1. Which principle of the CIA triad ensures that information is not disclosed to unauthorized individuals, entities, or processes?
Security Concepts
Easy
A. Integrity
B. Authentication
C. Availability
D. Confidentiality
Correct Answer: Confidentiality
Explanation:
Confidentiality is the security principle that controls access to information. It is designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it.
2. A Distributed Denial of Service (DDoS) attack is a direct assault on which element of the CIA triad?
Security Concepts
Easy
A. Non-repudiation
B. Availability
C. Integrity
D. Confidentiality
Correct Answer: Availability
Explanation:
A DDoS attack aims to overwhelm a system's resources, making it unavailable to legitimate users. This directly targets the principle of Availability, which ensures that systems and data are accessible when needed.
3. Which component of the CIA triad guarantees that data is trustworthy and has not been altered by unauthorized persons?
Security Concepts
Easy
A. Confidentiality
B. Availability
C. Integrity
D. Authorization
Correct Answer: Integrity
Explanation:
Integrity ensures the accuracy and reliability of data. It protects data from being modified in an unauthorized or undetected manner.
4. Putting a lock on a server room door is an example of what type of security control?
Security Controls
Easy
A. Physical Control
B. Administrative Control
C. Corrective Control
D. Technical Control
Correct Answer: Physical Control
Explanation:
Physical controls are security measures that are tangible and are designed to protect the physical environment where systems are located. Locks, fences, and security guards are all examples.
5. An organization's information security policy, which outlines rules for employees, is what kind of security control?
Security Controls
Easy
A. Technical Control
B. Administrative Control
C. Physical Control
D. Preventive Control
Correct Answer: Administrative Control
Explanation:
Administrative controls (also called managerial controls) are policies, procedures, and guidelines that dictate how an organization manages security and its employees' actions.
6. A firewall that blocks unauthorized network traffic is an example of which type of control?
Security Controls
Easy
A. Technical Control
B. Physical Control
C. Administrative Control
D. Deterrent Control
Correct Answer: Technical Control
Explanation:
Technical controls (also called logical controls) use technology to enforce security. Firewalls, intrusion detection systems, and antivirus software are all examples of technical controls.
7. What type of malware disguises itself as a legitimate program but performs malicious activities once executed?
Compare Threat Types
Easy
A. Spyware
B. Virus
C. Trojan Horse
D. Worm
Correct Answer: Trojan Horse
Explanation:
A Trojan Horse is a type of malware that looks harmless or even useful, but contains a hidden malicious function. Unlike viruses and worms, Trojans do not self-replicate.
8. Which type of malicious software is specifically designed to self-replicate and spread across a network without needing to attach to a host file?
Compare Threat Types
Easy
A. Worm
B. Ransomware
C. Adware
D. Virus
Correct Answer: Worm
Explanation:
A key characteristic of a worm is its ability to spread independently across networks by exploiting vulnerabilities. A virus, in contrast, requires a host program to spread.
9. What is the term for an attacker who uses pre-made tools and scripts to conduct attacks, but lacks deep technical expertise?
Threat Actors
Easy
A. Hacktivist
B. Script Kiddie
C. Insider Threat
D. Nation-State Actor
Correct Answer: Script Kiddie
Explanation:
A 'script kiddie' is a derogatory term for an unskilled individual who uses scripts or programs developed by others to attack computer systems and networks.
10. Which threat actor is primarily motivated by a political agenda or social cause?
Threat Actors
Easy
A. Insider Threat
B. Hacktivist
C. Organized Crime
D. Script Kiddie
Correct Answer: Hacktivist
Explanation:
Hacktivists are individuals or groups who use hacking techniques to promote a political agenda, religious belief, or social ideology.
11. What does the term 'attack surface' refer to in cyber security?
Attack Surfaces
Easy
A. The physical area where a cyber attack took place.
B. The financial damage caused by an attack.
C. The sum of all potential entry points for an attacker into a system or network.
D. A specific type of firewall.
Correct Answer: The sum of all potential entry points for an attacker into a system or network.
Explanation:
The attack surface includes all the different points (attack vectors) where an unauthorized user can try to enter or extract data from an environment. A smaller attack surface means fewer security risks.
12. What is the primary goal of a 'phishing' attack?
Social Engineering
Easy
A. To install hardware keyloggers on a keyboard.
B. To trick a user into revealing sensitive information like credentials or financial details.
C. To physically steal a computer.
D. To disable a network server.
Correct Answer: To trick a user into revealing sensitive information like credentials or financial details.
Explanation:
Phishing is a social engineering technique that uses fraudulent emails, messages, or websites to deceive individuals into giving up personal information.
13. An attacker calls an employee pretending to be from the IT help desk to obtain their password. What is this attack called?
Social Engineering
Easy
A. Vishing
B. Smishing
C. Spoofing
D. Spamming
Correct Answer: Vishing
Explanation:
Vishing, or 'voice phishing', is a social engineering attack that occurs over the phone. Attackers try to trick the victim into revealing sensitive information.
14. What is the primary purpose of cryptography in cyber security?
Explain Cryptographic Solutions
Easy
A. To create backups of important data.
B. To protect information and communications through the use of codes.
C. To identify all network vulnerabilities.
D. To increase network speed.
Correct Answer: To protect information and communications through the use of codes.
