10.4. Practice Exam Questions
1. A security architect is reviewing a proposed design for a financial trading platform. The design uses AES-128-ECB to encrypt trade records in the database. Which TWO concerns should the architect raise?
A) AES-128 key size is insufficient for financial data
B) ECB mode reveals patterns in identical plaintext blocks
C) AES is a symmetric algorithm and cannot be used for database encryption
D) ECB mode does not authenticate ciphertext, allowing undetected tampering
E) AES-128 is deprecated and must be replaced with 3DES
Correct: B, D. ECB is the primary problem: under one key, identical plaintext blocks always produce identical ciphertext blocks, so repeated records or repeated field values remain visible in the encrypted table. ECB (like CBC and CTR) also provides no integrity protection, so ciphertext blocks can be swapped, duplicated or altered and the result still decrypts without error; an authenticated mode such as AES-GCM provides both confidentiality and integrity. A and E are wrong: AES-128 remains an approved key size, and 3DES is the algorithm that has been deprecated, not AES.
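The two concerns in question 1, shown in working code. This is an added example, not part of the original question set; it uses the third-party `cryptography` package, and the key, nonce and "trade records" are constructed sample data. It counts repeated ciphertext blocks (the check a tester applies to a database dump to spot ECB), splices a ciphertext block to turn a SELL record into a BUY without any decryption error, and shows AES-GCM refusing a tampered ciphertext.

```python
"""Added example: ECB leaks patterns and accepts tampering; AES-GCM does neither.
Requires the `cryptography` package. Key, nonce and records are constructed demo data."""
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.exceptions import InvalidTag

BLOCK = 16
# Constructed records, each exactly one AES block so the effect is easy to see.
BUY = b"BUY  ACME 100 @1"
SELL = b"SELL ACME 100 @1"
RECORDS = BUY + SELL + BUY + BUY          # records 1, 3 and 4 are identical
KEY = bytes(range(16))                    # fixed demo key (never do this in production)
NONCE = bytes(12)                         # fixed demo nonce; real GCM nonces must never repeat per key


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(data) + enc.finalize()


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    return dec.update(data) + dec.finalize()


def duplicate_blocks(ciphertext: bytes) -> int:
    """Count 16-byte blocks that repeat an earlier block.
    Any value > 0 is the classic ECB tell in a dump or a cookie."""
    chunks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(chunks) - len(set(chunks))


def ecb_duplicates() -> int:
    return duplicate_blocks(ecb_encrypt(KEY, RECORDS))


def gcm_duplicates() -> int:
    # GCM output is a CTR keystream XOR plaintext, so equal records give different blocks.
    return duplicate_blocks(AESGCM(KEY).encrypt(NONCE, RECORDS, None))


def ecb_splice_attack() -> bytes:
    """Cut-and-paste: overwrite the SELL block with a copy of a BUY block.
    ECB decrypts the forged ciphertext without complaint."""
    ct = ecb_encrypt(KEY, RECORDS)
    forged = ct[:BLOCK] + ct[:BLOCK] + ct[2 * BLOCK:]
    return ecb_decrypt(KEY, forged)


def gcm_rejects_tamper() -> bool:
    """Flipping one bit of GCM ciphertext fails authentication on decrypt."""
    ct = AESGCM(KEY).encrypt(NONCE, RECORDS, None)
    forged = bytes([ct[0] ^ 0x01]) + ct[1:]
    try:
        AESGCM(KEY).decrypt(NONCE, forged, None)
        return False
    except InvalidTag:
        return True


if __name__ == "__main__":
    print("ECB duplicate blocks:", ecb_duplicates())        # 2
    print("GCM duplicate blocks:", gcm_duplicates())        # 0
    print("ECB spliced plaintext:", ecb_splice_attack())    # four BUY records, no error
    print("GCM detected tamper:", gcm_rejects_tamper())     # True
```

The duplicate-block count is a heuristic, not proof: real records padded to block boundaries rarely repeat whole blocks unless fields are fixed-width, which is exactly the case in many financial schemas.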
2. During a penetration test, a tester discovers they can retrieve another user's account information by changing the numeric ID in the URL from /api/account/1234 to /api/account/1235. What vulnerability does this represent?
A) SQL injection — the ID is being concatenated into a database query
B) Insecure Direct Object Reference — the application does not verify that the requesting user is authorized to access the referenced object
C) Session fixation — the session token is tied to the user ID
D) Privilege escalation — the attacker has gained administrative rights
Correct: B. IDOR is a form of Broken Access Control, A01 in the OWASP Top 10 (2021). The application uses the user-supplied identifier to look up the object but never checks that the requesting user is authorized to access it. The fix is an authorization check on every object access; making the IDs random or hiding them from the UI does not address the missing check.
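The lookup from question 2 as a vulnerable handler beside its fixed form, together with the enumeration check the tester ran. This is an added example, not code from the original material; the in-memory account table, user names and the `Forbidden` exception are constructed for illustration, and the web framework is omitted so the logic runs stand-alone.

```python
"""Added example: IDOR (missing object-level authorization) and its fix.
Accounts, users and the Forbidden exception are constructed for illustration."""

# Constructed data: account id -> record. The owner field is what authorization must consult.
ACCOUNTS = {
    1234: {"owner": "alice", "balance": 120.0},
    1235: {"owner": "bob", "balance": 9800.0},
    1236: {"owner": "carol", "balance": 42.0},
}


class Forbidden(Exception):
    """Caller may not see the object (map to HTTP 403 or 404 in a real app)."""


def get_account_vulnerable(user: str, account_id: int) -> dict:
    # Authenticates (user is known) but never authorizes: any valid id is returned.
    return ACCOUNTS[account_id]


def get_account_fixed(user: str, account_id: int) -> dict:
    # Look up, then check that the object belongs to the requester before returning it.
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != user:
        # Same error for "missing" and "not yours" so the endpoint does not confirm
        # which ids exist to an enumerating attacker.
        raise Forbidden(f"account {account_id} not available to {user}")
    return record


def probe_idor(handler, user: str, id_range) -> list:
    """Walk neighbouring ids as one logged-in user and return the ids that came back
    even though they belong to someone else. A non-empty list is the finding."""
    leaked = []
    for account_id in id_range:
        try:
            record = handler(user, account_id)
        except (Forbidden, KeyError):
            continue
        if record["owner"] != user:
            leaked.append(account_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", probe_idor(get_account_vulnerable, "alice", range(1230, 1240)))  # [1235, 1236]
    print("fixed:", probe_idor(get_account_fixed, "alice", range(1230, 1240)))           # []
```

In a real service the ownership check belongs in the data-access layer or a central authorization function, so that every endpoint that resolves an id goes through it rather than relying on each handler to remember.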
3. A CISO is presenting a risk management update to the board. The organization has 15 open critical vulnerabilities, 3 of which are being actively exploited in the wild. The IT team requests 6 weeks to complete testing before deploying patches. What should the CISO recommend?
A) Approve the 6-week testing window — patch instability is a greater risk than exploitation
B) Invoke the emergency change process for the 3 actively exploited vulnerabilities; apply standard change process to the remaining 12
C) Defer all 15 patches to the next quarterly maintenance window to maintain system stability
D) Hire additional IT staff to reduce the testing timeline to 3 weeks
Correct: B. The 3 actively exploited vulnerabilities represent imminent, high-probability risk that justifies emergency change procedures; the remaining 12 can follow the standard testing and change cycle. Where even an emergency patch needs a short test window, compensating controls (network isolation, WAF or IPS rules, disabling the affected feature) should cover the interval.
4. An organization's forensic investigation reveals that an insider exported the complete employee database to a personal USB drive three months ago. Security logs confirm the export. However, the organization's attorney says this evidence may not be sufficient for prosecution. What is the most likely reason?
A) Digital evidence is not admissible in civil or criminal proceedings
B) The chain of custody for the log evidence has not been established and documented
C) The organization should have used DLP to prevent the export rather than relying on logs
D) The employee's access to HR data was authorized, so no crime occurred
Correct: B. Chain of custody, the documented handling of evidence from collection through presentation, is required for admissibility. Log entries that were exported, copied or reviewed without a record of who handled them, when, and how their integrity was preserved (for example by hashing the collected files at acquisition) can be challenged as altered or incomplete.
5. A company is implementing zero trust. Their requirements for cloud application access include: user department, device posture assessment result, and time of day. Which access control model best meets these requirements?
A) RBAC — users are assigned to departmental roles
B) MAC — system enforces security labels
C) ABAC — policies evaluate multiple attributes including user, device, and environment
D) DAC — resource owners control their own permissions
Correct: C. ABAC is the only model listed that natively supports multi-attribute policy evaluation, combining subject attributes (department), device attributes (posture result) and environmental attributes (time of day) in one decision. RBAC can express the department, but device posture and time of day are not roles.
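A minimal ABAC policy decision point for the requirements in question 5, as an added example that is not part of the original question set. The attribute names, policy rules and sample requests are assumptions chosen for illustration, not any product's policy language; the point is that subject, device and environment attributes are evaluated together in a single rule, with a default deny and fail-closed handling of missing attributes.

```python
"""Added example: ABAC decision over department, device posture and time of day.
Policy rules, attribute names and requests are constructed for illustration."""
from datetime import time

# Constructed policy: each rule lists conditions on subject, device and environment
# attributes that must all hold. A set means "value must be one of these";
# a (start, end) tuple means "value must fall in this range".
POLICY = [
    {
        "resource": "trading-app",
        "subject": {"department": {"trading", "risk"}},
        "device": {"posture": {"compliant"}},
        "environment": {"time": (time(7, 0), time(19, 0))},
    },
    {
        "resource": "hr-portal",
        "subject": {"department": {"hr"}},
        "device": {"posture": {"compliant"}},
        "environment": {"time": (time(0, 0), time(23, 59, 59))},
    },
]


def _satisfies(value, allowed) -> bool:
    if isinstance(allowed, tuple):        # (start, end) range, e.g. a time-of-day window
        start, end = allowed
        return start <= value <= end
    return value in allowed               # set of permitted values


def _match(conditions: dict, attributes: dict) -> bool:
    """Every condition must be satisfied; a missing attribute fails closed."""
    for name, allowed in conditions.items():
        if name not in attributes or not _satisfies(attributes[name], allowed):
            return False
    return True


def decide(request: dict) -> bool:
    """Permit if any rule for the requested resource is fully satisfied. Default deny."""
    for rule in POLICY:
        if rule["resource"] != request["resource"]:
            continue
        if (_match(rule["subject"], request["subject"])
                and _match(rule["device"], request["device"])
                and _match(rule["environment"], request["environment"])):
            return True
    return False


def sample_decisions() -> dict:
    """Constructed requests: one that should pass and four that each fail one attribute."""
    base = {"resource": "trading-app",
            "subject": {"department": "trading"},
            "device": {"posture": "compliant"},
            "environment": {"time": time(9, 30)}}
    return {
        "ok": decide(base),
        "wrong_dept": decide({**base, "subject": {"department": "hr"}}),
        "bad_posture": decide({**base, "device": {"posture": "noncompliant"}}),
        "after_hours": decide({**base, "environment": {"time": time(23, 0)}}),
        "no_posture": decide({**base, "device": {}}),     # posture never reported: deny
    }


if __name__ == "__main__":
    for name, permitted in sample_decisions().items():
        print(f"{name:12s} -> {'PERMIT' if permitted else 'DENY'}")
```

The `no_posture` case is the one to check in any real deployment: a device that never reports a posture result must be treated as non-compliant, otherwise an attacker only needs to suppress the agent rather than defeat it.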
6. A software development team argues that because all their code undergoes DAST scanning in the CI/CD pipeline, they don't need to conduct code reviews. Which vulnerability class does DAST FAIL to detect?
A) SQL injection — DAST sends malformed SQL to test inputs
B) Insecure cryptographic algorithm selection in source code — DAST cannot read source code
C) Authentication bypass via manipulated HTTP requests
D) Cross-site scripting via form field injection
Correct: B. DAST tests a running application from the outside — it cannot read source code. Insecure algorithm choices (using MD5 for password hashing, ECB mode, hard-coded keys) are invisible to DAST.
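The source-level check that DAST cannot perform, as an added example that is not from the original material. It walks a Python module's syntax tree for calls to weak or misused primitives (MD5 for passwords, ECB mode) and for hard-coded keys, the three cases the explanation above names. The sample module, the deny-list and the "name contains KEY" heuristic are constructed for illustration; a production SAST tool does the same thing with far richer rules.

```python
"""Added example: a static check for the crypto misuses that DAST cannot see.
The deny-list, sample source and key-name heuristic are constructed for illustration."""
import ast

# Constructed deny-list: call name -> reason. Matches attribute calls such as
# hashlib.md5(...) and modes.ECB(...), and bare names after `from ... import`.
FLAGGED = {
    "md5": "MD5 is unsuitable for password hashing or integrity",
    "sha1": "SHA-1 is collision-broken",
    "ECB": "ECB mode leaks plaintext patterns and has no integrity",
    "DES": "DES/3DES are deprecated",
}

# Constructed module under review. DAST would see a working login and a working
# encrypt endpoint; nothing in the HTTP responses reveals these choices.
SAMPLE_SOURCE = '''
import hashlib
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECRET_KEY = b"0123456789abcdef"   # hard-coded key

def store_password(pw):
    return hashlib.md5(pw.encode()).hexdigest()

def encrypt(data):
    return Cipher(algorithms.AES(SECRET_KEY), modes.ECB()).encryptor().update(data)

def ok(data):
    return hashlib.sha256(data).hexdigest()
'''


def _call_name(node: ast.Call) -> str:
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def find_weak_crypto(source: str) -> list:
    """Return (line, name, reason) for every call to a flagged primitive."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in FLAGGED:
                findings.append((node.lineno, name, FLAGGED[name]))
    return sorted(findings)


def find_hardcoded_keys(source: str) -> list:
    """Flag module-level assignments of a str/bytes literal to a name containing KEY."""
    findings = []
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            if isinstance(node.value.value, (bytes, str)):
                for target in node.targets:
                    if isinstance(target, ast.Name) and "KEY" in target.id.upper():
                        findings.append((node.lineno, target.id))
    return findings


if __name__ == "__main__":
    for line, name, reason in find_weak_crypto(SAMPLE_SOURCE):
        print(f"line {line}: {name}(): {reason}")
    for line, name in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {line}: hard-coded key in {name}")
```

Name matching of this kind has false positives (an `md5` used only for a cache key) and false negatives (a primitive reached through an alias), which is why the check supports code review rather than replacing it.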
7. After a major data breach, a post-incident review determines that the attacker maintained access for 47 days before detection. Which operational security control failure most directly explains this dwell time?
A) The organization did not have a vulnerability management program
B) Endpoint security tools were present but detection alerts were not reviewed or acted upon
C) The organization did not encrypt data at rest, making exfiltration easier
D) Multi-factor authentication was not enforced, enabling initial access
Correct: B. Dwell time is the interval between initial compromise and detection, so a long dwell time points first to a detection and response failure: the tooling generated alerts but nobody triaged them. This is the alert fatigue problem. The other options describe controls that might have prevented or limited the intrusion, not why it went unnoticed for 47 days.