor even if a password is guessed. Account lockout policies, anomaly detection, and user education on strong, unique passwords also reduce exposure.

Password spraying is particularly significant because it bridges social engineering and technical attacks, exploiting predictable human behavior rather than complex vulnerabilities. Organizations need proactive monitoring, adaptive security measures, and continual training to mitigate this risk effectively.
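The detection point above (widespread failures across many accounts from one source, versus many failures against one account) can be turned into a simple log check. The following is an added example, not part of the original question set: the log format, the source addresses and the thresholds are all constructed for illustration and should be tuned to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from any real system).
# 203.0.113.7 tries one password against six accounts in 12 seconds (spray shape);
# 198.51.100.9 hammers a single account (brute-force shape); 192.0.2.20 is a user typo.
SAMPLE_LOG = """\
2024-05-01T02:10:01 FAILED user=alice src=203.0.113.7
2024-05-01T02:10:03 FAILED user=bob src=203.0.113.7
2024-05-01T02:10:05 FAILED user=carol src=203.0.113.7
2024-05-01T02:10:07 FAILED user=dave src=203.0.113.7
2024-05-01T02:10:09 FAILED user=erin src=203.0.113.7
2024-05-01T02:10:11 FAILED user=frank src=203.0.113.7
2024-05-01T02:10:13 SUCCESS user=frank src=203.0.113.7
2024-05-01T09:00:00 FAILED user=alice src=198.51.100.9
2024-05-01T09:00:01 FAILED user=alice src=198.51.100.9
2024-05-01T09:00:02 FAILED user=alice src=198.51.100.9
2024-05-01T09:00:03 FAILED user=alice src=198.51.100.9
2024-05-01T09:00:04 FAILED user=alice src=198.51.100.9
2024-05-01T09:00:05 FAILED user=alice src=198.51.100.9
2024-05-01T09:00:06 FAILED user=alice src=198.51.100.9
2024-05-01T09:30:00 FAILED user=bob src=192.0.2.20
2024-05-01T09:30:20 SUCCESS user=bob src=192.0.2.20
"""

LINE_RE = re.compile(r"^(\S+) (FAILED|SUCCESS) user=(\S+) src=(\S+)$")


def parse(log):
    """Yield (timestamp, result, user, src) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def classify_sources(log, window=timedelta(minutes=10), min_accounts=5,
                     max_per_account=3, brute_threshold=6):
    """Label each source IP whose failures inside some `window` match a known shape.

    password_spraying: many distinct accounts, only a few attempts each.
    brute_force:       a single account hit at least `brute_threshold` times.
    Sources matching neither are omitted. Thresholds are assumptions for this example.
    """
    failures = defaultdict(list)
    for ts, result, user, src in parse(log):
        if result == "FAILED":
            failures[src].append((ts, user))
    verdicts = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            heaviest = max(per_user.values())
            if heaviest >= brute_threshold:
                verdicts[src] = "brute_force"
                break
            if len(per_user) >= min_accounts and heaviest <= max_per_account:
                verdicts[src] = "password_spraying"
                break
    return verdicts


def successes_after_spray(log, verdicts):
    """Accounts that logged in successfully from a source flagged as spraying: triage these first."""
    return sorted({user for ts, result, user, src in parse(log)
                   if result == "SUCCESS" and verdicts.get(src) == "password_spraying"})
```

A success from a flagged source is the account most likely to hold one of the guessed passwords, so it is the first candidate for a forced reset and MFA enrolment.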

Q192. An organization wants to ensure that employees can access cloud resources only from devices that meet specific security requirements, such as updated OS, enabled encryption, and antivirus software. Which access control model should be implemented?

A) Role-based access control
B) Attribute-based access control
C) Mandatory access control
D) Discretionary access control

Answer: B) Attribute-based access control

Explanation:

Option A, role-based access control (RBAC), assigns permissions to users based on their roles within the organization. While RBAC simplifies management and ensures that users receive access consistent with their job responsibilities, it does not account for contextual attributes such as the health or compliance of the device being used, its location, or current security posture. As such, RBAC alone cannot enforce dynamic, condition-based access policies, which are critical in a modern cloud environment where users may connect from a variety of devices and locations.

Option C, mandatory access control (MAC), is a rigid, centrally enforced model where access is determined by classification levels and labels assigned to both users and resources. MAC is highly secure and suitable for classified environments but lacks the flexibility to evaluate dynamic environmental or device-specific attributes. It does not support conditional access decisions based on device compliance in real time, limiting its applicability in cloud-based, dynamic contexts.

Option D, discretionary access control (DAC), allows resource owners to grant access to users at their discretion. DAC is flexible but offers little centralized oversight, and it does not incorporate environmental or device-based attributes. DAC would not enforce compliance requirements or validate that devices meet specific security standards before allowing access to sensitive cloud resources.

Option B, attribute-based access control (ABAC), is correct. ABAC evaluates access based on multiple attributes: user identity, resource sensitivity, action requested, and environmental or contextual factors. In this scenario, ABAC enables the organization to:

Enforce device compliance policies: Only allow access if the device has updated OS, encryption enabled, antivirus software running, and other security standards met.

Apply dynamic policies: Access decisions are made in real time based on the current attributes of the device, user, and environment.

Implement fine-grained control: Policies can be specific, e.g., allowing access to HR systems only from managed devices during business hours from the corporate network.

Align with zero-trust principles: ABAC ensures that trust is continually evaluated and not assumed based on user identity alone.

Implementing ABAC requires integration with device compliance tools, identity providers, and continuous monitoring solutions. ABAC provides the granularity and adaptability necessary to protect sensitive cloud resources while accommodating remote work and bring-your-own-device (BYOD) scenarios.
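An added example, not from the original page, of how an ABAC policy decision point could evaluate the attributes the question names (patched OS, encryption, antivirus) together with the fine-grained HR rule described above. The device attributes, resource names, groups and business-hours values are all constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """Posture attributes as a device-compliance tool would report them (constructed)."""
    managed: bool
    os_patched: bool
    disk_encrypted: bool
    av_running: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    resource: str     # e.g. "hr/payroll" or "wiki/engineering" (assumed naming)
    action: str       # "read" or "write"
    device: Device
    network: str      # "corporate" or "internet"
    hour: int         # local hour of day, 0-23


BUSINESS_HOURS = (8, 18)   # assumed: 08:00 up to 18:00


def device_compliant(d: Device) -> bool:
    """The baseline from the question: patched OS, encryption enabled, antivirus running."""
    return d.os_patched and d.disk_encrypted and d.av_running


def evaluate(req: Request):
    """Return (decision, reason). Default-deny; every rule here is an assumed example policy."""
    if not device_compliant(req.device):
        return "deny", "device fails compliance baseline"
    if req.resource.startswith("hr/"):
        # Fine-grained rule from the text: HR systems only from managed devices,
        # on the corporate network, during business hours, and only for HR staff.
        if "hr" not in req.groups:
            return "deny", "user not in hr group"
        if not req.device.managed:
            return "deny", "hr resources require a managed device"
        if req.network != "corporate":
            return "deny", "hr resources require the corporate network"
        if not BUSINESS_HOURS[0] <= req.hour < BUSINESS_HOURS[1]:
            return "deny", "outside business hours"
        return "permit", "hr policy satisfied"
    if req.action == "read":
        return "permit", "read from compliant device"
    if req.action == "write" and req.device.managed:
        return "permit", "write from managed, compliant device"
    return "deny", "write requires a managed device"


# Constructed sample devices.
COMPLIANT_MANAGED = Device(managed=True, os_patched=True, disk_encrypted=True, av_running=True)
COMPLIANT_BYOD = Device(managed=False, os_patched=True, disk_encrypted=True, av_running=True)
UNENCRYPTED = Device(managed=True, os_patched=True, disk_encrypted=False, av_running=True)
```

Because every rule reads live attributes, the same user is permitted or denied depending on the device and context of each request, which is the zero-trust property the text describes.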

Q193. During a penetration test, a tester discovers a web application that accepts unsanitized user input and allows execution of operating system commands on the server. Which type of attack is this?

A) Cross-site scripting
B) SQL injection
C) Command injection
D) Path traversal

Answer: C) Command injection

Explanation:

Option A, cross-site scripting (XSS), is a client-side attack in which malicious scripts are injected into web pages displayed to other users. XSS affects the end-user’s browser and cannot execute commands directly on the server, making it unrelated to the scenario where OS-level commands are being run.

Option B, SQL injection, targets the database layer. It allows attackers to manipulate SQL queries to exfiltrate, modify, or delete data. SQL injection can have severe consequences but typically does not provide the ability to execute arbitrary operating system commands on the server.

Option D, path traversal, allows attackers to access files outside the intended directory by manipulating file paths. While it can expose sensitive files or configuration data, path traversal does not permit arbitrary command execution, which differentiates it from command injection.

Option C, command injection, is correct. This vulnerability occurs when an application passes unvalidated input directly to the system shell or operating system interpreter. Critical aspects include:

Direct OS-level access: Attackers can execute arbitrary commands with the privileges of the web server, potentially gaining root or administrative access.

Exploitation techniques: Injection of special characters (such as semicolons, pipes, or backticks) allows concatenation or execution of additional commands.

Real-world impact: Command injection can compromise server integrity, install persistent backdoors, exfiltrate sensitive data, and propagate malware across the network.

Mitigation strategies: Input validation, output encoding, principle of least privilege, use of secure APIs instead of shell execution, and runtime monitoring.

Command injection is considered a critical vulnerability because it directly exposes the server to complete compromise. Secure coding practices, regular security assessments, and active monitoring are essential to prevent this type of attack.
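An added example, not from the original page, showing the pattern the question describes (a request parameter passed to the operating system) beside the two mitigations listed above: allow-list input validation and using a secure API instead of shell execution. The `ping` use case and hostname rule are assumptions for illustration.

```python
import re
import shlex

# Hostname allow-list: labels of letters, digits and interior hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_shell_command_vulnerable(host: str) -> str:
    """'Before' form. The request parameter is pasted into a shell command string; if the
    string is handed to a shell (subprocess.run(..., shell=True)), any metacharacter in
    `host` (; | ` $( )) is parsed by the shell as part of the command."""
    return f"ping -c 1 {host}"


def is_valid_hostname(host: str) -> bool:
    """Allow-list validation: accept only a syntactically valid hostname or dotted IPv4."""
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None


def validate_hostname(host: str) -> str:
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return host


def build_argv_hardened(host: str) -> list:
    """Hardened form: validated input placed in an argument vector. Passed to
    subprocess.run(argv) with the default shell=False, no shell ever parses the value,
    so metacharacters cannot introduce a second command."""
    return ["ping", "-c", "1", validate_hostname(host)]


def quote_for_shell(host: str) -> str:
    """Defence in depth when a shell is unavoidable: shlex.quote turns the whole value into
    a single shell word. Quoting alone is weaker than the argv form plus validation."""
    return f"ping -c 1 {shlex.quote(host)}"
```

The `ping` invocation is not executed here; the point is the shape of what reaches the OS, which is what a code review or a SAST rule should look for.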

Q194. A company implements multi-factor authentication (MFA) using a password and a time-based one-time password (TOTP) from an authentication app. What type of authentication is being enforced?

A) Single-factor authentication
B) Two-factor authentication
C) Biometric authentication
D) Certificate-based authentication

Answer: B) Two-factor authentication

Explanation:

Option A, single-factor authentication (SFA), involves only one type of credential, typically a password. SFA is increasingly insufficient due to widespread phishing, password reuse, and credential theft. In this scenario, the presence of an additional factor means SFA is not being used.

Option C, biometric authentication, relies on physical or behavioral traits such as fingerprints, facial recognition, or voice recognition. While effective, the scenario specifically mentions a password and TOTP app, so biometrics are not involved.

Option D, certificate-based authentication, uses cryptographic certificates to verify identity. This approach provides strong authentication but does not apply to the combination of a password and a TOTP app.

Option B, two-factor authentication (2FA), is correct. Two-factor authentication enhances security by requiring:

Something you know: A password.

Something you have: A time-based one-time password (TOTP) from an app.

Security benefits: Even if the password is compromised, an attacker cannot authenticate without the TOTP. It mitigates risks associated with phishing, credential stuffing, and password reuse.

Implementation considerations: TOTP apps such as Google Authenticator or Authy generate temporary codes that change every 30–60 seconds. Integration with identity providers, conditional access policies, and user education are essential for effective deployment.

2FA significantly strengthens authentication security, especially for high-value accounts and sensitive resources, aligning with regulatory and industry best practices.
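An added example, not from the original page, of the "something you have" factor itself: a standard-library TOTP implementation (RFC 6238 over RFC 4226 HOTP) with the server-side verification a practitioner needs, including drift tolerance and replay rejection. The secret used is the RFC 6238 reference test secret, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (the ASCII string "12345678901234567890"); not a real credential.
RFC6238_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(key, counter) to a decimal code."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the Unix time divided into 30 s steps."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns the matched time-step counter, or None.

    Accepts the current step plus/minus `window` steps to tolerate clock drift, compares
    in constant time, and refuses any counter at or below `last_counter` so a code that
    was already used (or captured by phishing) cannot be replayed within its window.
    """
    base = at // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


def secret_from_base32(s: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret; restore padding before decoding."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def current_code(base32_secret: str) -> str:
    """What an authenticator app would display right now for the given enrolment secret."""
    return totp(secret_from_base32(base32_secret), int(time.time()))
```

The drift window is why a code shown a few seconds before the step boundary still works; storing `last_counter` per user is what stops the same code being accepted twice.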

Q195. During a security audit, multiple employees are discovered to be sharing login credentials for corporate systems. Which security principle is being violated?

A) Accountability
B) Separation of duties
C) Least privilege
D) Role rotation

Answer: A) Accountability

Explanation:

Option B, separation of duties, ensures that no single individual has control over all aspects of critical processes, reducing fraud risk. It is unrelated to credential sharing.

Option C, least privilege, ensures users have only the access necessary to perform their jobs. While shared credentials may bypass least privilege, the core violation is the inability to trace actions to a specific user, making accountability the primary concern.

Option D, role rotation, is the periodic reassignment of job responsibilities to prevent insider threats or collusion. This policy does not directly address the violation caused by shared credentials.

Option A, accountability, is correct. Accountability ensures that all actions on systems are traceable to specific individuals. Sharing credentials undermines accountability in multiple ways:

Traceability: Investigators cannot determine which individual performed specific actions, making forensic investigations and incident response challenging.

Regulatory compliance: Standards such as HIPAA, PCI DSS, and SOX require individual identification and audit trails. Shared accounts violate these requirements and increase the risk of non-compliance penalties.

Operational risk: Shared credentials allow malicious or negligent activity to go undetected. Systems cannot log and alert on individual behavior accurately, weakening security monitoring.

Mitigation strategies: Enforce unique credentials for every user, integrate multi-factor authentication, monitor audit logs for unusual activity, and educate employees on the risks of sharing accounts.

Accountability is a cornerstone of secure operations, enabling organizations to maintain proper governance, investigate incidents effectively, and comply with legal and regulatory mandates. Enforcing unique user identities and robust authentication mechanisms is critical to maintaining operational integrity and trust.

Q196. A security analyst observes that a previously unknown external IP address is systematically sending requests to multiple ports on the company’s servers over several days. Which type of activity is most likely occurring?

A) Vulnerability scanning
B) Port scanning
C) Exploitation
D) Denial-of-service attack

Answer: B) Port scanning

Explanation:

Option A, vulnerability scanning, is an advanced technique where specific weaknesses in systems, applications, or network devices are identified. Vulnerability scanners often probe for outdated software, missing patches, or misconfigurations. Although port scanning is typically a preliminary step in vulnerability scanning, vulnerability scanning involves more targeted testing and attempts to exploit known weaknesses rather than merely mapping open ports. The scenario describes continuous probing across multiple ports without evidence of active exploitation, which aligns more closely with reconnaissance than vulnerability scanning.

Option C, exploitation, occurs when an attacker actively uses identified vulnerabilities to compromise a system. Exploitation follows reconnaissance, but in this scenario, there is no indication that the attacker is attempting to leverage vulnerabilities. Only systematic requests to multiple ports are observed, which is indicative of reconnaissance activity rather than an active compromise.

Option D, denial-of-service (DoS) attacks, aim to overwhelm system resources to make services unavailable. DoS traffic is typically high-volume and disruptive. The described activity does not indicate service disruption or resource exhaustion; instead, it is methodical, slow, and covers multiple ports—characteristics consistent with port scanning rather than DoS.

Option B, port scanning, is correct. Port scanning is a reconnaissance technique used to discover open ports and running services on networked systems. Attackers use scanning to identify potential entry points and assess the attack surface before attempting exploitation. Key aspects include:

Systematic probing: The attacker methodically attempts to connect to various ports, either sequentially or in a randomized pattern.

Multiple IP addresses: Distributed scanning may be employed to evade detection or rate limits.

Indicators: Repeated connection attempts across multiple hosts, unusual traffic patterns, or connection attempts outside normal business hours.

Defensive strategies for mitigating port scanning include deploying intrusion detection and prevention systems (IDS/IPS), configuring firewalls to limit unnecessary port exposure, monitoring for unusual connection patterns, and using honeypots to detect and analyze reconnaissance activity. While port scanning itself does not compromise systems, it is often a precursor to more serious attacks, making early detection critical.

Port scanning is considered the first phase in the cyber kill chain. Effective security practices include minimizing the attack surface, maintaining up-to-date network inventories, and implementing monitoring to detect reconnaissance before it can lead to exploitation.

Q197. During a forensic investigation, a technician discovers that a critical system has been modified without authorization. Detailed logs indicate which user account performed each action. Which security principle is demonstrated?

A) Confidentiality
B) Integrity
C) Accountability
D) Availability

Answer: C) Accountability

Explanation:

Option A, confidentiality, ensures that information is protected from unauthorized access. While confidentiality is critical for protecting sensitive data, it does not ensure that system actions are traceable to a specific user. Knowing who performed a modification goes beyond simply keeping data secret.

Option B, integrity, ensures that information remains accurate and unaltered. While integrity is concerned with preventing unauthorized changes, it does not inherently provide the capability to identify who made changes. Integrity focuses on the state of the data, while accountability emphasizes attribution of actions.

Option D, availability, ensures that systems and data are accessible when needed. While availability is a core security principle, it does not address tracking user actions or maintaining logs.

Option C, accountability, is correct. Accountability ensures that all actions within a system are traceable to a specific user or entity. Detailed audit trails and logging enable organizations to identify which account performed an action, which is critical for forensic analysis, compliance, and security monitoring. Key considerations include:

Unique user identification: Systems must authenticate users individually, ensuring that actions can be attributed accurately.

Comprehensive logging: All critical actions should be recorded, including file changes, access attempts, and system modifications.

Immutable logs: Logs should be protected against tampering to maintain trustworthiness.

Regulatory compliance: Standards such as PCI DSS, HIPAA, and SOX require the ability to trace actions back to individuals.

Maintaining accountability allows organizations to detect insider threats, investigate incidents effectively, and enforce policies. Shared accounts or weak logging practices compromise accountability, making it impossible to hold specific users responsible for their actions. Accountability is a cornerstone of secure system operations, ensuring that all activity can be traced and verified.
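An added example, not from the original page, combining two of the points above: each entry records the authenticated user, and the log is made tamper-evident by hash-chaining entries so that an after-the-fact edit to "who did what" breaks verification. The entries, paths and timestamps are constructed; a real deployment would also forward each head hash to an independent collector so a rewrite of the whole chain is detectable.

```python
import hashlib
import json

GENESIS = "0" * 64   # chain value before the first entry
FIELDS = ("ts", "user", "action", "target")


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of one entry bound to its predecessor (canonical JSON keeps hashing stable)."""
    payload = json.dumps({k: record[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained audit trail; every entry names the individual user."""

    def __init__(self):
        self.entries = []

    def append(self, ts: str, user: str, action: str, target: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"ts": ts, "user": user, "action": action, "target": target}
        record["prev"] = prev
        record["hash"] = entry_hash(prev, record)
        self.entries.append(record)
        return record["hash"]   # the head hash to ship off-host after each append

    def verify(self) -> int:
        """Index of the first entry whose link is broken (edited, deleted or reordered
        predecessor), or -1 if the whole chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != entry_hash(prev, e):
                return i
            prev = e["hash"]
        return -1

    def actors_on(self, target: str, actions=("modify", "delete")) -> list:
        """Attribution query an investigator asks: which accounts changed `target`?"""
        return [e["user"] for e in self.entries
                if e["target"] == target and e["action"] in actions]


def demo():
    """Constructed sample: three entries, then an attempt to rewrite the attribution."""
    log = AuditLog()
    log.append("2024-05-01T10:00:00Z", "alice", "read", "/etc/app/config.yml")
    log.append("2024-05-01T10:05:00Z", "bob", "modify", "/etc/app/config.yml")
    log.append("2024-05-01T10:06:00Z", "bob", "restart", "app.service")
    intact = log.verify()                      # -1: chain is intact
    actors = log.actors_on("/etc/app/config.yml")
    log.entries[1]["user"] = "mallory"         # tampering: change who made the modification
    return intact, actors, log.verify()        # verify() now reports entry 1
```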

Q198. A company wants to ensure that sensitive files stored in a cloud environment cannot be accessed by the cloud provider, even if the provider’s systems are compromised. The organization generates, manages, and stores encryption keys internally. Which encryption model does this scenario describe?

A) Provider-managed encryption
B) Customer-managed encryption with provider key storage
C) Customer-managed encryption with customer key storage
D) Provider-managed encryption with customer key storage

Answer: C) Customer-managed encryption with customer key storage

Explanation:

Option A, provider-managed encryption, involves the cloud provider generating and controlling the encryption keys. While this protects against casual exposure, the provider retains access and could decrypt data if required or compromised, making it unsuitable for scenarios where the organization requires full control.

Option B, customer-managed encryption with provider key storage, allows organizations to define encryption policies, but the keys are still stored within the provider’s infrastructure. This reduces control, as the provider maintains potential access to the keys.

Option D, provider-managed encryption with customer key storage, is not a feasible model because provider-managed encryption inherently relies on the provider’s key management. Storing the keys externally contradicts the provider-managed approach.

Option C, customer-managed encryption with customer key storage, is correct. In this model:

Key generation and storage: The organization generates and retains encryption keys, storing them in a secure environment separate from the provider.

Provider access: The cloud provider cannot access the keys or decrypt the data, ensuring confidentiality even if provider systems are breached.

Regulatory alignment: This model satisfies strict compliance requirements, including GDPR, HIPAA, and financial regulations.

Key lifecycle management: Organizations must implement policies for key creation, rotation, backup, and secure destruction. Loss of keys can render data unrecoverable, making robust key management essential.

This model provides the highest degree of cryptographic autonomy, balancing the convenience of cloud storage with strong control over sensitive information. Organizations can leverage cloud services without risking unauthorized access by third parties, including the provider itself.

Q199. A security administrator discovers that an employee’s account has been compromised due to reuse of credentials exposed in a previous breach. Automated tools are attempting to access multiple internal systems with these credentials. Which type of attack is occurring?

A) Brute-force attack
B) Credential stuffing
C) Password spraying
D) Keylogging

Answer: B) Credential stuffing

Explanation:

Option A, brute-force attack, involves attempting all possible password combinations for a single account. Brute-force is time-consuming and typically slower than attacks leveraging already exposed credentials.

Option C, password spraying, involves attempting a small set of common passwords across multiple accounts without relying on previously leaked credentials. While similar in targeting multiple accounts, password spraying is not credential-driven.

Option D, keylogging, is malware that records keystrokes to capture credentials. This is a method of stealing credentials, not a method of automated login using already known credentials.

Option B, credential stuffing, is correct. Credential stuffing exploits credential reuse by leveraging breached usernames and passwords to gain unauthorized access to multiple systems. Important aspects include:

Automation: Tools attempt large volumes of login requests quickly.

Scale: Attackers can target many systems within the same organization or across multiple organizations.

Indicators: Rapid login attempts, failed logins from unusual locations, and repeated use of known compromised credentials.

Mitigation strategies: Enforcing unique passwords per system, deploying MFA, monitoring login anomalies, and educating users about secure password practices.

Credential stuffing exploits human behavior, particularly password reuse, and represents a significant threat to organizations, emphasizing the need for comprehensive authentication security measures.

Q200. During a penetration test, a Linux server has a root-owned cron job executing a script every five minutes. The script is writable by all users. Which type of attack could be performed next?

A) Privilege escalation
B) Lateral movement
C) Credential harvesting
D) Pivoting

Answer: A) Privilege escalation

Explanation:

Option B, lateral movement, involves moving from a compromised host to others in the network. While privilege escalation may facilitate lateral movement, it is not the immediate risk.

Option C, credential harvesting, targets stored passwords or tokens. Writable cron jobs do not directly expose credentials, so this is unrelated.

Option D, pivoting, uses a compromised host to attack other systems, which may follow privilege escalation but is not the initial threat vector here.

Option A, privilege escalation, is correct. Writable root-owned cron jobs allow an attacker to modify scripts executed with root privileges, effectively gaining full administrative access. Key points include:

Misconfiguration: Scripts owned by root should not be writable by all users. Improper permissions expose critical system functions.

Exploitation: The attacker inserts commands that execute with root privileges when the cron job runs.

Impact: Full control of the system, installation of persistent malware, ability to modify logs, and compromise of sensitive data.

Mitigation: Restrict file permissions, enforce least privilege, audit cron jobs regularly, monitor critical scripts for changes, and implement intrusion detection systems.

Writable cron jobs are a well-known vector for local privilege escalation in Linux. Proper system hardening and continuous monitoring are essential to prevent exploitation, maintain system integrity, and reduce risk from attackers exploiting misconfigurations.
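An added example, not from the original page, of the "audit cron jobs regularly" mitigation: a check that flags files run with root's privileges which non-root users can edit or replace, including the case where the script is fine but its parent directory is writable. The cron directories listed are common Linux defaults and the demo tree is constructed (owned by the current user, which stands in for root there).

```python
import os
import stat
import tempfile
from pathlib import Path

# Common locations of system cron entries and scripts on Linux (assumed defaults).
CRON_DIRS = ("/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily",
             "/etc/cron.weekly", "/etc/cron.monthly")


def writable_by_non_owner(st: os.stat_result) -> bool:
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_path(path: Path, privileged_uid: int = 0) -> list:
    """Findings for one cron entry or script, as (path, reason) tuples.

    Flags the misconfiguration from the question: a file owned by the privileged user that
    group or world can write, plus the related case of a replaceable file in a writable
    directory (the sticky bit on the directory removes that second risk)."""
    findings = []
    st = path.lstat()
    if stat.S_ISLNK(st.st_mode):
        findings.append((str(path), "symlink; audit the target and its directory"))
        return findings
    if st.st_uid == privileged_uid and writable_by_non_owner(st):
        findings.append((str(path), "root-owned but group/world writable (mode %o)"
                         % stat.S_IMODE(st.st_mode)))
    parent = path.parent.stat()
    if writable_by_non_owner(parent) and not (parent.st_mode & stat.S_ISVTX):
        findings.append((str(path), "parent directory writable by non-owner; file can be replaced"))
    return findings


def audit_dirs(dirs=CRON_DIRS, privileged_uid: int = 0) -> list:
    """Audit every entry in the given directories; missing directories are skipped."""
    findings = []
    for d in dirs:
        p = Path(d)
        if p.is_dir():
            for child in sorted(p.iterdir()):
                findings.extend(audit_path(child, privileged_uid))
    return findings


def demo() -> list:
    """Constructed sample tree: one correctly permissioned script and one world-writable one.
    Files are owned by the current user, so that uid is passed as the privileged one."""
    root = Path(tempfile.mkdtemp())            # mode 0700, so the parent check stays quiet
    good = root / "cleanup.sh"
    bad = root / "backup.sh"
    for f in (good, bad):
        f.write_text("#!/bin/sh\necho job\n")
    os.chmod(good, 0o755)
    os.chmod(bad, 0o777)
    return [(Path(p).name, reason)
            for p, reason in audit_dirs([str(root)], privileged_uid=os.getuid())]
```

Run against the real directories as root (`audit_dirs()`), the same function produces the list of scripts to fix with `chmod 755` and, where a script is not meant to change at all, to place under file-integrity monitoring.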

 