Explanation:
Cryptography is the practice of secure communication techniques that allow only the sender and intended recipient of a message to view its contents, primarily by converting plaintext into unreadable ciphertext.
15. Which type of encryption uses a single key for both the encryption and decryption processes?
Cryptographic Algorithms
Easy
A. Symmetric Encryption
B. Hashing
C. Asymmetric Encryption
D. Quantum Encryption
Correct Answer: Symmetric Encryption
Explanation:
Symmetric encryption algorithms use the same key (a shared secret) to both encrypt the plaintext and decrypt the ciphertext. Examples include AES and DES.
16. In asymmetric cryptography, also known as public-key cryptography, how many keys are used?
Cryptographic Algorithms
Easy
A. One key
B. Zero keys
C. Three keys
D. Two keys (a public key and a private key)
Correct Answer: Two keys (a public key and a private key)
Explanation:
Asymmetric cryptography uses a mathematically related key pair: a public key that can be shared with anyone, and a private key that must be kept secret. What one key encrypts, only the other can decrypt.
17. If you encrypt a message with someone's public key, what must be used to decrypt it?
Cryptographic Algorithms
Easy
A. Their corresponding private key
B. A shared session key
C. The same public key
D. Your own private key
Correct Answer: Their corresponding private key
Explanation:
In public-key cryptography, a message encrypted with a public key can only be decrypted with the matching private key. This ensures that only the intended recipient can read the message.
18. What is the main role of a Certificate Authority (CA) in a Public Key Infrastructure (PKI)?
Public Key Infrastructure
Easy
A. To generate private keys for users.
B. To monitor network traffic for threats.
C. To act as a trusted third party that issues and validates digital certificates.
D. To store all encrypted data for an organization.
Correct Answer: To act as a trusted third party that issues and validates digital certificates.
Explanation:
A Certificate Authority is a trusted entity that issues digital certificates, which are data files that bind a public key to a specific identity, thereby verifying that identity's ownership of the key.
19. A digital certificate is used to bind a public key to a(n) ____.
Public Key Infrastructure
Easy
A. IP address
B. Hardware device
C. Software application
D. Identity
Correct Answer: Identity
Explanation:
The core function of a digital certificate is to prove the identity of its owner. It links an identity (like a person or website domain) to a public key, with this link being certified by a Certificate Authority.
20. Which cryptographic process is one-way (irreversible) and is used to verify data integrity by creating a unique, fixed-size output?
Cryptographic Solutions
Easy
A. Decryption
B. Steganography
C. Encryption
D. Hashing
Correct Answer: Hashing
Explanation:
Hashing takes an input (of any size) and produces a fixed-size string of characters, called a hash value. It's a one-way function, making it impossible to reverse. If the data changes even slightly, the hash value changes completely, making it perfect for integrity checks.
21. A database administrator discovers that a critical financial record was modified by an unauthorized user. This unauthorized modification represents a failure of which component of the CIA triad?
Security Concepts
Medium
A. Authentication
B. Confidentiality
C. Availability
D. Integrity
Correct Answer: Integrity
Explanation:
Integrity ensures that data is trustworthy and has not been tampered with or altered by unauthorized persons. Since the financial record was modified, its integrity has been compromised. Confidentiality relates to secrecy, and Availability relates to the system being accessible.
22. A company wants to prevent unauthorized personnel from entering a secure data center. They install a mantrap that only allows one person to pass through at a time after successful authentication. What are the primary types of security controls represented by the policy requiring authentication and the mantrap itself, respectively?
Security Controls
Medium
A. Administrative and Technical
B. Technical and Physical
C. Physical and Administrative
D. Technical and Corrective
Correct Answer: Technical and Physical
Explanation:
The authentication system (e.g., a card reader or biometric scanner) is a Technical control that uses technology to control access. The mantrap is a Physical control, a physical barrier designed to restrict access. An Administrative control would be the written policy stating the access requirements.
23. A sophisticated, long-term cyberattack is discovered on a major defense contractor. The attackers used a zero-day exploit, moved laterally through the network over several months, and exfiltrated sensitive research data. The attack shows signs of significant funding and organization. Which type of threat actor is most likely responsible?
Threat Actors
Medium
A. Insider Threat
B. Advanced Persistent Threat (APT)
C. Script Kiddie
D. Hacktivist
Correct Answer: Advanced Persistent Threat (APT)
Explanation:
The characteristics described—high sophistication, significant resources (funding, zero-day exploits), long-term persistence, and a specific target—are all hallmarks of an Advanced Persistent Threat (APT), which is often a state-sponsored group.
24. An accountant receives an email that appears to be from the company's CEO, urgently requesting a wire transfer to a new vendor for a secret acquisition. The email uses a tone of authority and urgency, warning the accountant not to discuss the matter with anyone. This is a classic example of which social engineering technique?
Social Engineering
Medium
A. Baiting
B. Whaling
C. Tailgating
D. Vishing
Correct Answer: Whaling
Explanation:
Whaling is a specific type of phishing attack that targets high-profile employees, such as senior executives or accountants with financial authority. The use of a CEO as the supposed sender and the high-stakes request are characteristic of this technique.
