1. Which component of the AAA framework is responsible for verifying the identity of a user or system?
A. Authorization
B. Accounting
C. Authentication
D. Auditing
Correct Answer: Authentication
Explanation: Authentication is the process of verifying who a user is (identity verification), whereas Authorization determines what they can do, and Accounting tracks what they did.
2. In the context of Multi-Factor Authentication (MFA), a fingerprint scan falls under which category?
A. Something you know
B. Something you have
C. Something you are
D. Something you do
Correct Answer: Something you are
Explanation: MFA factors are categorized as: Knowledge (know), Possession (have), and Inherence (are). Biometrics like fingerprints represent Something you are.
3. Which Access Control model assigns permissions based on security labels (e.g., Top Secret, Confidential) attached to subjects and objects?
A. Discretionary Access Control (DAC)
B. Mandatory Access Control (MAC)
C. Role-Based Access Control (RBAC)
D. Attribute-Based Access Control (ABAC)
Correct Answer: Mandatory Access Control (MAC)
Explanation: MAC uses security labels and clearance levels defined by a central authority to control access, often used in military environments.
4. In a Discretionary Access Control (DAC) system, who is responsible for determining access rights to an object?
A. The Security Administrator
B. The Operating System
C. The Data Owner
D. The Chief Information Security Officer
Correct Answer: The Data Owner
Explanation: In DAC, the owner of the resource (the creator) has the discretion to assign access rights to other users.
5. Which protocol is an open standard for token-based authentication and authorization, often used to allow websites to access information from other websites without sharing passwords?
A. LDAP
B. OAuth 2.0
C. RADIUS
D. TACACS+
Correct Answer: OAuth 2.0
Explanation: OAuth 2.0 is an industry-standard protocol for authorization that provides specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
6. What is the primary function of a De-Militarized Zone (DMZ) in enterprise network architecture?
A. To encrypt all internal traffic
B. To host internal databases securely
C. To expose public-facing services while isolating the internal network
D. To prevent Denial of Service attacks
Correct Answer: To expose public-facing services while isolating the internal network
Explanation: A DMZ is a physical or logical sub-network that contains and exposes an organization's external-facing services to an untrusted network (usually the Internet) while keeping the internal LAN secure.
7. Which of the following is considered a 'Type 2' error in biometric authentication?
A. False Rejection Rate (FRR)
B. False Acceptance Rate (FAR)
C. Crossover Error Rate (CER)
D. Processing Error Rate (PER)
Correct Answer: False Acceptance Rate (FAR)
Explanation: A Type 2 error is a False Acceptance, where an unauthorized user is incorrectly verified as a legitimate user.
8. Which network security appliance primarily focuses on inspecting traffic at Layer 7 (Application Layer) to protect web servers from attacks like SQL injection and XSS?
A. Stateful Firewall
B. Packet Filtering Router
C. Web Application Firewall (WAF)
D. VPN Concentrator
Correct Answer: Web Application Firewall (WAF)
Explanation: A WAF operates at the application layer to filter, monitor, and block HTTP traffic to and from a web application, protecting against specific web attacks.
9. What is the mathematical concept often used to calculate the entropy of a password, where is the length and is the size of the character set?
A.
B.
C.
D.
Correct Answer:
Explanation: Password entropy (in bits) is calculated as , where is the total number of possible combinations (). Therefore, .
10. Which Identity Management process ensures that a user's access rights are removed immediately upon termination of employment?
A. Provisioning
B. Deprovisioning
C. Federation
D. Attestation
Correct Answer: Deprovisioning
Explanation: Deprovisioning (or offboarding) is the process of removing identities and access rights from systems when they are no longer needed.
11. In the context of Role-Based Access Control (RBAC), permissions are assigned to:
A. Users directly
B. Groups based on location
C. Roles, which are then assigned to users
D. Attributes of the data
Correct Answer: Roles, which are then assigned to users
Explanation: In RBAC, permissions are associated with roles (e.g., Manager, Admin), and users are assigned to those roles, simplifying management.
12. Which network segmentation technique allows grouping hosts logically regardless of their physical location on the network?
A. Subnetting
B. VLAN (Virtual Local Area Network)
C. NAT (Network Address Translation)
D. VPN (Virtual Private Network)
Correct Answer: VLAN (Virtual Local Area Network)
Explanation: VLANs allow network administrators to group hosts together even if they are not on the same network switch, improving traffic management and security.
13. Which protocol is widely used for directory services to query and modify items in directory service providers like Active Directory?
