CompTIA SY0-701 Security+ Exam Dumps and Practice Test Questions Set5 Q81-100
Q81. A penetration tester discovers that a web application allows users to upload files, but it does not validate file types or sanitize file names. The tester is able to upload a malicious script and execute it on the server. Which type of vulnerability is this?
A. Cross-site scripting (XSS)
B. Remote file inclusion
C. Insecure direct object reference
D. Unrestricted file upload
Answer: D. Unrestricted file upload
Explanation:
- Cross-site scripting (XSS) affects users by injecting malicious scripts into web pages they view. XSS does not allow attackers to execute server-side scripts directly; it is primarily a client-side attack.
- Remote file inclusion (RFI) involves including remote files via user input, often exploiting server-side scripting functions. While similar, RFI specifically requires the inclusion of files hosted externally, not arbitrary file uploads.
- Insecure direct object reference (IDOR) occurs when an application exposes internal objects (files, database entries) to unauthorized users. IDOR is about access control flaws, not uploading and executing files.
- Unrestricted file upload is correct. This vulnerability arises when an application allows users to upload files without properly validating their type, content, or name. Key aspects include:
- Execution of malicious code: Uploaded scripts can execute on the server, potentially giving attackers shell access.
- Privilege escalation: Exploiting unrestricted uploads can lead to higher-level access if the server runs privileged processes.
- Data compromise: Attackers can access sensitive files, manipulate configurations, or exfiltrate data.
- Indicators: Presence of unexpected file types in web directories, suspicious POST requests with files, or execution errors after uploads.
Mitigation strategies include:
- File type validation: Restrict uploads to allowed MIME types and extensions.
- Sanitization of filenames: Prevent directory traversal or script execution through careful filename handling.
- Use of sandboxed directories: Store uploads outside the webroot and enforce strict permissions.
- Antivirus scanning: Scan uploaded files for known malware before processing.
Unrestricted file uploads remain a common vector for web-based compromises and often serve as a pivot point for deeper system exploitation.
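The mitigations listed for Q81 (extension and content validation, filename sanitization, server-chosen names, storage outside the web root) can be combined in one upload handler. The following is an added example, not part of the original practice test; the allowlist, the magic-byte table and the `/var/app-data/uploads` directory are assumptions chosen for the demonstration.

```python
import os
import re
import secrets
from pathlib import Path

# Constructed allowlist for this example: permitted extension -> expected leading bytes.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}

# Assumed storage location, deliberately outside the web server's document root.
UPLOAD_ROOT = Path("/var/app-data/uploads")


class UploadRejected(ValueError):
    """Raised when an upload fails any validation step."""


def sanitize_filename(name: str) -> str:
    """Drop directory components and reduce the name to a conservative character set."""
    base = os.path.basename(name.replace("\\", "/"))   # strip POSIX or Windows path parts
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)        # replace anything unexpected
    base = base.lstrip(".")                              # no hidden files, no '..'
    if not base:
        raise UploadRejected("empty filename after sanitization")
    return base


def validate_upload(filename: str, content: bytes) -> str:
    """Return a server-generated storage name for the upload, or raise UploadRejected."""
    safe = sanitize_filename(filename)
    stem, ext = os.path.splitext(safe)
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if "." in stem:                                      # e.g. 'report.php.png'
        raise UploadRejected("multiple extensions not allowed")
    if not content.startswith(ALLOWED_TYPES[ext]):      # declared type must match content
        raise UploadRejected("content does not match declared type")
    # The client-supplied name never reaches the filesystem; the server picks a random one.
    return f"{secrets.token_hex(16)}{ext}"


def storage_path(stored_name: str) -> Path:
    """Resolve the final on-disk path and confirm it stays under UPLOAD_ROOT."""
    target = (UPLOAD_ROOT / stored_name).resolve()
    if UPLOAD_ROOT.resolve() not in target.parents:
        raise UploadRejected("path escapes the upload directory")
    return target


def is_rejected(filename: str, content: bytes) -> bool:
    """Convenience wrapper used for checks: True if the upload would be refused."""
    try:
        validate_upload(filename, content)
        return False
    except UploadRejected:
        return True
```

Scanning the stored file with an antivirus engine, as the last mitigation bullet suggests, would happen after `validate_upload` returns and before the file is made available to any other component.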
Q82. A network administrator wants to prevent unauthorized devices from connecting to the corporate LAN. The administrator configures the network switches to allow only known devices based on their MAC addresses. Which security control is being implemented?
A. Port security
B. Network segmentation
C. VLAN tagging
D. MAC flooding
Answer: A. Port security
Explanation:
- Network segmentation divides a network into multiple segments to reduce broadcast domains and isolate traffic. While beneficial for security, segmentation does not inherently restrict individual device access.
- VLAN tagging identifies and separates traffic for different VLANs but does not prevent unknown devices from connecting to a switch port.
- MAC flooding is an attack technique where the attacker overwhelms a switch’s MAC address table to force it into fail-open mode. This is malicious, not a preventive control.
- Port security is correct. Port security is a Layer 2 control that allows network administrators to restrict switch ports to specific MAC addresses. Key elements include:
- Limiting connected devices: Only pre-approved devices can communicate on the network through that port.
- Violation actions: Administrators can configure the switch to shut down the port, drop traffic, or generate alerts when an unauthorized device connects.
- Security benefits: Prevents rogue devices from accessing sensitive networks and mitigates risks from attackers introducing unauthorized endpoints.
- Implementation considerations: Maintain an updated list of authorized MAC addresses, monitor port violations, and integrate with network access control (NAC) systems.
Port security provides an effective first line of defense against unauthorized LAN access but should be combined with strong authentication, monitoring, and endpoint security for comprehensive protection.
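To make the Q82 behaviour concrete, the following simulates a switch port with port security: a MAC allowlist, a maximum number of secure addresses, optional sticky learning, and the three violation actions the explanation lists (drop silently, drop and alert, shut the port down). This is an added example written for this page, not vendor code; the interface names and MAC addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Literal, Set

ViolationMode = Literal["protect", "restrict", "shutdown"]


@dataclass
class SecurePort:
    """Simulated access port with port security enabled (constructed model, not a real switch)."""
    name: str
    max_addresses: int = 1
    violation: ViolationMode = "shutdown"
    sticky: bool = False                              # learn the first MACs seen on the port
    allowed: Set[str] = field(default_factory=set)    # statically configured secure MACs
    err_disabled: bool = False
    violation_count: int = 0
    alerts: List[str] = field(default_factory=list)

    def frame_from(self, mac: str) -> bool:
        """Return True if a frame with source address `mac` is forwarded, False if dropped."""
        mac = mac.lower()
        if self.err_disabled:
            return False                              # port stays down until recovered
        if mac in self.allowed:
            return True
        if self.sticky and len(self.allowed) < self.max_addresses:
            self.allowed.add(mac)                     # sticky learning fills free slots
            return True
        return self._violation(mac)

    def _violation(self, mac: str) -> bool:
        self.violation_count += 1
        if self.violation == "protect":
            return False                              # silent drop, no alert
        self.alerts.append(f"{self.name}: port-security violation from {mac}")
        if self.violation == "shutdown":
            self.err_disabled = True                  # err-disable the whole port
        return False                                  # restrict: drop the frame and alert

    def recover(self) -> None:
        """Administrative errdisable recovery, e.g. after the rogue device is removed."""
        self.err_disabled = False
```

The simulation also shows the limit the explanation hints at: the decision rests entirely on the source MAC address, which a host can set freely, so port security is a first filter and the NAC integration mentioned above (802.1X-style authentication) is what actually proves device identity.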
Q83. A company’s HR department stores sensitive employee data in a cloud service. To ensure that even the cloud provider cannot access the data, the organization manages encryption keys internally and controls all key generation, rotation, and storage. Which encryption model is being used?
A. Provider-managed encryption
B. Customer-managed encryption with provider key storage
C. Customer-managed encryption with customer key storage
D. Provider-managed encryption with customer key storage
Answer: C. Customer-managed encryption with customer key storage
Explanation:
- Provider-managed encryption allows the cloud provider to generate, store, and manage encryption keys. While this protects against casual exposure, the provider still has access to the keys.
- Customer-managed encryption with provider key storage allows organizations to define encryption policies but still relies on the provider to store the keys, giving them potential access.
- Provider-managed encryption with customer key storage is not feasible because the provider cannot manage keys that are fully outside its control.
- Customer-managed encryption with customer key storage is correct. This model offers the highest level of data confidentiality and control:
- Key generation: All keys are created internally by the organization.
- Key storage: Keys reside in secure on-premises hardware security modules (HSMs) or controlled vaults.
- Key rotation and revocation: Organizations define policies for rotation, backup, and destruction.
- Data confidentiality: Even if the provider’s infrastructure is compromised, data remains inaccessible without the keys.
This model is particularly important for highly regulated industries like finance, healthcare, or government, where compliance requirements demand cryptographic autonomy and minimal reliance on third parties.
Q84. An attacker gains access to multiple employee accounts by using usernames and passwords obtained from a previous breach. Automated tools are attempting logins across internal systems to see which accounts have reused credentials. What type of attack is this?
A. Brute-force attack
B. Credential stuffing
C. Password spraying
D. Keylogging
Answer: B. Credential stuffing
Explanation:
- Brute-force attack attempts every possible password combination for a single account. Brute-force is time-intensive and does not rely on stolen credentials.
- Password spraying involves attempting a small set of common passwords across many accounts, without using credentials from breaches. It differs from credential stuffing, which uses known valid credentials.
- Keylogging involves malware that captures keystrokes to steal credentials, not automated reuse of stolen credentials.
- Credential stuffing is correct. This attack relies on the fact that users often reuse passwords across multiple accounts. Key elements include:
- Automation: Attackers use tools to attempt thousands or millions of login attempts quickly.
- Use of leaked credentials: Stolen usernames and passwords from prior breaches are applied to other services.
- Indicators: High login attempts from multiple IPs, often failing repeatedly but occasionally succeeding if users reuse passwords.
- Mitigation: Multi-factor authentication, monitoring login anomalies, enforcing unique passwords per system, and alerting users to compromised credentials.
Credential stuffing is effective because human behavior often leads to password reuse. Organizations must implement proactive defenses, including MFA and credential monitoring, to prevent account compromise.
Q85. During a security assessment of a Linux server, a penetration tester identifies a root-owned cron job that executes a script every few minutes. The script is writable by all users. Which attack can the tester perform next?
A. Privilege escalation
B. Lateral movement
C. Credential harvesting
D. Pivoting
Answer: A. Privilege escalation
Explanation:
- Lateral movement involves moving from one compromised system to other systems on a network. While privilege escalation could facilitate lateral movement later, the immediate attack is local elevation of privileges.
- Credential harvesting targets the collection of passwords or tokens. Writable cron scripts do not inherently reveal credentials.
- Pivoting is using a compromised host to attack other systems. It depends on having elevated access first.
- Privilege escalation is correct. In this scenario:
- Writable cron job: A root-owned cron job executes a script that any user can modify.
- Exploitation: The tester can insert malicious commands into the script. When the cron job executes, it runs with root privileges, granting administrative access.
- Implications: Root access allows full control over the system, installation of persistent backdoors, and potential lateral movement.
- Mitigation: Restrict file permissions, ensure root-owned scripts are only writable by root, enforce least privilege, and monitor cron job configurations.
Misconfigured cron jobs represent a frequent vulnerability in Linux environments. Proper file permissions, auditing, and automated configuration management reduce the risk of privilege escalation and subsequent exploitation.
Q86. A security analyst observes multiple login attempts from various global IP addresses targeting numerous employee accounts within minutes. Each attempt uses username-password pairs obtained from previous data breaches. What type of attack is being conducted?
A. Brute-force attack
B. Password spraying
C. Credential stuffing
D. Phishing
Answer: C. Credential stuffing
Explanation:
- Brute-force attack involves systematically attempting every possible password combination for a single account. It is highly resource-intensive and usually slower than attacks using pre-leaked credentials. Brute-force attacks target one account at a time and often trigger lockouts quickly, making them less effective at scale.
- Password spraying differs in approach. Attackers use a small set of common passwords across many accounts, relying on the probability that users select weak passwords. It does not require stolen credentials and is less targeted than credential stuffing.
- Phishing relies on social engineering, tricking users into providing credentials through deceptive emails, websites, or messages. While it can result in account compromise, it does not involve automated login attempts with known username-password pairs.
- Credential stuffing is correct. Key characteristics include:
- Use of stolen credentials: Attackers leverage usernames and passwords from prior breaches.
- Automation: Attack scripts or tools attempt logins across multiple accounts rapidly, often from multiple IP addresses to evade detection.
- Indicators: Rapid login failures across multiple accounts, login attempts from unusual geographic locations, and occasional successes on accounts whose owners reused credentials.
- Impact: Unauthorized access, potential data exfiltration, account takeover, and lateral movement within the organization.
- Mitigation: Enforcing multi-factor authentication (MFA), monitoring anomalous login attempts, educating users about unique passwords, and implementing login rate-limiting.
Credential stuffing exploits human tendencies to reuse passwords, making it one of the most common initial access techniques in cyberattacks. Organizations must combine user training, strong password policies, and adaptive authentication to mitigate this risk effectively.
Q87. A company wants to ensure that only devices meeting security standards, such as up-to-date patches and antivirus installation, can access its cloud resources. Which access control model should be implemented?
A. Role-based access control
B. Discretionary access control
C. Mandatory access control
D. Attribute-based access control
Answer: D. Attribute-based access control
Explanation:
- Role-based access control (RBAC) grants access based on the user’s role in the organization. While RBAC is effective for managing role-specific permissions, it does not consider contextual factors like device health, location, or compliance status.
- Discretionary access control (DAC) allows resource owners to decide who can access their resources. This lacks centralized enforcement and cannot enforce conditional access based on device attributes.
- Mandatory access control (MAC) enforces strict security policies determined by a central authority, often using labels for classification. MAC is rigid and does not dynamically adjust access based on device conditions.
- Attribute-based access control (ABAC) is correct. ABAC evaluates access using multiple attributes, including:
- User attributes: Role, department, clearance level.
- Environmental attributes: Location, time of access, risk level.
- Device attributes: Security patch status, antivirus installation, encryption status.
Key benefits of ABAC include:
- Granular control: Decisions are made based on real-time attributes rather than static roles.
- Dynamic enforcement: Access policies can change automatically if device or user context changes.
- Integration with Zero Trust: ABAC supports conditional access principles, ensuring that sensitive resources are accessible only from compliant devices.
ABAC is increasingly critical in cloud environments where diverse endpoints and varying device health pose security risks. Implementing ABAC helps mitigate threats from compromised or non-compliant devices.
Q88. During a penetration test, a tester discovers that a web application accepts user input without validation, allowing the tester to execute system-level commands on the server. Which vulnerability does this represent?
A. Cross-site scripting
B. SQL injection
C. Command injection
D. Directory traversal
Answer: C. Command injection
Explanation:
- Cross-site scripting (XSS) targets end-users by injecting malicious scripts into web pages. XSS is client-side and does not allow execution of commands on the server operating system.
- SQL injection exploits vulnerabilities in database queries to exfiltrate or manipulate data. While critical, SQL injection does not directly allow operating system command execution.
- Directory traversal involves accessing files outside intended directories, usually through path manipulation. It does not permit arbitrary OS command execution.
- Command injection is correct. This vulnerability occurs when user input is passed to system-level commands without proper validation. Key points include:
- Exploitation: Attackers can run arbitrary commands, potentially escalating privileges, modifying files, or creating backdoors.
- Indicators: Unexpected command execution, abnormal process creation, or unauthorized changes to system files.
- Mitigation: Input validation, using safe API functions, least privilege for executing services, and monitoring system calls.
Command injection is highly dangerous because it provides attackers with direct control over the server, enabling data theft, persistence mechanisms, and lateral movement opportunities.
Q89. A company requires employees to log in to cloud applications using a password and a time-based one-time password (TOTP) generated by an authenticator app. What type of authentication is being enforced?
A. Single-factor authentication
B. Two-factor authentication
C. Biometric authentication
D. Certificate-based authentication
Answer: B. Two-factor authentication
Explanation:
- Single-factor authentication uses only one type of credential (e.g., password). It is insufficient for protecting sensitive systems in modern environments.
- Biometric authentication relies on fingerprints, facial recognition, or other physical traits, which is not part of this scenario.
- Certificate-based authentication uses digital certificates and cryptographic keys to verify identity, which is not described here.
- Two-factor authentication (2FA) is correct. In this case:
- Something you know: Password.
- Something you have: TOTP generated by an app.
- Benefits: Even if an attacker steals a password, access is denied without the TOTP.
- Implementation considerations: Secure delivery of TOTP seeds, user training, and backup recovery mechanisms.
2FA significantly reduces the risk of account compromise due to stolen credentials, phishing attacks, or password reuse. Modern cloud environments frequently mandate 2FA to protect sensitive data and comply with regulatory requirements.
Q90. A penetration tester finds a root-owned cron job on a Linux server that executes a script every few minutes. The script is writable by all users. Which attack technique could the tester perform next?
A. Privilege escalation
B. Lateral movement
C. Credential harvesting
D. Pivoting
Answer: A. Privilege escalation
Explanation:
- Lateral movement occurs after an attacker gains access to a system and moves across the network. While privilege escalation enables lateral movement later, it is not the immediate attack.
- Credential harvesting involves collecting passwords or tokens. Writable cron jobs do not directly expose credentials.
- Pivoting is using a compromised host to attack other systems. Root access is often required first.
- Privilege escalation is correct. Key aspects include:
- Writable cron job: The root-owned script is modifiable by all users.
- Exploitation: The tester can insert commands into the script. When the cron job executes, it runs as root, granting administrative privileges.
- Implications: Root access allows full system control, installation of persistent backdoors, and manipulation of system configurations.
- Mitigation: Restrict file permissions, enforce least privilege, conduct regular audits, and monitor cron job scripts for unauthorized modifications.
Privilege escalation through misconfigured cron jobs is a common Linux vulnerability. Organizations must combine permissions management, continuous auditing, and system hardening to prevent attackers from gaining administrative control.
Q91. A security analyst identifies repeated attempts from external IP addresses to access internal systems using multiple username-password combinations. Many of these accounts belong to employees who use the same credentials across different services. Which attack is most likely occurring?
A. Brute-force attack
B. Credential stuffing
C. Password spraying
D. Phishing
Answer: B. Credential stuffing
Explanation:
- Brute-force attack involves attempting all possible combinations for a single account. Brute-force attacks are usually slow, target individual accounts, and often trigger lockout policies, making them less effective when targeting large numbers of accounts simultaneously.
- Password spraying differs because it uses a small number of common passwords across many accounts, not stolen credentials. While it can bypass lockout policies, it is not as precise as credential stuffing and does not rely on previously exposed passwords.
- Phishing is a social engineering attack where attackers trick users into disclosing credentials, typically via email or fake websites. While phishing is a common method of gaining credentials, it is not characterized by automated login attempts using known username-password pairs.
- Credential stuffing is correct. Credential stuffing exploits the fact that users often reuse passwords across services. Attackers obtain username-password pairs from prior data breaches and use automated tools to test these credentials on multiple systems. Key aspects include:
- Indicators: Rapid login attempts across many accounts, often from multiple geographic locations or IP addresses.
- Impact: Account compromise, potential lateral movement, data exfiltration, and unauthorized access to sensitive systems.
- Detection: Monitoring login attempts, identifying unusual geographic or temporal patterns, and tracking failed login rates.
- Mitigation: Enforcing unique passwords, implementing multi-factor authentication (MFA), and educating users on password hygiene.
Credential stuffing is a highly effective attack vector due to the prevalence of password reuse. Organizations must implement robust monitoring and proactive security measures to defend against this threat.
Q92. A cloud service provider allows customers to manage encryption keys independently and store them outside the provider’s environment. Which encryption model is being applied?
A. Provider-managed encryption
B. Customer-managed encryption with provider key storage
C. Customer-managed encryption with customer key storage
D. Provider-managed encryption with customer key storage
Answer: C. Customer-managed encryption with customer key storage
Explanation:
- Provider-managed encryption is where the cloud provider generates, stores, and manages the keys. While it protects data, the provider has access to the keys, which does not satisfy strict confidentiality requirements.
- Customer-managed encryption with provider key storage allows customers to manage encryption policies, but keys remain within the provider’s infrastructure, leaving the provider with potential access.
- Provider-managed encryption with customer key storage is not feasible because providers cannot manage keys stored entirely outside their control.
- Customer-managed encryption with customer key storage is correct. This model offers maximum control over sensitive data:
- Exclusive control: Organizations generate, manage, and store keys in their own infrastructure, ensuring the provider cannot decrypt data.
- Key lifecycle management: Includes secure generation, rotation, storage, backup, and destruction of keys.
- Compliance: Ideal for organizations under strict regulations (e.g., GDPR, HIPAA, PCI DSS) where provider access must be restricted.
- Implementation considerations: Secure key storage, redundancy for key recovery, and strict access controls to prevent insider misuse.
Customer-managed encryption with customer key storage ensures true cryptographic autonomy while maintaining the flexibility of cloud storage. It mitigates the risk of unauthorized provider access or data exposure in the event of a provider compromise.
Q93. During a security assessment, a penetration tester discovers a Linux system with a cron job owned by root that executes every few minutes. The script is writable by all users. Which type of attack can the tester perform next?
A. Privilege escalation
B. Lateral movement
C. Credential harvesting
D. Pivoting
Answer: A. Privilege escalation
Explanation:
- Lateral movement occurs after gaining access to a system and moving across the network. While root access can enable lateral movement, it is not the immediate technique here.
- Credential harvesting targets stored passwords or tokens. Writable cron jobs do not provide direct access to credentials.
- Pivoting involves using a compromised system to attack other systems in the network. This may follow privilege escalation but is not the initial attack.
- Privilege escalation is correct. Key aspects include:
- Writable cron job vulnerability: The script is executed as root but can be modified by any user.
- Exploitation process: The tester inserts malicious commands into the script. When the cron job runs, commands execute with root privileges, granting full system control.
- Implications: Full administrative access, installation of persistent backdoors, modification of system files, and escalation to network-level attacks.
- Mitigation: Enforcing least privilege, restricting file permissions, monitoring cron jobs for unauthorized changes, and conducting regular audits.
This attack demonstrates how misconfigured file permissions in scheduled tasks create a critical security vulnerability that can lead to full system compromise. Proper configuration management and auditing are essential preventive measures.
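Q85, Q90 and Q93 all describe the same misconfiguration, and the mitigation they share (audit cron jobs and ensure root-run scripts are writable only by root) is easy to automate. The following is an added example for this page, not part of the practice test: it parses system-crontab lines, stats each referenced script and reports permission findings. The crontab line, the script path and the temporary file used by `demo()` are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile
from typing import Dict, Iterator, List, Tuple

# Constructed system-crontab entry (the /etc/crontab format carries a user field).
SAMPLE_CRONTAB = "*/5 * * * * root /usr/local/bin/cleanup.sh\n"

# Five schedule fields, the user, then the command; per-user crontabs (crontab -e) omit the user.
CRON_LINE = re.compile(r"^\s*(?P<schedule>(?:\S+\s+){5})(?P<user>\S+)\s+(?P<command>.+)$")


def parse_system_crontab(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (run_as_user, script_path) for every non-comment entry."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            yield m.group("user"), m.group("command").split()[0]


def mode_findings(mode: int, uid: int, run_as: str) -> List[str]:
    """Pure check on mode bits and owner so the logic can be tested without a real file."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if run_as == "root" and uid != 0:
        findings.append("runs as root but not owned by root")
    return findings


def audit_script(path: str, run_as: str) -> List[str]:
    st = os.stat(path)
    return mode_findings(st.st_mode, st.st_uid, run_as)


def audit_crontab(text: str, resolve=lambda p: p) -> Dict[str, List[str]]:
    """Audit every script a crontab references. `resolve` maps the path written in the
    crontab to the path to stat; it exists so the demo can point at a temporary file."""
    report: Dict[str, List[str]] = {}
    for user, script in parse_system_crontab(text):
        real = resolve(script)
        if os.path.exists(real):
            findings = audit_script(real, user)
            if findings:
                report[script] = findings
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a script with mode 0666 referenced by a root cron job."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "cleanup.sh")
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho cleanup\n")
        os.chmod(p, 0o666)                       # the misconfiguration under discussion
        return audit_crontab(SAMPLE_CRONTAB, resolve=lambda _: p)
```

A full audit would also walk `/etc/cron.d`, the `cron.hourly`/`daily` directories and each user's crontab, and would check the directories containing the scripts, since a writable parent directory lets the script file be replaced even when the file itself is mode 0755.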
Q94. A company wants to ensure that employees can access cloud applications only from devices that meet predefined security standards, such as updated OS, active antivirus, and encryption enabled. Which access control mechanism should be used?
A. Role-based access control
B. Discretionary access control
C. Mandatory access control
D. Attribute-based access control
Answer: D. Attribute-based access control
Explanation:
- Role-based access control (RBAC) grants access based on the user’s role within the organization. It does not account for contextual factors such as device compliance, location, or security posture.
- Discretionary access control (DAC) allows resource owners to manage permissions themselves, so it lacks centralized enforcement and cannot grant or deny access conditionally based on device attributes.
- Mandatory access control (MAC) enforces strict policies based on labels or classification. While secure, MAC is inflexible and cannot dynamically respond to device compliance conditions.
- Attribute-based access control (ABAC) is correct. ABAC evaluates multiple attributes for access decisions, including:
- User attributes: Role, department, security clearance.
- Device attributes: Patch status, antivirus presence, disk encryption, and device health.
- Environmental attributes: Location, time, risk profile.
- Policy enforcement: Real-time decisions allow or deny access based on current conditions, aligning with Zero Trust principles.
ABAC allows granular, adaptive control over cloud resources, ensuring that only compliant devices can access sensitive applications. It reduces the risk of data exposure from compromised or non-compliant devices and is widely used in modern cloud security architectures.
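Q87 and Q94 both turn on the same point: an ABAC decision combines user, device and environment attributes, so a user whose role would pass under RBAC is still denied from a non-compliant device. The following is an added example for this page, not part of the practice test and not any vendor's policy language: a deny-by-default policy engine with a constructed "payroll application" policy whose rule names and thresholds are assumptions.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

Attributes = Dict[str, Any]
Condition = Callable[[Attributes, Attributes, Attributes], bool]


@dataclass
class Rule:
    name: str
    condition: Condition            # receives (user, device, environment) attributes


@dataclass
class Policy:
    """Deny by default: every rule must hold for access to be granted."""
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, user: Attributes, device: Attributes, env: Attributes) -> Tuple[bool, List[str]]:
        failed = [r.name for r in self.rules if not r.condition(user, device, env)]
        return (not failed), failed


# Constructed policy for an HR payroll application; names and thresholds are assumptions.
PAYROLL_POLICY = Policy([
    Rule("user in HR or Finance",  lambda u, d, e: u.get("department") in {"HR", "Finance"}),
    Rule("device managed",         lambda u, d, e: d.get("managed") is True),
    Rule("patches < 14 days old",  lambda u, d, e: d.get("days_since_patch", 999) < 14),
    Rule("antivirus running",      lambda u, d, e: d.get("antivirus_running") is True),
    Rule("disk encrypted",         lambda u, d, e: d.get("disk_encrypted") is True),
    Rule("risk score low",         lambda u, d, e: e.get("risk_score", 100) <= 30),
])


def decide(policy: Policy, user: Attributes, device: Attributes, env: Attributes) -> Dict[str, Any]:
    """Return the decision plus the rules that failed, which is what an access log should record."""
    allowed, failed = policy.evaluate(user, device, env)
    return {"allow": allowed, "failed_rules": failed}
```

Note that missing attributes fail closed: a device that never reported its patch age is treated as unpatched, which is the behaviour you want when the posture signal comes from an agent an attacker might disable.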
Q95. During an incident response, a security analyst observes that an attacker has modified system files, installed hidden processes, and maintained access even after reboots. Which type of malware is most likely responsible?
A. Trojan
B. Rootkit
C. Worm
D. Adware
Answer: B. Rootkit
Explanation:
- Trojan is malicious software disguised as legitimate software. While it can deliver malware payloads, Trojans themselves do not inherently maintain persistent, hidden access across reboots.
- Worm propagates autonomously across networks but does not typically hide its presence or modify system files for stealthy persistence.
- Adware primarily displays unwanted advertisements and may track activity. It does not provide persistent, hidden system-level access.
- Rootkit is correct. Rootkits are highly stealthy malware designed to:
- Modify kernel or firmware: Ensuring persistence across reboots.
- Hide processes, files, and network activity: Evading detection by antivirus and monitoring tools.
- Provide attackers with full system control: Allowing execution of arbitrary commands, creation of backdoors, and modification of security settings.
- Survive system reboots and security scans: Often using kernel-level hooks or firmware modification.
Rootkits are among the most dangerous malware due to their stealth and ability to maintain persistent access without user detection. Detection often requires specialized integrity-checking tools or full system restoration. Prevention involves maintaining least privilege, regularly patching systems, monitoring for anomalous activity, and using trusted software sources.
Rootkits enable attackers to maintain a foothold within compromised systems for long durations, facilitating data exfiltration, lateral movement, and ongoing system compromise. Organizations must combine proactive monitoring, endpoint security, and incident response strategies to mitigate rootkit threats effectively.
Q96. A security administrator notices that an external attacker is repeatedly attempting to gain access to multiple accounts using a small set of common passwords, and no individual account is being targeted with repeated guesses. Which type of attack is occurring?
A. Brute-force attack
B. Password spraying
C. Credential stuffing
D. Keylogging
Answer: B. Password spraying
Explanation:
- Brute-force attack is the process of systematically attempting every possible password for a single account. Brute-force attacks are slow, highly targeted, and often trigger account lockouts. They are resource-intensive and less effective for attacking multiple accounts simultaneously with a limited set of passwords.
- Credential stuffing relies on using previously leaked credentials from breaches. It involves automated login attempts using known username-password combinations, rather than guessing common passwords. Credential stuffing specifically exploits password reuse across systems.
- Keylogging captures keystrokes from a victim’s device to steal credentials, which is unrelated to repeated automated login attempts targeting multiple accounts with common passwords.
- Password spraying is correct. This attack targets a wide array of user accounts using a small set of commonly used passwords, such as “Password123,” “Welcome2025,” or “Summer2025,” to avoid triggering account lockouts. Key characteristics include:
- Attack methodology: Attackers try one or a few passwords across many accounts rather than exhausting passwords on a single account.
- Avoiding detection: By limiting login attempts per account, password spraying bypasses account lockout thresholds and avoids triggering alerts in standard monitoring systems.
- Indicators: Repeated failed login attempts across multiple accounts, unusual login times, and login attempts from IPs not associated with normal user activity.
- Mitigation: Implementing multi-factor authentication (MFA) to prevent access even when passwords are compromised, enforcing strong password policies, monitoring authentication logs for abnormal activity, and deploying rate-limiting mechanisms to reduce automated attempts.
Password spraying is a widely used attack method against organizations with weak password policies and low employee awareness. The stealthy nature of the attack makes it particularly dangerous, and it is often used as a preliminary step for account compromise, phishing follow-ups, or lateral movement within networks.
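Q84, Q86, Q91 and Q96 list indicators for brute force, credential stuffing and password spraying that all live in the same place: the authentication log. The following added example (written for this page; the log format, IP addresses, usernames and thresholds are constructed) turns those indicators into metrics over a batch of login events and reports which patterns are present. It goes slightly beyond the page by handling all three attack types in one pass. One honest limitation: a log never contains the password tried, so it cannot tell by itself whether many single attempts per account came from a breach corpus (stuffing) or from a short list of common passwords (spraying); the block flags the pattern and the extra signals the page names (many source addresses, success following failure) for an analyst to confirm.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime
from typing import Any, Dict, List

# Constructed authentication log: timestamp, account, source address, outcome.
SAMPLE_LOG = """\
ts,user,src_ip,result
2025-06-01T08:00:01,alice,203.0.113.10,fail
2025-06-01T08:00:02,bob,198.51.100.7,fail
2025-06-01T08:00:02,carol,203.0.113.44,fail
2025-06-01T08:00:03,dave,192.0.2.99,fail
2025-06-01T08:00:03,erin,198.51.100.21,fail
2025-06-01T08:00:04,frank,203.0.113.10,fail
2025-06-01T08:00:04,grace,192.0.2.17,fail
2025-06-01T08:00:05,heidi,198.51.100.7,fail
2025-06-01T08:00:05,ivan,203.0.113.44,fail
2025-06-01T08:00:06,judy,192.0.2.99,fail
2025-06-01T08:00:07,judy,192.0.2.99,success
2025-06-01T08:00:08,mallory,203.0.113.10,fail
2025-06-01T08:00:09,mallory,203.0.113.10,fail
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def analyze(events: List[Dict[str, str]], min_accounts: int = 8, max_per_account: int = 2,
            min_ips: int = 4, hammer: int = 20) -> Dict[str, Any]:
    """Compute the indicators over one batch of events (assumed sorted by time).
    Thresholds are constructed for the demo; tune them to your own baseline."""
    fails = Counter(e["user"] for e in events if e["result"] == "fail")
    src_ips = {e["src_ip"] for e in events}
    span = (datetime.fromisoformat(events[-1]["ts"]) - datetime.fromisoformat(events[0]["ts"])).total_seconds()

    failed_from = defaultdict(set)        # account -> sources that have failed against it
    takeover: List[str] = []
    for e in events:
        if e["result"] == "fail":
            failed_from[e["user"]].add(e["src_ip"])
        elif e["src_ip"] in failed_from[e["user"]]:
            takeover.append(e["user"])    # success from a source that was failing moments ago

    low_volume = [u for u, n in fails.items() if n <= max_per_account]
    return {
        "accounts_with_failures": len(fails),
        "distinct_source_ips": len(src_ips),
        "span_seconds": span,
        "brute_force_targets": sorted(u for u, n in fails.items() if n >= hammer),
        "multi_account_pattern": len(low_volume) >= min_accounts,   # few tries each, many accounts
        "distributed_sources": len(src_ips) >= min_ips,
        "success_after_failure": sorted(set(takeover)),
    }


def indicators(report: Dict[str, Any]) -> List[str]:
    """Map the metrics onto the attack patterns the questions describe."""
    out: List[str] = []
    if report["brute_force_targets"]:
        out.append("brute_force")                       # one account hammered repeatedly
    if report["multi_account_pattern"]:
        out.append("spraying_or_stuffing")              # low attempts per account, many accounts
        if report["distributed_sources"] and report["success_after_failure"]:
            out.append("credential_stuffing_suspected") # many sources plus a reuse success
    if report["success_after_failure"]:
        out.append("review_possible_takeover")
    return out
```

In production the same metrics would be computed over a sliding time window per source and per account, and the `success_after_failure` list is the one to act on first: those are the accounts whose owners most likely reused a breached password.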
Q97. A company is evaluating cloud service providers and wants assurance that sensitive data will remain inaccessible even to provider employees. The organization generates and manages all encryption keys, storing them in a secure on-premises HSM. Which cloud encryption model best describes this setup?
A. Provider-managed encryption
B. Customer-managed encryption with provider key storage
C. Customer-managed encryption with customer key storage
D. Provider-managed encryption with customer key storage
Answer: C. Customer-managed encryption with customer key storage
Explanation:
- Provider-managed encryption relies on the provider to generate, store, and manage keys. While simple to implement, the provider has the technical ability to decrypt data, which may not meet strict regulatory requirements.
- Customer-managed encryption with provider key storage allows the customer to manage encryption policies, but the keys reside within the provider’s environment, allowing provider access if compelled.
- Provider-managed encryption with customer key storage is not feasible because providers cannot manage keys stored entirely outside their control; the provider would have no way to perform encryption or decryption functions.
- Customer-managed encryption with customer key storage is correct. This model gives the customer full control over key generation, storage, and lifecycle management. Key characteristics include:
- Key ownership: The organization fully owns and controls the keys, ensuring that provider personnel cannot access data.
- Key storage: Keys are stored in an on-premises Hardware Security Module (HSM) or equivalent secure repository, outside of the provider’s infrastructure.
- Compliance and security: Provides strong assurances for regulatory requirements such as GDPR, HIPAA, PCI DSS, and financial regulations where provider access to data must be restricted.
- Lifecycle management: Involves key creation, rotation, backup, recovery, and secure destruction, ensuring data remains protected throughout its lifecycle.
By using customer-managed encryption with customer key storage, organizations retain cryptographic autonomy while still leveraging cloud services, balancing convenience with strict data protection and regulatory compliance.
Q98. During a penetration test, a tester discovers a web application that executes user-provided input directly on the operating system without proper validation. The tester is able to run arbitrary commands with the application’s privileges. Which type of vulnerability is present?
A. Cross-site scripting
B. SQL injection
C. Command injection
D. Path traversal
Answer: C. Command injection
Explanation:
- Cross-site scripting (XSS) targets end-users by injecting malicious scripts into web pages. XSS affects the client side and does not grant attackers direct access to server OS commands.
- SQL injection exploits unsanitized input in database queries to manipulate or exfiltrate data. While potentially severe, SQL injection targets databases, not the operating system directly.
- Path traversal allows attackers to access files outside intended directories by manipulating file paths, but it does not execute OS commands.
- Command injection is correct. The application’s failure to properly validate or sanitize user input enables attackers to execute arbitrary commands on the underlying operating system. Key points include:
- Attack vector: User-supplied input is concatenated into a command string that is handed to a shell (for example through a system()- or popen()-style call) without filtering or escaping, so shell metacharacters in the input such as ;, |, && and $( ) are interpreted as part of the command.
- Consequences: Attackers run commands in the application’s security context; from there they can attempt privilege escalation, modify system files, install persistent backdoors, or exfiltrate data.
- Indicators: Unexpected processes appearing on the server, altered system files, and anomalous network traffic originating from the web server.
- Mitigation: Validate input against an allowlist, pass arguments to the program as an argument vector rather than as a shell command string (or use a library API that avoids the shell altogether), quote arguments only where a shell is unavoidable, run the application with least privilege, and monitor system activity for anomalies.
Command injection vulnerabilities are extremely dangerous because they give attackers command execution on the server without any need to defeat its authentication mechanisms. Preventing these vulnerabilities requires secure coding practices and robust application security testing.
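The vulnerable pattern and its hardened form, as an added example that is not part of the original question set. It uses echo in place of the real command (ping, nslookup, and so on) so it runs offline; it assumes a POSIX sh is available, and the function names and the hostname allowlist are illustrative choices, not a standard.

```python
import re
import shlex
import subprocess

# Allowlist for a hostname: letters, digits, dots and hyphens only. Anything a
# shell would interpret (; | & $ ( ) ` newline, spaces) is rejected outright.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def validate_host(host: str) -> str:
    """Return host unchanged if it is a plausible hostname, otherwise raise."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def run_vulnerable(host: str) -> str:
    """Vulnerable pattern: user input concatenated into a shell command line.

    shell=True hands the whole string to /bin/sh, so metacharacters in `host`
    are interpreted by the shell. echo stands in for ping/nslookup here
    (assumption: a POSIX sh with echo is available) so the demo runs offline.
    """
    cmd = "echo Resolving " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_as_argv(host: str) -> str:
    """Safer: pass an argument vector. No shell is involved, so all of `host`
    reaches the program as one literal argument, metacharacters included."""
    argv = ["echo", "Resolving", host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_safe(host: str) -> str:
    """Hardened: allowlist validation first, then argv execution (no shell)."""
    return run_as_argv(validate_host(host))


def quote_for_shell(host: str) -> str:
    """If a shell really is unavoidable, shlex.quote wraps the argument so sh
    treats it as a single word. Validation should still come first."""
    return "echo Resolving " + shlex.quote(host)


if __name__ == "__main__":
    payload = "x; echo INJECTED"
    print("vulnerable :", run_vulnerable(payload).splitlines())
    print("argv only  :", run_as_argv(payload).splitlines())
    print("quoted cmd :", quote_for_shell(payload))
    try:
        run_safe(payload)
    except ValueError as exc:
        print("hardened   : rejected ->", exc)
    print("hardened   :", run_safe("example.com").strip())
```

Running the block shows the shell executing the injected second command (INJECTED appears as its own output line), the argv form printing the payload as harmless text, and the hardened form refusing the input before anything executes.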
Q99. A security operations team monitors network traffic for unusual behaviors, such as abnormal login patterns, unexpected data transfers, and suspicious application usage. Which type of security solution provides the best support for detecting these anomalies?
A. Static firewall
B. Intrusion prevention system
C. Behavior-based analytics
D. Packet filtering
Answer: C. Behavior-based analytics
Explanation:
- Static firewall is a foundational network security control, designed to enforce predefined rules about which traffic is allowed or denied based on IP addresses, ports, and protocols. While firewalls are crucial for establishing the perimeter of a network and preventing unauthorized access, they are limited in scope because they operate at the network and transport layers and have no knowledge of user behavior or application-level anomalies. A static firewall cannot differentiate between legitimate traffic and malicious activity if the traffic conforms to allowed rules. For instance, an internal user exfiltrating data over approved protocols or ports might go completely undetected.
- Intrusion prevention system (IPS) is an advancement over basic firewalls, adding the ability to detect and block known attack signatures in real time. IPS systems are highly effective against well-documented threats such as malware communications, known exploit patterns, or protocol anomalies. However, IPS primarily relies on signature-based detection or predefined heuristics. Modern attackers often leverage novel or obfuscated methods, insider misuse, or sophisticated evasion techniques that do not match known signatures. Consequently, purely relying on IPS for anomaly detection may leave gaps in detecting subtle or emerging threats.
- Packet filtering is a low-level mechanism that inspects network packets for header information like source and destination addresses, protocol types, and port numbers. Packet filtering is efficient for controlling basic network traffic and enforcing security policies, but it does not perform contextual analysis, correlate events, or understand behavioral deviations. Malicious activities hidden within legitimate packet flows, such as a compromised user uploading sensitive files to cloud storage, would likely go unnoticed by basic packet filtering.
- Behavior-based analytics is correct. Behavior-based analytics focuses on understanding what “normal” activity looks like for users, devices, applications, and networks, and then detects deviations from that baseline. This approach provides the most advanced support for detecting subtle and sophisticated threats, including insider threats, account compromise, or early-stage malware infections. Key components and advantages of behavior-based analytics include:
- Baseline creation: Systems continuously monitor historical patterns of logins, file access, network communication, application usage, and transaction volumes. The system learns normal activity for each user or device, accounting for factors such as location, time of day, and device type.
- Anomaly detection: Once a baseline is established, behavior-based analytics can identify unusual patterns, such as a user accessing resources they typically do not use, performing bulk downloads outside of normal hours, or logging in from an unusual geographical location. These anomalies may indicate compromised credentials, insider threats, or misconfigured systems.
- Machine learning integration: Modern analytics platforms utilize machine learning algorithms to refine detection over time, distinguishing between true security incidents and false positives. ML models can adapt to changes in user behavior, such as a team starting a new project that involves higher volumes of data access, without generating unnecessary alerts.
- Contextual awareness: Behavior-based systems often correlate activity across multiple data sources, including network traffic, endpoint logs, application logs, and identity management systems. This correlation provides richer context for investigation, helping security teams prioritize high-risk alerts.
- Real-time response and automation: Many behavior-based analytics platforms are integrated with Security Orchestration, Automation, and Response (SOAR) systems. Alerts can trigger automated responses, such as temporarily restricting an account, blocking unusual file transfers, or notifying the SOC team to perform a deeper investigation.
- Regulatory compliance support: Behavior-based monitoring is critical for sectors like finance, healthcare, and critical infrastructure, where compliance with standards such as PCI DSS, HIPAA, and GDPR requires monitoring and reporting on anomalous activity.
By continuously analyzing behavioral patterns rather than relying solely on predefined rules or signatures, behavior-based analytics enhances proactive threat detection. It allows organizations to detect emerging threats, insider risks, and account compromise events that would likely be missed by traditional signature-based solutions. Implementing behavior-based analytics provides organizations with situational awareness, rapid detection of abnormal activity, and actionable intelligence for security operations teams.
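The baseline-then-deviation approach described above, reduced to working code as an added example (not part of the original page). It learns, per user, the countries, UTC hours and download sizes seen in a training window of constructed log lines, then flags new events that fall outside that baseline; the log format, the user names and the three-standard-deviation threshold are assumptions made for the illustration.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed log lines in a simple key=value format (not real data). The first
# list is the learning window; the second is the traffic being scored.
TRAINING_LOG = [
    "2024-03-04T08:05:11Z user=alice src_country=DE action=login bytes=0",
    "2024-03-04T09:12:40Z user=alice src_country=DE action=download bytes=1200000",
    "2024-03-05T08:01:03Z user=alice src_country=DE action=login bytes=0",
    "2024-03-05T09:40:22Z user=alice src_country=DE action=download bytes=1500000",
    "2024-03-06T08:15:57Z user=alice src_country=DE action=login bytes=0",
    "2024-03-06T09:03:18Z user=alice src_country=DE action=download bytes=900000",
    "2024-03-07T08:09:30Z user=alice src_country=DE action=login bytes=0",
    "2024-03-07T09:55:02Z user=alice src_country=DE action=download bytes=1300000",
    "2024-03-04T13:02:00Z user=bob src_country=US action=login bytes=0",
    "2024-03-05T14:20:00Z user=bob src_country=US action=login bytes=0",
]
NEW_EVENTS = [
    "2024-03-08T08:07:44Z user=alice src_country=DE action=login bytes=0",
    "2024-03-08T03:10:05Z user=alice src_country=BR action=login bytes=0",
    "2024-03-08T09:30:00Z user=alice src_country=DE action=download bytes=500000000",
    "2024-03-08T13:45:00Z user=bob src_country=US action=login bytes=0",
    "2024-03-08T13:50:00Z user=mallory src_country=US action=login bytes=0",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_country=(?P<country>[A-Z]{2}) "
    r"action=(?P<action>\w+) bytes=(?P<bytes>\d+)$"
)


@dataclass
class Event:
    ts: datetime
    user: str
    country: str
    action: str
    nbytes: int


@dataclass
class Baseline:
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    download_sizes: list = field(default_factory=list)


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Event(ts, m["user"], m["country"], m["action"], int(m["bytes"]))


def build_baselines(lines) -> dict:
    """Learn, per user, the countries, UTC hours and download sizes observed."""
    baselines = defaultdict(Baseline)
    for ev in map(parse_line, lines):
        b = baselines[ev.user]
        b.countries.add(ev.country)
        b.hours.add(ev.ts.hour)
        if ev.action == "download":
            b.download_sizes.append(ev.nbytes)
    return dict(baselines)


def score_event(ev: Event, baselines: dict, z: float = 3.0) -> list:
    """Return human-readable findings for one event; an empty list means normal."""
    b = baselines.get(ev.user)
    if b is None:
        return [f"{ev.user}: no baseline, first-seen account"]
    findings = []
    if ev.country not in b.countries:
        findings.append(f"{ev.user}: activity from {ev.country}, baseline {sorted(b.countries)}")
    if ev.ts.hour not in b.hours:
        findings.append(f"{ev.user}: activity at {ev.ts.hour:02d}:00Z, outside baseline hours {sorted(b.hours)}")
    if ev.action == "download" and len(b.download_sizes) >= 2:
        mean = statistics.mean(b.download_sizes)
        sd = statistics.pstdev(b.download_sizes)
        if ev.nbytes > mean + z * sd:  # bulk transfer far above this user's norm
            findings.append(f"{ev.user}: download of {ev.nbytes} bytes exceeds baseline mean {mean:.0f} + {z:g} sd")
    return findings


def detect(training_lines, new_lines) -> list:
    """Return (line, findings) pairs for every new event that deviates."""
    baselines = build_baselines(training_lines)
    alerts = []
    for line in new_lines:
        findings = score_event(parse_line(line), baselines)
        if findings:
            alerts.append((line, findings))
    return alerts


if __name__ == "__main__":
    for line, findings in detect(TRAINING_LOG, NEW_EVENTS):
        print(line)
        for finding in findings:
            print("   ->", finding)
```

Alice's routine 08:00 login from DE produces no alert, while her 03:00 login from BR is flagged twice (new country and off-hours) and her 500 MB download is flagged as bulk transfer even though it happens at a normal hour from a normal location. A production platform adds many more features and a learned model instead of fixed rules, but the baseline-and-deviation structure is the same.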
Q100. During a forensic investigation, an analyst wants to ensure that a disk image collected from a suspect’s system has not been tampered with. Which method provides the highest assurance of integrity?
A. Disk partitioning
B. Hashing
C. Defragmentation
D. Sanitization
Answer: B. Hashing
Explanation:
- Disk partitioning is the act of dividing a storage device into separate logical sections, allowing multiple file systems or operating systems to coexist. While useful for system organization, partitioning modifies the disk structure and has no role in verifying integrity. Repartitioning evidence media would alter the data layout, potentially destroying evidence and breaking the chain of custody.
- Defragmentation is a process that reorganizes fragmented files to improve storage efficiency. This operation rewrites the physical location of data on a disk, which directly changes the underlying bits. Using defragmentation on a forensic copy would irreversibly modify the evidence, invalidating its reliability and legal admissibility.
- Sanitization involves the secure removal of data to prevent recovery. While important for operational security, sanitization is counterproductive in a forensic investigation because the goal is preservation, not destruction. Using sanitization techniques would destroy or alter the evidence.
- Hashing is correct. Hashing applies a cryptographic hash function, such as SHA-256 or SHA-512, to the entire disk image to produce a fixed-length digest that serves as a fingerprint of its contents. Hashing provides the highest assurance of integrity because even a single-bit alteration in the disk image produces a completely different hash value. This makes it an essential tool for digital forensics and evidence verification. Key aspects include:
- Collision resistance: For a properly designed hash function it is computationally infeasible to find two different inputs that produce the same digest, so any modification, intentional or accidental, changes the hash and immediately signals potential tampering. Older tools still record MD5 and SHA-1 digests; practical collision attacks exist against both, so new acquisitions should record SHA-256 (many tools log more than one algorithm) alongside any legacy value.
- Verification: Analysts calculate the hash of the original disk image immediately after acquisition and again after any subsequent handling or analysis. Matching hash values confirm that the evidence has remained intact.
- Chain of custody: Hashing enables forensic teams to maintain legally defensible documentation proving that evidence has not been altered during transfer, duplication, or storage. Each copy of the evidence can be hashed independently to ensure integrity throughout the investigation.
- Best practices: Digital forensic investigators generate hashes at multiple stages, including the acquisition of the disk, the creation of working copies for analysis, and post-analysis verification. Hash values are logged and stored securely alongside evidence notes to maintain auditability and transparency.
- Legal admissibility: Courts and regulatory authorities frequently require cryptographic hash verification to accept digital evidence. Hashing provides objective proof that digital evidence is authentic and tamper-evident (it cannot prevent alteration, but it reliably exposes it), making the evidence suitable for use in legal proceedings.
- Integration with forensic workflows: Acquisition is performed through a write blocker, so the original media is never modified, and imaging tools such as FTK Imager, EnCase, and Autopsy calculate and document hashes during or after imaging, recording them in the acquisition log alongside the image.
Hashing is not only a technical safeguard but also a cornerstone of forensic methodology. It guarantees that digital evidence can be trusted for investigative purposes, regulatory audits, and court proceedings. Without hashing, investigators would have no reliable way to prove that evidence has not been altered, significantly weakening the integrity of the investigation and potential legal outcomes.
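The acquire, hash, copy, verify cycle described above, as an added example that is not part of the original page. It hashes a constructed stand-in for a disk image in chunks (so the same routine would work on an image larger than memory), records the digest in a sha256sum-style sidecar file, verifies a working copy against it, and shows that a single flipped bit in a second copy fails verification. File names, the sample image contents and the sidecar layout are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash 1 MiB at a time so multi-terabyte images fit in memory


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw disk image (not a real acquisition)."""
    boot_sector = b"\x33\xc0\x8e\xd0" + b"\x00" * 506 + b"\x55\xaa"  # 512-byte fake MBR
    payload = b"sample-evidence-block-" * 2048
    return boot_sector + payload


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Stream the file through the hash so the whole image is never loaded at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sidecar(image_path: str, digest: str, algorithm: str = "sha256") -> str:
    """Record the acquisition hash beside the image in sha256sum's
    'digest  filename' format so standard tools can re-verify it later."""
    sidecar = f"{image_path}.{algorithm}"
    with open(sidecar, "w", encoding="ascii") as fh:
        fh.write(f"{digest}  {os.path.basename(image_path)}\n")
    return sidecar


def read_sidecar(sidecar: str) -> tuple:
    with open(sidecar, encoding="ascii") as fh:
        digest, _, name = fh.readline().rstrip("\n").partition("  ")
    return digest, name


def verify_image(image_path: str, sidecar: str) -> bool:
    """Re-hash the image and compare with the digest recorded at acquisition."""
    expected, _ = read_sidecar(sidecar)
    return hash_file(image_path) == expected


def flip_one_bit(data: bytes, offset: int, bit: int = 0) -> bytes:
    out = bytearray(data)
    out[offset] ^= 1 << bit
    return bytes(out)


def acquisition_demo(workdir: str) -> dict:
    """Acquire, hash, copy, verify, tamper, verify again; return the results."""
    image = build_sample_image()
    original = os.path.join(workdir, "evidence.dd")
    with open(original, "wb") as fh:
        fh.write(image)
    digest = hash_file(original)          # hash taken immediately after acquisition
    sidecar = write_sidecar(original, digest)

    working = os.path.join(workdir, "evidence-working.dd")
    with open(working, "wb") as fh:       # exact working copy for analysis
        fh.write(image)

    tampered = os.path.join(workdir, "evidence-tampered.dd")
    with open(tampered, "wb") as fh:      # copy with one bit flipped mid-image
        fh.write(flip_one_bit(image, offset=len(image) // 2))

    return {
        "acquisition_sha256": digest,
        "working_copy_ok": verify_image(working, sidecar),
        "tampered_copy_ok": verify_image(tampered, sidecar),
        "tampered_sha256": hash_file(tampered),
    }


def run_demo_in_tempdir() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return acquisition_demo(tmp)


if __name__ == "__main__":
    for key, value in run_demo_in_tempdir().items():
        print(f"{key:20} {value}")
```

The sidecar line is in the format that the command-line sha256sum -c tool reads, so a second analyst can re-verify the image without this script. The verification functions deliberately never open the original for writing: hashing is read-only, and the original should sit behind a write blocker in any case.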
In summary, while traditional security controls like firewalls, IPS, or packet filtering offer protection against known threats, behavior-based analytics provides the intelligence necessary to detect subtle anomalies, suspicious behaviors, and novel attack patterns. Similarly, in forensic investigations, hashing remains the gold standard for evidence integrity, ensuring that disk images, logs, and other digital artifacts can be shown to be in their original, untampered form, supporting both internal investigations and legal proceedings. Together, these approaches exemplify modern security and forensic best practices, combining real-time detection with meticulous evidence preservation to protect organizational assets and ensure accountability.