25. A software development team needs to ensure that user passwords are not stored in plaintext. They need a cryptographic method that makes it impossible to reverse the process and retrieve the original password, but allows for verification. Which type of algorithm is most suitable for this purpose?
Cryptographic Algorithms
Medium
A. A cryptographic hashing algorithm like SHA-256
B. A stream cipher like RC4
C. A symmetric encryption algorithm like AES
D. An asymmetric encryption algorithm like RSA
Correct Answer: A cryptographic hashing algorithm like SHA-256
Explanation:
Hashing functions are one-way; they create a fixed-size string (the hash) from an input. It is computationally infeasible to reverse the process to get the original password. This allows the system to store the hash and compare it to the hash of a user's entered password for verification. Encryption algorithms (AES, RSA) are two-way and can be decrypted.
26. In a Public Key Infrastructure (PKI), what is the primary function of a Certificate Authority (CA)?
Public Key Infrastructure
Medium
A. To directly authenticate users attempting to log in to a network resource.
B. To generate and store the private keys for all users in the organization.
C. To maintain a list of all encrypted communications for later auditing.
D. To vouch for the identity of an entity and issue a digital certificate that binds a public key to that identity.
Correct Answer: To vouch for the identity of an entity and issue a digital certificate that binds a public key to that identity.
Explanation:
The Certificate Authority (CA) is the trusted third party in a PKI. Its main role is to verify the identity of an entity (like a user or a website) and then issue a digital certificate, which it digitally signs. This certificate links the verified identity to a public key, creating a chain of trust.
27. Which of the following best distinguishes a computer worm from a computer virus?
Compare Threat Types
Medium
A. A worm only infects servers, while a virus only infects client workstations.
B. A worm can self-propagate across a network without user interaction, while a virus typically requires a host file and user action to spread.
C. A worm is designed to steal data, while a virus is designed to destroy it.
D. A virus is written in a low-level language, while a worm is written in a high-level scripting language.
Correct Answer: A worm can self-propagate across a network without user interaction, while a virus typically requires a host file and user action to spread.
Explanation:
The key difference is the propagation method. A virus attaches itself to a legitimate file or program and spreads when a user executes that file. A worm is a standalone piece of malware that exploits network vulnerabilities to spread from system to system automatically, without needing a host file or user intervention.
28. A company decides to allow employees to connect their personal mobile devices to the corporate Wi-Fi network to access email and internal documents. From a security perspective, this policy decision primarily increases the organization's:
Attack Surfaces
Medium
A. Social engineering susceptibility.
B. Digital attack surface.
C. Cryptographic vulnerability.
D. Physical attack surface.
Correct Answer: Digital attack surface.
Explanation:
The digital attack surface consists of all the hardware and software assets that are exposed and accessible from the network. By allowing unmanaged or less-managed personal devices (BYOD) onto the corporate network, the company increases the number of potential entry points for digital attacks.
29. Alice wants to send a message to Bob. She wants to ensure that only Bob can read the message (confidentiality) and that Bob can verify the message came from her (authenticity/non-repudiation). How can she achieve this using asymmetric cryptography?
Cryptographic Solutions
Medium
A. Encrypt the message with her private key and sign it with Bob's public key.
B. Encrypt the message with Bob's public key and sign it with her private key.
C. Encrypt the message with a shared secret key and sign it with her private key.
D. Encrypt the message with her public key and sign it with Bob's private key.
Correct Answer: Encrypt the message with Bob's public key and sign it with her private key.
Explanation:
To ensure confidentiality, the message must be encrypted with the recipient's (Bob's) public key, so only he can decrypt it with his private key. To ensure authenticity and non-repudiation, the sender (Alice) must create a digital signature by hashing the message and encrypting the hash with her own private key.
30. A system is designed to log all user actions. In the event of a dispute, these logs can be used to prove that a specific user performed a specific action, and the user cannot deny it. This capability is known as:
Security Concepts
Medium
A. Auditing
B. Accounting
C. Non-repudiation
D. Authorization
Correct Answer: Non-repudiation
Explanation:
Non-repudiation provides proof of the origin and integrity of data. In this context, it ensures that a user cannot deny having performed a transaction or action because there is cryptographic proof (like a digital signature) or a reliable audit trail linking them to the event.
31. A security audit reveals that a company's developers are using weak, default passwords for database service accounts. The security team implements a technical solution that enforces a strong password policy (minimum length, complexity, and history) for all service accounts. This solution is best described as which type of control?
Security Controls
Medium
A. Detective Control
B. Preventive Control
C. Corrective Control
D. Deterrent Control
Correct Answer: Preventive Control
Explanation:
A preventive control is designed to stop a security incident from happening in the first place. By enforcing a strong password policy, the system actively prevents the use of weak passwords, thus preventing a potential security breach.
32. An attacker installs malware on a victim's computer that encrypts all of their personal files. A message then appears on the screen demanding a payment in cryptocurrency in exchange for the decryption key. This type of malware is known as:
Compare Threat Types
Medium
A. Ransomware
B. A Trojan
C. Spyware
D. Adware
Correct Answer: Ransomware
Explanation:
Ransomware is a specific category of malware that denies access to a victim's data, most commonly by encrypting it, and then demands a ransom payment to restore access. The key elements are the data lockout and the monetary demand.
