CompTIA SY0-701 Security+ Exam Dumps and Practice Test Questions Set4 Q61-80
Q61. A network security engineer notices that an internal server is sending sensitive files to an external IP address at unusual hours. After investigation, it is found that malware on the server is exfiltrating data using encrypted channels. What type of attack is being observed?
A. Data breach
B. Command injection
C. Man-in-the-middle attack
D. Denial-of-service attack
Answer: A. Data breach
Explanation:
Data breach is correct. A data breach occurs when confidential or sensitive information is accessed, stolen, or transmitted without authorization. In this scenario, the malware is exfiltrating files from the internal network to an external server using encrypted channels. Key characteristics of a data breach include:
Command injection involves an attacker executing arbitrary commands on a vulnerable server, often through unsanitized input. While command injection could be part of the malware’s initial compromise vector, the ongoing exfiltration of files points specifically to a data breach rather than active command execution.
Man-in-the-middle attack is a scenario where an attacker intercepts or modifies communication between two parties. Although MITM can be used to capture sensitive data in transit, the malware here actively initiates outbound transfers, which differs from interception.
Denial-of-service attack aims to overwhelm system resources to render services unavailable. Data exfiltration does not impact availability directly and is therefore not a DoS attack.
Data breaches pose severe operational, financial, and reputational risks. Organizations must prioritize early detection, encryption of sensitive data at rest and in transit, and comprehensive monitoring of all endpoints and network traffic. Integrating behavioral analytics and threat intelligence can help identify stealthy exfiltration attempts before significant damage occurs.
Q62. A security auditor finds that an organization does not maintain an up-to-date inventory of all IT assets, making it difficult to apply security patches, enforce access control, or monitor for vulnerabilities. Which security weakness does this indicate?
A. Poor asset management
B. Weak access control
C. Inadequate network segmentation
D. Lack of encryption
Answer: A. Poor asset management
Explanation:
Poor asset management is correct. Asset management refers to the process of identifying, tracking, and maintaining all IT resources, including hardware, software, virtual machines, and cloud instances. Inadequate asset management introduces several risks:
Weak access control refers to insufficiently enforced permissions or poor authentication practices. While weak access control could exacerbate security gaps, the primary problem in this scenario is the absence of a complete asset inventory.
Inadequate network segmentation allows untrusted or less secure devices to access critical systems. Although segmentation is essential, it is ineffective if the organization does not know which assets exist.
Lack of encryption pertains to protecting sensitive data at rest or in transit. While important, encryption does not address the core issue of untracked IT assets.
Organizations with robust asset management can more effectively enforce security policies, remediate vulnerabilities, and respond to incidents. Without it, security controls become reactive rather than proactive, leaving the environment exposed to preventable attacks.
Q63. A penetration tester discovers that a web application uses user-supplied input to generate SQL queries without proper sanitization. An attacker could exploit this to retrieve sensitive database records or modify data. Which type of vulnerability is present?
A. Cross-site scripting (XSS)
B. SQL injection
C. Command injection
D. Broken authentication
Answer: B. SQL injection
Explanation:
Cross-site scripting (XSS) allows attackers to inject client-side scripts into web pages viewed by other users, primarily targeting web browsers rather than databases. XSS does not directly allow attackers to manipulate backend SQL queries.
SQL injection is correct. SQL injection occurs when unvalidated user input is embedded directly into SQL statements, allowing attackers to manipulate queries. Key characteristics include:
Retrieval of sensitive data, such as passwords, financial records, or personal information.
Modification or deletion of database records.
Execution of administrative functions in the database, depending on privileges.
Potential pivoting into other parts of the network if database credentials are compromised.
Mitigation strategies include:
Parameterized queries (prepared statements): Prevent dynamic injection of malicious input.
Input validation: Enforce strict data types, lengths, and allowed characters for all user-supplied input.
Least privilege for database accounts: Limit the scope of permissions to reduce potential damage from successful injection attacks.
Web application firewalls (WAFs): Detect and block suspicious query patterns in real time.
Command injection involves executing arbitrary OS commands on the server through unsanitized input. While conceptually similar, command injection targets the underlying operating system rather than SQL databases.
Broken authentication relates to weaknesses in login mechanisms or session management. Although broken authentication can exacerbate SQL injection risks, it does not describe the direct vulnerability identified here.
SQL injection remains one of the most critical web application vulnerabilities due to its potential impact, ease of exploitation, and prevalence. Organizations should prioritize secure coding practices, regular code reviews, and security testing to prevent SQL injection attacks.
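The contrast between the flawed query construction and the parameterized fix, as an added example that is not part of the question set: an in-memory SQLite table with constructed sample rows, a lookup that splices the input into the SQL text, the same lookup with a bound parameter, and the allow-list validation layer from the mitigation list.

```python
import re
import sqlite3

# Constructed sample data (not from the question set): an in-memory users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: the value is spliced into the SQL text, so a quote in the
    # input closes the literal and the remainder is parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Hardened: the statement is compiled with a placeholder and the value is
    # bound separately, so it is only ever compared as data.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def valid_username(username: str) -> bool:
    # Second layer from the mitigation list: allow-list validation of type,
    # length and characters before the value reaches the query at all.
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    tamper = "x' OR '1'='1"  # constructed tamper input for the demonstration
    print("vulnerable   :", len(lookup_vulnerable(db, tamper)), "rows")    # 3
    print("parameterized:", len(lookup_parameterized(db, tamper)), "rows")  # 0
    print("validated    :", valid_username(tamper))                         # False
```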
Q64. A security operations center (SOC) analyst observes a significant spike in failed login attempts across multiple accounts originating from foreign IP addresses. The attempts use common passwords like “Password123” or “Welcome1.” Which attack is most likely occurring?
A. Brute-force attack
B. Credential stuffing
C. Password spraying
D. Phishing
Answer: C. Password spraying
Explanation:
Brute-force attack involves trying all possible password combinations against a single account. While comprehensive, brute-force attacks are slow and often trigger account lockouts, unlike the low-and-slow pattern of password spraying.
Credential stuffing exploits previously leaked credentials from data breaches and attempts to reuse them on other accounts. Credential stuffing relies on knowledge of existing valid credentials rather than commonly used passwords.
Password spraying is correct. Password spraying attacks try a small number of commonly used passwords across a large number of accounts. Characteristics of password spraying include:
Attempts distributed over multiple accounts to evade account lockout mechanisms.
Focus on weak, predictable, or default passwords.
Often automated using scripts or attack frameworks.
Mitigation strategies for password spraying include:
Enforcing strong, unique passwords: Ensure all accounts comply with complexity requirements.
Multi-factor authentication (MFA): Even if a password is guessed, access is denied without the secondary factor.
Monitoring login failures: Detect patterns indicative of distributed attempts across multiple accounts.
Account lockout policies: Carefully designed to prevent abuse without creating denial-of-service risks.
Phishing relies on tricking users into voluntarily disclosing credentials, which is different from automated attempts using a common password list.
Password spraying remains a favored method for attackers targeting enterprise environments because it is stealthy and effective against weak password policies. Organizations can significantly reduce risk by implementing MFA, user education, and proactive monitoring.
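The "monitoring login failures" mitigation above, as an added example that is not from the question set: a detector run over constructed authentication log lines (TEST-NET addresses, assumed log format) that separates the spraying signature, many accounts with one or two failures each from one source, from a brute-force pattern of many failures against a single account.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Format assumed for the demonstration.
SAMPLE_LOG = """
2024-05-01T02:00:05Z auth fail user=alice src=203.0.113.7
2024-05-01T02:00:41Z auth fail user=bob src=203.0.113.7
2024-05-01T02:01:17Z auth fail user=carol src=203.0.113.7
2024-05-01T02:01:52Z auth fail user=dave src=203.0.113.7
2024-05-01T02:02:30Z auth fail user=erin src=203.0.113.7
2024-05-01T02:03:08Z auth fail user=frank src=203.0.113.7
2024-05-01T02:10:00Z auth fail user=admin src=198.51.100.9
2024-05-01T02:10:05Z auth fail user=admin src=198.51.100.9
2024-05-01T02:10:10Z auth fail user=admin src=198.51.100.9
2024-05-01T02:10:15Z auth fail user=admin src=198.51.100.9
2024-05-01T02:10:20Z auth fail user=admin src=198.51.100.9
2024-05-01T02:10:25Z auth fail user=admin src=198.51.100.9
2024-05-01T02:10:30Z auth fail user=admin src=198.51.100.9
2024-05-01T02:10:35Z auth fail user=admin src=198.51.100.9
2024-05-01T08:15:22Z auth fail user=alice src=192.0.2.5
2024-05-01T08:15:40Z auth ok user=alice src=192.0.2.5
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>fail|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["result"], m["user"], m["src"]


def classify_sources(lines, window_minutes=10, min_accounts=5,
                     per_account_max=2, brute_min=8):
    """Return {src: label}; label is 'password_spraying', 'brute_force' or 'normal'.

    Spraying: within one window a source fails against at least min_accounts
    distinct accounts while staying at or below per_account_max tries each,
    i.e. under a typical lockout threshold. Brute force: one account, many tries.
    """
    failures = defaultdict(list)
    for ts, result, user, src in parse(lines):
        if result == "fail":
            failures[src].append((ts, user))
    window = timedelta(minutes=window_minutes)
    verdicts = {}
    for src, events in failures.items():
        events.sort()
        label, start = "normal", 0
        for end in range(len(events)):            # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in events[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= per_account_max:
                label = "password_spraying"
                break
            if len(per_user) == 1 and sum(per_user.values()) >= brute_min:
                label = "brute_force"
                break
        verdicts[src] = label
    return verdicts


if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:15} {label}")
```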
Q65. A company implements strict access control so that users can only perform operations required for their specific role. For example, HR staff can view employee data but cannot modify system configurations, while IT staff can manage servers but cannot access payroll information. Which security principle is being enforced?
A. Least privilege
B. Role rotation
C. Separation of duties
D. Mandatory vacation
Answer: A. Least privilege
Explanation:
Least privilege is correct. The principle of least privilege ensures that users have only the minimum permissions required to perform their job functions. Implementing least privilege reduces risk by:
Limiting the attack surface if an account is compromised.
Preventing accidental or malicious misuse of resources.
Supporting regulatory compliance by ensuring sensitive operations are restricted to authorized personnel.
Role rotation involves periodically changing employee responsibilities to prevent collusion or fraud. While beneficial, it does not enforce minimal access rights.
Separation of duties divides responsibilities among multiple employees to prevent single points of failure or fraud. While complementary, the scenario specifically enforces access restrictions based on necessity rather than distributing tasks.
Mandatory vacation requires employees to take time off to detect anomalies in processes or prevent continuous fraudulent activity. This principle is unrelated to access permissions.
Best practices for implementing least privilege include:
Role-based access control (RBAC): Assign permissions based on job roles.
Regular access reviews: Audit accounts periodically to remove unnecessary privileges.
Temporary elevation mechanisms: Provide elevated access only when required and for a limited duration.
Automation: Use identity and access management (IAM) solutions to enforce policies consistently.
Enforcing least privilege is critical in modern security frameworks, including zero-trust architectures, and minimizes potential damage in case of insider threats or account compromise.
Q66. During a security assessment, a penetration tester discovers that a web application accepts file uploads from users without validating the file type or scanning for malicious content. Attackers could upload scripts that execute on the server, potentially compromising sensitive data and taking control of the application. What type of vulnerability does this represent?
A. Cross-site scripting (XSS)
B. File inclusion
C. Unrestricted file upload
D. SQL injection
Answer: C. Unrestricted file upload
Explanation:
Cross-site scripting (XSS) involves injecting client-side scripts into web pages that other users view. XSS affects the client browser and does not typically provide direct server control or data exfiltration capabilities. While dangerous, it does not match the scenario of arbitrary file execution on the server.
File inclusion vulnerabilities, such as local file inclusion (LFI) or remote file inclusion (RFI), allow attackers to include files into a web application’s execution context. While inclusion can lead to code execution, the vulnerability in this scenario stems from unvalidated file uploads rather than file inclusion mechanisms.
Unrestricted file upload is correct. This vulnerability occurs when web applications allow users to upload files without proper validation of file types, extensions, size limits, or content scanning. Key risks and consequences include:
Execution of malicious scripts, leading to server compromise.
Upload of web shells that provide persistent remote access to attackers.
Storage of malware or ransomware within the server environment.
Potential lateral movement if the server has network privileges.
Mitigation strategies include:
File type validation: Restrict uploads to specific MIME types and enforce extension checks.
Antivirus scanning: Integrate malware detection for uploaded content.
Storage in isolated directories: Prevent direct execution of uploaded files and ensure web server processes cannot execute files in upload directories.
Content sanitization: Remove any embedded scripts or executable content.
Access control: Ensure uploaded files have restricted permissions and cannot overwrite system files.
SQL injection occurs when unvalidated input is used to construct SQL queries, allowing attackers to manipulate databases. While SQL injection is critical, it does not describe a scenario involving file uploads and server-side execution.
Unrestricted file upload is one of the most overlooked but severe vulnerabilities in web applications. Organizations should prioritize secure development practices, enforce strict upload policies, and continuously test web applications for unsafe file handling mechanisms.
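The upload checks listed above (extension allow-list, content check, size limit, server-chosen name in a directory outside the web root), as an added example that is not part of the question set; `UPLOAD_DIR` and the sample file bodies are assumptions for the demonstration.

```python
import os
import secrets

# Allow-listed extensions and the leading bytes a file of that type must carry.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024
UPLOAD_DIR = "/var/app/uploads"  # assumed: outside the web root, no execute rights


def check_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason) for a client-supplied file name and body."""
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return False, "path separators or NUL in file name"
    if filename.startswith("."):
        return False, "hidden file name"
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in MAGIC:
        return False, f"extension {ext or '(none)'} not in allow-list"
    if "." in stem:
        return False, "multiple extensions"        # e.g. shell.php.png
    if len(data) > MAX_BYTES:
        return False, "exceeds size limit"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    return True, "ok"


def stored_path(filename: str) -> str:
    """Server-chosen random name: the client's name never reaches the disk."""
    ext = os.path.splitext(filename)[1].lower()
    return os.path.join(UPLOAD_DIR, secrets.token_hex(16) + ext)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16        # constructed minimal header
    script = b"<?php echo 'x'; ?>"                   # constructed script body
    for name, body in [("avatar.png", png), ("shell.php", script),
                       ("shell.php.png", png), ("fake.png", script)]:
        print(f"{name:15} -> {check_upload(name, body)}")
```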
Q67. A cybersecurity team notices that an employee’s account has accessed several sensitive databases at unusual hours and downloaded large volumes of data, which seems inconsistent with normal job responsibilities. Which security threat is most likely occurring?
A. Insider threat
B. Phishing
C. Brute-force attack
D. Cross-site scripting
Answer: A. Insider threat
Explanation:
Insider threat is correct. Insider threats originate from within an organization, usually from employees, contractors, or partners who have legitimate access to systems. The scenario involves behavior inconsistent with normal duties, including:
Accessing data outside the scope of the employee’s role.
Downloading unusually large amounts of information.
Activity during abnormal hours.
Insider threats can be categorized as:
Malicious insiders: Intentionally exfiltrate data for personal gain, sabotage, or corporate espionage.
Negligent insiders: Cause unintentional harm through policy violations, such as sharing credentials or mishandling data.
Compromised insiders: Accounts hijacked by external attackers who use legitimate access to perform malicious activities.
Mitigation strategies for insider threats include:
Behavioral analytics: Implement User and Entity Behavior Analytics (UEBA) to detect anomalous patterns.
Role-based access control (RBAC): Limit access strictly based on job responsibilities.
Data loss prevention (DLP): Monitor and restrict sensitive data exfiltration.
Regular audits: Conduct periodic reviews of user activity logs.
Employee training and awareness: Educate employees on security policies, insider risks, and proper handling of sensitive data.
Phishing is an external attack technique where users are tricked into revealing credentials. While phishing could lead to an account compromise, the scenario involves legitimate credentials performing unusual internal activity rather than credential theft.
Brute-force attack attempts to guess passwords to gain unauthorized access, but it does not describe abnormal behavior of a legitimate account.
Cross-site scripting (XSS) is an attack targeting client-side execution of scripts and does not involve unauthorized data access on a server.
Insider threats are particularly challenging because they involve trusted users who already have access privileges. Combining technical controls, auditing, behavioral analytics, and strong access policies is essential to detect and mitigate such risks proactively.
Q68. During a security review, an administrator identifies that several systems are connected directly to the internet with default passwords and outdated software versions. Which control weakness is primarily being exploited if an attacker compromises these systems?
A. Lack of network segmentation
B. Poor patch and configuration management
C. Weak encryption
D. Insufficient logging
Answer: B. Poor patch and configuration management
Explanation:
Lack of network segmentation allows attackers to move laterally once they gain access but does not directly relate to exploiting default credentials or outdated software.
Poor patch and configuration management is correct. This weakness encompasses the failure to maintain system updates, misconfigured settings, and use of default credentials. Key aspects include:
Unpatched software: Systems running outdated operating systems, applications, or firmware are vulnerable to known exploits.
Default or weak credentials: Attackers can gain unauthorized access easily if defaults are not changed.
Misconfiguration: Open services, unnecessary ports, or incorrect permissions increase attack surface.
Consequences include:
Rapid compromise of exposed systems using automated attack tools.
Propagation of malware, ransomware, or unauthorized access.
Regulatory non-compliance due to failure to enforce baseline security configurations.
Mitigation strategies:
Patch management program: Regularly update operating systems, applications, and firmware.
Configuration baselines: Define secure configurations for systems and enforce them across the environment.
Change default credentials: Implement unique, strong passwords for all devices and accounts.
Continuous monitoring: Use vulnerability scanners to detect outdated software or misconfigurations.
Weak encryption pertains to data protection but does not enable attackers to compromise systems directly via default credentials or unpatched software.
Insufficient logging hinders detection and forensics but is not the direct weakness exploited during system compromise.
Effective patch and configuration management is a foundational element of cybersecurity hygiene. Attackers routinely exploit these weaknesses in automated campaigns, such as botnets scanning for vulnerable IoT devices or outdated servers. Proactive management reduces exposure and ensures timely remediation of high-risk systems.
Q69. A penetration tester discovers that a network device allows all IP addresses from the internal network to access administrative interfaces without authentication or filtering. Which type of vulnerability is present?
A. Insecure network services
B. Weak passwords
C. Unencrypted communication
D. Insufficient access control
Answer: D. Insufficient access control
Explanation:
Insecure network services refers to services exposed to the network that may be vulnerable to attacks, such as outdated protocols. While related, the vulnerability here is more specific to permissions rather than the service itself.
Weak passwords indicate an authentication weakness, but in this scenario no authentication is enforced at all, so password strength is irrelevant.
Unencrypted communication refers to transmitting data without encryption, which can lead to eavesdropping. The primary issue in this scenario is not confidentiality but unauthorized access.
Insufficient access control is correct. Access control mechanisms restrict who can interact with resources. Key indicators in this scenario:
Administrative interfaces accessible without authentication: Attackers can gain control with no credentials.
Unrestricted network access: Any device within the internal network can exploit the interface.
Potential for privilege abuse: Attackers could modify configurations, escalate access, or disrupt network operations.
Mitigation strategies include:
Network segmentation: Limit access to administrative interfaces to management VLANs or specific IP addresses.
Authentication and authorization: Enforce strong authentication methods, such as multifactor authentication, for all administrative access.
Logging and monitoring: Track administrative access attempts and alert on anomalies.
Least privilege: Restrict administrative rights only to necessary personnel.
Insufficient access control is a critical vulnerability because it allows attackers to gain privileged access with minimal effort. Organizations should implement strict authentication, network controls, and audit trails to safeguard critical infrastructure.
Q70. A cloud security team implements a policy where sensitive data is encrypted using keys managed entirely by the organization, while the cloud provider cannot access the keys. Users can still perform authorized operations on the data through applications. Which security model does this describe?
A. Provider-managed encryption
B. Customer-managed encryption with provider key storage
C. Customer-managed encryption with customer key storage
D. Hybrid encryption
Answer: C. Customer-managed encryption with customer key storage
Explanation:
Provider-managed encryption relies on the cloud provider to generate, store, and manage encryption keys. While convenient, the provider could theoretically access or decrypt sensitive data, which does not meet the scenario requirements.
Customer-managed encryption with provider key storage allows the organization to manage policies but stores keys within the provider’s infrastructure. The provider may still have access to keys and could decrypt data if compromised.
Customer-managed encryption with customer key storage is correct. In this model:
The organization retains full control over encryption key generation, storage, and rotation.
Keys are stored independently of the cloud provider’s systems, ensuring the provider cannot decrypt data.
Users can perform authorized operations through controlled applications without exposing keys.
This model is highly suitable for compliance-driven industries, such as finance, healthcare, or government, where confidentiality must be guaranteed regardless of cloud provider control.
Mitigation and implementation considerations include:
Key lifecycle management: Generate, rotate, revoke, and securely store keys.
Access control: Ensure only authorized personnel or applications can access keys.
Backup and recovery: Protect against data loss due to key mismanagement.
Audit and compliance: Maintain detailed logs of key access and usage.
Hybrid encryption typically combines symmetric and asymmetric encryption for efficiency and key distribution but does not describe exclusive customer control over keys.
Customer-managed encryption with customer key storage provides maximum assurance of data confidentiality in the cloud. Organizations adopting this model can confidently meet regulatory obligations, protect sensitive information, and maintain operational autonomy over encryption keys.
Q71. During a security assessment, a penetration tester identifies that an internal web application fails to properly encode output before displaying user-supplied data. An attacker can inject scripts that execute in other users’ browsers when they view the affected pages. What type of vulnerability is this?
A. SQL injection
B. Cross-site scripting (XSS)
C. Command injection
D. LDAP injection
Answer: B. Cross-site scripting (XSS)
Explanation:
SQL injection involves injecting malicious input into SQL queries to manipulate backend databases. SQL injection allows attackers to retrieve, modify, or delete database content but does not execute scripts in other users’ browsers, which is the key distinction in this scenario.
Cross-site scripting (XSS) is correct. XSS occurs when applications include untrusted input in web pages without proper encoding or validation. The main characteristics and consequences of XSS include:
Command injection allows attackers to execute operating system commands through vulnerable server-side code. While potentially devastating, it does not target client browsers directly, unlike XSS.
LDAP injection involves manipulating Lightweight Directory Access Protocol queries to bypass authentication or extract directory data. LDAP injection affects backend directory services rather than client-side execution.
XSS vulnerabilities are extremely common and pose significant risks to web applications. Modern frameworks and secure coding practices emphasize context-aware output encoding and rigorous input validation to prevent such attacks.
Q72. A network administrator observes that multiple endpoints are communicating with an unknown external server, sending unusually large amounts of data. Malware analysis later confirms that sensitive corporate files were exfiltrated. Which type of attack does this scenario describe?
A. Denial-of-service attack
B. Data exfiltration
C. Man-in-the-middle attack
D. SQL injection
Answer: B. Data exfiltration
Explanation:
Denial-of-service attack aims to overwhelm system resources or network bandwidth to disrupt services. While high traffic is involved, DoS attacks do not typically involve targeted data theft.
Data exfiltration is correct. Data exfiltration is the unauthorized transfer of sensitive information from an organization’s network to an external entity. Key characteristics and considerations include:
Man-in-the-middle attack involves intercepting communications between two parties to eavesdrop or manipulate data. While MITM can facilitate data exfiltration, the scenario describes direct unauthorized transfer rather than interception.
SQL injection targets databases by injecting malicious SQL queries. While it can lead to data exposure, SQL injection alone does not describe ongoing outbound communication to an external server.
Data exfiltration remains one of the most critical threats to organizations due to its potential for regulatory penalties, financial loss, and reputational damage. Continuous monitoring, strong access policies, and encryption are essential defenses.
Q73. A penetration tester discovers that a corporate application allows users to manipulate URL parameters to access resources they should not be able to view. The tester can access other users’ data without authentication changes or administrative privileges. What type of vulnerability is present?
A. Broken access control
B. Cross-site scripting (XSS)
C. Directory traversal
D. SQL injection
Answer: A. Broken access control
Explanation:
Broken access control is correct. Broken access control occurs when applications fail to properly enforce user permissions or roles, allowing unauthorized access to resources. Characteristics include:
Insecure direct object references (IDOR): Accessing resources by changing identifiers in URLs or API requests.
Privilege escalation: Users can perform actions beyond their intended level of access.
Bypassing security mechanisms: Attackers exploit flaws in session handling or authorization checks.
Mitigation strategies include:
Enforce server-side authorization: Never rely solely on client-side controls.
Use access control lists (ACLs): Clearly define permissions for each resource.
Regular audits and testing: Conduct penetration tests and automated scans to identify broken access control issues.
Principle of least privilege: Grant users minimal necessary access to perform their job functions.
Cross-site scripting (XSS) affects client-side execution and does not directly allow unauthorized access to other users’ data.
Directory traversal involves accessing files outside intended directories through path manipulation (e.g., using ../ sequences). While serious, it differs from broken access control, which targets application-level authorization.
SQL injection allows attackers to manipulate database queries but is unrelated to exploiting user permission flaws in URL parameters.
Broken access control is one of the top security risks in web applications, often overlooked despite its potential for widespread data compromise. Proper server-side authorization, comprehensive testing, and strict adherence to the principle of least privilege are essential to secure applications.
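The IDOR case and the "enforce server-side authorization" mitigation, as an added example that is not part of the question set: a request handler that only checks for a logged-in session beside one that also checks the caller's relationship to the requested record. The invoice store, users and roles are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: int


# Constructed sample data (not from the question set).
INVOICES = {
    1001: Invoice(1001, "alice", 250),
    1002: Invoice(1002, "bob", 990),
}
ROLES = {"alice": "user", "bob": "user", "dana": "auditor"}


def get_invoice_vulnerable(session_user: Optional[str], invoice_id: int) -> tuple:
    """Checks only that someone is logged in, then trusts the id from the URL."""
    if session_user not in ROLES:
        return "forbidden", None
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return "not_found", None
    return "ok", inv                # any user can read any invoice: IDOR


def can_read(user: str, inv: Invoice) -> bool:
    """Server-side authorization rule: the owner and auditors may read."""
    return inv.owner == user or ROLES.get(user) == "auditor"


def get_invoice_secure(session_user: Optional[str], invoice_id: int) -> tuple:
    """Authenticates, then authorizes the specific object before returning it."""
    if session_user not in ROLES:
        return "forbidden", None
    inv = INVOICES.get(invoice_id)
    # Same response for "missing" and "not yours", so the difference cannot be
    # used to discover which ids exist.
    if inv is None or not can_read(session_user, inv):
        return "not_found", None
    return "ok", inv


if __name__ == "__main__":
    # alice changes the id in the URL from her own 1001 to bob's 1002
    print("vulnerable:", get_invoice_vulnerable("alice", 1002))   # ('ok', bob's invoice)
    print("secure    :", get_invoice_secure("alice", 1002))       # ('not_found', None)
```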
Q74. A cloud administrator notices that several user accounts attempt to log in from unusual geographic locations almost simultaneously, triggering alerts. Which type of security incident is most likely occurring?
A. Brute-force attack
B. Credential stuffing
C. Phishing attack
D. Insider threat
Answer: B. Credential stuffing
Explanation:
Brute-force attack involves attempting all possible password combinations for a single account. Brute-force attacks are usually slow and detectable, unlike the high-speed, multi-account attempts described in this scenario.
Credential stuffing is correct. Credential stuffing leverages previously exposed username/password combinations from data breaches to attempt logins across multiple accounts. Indicators include:
High-volume login attempts: Automated tools attempt access on numerous accounts quickly.
Geographic anomalies: Accounts are accessed from IP addresses inconsistent with normal user behavior.
Failed logins followed by successful logins: Attackers often try multiple breached credentials until they succeed.
Mitigation strategies include:
Multi-factor authentication (MFA): Even if passwords are compromised, MFA prevents unauthorized access.
Rate limiting: Throttle login attempts per account or IP address to prevent automated attacks.
Password hygiene: Educate users to avoid reusing passwords and enforce strong policies.
Monitoring and alerts: Detect unusual login patterns and geographic anomalies.
Phishing attack could result in stolen credentials, but the scenario describes automated login attempts, not social engineering or credential harvesting through deceptive communication.
Insider threat involves malicious or negligent activity by legitimate users, not automated external login attempts from breached credentials.
Credential stuffing is increasingly common due to widespread password reuse. Organizations should enforce MFA, strong password policies, and continuous monitoring to reduce the risk of account compromise.
Q75. During a security audit, an administrator finds that all systems on the network share the same administrative credentials, which are widely known among staff. Which security principle is being violated?
A. Least privilege
B. Accountability
C. Defense in depth
D. Separation of duties
Answer: B. Accountability
Explanation:
Least privilege restricts users to only the access required for their role. While shared credentials undermine this principle indirectly, the core violation relates to traceability rather than minimal access.
Accountability is correct. Accountability ensures that all actions on systems can be traced back to individual users. Key risks of shared credentials include:
Loss of traceability: Administrators cannot determine which individual performed an action.
Difficulty in auditing: Compliance requirements such as PCI DSS, HIPAA, and SOX mandate traceable user activity.
Increased insider threat risk: Malicious actions cannot be attributed to a specific user.
Security gaps: Compromised credentials affect all systems sharing the same credentials.
Mitigation strategies include:
Unique user accounts: Ensure all employees have individualized credentials.
Role-based access controls: Assign permissions according to job responsibilities.
Strong authentication: Implement MFA to further secure accounts.
Audit trails: Maintain detailed logs to track user actions for compliance and forensic purposes.
Defense in depth refers to layered security mechanisms, which is a broader concept and not the immediate principle violated.
Separation of duties divides critical responsibilities among multiple users to prevent fraud or errors. Shared credentials violate traceability but do not necessarily involve task division.
Shared administrative credentials create significant risk by eroding accountability, making it impossible to attribute actions, enforce compliance, or conduct effective forensic investigations. Organizations must enforce unique identities, robust authentication, and strict access policies to uphold accountability and security.
Q76. A penetration tester discovers that a web application allows attackers to manipulate user-controlled input to access files outside the intended directory structure, potentially exposing sensitive system files. What type of vulnerability is this?
A. SQL injection
B. Cross-site scripting (XSS)
C. Path traversal
D. Command injection
Answer: C. Path traversal
Explanation:
SQL injection targets database queries and allows attackers to manipulate backend SQL statements to extract or modify data. While severe, SQL injection does not provide direct access to the file system or operating system files in the way described.
Cross-site scripting (XSS) affects the client-side execution of scripts in a user’s browser and does not enable attackers to access server files directly.
Path traversal is correct. Path traversal, also known as directory traversal, occurs when an application fails to properly sanitize input used in file path references, allowing attackers to navigate outside the intended directories. Characteristics and implications include:
Access to sensitive files: Attackers can read configuration files, password files, or system secrets.
Exploitation vectors: Often involves user input in URL parameters, form fields, or HTTP headers.
Techniques: Attackers may use sequences like ../ (dot-dot-slash) to move up the directory hierarchy.
Potential for further compromise: Exposure of sensitive files may allow attackers to escalate privileges or plan further attacks.
Mitigation strategies include:
Input validation: Restrict input to allowed file names or patterns.
Canonicalization: Convert input to a standardized format to detect traversal attempts.
Least privilege: Ensure applications run with minimal permissions, limiting the impact of any compromise.
Logging and monitoring: Detect unusual file access patterns to alert administrators of potential attacks.
Command injection allows execution of operating system commands through unsanitized user input but does not inherently involve navigating file paths outside of the intended directory.
Path traversal vulnerabilities are common in web applications that dynamically reference files. Proper input validation, controlled directory access, and secure coding practices are essential to prevent exploitation and protect sensitive server data.
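The following is an added illustration of the canonicalization and input-validation mitigations listed above; it is not code from the original question set. It builds a constructed document root in a temporary directory, places a file outside it, and runs a deliberately vulnerable file reader and a hardened one against the same inputs (a legitimate name, a dot-dot-slash sequence, and an absolute path). The function names, the allowlist pattern and the sample files are all assumptions made for this example.

```python
import os
import re
import tempfile

# Constructed sandbox: a document root holding one legitimate file and a
# sibling directory holding a file that must never be served.
DOC_ROOT = tempfile.mkdtemp(prefix="docroot_")
OUTSIDE_DIR = tempfile.mkdtemp(prefix="outside_")
with open(os.path.join(DOC_ROOT, "report.txt"), "w") as fh:
    fh.write("quarterly report")
with open(os.path.join(OUTSIDE_DIR, "secret.txt"), "w") as fh:
    fh.write("do not serve this")

# Constructed request values used by probe(): one legitimate name, one
# dot-dot-slash sequence, and one absolute path.
SAMPLE_INPUTS = {
    "legit": "report.txt",
    "dotdot": os.path.join("..", os.path.basename(OUTSIDE_DIR), "secret.txt"),
    "absolute": os.path.join(OUTSIDE_DIR, "secret.txt"),
}


class TraversalAttempt(ValueError):
    """Raised when a requested path would leave the document root."""


def read_file_vulnerable(base_dir: str, user_path: str) -> str:
    # Untrusted input is joined straight into the path. Note that
    # os.path.join also discards base_dir entirely when user_path is absolute.
    with open(os.path.join(base_dir, user_path)) as fh:
        return fh.read()


# Allowlist: a single flat file name, no separators, no leading dot.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def resolve_within(base_dir: str, user_path: str) -> str:
    """Canonicalize (symlinks and '..' resolved) and confirm containment."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath is a component-aware containment test; a plain startswith()
    # would wrongly accept "/srv/docroot_evil" as being under "/srv/docroot".
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalAttempt(f"{user_path!r} resolves outside the document root")
    return candidate


def escapes_root(user_path: str) -> bool:
    """True if canonicalization shows the input leaving DOC_ROOT."""
    try:
        resolve_within(DOC_ROOT, user_path)
    except TraversalAttempt:
        return True
    return False


def read_file_hardened(base_dir: str, user_path: str) -> str:
    # Layer 1: validate against the allowlist before touching the filesystem.
    if not ALLOWED_NAME.fullmatch(user_path):
        raise TraversalAttempt(f"{user_path!r} is not an allowed file name")
    # Layer 2: canonicalize anyway, so a symlink inside the root or a later
    # loosening of the allowlist cannot silently reopen the hole.
    with open(resolve_within(base_dir, user_path)) as fh:
        return fh.read()


def probe(user_path: str) -> dict:
    """Run both readers against the sandbox and report what each did."""
    result = {}
    for label, reader in (("vulnerable", read_file_vulnerable),
                          ("hardened", read_file_hardened)):
        try:
            result[label] = reader(DOC_ROOT, user_path)
        except TraversalAttempt:
            result[label] = "blocked"
        except OSError:
            result[label] = "error"
    return result


if __name__ == "__main__":
    for name, value in SAMPLE_INPUTS.items():
        print(name, probe(value))
```

The two layers are deliberately independent: the allowlist rejects anything that is not a plain file name, and the canonicalization check would still catch an escape if the allowlist were later relaxed to permit subdirectories. Running the application with least privilege and logging every rejected request, as the explanation recommends, complement these checks rather than replace them.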
Q77. A security team discovers that attackers have implanted malware on several endpoints within the network. The malware can monitor keystrokes, capture screenshots, and exfiltrate data to an external server without user knowledge. Which type of malware is this?
A. Trojan
B. Spyware
C. Worm
D. Adware
Answer: B. Spyware
Explanation:
Trojan is malicious software disguised as legitimate software to trick users into executing it. While Trojans often deliver spyware, ransomware, or other payloads, the defining characteristic is the disguise and delivery method rather than the monitoring behavior itself.
Spyware is correct. Spyware is malicious software designed to secretly gather information about users and systems. Key characteristics include:
Worm propagates automatically across networks and systems without user intervention. While worms can be highly destructive, they are primarily focused on spreading rather than stealthy data collection.
Adware displays unwanted advertisements and may track user activity for marketing purposes. Unlike spyware, it is typically less malicious, does not target sensitive data, and usually lacks covert exfiltration functionality.
Spyware is particularly dangerous due to its ability to remain hidden, continuously monitor activities, and exfiltrate sensitive information without detection. Organizations must implement layered defenses including endpoint monitoring, strict access controls, and user education to minimize the risk of spyware infections.
Q78. A security auditor finds that an organization does not have a formal procedure for applying patches to software and operating systems. Updates are performed irregularly, and critical systems remain unpatched for months. What is the primary security risk in this scenario?
A. Weak access control
B. Lack of configuration baseline
C. Absence of a patch management program
D. Poor vendor management
Answer: C. Absence of a patch management program
Explanation:
Weak access control involves inadequate user authentication and authorization measures. While it is a significant security concern, it does not relate to the timely application of software updates.
Lack of configuration baseline refers to the absence of standard configurations for systems. Although a baseline helps in maintaining secure settings, it does not address patching practices directly.
Absence of a patch management program is correct. Without a structured program to identify, test, and apply patches, systems remain vulnerable to known exploits. Characteristics and implications include:
Exposure to known vulnerabilities: Attackers can exploit unpatched software, leading to breaches or ransomware infections.
Inconsistent patch application: Manual or ad-hoc updates create gaps in protection.
Compliance risk: Many regulatory frameworks (PCI DSS, HIPAA, ISO 27001) mandate timely patching.
Best practices for patch management include:
Automated patch deployment: Use tools to identify missing updates and deploy them consistently.
Prioritization: Focus on critical patches that fix high-severity vulnerabilities.
Testing and rollback procedures: Ensure patches do not disrupt production environments.
Auditing and reporting: Maintain logs of applied patches and monitor for failures or exceptions.
Poor vendor management relates to evaluating and managing third-party suppliers and services, which is not the primary concern in this scenario.
The absence of a patch management program exposes organizations to a wide attack surface and increases the likelihood of successful exploits. Establishing a formalized patch management policy is critical to maintain system security and compliance.
Q79. During a forensic investigation, an analyst finds that a disk image has been altered unintentionally due to improper handling during acquisition. To ensure evidence integrity in future investigations, which technique should be implemented?
A. Hashing
B. Disk partitioning
C. Defragmentation
D. Sanitization
Answer: A. Hashing
Explanation:
Hashing is correct. Hashing involves generating a unique cryptographic fingerprint of a file or disk image using algorithms like SHA-256 or MD5. Key points include:
Disk partitioning changes the structure of a disk and is not related to verifying integrity.
Defragmentation reorganizes files to improve storage efficiency but can alter the original data layout, invalidating forensic evidence.
Sanitization involves securely erasing data, which is counterproductive when preserving evidence.
Hashing is a foundational practice in digital forensics, ensuring that evidence remains tamper-proof and admissible in legal proceedings. Proper handling, documentation, and hashing are essential for maintaining forensic integrity.
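As an added example, not part of the original explanation, the block below shows the acquisition-then-verify workflow the answer describes: hash a (constructed) image in streamed chunks, store the digests in a chain-of-custody record, and re-hash later to detect the kind of unintended alteration in the question. The record format, the function names and the sample image are assumptions; SHA-256 is treated as the primary digest and MD5 is computed only because many forensic tools still report it, since MD5 is not collision resistant.

```python
import hashlib
import hmac
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB pieces so large images never load whole


def hash_image(path: str, algorithms=("sha256", "md5")) -> dict:
    """Stream the file once through every requested digest."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_acquisition(path: str, examiner: str) -> dict:
    """Chain-of-custody entry written at acquisition time (constructed format)."""
    return {
        "image": os.path.basename(path),
        "size": os.path.getsize(path),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "hashes": hash_image(path),
    }


def verify_image(path: str, record: dict) -> dict:
    """Recompute every recorded digest; returns {algorithm: matched}."""
    current = hash_image(path, tuple(record["hashes"]))
    # compare_digest avoids timing differences; not essential here, but it is
    # the right habit wherever a digest comparison is a security decision.
    return {name: hmac.compare_digest(current[name], expected)
            for name, expected in record["hashes"].items()}


def make_sample_image(size_bytes: int = 3 * CHUNK_SIZE + 17) -> str:
    """Constructed stand-in for a disk image: deterministic pseudo-data."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    pattern = bytes(range(256))
    data = (pattern * (size_bytes // len(pattern) + 1))[:size_bytes]
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def flip_one_byte(path: str, offset: int) -> None:
    """Simulate the accidental alteration from the question: one byte changes."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0x01]))


if __name__ == "__main__":
    image = make_sample_image()
    record = record_acquisition(image, "analyst-1")
    print("at acquisition:", verify_image(image, record))
    flip_one_byte(image, 2 * CHUNK_SIZE + 5)
    print("after one-byte change:", verify_image(image, record))
    os.remove(image)
```

In practice the acquisition hash is taken from the write-blocked source and stored with the custody documentation, and every subsequent copy is re-hashed before analysis; a single changed byte anywhere in a multi-gigabyte image produces a completely different digest, which is exactly why this check would have caught the alteration in the question.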
Q80. A company’s security team implements continuous monitoring to detect abnormal user behavior such as unusual login times, large data downloads, or access from atypical locations. Which type of security solution best supports this requirement?
A. Static firewall
B. Intrusion prevention system
C. Behavior-based analytics
D. Packet filtering
Answer: C. Behavior-based analytics
Explanation:
Static firewall enforces predefined network traffic rules but cannot detect subtle deviations in user or system behavior.
Intrusion prevention system (IPS) primarily relies on known attack signatures and patterns to block threats. While useful for known exploits, IPS may not detect novel or insider threats characterized by anomalous behavior.
Behavior-based analytics is correct. Behavior-based analytics solutions continuously monitor activity to detect deviations from established baselines. Key aspects include:
User and entity behavior analytics (UEBA): Monitors login patterns, file access, and network behavior to identify anomalies.
Machine learning models: Detect subtle, evolving threats such as insider attacks or compromised accounts.
Real-time alerts: Provide security teams with actionable intelligence for rapid incident response.
Incident response integration: Supports automated containment and mitigation workflows.
Packet filtering inspects network traffic headers for rule compliance but does not analyze behavior patterns or detect anomalies in user actions.
Behavior-based analytics provides proactive security by identifying abnormal activity, reducing risk from insider threats, compromised credentials, or advanced persistent threats (APTs). Integrating UEBA with continuous monitoring, SIEM systems, and incident response enables organizations to respond rapidly to evolving threats.
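The block below is an added illustration, not code from the original question set, of the baseline-and-deviation logic that behavior-based analytics applies to the three signals in the question: login time, download volume and source location. The audit events are constructed, the per-user baseline (observed login-hour range, seen countries, mean and standard deviation of bytes downloaded) and the z-score threshold are assumptions chosen for the example, and real UEBA products use far larger histories and richer models than this.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit events (not from any real system):
# (user, ISO timestamp, source country, bytes downloaded in the session)
EVENTS = [
    ("alice", "2024-03-04T09:12:00", "US", 42_000_000),
    ("alice", "2024-03-05T08:50:00", "US", 55_000_000),
    ("alice", "2024-03-06T10:03:00", "US", 38_000_000),
    ("alice", "2024-03-07T09:41:00", "US", 61_000_000),
    ("alice", "2024-03-08T17:20:00", "US", 47_000_000),
    ("bob",   "2024-03-04T13:05:00", "DE", 12_000_000),
    ("bob",   "2024-03-05T14:11:00", "DE",  9_000_000),
    ("bob",   "2024-03-06T12:58:00", "DE", 15_000_000),
    ("bob",   "2024-03-07T13:30:00", "DE", 11_000_000),
    ("bob",   "2024-03-08T14:02:00", "DE", 13_000_000),
]


def build_baselines(events) -> dict:
    """Summarize each user's normal hours, locations and download volume."""
    per_user = defaultdict(list)
    for user, ts, country, nbytes in events:
        per_user[user].append((datetime.fromisoformat(ts), country, nbytes))
    baselines = {}
    for user, rows in per_user.items():
        hours = [row[0].hour for row in rows]
        sizes = [row[2] for row in rows]
        baselines[user] = {
            "hour_min": min(hours),
            "hour_max": max(hours),
            "countries": {row[1] for row in rows},
            "bytes_mean": mean(sizes),
            # population stdev; with only five samples this is illustrative
            "bytes_std": pstdev(sizes),
        }
    return baselines


def score_event(baselines: dict, event, z_threshold: float = 3.0) -> list:
    """Return the list of anomaly reasons for one event (empty if normal)."""
    user, ts, country, nbytes = event
    baseline = baselines.get(user)
    if baseline is None:
        return ["unknown_user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if not baseline["hour_min"] <= hour <= baseline["hour_max"]:
        reasons.append("unusual_login_time")
    if country not in baseline["countries"]:
        reasons.append("atypical_location")
    std = baseline["bytes_std"] or 1.0  # guard against a perfectly flat baseline
    if (nbytes - baseline["bytes_mean"]) / std > z_threshold:
        reasons.append("large_download")
    return reasons


def scan(events, baselines: dict) -> list:
    """Run every event through the scorer; keep only those with reasons."""
    alerts = []
    for event in events:
        reasons = score_event(baselines, event)
        if reasons:
            alerts.append({"user": event[0], "at": event[1], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    baselines = build_baselines(EVENTS)
    # Constructed new-day events: one routine, one that trips all three signals.
    new_events = [
        ("alice", "2024-03-11T10:00:00", "US", 50_000_000),
        ("alice", "2024-03-11T03:07:00", "RO", 5_000_000_000),
    ]
    for alert in scan(new_events, baselines):
        print(alert)
```

The scorer reports every reason that fired rather than a single verdict, which is what makes the alert actionable for the responder: a new country alone may be travel, a large download alone may be a legitimate export, but all three together on one session is the pattern the question describes. Feeding such alerts into a SIEM and an automated containment workflow is the integration step the explanation refers to.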