Question 1: A security team discovers that attackers can force their web application to use outdated SSL 3.0 encryption by intercepting and modifying handshake requests, potentially exposing sensitive data. Which mitigation strategy should they implement to prevent this downgrade attack?
Implementing certificate pinning
Continuing to support SSL 3.0 for legacy browser compatibility
Disabling HTTPS and reverting to HTTP
Strict TLS version 1.3 enforcement
Question 1 Explanation: Certificate pinning checks the authenticity of certificates presented by servers but does not prevent protocol downgrade attacks that force the use of weaker encryption like SSL 3.0.
Continuing to support SSL 3.0 for legacy browser compatibility keeps an obsolete protocol negotiable; SSL 3.0 has known practical attacks (POODLE) and has been formally prohibited since RFC 7568.
Disabling HTTPS and reverting to HTTP removes encryption entirely.
Strict TLS version 1.3 enforcement prevents the downgrade by refusing to negotiate any older protocol at all. TLS 1.3 also marks downgrade attempts in the ServerHello random value, so a client that supports 1.3 can detect an on-path attempt to force it down to 1.2 or lower even on servers that still offer older versions.
Question 2: An organization's directory services are currently transmitting authentication credentials in cleartext, exposing sensitive operations to network eavesdropping. Which secure protocol configuration should they implement to encrypt directory access?
LDAPS on port 636
LDAP on port 389
SNMPv3
SFTP
Question 2 Explanation: LDAPS (Lightweight Directory Access Protocol Secure) on port 636 wraps LDAP in TLS, protecting the bind credentials and the directory data in transit. (LDAP with StartTLS on port 389 is the other encrypted option, but the plain port 389 choice in this question offers no encryption.)
LDAP on port 389 transmits data in cleartext, including authentication credentials, making it vulnerable to interception and unauthorized access to directory information.
SNMPv3 is designed for network device management, not directory services.
SFTP is a secure file transfer protocol using SSH encryption and is not designed for directory service queries.
Question 3: A network administrator discovers that their monitoring tools are using community strings "public" and "private" to query device statistics, sending this data across the network without encryption or authentication. Which protocol version should they migrate to?
SNMPv3
SNMPv2c
SNMPv1 with IP-based access restrictions
Telnet for device management
Question 3 Explanation: SNMPv3 replaces community strings with user-based security: authentication of each user with a keyed hash and optional encryption (privacy) of the management traffic. The authPriv security level provides both, protecting credentials and data from eavesdropping and tampering, unlike earlier versions. Note that SNMPv3 also allows noAuthNoPriv and authNoPriv, so authPriv must be configured explicitly for the traffic to be encrypted.
SNMPv2c relies on community strings like "public" and "private" transmitted in cleartext without encryption or authentication making it vulnerable to interception and unauthorized device configuration.
SNMPv1 with IP-based access restrictions still uses cleartext community strings and lacks encryption leaving management data exposed to network sniffing regardless of IP restrictions.
Telnet for device management transmits all data including credentials in cleartext and does not provide the monitoring and querying capabilities of SNMP for device statistics.
Question 4: A healthcare organization needs to transfer large patient database files via a secure channel. Which solution should they implement to ensure both authentication credentials and file contents remain confidential during transmission?
SFTP over port 22 using SSH encryption
Standard FTP with anonymous authentication
TFTP for simplified file transfers
HTTP POST requests with basic authentication
Question 4 Explanation: SFTP over port 22 using SSH encryption requires authentication credentials and provides strong encryption for the entire session, including commands and data.
Standard FTP transmits all data and credentials in cleartext over port 21, exposing patient information to interception.
TFTP for simplified file transfers lacks authentication mechanisms and encryption, making it unsuitable for sensitive healthcare data.
HTTP POST requests with basic authentication send the credentials as a Base64-encoded header, which is trivially decoded, and over plain HTTP neither the credentials nor the uploaded file contents are encrypted.
Question 5: A company's email server is currently accepting messages without requiring encryption, allowing credentials and message content to be intercepted. Which configuration should they implement as a solution?
STARTTLS on port 587 for message submission
SMTPS on port 465 with implicit SSL
Unencrypted SMTP on port 25 with SPF records only
POP3 on port 110 for message delivery
Question 5 Explanation: STARTTLS on port 587 upgrades the plaintext submission connection to TLS before credentials are sent. Because STARTTLS begins in cleartext, an on-path attacker can strip the STARTTLS offer; the server should therefore require TLS before accepting AUTH on the submission listener (in Postfix, smtpd_tls_security_level = encrypt), and clients should be configured to fail rather than fall back to plaintext.
SMTPS on port 465 with implicit SSL is marked incorrect here because the option specifies SSL, which is obsolete. Port 465 itself is not deprecated today: it was withdrawn by IANA for a time, but RFC 8314 (2018) re-registered it as "submissions" for implicit TLS, and implicit TLS on 465 with a current TLS version is at least as strong as STARTTLS on 587. Many operators offer both.
Unencrypted SMTP on port 25 leaves credentials and message content vulnerable to interception, as no encryption is used; SPF records only identify authorized senders and do nothing for confidentiality.
POP3 on port 110 is the wrong protocol: it is used for retrieving messages from mailboxes, not for submitting them, and in its plain form operates without encryption, exposing credentials and content.
Question 6: A large hospital uses email for communication. However, to ensure security, they want to ensure that sensitive information like Excel spreadsheets cannot leave the hospital's network and be exposed to the public. What security function would accomplish this need?
SNMP
FTP
SFTP
DLP
Question 6 Explanation: SNMP (Simple Network Management Protocol) is a network management protocol for monitoring device status, not for preventing data exfiltration.
FTP is a file transfer protocol that facilitates data movement, but does not inspect or prevent sensitive data from leaving the network.
SFTP provides secure encrypted file transfer but does not analyze content for sensitive information.
DLP or Data Loss Prevention inspects email content and attachments for sensitive information, and blocks unauthorized transmissions.
Question 7: An organization is experiencing widespread phishing attacks where attackers are spoofing their domain to send malicious emails that appear to originate from legitimate company addresses. Which email authentication framework should they implement to specify handling policies for messages that fail sender verification and enable reporting of authentication failures?
DMARC with policy set to quarantine or reject
SPF records alone without DKIM alignment
DKIM signing without SPF records
DNSSEC for email validation
Question 7 Explanation: DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM. It requires at least one of them to pass with an identifier aligned to the visible From: domain, publishes a policy (p=none, quarantine or reject) telling receivers what to do with messages that fail, and its rua and ruf tags request aggregate and failure reports from receivers, which is exactly the combination the question asks for.
SPF (Sender Policy Framework) alone lists the hosts authorized to send for the envelope sender domain, but it publishes no handling policy for failures, provides no reporting, and says nothing about the From: header that users actually see.
DKIM (DomainKeys Identified Mail) alone lets a receiver verify that the signing domain vouched for the message and that it was not altered in transit, but a spoofed message simply carries no valid signature, and DKIM defines no policy or reporting for that case.
DNSSEC for email validation validates DNS response integrity, but does not authenticate email senders or provide policies for handling spoofed messages.
Question 8: A large company uses Bluetooth technology for short-range personal area networking. The organization has a security concern with bluesnarfing. What is the attacker doing to the organization?
Sending unsolicited text messages or vCards to a discoverable device
Compromising any active and unpatched Bluetooth system
Stealing information from someone else's phone by using an exploit in Bluetooth
Launching highly effective attacks using a peripheral device with malicious firmware
Question 8 Explanation: Sending unsolicited text messages describes Bluejacking, which is harmless spam rather than data theft.
Compromising any active and unpatched Bluetooth system describes general Bluetooth exploitation.
Stealing information from someone else's phone by using an exploit in Bluetooth describes Bluesnarfing, which involves unauthorized access to data such as contacts, calendars, and messages.
Launching highly effective attacks using a peripheral device with malicious firmware describes a hardware-based supply chain attack.
Question 9: An attacker has poisoned a DNS cache, redirecting users to a malicious site when they attempt to access the company's legitimate banking portal. Which security component would prevent this kind of attack?
DNSSEC with signed zones
DNS filtering at the endpoint
LDAPS for DNS queries
TLS 1.3 for DNS over HTTPS
Question 9 Explanation: DNSSEC with signed zones provides cryptographic validation of DNS responses using digital signatures. This ensures that DNS answers originate from the authoritative zone, and prevents cache poisoning attacks that redirect users to malicious sites.
DNS filtering at the endpoint blocks access to malicious domains but does not prevent an attacker from poisoning the cache.
LDAPS is for directory services, not DNS.
TLS 1.3 for DNS over HTTPS encrypts queries between the client and the resolver, but does not validate the integrity of the zone data; a poisoned resolver cache still returns the attacker's answer over the encrypted channel.
Question 10: A development team is releasing a new software update but users are receiving warnings that the publisher cannot be verified and the code may have been tampered with since distribution. Which security practice should they implement to verify software integrity?
Peer review of the source code
SAST scanning before release
Sandboxing the installer
Code signing with a trusted digital certificate
Question 10 Explanation: Peer review of the source code is a manual quality control during development; it gives end users no way to verify that the file they downloaded is the one the team released.
SAST (Static App Security Testing) identifies vulnerabilities in source code but does not establish trust in the distributed files or verify integrity.
Sandboxing the installer does not verify that the code has not been modified since distribution.
Code signing with a trusted digital certificate verifies software integrity by cryptographically signing executables, allowing operating systems to validate that the code has not been tampered with and confirming the publisher's identity.
Question 11: A company wants to identify security flaws in their web application before deployment by analyzing the source code for hardcoded credentials and vulnerabilities, without running the program. Which testing methodology should they implement?
SAST
DAST
Manual peer review only
Dynamic DNS filtering
Question 11 Explanation: SAST (Static Application Security Testing) analyzes source code without executing the program, as the question specifies; SAST tools flag patterns such as hardcoded credentials, unsafe API calls and injection sinks.
DAST (Dynamic Application Security Testing) tests running applications through runtime analysis and simulated attacks, but requires a live, deployed application rather than analyzing source code directly.
Manual peer review relies on human inspection, which, while valuable, does not provide automated, comprehensive coverage.
Dynamic DNS filtering is a network security control, not a form of code analysis.
Question 12: During a penetration test, an attacker bypasses client-side JavaScript validation that restricts special characters in a form field and submits malicious SQL commands directly to the server. Which security control should be implemented to prevent this attack?
Client-side validation with obfuscated JavaScript
DNSSEC validation of form submissions
Code signing of web forms
Server-side input validation
Question 12 Explanation: Client-side validation, even with obfuscated JavaScript, runs in the attacker's own browser and can be bypassed with an intercepting proxy or by sending requests directly to the server with a command-line client.
DNSSEC is irrelevant as DNSSEC validates DNS responses, not web form input.
Code signing of web forms is not a standard practice for input validation and does not prevent injection attacks.
Server-side input validation acts as the authoritative security control that cannot be bypassed by client-side manipulation.
Question 13: An application is displaying detailed database error messages, including table names and column structures, to the public. This helps an attacker map the database schema for further attacks. Which secure coding practice should be implemented to prevent this information leakage?
Only displaying generic error messages to users
Displaying detailed error messages for debugging purposes
Client-side error handling only
Sandboxing the database connection
Question 13 Explanation: Only displaying generic (sanitized) error messages to users is standard best practice, while displaying detailed errors only for administrators or developers.
Displaying detailed error messages for debugging purposes exposes sensitive information, allowing attackers to map the database.
Client-side error handling does not prevent the server from leaking information in responses and can be bypassed.
Sandboxing the database connection does not address the information disclosure vulnerability in error messages.
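The two controls from Questions 12 and 13 side by side, as an added example that is not part of the quiz: a deliberately vulnerable lookup that concatenates the client's value into SQL, the parameterized version that cannot be parsed as SQL, and a request handler that validates on the server and returns only a generic error while the detail goes to the server log. The users table, its sample rows and the request/response dict shape are constructed for illustration.

```python
"""Server-side input validation with parameterized queries, plus error handling
that logs detail internally and returns only generic messages to the client.

Added example (not part of the quiz). The 'users' table, the sample rows and
the request/response dict shape are constructed for illustration.
"""
import logging
import re
import sqlite3
from typing import List, Tuple

log = logging.getLogger("app")

# Allow-list enforced on the server; whatever the client-side JavaScript did is irrelevant.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
GENERIC_ERROR = "An internal error occurred."


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: the client-controlled value becomes part of the SQL text."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def parameterized_lookup(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Hardened: the driver binds the value, so it is only ever compared, never parsed."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def leaky_handler(conn: sqlite3.Connection, username: str) -> dict:
    """Anti-pattern from Question 13: the raw database error is sent to the client."""
    try:
        rows = vulnerable_lookup(conn, username)
    except sqlite3.Error as exc:
        return {"status": 500, "body": str(exc)}  # reveals SQL and schema detail
    return {"status": 200, "body": rows}


def hardened_handler(conn: sqlite3.Connection, username: str) -> dict:
    """Validates on the server, uses bound parameters and never echoes database errors."""
    if not USERNAME_RE.fullmatch(username):
        return {"status": 400, "body": "Invalid request."}
    try:
        rows = parameterized_lookup(conn, username)
    except sqlite3.Error:
        # Full detail stays server-side for developers; the client gets a generic message.
        log.exception("database error while looking up username=%r", username)
        return {"status": 500, "body": GENERIC_ERROR}
    return {"status": 200, "body": [{"username": u, "email": e} for u, e in rows]}


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", vulnerable_lookup(db, payload))        # every user is returned
    print("parameterized:", parameterized_lookup(db, payload))  # no rows
    print("leaky error:", leaky_handler(db, "'"))               # SQL error text leaks
    print("hardened:", hardened_handler(db, "'"))               # generic 400
```

The allow-list regex rejects the injection payloads before they reach the database, but the parameterized query is the control that would still hold if the regex were loosened; the two are layered deliberately.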
Question 14: A development team is manually reviewing a critical codebase before merging it into the main application. They discover a logic flaw that could allow unauthorized access to administrative functions. Which secure development practice enabled this discovery?
Peer review
DAST
DNS filtering
SNMP monitoring
Question 14 Explanation: Peer review is the manual inspection of code changes by other developers, which is mentioned in the question.
DAST is runtime testing of "live" deployed applications, not a manual code review process.
DNS filtering is a network security control for blocking malicious domains, unrelated to code review.
SNMP monitoring is network monitoring for device status, not a software development practice.
Question 15: Which of the following statements is generally true of protocol security?
HTTP operates by default on port 443 and is encrypted
HTTPS operates by default on port 443 and is encrypted
SNMP operates by default on port 80 and is unencrypted
POP3S operates by default on port 995 and is encrypted
Question 15 Explanation: HTTP operates by default on port 80 not port 443, and transmits data unencrypted, making this statement incorrect.
HTTPS operates by default on port 443 and uses TLS encryption to protect data in transit, making this the correct statement.
SNMP operates by default on ports 161 and 162, not port 80.
POP3S does operate on port 995 and is encrypted, so this statement is also true as written; the question therefore has two accurate options, and the answer key selects HTTPS on 443 as the intended answer because it is the most fundamental and commonly referenced secure protocol configuration. Port 995 is the standard POP3S port and is not routinely changed.
Question 16: A penetration tester wishes to target a local DNS cache file on a Linux system, aiming to use their administrative privileges to edit the file and poison the DNS cache, redirecting users to a fake website. Which file would the penetration tester target?
LSASS.exe
bind
C:\Windows\System32\drivers\etc\hosts
/etc/hosts
Question 16 Explanation: LSASS.exe is the Windows Local Security Authority Subsystem Service, which handles authentication, not a DNS cache file, and it does not run on Linux systems.
BIND is DNS server software (the named daemon), not a file; its cache lives in the running process, not in a file the tester would edit.
C:\Windows\System32\drivers\etc\hosts is the Windows hosts file location, not the Linux path.
/etc/hosts is the local static hosts file on Linux that maps host names to IP addresses. It is not a cache in the strict sense, but the resolver consults it before DNS (the default "hosts: files dns" order in /etc/nsswitch.conf), so an attacker with root privileges who adds an entry for the target name redirects every process on that host to the fake site without touching DNS at all.
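A defensive check for the hosts-file poisoning described above, as an added example that is not part of the quiz: parse the file the way the resolver does (comments and blank lines ignored, first field an address, remaining fields names) and report any watch-listed name that has been pinned locally. The sample file contents and the watch list are constructed; audit_file() applies the same check to the real /etc/hosts.

```python
"""Audit a Linux /etc/hosts file for local overrides of sensitive host names.

Added example, not part of the quiz. SAMPLE_HOSTS and WATCHLIST are
constructed; run audit_file("/etc/hosts", <your own inventory>) for real use.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed hosts file, including a poisoned entry for the banking portal.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
# added by an attacker with root:
203.0.113.9 bank.example.com www.bank.example.com
10.0.0.5    intranet.example.com   # legitimate internal override
"""

# Names that must never be overridden locally (assumption: your own inventory).
WATCHLIST = {"bank.example.com", "www.bank.example.com", "login.example.com"}


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [names]) per entry, skipping comments, blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing and whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address; the resolver ignores such a line as well
        entries.append((fields[0], [name.lower() for name in fields[1:]]))
    return entries


def audit_hosts(text: str, watchlist: Iterable[str]) -> Dict[str, str]:
    """Map each watch-listed name found in the file to the address it was pinned to."""
    watched = {name.lower() for name in watchlist}
    findings: Dict[str, str] = {}
    for ip, names in parse_hosts(text):
        for name in names:
            if name in watched:
                findings[name] = ip
    return findings


def audit_file(path: str, watchlist: Iterable[str]) -> Dict[str, str]:
    """Same check against a file on disk, e.g. /etc/hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read(), watchlist)


if __name__ == "__main__":
    for name, ip in audit_hosts(SAMPLE_HOSTS, WATCHLIST).items():
        print(f"ALERT: {name} is pinned to {ip} in the hosts file")
```

Because the check keys on names rather than addresses, it also catches a poisoned entry that points at an address inside your own ranges; pair it with file-integrity monitoring on /etc/hosts so the edit itself is logged.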
Question 17: An organization needs to test their production web application for vulnerabilities by simulating attacks against the application live in real time, while it is running. Which security testing methodology should they employ to identify runtime vulnerabilities?
DAST
SAST
Peer review
Code signing verification
Question 17 Explanation: DAST or Dynamic Application Security Testing simulates attacks against running applications in real time.
SAST analyzes source code statically without executing the application and cannot identify runtime-specific vulnerabilities.
Peer review is manual code inspection, not automated runtime testing.
Code signing verification checks software integrity and publisher identity, but does not test for application vulnerabilities.
Question 18: An organization is told by its customers that many of the organization's emails end up in the "Spam" or "Junk" folders. What should the company's analysts check first?
Check the organization's email sender reputation with DNS-based Spam Blocklist companies
Contact the organization's Certificate Authority to make a complaint
Discover the validity period of the organization's cyber insurance
Implement immediate SNMP monitoring of DNS traffic
Question 18 Explanation: Checking the organization's email sender reputation with DNS-based Spam Blocklist companies is the first step. These companies maintain spammer reputation lists. Emails landing in spam folders typically indicate the sending IP or domain has been blocklisted due to previous spam complaints.
Contacting the Certificate Authority to make a complaint is irrelevant because TLS certificates do not affect email spam filtering decisions.
The validity period of cyber insurance does not address the technical delivery issues causing emails to be marked as spam.
SNMP monitoring does not address email reputation or spam filtering issues.
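How the reputation check in the correct answer is actually performed, as an added example that is not part of the quiz: a DNSBL is queried by reversing the address labels under the list's zone and looking up an A record, where an answer in 127.0.0.0/8 means "listed" and NXDOMAIN means "not listed" (RFC 5782). The zone dnsbl.example.test and the in-memory listing behind constructed_resolve() are constructed; for real use pass socket.gethostbyname as the resolver and respect the list operator's query terms.

```python
"""Query-name construction and result interpretation for a DNS-based blocklist (DNSBL).

Added example, not part of the quiz. The zone dnsbl.example.test and the
_CONSTRUCTED_LIST behind constructed_resolve() are constructed; in real use
pass socket.gethostbyname (or a dnspython resolver) as 'resolve'.
"""
import ipaddress
import socket
from typing import Callable, Optional

# Constructed zone contents: reversed address under the zone -> answer code.
# 127.0.0.2 is the RFC 5782 "always listed" test address; 127.0.0.1 must never be listed.
_CONSTRUCTED_LIST = {
    "2.0.0.127.dnsbl.example.test": "127.0.0.2",
    "9.113.0.203.dnsbl.example.test": "127.0.0.4",  # a listed sending host
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the address labels (octets for IPv4, hex nibbles for IPv6) under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 nibbles
    return ".".join(reversed(labels)) + "." + zone.rstrip(".")


def constructed_resolve(name: str) -> str:
    """Stand-in for socket.gethostbyname backed by the constructed zone above."""
    try:
        return _CONSTRUCTED_LIST[name]
    except KeyError:
        raise socket.gaierror("NXDOMAIN")


def dnsbl_lookup(ip: str, zone: str,
                 resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return the 127.0.0.x answer code if the IP is listed, None if it is not."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None  # NXDOMAIN: not listed
    if not answer.startswith("127."):
        # RFC 5782: an answer outside 127.0.0.0/8 means the list is broken or wildcarded,
        # so it must not be treated as a listing.
        raise RuntimeError(f"unexpected DNSBL answer {answer!r} for {ip}")
    return answer


def dnsbl_sanity_check(zone: str,
                       resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """RFC 5782 health check: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return (dnsbl_lookup("127.0.0.2", zone, resolve) is not None
            and dnsbl_lookup("127.0.0.1", zone, resolve) is None)


if __name__ == "__main__":
    zone = "dnsbl.example.test"
    print("list healthy:", dnsbl_sanity_check(zone, constructed_resolve))
    for sender in ("203.0.113.9", "192.0.2.1"):
        print(sender, "->", dnsbl_lookup(sender, zone, constructed_resolve))
```

Run the sanity check before trusting any list: a list that has been shut down and wildcarded will answer for every address, and without that check every outbound mail server would look blocklisted.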
Question 19: An email gateway administrator notices a surge in messages claiming to be from the company's domain but originating from unauthorized IP addresses. Which DNS record type should they verify is properly configured to specify authorized mail servers for their domain?
SPF records in DNS TXT
DKIM public keys
DMARC policies
DNSSEC zone signing
Question 19 Explanation: SPF records in DNS TXT specify the authorized mail servers that are permitted to send email on behalf of the domain, preventing spoofing by validating the source IP address against a published list.
DKIM public keys provide cryptographic signatures for message integrity, but do not specify which servers are authorized to send mail.
DMARC policies define how to handle messages that fail authentication, but they rely on the SPF or DKIM results (with identifier alignment) to decide, and do not list authorized servers themselves.
DNSSEC zone signing validates the integrity of DNS records, but does not specify mail server authorization for email sending.
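The SPF check from Question 19 and the DMARC alignment and policy logic from Question 7, evaluated offline as one added example that is not part of the quiz. The SPF and DMARC TXT records and the message identifiers are constructed; a real receiver fetches the records from DNS for the sending domain, runs full SPF (including include/a/mx terms) and DKIM signature verification, and uses the Public Suffix List for organizational domains, none of which this example does.

```python
"""SPF authorization and DMARC disposition, evaluated offline.

Added example, not part of the quiz. SPF_RECORD, DMARC_RECORD and the
message identifiers passed to dmarc_disposition() are constructed.
"""
import ipaddress

SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"  # constructed
DMARC_RECORD = "v=DMARC1; p=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@example.com"  # constructed


def spf_check(record: str, sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral for a record built from ip4, ip6 and all terms.

    include, a, mx and redirect need DNS lookups and are not implemented here.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        if mech.lower() == "all":
            return result
        for prefix in ("ip4:", "ip6:"):
            if mech.lower().startswith(prefix):
                try:
                    # 'in' is False across address families, so ip4 terms never match IPv6.
                    if ip in ipaddress.ip_network(mech[len(prefix):], strict=False):
                        return result
                except ValueError:
                    pass  # malformed term: ignore it, do not fail open
    return "neutral"  # RFC 7208 default when no mechanism matched


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value;' pairs and apply the relaxed-alignment defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Crude organizational domain (last two labels); real code uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment requires an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(tags: dict, from_domain: str, spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """Apply the DMARC rule: pass if SPF or DKIM passed with an aligned identifier."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]


if __name__ == "__main__":
    policy = parse_dmarc(DMARC_RECORD)
    for ip in ("192.0.2.77", "203.0.113.5"):
        result = spf_check(SPF_RECORD, ip)
        print(ip, "SPF", result, "->",
              dmarc_disposition(policy, "example.com", result, "example.com", "fail", ""))
```

The record above uses strict SPF alignment (aspf=s), so mail sent through a host authorized for mail.example.com with a From: of example.com fails DMARC even though SPF passes; that is the usual surprise when a subdomain or third-party sender is onboarded, and the rua reports are what reveal it.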
Question 20: A developer wishes to isolate a Linux process in a sandbox-like environment, ensuring that it is confined from the rest of the system to enhance security. Which command would be used?
ps -aux
ls -lah
sudo
chroot
Question 20 Explanation: ps -aux lists running processes on Linux systems but does not create an isolated environment.
ls -lah lists files with detailed information but provides no sandboxing capabilities.
sudo elevates privileges for command execution but does not isolate processes.
chroot changes the apparent root directory for a process and its children, creating a sandbox-like environment in which the process cannot see or open files outside the new root. chroot alone is not a hard security boundary, however: a process that keeps root privileges inside the chroot can escape it, so it is combined with dropping privileges, or replaced by namespaces and containers, in practice.