33. An application needs to encrypt large amounts of streaming video data in real-time. Performance and speed are critical. Which cryptographic algorithm would be the most appropriate choice for this task?
Cryptographic Algorithms
Medium
A. AES-256
B. RSA-4096
C. ECC P-256
D. SHA-512
Correct Answer: AES-256
Explanation:
AES (Advanced Encryption Standard) is a symmetric block cipher. Symmetric algorithms are significantly faster and more efficient for encrypting large volumes of data compared to asymmetric algorithms like RSA and ECC. SHA-512 is a hashing function, not an encryption algorithm, so it cannot be used for this purpose.
34. A web browser attempts to connect to an e-commerce site, but it displays a warning that the site's certificate is not trusted. The most likely reason for this is that the certificate was:
Public Key Infrastructure
Medium
A. Signed by an unknown or untrusted Certificate Authority (CA).
B. Using a public key that is too short.
C. Encrypted with a weak algorithm like DES.
D. Not accompanied by a valid private key.
Correct Answer: Signed by an unknown or untrusted Certificate Authority (CA).
Explanation:
Web browsers maintain a list of trusted root CAs. If a website presents a certificate that was signed by a CA not on this list (e.g., a self-signed certificate or one from a new, untrusted CA), the browser cannot verify the chain of trust and will warn the user that the certificate is not trusted.
35. A developer hard-codes a database password directly into the source code of a mobile application. What kind of vulnerability does this create, and on which attack surface?
Attack Surfaces
Medium
A. A configuration vulnerability on the digital/software attack surface.
B. A policy vulnerability on the administrative attack surface.
C. A social engineering vulnerability on the user attack surface.
D. A physical vulnerability on the server attack surface.
Correct Answer: A configuration vulnerability on the digital/software attack surface.
Explanation:
Hard-coding credentials is a poor security practice and a configuration vulnerability. It becomes part of the digital/software attack surface because anyone who can reverse-engineer or decompile the mobile application can easily extract the password, providing a direct entry point to the database.
36. An attacker calls an employee, pretending to be from the IT help desk. The attacker tells the employee that their account has been flagged for suspicious activity and that they need the employee to confirm their username and password to secure the account. This tactic is an example of:
Social Engineering
Medium
A. Pretexting
B. Quid pro quo
C. Baiting
D. Phishing
Correct Answer: Pretexting
Explanation:
Pretexting involves creating a fabricated scenario (the pretext) to build trust with a victim and persuade them to divulge information or perform an action. In this case, the pretext is the 'suspicious activity' and the attacker's fake identity as a help desk technician.
37. A disgruntled system administrator who is about to be fired uses their high-level privileges to delete critical backups and install a logic bomb set to erase servers a week after their departure. This individual is best classified as which type of threat actor?
Threat Actors
Medium
A. A Hacktivist
B. A Malicious Insider Threat
C. A Script Kiddie
D. An Organized Crime group
Correct Answer: A Malicious Insider Threat
Explanation:
An insider threat is a current or former employee, contractor, or partner who has or had authorized access and misuses it to compromise security. The 'disgruntled' nature and use of legitimate privileges for malicious purposes are key characteristics of this threat actor type.
38. What is the primary purpose of using a digital signature in an email communication?
Explain Cryptographic Solutions
Medium
A. To guarantee the delivery of the email to the recipient's inbox.
B. To provide the recipient with assurance of the sender's identity (authenticity) and that the message has not been altered (integrity).
C. To encrypt the entire content of the email so no one can read it.
D. To hide the sender's true email address from the recipient.
Correct Answer: To provide the recipient with assurance of the sender's identity (authenticity) and that the message has not been altered (integrity).
Explanation:
A digital signature is created by hashing the message and then encrypting the hash with the sender's private key. The recipient can use the sender's public key to decrypt the hash and compare it with their own hash of the message. A match proves the message hasn't been altered (integrity) and that it was signed by the holder of the corresponding private key (authenticity/non-repudiation).
39. What is the function of a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP)?
Public Key Infrastructure
Medium
A. To check if a digital certificate has been invalidated before its scheduled expiration date.
B. To store a backup of private keys in case of loss.
C. To list all certificates that have passed their natural expiration date.
D. To provide a list of trusted Certificate Authorities.
Correct Answer: To check if a digital certificate has been invalidated before its scheduled expiration date.
Explanation:
A certificate may need to be revoked if the associated private key is compromised, the owner's information changes, or for other reasons. A CRL is a list of such revoked certificates, and OCSP is a protocol for checking a certificate's revocation status in real-time. This is crucial for ensuring that a certificate is still trustworthy, even if it has not yet expired.
40. Asymmetric cryptography, like RSA, uses a key pair. If a message is encrypted with a user's public key, what is the consequence?
Cryptographic Algorithms
Medium
A. Only the user who owns the corresponding private key can decrypt it.
B. The message cannot be decrypted; this is used for digital signatures.
C. The message can be decrypted by either the public or the private key.
D. Anyone with the public key can decrypt it.
Correct Answer: Only the user who owns the corresponding private key can decrypt it.
Explanation:
The fundamental principle of asymmetric cryptography is that a message encrypted with a public key can only be decrypted by its corresponding private key. This one-to-one relationship is what provides confidentiality for data sent to the key pair's owner.