A. SAML
B. Kerberos
C. LDAP
D. SNMP
Correct Answer: LDAP
Explanation: Lightweight Directory Access Protocol (LDAP) is the industry standard for accessing and maintaining distributed directory information services.
14. What distinguishes a Stateful Inspection Firewall from a Packet Filtering Firewall?
A. It only looks at the header of the packet.
B. It tracks the operating state and context of active network connections.
C. It operates exclusively at Layer 7.
D. It cannot block UDP traffic.
Correct Answer: It tracks the operating state and context of active network connections.
Explanation: A Stateful Inspection Firewall keeps track of the state of network connections (e.g., TCP streams) and makes decisions based on the context of the traffic, not just individual packets.
15. Which Single Sign-On (SSO) standard is XML-based and typically used for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP)?
Explanation: SAML is an XML-based open standard for exchanging authentication and authorization data between parties, specifically an identity provider and a service provider.
16. In a 'Zero Trust' network architecture, the core principle is:
A. Trust but verify
B. Never trust, always verify
C. Trust internal traffic, verify external traffic
D. Verify only administrative access
Correct Answer: Never trust, always verify
Explanation: Zero Trust assumes that there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., inside the perimeter).
17. Which cryptographic protocol uses Port 22 and provides a secure channel over an unsecured network, commonly used for remote command-line login?
A. Telnet
B. FTP
C. SSH (Secure Shell)
D. RDP
Correct Answer: SSH (Secure Shell)
Explanation: SSH replaces insecure protocols like Telnet and uses encryption to secure the connection, operating by default on Port 22.
18. What is the primary difference between an IDS and an IPS?
A. IDS is hardware, IPS is software.
B. IDS detects and alerts, while IPS detects and actively blocks.
C. IPS is for internal networks, IDS is for external.
D. IDS encrypts data, IPS does not.
Correct Answer: IDS detects and alerts, while IPS detects and actively blocks.
Explanation: An Intrusion Detection System (IDS) monitors and alerts on suspicious activity. An Intrusion Prevention System (IPS) sits inline and can actively block or drop malicious packets.
19. Which authentication protocol relies on a Key Distribution Center (KDC) and uses 'Tickets' to allow nodes to communicate over a non-secure network?
A. CHAP
B. Kerberos
C. PAP
D. NTLM
Correct Answer: Kerberos
Explanation: Kerberos is a network authentication protocol that works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another.
20. In Attribute-Based Access Control (ABAC), access decisions are based on:
A. Only the user's role
B. Only the security clearance level
C. Attributes of the user, resource, action, and environment
D. The physical port the user connects to
Correct Answer: Attributes of the user, resource, action, and environment
Explanation: ABAC evaluates a complex set of attributes (User, Resource, Environment/Context) to make dynamic access control decisions.
21. What is a 'Honeypot' in network security?
A. A high-value database containing passwords
B. A decoy system designed to attract and study attackers
C. A software tool for cracking passwords
D. A type of firewall configuration
Correct Answer: A decoy system designed to attract and study attackers
Explanation: A Honeypot is a trap set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.
22. When utilizing IPsec for a VPN, which mode encapsulates the entire original IP packet (header and payload) into a new IP packet?
A. Transport Mode
B. Tunnel Mode
C. Bridge Mode
D. Switch Mode
Correct Answer: Tunnel Mode
Explanation: Tunnel Mode encrypts the entire original IP packet and wraps it in a new IP header, making it suitable for Site-to-Site or Remote Access VPNs.
23. Which of the following describes the 'Principle of Least Privilege'?
A. Users should have the highest level of access needed to prevent workflow blockages.
B. Users should be granted only the minimum access necessary to perform their job functions.
C. All users should have administrator rights on their local machines.
D. Access is determined by the length of employment.
Correct Answer: Users should be granted only the minimum access necessary to perform their job functions.
Explanation: The Principle of Least Privilege (PoLP) dictates that a subject should be given only those privileges needed for it to complete its task.
24. Which network appliance consolidates multiple security functions (Firewall, AV, IDS/IPS, VPN, etc.) into a single hardware device?
A. Router
B. Switch
C. UTM (Unified Threat Management)
D. Load Balancer
Correct Answer: UTM (Unified Threat Management)
Explanation: UTM appliances provide a comprehensive security solution by integrating multiple security features into a single device.
25. In the context of Federated Identity Management, what is the role of the Identity Provider (IdP)?
A. To provide the service or resource the user wants to access
B. To manage the network infrastructure
C. To authenticate the user and issue security tokens
D. To act as a firewall
Correct Answer: To authenticate the user and issue security tokens
Explanation: The Identity Provider (IdP) is responsible for verifying the identity of the user and issuing assertions or tokens that the Service Provider (SP) trusts.
