CompTIA SY0-701 Security+ Exam Dumps and Practice Test Questions Set2 Q21-40
Q21. A security analyst detects repeated failed login attempts from multiple IP addresses targeting different accounts over a short period. Which type of attack is most likely occurring?
A. Brute-force attack
B. Password spraying
C. Man-in-the-middle attack
D. Phishing
Answer: B. Password spraying
Explanation:
Brute-force attacks are highly systematic attempts to guess a password by trying every possible combination until the correct one is discovered. These attacks usually focus on a single account or a small subset of accounts. Because brute-force attacks generate an extremely high number of login attempts, they are likely to trigger account lockouts or alert security monitoring systems. They also require substantial computational resources, especially for complex passwords. For instance, attempting a full brute-force attack against a system using 12-character alphanumeric passwords could take years, making brute force less practical in large-scale, distributed attack scenarios.
Password spraying is correct. Unlike brute-force attacks, password spraying attempts a small number of common passwords (e.g., “Password123,” “Welcome2025”) against many accounts to avoid detection or triggering account lockouts. Attackers exploit predictable human behavior in password creation. In the scenario, multiple failed login attempts across many accounts from different IP addresses indicate password spraying. Attackers often distribute attempts via botnets or proxies to mask their origin. Password spraying attacks are increasingly effective because they target weak human habits rather than technical flaws, making organizations with poor password policies particularly vulnerable.
Detection and mitigation strategies include:
Monitoring login failure rates across accounts to identify suspicious patterns.
Enforcing account lockout policies after a limited number of failed attempts.
Requiring multi-factor authentication (MFA) to protect against password-only attacks.
Implementing robust password policies encouraging complex, unique passwords.
Logging and analyzing geolocation anomalies to detect rapid attempts from diverse regions.
Man-in-the-middle (MITM) attacks intercept communications between two parties, potentially allowing attackers to eavesdrop, manipulate data, or inject malicious content. MITM attacks are not primarily associated with repeated failed login attempts. While MITM attacks can capture credentials if communication is unencrypted, they do not involve automated, repeated login attempts across multiple accounts.
Phishing relies on social engineering techniques to trick users into disclosing sensitive information, such as usernames and passwords. Although phishing can result in unauthorized access, it does not involve automated, repeated login attempts from multiple IP addresses.
In practice, password spraying represents one of the most common initial attack vectors against large organizations, especially when password policies are weak. By combining automated monitoring and behavioral analysis, security teams can identify these attacks early and implement mitigation strategies such as MFA enforcement, proactive user education, and adaptive login controls.
Q22. An organization wants to ensure that employees can access cloud resources only from authorized devices that meet specific security standards. Which security model should be implemented?
A. Role-based access control
B. Attribute-based access control
C. Mandatory access control
D. Discretionary access control
Answer: B. Attribute-based access control
Explanation:
Role-based access control (RBAC) grants permissions based on an individual’s role within an organization. For example, an HR employee may have access to personnel records while an IT administrator has system configuration permissions. While RBAC is effective for managing access by job responsibilities, it does not account for dynamic contextual factors, such as device security posture, geolocation, or time of access. In environments where conditional access is required, RBAC alone is insufficient.
Attribute-based access control (ABAC) is correct. ABAC evaluates access requests based on attributes, including:
User attributes: Role, department, security clearance.
Resource attributes: Sensitivity level, classification, ownership.
Environmental attributes: Time, geolocation, device health, risk score.
In this scenario, access is granted only if the employee’s device meets security standards (e.g., latest OS patch, antivirus active, encrypted storage). ABAC enables fine-grained access control by evaluating multiple dynamic factors in real time, aligning perfectly with zero-trust security principles. For example, a user trying to access cloud resources from an outdated laptop would be denied access, even if their credentials are valid.
Mandatory access control (MAC) enforces strict policies based on security labels assigned to data and users (e.g., Top Secret, Confidential). MAC is rigid and does not accommodate dynamic device or contextual evaluation, making it unsuitable for cloud conditional access scenarios.
Discretionary access control (DAC) allows users to grant access to resources they own. This model lacks centralized enforcement and does not evaluate device compliance, leaving organizations vulnerable to unauthorized access.
Implementing ABAC allows organizations to dynamically enforce security policies, including device compliance checks, geolocation restrictions, and session duration limits. ABAC integrates well with modern cloud identity providers and endpoint management systems, enhancing visibility and control over access decisions while reducing risk from compromised devices.
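As an added illustration of the ABAC decision described above (not part of the question bank), the following evaluator denies by default and allows a request only when user, resource and environment attributes all satisfy a rule; the policy, attribute names and the "outdated laptop" request are constructed.

```python
"""Attribute-based access decision for the cloud scenario in Q22: a request
is allowed only when user, resource and environment attributes satisfy a
rule. Added example; policy and attribute names are constructed."""
import copy

# Constructed policy. Each rule lists constraints per attribute category:
#   plain value      -> attribute must equal it
#   set value        -> attribute must be one of the members
#   ("max", n)       -> attribute must be <= n (used for the risk score)
POLICY = [
    {
        "name": "finance-confidential-from-managed-device",
        "user": {"department": "finance", "role": {"analyst", "manager"}},
        "resource": {"classification": "confidential"},
        "environment": {
            "device_managed": True,
            "os_patched": True,
            "av_active": True,
            "disk_encrypted": True,
            "risk_score": ("max", 40),
            "country": {"US", "CA"},
        },
    },
]


def _satisfied(constraint, value):
    if isinstance(constraint, tuple) and constraint[0] == "max":
        return value is not None and value <= constraint[1]
    if isinstance(constraint, (set, frozenset, list)):
        return value in constraint
    return value == constraint


def rule_matches(rule, request):
    """Every constraint in every category must hold; a missing attribute
    never satisfies a constraint, so the outcome is deny by default."""
    for category in ("user", "resource", "environment"):
        attrs = request.get(category, {})
        for key, constraint in rule.get(category, {}).items():
            if not _satisfied(constraint, attrs.get(key)):
                return False
    return True


def decide(request, policy=POLICY):
    """Return ("allow", rule name) or ("deny", reason)."""
    for rule in policy:
        if rule_matches(rule, request):
            return ("allow", rule["name"])
    return ("deny", "no rule satisfied")


def explain_denial(request, policy=POLICY):
    """List the constraints that failed, which is what a help desk needs
    when a user with valid credentials is still refused."""
    failures = []
    for rule in policy:
        for category in ("user", "resource", "environment"):
            attrs = request.get(category, {})
            for key, constraint in rule.get(category, {}).items():
                if not _satisfied(constraint, attrs.get(key)):
                    failures.append(f"{rule['name']}: {category}.{key}")
    return failures


# Constructed request from a compliant, managed laptop
COMPLIANT_REQUEST = {
    "user": {"id": "u1", "department": "finance", "role": "analyst"},
    "resource": {"classification": "confidential"},
    "environment": {"device_managed": True, "os_patched": True,
                    "av_active": True, "disk_encrypted": True,
                    "risk_score": 12, "country": "US"},
}


def outdated_laptop_request():
    """Same user and credentials, but the device posture check fails."""
    req = copy.deepcopy(COMPLIANT_REQUEST)
    req["environment"]["os_patched"] = False
    return req


if __name__ == "__main__":
    print(decide(COMPLIANT_REQUEST))
    print(decide(outdated_laptop_request()), explain_denial(outdated_laptop_request()))
```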
Q23. During a penetration test, a tester discovers a web application that accepts user input in a form field but does not validate or sanitize it. By submitting crafted input, the tester can execute operating system commands on the server. Which type of attack is this?
A. Cross-site scripting
B. SQL injection
C. Command injection
D. Path traversal
Answer: C. Command injection
Explanation:
Cross-site scripting (XSS) targets end users by injecting malicious scripts into web pages. XSS operates on the client side, executing code in a victim’s browser rather than on the server. While dangerous for users, it does not allow attackers to execute commands directly on the server’s operating system.
SQL injection involves manipulating SQL queries to access or modify data in backend databases. While highly impactful, SQL injection is distinct from command injection and does not allow execution of arbitrary OS-level commands unless chained with other vulnerabilities.
Command injection is correct. When a web application directly passes unsanitized user input to the underlying operating system, attackers can execute arbitrary commands. This type of vulnerability is extremely dangerous because it may allow:
Complete server compromise.
Privilege escalation if the application runs with elevated permissions.
Access to sensitive files, system configuration, or network resources.
Installation of persistent malware or backdoors.
Mitigation strategies include:
Proper input validation and sanitization.
Use of secure APIs that avoid direct shell command execution.
Restricting application privileges with least privilege principles.
Application layer firewall rules to block suspicious commands.
Path traversal attacks exploit insecure file path handling to access unauthorized files. While it allows access to system files, it does not execute arbitrary OS commands.
Command injection is considered a critical vulnerability under OWASP guidelines. Successful exploitation can compromise entire systems, often bypassing application-level controls and directly threatening network infrastructure.
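To make the mitigation concrete, here is an added example (not from the question bank) of the vulnerable pattern next to a hardened one for a hypothetical form field that names a host to ping; the function names are assumptions.

```python
"""The form-field flaw in Q23, shown as the vulnerable pattern next to the
hardened one, for a hypothetical 'host' field used to ping a server.
Added example; function names are assumptions."""
import re
import subprocess

# Vulnerable pattern: the untrusted field is spliced into a command string
# meant for a shell, so shell metacharacters in the value change what the
# shell executes. Kept only for contrast; it builds the string, never runs it.
def build_vulnerable_cmd(host):
    return "ping -c 1 " + host          # would be passed with shell=True


# Hardened pattern, three layers:
#  1. allowlist validation of the field against a strict hostname grammar
#  2. no shell at all: program and arguments are passed as a list
#  3. bounded execution (timeout); run the app itself with least privilege
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)"                                    # total length
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"      # first label
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"  # more labels
)


def is_valid_hostname(value):
    """Letters, digits, hyphens and dots only; rejects spaces, metacharacters
    and anything starting with '-' (which ping would read as an option)."""
    return isinstance(value, str) and HOSTNAME_RE.fullmatch(value) is not None


def build_hardened_argv(host):
    if not is_valid_hostname(host):
        raise ValueError("rejected host field")
    # A list argv is passed straight to execve; no shell ever parses it.
    return ["ping", "-c", "1", host]


def run_ping(host, timeout=5):
    """Execute the hardened form. shell=False is the default for a list."""
    result = subprocess.run(build_hardened_argv(host), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.returncode, result.stdout


if __name__ == "__main__":
    print(build_hardened_argv("example.com"))
    print(is_valid_hostname("example.com;x"))   # False: rejected before any exec
```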
Q24. A company is implementing cloud security controls to restrict access to sensitive data. Employees must authenticate using a unique password and a time-based one-time password (TOTP) generated by an app. Which type of authentication is being enforced?
A. Single-factor authentication
B. Two-factor authentication
C. Biometric authentication
D. Certificate-based authentication
Answer: B. Two-factor authentication
Explanation:
Single-factor authentication (SFA) involves only one form of verification, usually a password. While SFA is convenient, it is insufficient for protecting high-value data, as compromised credentials alone can lead to unauthorized access.
Two-factor authentication (2FA) is correct. 2FA combines two independent factors:
Something you know: A password or PIN.
Something you have: A TOTP generated by an authenticator app or hardware token.
This layered approach significantly increases security. Even if an attacker obtains a password, access is blocked without the second factor. For example, cloud providers like AWS, Google Workspace, and Microsoft 365 strongly recommend 2FA to mitigate phishing and credential theft.
Biometric authentication uses physical characteristics such as fingerprints or facial recognition. While strong, it is not part of this scenario.
Certificate-based authentication relies on digital certificates and public-private key pairs. Certificates provide strong machine-based authentication but do not match the described password + TOTP scenario.
Implementing 2FA reduces the effectiveness of phishing, credential stuffing, and keylogging attacks. In enterprise environments, it is often combined with adaptive authentication policies, which consider risk factors such as login location, device compliance, and unusual access patterns. 2FA is a critical control in zero-trust security frameworks.
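The TOTP second factor in this question works as follows; the code below is an added example (not from the question bank) implementing RFC 6238 generation and server-side verification, checked against the RFC's own test vectors. The acceptance window and replay rule are assumptions about server policy.

```python
"""Time-based one-time passwords (RFC 6238) as generated by an authenticator
app and verified by the server; the second factor in Q24. Added example;
the acceptance window and replay rule are assumptions, not from the page."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 reference secret (ASCII "12345678901234567890"), used so the
# output can be checked against the RFC's published test vectors.
RFC_SECRET = b"12345678901234567890"


def decode_base32_secret(text):
    """Authenticator apps share the seed as base32; restore padding first."""
    clean = text.strip().replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


def hotp(secret, counter, digits=6):
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamic truncation, then the low 'digits' decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP is HOTP with the counter derived from the Unix time step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1,
                last_counter=None):
    """Return the matching time-step counter, or None if the code is invalid.
    Accepts +/-window steps for clock drift and refuses any counter at or
    below last_counter, so a code captured once cannot be replayed."""
    if at is None:
        at = int(time.time())
    base = at // step
    for k in range(-window, window + 1):
        counter = base + k
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), str(code)):
            return counter
    return None


if __name__ == "__main__":
    print(totp(RFC_SECRET, at=59, digits=8))    # RFC 6238 vector: 94287082
    print(totp(RFC_SECRET))                     # current 6-digit code
```

A server should persist the counter returned by verify_totp for each user and pass it back as last_counter on the next attempt.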
Q25. During a security audit, it is found that multiple employees are sharing credentials to access a corporate system. This violates internal policies and introduces risk. Which security principle is being violated?
A. Accountability
B. Separation of duties
C. Least privilege
D. Role rotation
Answer: A. Accountability
Explanation:
Accountability is correct. Accountability ensures that all actions on a system can be traced to a specific individual. When credentials are shared, the organization cannot determine who performed specific activities, compromising auditing, incident response, and compliance. Accountability is a key principle in regulatory frameworks like HIPAA, PCI DSS, and GDPR, which require organizations to maintain logs that link actions to individuals.
Separation of duties divides responsibilities to prevent fraud or errors. While separation of duties improves internal control, the primary issue here is the inability to trace actions to individuals, not task division.
Least privilege limits access to only the permissions required for a user’s role. Credential sharing bypasses this principle, but the main violation is the loss of traceability rather than excessive access.
Role rotation changes employee responsibilities periodically to reduce insider threats. Credential sharing is unrelated to role rotation.
Shared credentials introduce risks such as unauthorized system changes, insider threats, and compliance violations. Mitigation measures include implementing unique accounts, enforcing multifactor authentication, monitoring login activity, and educating employees on the risks of password sharing. Maintaining accountability also enables forensic investigations in the event of a security incident.
Q26. A security team notices that an attacker exploited a misconfigured cloud storage bucket to gain access to sensitive company data. The attacker did not require stolen credentials but accessed the data openly available on the internet. Which type of security misconfiguration is most likely responsible?
A. Open S3 bucket
B. Weak password policy
C. Unpatched software
D. Improper firewall rules
Answer: A. Open S3 bucket
Explanation:
Open S3 bucket is correct. Cloud storage misconfigurations, especially in services like Amazon S3, can leave sensitive data publicly accessible. When bucket permissions are set incorrectly, anyone on the internet can read, modify, or delete the contents without authentication. This is a common cause of data breaches. Attackers can discover these open buckets using automated scanning tools, which search for publicly exposed endpoints.
Open buckets often contain sensitive information such as customer PII, financial reports, or internal documents. In this scenario, the attacker did not need credentials, indicating that the misconfiguration was at the access-control level rather than authentication. Open cloud storage is a high-risk misconfiguration because it bypasses all account-based protections and is easily exploited by both internal and external threat actors.
Mitigation strategies include:
Enforcing strict access control policies using role-based or attribute-based access controls.
Regularly auditing cloud storage permissions for public accessibility.
Encrypting sensitive data at rest and using audit logs to monitor access.
Implementing automated tools to detect misconfigurations across cloud assets.
Weak password policies do not apply in this scenario because the attacker did not use credentials. Password policies are relevant to protecting accounts but cannot prevent unauthorized access to publicly exposed data.
Unpatched software could be exploited to gain access to systems through known vulnerabilities. However, in this scenario, no exploitation of software flaws is indicated—the data was accessible due to misconfigured permissions.
Improper firewall rules typically control inbound and outbound network traffic, restricting unauthorized access. However, firewalls alone do not prevent access to publicly exposed cloud storage if permissions are set incorrectly.
Open cloud storage remains one of the leading causes of unintentional data exposure. Organizations should combine access control audits, monitoring, encryption, and automated compliance tools to reduce risk. Awareness and proper configuration management are crucial in modern cloud environments.
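The "regularly auditing cloud storage permissions" item above can be partly automated. The checker below is an added example (not from the question bank and not an AWS tool): it reads a bucket policy document and flags Allow statements whose principal is everyone; the two policies are constructed.

```python
"""Check an S3 bucket policy document for statements that make the bucket
readable or writable by anyone, the misconfiguration behind Q26. Added
example: the policies are constructed and this is a stand-alone checker."""
import json

# Actions that let an anonymous caller change or remove data (lower-cased)
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl",
                 "s3:putbucketpolicy", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal):
    """Principal "*" or {"AWS": "*"} grants the statement to any caller,
    including unauthenticated ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_grants(policy_json):
    """Return one finding per Allow statement with an everyone principal."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_everyone(stmt.get("Principal", {})):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        grants_write = any(a in WRITE_ACTIONS for a in actions)
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": actions,
            "resources": _as_list(stmt.get("Resource", [])),
            # A Condition may narrow the grant (e.g. to one VPC endpoint);
            # it still needs human review rather than being ignored.
            "conditional": "Condition" in stmt,
            "severity": "critical" if grants_write else "high",
        })
    return findings


# Constructed: the open bucket from the scenario (account id is a placeholder)
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AnyoneCanWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed: the corrected policy, scoped to one role plus a Deny guard
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


if __name__ == "__main__":
    for finding in find_public_grants(OPEN_POLICY):
        print(finding)
    print("restricted policy findings:", find_public_grants(RESTRICTED_POLICY))
```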
Q27. A cybersecurity analyst observes that a user’s credentials were used to access multiple applications and services from unfamiliar IP addresses, but there is no evidence of malware on the endpoint. Which attack type does this behavior most likely indicate?
A. Password spraying
B. Credential stuffing
C. Man-in-the-browser attack
D. Insider threat
Answer: B. Credential stuffing
Explanation:
Password spraying involves trying a few commonly used passwords across many accounts. In this scenario, the credentials were already valid, and the attacker successfully authenticated, making password spraying unlikely.
Credential stuffing is correct. Credential stuffing occurs when attackers leverage previously leaked or stolen username-password pairs and attempt automated logins on multiple services. This attack exploits password reuse across services. The evidence of access from unfamiliar IP addresses without malware on the endpoint strongly indicates that the credentials were compromised elsewhere and reused to gain unauthorized access.
Attackers commonly obtain credentials from public breaches, forums, or dark web marketplaces. They often use bots to test credentials across multiple platforms. Successful credential stuffing can lead to account takeover, financial loss, data exfiltration, and further compromise of connected systems.
Mitigation strategies include:
Enforcing multi-factor authentication (MFA) to prevent login even with stolen credentials.
Implementing login anomaly detection to flag suspicious IP addresses or device locations.
Educating users about password reuse risks and encouraging unique, strong passwords.
Employing rate-limiting or IP reputation filtering to mitigate automated attack attempts.
Man-in-the-browser attacks involve malware that intercepts or modifies browser transactions, often targeting financial data. Since no malware is detected, this option is less likely.
Insider threats involve employees or trusted parties misusing access. While possible, the pattern of external IP logins suggests external attackers rather than insiders.
Credential stuffing remains a critical threat in environments with weak password hygiene. Organizations that rely solely on password-based authentication are especially vulnerable. Strong password policies, MFA, and continuous monitoring are key defenses.
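The monitoring items in Q21 (failure patterns that separate brute force from password spraying) and in Q27 (successful logins from unfamiliar addresses) can be checked with one pass over an authentication log. The code below is an added example, not from the question bank; the log lines, baseline addresses and thresholds are constructed.

```python
"""Detect the login patterns discussed in Q21 (brute force versus password
spraying) and Q27 (credential stuffing) in authentication log lines.
Added example; the log lines, baseline IPs and thresholds are constructed."""
from collections import defaultdict

# Constructed log lines: "<timestamp> <user> <source-ip> <OK|FAIL>"
SAMPLE_LOG = """\
2025-01-10T08:00:01 alice 203.0.113.10 FAIL
2025-01-10T08:00:02 alice 203.0.113.10 FAIL
2025-01-10T08:00:03 alice 203.0.113.10 FAIL
2025-01-10T08:00:04 alice 203.0.113.10 FAIL
2025-01-10T08:00:05 alice 203.0.113.10 FAIL
2025-01-10T08:00:06 alice 203.0.113.10 FAIL
2025-01-10T08:01:00 bob 198.51.100.21 FAIL
2025-01-10T08:01:01 carol 198.51.100.22 FAIL
2025-01-10T08:01:02 dave 198.51.100.23 FAIL
2025-01-10T08:01:03 erin 198.51.100.21 FAIL
2025-01-10T08:01:04 frank 198.51.100.24 FAIL
2025-01-10T08:02:00 grace 192.0.2.77 OK
2025-01-10T08:02:30 henry 192.0.2.78 OK
2025-01-10T08:03:00 alice 10.0.0.2 OK
"""

# Constructed baseline: addresses each user has logged in from before
KNOWN_IPS = {"alice": {"10.0.0.2"}, "grace": {"10.0.0.5"}, "henry": {"10.0.0.6"}}


def parse_log(text):
    """Turn raw lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, result = parts
        events.append({"ts": ts, "user": user, "ip": ip, "ok": result == "OK"})
    return events


def classify(events, known_ips, fail_threshold=5, spray_accounts=5):
    """Three signatures over one window of events (assumed time-ordered):
    brute force         -> one account with >= fail_threshold failures
    password spraying   -> >= spray_accounts distinct accounts that each fail
                           only a few times, so per-account lockout never trips
    credential stuffing -> a success from an address the user never used, with
                           no prior failure (the password was already valid)
    """
    fails_per_user = defaultdict(int)
    findings = {"brute_force": set(), "password_spraying": set(),
                "credential_stuffing": set()}
    for e in events:
        if not e["ok"]:
            fails_per_user[e["user"]] += 1
            continue
        unfamiliar = e["ip"] not in known_ips.get(e["user"], set())
        if unfamiliar and fails_per_user[e["user"]] == 0:
            findings["credential_stuffing"].add((e["user"], e["ip"]))
    low_fail_accounts, spray_sources = set(), set()
    for e in events:
        if e["ok"]:
            continue
        if fails_per_user[e["user"]] >= fail_threshold:
            findings["brute_force"].add(e["user"])
        else:
            low_fail_accounts.add(e["user"])
            spray_sources.add(e["ip"])
    if len(low_fail_accounts) >= spray_accounts:
        findings["password_spraying"] = spray_sources
    return findings


if __name__ == "__main__":
    for kind, hits in classify(parse_log(SAMPLE_LOG), KNOWN_IPS).items():
        print(f"{kind}: {sorted(hits)}")
```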
Q28. A penetration tester discovers that a web application stores sensitive data such as passwords and tokens in plaintext within client-side cookies. Which type of vulnerability does this scenario demonstrate?
A. Cross-site request forgery (CSRF)
B. Insecure storage
C. Broken access control
D. Clickjacking
Answer: B. Insecure storage
Explanation:
Cross-site request forgery (CSRF) occurs when an attacker tricks a user into performing unintended actions on a web application in which they are authenticated. While dangerous, CSRF does not involve storing sensitive data in client-side cookies.
Insecure storage is correct. Storing sensitive information such as passwords, session tokens, or personal data in plaintext on the client side exposes users to multiple attack vectors. An attacker who gains access to the device or browser can extract this information, compromising accounts. Modern security best practices dictate that sensitive data should never be stored in plaintext on the client side. If storage is required, data should be encrypted with strong algorithms and protected using secure attributes, including HttpOnly and Secure flags on cookies.
Insecure storage is particularly risky in shared devices, public networks, or environments where malware could access browser data. It can facilitate session hijacking, account takeover, or identity theft. Mitigation strategies include:
Using encrypted storage mechanisms (e.g., encrypted cookies or secure local storage).
Avoiding storage of passwords or highly sensitive information on the client side.
Implementing short-lived tokens with automatic expiration to reduce exposure if data is compromised.
Broken access control occurs when users can access data or functionality they shouldn’t, often due to misconfigured permissions. While serious, it is unrelated to insecure client-side storage.
Clickjacking tricks users into clicking hidden or disguised elements on a webpage, resulting in unintended actions. This is unrelated to cookie storage vulnerabilities.
Secure client-side storage is a fundamental principle in web application security. Organizations should enforce secure session management, implement encryption, and periodically audit applications for insecure storage practices to protect sensitive user data.
Q29. A security engineer detects unusual network traffic consisting of periodic connections from internal devices to an unknown external server, which appears to issue commands to those devices. The devices also show signs of performing distributed denial-of-service attacks externally. Which type of malware behavior is this?
A. Ransomware

B. Botnet participation
C. Spyware
D. Logic bomb
Answer: B. Botnet participation
Explanation:
Ransomware encrypts files on infected devices and demands payment for decryption. While impactful, ransomware does not typically exhibit periodic command-and-control communication for DDoS activity.
Botnet participation is correct. In this scenario, compromised internal devices are communicating with a command-and-control (C2) server, receiving instructions, and participating in external attacks such as DDoS. Botnets allow attackers to control many devices remotely, leveraging them for malicious activity without the owner’s knowledge. Common botnet activities include:
Distributed denial-of-service (DDoS) attacks.
Spam campaigns.
Cryptocurrency mining.
Data exfiltration.
Botnet infections often involve malware that hides C2 communication to avoid detection. Mitigation includes endpoint monitoring, network traffic analysis, isolating infected devices, and applying robust anti-malware solutions. Organizations should implement network segmentation and anomaly detection to detect unusual command-and-control traffic.
Spyware passively collects sensitive information such as keystrokes or screenshots. While spyware can communicate with external servers, it is not typically associated with actively participating in network attacks like DDoS.
Logic bombs trigger malicious actions under specific conditions (e.g., a particular date or event) but do not exhibit periodic command-and-control communication as part of a botnet.
Botnet detection and mitigation require a combination of network traffic analysis, endpoint protection, threat intelligence, and rapid isolation of compromised systems. Proactive monitoring can prevent internal devices from being leveraged in large-scale attacks.
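The "periodic connections" in this scenario are the signal network traffic analysis looks for. As an added example (not from the question bank), the code below groups connection records by source and destination and flags pairs that reach an external address at near-constant intervals; the flow records and thresholds are constructed.

```python
"""Spot the periodic command-and-control beaconing from Q29 in connection
records: a (source, destination) pair that talks to an external address at
near-constant intervals. Added example; records and thresholds are constructed."""
import ipaddress
import statistics
from collections import defaultdict

# Constructed flow records: (unix_time, source_ip, destination_ip)
FLOWS = [
    # internal host checking in with an external server about every 60 s
    (1736496000, "10.0.0.15", "203.0.113.50"),
    (1736496060, "10.0.0.15", "203.0.113.50"),
    (1736496121, "10.0.0.15", "203.0.113.50"),
    (1736496180, "10.0.0.15", "203.0.113.50"),
    (1736496240, "10.0.0.15", "203.0.113.50"),
    (1736496300, "10.0.0.15", "203.0.113.50"),
    (1736496361, "10.0.0.15", "203.0.113.50"),
    # ordinary browsing: bursts with irregular gaps
    (1736496005, "10.0.0.20", "198.51.100.9"),
    (1736496010, "10.0.0.20", "198.51.100.9"),
    (1736496130, "10.0.0.20", "198.51.100.9"),
    (1736496163, "10.0.0.20", "198.51.100.9"),
    (1736496563, "10.0.0.20", "198.51.100.9"),
    (1736496570, "10.0.0.20", "198.51.100.9"),
    # periodic but internal (polling an internal service): ignored here
    (1736496001, "10.0.0.15", "10.0.0.1"),
    (1736496061, "10.0.0.15", "10.0.0.1"),
    (1736496121, "10.0.0.15", "10.0.0.1"),
    (1736496181, "10.0.0.15", "10.0.0.1"),
    (1736496241, "10.0.0.15", "10.0.0.1"),
    (1736496301, "10.0.0.15", "10.0.0.1"),
]

# RFC 1918 plus loopback and link-local count as internal; the documentation
# ranges used in the sample therefore count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def interval_stats(times):
    """Mean gap and coefficient of variation (stdev/mean) between connections.
    Beacons have a low CV even with jitter; human traffic does not."""
    ordered = sorted(times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(flows, min_connections=5, max_cv=0.15):
    """Return pairs whose external connections are both numerous and regular."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections or not is_external(dst):
            continue
        mean, cv = interval_stats(times)
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "count": len(times),
                            "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(FLOWS):
        print(b)
```

Real C2 implants add deliberate jitter, so the CV threshold and minimum count are tuning knobs, and an internal pair is only skipped here to keep the sample small.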
Q30. During a security review, it is discovered that an organization’s mobile devices are not encrypted, and sensitive data such as emails, contact information, and corporate documents are stored in plaintext. If a device is lost or stolen, which security principle is primarily violated?
A. Confidentiality
B. Availability
C. Integrity
D. Authentication
Answer: A. Confidentiality
Explanation:
Confidentiality is correct. Confidentiality ensures that sensitive information is accessible only to authorized individuals. Storing unencrypted data on mobile devices exposes sensitive information to unauthorized access if the device is lost or stolen. Attackers or unauthorized individuals could extract emails, contacts, or corporate documents, violating confidentiality principles. Encryption protects data at rest, rendering it unreadable to unauthorized users and significantly reducing the risk of data breaches.
Mitigation strategies include:
Enforcing full-disk encryption on mobile devices.
Implementing mobile device management (MDM) solutions to enforce encryption policies.
Remote wipe capabilities to delete data if a device is lost or stolen.
Strong device authentication using passwords, PINs, or biometrics.
Availability ensures that data and systems are accessible when needed. While important, lack of encryption does not impact availability directly.
Integrity ensures data remains unaltered and trustworthy. Encryption protects confidentiality but does not inherently verify integrity unless combined with cryptographic signatures.
Authentication confirms the identity of users or devices. While device authentication is important, the primary issue in this scenario is exposure of sensitive data, not unauthorized login.
Confidentiality is a core principle of information security (CIA triad), and mobile device encryption is a fundamental control for protecting corporate and personal data, especially in an era where remote work and mobile access are pervasive.
Q31. A company wants to prevent unauthorized devices from connecting to its corporate Wi-Fi network. Only registered devices with approved security configurations should be allowed. Which security control is most appropriate?
A. Network access control (NAC)
B. VLAN segmentation
C. Port security
D. VPN enforcement
Answer: A. Network access control (NAC)
Explanation:
Network access control (NAC) is correct. NAC solutions enforce security policies on devices attempting to access a network. These policies can include device authentication, operating system version, presence of endpoint protection, patch level, and other compliance checks. NAC can allow, deny, or place non-compliant devices into a restricted network segment until they meet the security requirements. In this scenario, NAC ensures that only registered and secure devices can connect to the corporate Wi-Fi, reducing the risk of unauthorized access, malware introduction, and lateral movement within the network.
NAC solutions operate in various ways: agent-based, agentless, or cloud-managed, providing flexibility for different environments. They are particularly effective in organizations with BYOD (Bring Your Own Device) policies or guest network access, as they can enforce compliance dynamically. NAC also integrates with existing identity and access management (IAM) systems for centralized control and auditing.
VLAN segmentation isolates traffic at the network level but does not enforce device compliance before access. While useful for separating guest Wi-Fi from corporate systems, VLANs alone cannot ensure unauthorized devices are blocked.
Port security restricts switch ports to known MAC addresses, preventing unauthorized devices from connecting at the hardware level. However, it is limited to specific switch ports and cannot verify device configuration or security compliance, making it less effective for large-scale wireless environments.
VPN enforcement secures remote connections by encrypting traffic but does not control which devices connect to a local Wi-Fi network. VPNs are relevant for remote access security rather than on-premises device authorization.
NAC is a proactive solution that prevents unauthorized access, ensures endpoint compliance, and enhances overall network security by integrating device posture assessment with policy enforcement.
Q32. A security analyst notices unusual outbound traffic from multiple internal servers to an unknown external IP, followed by the sudden appearance of cryptocurrency mining processes. Which type of attack is likely taking place?
A. Ransomware infection
B. Botnet exploitation
C. Cryptojacking
D. Data exfiltration
Answer: C. Cryptojacking
Explanation:
Ransomware infection encrypts files and demands a ransom for decryption. While ransomware can cause operational disruption, it does not typically involve silent cryptocurrency mining processes or anomalous outbound traffic unrelated to encryption.
Botnet exploitation involves compromised devices under centralized command-and-control (C2) infrastructure, often used for DDoS attacks or spam campaigns. While similar, the observed behavior is specific to mining cryptocurrency rather than coordinated attack traffic.
Cryptojacking is correct. Cryptojacking occurs when an attacker secretly installs malware or scripts that use system resources to mine cryptocurrency without the user’s consent. Indicators include:
Sudden spikes in CPU/GPU usage.
Anomalous outbound traffic to mining pools or unknown servers.
Appearance of unfamiliar processes or applications running in the background.
Cryptojacking is often stealthy, avoiding immediate detection, as attackers aim to exploit computing resources over an extended period for financial gain. It can affect desktops, servers, and cloud infrastructure. Mitigation strategies include endpoint monitoring, application allowlisting, network traffic inspection, and restricting access to known mining pools or suspicious IP addresses.
Data exfiltration involves transferring sensitive data outside the organization. While outbound traffic is involved in both cryptojacking and exfiltration, data exfiltration does not include cryptocurrency mining activity, which is the key differentiator here.
Cryptojacking demonstrates how attackers can abuse legitimate infrastructure without triggering immediate alarms, emphasizing the importance of monitoring both network traffic and endpoint resource utilization.
Q33. A penetration tester identifies a web application that does not restrict the size or content of file uploads. The tester uploads a malicious script disguised as an image, which is then executed by the server. Which vulnerability is this?
A. Remote file inclusion (RFI)
B. Insecure deserialization
C. Unrestricted file upload
D. Cross-site scripting (XSS)
Answer: C. Unrestricted file upload
Explanation:
Remote file inclusion (RFI) occurs when an application allows an attacker to include remote files from external servers. While RFI can lead to remote code execution, it typically involves URL-based parameters rather than file uploads.
Insecure deserialization occurs when untrusted data is deserialized into objects without validation, leading to code execution or privilege escalation. This scenario involves file uploads, not object deserialization.
Unrestricted file upload is correct. This vulnerability allows attackers to upload files that the server does not validate or restrict. Malicious scripts disguised as legitimate file types (images, PDFs, etc.) can execute server-side if the application fails to sanitize or verify file content. Consequences include:
Remote code execution.
Malware propagation.
Defacement of web applications.
Data breaches.
Mitigation strategies include:
Validating file types and content using MIME type checks and file signature verification.
Restricting executable permissions on upload directories.
Implementing file size limits and virus scanning.
Renaming uploaded files and storing them outside the web root.
Cross-site scripting (XSS) affects client-side execution of scripts in the browser, not server-side execution through uploaded files.
Unrestricted file uploads remain one of the most dangerous web application vulnerabilities due to their potential to directly compromise the server environment.
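The first two mitigation items above (content verification and no execute permission) are shown together in this added example, which is not from the question bank: the server trusts the file's leading bytes rather than its name, then stores it under a random name with data-only permissions. Allowed types, size limit and paths are assumptions.

```python
"""Server-side upload validation for the Q33 scenario: accept a file only
when its content matches an allowed type, regardless of the name the client
gives it, then store it unexecutable under a random name outside the web
root. Added example; allowed types, size limit and paths are assumptions."""
import os
import pathlib
import secrets
import tempfile

# Allowed types, identified by their leading bytes (file signatures)
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
EXT_ALIASES = {"jpeg": "jpg"}
MAX_BYTES = 5 * 1024 * 1024

# Constructed samples: a minimal PNG header, and a shell script a client
# might submit under an image name
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SCRIPT_SAMPLE = b"#!/bin/sh\necho hello\n"


def detect_type(data):
    """Type according to the bytes, or None if it is not an allowed type."""
    for ext, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def validate_upload(filename, data, max_bytes=MAX_BYTES):
    """Return the verified type or raise ValueError explaining the rejection."""
    if len(data) == 0 or len(data) > max_bytes:
        raise ValueError("empty or oversized upload")
    claimed = pathlib.PurePosixPath(filename).suffix.lower().lstrip(".")
    claimed = EXT_ALIASES.get(claimed, claimed)
    actual = detect_type(data)
    if actual is None:
        raise ValueError("content is not an allowed file type")
    if claimed != actual:
        raise ValueError(f"name says {claimed or 'nothing'}, content is {actual}")
    return actual


def is_acceptable(filename, data):
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False


def store_upload(upload_dir, filename, data):
    """Write under a random server-chosen name; never reuse the client name."""
    ext = validate_upload(filename, data)
    name = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o600)  # readable by the app only, never executable
    return name


def demo_store():
    """Store the PNG sample in a temporary directory (standing in for a
    directory outside the web root) and report name shape and mode."""
    with tempfile.TemporaryDirectory() as upload_dir:
        name = store_upload(upload_dir, "holiday.png", PNG_SAMPLE)
        mode = os.stat(os.path.join(upload_dir, name)).st_mode & 0o777
        return name.endswith(".png"), len(name), mode


if __name__ == "__main__":
    print(is_acceptable("holiday.png", PNG_SAMPLE), is_acceptable("holiday.png", SCRIPT_SAMPLE))
    print(demo_store())
```

Signature checks stop a script from being stored as an image; they do not make the bytes safe to render, so image uploads should still be re-encoded or scanned before serving.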
Q34. An organization wants to ensure that all sensitive communications between users and internal servers are encrypted, even if data is intercepted on public networks. Which security control best achieves this goal?
A. VPN (Virtual Private Network)
B. TLS/SSL encryption
C. Firewall filtering
D. Network segmentation
Answer: B. TLS/SSL encryption
Explanation:
VPNs encrypt traffic between remote clients and the organization’s network. While effective for remote access, VPNs do not inherently secure all internal communications or connections between internal servers.
TLS/SSL encryption is correct. Transport Layer Security (TLS) and its predecessor SSL encrypt data transmitted over networks, including web applications, email, and other protocols. Encryption ensures confidentiality and integrity of data, preventing attackers from reading or modifying content, even if traffic is intercepted (e.g., on public Wi-Fi). TLS also provides authentication through certificates, verifying the identity of servers to clients.
Best practices include:
Using strong cipher suites and avoiding deprecated protocols (e.g., SSLv3, TLS 1.0).
Enforcing HTTPS across all web applications.
Using certificate management solutions to rotate and validate certificates regularly.
Implementing HSTS (HTTP Strict Transport Security) to prevent protocol downgrade attacks.
Firewall filtering controls traffic based on rules but does not encrypt communications. Firewalls can block unauthorized connections but cannot prevent data interception if traffic is unencrypted.
Network segmentation separates traffic into different logical or physical networks to improve security and performance. While it limits exposure in case of compromise, it does not encrypt data in transit.
TLS/SSL encryption is a cornerstone of secure communications, providing confidentiality, integrity, and authentication. It is fundamental for protecting sensitive communications, including web applications, APIs, and internal services.
Q35. During an incident response investigation, a security analyst finds that malware on a user’s workstation altered system files, disabled antivirus software, and created a hidden backdoor. Which type of malware behavior does this describe?
A. Ransomware
B. Rootkit
C. Spyware
D. Adware
Answer: B. Rootkit
Explanation:
Ransomware encrypts files and demands payment for decryption. While destructive, it typically does not hide its presence or disable antivirus silently.
Rootkit is correct. A rootkit is a type of malware designed to gain persistent, stealthy access to a system while concealing its presence. Characteristics include:
Altering system files and kernel modules.
Disabling security software such as antivirus and firewalls.
Installing backdoors to allow remote control by attackers.
Hiding processes, files, and network connections to evade detection.
Rootkits are particularly dangerous because they operate at a low level in the system (kernel or firmware), making detection difficult. They are often installed as a secondary payload by other malware, such as trojans or exploit kits, and can remain undetected for long periods, giving attackers sustained control over compromised systems.
Mitigation strategies include:
Using advanced malware detection tools capable of kernel-level monitoring.
Regular system integrity checks and baseline comparisons.
Reinstalling the operating system from trusted media if rootkits are suspected.
Implementing strict least privilege policies to prevent malware installation.
Spyware passively monitors user activity, such as keystrokes or browsing habits, but does not typically disable security software or manipulate system files.
Adware displays unwanted advertisements and may track user behavior but does not install hidden backdoors or manipulate antivirus software.
Rootkits exemplify highly persistent and evasive malware. Detecting and mitigating them requires robust endpoint protection, continuous monitoring, and sometimes complete system remediation.
Q36. A security team observes unusual spikes in network traffic originating from multiple internal hosts, all targeting external websites simultaneously. Analysis shows that these hosts are participating in coordinated activity without user knowledge. Which type of threat is most likely occurring?
A. Botnet activity
B. Advanced persistent threat (APT)
C. Denial-of-service (DoS) attack
D. Phishing campaign
Answer: A. Botnet activity
Explanation:
Botnet activity is correct. A botnet is a network of compromised devices controlled by an attacker, often referred to as a botmaster. These devices, called “bots” or “zombies,” are typically infected with malware and can be coordinated to perform malicious activities such as sending spam, launching distributed denial-of-service (DDoS) attacks, cryptocurrency mining, or exfiltrating sensitive information. In this scenario, the simultaneous, coordinated communication from multiple internal hosts to external sites suggests that the devices are acting under centralized control without the users’ awareness.
Botnets can be composed of desktops, servers, IoT devices, or cloud instances. Indicators of compromise include:
Unexpected outbound traffic to unusual IP addresses.
High CPU or network utilization without legitimate activity.
Unknown processes or scheduled tasks running silently.
Mitigation includes deploying intrusion detection and prevention systems (IDS/IPS), endpoint protection with behavioral analysis, network segmentation, and strict outbound traffic monitoring. Organizations can also implement threat intelligence feeds to identify known command-and-control (C2) servers.
Advanced persistent threats (APTs) are sophisticated, targeted campaigns often conducted by nation-state actors. While APTs may use botnets as part of their operation, the key difference is that APTs focus on long-term infiltration and data exfiltration rather than coordinated automated activity visible in network traffic spikes.
Denial-of-service (DoS) attacks are intended to overwhelm a target system’s resources to cause disruption. While botnet traffic could generate a DoS attack, in this scenario, multiple internal hosts participating in covert communication indicate that the devices themselves are compromised, not just performing a DoS externally.
Phishing campaigns attempt to trick users into revealing credentials or installing malware. While phishing can lead to botnet infections, the observed network behavior alone does not directly indicate phishing; it represents post-compromise bot activity.
Botnet infections pose severe risks because attackers can control internal systems covertly, enabling data theft, lateral movement, and persistent access. Continuous monitoring and automated threat detection are crucial to identify and remediate botnet activity.
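As an added illustration of the detection side described above (this is example code written for this page, not something from the exam or any product), the following Python turns the two indicators into checks that run over constructed flow records: a burst in which several internal hosts contact the same external address within a short window, and a cross-check of destinations against a threat-intelligence list. The internal ranges, the sample flows, the window size and the single "known C2" entry (a TEST-NET address) are all assumptions made for the example.

```python
"""Added example (not from the exam page): flag coordinated outbound bursts from
many internal hosts to one external destination, and cross-check destinations
against a constructed threat-intelligence list of known C2 addresses."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address space for this example.
INTERNAL_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: "<ISO timestamp> <src> <dst> <bytes>".
# Four hosts hit the same external address within three seconds; the rest is background noise.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 10.0.1.5 203.0.113.10 48000
2024-05-01T10:00:02 10.0.1.9 203.0.113.10 51000
2024-05-01T10:00:02 10.0.2.14 203.0.113.10 47500
2024-05-01T10:00:03 10.0.3.21 203.0.113.10 49900
2024-05-01T10:00:04 10.0.1.5 198.51.100.7 1200
2024-05-01T10:05:00 10.0.4.2 203.0.113.10 500
2024-05-01T10:07:30 10.0.1.9 192.0.2.44 900
"""

# Constructed threat-intelligence feed entry (documentation-range address, not a real C2 server).
KNOWN_C2 = {"203.0.113.10"}


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def find_coordinated_bursts(flows, window=timedelta(seconds=30), min_hosts=3):
    """Return one alert per external destination that at least min_hosts distinct
    internal hosts contacted within any single window of the given length."""
    by_dst = defaultdict(list)
    for ts, src, dst, _ in flows:
        if is_internal(src) and not is_internal(dst):
            by_dst[dst].append((ts, src))

    alerts = []
    for dst, events in by_dst.items():
        events.sort()
        best_hosts, best_start = set(), None
        # Slide a window starting at each event and keep the densest one.
        for i, (start, _) in enumerate(events):
            hosts = {src for ts, src in events[i:] if ts - start <= window}
            if len(hosts) > len(best_hosts):
                best_hosts, best_start = hosts, start
        if len(best_hosts) >= min_hosts:
            alerts.append({"dst": dst, "hosts": sorted(best_hosts), "window_start": best_start})
    return alerts


def hosts_contacting_known_c2(flows, feed=KNOWN_C2):
    """Internal hosts that talked to any address in the threat-intelligence feed."""
    return sorted({src for _, src, dst, _ in flows if dst in feed and is_internal(src)})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for alert in find_coordinated_bursts(flows):
        print("coordinated burst:", alert)
    print("hosts contacting feed entries:", hosts_contacting_known_c2(flows))
```

The burst check is deliberately independent of the feed: a new C2 server has no feed entry yet, but many hosts beaconing to it in lockstep is still visible. Tune the window and host threshold to the environment; an update server legitimately contacted by every host at the same time will trigger this rule unless it is allow-listed.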
Q37. A penetration tester identifies a web application that exposes sensitive data through poorly secured API endpoints. By manipulating requests, the tester can access data belonging to other users. Which type of vulnerability is being exploited?
A. Insecure direct object references (IDOR)
B. Cross-site request forgery (CSRF)
C. Cross-site scripting (XSS)
D. SQL injection
Answer: A. Insecure direct object references (IDOR)
Explanation:
Insecure direct object references (IDOR) is correct. IDOR occurs when an application exposes internal objects (files, database entries, records) through identifiers such as sequential numbers, IDs, or filenames without proper access control checks. Attackers can manipulate these references in requests to gain unauthorized access to data or resources. For example, changing a URL parameter might allow access to another user’s sensitive information if the application does not verify ownership.
Mitigation strategies include:
Implementing proper authorization checks on the server side.
Using opaque or randomized identifiers instead of sequential IDs.
Logging and monitoring abnormal access attempts.
Cross-site request forgery (CSRF) tricks a user into performing unintended actions on a web application to which they are already authenticated. CSRF attacks do not typically expose other users’ data through identifier manipulation.
Cross-site scripting (XSS) allows attackers to inject malicious scripts into web pages viewed by other users. XSS primarily affects client-side behavior and user sessions, not direct access to server-side data objects.
SQL injection allows manipulation of database queries to retrieve or modify data. While SQL injection can also expose sensitive data, the scenario describes manipulating valid object references rather than injecting malicious queries.
IDOR vulnerabilities are particularly dangerous in multi-tenant applications and APIs. Organizations must enforce strict server-side authorization checks and avoid exposing predictable resource identifiers.
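The following Python shows the defect and the three mitigations side by side; it is an added example for this page, not code from the exam or from any real application. The record store, the session object and the handle table are hypothetical stand-ins for a database and a web framework's session.

```python
"""Added example (not from the exam page): a record lookup that trusts a
client-supplied id, beside a version that enforces ownership on the server,
hands out opaque handles instead of sequential ids, and records denials."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Hypothetical authenticated session: who the caller is."""
    user_id: int


# Constructed sample store: record_id -> (owner_user_id, contents).
RECORDS = {
    101: (1, "alice bank statement"),
    102: (2, "bob tax return"),
}

# Opaque handle -> record_id, populated by issue_handle().
HANDLES = {}

# (user_id, requested reference) for every refused lookup; feed this to monitoring.
DENIALS = []


class AccessDenied(Exception):
    """Raised for both missing and not-owned records so the response does not
    reveal which of the two applied."""


def get_record_vulnerable(session, record_id):
    # IDOR: the caller is authenticated, but nothing checks that the record is theirs.
    return RECORDS[record_id][1]


def get_record_fixed(session, record_id):
    # Authorization is decided here, on the server, against the record's owner.
    owner, body = RECORDS.get(record_id, (None, None))
    if owner != session.user_id:
        DENIALS.append((session.user_id, record_id))
        raise AccessDenied(f"record {record_id}")
    return body


def issue_handle(record_id):
    # Random, non-sequential reference: cannot be guessed by incrementing.
    handle = secrets.token_urlsafe(24)
    HANDLES[handle] = record_id
    return handle


def get_record_by_handle(session, handle):
    # The opaque handle hides the internal id; the ownership check still runs.
    record_id = HANDLES.get(handle)
    if record_id is None:
        DENIALS.append((session.user_id, handle))
        raise AccessDenied("unknown handle")
    return get_record_fixed(session, record_id)
```

The opaque handle is a defence in depth, not a replacement for the ownership check: a leaked or shared handle would otherwise be enough to read the record, which is why `get_record_by_handle` still routes through `get_record_fixed`. The `DENIALS` list stands in for the logging the explanation calls for; a burst of denials from one session is the pattern to alert on.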
Q38. During an internal audit, a company finds that employees frequently store sensitive corporate files on personal cloud accounts and USB drives. Which security policy or control would best address this issue?
A. Data loss prevention (DLP)
B. Role-based access control (RBAC)
C. Network segmentation
D. Firewall filtering
Answer: A. Data loss prevention (DLP)
Explanation:
Data loss prevention (DLP) is correct. DLP solutions monitor and control data movement across endpoints, networks, and cloud services. They can detect sensitive information based on content inspection, contextual analysis, and user activity. DLP policies can block or alert when sensitive files are copied to unauthorized cloud services or removable media. Features often include:
Endpoint DLP to prevent copying to USB drives.
Network DLP to monitor and restrict email or web uploads.
Cloud DLP to enforce secure storage policies.
By implementing DLP, organizations reduce the risk of accidental or intentional data leakage, enforce compliance with regulations (e.g., GDPR, HIPAA, PCI DSS), and maintain visibility over sensitive information.
Role-based access control (RBAC) manages who can access certain resources based on job roles but does not prevent improper copying or uploading of files.
Network segmentation isolates network traffic but does not prevent unauthorized file transfers or cloud storage.
Firewall filtering controls network traffic based on rules but cannot inspect file content or enforce corporate storage policies.
DLP is essential for protecting intellectual property and sensitive customer or financial data, especially in organizations with remote work or BYOD policies.
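To make the "content inspection" part of the explanation concrete, here is an added Python example (written for this page, not taken from the exam or from any DLP product) of the check an endpoint agent performs before a file leaves the device: find payment-card numbers by pattern plus Luhn checksum, mask them for the log, and decide allow, alert or block from the destination. The destination names, the policy table and the sample text (which uses a widely published test card number) are all constructed for the example.

```python
"""Added example (not from the exam page): content inspection of the kind an
endpoint DLP agent runs before allowing a file copy or upload."""
import re

# Candidate primary account numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Hypothetical policy: where sensitive content may never go.
UNAUTHORIZED_DESTINATIONS = {"usb", "personal_cloud"}


def luhn_valid(digits):
    """Luhn checksum, which filters out most random digit runs (order numbers, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits so the finding is useful but not a leak itself."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return masked card numbers found in text; non-Luhn digit runs are ignored."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(mask(digits))
    return found


def evaluate_transfer(text, destination):
    """Policy decision for moving `text` to `destination`: allow, alert or block."""
    findings = find_pans(text)
    if not findings:
        return "allow", findings
    if destination in UNAUTHORIZED_DESTINATIONS:
        return "block", findings
    return "alert", findings


if __name__ == "__main__":
    # Constructed sample: one valid test card number and one 16-digit run that fails Luhn.
    sample = "Invoice for card 4111 1111 1111 1111, ref 1234567812345678"
    print(evaluate_transfer(sample, "usb"))
    print(evaluate_transfer(sample, "corporate_share"))
```

A real agent layers more detectors (national ID formats, document fingerprints, classification labels) and reads the destination from the OS rather than a string, but the shape is the same: detect, mask, then apply a destination-aware policy so that a legitimate internal copy is only logged while a copy to removable media or a personal cloud account is stopped.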
Q39. A company wants to protect sensitive financial records by ensuring that even if a hacker gains access to the storage environment, the data cannot be read without proper authorization. Which security technique achieves this?
A. Encryption
B. Backup
C. Network segmentation
D. Antivirus scanning
Answer: A. Encryption
Explanation:
Encryption is correct. Encryption transforms data into a format that is unreadable without the appropriate decryption key. For sensitive financial records, encryption ensures that even if an attacker bypasses network defenses or gains access to storage systems, the information remains confidential. Common encryption approaches include:
At-rest encryption for databases and file storage.
In-transit encryption using TLS/SSL to protect data during transmission.
Key management systems (KMS) to securely generate, rotate, and store cryptographic keys.
Proper encryption prevents unauthorized disclosure, mitigates insider threats, and supports regulatory compliance. Full-disk encryption, database encryption, and envelope encryption are common methods.
Backup provides data availability and recovery but does not inherently prevent unauthorized access to sensitive content.
Network segmentation limits access and reduces attack surface but does not protect data at rest if storage is compromised.
Antivirus scanning detects and removes malware but does not prevent unauthorized reading of files.
Encryption remains the cornerstone of data confidentiality, ensuring that sensitive records are protected even in the event of physical theft, compromise, or insider abuse.
Q40. A security analyst identifies that a web server has been compromised, and attackers have modified system files, installed a hidden backdoor, and can maintain access even after reboots. Which type of malware is most likely responsible?
A. Trojan
B. Rootkit
C. Worm
D. Adware
Answer: B. Rootkit
Explanation:
A Trojan is malicious software disguised as legitimate software to trick users into executing it. Trojans can deliver payloads like rootkits, ransomware, or spyware, but the persistent, hidden modification of system files indicates more than just a Trojan infection.
Rootkit is correct. Rootkits are designed to hide the presence of malware while granting attackers persistent control over a system. Key characteristics include:
Kernel or firmware-level modifications.
Concealed processes, files, or network activity.
Ability to survive system reboots.
Disabling antivirus and other security tools.
Rootkits are highly dangerous due to their stealthy nature, often remaining undetected for long periods while attackers conduct reconnaissance, steal credentials, or establish additional backdoors. They can manipulate system calls to hide files, processes, and network connections from standard monitoring tools. Detection often requires specialized integrity-checking software, offline analysis, or complete system restoration. Preventive measures include strict access controls, routine patch management, endpoint security with rootkit detection capabilities, and ensuring that only trusted software is installed. Regular monitoring of system integrity and unusual behavior can help identify rootkit activity before significant damage occurs.
Worms propagate automatically across networks without user interaction but do not inherently hide their presence or modify system files for stealth.
Adware displays unwanted advertising and may track user activity but does not provide persistent, concealed access to a system.
Rootkits represent some of the most insidious forms of malware, allowing attackers to maintain undetected control over compromised systems. Their ability to evade detection and maintain persistence makes them a critical concern for both servers and endpoints, especially in high-value environments like financial institutions, healthcare systems, and critical infrastructure. Proactive defense, including monitoring, timely patching, and minimizing administrative privileges, is essential to reduce the risk of rootkit infection and limit potential damage.