41. A system uses digital signatures to ensure that a sender cannot deny sending a message (non-repudiation) and that the message has not been altered (integrity). If an attacker manages to compromise the sender's private key but does not alter any previously signed messages, which security concept is most directly and immediately compromised from the moment of the key theft, even before the attacker uses the key?
Security Concepts
Hard
A. Non-repudiation, because the legitimate sender can now plausibly deny messages sent by the attacker using their key.
B. Confidentiality, because the private key is no longer secret.
C. Integrity, because the attacker can now alter future messages and sign them with the stolen key.
D. Availability, because the system's trust model is broken, requiring it to be taken offline.
Correct Answer: Non-repudiation, because the legitimate sender can now plausibly deny messages sent by the attacker using their key.
Explanation:
This is a question of principle. The moment the private key is compromised, the entire basis of non-repudiation is broken. The legitimate user can claim any message signed with that key (past, present, or future) could have been forged by the attacker. Thus, they can plausibly deny having sent a message, even one they genuinely sent. While integrity of future messages is at risk, the fundamental concept of non-repudiation is immediately undermined for all messages associated with that key.
42. A company implements a policy requiring all developers to attend mandatory annual security training. During a code review, a senior developer spots a critical SQL injection vulnerability. What is the relationship between these two security controls in this scenario?
Security Controls
Hard
A. The training is a deterrent control, and the code review is a recovery control designed to find bugs after deployment.
B. Both are preventive controls, but one is administrative (training) and the other is technical (code review).
C. The training is a preventive administrative control, while the code review is a detective technical control that acts as a compensating control for the failure of the training.
D. The training is a detective administrative control, and the code review is a corrective technical control.
Correct Answer: The training is a preventive administrative control, while the code review is a detective technical control that acts as a compensating control for the failure of the training.
Explanation:
This question requires analyzing and classifying multiple controls and their interaction. The training is an 'administrative' control (a policy/procedure) intended to 'prevent' vulnerabilities. The code review is a 'technical' control (a systematic process) designed to 'detect' vulnerabilities that were not prevented. Because the code review catches a failure of the primary preventive control (the training's effectiveness), it is functioning as a 'compensating' control in the defense-in-depth strategy.
43. A security analyst is examining a new malware sample. They observe that the malware's decryption routine changes with each new infection, and the core malicious payload is rearranged and recompiled. However, the logical function of the payload remains identical. This malware would be most accurately classified as:
Compare Threat Types
Hard
A. Polymorphic
B. A fileless virus
C. Metamorphic
D. Oligomorphic
Correct Answer: Metamorphic
Explanation:
This is a subtle but critical distinction. Polymorphic malware uses a variable decryptor to hide a static, encrypted payload. The payload itself does not change. Metamorphic malware, on the other hand, rewrites its own code with each iteration, changing its structure and appearance without altering its fundamental behavior. The key phrase is "payload is rearranged and recompiled," which is the defining characteristic of metamorphic malware, making it much harder for signature-based detection.
44. An attack is detected against a major energy grid. The TTPs (Tactics, Techniques, and Procedures) involve zero-day exploits for SCADA systems, custom-written C2 malware that uses steganography for communication, and a clear motivation to disrupt operations rather than steal data for financial gain. The operation is slow, methodical, and shows extreme patience over several months. This actor is most likely:
Threat Actors
Hard
A. An organized crime syndicate testing new capabilities.
B. A script kiddie who purchased a sophisticated attack toolkit.
Correct Answer: A state-sponsored Advanced Persistent Threat (APT).
Explanation:
The combination of high-level resources (zero-day exploits), custom tools, long-term persistence, and a non-financial, disruptive motive strongly points to a state-sponsored actor. Hacktivists typically lack the resources for zero-days and custom C2 frameworks. Organized crime is almost always financially motivated. A script kiddie would not have the skills or patience for such a prolonged, custom campaign, even with purchased tools.
45. A company is migrating its monolithic application to a microservices architecture hosted in Kubernetes. The new architecture involves dozens of internal APIs, a public-facing API gateway, multiple databases, and a service mesh for inter-service communication. How does this migration primarily affect the company's attack surface?
Attack Surfaces
Hard
A. It keeps the attack surface the same, as only the internal architecture has changed, not the public-facing entry points.
B. It significantly increases the attack surface by creating many more network endpoints and inter-service communication paths that must be secured.
C. It shifts the attack surface entirely to the API gateway, which simplifies security management.
D. It decreases the attack surface by containerizing workloads, which isolates them from the host OS.
Correct Answer: It significantly increases the attack surface by creating many more network endpoints and inter-service communication paths that must be secured.
Explanation:
While microservices offer benefits like scalability and resilience, they drastically increase the complexity and size of the attack surface. Instead of one large application to defend, the security team must now manage authentication, authorization, and network policies for dozens or hundreds of individual services and their APIs. Each new service, API, and communication path is a potential point of entry or lateral movement for an attacker.
46An attacker first calls an employee pretending to be from IT, stating they've detected malware and need the employee's computer name. The employee provides it. An hour later, a different attacker calls the same employee, claiming to be a senior IT manager. This attacker says, "Hi [Employee Name], this is Bob from IT. I'm following up on the malware ticket for computer [Computer Name]. To clean the device, I need you to navigate to this site and enter the code I provide." This multi-stage attack is a sophisticated example of:
Social Engineering
Hard
A.Pretexting, where the second call uses information from the first to establish legitimacy.