26. Which secure communication protocol creates a secure pipe between two distinct networks over the Internet?
A. VLAN
B. Site-to-Site VPN
C. WEP
D. Telnet
Correct Answer: Site-to-Site VPN
Explanation: A Site-to-Site VPN connects entire networks to each other, for example, connecting a branch office network to a headquarters network.
27. What is the main security risk associated with 'Split Tunneling' in a remote access VPN?
A. It slows down the connection speed significantly.
B. It prevents the user from accessing corporate resources.
C. It allows traffic destined for the internet to bypass the corporate firewall/VPN, potentially exposing the client.
D. It requires two different passwords.
Correct Answer: It allows traffic destined for the internet to bypass the corporate firewall/VPN, potentially exposing the client.
Explanation: Split Tunneling allows a user to access the internet directly while simultaneously accessing the corporate network via VPN. This bypasses corporate security controls for internet traffic.
28. Which authentication factor uses GPS or network triangulation to verify a user?
A. Something you know
B. Something you are
C. Somewhere you are
D. Something you have
Correct Answer: Somewhere you are
Explanation: Somewhere you are (Location) is a context-based authentication factor that verifies the user's physical location.
29. Which of the following is an example of an 'Implicit Deny' policy in a firewall?
Explanation: Implicit Deny (often implemented as an explicit 'Deny All' at the bottom of a list) ensures that if traffic does not match any specific 'Allow' rule, it is blocked by default.
30. In 802.1X Port-Based Network Access Control, what is the role of the 'Supplicant'?
A. The authentication server (e.g., RADIUS)
B. The network switch or wireless access point
C. The device/user attempting to access the network
D. The database storing user credentials
Correct Answer: The device/user attempting to access the network
Explanation: In 802.1X, the Supplicant is the client device (software or hardware) that requests access to the network.
31. Which attack involves an attacker trying a list of compromised username/password pairs against many different websites?
A. Brute Force
B. Dictionary Attack
C. Credential Stuffing
D. Rainbow Table Attack
Correct Answer: Credential Stuffing
Explanation: Credential Stuffing exploits the tendency of users to reuse passwords. Attackers use credentials stolen from one breach to try and log in to other unrelated services.
32. Network Access Control (NAC) systems generally assess which of the following before granting network access?
Correct Answer: The device's health/posture (OS patches, Antivirus status)
Explanation: NAC checks the security posture of the endpoint (patches, AV definitions, firewall status) before allowing it to connect to the network.
33. Which protocol works at the Data Link Layer (Layer 2) to translate IP addresses into MAC addresses, and is vulnerable to 'Poisoning' attacks?
A. DNS
B. DHCP
C. ARP
D. ICMP
Correct Answer: ARP
Explanation: Address Resolution Protocol (ARP) resolves IPs to MACs. ARP Poisoning (Spoofing) involves sending fake ARP messages to link the attacker's MAC with a legitimate IP.
34. If a user has a password , and the system stores where is a hash function and is a random value, what is ?
A. The Pepper
B. The Salt
C. The Initialization Vector
D. The Key
Correct Answer: The Salt
Explanation: A Salt () is random data added to the password () before hashing to protect against rainbow table attacks and ensure identical passwords have different hashes.
35. Which secure communication protocol is the successor to SSL and is currently the standard for securing web traffic (HTTPS)?
A. TLS (Transport Layer Security)
B. SET (Secure Electronic Transaction)
C. PGP (Pretty Good Privacy)
D. WEP (Wired Equivalent Privacy)
Correct Answer: TLS (Transport Layer Security)
Explanation: TLS succeeded SSL. While people often say 'SSL', modern secure web traffic actually uses TLS.
36. In the context of Identity Management, what does 'SSO' stand for?
A. Secure Socket Option
B. Single Sign-On
C. Simple Service Object
D. Standard Security Organization
Correct Answer: Single Sign-On
Explanation: Single Sign-On (SSO) is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.
37. An 'Air Gap' is a security measure that involves:
A. Using wireless technology instead of cables
B. Physically isolating a secure network from unsecured networks (like the Internet)
C. Leaving a gap in the firewall rules for testing
D. Cooling server rooms with air conditioning
Correct Answer: Physically isolating a secure network from unsecured networks (like the Internet)
Explanation: An Air Gap is a physical isolation measure ensuring a secure network is physically separated from unsecured networks.
38. Which authentication protocol uses a Challenge-Handshake mechanism where the password is never sent over the network?