B.Baiting, where the attacker offers a free software update to remove malware.
C.Tailgating, as the attacker is following up on a previous interaction.
D.Quid pro quo, as the attacker is offering a service (malware removal) for an action.
Correct Answer: Pretexting, where the second call uses information from the first to establish legitimacy.
Explanation:
The core technique here is pretexting: creating a fabricated scenario to manipulate a target. The sophistication lies in the two-stage approach. The first call is purely for reconnaissance to gather a piece of information (the computer name). The second call then uses that specific, non-public information to build a highly credible pretext. This makes the second request seem far more legitimate than a generic cold call, significantly increasing the attack's chance of success.
47A hardware security module (HSM) implements AES-256. A researcher discovers that the time required to perform an encryption operation is slightly correlated with the number of '1' bits in the secret key. What type of attack could exploit this vulnerability?
Cryptographic Algorithms
Hard
A.A brute-force attack.
B.A timing-based side-channel attack.
C.A differential cryptanalysis attack.
D.A man-in-the-middle attack.
Correct Answer: A timing-based side-channel attack.
Explanation:
This is a classic example of a side-channel attack. The attack doesn't break the mathematical properties of the AES algorithm itself. Instead, it exploits information leaked from the physical implementation of the cryptosystem. By precisely measuring the time taken for many encryption operations with chosen plaintexts, an attacker can statistically deduce information about the secret key based on the observed timing variations, eventually reconstructing the entire key.
48A web server is configured to use OCSP Stapling. A client connects, and the server presents its certificate along with a time-stamped, CA-signed OCSP response indicating the certificate is 'good'. However, the Certificate Authority's OCSP responder has been offline for the past hour. Why would the client still accept the server's certificate?
Public Key Infrastructure
Hard
A.The client's browser is configured to 'soft-fail', meaning it will accept the certificate if the OCSP responder is unreachable.
B.The browser trusts the server's self-signed OCSP response.
C.The client falls back to checking the Certificate Revocation List (CRL) which is still valid.
D.OCSP Stapling allows the server to cache a valid OCSP response for a period (e.g., 24 hours), so a temporary outage at the CA does not affect validation for clients.
Correct Answer: OCSP Stapling allows the server to cache a valid OCSP response for a period (e.g., 24 hours), so a temporary outage at the CA does not affect validation for clients.
Explanation:
OCSP Stapling is designed specifically to solve the performance and privacy issues of live OCSP checks and the latency of CRLs. The server queries the OCSP responder itself at regular intervals and 'staples' the signed response to the certificate it serves to clients. This response has a validity period. As long as the cached response is still valid, the client can verify the certificate's status without contacting the CA directly, making the connection resilient to temporary CA outages.
49A system uses a hybrid encryption scheme: it generates a random symmetric key (e.g., AES) to encrypt a large file, then encrypts the AES key using the recipient's public RSA key. The encrypted file and the encrypted AES key are sent to the recipient. If the recipient's private RSA key is compromised, what is the scope of the damage?
Cryptographic Solutions
Hard
A.Only future files sent to this recipient can be decrypted.
B.All past and future files sent to this recipient can be decrypted by the attacker.
C.No files can be decrypted without also breaking the AES algorithm.
D.Only past files for which the attacker also intercepted the ciphertext can be decrypted.
Correct Answer: Only past files for which the attacker also intercepted the ciphertext can be decrypted.
Explanation:
This scenario tests the concept of forward secrecy, which this scheme lacks. The compromise of the long-term RSA private key allows an attacker to decrypt the AES session key for any message they have previously captured. A new AES key is generated for each file, so future communications are not compromised unless the attacker can also intercept them. The key insight is that the damage is retrospective; an attacker who has been passively recording encrypted traffic can now go back and decrypt all of it.
50In a multi-tenant cloud environment, a flaw in the hypervisor allows a virtual machine in Tenant A's network to read memory belonging to a virtual machine in Tenant B's network. This represents a failure of which fundamental security principle from Tenant B's perspective?
Security Concepts
Hard
A.Authentication
B.Availability
C.Confidentiality
D.Integrity
Correct Answer: Confidentiality
Explanation:
This is a classic side-channel or isolation failure attack in a virtualized environment. Confidentiality is the principle that information should not be disclosed to unauthorized individuals or systems. By reading Tenant B's memory, Tenant A is gaining unauthorized access to Tenant B's private data, which is a direct and severe breach of confidentiality. Integrity (unauthorized modification) and Availability (denial of service) are not the primary principles violated here.
51A network's defense-in-depth strategy includes a firewall, an Intrusion Prevention System (IPS), and host-based anti-malware. An attacker uses a zero-day exploit encrypted with TLS to compromise a web server. The malicious payload then uses fileless techniques, operating only in memory to avoid detection by the anti-malware. Which statement best analyzes the failure of the security controls?
Security Controls
Hard
A.Only the IPS and anti-malware failed; the firewall operated correctly by allowing legitimate web traffic on port 443.
B.All three controls failed: The firewall because it allowed encrypted traffic, the IPS because it couldn't inspect the encrypted payload, and the anti-malware because it was signature-based and the attack was fileless.
C.This scenario is impossible, as an IPS would have detected the anomalous behavior even if the payload was encrypted.
D.Only the anti-malware failed, as the other controls are not designed to detect zero-day exploits.
Correct Answer: All three controls failed: The firewall because it allowed encrypted traffic, the IPS because it couldn't inspect the encrypted payload, and the anti-malware because it was signature-based and the attack was fileless.
Explanation:
This question requires a holistic analysis of a layered security failure. The firewall is often configured to allow HTTPS (TLS) traffic, which becomes a tunnel for the attack. The IPS is blind to the exploit because it cannot decrypt and inspect the traffic (unless TLS inspection is configured, which has its own complexities). The host-based anti-malware, if primarily signature- or file-based, is bypassed by fileless techniques. This shows how a sophisticated attack can bypass multiple, seemingly independent layers of security controls.
52A security firm observes an ongoing attack that has persisted for 18 months. The attackers use a custom remote access trojan (RAT), move laterally through the network using legitimate credentials obtained via phishing, and slowly exfiltrate small, encrypted chunks of intellectual property. The command-and-control (C2) servers are rotated weekly. The primary goal appears to be long-term espionage. This is characteristic of:
Compare Threat Types
Hard
A.A ransomware attack in its initial infiltration phase
B.A botnet focused on distributed denial-of-service (DDoS)
C.A polymorphic worm
D.An Advanced Persistent Threat (APT)
Correct Answer: An Advanced Persistent Threat (APT)
Explanation:
The defining characteristics described—long-term presence ('persistent'), use of sophisticated custom tools ('advanced'), and a clear, targeted objective ('threat')—are the hallmarks of an APT. Unlike worms that spread indiscriminately, botnets used for DDoS, or ransomware that aims for a quick payout, APTs are focused on stealth, long-term access, and specific espionage or sabotage goals.
53An employee in the finance department clicks on a sophisticated spear-phishing email and their workstation becomes infected. The malware logs their keystrokes, capturing credentials for the accounting system, which are then used to initiate a fraudulent wire transfer. From the company's perspective, this employee is best classified as:
Threat Actors
Hard
A.A competitor.
B.A malicious insider.
C.An external threat actor.
D.An unintentional insider threat.
Correct Answer: An unintentional insider threat.
Explanation:
This question tests the nuanced definition of an insider threat. The employee is an 'insider' because they are a trusted user with legitimate access. However, their action was not malicious; they were tricked. Therefore, they represent an 'unintentional' or 'accidental' insider threat. Their authorized credentials and access were hijacked by an external actor, but the initial point of failure was an internal user making a mistake.
54A developer exposes a new internal REST API endpoint (/api/v1/user/{id}/details) used by the front-end application to fetch user data. They forget to implement an authorization check, assuming that since the API is not public, it's safe. An authenticated but low-privileged user discovers they can change the {id} in the API call to view the details of any other user, including administrators. This vulnerability is best described as:
Attack Surfaces
Hard
A.An Insecure Direct Object Reference (IDOR) on a newly exposed internal attack surface.
B.A Cross-Site Scripting (XSS) vulnerability.
C.A failure of the external network firewall.
D.A SQL Injection vulnerability in the API backend.
Correct Answer: An Insecure Direct Object Reference (IDOR) on a newly exposed internal attack surface.
Explanation:
The creation of the new API endpoint expanded the application's internal attack surface. The vulnerability itself is a classic IDOR (now part of Broken Object Level Authorization in OWASP Top 10). The system uses a direct reference to an object (the user ID) and fails to verify that the authenticated user is authorized to access that specific object. The other options are incorrect as there is no evidence of script injection, SQL manipulation, or a network firewall failure.
55An individual posts on social media about losing their company ID badge. An attacker creates a fake ID with the individual's picture and company logo, then waits by a secure entrance. When an employee approaches, the attacker pretends to be on a call and fumbles with their fake badge, saying "Ugh, my badge isn't working again! Can you let me in?" This technique, where an attacker makes themselves appear to be the one in need of help to exploit the target's desire to be helpful, is known as:
Social Engineering
Hard
A.Watering Hole Attack
B.Reverse Social Engineering
C.Shoulder Surfing
D.Phishing
Correct Answer: Reverse Social Engineering
Explanation:
Standard social engineering involves the attacker initiating contact to solicit information. Reverse Social Engineering is more subtle; the attacker creates a situation (a persona or a problem) where the target voluntarily offers help or information. By appearing to be a distressed fellow employee, the attacker manipulates the target into holding the door, effectively bypassing physical security. The attacker engineered the situation to make the target come to them.
56The RSA algorithm relies on the mathematical difficulty of factoring the product of two large prime numbers. Let the public key be and the private key be , where . What would be the most direct consequence if an attacker discovered the value of Euler's totient function, , without discovering or themselves?
Cryptographic Algorithms
Hard
A.There would be no direct consequence, as and are still unknown.
B.The attacker could easily factor into and .
C.The attacker could efficiently calculate the private exponent from the public exponent .
D.The system would become vulnerable to a chosen-ciphertext attack.
Correct Answer: The attacker could efficiently calculate the private exponent from the public exponent .