Correct Answer: CHAP (Challenge-Handshake Authentication Protocol)
Explanation: CHAP authenticates a user or network host to an authenticating entity (e.g., a server) without sending the password over the network, using a 3-way handshake.
39. What is the primary purpose of a SIEM (Security Information and Event Management) system?
A. To block viruses on endpoints
B. To aggregate, correlate, and analyze log data from various sources
C. To route network traffic
D. To manage user passwords
Correct Answer: To aggregate, correlate, and analyze log data from various sources
Explanation: SIEM solutions provide real-time analysis of security alerts generated by applications and network hardware by collecting and correlating logs.
40. Which network architecture concept involves placing internal servers (like database servers) in a zone that cannot be directly accessed from the Internet, usually behind the DMZ?
A. Public Zone
B. Trusted/Internal Zone
C. Guest Zone
D. Extranet
Correct Answer: Trusted/Internal Zone
Explanation: High-value assets like databases are placed in the Trusted or Internal Zone, which is protected by internal firewalls and is not directly reachable from the outside.
41. What is 'East-West' traffic in a data center context?
A. Traffic entering the data center from the internet
B. Traffic leaving the data center to the internet
C. Traffic moving laterally between servers within the data center
D. Traffic between the data center and a branch office
Correct Answer: Traffic moving laterally between servers within the data center
Explanation: East-West traffic refers to data flow between servers within a data center, as opposed to North-South traffic which flows in and out of the data center.
42. Which Identity Management standard builds on top of OAuth 2.0 to provide identity verification (authentication) alongside authorization?
A. SAML
B. OpenID Connect (OIDC)
C. LDAP
D. Kerberos
Correct Answer: OpenID Connect (OIDC)
Explanation: OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol, allowing clients to verify the identity of the end-user.
43. Which of the following is a physical security control that can support authentication?
A. Firewall
B. Smart Card
C. ACL
D. VLAN
Correct Answer: Smart Card
Explanation: A Smart Card is a physical token (Something you have) used for authentication, often combined with a PIN.
44. In a Public Key Infrastructure (PKI), which entity issues and signs digital certificates?
A. Registration Authority (RA)
B. Certificate Authority (CA)
C. Validation Authority (VA)
D. The End User
Correct Answer: Certificate Authority (CA)
Explanation: The Certificate Authority (CA) is the trusted entity that issues digital certificates, certifying the ownership of a public key by the named subject of the certificate.
45. Which firewall configuration creates a 'screened subnet' using two firewalls (one external, one internal)?
A. Bastion Host
B. Dual-homed gateway
C. DMZ (Demilitarized Zone)
D. Peer-to-Peer
Correct Answer: DMZ (Demilitarized Zone)
Explanation: A DMZ created with two firewalls is a secure architecture where the DMZ sits between the external firewall (facing the internet) and the internal firewall (facing the LAN).
46. The process of giving a user permission to do or have something is known as:
A. Identification
B. Authentication
C. Authorization
D. Accounting
Correct Answer: Authorization
Explanation: Authorization occurs after authentication and determines the privileges and resources the user is allowed to access.
47. Which VPN protocol is developed by Microsoft, uses TCP port 443, and tunnels PPP traffic through an SSL/TLS channel?
Explanation: SSTP uses the SSL/TLS protocol (Port 443), making it very effective at bypassing firewalls that might block other VPN protocols.
48. What is the main advantage of using a Jump Server (Jump Box)?
A. It increases internet speed.
B. It provides a single, hardened entry point for administrators to access sensitive internal zones.
C. It acts as a honeypot for attackers.
D. It distributes IP addresses.
Correct Answer: It provides a single, hardened entry point for administrators to access sensitive internal zones.
Explanation: A Jump Server is a hardened server used to access and manage devices in a separate security zone, reducing the attack surface by limiting entry points.
49. In biometric systems, the Crossover Error Rate (CER) describes:
A. The point where False Acceptance Rate and False Rejection Rate are equal.
B. The speed at which the system processes data.
C. The maximum number of users the system can handle.
D. The failure rate of the hardware sensor.
Correct Answer: The point where False Acceptance Rate and False Rejection Rate are equal.
Explanation: The CER (or EER - Equal Error Rate) is the point where the FRR and FAR intersect. A lower CER indicates a more accurate biometric system.
50. Which network device operates at Layer 3 and makes forwarding decisions based on IP addresses?
A. Hub
B. Switch
C. Router
D. Repeater
Correct Answer: Router
Explanation: A Router operates at Layer 3 (Network Layer) and routes packets between networks based on IP addresses.