Explanation:
This question probes the mathematical foundation of RSA. The private exponent is the modular multiplicative inverse of the public exponent modulo . That is, . To calculate this inverse, one needs to know . If an attacker obtains , they can use the Extended Euclidean Algorithm to compute from the public value very quickly, thus compromising the entire system without ever needing to factor .
57A mobile application uses HTTP Public Key Pinning (HPKP) to ensure it only connects to servers presenting a specific public key. The company's server certificate expires, and a new one is issued with a new key pair. Users with the old version of the app are now unable to connect. What is the core security concept that caused this operational failure?
Public Key Infrastructure
Hard
A.The pinned key was a 'leaf' key, and no 'backup' key from a different key pair was also pinned in the application's policy.
B.The app failed to check the OCSP status of the new certificate.
C.The new certificate was signed with an SHA-1 hash, which is deprecated.
D.The Certificate Authority used a different intermediate certificate to sign the new server certificate.
Correct Answer: The pinned key was a 'leaf' key, and no 'backup' key from a different key pair was also pinned in the application's policy.
Explanation:
HPKP was a powerful but brittle mechanism. If an application pins only the public key of the current ('leaf') server certificate, it creates a single point of failure. If that key is lost or the certificate needs to be reissued with a new key for any reason, all clients with the old pin set will reject the new, valid certificate. The best practice was to pin the leaf key AND one or more backup keys (whose private keys were stored securely offline) to allow for recovery.
58Given the rise of practical quantum computing, which of the following cryptographic migration strategies is most logical and urgent for an organization that relies on TLS for data-in-transit security?
Cryptographic Solutions
Hard
A.Double the key length of all existing algorithms, for example, moving from RSA-2048 to RSA-4096, which provides quantum resistance.
B.Transition all digital signature algorithms to hash-based signatures, but keep RSA for key exchange.
C.Prioritize replacing asymmetric algorithms like RSA and ECDH with quantum-resistant alternatives, while AES-256 remains secure with a larger key size.
D.Immediately replace all symmetric algorithms like AES with a quantum-resistant one, as they are most vulnerable.
Correct Answer: Prioritize replacing asymmetric algorithms like RSA and ECDH with quantum-resistant alternatives, while AES-256 remains secure with a larger key size.
Explanation:
Shor's algorithm, run on a sufficiently large quantum computer, efficiently breaks asymmetric algorithms such as RSA, DSA, and ECDH, which rest on integer factorization or the discrete logarithm problem. Grover's algorithm speeds up brute-force search, effectively halving the key strength of symmetric algorithms like AES. AES-256 therefore retains roughly 128 bits of security against a quantum adversary and is still considered strong, whereas RSA-2048 is completely broken. The most urgent priority is to replace the public-key cryptography used for key exchange and digital signatures.
59A hospital's electronic health record (EHR) system is targeted by two separate attacks in one week. Attack A is a DDoS attack that overwhelms the network, making the EHR system inaccessible to doctors. Attack B is a ransomware attack that encrypts all patient records, making them unreadable. Both attacks are a failure of which principle of the CIA triad, but for fundamentally different reasons?
Security Concepts
Hard
A.Integrity. The DDoS attack modifies network packets, and the ransomware modifies the files.
B.Availability. Both attacks are identical in that they just make the system unavailable.
C.Confidentiality. The DDoS attack exposes system vulnerabilities, and the ransomware exposes patient data.
D.Availability. The DDoS attack denies access to the system, while the ransomware attack denies access to the data itself.
Correct Answer: Availability. The DDoS attack denies access to the system, while the ransomware attack denies access to the data itself.
Explanation:
This question requires a nuanced understanding of Availability. Both attacks result in a loss of availability, but the mechanism is different. The DDoS attack is a network/system-level failure; the system and data are intact but unreachable. The ransomware attack is a data-level failure; the system is running, but the data has been transformed into an unusable state. Recognizing this distinction shows a deeper understanding of how the principle of availability can be violated in different layers of a system.
60A corporate merger requires trusting certificates issued by the new parent company's PKI. The parent company's Root CA is offline and should not be added to the client trust stores directly. The parent provides a cross-signed intermediate certificate: (Parent Intermediate CA cert, signed by Child Root CA). What is the primary purpose of this specific object in establishing a trust path from a 'child' company client to a server with a cert from the 'parent' company?
Public Key Infrastructure
Hard
A.It is used to revoke all certificates from the child company's PKI.
B.It allows the parent company's servers to trust clients from the child company.
C.It replaces the need for the Parent Root CA certificate entirely.
D.It allows a client that trusts the 'Child Root CA' to build a valid certification path to a certificate issued by the 'Parent Intermediate CA', bridging the two PKIs.
Correct Answer: It allows a client that trusts the 'Child Root CA' to build a valid certification path to a certificate issued by the 'Parent Intermediate CA', bridging the two PKIs.
Explanation:
Cross-signing is a technique to establish trust between two different PKIs. By having the Child's Root CA sign the Parent's Intermediate CA certificate, it creates an alternative trust anchor. A client from the child company, which trusts its own Child Root CA, can now validate a certificate chain that goes Server Cert (signed by Parent Intermediate) -> Parent Intermediate CA Cert (signed by Child Root) -> Child Root CA. This builds a valid path to a trusted root without having to install the Parent's Root CA on every client.