ISC2 CC Practice Exam 1
Take your exam preparation to the next level with fully simulated online practice tests designed to replicate the real exam experience. These exams feature realistic questions, timed conditions, and detailed explanations to help you assess your knowledge, identify weak areas, and build confidence before test day.
1. An organization deploys an IPS to protect its network. During a zero-day attack simulation, the IPS detects and blocks anomalous traffic that does not match any known signatures. What type of detection mechanism is the IPS using?
Correct Answer: B. Anomaly-based detection Explanation: The IPS blocks the traffic because it deviates from an established baseline of normal behaviour, not because it matches a known pattern, which is the defining characteristic of anomaly-based detection (B). Because it needs no predefined signature, this method can catch zero-day attacks, at the cost of a higher false-positive rate and a dependency on the quality of the learned baseline. Option A, Signature-based detection, relies on known attack patterns and cannot detect new or unknown threats. Option C, Behavior-based detection, evaluates what traffic or a process does against rules describing malicious actions, rather than measuring deviation from a baseline. Option D, Heuristic-based detection, scores traffic against expert-written rules or weighted patterns and likewise does not involve baseline comparison.
2. An organization needs to securely dispose of obsolete hard drives containing sensitive data to prevent unauthorized recovery. Which approach best achieves this goal?
Correct Answer: B Explanation: The correct answer is B because physically destroying the drives by shredding, or degaussing their magnetic platters, leaves the data unrecoverable. Both are accepted sanitization methods for magnetic hard drives; note that degaussing has no effect on solid-state drives, which must be shredded or cryptographically erased instead. Option A is incorrect because a quick format only removes file-system pointers and leaves the data blocks intact and recoverable with ordinary forensic tools. Option C is incorrect because deleting files and reinstalling the OS does not overwrite the underlying data. Option D is incorrect because encryption alone is not a disposal method: the ciphertext remains on the drive, and the data is recoverable if the key is ever obtained.
3. A company has deployed security guards to monitor access points at a high-security facility. Which of the following is the most critical consideration when assigning security guards to access control duties?
Correct Answer: A) Guards should be rotated frequently to prevent complacency Explanation: Frequent rotation of guards (A) is critical to prevent complacency, which can lead to security lapses or reduced vigilance. Guards who are stationed in the same location for long periods may become less alert and overlook potential security threats. Giving guards unrestricted access to all parts of the facility (B) could create security risks, as it increases the chances of unauthorized access or misuse of their position. Having guards on the same shift schedule (C) may lead to fatigue, reducing the overall effectiveness of the monitoring. Assigning guards to multiple tasks (D) may reduce the focus on critical security functions, which is a key issue when managing access control.
4. A network administrator notices that some employees are using unauthorized devices to connect to the corporate WiFi network. To prevent this, which security mechanism should the administrator enable?
Correct Answer: B. Enable MAC address filtering Explanation: The correct answer is (B) because MAC address filtering lets the administrator specify which hardware addresses may join the network, so a device not on the allow list is refused. Be aware that this is a weak control in practice: MAC addresses appear in cleartext in wireless frames and can be changed in software, so an attacker can copy the address of an authorised device; MAC filtering should be layered under stronger controls such as 802.1X (WPA-Enterprise) authentication or NAC. (A) Disabling SSID broadcasting is ineffective because the SSID still appears in probe and association frames and is trivially recovered with a WiFi sniffer. (C) Using static IP addresses does not prevent unauthorized devices from connecting; it only controls addressing. (D) A guest WiFi network separates guest traffic but does nothing to keep unauthorized devices off the corporate network.
5. An organization uses a PaaS solution to host its microservices architecture. During a security review, it is identified that sensitive API endpoints are exposed without authentication. How should the organization address this vulnerability?
Correct Answer: B. Configure the PaaS environment to enforce authentication and access control Explanation: Configuring the PaaS environment to enforce authentication and access control (B) is the correct answer because it addresses the specific vulnerability by securing API endpoints. Network segmentation (A) is useful for isolating components but does not directly secure API endpoints. Requesting the PaaS provider to encrypt API traffic (C) is insufficient without proper authentication and access controls. Moving the API endpoints to an on-premises server (D) is unnecessary and contradicts the benefits of using PaaS. Authentication and access control within the PaaS environment effectively secure the exposed endpoints.
6. During a security event, an IDS flagged a spike in traffic from an internal IP address as a potential threat. However, the investigation revealed the activity was caused by a legitimate data backup operation. What type of issue does this represent?
Correct Answer: B. False positive Explanation: A false positive (B) occurs when an IDS flags legitimate activity as malicious. Here the backup traffic was a genuine deviation from the host's usual volume, so the alert fired, but there was no attack. Option A, False negative, is the opposite failure: the IDS misses actual malicious activity. Option C, Zero-day detection, refers to identifying a previously unknown threat, which is not what happened. Option D, Log correlation error, would involve incorrect analysis of log data, whereas this was a direct IDS alert on observed traffic. The practical follow-up is to tune the detection, for example by documenting the backup host and its schedule, so that the same job does not keep generating alerts and desensitising analysts to the rule.
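Anomaly-based detection (question 1) and the false positive it can produce (question 6) are easier to see in code. The following Python script is an added example, not part of the original exam or of any vendor product: it scores each host's current traffic volume against that host's own recent history, flags statistical outliers without any signature, and then separates a documented backup job out as a known false positive. All addresses, volumes, the SCHEDULED_JOBS list and the z-score threshold are constructed assumptions.

```python
"""Anomaly-based detection over per-host traffic volumes (added example)."""
from statistics import mean, pstdev

# Constructed baseline: bytes sent per 5-minute interval by each internal host
# over the previous eight intervals. All addresses and numbers are invented.
BASELINE = {
    "10.0.1.15": [120_000, 135_000, 110_000, 128_000, 140_000, 125_000, 130_000, 118_000],
    "10.0.1.22": [900_000, 950_000, 880_000, 910_000, 940_000, 920_000, 905_000, 930_000],
    "10.0.2.40": [50_000, 52_000, 48_000, 51_000, 49_000, 50_500, 50_200, 49_800],
}

# Constructed observation for the current interval.
OBSERVED = {
    "10.0.1.15": 131_000,      # ordinary workstation traffic
    "10.0.1.22": 14_500_000,   # backup server running its nightly job
    "10.0.2.40": 2_100_000,    # unexplained spike from a workstation
}

# Hypothetical tuning data maintained by the SOC: hosts whose large transfers
# are scheduled and documented, so an alert on them is a known false positive.
SCHEDULED_JOBS = {"10.0.1.22": "nightly-backup"}

Z_THRESHOLD = 4.0  # standard deviations above baseline that count as anomalous


def zscore(value, history):
    """Standard score of value against the host's own history."""
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        # Perfectly flat baseline: any change is a deviation, no change is none.
        return float("inf") if value != mu else 0.0
    return (value - mu) / sigma


def detect(observed, baseline, threshold=Z_THRESHOLD):
    """Return (host, reason) pairs for hosts whose current volume deviates from
    their baseline. No signatures are involved: the only reference is what each
    host normally does, which is what lets this catch an attack never seen before."""
    alerts = []
    for host, value in observed.items():
        history = baseline.get(host)
        if not history:
            # A host with no learned baseline cannot be scored; escalate, do not ignore.
            alerts.append((host, "no baseline"))
            continue
        z = zscore(value, history)
        if z > threshold:
            alerts.append((host, round(z, 1)))
    return alerts


def triage(alerts, scheduled):
    """Split raw alerts into confirmed anomalies and documented scheduled activity.
    The second list is the false-positive class from the question: legitimate
    work that deviates from baseline because the baseline never included it."""
    confirmed, suppressed = [], []
    for host, reason in alerts:
        if host in scheduled:
            suppressed.append((host, scheduled[host]))
        else:
            confirmed.append((host, reason))
    return confirmed, suppressed


if __name__ == "__main__":
    raw = detect(OBSERVED, BASELINE)
    confirmed, suppressed = triage(raw, SCHEDULED_JOBS)
    print("raw alerts:", raw)
    print("confirmed:", confirmed)
    print("suppressed as scheduled:", suppressed)
```

Suppressing the backup host is the quick fix; the better one is to build the baseline per hour of day (or per day of week) so the nightly transfer becomes part of what "normal" means for that host and the rule keeps its sensitivity for everything else.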
7. An e-commerce company experiences a sudden outage during a major sale event. Investigation reveals the outage was caused by an overwhelming number of HTTP requests originating from thousands of different IP addresses. Which type of attack does this scenario describe?
Correct Answer: B. Distributed Denial-of-Service (DDoS) attack Explanation: The scenario describes a situation where an overwhelming number of HTTP requests from thousands of IP addresses caused an outage, which is characteristic of a Distributed Denial-of-Service (DDoS) attack (B). DDoS attacks aim to disrupt service availability by overloading systems with traffic. Option A, SQL injection attack, targets databases through web applications but does not involve overwhelming traffic. Option C, Cross-site scripting (XSS) attack, injects malicious scripts into web pages but does not cause service outages due to high traffic. Option D, Phishing attack, attempts to steal user information via deceptive communication, unrelated to traffic overload on servers.
8. An organization with a robust incident response plan is able to quickly contain a ransomware attack, limiting financial and operational damage. What does this scenario demonstrate about the importance of incident response?
Correct Answer: B. It helps the organization recover operational capabilities effectively. Explanation: The importance of incident response lies in its ability to mitigate the impact of a security incident and restore operational capabilities efficiently (B). This highlights how a well-executed incident response minimizes disruption and financial losses. Option A (avoiding breaches entirely) is incorrect because no system is immune to breaches; incident response deals with minimizing damage, not complete avoidance. Option C (guaranteeing no data loss) is unrealistic since some data may be lost depending on the breach's nature. Option D (removing the need for cybersecurity insurance) is incorrect, as incident response complements risk mitigation strategies, including insurance, rather than replacing them.
9. A system administrator is tasked with assigning permissions for a shared folder containing confidential project documents. To ensure compliance with the principle of least privilege, the administrator assigns permissions to allow employees to only view files but not modify or delete them. Later, an employee requests additional write access to update project details. Which of the following actions by the administrator best adheres to the principle of least privilege?
Correct Answer: B. Granting write access only to the specific file the employee needs to update. Explanation: The principle of least privilege ensures users have only the access they need to perform their duties, minimizing potential misuse or accidental damage. (A) is incorrect because granting write access to all shared folders exceeds the specific need and increases risk. (B) is correct as it limits the access to just the file needed, aligning with the principle. (C) is incorrect because assigning an administrator role grants excessive privileges, violating the principle. (D) is incorrect as it denies the necessary permissions and introduces inefficiency instead of addressing the need securely.
10. An organization uses a data classification scheme that includes labels such as "Public," "Confidential," and "Restricted." A team member is preparing a document for external distribution but notices it is labeled "Confidential." What is the best course of action before sharing the document externally?
Correct Answer: C Explanation: The correct answer is C because requesting authorization to downgrade the label ensures compliance with the organization's data labeling policy while verifying that the content is appropriate for external sharing. Option A (A) is incorrect because changing the label without review violates the data labeling process and may expose sensitive information. Option B (B) is incorrect because sharing labeled data without policy adherence undermines security, regardless of perceived trustworthiness. Option D (D) is incorrect because encryption alone does not address the inappropriate sharing of content labeled as "Confidential."
11. An attacker sends an email posing as the company's HR department, requesting employees to click on a link to confirm their personal details for payroll updates. Which element of social engineering does this attack exploit, and how should employees be trained to handle such situations?
Correct Answer: B Explanation: This attack exploits authority (B): the email appears to come from HR, a trusted internal department, so recipients are inclined to comply without question. Training employees to verify the sender through a known channel, for example by calling HR on a published number rather than replying to the message or using its link, ensures they do not act on perceived authority alone. Urging quick action (A) is itself an attacker tactic, and training that encourages it increases vulnerability. Advising employees never to interact with links (C) is unrealistic for business processes and ignores the need for verification. Curiosity (D) is sometimes exploited in social engineering, but it is not the lever in this case. Verification training is the direct counter to authority-based pretexts.
12. During routine maintenance of a data center, the team noticed a lack of proper cable management, leading to increased difficulty in identifying connections and potential airflow blockage. What is the most effective solution to resolve this issue?
Correct Answer: A. Install cable trays and label all cables Explanation: Installing cable trays and labeling all cables (A) is the correct answer because it ensures proper organization and management of cables, allowing for easier identification and preventing airflow obstruction caused by tangled or cluttered cables. Using shorter cables (B) is incorrect because it does not address the root issue of organization and could lead to stretching or disconnections. Placing cables on the floor (C) is highly discouraged as it introduces tripping hazards, impairs airflow, and compromises cable integrity. Disconnecting and rerouting cables during troubleshooting (D) is a reactive approach and does not solve the underlying problem. Cable trays and labeling offer a proactive and systematic solution to ensure both accessibility and efficient cooling in the data center.
13. A security administrator configures an Intrusion Prevention System (IPS) to monitor all incoming network traffic for signs of SQL injection attacks. During a penetration test, the IPS successfully blocks a malicious query before it reaches the database server. What is the primary role of the IPS in this scenario?
Correct Answer: B. Blocking malicious traffic Explanation: The IPS actively blocks the SQL injection attack before it reaches the database, fulfilling its primary role of preventing malicious traffic (B). Option A, Detecting malicious activity, describes an Intrusion Detection System (IDS), which does not block traffic. Option C, Monitoring network performance, is unrelated to the described functionality of the IPS. Option D, Logging security events, is a secondary function of an IPS, as its primary purpose is prevention.
14. A company relies on a SaaS-based customer relationship management (CRM) system to store sensitive customer data. During a security review, it is discovered that the SaaS provider does not allow the company to manage its own encryption keys. What should the company do to ensure better control over its data?
Correct Answer: B. Implement a bring-your-own-key (BYOK) solution with the SaaS provider Explanation: Implementing a bring-your-own-key (BYOK) solution with the SaaS provider (B) is the correct answer because it lets the company generate, rotate and revoke the encryption keys itself, giving it control over who can decrypt its data. Using an on-premises CRM solution (A) may not be feasible due to cost and scalability issues. Encrypting data before uploading it (C) can limit the functionality of the SaaS platform, such as search and analytics. Requesting stronger encryption algorithms (D) does not address the lack of control over the keys. Note the practical limit of BYOK: the provider still uses the supplied key at runtime to process the data, so BYOK addresses key custody and revocation rather than preventing the provider from ever seeing plaintext; if that stronger guarantee is required, client-side encryption (option C) is the trade-off to revisit.
15. A company implements a badge-based access control system that uses proximity cards. Which of the following is a potential security improvement over this basic system?
Correct Answer: B) Requiring two-factor authentication by combining badges with biometrics Explanation: Two-factor authentication (B), combining badges with biometrics (e.g., fingerprint or facial recognition), significantly enhances security by adding another layer of verification, making it harder for unauthorized individuals to gain access even if they possess a stolen or lost badge. Switching to a barcode system (A) does not inherently improve security as barcodes are easy to replicate and do not offer the same level of security as proximity cards. Reducing the number of card readers (C) could make the system more convenient but does not directly improve security. Increasing badge expiration frequency (D) may address the issue of expired credentials but does not directly protect against unauthorized access from valid badges.
16. A software development team proposes a major update to the company’s e-commerce platform, which involves changes to both the front-end user interface and back-end payment processing. According to the change management policy, what is the most critical step to ensure the update can be reversed if it causes issues?
Correct Answer: C Explanation: The correct answer is (C) because creating a comprehensive rollback plan ensures that the update can be reversed quickly and efficiently if it causes issues, which minimizes disruption. (A) is incorrect because documenting changes is important but does not address how to handle a failed implementation. (B) is incorrect because a post-implementation review happens after deployment and does not prevent or address immediate problems. (D) is incorrect because deploying outside business hours may reduce impact but does not mitigate the risks of failed changes. A rollback plan is essential for maintaining system stability.
17. A company is implementing a new cybersecurity program and needs to prioritize its risks. The risk management process includes the steps of identifying, assessing, treating, and monitoring risks. Which of the following best describes the purpose of the "assessment" phase in risk management?
Correct Answer: B) To determine the potential impact and likelihood of identified risks Explanation: The "assessment" phase in the risk management process involves evaluating the identified risks by determining both the likelihood of occurrence and the potential impact on the organization if the risk occurs. This helps in prioritizing the risks based on their severity. Option (A) focuses on cost-effectiveness, which pertains more to the treatment phase, not the assessment phase. Option (C) refers to policy creation, which typically occurs before the actual risk management steps begin. Option (D) refers to the execution of treatment plans, which happens after the risk assessment has been completed.
18. A marketing manager is asked to provide their credentials to an external vendor to facilitate a project involving third-party software. The organization’s Acceptable Use Policy (AUP) prohibits sharing credentials under any circumstances. How should the marketing manager proceed while ensuring compliance with the AUP?
Correct Answer: D Explanation: The correct answer is (D) because refusing to provide credentials and escalating the issue ensures compliance with the AUP and allows the IT department to address the request securely, such as through a temporary account. (A) is incorrect because sharing credentials, even temporarily, violates the AUP and creates a significant security risk. (B) is incorrect because exceptions to the AUP for credential sharing compromise the integrity of the policy. (C) is incorrect because setting up a separate account without IT oversight could lead to improper configuration or policy violations. Escalating the request ensures the appropriate security measures are applied.
19. A company’s network infrastructure includes redundant switches to prevent downtime during equipment failure. However, during a recent outage, the redundancy failed to activate due to misconfigurations. What protocol should be used to automatically switch to the backup switch in such scenarios?
Correct Answer: B. Spanning Tree Protocol (STP) Explanation: Spanning Tree Protocol (STP) (B) is the correct answer because it is the Layer 2 mechanism that makes redundant switch links usable safely: it blocks the redundant paths to prevent loops, then unblocks a backup path automatically when the active link or switch fails, so traffic reconverges without manual intervention. Dynamic Host Configuration Protocol (DHCP) (A) is incorrect because it assigns IP addresses and has nothing to do with redundancy. Border Gateway Protocol (BGP) (C) manages routing between autonomous systems and does not provide switch redundancy. Simple Network Management Protocol (SNMP) (D) monitors and manages devices but does not perform failover. In practice, classic 802.1D STP can take tens of seconds to reconverge, so Rapid STP (802.1w) is normally preferred, and a failover that did not happen because of misconfiguration is exactly what verifying bridge priorities and port roles before an outage is meant to catch.
20. A security analyst uses a scanning tool to identify known weaknesses in the organization's systems and compares the findings to a database of vulnerabilities. What type of scan is being performed in this scenario?
Correct Answer: A. Vulnerability scan Explanation: Matching a system's software, versions and configuration against a database of known vulnerabilities defines a vulnerability scan (A). A vulnerability scan reports weaknesses that are known and potentially exploitable; confirming that a finding can actually be exploited in this environment is the job of a penetration test, which is why scan output still needs validation and prioritisation. Option B, Port scan, identifies open ports and listening services but does not assess vulnerabilities. Option C, Network mapping scan, discovers the layout and devices of a network, which is a different goal from identifying vulnerabilities. Option D, Heuristic scan, analyses patterns or behaviours and does not compare findings to a vulnerability database.
21. A company’s CCTV system is configured to record footage continuously, but the data storage space is limited, and the system automatically deletes the oldest footage to make room for new data. Which of the following is the most significant risk associated with this configuration?
Correct Answer: A) The system may fail to capture security incidents due to data overwriting Explanation: The most significant risk (A) is that footage of an incident is overwritten before anyone reviews it, so evidence is lost; this is most likely when an incident is discovered days later, after the retention window has already rolled over. Storing footage in low resolution (B) would reduce its usefulness, but resolution is not the issue raised by limited storage. Frequent maintenance (C) may be needed to manage storage, but it is an operational cost, not a loss of evidence. Wear and tear on cameras (D) is a consideration, but the storage configuration is the primary concern here. The remedy is to size storage to a documented retention period that matches how long incidents typically take to surface, and to export and preserve footage of any known incident immediately.
22. A company’s physical access control system logs every time an individual enters or exits a secure area, including the time and credentials used. The security team notices that certain logs show multiple failed attempts to enter the same area. What should the security team do to respond to these logs?
Correct Answer: B) Investigate the failed attempts immediately to determine if they are part of a brute-force attack or unauthorized access attempt Explanation: Investigating the failed attempts immediately (B) is the best course of action, as it allows the security team to determine whether the attempts are part of a brute-force attack or other unauthorized access attempt. Ignoring failed attempts (A) increases the risk of allowing an attacker to gain access without being detected. Blocking user credentials (C) could be too drastic and might interfere with legitimate users, especially if they are simply making errors. Reviewing logs periodically (D) only after multiple failed attempts delays action, allowing an attack to proceed further.
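A security team that wants to act on these logs rather than read them by hand needs a rule that distinguishes a burst of failures on one credential from an ordinary misread badge. The following Python script is an added example, not part of the original exam or any access-control product: it walks a constructed badge-reader log and raises one alert per (door, credential) pair that accumulates a threshold of denials inside a sliding time window, which is the pattern a brute-force or guessed-credential attempt leaves behind. The log entries, door names, credential numbers, window and threshold are all invented assumptions.

```python
"""Burst detection on badge-reader logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-control log: (timestamp, door, credential_id, result).
# Every value is invented for this example.
SAMPLE_EVENTS = [
    ("2024-03-01T07:58:10", "LAB-2", "4471", "DENIED"),
    ("2024-03-01T07:58:25", "LAB-2", "4471", "DENIED"),
    ("2024-03-01T07:58:41", "LAB-2", "4471", "DENIED"),
    ("2024-03-01T07:59:02", "LAB-2", "4471", "DENIED"),
    ("2024-03-01T07:59:20", "LAB-2", "4471", "DENIED"),
    ("2024-03-01T07:59:37", "LAB-2", "4471", "DENIED"),
    ("2024-03-01T08:01:00", "LAB-2", "1023", "DENIED"),   # a misread card
    ("2024-03-01T08:01:08", "LAB-2", "1023", "GRANTED"),  # second swipe works
    ("2024-03-01T08:30:00", "LOBBY", "1023", "GRANTED"),
    ("2024-03-01T09:15:00", "LAB-2", "2290", "DENIED"),
    ("2024-03-01T11:15:00", "LAB-2", "2290", "DENIED"),   # too far apart to be a burst
]


def parse_ts(value):
    """Timestamps in the constructed log are ISO 8601 without a timezone."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Return one alert per (door, credential) that accumulates at least
    `threshold` denials inside any `window`-long span. Successful entries are
    ignored; a credential that fails once and then succeeds does not alert."""
    recent = defaultdict(deque)   # (door, credential) -> timestamps of recent denials
    alerted = set()
    alerts = []
    for ts_text, door, cred, result in sorted(events):
        if result != "DENIED":
            continue
        ts = parse_ts(ts_text)
        key = (door, cred)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop denials older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "door": door,
                "credential": cred,
                "failures": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The alert carries the first and last timestamps so the investigator can pull CCTV for exactly that span and check whether the credential's owner was even on site; the threshold and window should be set from the site's own history of honest misreads so legitimate fumbling does not page anyone.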
23. A financial institution uses a VPN for secure remote access to its internal systems. During a security review, it was identified that the VPN connections could be vulnerable to session hijacking. What measure should the institution implement to mitigate this risk?
Correct Answer: A. Use two-factor authentication (2FA) for VPN access Explanation: Using two-factor authentication (2FA) (A) is the correct answer because an attacker who captures or steals VPN credentials still cannot establish a session of their own, which removes the most common route to taking over a user's VPN access. Deploying stronger encryption algorithms (B) protects the confidentiality of tunnelled data but, on its own, does not change who can authenticate. Configuring static IP addresses for remote users (C) provides consistent addressing but is easily spoofed and does not protect a session. Enabling split tunnelling (D) is incorrect because it routes non-corporate traffic outside the VPN, widening the client's exposure rather than reducing it. A practitioner should note that 2FA hardens the authentication step; taking over a session that is already established is countered by binding session tokens to the tunnel, short idle timeouts and periodic re-authentication, which are worth pairing with 2FA.
24. To protect a highly secure laboratory, an organization installs a set of locked gates and guards the entrances with security personnel. Which physical control is being used in this scenario?
Correct Answer: C) Barriers Explanation: The locked gates and security personnel are a form of physical barriers, which physically prevent unauthorized access to the secure area. Barriers are designed to control physical access to sensitive locations. (A) Access control involves systems like keycards or biometric scanners, but locked gates are specifically a physical barrier. (B) Surveillance, such as CCTV cameras, involves monitoring but does not provide a physical deterrent to entry. (D) Monitoring refers to the observation of activities, like using CCTV or logs, but physical barriers are the primary measure in this scenario.
25. A large financial institution identifies a significant risk related to cyberattacks that could disrupt their online services. However, the institution is unable to fully mitigate this risk due to the high cost of implementing preventive measures. Instead, the institution decides to purchase cybersecurity insurance to cover potential losses. Which of the following is this approach an example of?
Correct Answer: C) Risk transference Explanation: Risk transference shifts the financial consequences of a risk to a third party, here by purchasing cyber insurance; if an attack occurs, the insurer rather than the institution absorbs the covered losses. Option (A) is incorrect because risk mitigation reduces likelihood or impact through controls, which the institution decided it could not afford. Option (B) is incorrect because risk avoidance would eliminate the risk by not offering the online services at all. Option (D) is incorrect because risk acceptance means tolerating the risk without mitigating or transferring it. Note that insurance transfers only the financial impact: the operational disruption, reputational harm and anything excluded by the policy remain with the institution as residual risk.
26. A company deploys antivirus software to detect and mitigate threats after identifying multiple cases of malicious code altering legitimate files and spreading via USB drives. Which type of malware are they specifically targeting?
Correct Answer: B. Virus Explanation: Malicious code that alters legitimate files and spreads via USB drives is the classic description of a virus (B): it attaches itself to existing files or media and relies on a user action, such as opening the file or plugging in the drive, to propagate. Option A, Worm, self-replicates across networks (and sometimes removable media) as a standalone program without infecting existing files; the file alteration described here is the virus hallmark. Option C, Keylogger, records keystrokes and neither infects files nor spreads on its own. Option D, Botnet, is a network of compromised devices used for coordinated attacks, not a file-infecting propagation mechanism.
27. A development team uses a Platform as a Service (PaaS) to deploy web applications. To enhance security, the team must ensure that sensitive customer data stored in the application database is protected. Who is primarily responsible for implementing encryption for the database in the PaaS model?
Correct Answer: B. The development team, since they manage the application and its data Explanation: The development team (B) is the correct answer because, under the PaaS shared responsibility model, the provider secures the underlying infrastructure and platform while the customer remains responsible for its applications and data, including the decision to encrypt the database and the configuration and key management that go with it. The PaaS provider (A) secures the platform and may offer encryption features, but it does not decide how a customer's application protects its data. Option (C) is incorrect as the question is framed: responsibility for the cloud as a whole is shared, but responsibility for encrypting this customer's data sits with the customer. Hiring a third-party consultant (D) may help with strategy, but the implementation responsibility stays with the development team.
28. A cloud service SLA includes a section on security and compliance. It specifies the provider's responsibility for maintaining encryption of data in transit and at rest. If a compliance audit reveals a failure to meet this requirement, what clause should the organization rely on to address the issue?
Correct Answer: C. Breach notification and remediation clause Explanation: The breach notification and remediation clause (C) is the correct answer because it outlines the actions the provider must take if they fail to meet security or compliance requirements, such as maintaining encryption. Service availability guarantees (A) focus on uptime and do not address security issues. Data retention policies (B) pertain to how data is stored and deleted, not compliance failures. Technical support response time (D) relates to addressing customer issues but does not cover security remediation. The breach notification and remediation clause ensures accountability and corrective action in case of non-compliance with SLA security terms.
29. A network administrator detects an unauthorized scan originating from an external IP address. The scan attempts to probe a wide range of ports on the organization’s firewall to identify open ports. What type of scanning activity is the attacker likely conducting?
Correct Answer: D. Horizontal scan Explanation: The scenario is a port scan: one source sweeping a wide range of ports on a single target to learn which services are open. Be aware that standard terminology calls that a vertical scan, while a horizontal scan probes the same port or a small set of ports across many hosts; the keyed answer (D) uses the term loosely, and the distinction the question is testing is between a broad port sweep and the more specific techniques in the other options. Option A, OS fingerprinting, infers the operating system from how a target responds but does not probe the whole port range. Option B, SYN scan, is a half-open technique for checking individual ports; it describes how a probe is sent, not the breadth of the sweep. Option C, Full-connect scan, completes the TCP handshake on each port and is easier to detect, but it likewise describes the probe method rather than the scope. In firewall logs, the shape to look for here is many destination ports from one source against one destination.
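The vertical/horizontal distinction is easiest to pin down by counting what each source touched. The following Python script is an added example, not part of the original exam or of any firewall product: it parses constructed firewall deny lines and labels each source as a vertical scan (many ports, one host, the question's scenario), a horizontal scan (one port, many hosts), a block scan (many of both) or normal. The log format, addresses, thresholds and the `parse`/`classify_sources` helpers are all assumptions made for the example, and the block-scan case goes beyond the question to show the general rule.

```python
"""Classifying port-scan shape from firewall deny logs (added example)."""
import re
from collections import defaultdict


def make_line(ts, src, dst, dport):
    """Build one constructed, syslog-like firewall deny line."""
    return f"{ts} fw DENY src={src} dst={dst} proto=TCP dport={dport}"


# Constructed log: every address and event is invented for this example.
SAMPLE_LOG = "\n".join(
    # one source probing ports 20-1044 on the firewall's address: vertical scan
    [make_line("2024-03-01T02:10:01Z", "203.0.113.7", "198.51.100.10", p)
     for p in range(20, 1045)]
    # one source probing port 3389 across a whole /24: horizontal scan
    + [make_line("2024-03-01T02:11:05Z", "203.0.113.9", f"198.51.100.{i}", 3389)
       for i in range(1, 255)]
    # one source probing 20 ports on 20 hosts: block scan
    + [make_line("2024-03-01T02:12:30Z", "203.0.113.77", f"198.51.100.{i}", p)
       for i in range(30, 50) for p in range(1, 21)]
    # one ordinary blocked connection attempt
    + [make_line("2024-03-01T02:13:00Z", "203.0.113.50", "198.51.100.10", 443)]
)

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=\S+ dport=(\d+)")


def parse(log_text):
    """Return (src, dst, dport) for lines matching the expected format; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), int(m.group(3))))
    return events


def classify_sources(events, port_threshold=10, host_threshold=10):
    """Label each source IP by the shape of what it probed.

    vertical   - many ports on one target (the question's scenario)
    horizontal - one port (or a few) across many targets
    block      - many ports across many targets
    normal     - below both thresholds
    """
    hosts_by_src = defaultdict(set)
    ports_by_src = defaultdict(set)
    for src, dst, dport in events:
        hosts_by_src[src].add(dst)
        ports_by_src[src].add(dport)

    labels = {}
    for src in hosts_by_src:
        many_ports = len(ports_by_src[src]) >= port_threshold
        many_hosts = len(hosts_by_src[src]) >= host_threshold
        if many_ports and many_hosts:
            labels[src] = "block"
        elif many_ports:
            labels[src] = "vertical"
        elif many_hosts:
            labels[src] = "horizontal"
        else:
            labels[src] = "normal"
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify_sources(parse(SAMPLE_LOG)).items()):
        print(f"{src:<14} {label}")
```

Thresholds of ten distinct ports or hosts are a starting point; a real deployment would also bound the time window, since a source that legitimately talks to many hosts over a day is not a scanner.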
30. A company has implemented NAC to prevent compromised endpoints from accessing the corporate network. After the initial NAC deployment, IT discovered that devices were connecting to the network but bypassing compliance checks. What is the most likely reason for this issue?
Correct Answer: A. The NAC system is operating in monitor mode instead of enforcement mode Explanation: A NAC system in monitor (audit) mode (A) observes and reports compliance violations but does not block non-compliant devices, which matches the symptom exactly: devices connect, checks run, nothing is enforced. Lack of integration with directory services (B) would affect user authentication, not whether compliance results are enforced. Devices connecting through VPN tunnels (C) would still be subject to NAC policy unless explicitly excluded, which the scenario does not suggest. The north-south versus east-west distinction (D) concerns traffic flow direction for segmentation and firewall policy, not endpoint admission. Switching the NAC system to enforcement mode, after confirming that the audit-mode results are accurate, ensures that only compliant devices can access the network.
31. An attacker attempts to modify critical configuration files on a server. The modification is detected immediately by a system monitoring tool that logs the event and sends an alert to the security team. What is the primary purpose of the tool in this context?
Correct Answer: B. To monitor and alert on suspicious activities Explanation: Detecting the change, logging it and alerting the security team is the job of a host-based intrusion detection system (HIDS) or file integrity monitor (B): it compares the current state of protected files against a known-good baseline and raises an alert on deviation, leaving the response to people or to other controls. Option A, To block unauthorized modifications, describes a host-based intrusion prevention system (HIPS), which would stop the write rather than report it. Option C, To prevent access to the server, is an access control function, not intrusion detection. Option D, To perform a vulnerability assessment, identifies weaknesses in advance and does not detect changes as they happen.
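The detect-log-alert behaviour in this question is what a file integrity monitor does. The following Python script is an added example, not part of the original exam or of any HIDS product: it hashes every file under a directory into a baseline, re-scans after a simulated tampering, and reports added, deleted, modified and permission-changed files. The throwaway configuration tree, its contents and the simulated attacker edits are constructed for the example; a real monitor would keep the baseline signed and off-host, since an attacker with root can otherwise rewrite it.

```python
"""Minimal file-integrity monitor: baseline, re-scan, report (added example)."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (POSIX-style relative path) to its
    content hash and permission bits."""
    root = Path(root)
    state = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            state[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "mode": p.stat().st_mode & 0o777,
            }
    return state


def compare(baseline, current):
    """Return (event, relative_path) pairs for every difference. A content
    change is reported in preference to a permission change on the same file,
    so each path appears at most once."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append(("deleted", rel))
        elif rel not in baseline:
            events.append(("added", rel))
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            events.append(("modified", rel))
        elif baseline[rel]["mode"] != current[rel]["mode"]:
            events.append(("mode_changed", rel))
    return events


def demo():
    """Build a throwaway config tree, baseline it, tamper with it, and return
    what the monitor would log and alert on. All contents are constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "sudoers").write_text("root ALL=(ALL) ALL\n")
        baseline = snapshot(root)

        # Simulated attacker actions: weaken the SSH policy and drop in a sudo rule.
        (root / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication yes\n")
        (root / "sudoers.d").mkdir()
        (root / "sudoers.d" / "backdoor").write_text("eve ALL=(ALL) NOPASSWD: ALL\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for event, path in demo():
        print(f"ALERT {event}: {path}")
```

This is detection only, matching the question: the tampered files stay tampered until someone acts on the alert. Turning it into prevention would mean blocking the write (a HIPS function) rather than noticing it afterwards.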
32. An enterprise network has an on-premises setup that uses a centralized server for storing sensitive data. To protect this data from being accessed by unauthorized devices on the internal network, the security team decides to implement a solution that validates devices and enforces policies before granting network access. What solution should they deploy?
Correct Answer: A. Network Access Control (NAC) Explanation: Network Access Control (NAC) (A) is the correct answer because it ensures that only authorized devices that meet specific security policies can access the network, effectively preventing unauthorized devices from accessing sensitive data. A Virtual Private Network (VPN) (B) is incorrect because it secures connections over the internet but does not control which devices can access the network. A stateful firewall (C) is also incorrect because, while it tracks the state of active connections and enforces rules, it does not validate devices or enforce endpoint security policies. An Intrusion Prevention System (IPS) (D) detects and prevents threats but does not enforce access policies based on device compliance. NAC is specifically designed for controlling network access, making it the most appropriate solution in this scenario.
33. A cybersecurity team observes a surge in network traffic originating from a botnet, consuming the organization's bandwidth and causing legitimate users to be unable to access services. Which DDoS attack method is most likely being used in this scenario?
Correct Answer: A. Amplification attack Explanation: A surge of traffic that exhausts the organization's bandwidth is a volumetric (flooding) attack, and among the options only an Amplification attack (A) describes one. In an amplification attack the attacker sends small requests with a spoofed source address (the victim's) to open services such as DNS, NTP or memcached that answer with much larger responses, so the victim receives far more traffic than the attacker, or its botnet, originally sent. Option B, Malware injection attack, concerns delivering malicious code and does not describe traffic generation. Option C, IP spoofing attack, is a technique used inside amplification and other DDoS attacks but is not itself the method that produces the surge. Option D, Credential stuffing attack, attempts to log in with leaked credentials and has nothing to do with exhausting bandwidth.
34. A multinational company is auditing its data classification practices and discovers that many employees are unaware of how to properly classify or handle data. What is the most effective step the organization can take to address this issue?
Correct Answer: C Explanation: The correct answer is C because comprehensive training ensures that employees understand the data classification policy and know how to apply it effectively, reducing errors and improving compliance. Option A (A) is incorrect because audits identify issues but do not directly address the root cause of employee awareness gaps. Option B (B) is incorrect because while automation can help, it cannot replace the need for employee understanding of classification policies, particularly for complex or subjective decisions. Option D (D) is incorrect because eliminating data classification undermines security and compliance requirements, leaving sensitive data vulnerable.
35. A company has installed a gate entry system with a security guard monitoring the access logs. Which of the following is a significant limitation of this monitoring approach?
Correct Answer: A) The security guard may become complacent, overlooking irregularities in the access logs Explanation: The significant limitation of having a security guard monitor access logs (A) is the potential for human error, such as complacency, which could lead to irregularities being overlooked. While the gate entry system may not always provide visual evidence (B), it is still helpful when combined with other security measures like CCTV. Real-time monitoring of access logs (C) is not an inherent limitation of a system with guards, but a lack of real-time monitoring could be a problem depending on how logs are reviewed. Storing access logs for historical analysis (D) is generally a good practice, but this limitation is not specific to the scenario described.
36. During a risk assessment of a network infrastructure, the team identifies water leaks as a potential threat to the equipment in the data center. What is the most appropriate solution to mitigate this environmental risk?
Correct Answer: A. Install a water detection system and implement raised flooring Explanation: Installing a water detection system and implementing raised flooring (A) is the correct answer because the two measures combine early detection with physical separation from the hazard. Water detection sensors alert administrators to a leak before significant damage occurs, and raised flooring keeps equipment and cabling above the level at which leaking water pools, so a leak is far less likely to reach critical infrastructure. Placing equipment on elevated platforms and sealing floor gaps (B) is incorrect because it offers no detection and is a less complete form of the same idea. Using waterproof enclosures for equipment racks (C) is impractical and costly, and it does not address the underlying issue of water leaks. Regular inspections (D) are useful but not sufficient as a standalone solution since they do not provide real-time detection or preventive measures. Water detection systems and raised flooring work together to minimize the risk effectively.
37. A facility uses environmental design to control access by creating a single point of entry for all personnel. Which of the following is the primary benefit of this approach?
Correct Answer: C) Simplifies monitoring and identification of personnel entering and exiting the facility Explanation: Creating a single point of entry (C) simplifies monitoring and identification by funneling all personnel through a centralized checkpoint, making it easier to track access and detect unauthorized attempts. While it may reduce costs for security personnel (A), this is not the primary benefit. Unauthorized access prevention (B) depends on additional measures, such as access controls and surveillance. Enhancing aesthetic appeal (D) is unrelated to the primary goal of improving security through environmental design.
38. An organization implements a database system to track employee records. During an audit, it is discovered that several records were altered without authorization, resulting in inaccurate payroll processing. What measure should the organization prioritize to address this issue and ensure integrity?
Correct Answer: B. Implement data hashing Explanation: The organization should prioritize implementing data hashing (B) to ensure the integrity of the employee records. Hashing produces a fixed-size digest of a record, so a record changed after its digest was recorded can be spotted by recomputing the digest and comparing it with the stored value. For the check to mean anything, the digests must be kept where someone who can alter the records cannot also rewrite them: in practice that means storing them separately from the database, using a keyed hash (HMAC) or digital signature whose key the database users do not hold, or both. Option A (Encrypt database backups) protects confidentiality, not integrity. Option C (Strengthen user authentication) reduces unauthorized access but does not detect or prevent data alterations once access is obtained. Option D (Enable database replication) improves availability and fault tolerance but faithfully replicates unauthorized modifications along with everything else. Hashing makes tampering detectable, which addresses the integrity failure the audit uncovered; it does not by itself prevent the change or identify who made it, so it is normally paired with access control and audit logging.
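The following is an added example, not part of the original exam material, showing the check described in question 38 and why the key matters. The employee records, the key and the tampering are all constructed for the demonstration; the assumption is that the integrity key and the tag manifest are held somewhere the database users cannot write.

```python
import hashlib
import hmac
import json

# Constructed sample "employee records" table (not data from the page).
RECORDS = {
    101: {"id": 101, "name": "A. Example", "salary": 52000, "bank": "GB00EXAMPLE0001"},
    102: {"id": 102, "name": "B. Example", "salary": 61000, "bank": "GB00EXAMPLE0002"},
}

# Assumption: this key is held outside the database (secrets manager, HSM or a
# separate audit host), so an account that can UPDATE rows cannot read it.
INTEGRITY_KEY = b"example-key-kept-outside-the-database"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always gives identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_digest(record: dict) -> str:
    """Unkeyed SHA-256 of a record; anyone can recompute this."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 of a record; recomputing it requires the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def build_manifest(records: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Tag every record. The auditor keeps this manifest away from the database."""
    return {rid: keyed_tag(rec, key) for rid, rec in records.items()}


def verify_keyed(records: dict, manifest: dict, key: bytes = INTEGRITY_KEY) -> list:
    """Ids whose current content does not match the manifest tag (or that vanished)."""
    bad = []
    for rid, expected in manifest.items():
        rec = records.get(rid)
        if rec is None or not hmac.compare_digest(keyed_tag(rec, key), expected):
            bad.append(rid)
    return sorted(bad)


def verify_unkeyed(records: dict, digests: dict) -> list:
    """Same check with plain hashes stored alongside the data."""
    return sorted(rid for rid, d in digests.items()
                  if rid not in records or plain_digest(records[rid]) != d)


def demo() -> dict:
    manifest = build_manifest(RECORDS)

    # The audit finding: one salary altered without authorization. The attacker
    # has write access to the table, so they also overwrite any digests kept there.
    tampered = {rid: dict(rec) for rid, rec in RECORDS.items()}
    tampered[102]["salary"] = 99000
    digests_rewritten = {rid: plain_digest(rec) for rid, rec in tampered.items()}

    return {
        # Unkeyed hashes next to the data: the attacker recomputed them, so the
        # check reports nothing.
        "unkeyed_detected": verify_unkeyed(tampered, digests_rewritten),
        # Keyed tags: no valid tag without the key, and the auditor's manifest
        # still holds the original values.
        "keyed_detected": verify_keyed(tampered, manifest),
        "clean_baseline": verify_keyed(RECORDS, manifest),
    }
```

Run demo(): the unkeyed check returns an empty list even though record 102 was altered, while the keyed check returns [102]. A canonical serialization (sorted keys, no whitespace) is what makes the comparison stable across rows written by different clients.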
39. A company is implementing digital signatures to ensure the integrity and authenticity of critical business documents. Which of the following describes how asymmetric encryption is applied in this context?
Correct Answer: B Explanation: The correct answer is B because a digital signature is created by hashing the document and signing that hash with the sender’s private key, which only the sender holds. The recipient recovers the signed hash with the sender’s public key and compares it with a freshly computed hash of the document; a match shows both that the document was not altered and that it was signed by the holder of the private key. Option A (A) is incorrect because encrypting with the recipient's public key provides confidentiality (only the recipient can decrypt), not authenticity. Option C (C) is incorrect because the sender's public key is, by definition, available to anyone, so a value produced with it proves nothing about who produced it. Option D (D) is incorrect because the recipient’s private key is never involved: private keys are used only by their owners, to decrypt data encrypted to them or to sign, and the sender does not possess the recipient’s private key.
40. A finance team uses a proprietary financial application, and the IT department must configure user roles. There are three types of roles: viewer, editor, and admin. Only editors should have the ability to modify financial entries, while admins can manage application settings. A new employee is added to the finance team, requiring access to modify financial entries. Which configuration best applies the principle of least privilege?
Correct Answer: B. Assign the new employee to the editor role. Explanation: The principle of least privilege mandates granting only the minimum access required for job functions. (A) is incorrect because admin access includes permissions beyond what is needed, violating the principle. (B) is correct as the editor role provides only the necessary permissions for modifying financial entries. (C) is incorrect as combining roles can result in redundant or unintended permissions. (D) is incorrect because shared credentials pose a security risk and do not limit privileges appropriately.
41. A facility uses CCTV to monitor its parking lot, and one of the cameras has experienced technical issues, causing footage from that camera to be unavailable for several days. What would be the most effective way to prevent this issue from affecting security operations in the future?
Correct Answer: A) Set up automated alerts to notify staff when a camera goes offline Explanation: Setting up automated alerts (A) is the most effective way to proactively address technical issues, as it immediately notifies staff when a camera goes offline. This allows for rapid response and ensures that the area covered by the camera is not left unmonitored. Allowing the camera to be repaired during the next maintenance cycle (B) creates a security gap in the meantime. Disabling the camera (C) when it malfunctions does not solve the problem of monitoring the area, and might go unnoticed until it is too late. Removing the camera entirely (D) removes a critical monitoring point and would leave the parking lot vulnerable.
42. During a legal dispute, an organization needs to provide evidence that a specific financial transaction was authorized by a client. The transaction system uses digital certificates and logs each transaction with a unique hash and the client’s digital signature. What ensures non-repudiation in this case?
Correct Answer: B. Use of the client’s digital signature Explanation: The use of the client’s digital signature (B) ensures non-repudiation by providing verifiable proof that the client authorized the transaction. Option A (Encrypted transaction data) ensures confidentiality but does not prevent denial of authorization. Option C (Secure storage of transaction logs) protects the records but does not provide direct evidence linking the client to the transaction. Option D (Role-based access control for system users) limits access to the system but does not ensure that a transaction was authorized by the client. Digital signatures uniquely bind the transaction to the client, ensuring they cannot repudiate their involvement. The argument holds only as long as the private key is under the client’s sole control and the certificate was valid when the signature was made, which is why the certificate status and, ideally, a trusted timestamp are recorded alongside the signature.
43. A cybersecurity team implements network segmentation to isolate sensitive systems and reduce the impact of potential breaches. How does this preventive measure contribute to overall security?
Correct Answer: B. It reduces the attack surface by limiting lateral movement. Explanation: Network segmentation limits lateral movement within a network, thereby reducing the attack surface (B) and containing the impact of breaches. Option A, Preventing phishing attacks, is unrelated to network segmentation, as phishing primarily targets users via emails or communication channels. Option C, Enhancing password policies, involves access control but is not related to network segmentation. Option D, Ensuring encryption, pertains to securing data in transit, not network architecture.
44. A payroll administrator is responsible for preparing payroll data and also has access to initiate salary payments through the organization's financial system. A recent audit flagged this as a segregation of duties conflict. Which solution would most effectively resolve this issue?
Correct Answer: B. Assign a separate individual to review and approve salary payments prepared by the payroll administrator. Explanation: Segregation of duties ensures that no individual has end-to-end control of critical processes, such as payroll preparation and payment initiation. (A) is incorrect because a senior manager's approval still leaves preparation and initiation roles combined. (B) is correct because assigning approval to a separate individual ensures no single person can manipulate the process. (C) is incorrect as cross-checking after payments are made is a detective control rather than preventative. (D) is incorrect because supervision during preparation does not effectively separate the conflicting roles of preparation and initiation.
45. A security engineer is designing a network with a DMZ to host external-facing services. To ensure the DMZ is properly isolated, which network design approach should be used?
Correct Answer: B. Use separate subnets for the DMZ and the internal network, with firewalls controlling traffic flow Explanation: Using separate subnets for the DMZ and the internal network with firewalls controlling traffic flow (B) is the correct answer because it enforces logical isolation with the firewall as the only path between the two networks, so traffic from a compromised DMZ host toward internal systems can be restricted to exactly what is required. Placing all servers in the same subnet (A) is incorrect because it does not provide isolation, leaving the internal network exposed. Deploying a single firewall with different rules (C) offers less granular control and increases the risk of configuration errors. Implementing VLAN segmentation without firewalls (D) provides logical separation but lacks the enforced access control a firewall provides, making it insufficient for securing a DMZ. Subnetting and firewalls together create an effective security architecture for DMZ deployment.
46. A security analyst discovers that an attacker is measuring the electromagnetic emissions of a hardware device to extract cryptographic keys. What type of attack is the attacker performing?
Correct Answer: A. Side-channel attack Explanation: The attacker is using electromagnetic emissions to extract cryptographic keys, which is a classic example of a side-channel attack (A). Side-channel attacks exploit physical emissions like electromagnetic radiation to gain unauthorized access to sensitive information. Option B, SQL injection, targets database vulnerabilities through web applications and does not involve physical emissions. Option C, Phishing attack, involves social engineering to deceive users into revealing sensitive information but is unrelated to hardware emissions. Option D, Denial-of-Service (DoS) attack, focuses on disrupting service availability and does not involve extracting sensitive data via physical means.
47. During a malware outbreak, the incident response team quickly deploys updated antivirus signatures across the network to neutralize the threat. How does this action align with the purpose of incident response?
Correct Answer: B. It eradicates the malicious software to restore normal operations. Explanation: The purpose of incident response includes eradication of threats and recovery of normal operations. Deploying updated antivirus signatures to neutralize malware (B) directly serves this purpose by eliminating the immediate threat and enabling the organization to resume operations. Option A (ensuring compliance) may be a secondary outcome but does not define the action’s purpose. Option C (identifying vulnerabilities) is a valuable post-incident activity but is not the goal of immediate malware eradication. Option D (shifting responsibility) is incorrect because incident response focuses on resolving the issue within the organization rather than deflecting accountability.
48. A financial services firm processes customer data across multiple teams. What is the most effective way to ensure that only the necessary data is accessed by each team to complete their tasks?
Correct Answer: A Explanation: The correct answer is A because implementing access controls based on the principle of least privilege and role-based access ensures that each team can only access the data required for their specific responsibilities. This minimizes exposure and aligns with data handling best practices. Option B (B) is incorrect because unrestricted access increases the risk of data misuse and breaches. Option C (C) is incorrect because providing decryption keys to all team members contradicts the principle of limiting access. Option D (D) is incorrect because relying on a single administrator without delegating permissions can create bottlenecks and risks associated with centralized control.
49. An organization’s Acceptable Use Policy (AUP) allows limited personal use of internet resources during work hours. An employee is observed spending over an hour daily on social media platforms using the company network. How should the organization address this behavior in compliance with the AUP?
Correct Answer: B Explanation: The correct answer is (B) because issuing a formal warning ensures that the employee is made aware of their violation and provides an opportunity for corrective action while adhering to the AUP. (A) is incorrect because blocking all social media platforms punishes all employees and may be excessive given the existing policy. (C) is incorrect because monitoring for an additional week wastes resources and delays addressing the issue. (D) is incorrect because updating the AUP to prohibit all personal use contradicts the current policy and penalizes compliant employees unnecessarily. A formal warning balances enforcement with fairness.
50. A network administrator is configuring an IPv6 network and needs to assign an address to a server that can communicate only within the local link. Which type of IPv6 address should the administrator assign?
Correct Answer: B. Link-Local Address Explanation: The correct answer is (B) because Link-Local addresses in IPv6 (e.g., starting with "FE80::") are automatically assigned to interfaces and are used for communication within a single local link. They cannot be routed beyond the local network segment. (A) Global Unicast Addresses are routable on the internet and begin with "2000::/3," which is not suitable for local-only communication. (C) Unique Local Addresses (e.g., "FC00::/7") are used for internal private communication across multiple networks but can cross local links. (D) Multicast Addresses are used for group communication and do not assign an address to a single server.
51. A financial institution hosts critical applications in its on-premises data center. To ensure uninterrupted service during a hardware failure, the IT team wants to implement a solution that allows seamless failover of servers. Which redundancy solution should they deploy?
Correct Answer: B. Load balancing with active-passive failover Explanation: Load balancing with active-passive failover (B) is the correct answer because it ensures that if the primary server fails, a backup server seamlessly takes over, maintaining application availability. RAID 5 (A) is incorrect because it provides disk-level redundancy but does not address server failover. Hot-swappable power supplies (C) enhance hardware resilience but do not provide redundancy for servers themselves. Dual power feeds from the utility grid (D) address power redundancy but cannot ensure application continuity during server failure. Load balancing with active-passive failover provides the best solution for maintaining uninterrupted service during server hardware failures.
52. To prevent brute force attacks on user accounts, a company configures an account lockout policy that temporarily disables accounts after multiple failed login attempts. What aspect of prevention does this policy address?
Correct Answer: C. Mitigation of unauthorized access Explanation: The account lockout policy mitigates unauthorized access (C) by limiting the effectiveness of brute force attacks, which rely on repeated login attempts against the same account. Option A, Threat detection, involves identifying malicious activities but does not directly prevent them. Option B, Risk avoidance, involves strategies to eliminate risks entirely, which does not apply to managing login attempts. Option D, Incident response, refers to actions taken after an incident, whereas account lockout policies aim to prevent incidents from occurring. Two practical caveats: a lockout threshold also lets an attacker deliberately lock legitimate users out by guessing wrong on purpose, so thresholds and lockout durations must be balanced against that denial-of-service risk, and a per-account lockout does not stop password spraying, where a few common passwords are tried once each across many accounts.
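As an added illustration (example code, not part of the exam material), the lockout logic below implements a sliding window of failed attempts with a fixed lockout duration, then runs two constructed attack patterns against it: a brute force against one account, which the policy stops, and a password spray across many accounts, which it does not. The user database, the thresholds and the injectable clock are assumptions made so the example runs offline without sleeping.

```python
import hmac
import time
from collections import defaultdict, deque


class LockoutPolicy:
    """Lock an account for lockout_s after `threshold` failures within window_s."""

    def __init__(self, threshold=5, window_s=300, lockout_s=900, clock=time.time):
        self.threshold = threshold
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock                  # injectable for testing
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def is_locked(self, account) -> bool:
        until = self._locked_until.get(account)
        return until is not None and self.clock() < until

    def record_failure(self, account) -> bool:
        """Register a failure; return True if this one triggered a lockout."""
        now = self.clock()
        self._prune(account, now)
        q = self._failures[account]
        q.append(now)
        if len(q) >= self.threshold:
            self._locked_until[account] = now + self.lockout_s
            q.clear()
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def login(policy, users, account, password) -> str:
    """Return 'locked', 'ok' or 'failed'. Lock check happens before the password check."""
    if policy.is_locked(account):
        return "locked"
    stored = users.get(account, "")
    # Constant-time comparison; unknown accounts take the same path as wrong passwords.
    if account in users and hmac.compare_digest(stored, password):
        policy.record_success(account)
        return "ok"
    policy.record_failure(account)
    return "failed"


class FakeClock:
    """Constructed clock so the simulation can advance time instantly."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate() -> dict:
    clock = FakeClock()
    users = {f"user{i}": f"pw-{i}" for i in range(20)}   # constructed accounts
    users["alice"] = "correct-horse-battery"
    policy = LockoutPolicy(threshold=5, window_s=300, lockout_s=900, clock=clock)

    # Brute force: eight wrong guesses against one account, ten seconds apart.
    brute = []
    for i in range(8):
        brute.append(login(policy, users, "alice", f"guess{i}"))
        clock.advance(10)

    # Edge case: the lockout also blocks the real user with the right password.
    owner_blocked = login(policy, users, "alice", "correct-horse-battery")
    clock.advance(policy.lockout_s + 1)
    after_expiry = login(policy, users, "alice", "correct-horse-battery")

    # Password spraying: one guess per account never reaches the threshold.
    spray = [login(policy, users, u, "Winter2024!") for u in users if u != "alice"]
    locked_by_spray = sum(policy.is_locked(u) for u in users)

    return {"brute_force": brute, "owner_blocked_during_lockout": owner_blocked,
            "after_expiry": after_expiry, "spray_results": spray,
            "accounts_locked_by_spray": locked_by_spray}
```

simulate() returns five "failed" outcomes followed by three "locked" for the brute force, "locked" for the account owner during the lockout window, "ok" once it expires, and zero locked accounts after the spray. Complementary controls for the spray case are per-source rate limiting and alerting on many distinct accounts failing from one origin in a short period.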
53. A company’s disaster recovery plan specifies the use of both hot and cold sites to ensure operational continuity. After a major incident, the hot site was activated immediately, while the cold site was prepared for extended use. What key component of a disaster recovery plan is being applied in this scenario?
Correct Answer: B. Alternate site arrangements Explanation: The scenario demonstrates the implementation of alternate site arrangements, a critical component of disaster recovery, which provides options like hot and cold sites to maintain operations during and after a disaster (B). A data backup strategy (A) focuses on preserving data integrity but does not cover operational sites. Risk assessment (C) is conducted prior to disasters to identify vulnerabilities, not during the activation of recovery sites. Emergency response procedures (D) involve immediate actions to stabilize situations but do not specifically relate to the use of alternate sites. Thus, B is the correct choice.
54. During a phishing attack, the incident response team follows pre-established guidelines for logging and documenting all actions taken during the response. Which component of an incident response plan is demonstrated by this practice?
Correct Answer: B. Incident documentation and reporting. Explanation: Logging and documenting all actions taken during an incident aligns with incident documentation and reporting (B), a vital component of an incident response plan. Accurate records ensure accountability, facilitate post-incident analysis, and support legal or regulatory requirements. Option A (forensic evidence collection) overlaps but focuses specifically on gathering data for investigations, not comprehensive documentation. Option C (containment strategies) involves limiting the threat’s spread but does not include documentation. Option D (escalation protocols) refers to notifying higher authorities when an incident exceeds predefined thresholds and is separate from documentation practices.
55. An IT team is tasked with deploying new systems in a cloud environment. To maintain security and compliance, they decide to apply hardened baselines. Which approach best ensures that all new deployments adhere to the baseline configurations?
Correct Answer: B Explanation: Creating pre-configured virtual machine templates (B) ensures that all systems are deployed with consistent baseline configurations from the start, reducing the risk of misconfigurations. Training administrators (A) introduces variability and reliance on human compliance, leading to potential errors. Regular audits (C) are reactive, allowing non-compliant systems to exist until identified. Third-party monitoring tools (D) detect changes but do not ensure compliance during deployment. Pre-configured templates enforce security baselines proactively and efficiently in cloud environments.
56. A cybersecurity analyst is tasked with securing sensitive documents stored on a cloud platform. They propose encrypting the documents using asymmetric encryption so the documents can only be decrypted by authorized personnel. Which key should be used for encryption in this scenario?
Correct Answer: B Explanation: The correct answer is B because using the authorized personnel’s public key for encryption ensures that only those with the corresponding private key (the authorized personnel) can decrypt the documents. Option A (A) is incorrect because the cloud administrator’s private key is not involved in protecting documents for individual access. Option C (C) is incorrect because the cybersecurity analyst’s private key would not control access for authorized personnel. Option D (D) is incorrect because a symmetric key does not leverage the distinct advantage of public-private key pairs, which is the hallmark of asymmetric encryption.
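Questions 39, 42 and 56 all turn on which half of a key pair performs which operation. The block below is an added example, not part of the exam material, that makes the four cases concrete: the sender signs a hash with the private key (Q39), a signature that verifies under the client's public key could only have come from the holder of the client's private key (Q42), and data encrypted to the authorized person's public key is recoverable only with that person's private key (Q56). It uses textbook RSA over fixed Mersenne primes so it runs with the standard library alone; the key size, the absence of padding, the transaction record and the "other party" key pair are all assumptions made for the demonstration, and nothing here should be reused as real cryptography.

```python
import hashlib

# Assumption: textbook RSA over fixed Mersenne primes so the example runs with
# the standard library only. It shows which key does which job; it is not a
# usable implementation (no padding, toy key size, no certificate handling).
CLIENT_PRIMES = (2**61 - 1, 2**31 - 1)   # ~92-bit modulus
OTHER_PRIMES = (2**89 - 1, 2**61 - 1)    # a second, unrelated key pair
E = 65537


def keygen(primes: tuple, e: int = E) -> tuple:
    """Return (public, private) as ((n, e), (n, d))."""
    p, q = primes
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest_int(data: bytes) -> int:
    """SHA-256 of the data, truncated to 64 bits so it is below the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def sign(private_key: tuple, data: bytes) -> int:
    """Q39: the sender hashes the document and signs the hash with the PRIVATE key."""
    n, d = private_key
    return pow(digest_int(data), d, n)


def verify(public_key: tuple, data: bytes, signature: int) -> bool:
    """Anyone with the sender's PUBLIC key recovers the signed hash and compares it."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)


def encrypt(public_key: tuple, value: int) -> int:
    """Q56: encrypt to the recipient's PUBLIC key; only their private key can undo it."""
    n, e = public_key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, e, n)


def decrypt(private_key: tuple, ciphertext: int) -> int:
    n, d = private_key
    return pow(ciphertext, d, n)


def demo() -> dict:
    client_pub, client_priv = keygen(CLIENT_PRIMES)
    other_pub, other_priv = keygen(OTHER_PRIMES)

    # Constructed transaction record, as in Q42 (not data from the page).
    tx = b'{"from":"ACC-1","to":"ACC-2","amount":"2500.00","ts":"2024-05-01T10:00:00Z"}'
    sig = sign(client_priv, tx)

    # Q42: only the holder of the client's private key can produce a signature
    # that verifies under the client's public key.
    results = {
        "client_signature_valid": verify(client_pub, tx, sig),
        "altered_amount_valid": verify(client_pub, tx.replace(b"2500.00", b"25000.00"), sig),
        "other_party_signature_valid": verify(client_pub, tx, sign(other_priv, tx)),
    }

    # Q56: a document key encrypted to the authorized person's public key.
    document_key = 0x5EC2E7   # placeholder secret, well below the modulus
    ciphertext = encrypt(client_pub, document_key)
    results["owner_can_decrypt"] = decrypt(client_priv, ciphertext) == document_key
    results["other_party_can_decrypt"] = decrypt(other_priv, ciphertext) == document_key
    return results
```

demo() reports the client's signature as valid, the altered transaction and the other party's signature as invalid, and the document key as recoverable by the owner only. Production code uses a vetted library with RSA-PSS or an elliptic-curve signature scheme and OAEP or hybrid encryption; the asymmetry of the key roles is the same.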
57. An organization is deploying Internet of Things (IoT) devices for building automation, including HVAC and lighting control systems. To reduce the risk of these devices being exploited as a pivot point for lateral attacks, the security team must implement segmentation. What is the best approach to achieve this?
Correct Answer: A. Assign IoT devices to a dedicated VLAN and restrict communication to necessary systems using ACLs Explanation: Assigning IoT devices to a dedicated VLAN and restricting communication to necessary systems using ACLs (A) is the correct answer because it isolates IoT traffic from the main network, minimizing the risk of lateral attacks. Placing IoT devices on the same network as user workstations (B) increases the attack surface and allows compromised devices to impact other systems. Configuring NAT (C) obfuscates IP addresses but does not provide true isolation or control over communication. Using a flat network topology (D) eliminates segmentation entirely, making it easier for attackers to move laterally. A dedicated VLAN with ACLs ensures proper segmentation and minimizes risk.
58. A company experiences a power outage at its primary data center during business hours. The IT team executes the organization’s business continuity plan, ensuring critical services remain operational by activating a secondary site. What is the primary purpose of this business continuity effort?
Correct Answer: A. To restore operations to a pre-defined acceptable level after a disruption Explanation: The correct answer is A because the primary purpose of business continuity is to ensure that critical business operations can continue or be restored to an acceptable level after a disruption. The secondary site activation is a classic business continuity measure designed to minimize downtime and maintain essential services. Option B is incorrect because reducing future outages is more aligned with risk mitigation rather than immediate continuity actions. Option C is incorrect because regulatory compliance might be a benefit but is not the direct purpose of business continuity. Option D is incorrect because while reputation protection is important, it is an indirect benefit rather than the main goal of the business continuity process.
59. A network engineer is implementing a firewall rule to block all traffic to a specific IP address range. The rule specifies a destination of 10.0.0.0/8. What does this IP address range represent?
Correct Answer: A. A private IP address range used within organizations. Explanation: The correct answer is (A) because 10.0.0.0/8 is a private IPv4 address range defined by RFC 1918, used within organizations for internal networks and not routable on the public internet. (B) is incorrect because public IP addresses are assigned by ISPs and do not include 10.0.0.0/8. (C) is incorrect because loopback addresses are in the range 127.0.0.0/8. (D) is incorrect because 10.0.0.0/8 is not reserved for broadcast traffic; broadcast addresses are based on subnet configurations.
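Questions 50 and 59 both come down to recognizing address ranges. The block below is an added example, not from the original page, that classifies a set of constructed IPv4 and IPv6 addresses with Python's standard ipaddress module and checks which of them the Q59 rule (destination 10.0.0.0/8) would match. The sample addresses are assumptions chosen to cover each category mentioned in the two explanations.

```python
import ipaddress

# The rule from Q59: deny everything whose destination falls in 10.0.0.0/8.
BLOCK_DESTINATION = ipaddress.ip_network("10.0.0.0/8")

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV6_ULA = ipaddress.ip_network("fc00::/7")

# Constructed sample addresses (not from the page).
SAMPLES = [
    "10.23.4.5",              # RFC 1918, inside the blocked range
    "172.16.0.9",             # RFC 1918, outside the blocked range
    "127.0.0.1",              # loopback
    "8.8.8.8",                # public
    "fe80::1",                # IPv6 link-local (Q50)
    "fd12:3456:789a::1",      # IPv6 unique local
    "2001:4860:4860::8888",   # IPv6 global unicast
    "ff02::1",                # IPv6 multicast (all nodes on the link)
]


def classify(addr_str: str) -> str:
    """Name the address category the way the two questions use the terms."""
    a = ipaddress.ip_address(addr_str)
    if a.is_multicast:
        return "multicast"
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:
        return "link-local"
    if a.version == 6 and a in IPV6_ULA:
        return "unique local"
    if a.version == 4 and any(a in net for net in RFC1918):
        return "private (RFC 1918)"
    if a.is_global:
        return "global unicast"
    return "other reserved"


def blocked_by_rule(addr_str: str, rule=BLOCK_DESTINATION) -> bool:
    """Would a packet to this destination hit the deny rule? An IPv6 address never matches an IPv4 prefix."""
    a = ipaddress.ip_address(addr_str)
    return a.version == rule.version and a in rule


def report(addrs=SAMPLES) -> dict:
    """Map each address to (category, blocked?)."""
    return {s: (classify(s), blocked_by_rule(s)) for s in addrs}
```

report() shows that 10.23.4.5 is private and blocked while 172.16.0.9 is private but not blocked, and that fe80::1 is link-local and unaffected by an IPv4 rule, a reminder that a deny rule written for one address family says nothing about the other.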
60. A cybersecurity analyst is tasked with ensuring that all network traffic between two systems is encrypted to prevent unauthorized access during transmission. At which layer of the TCP/IP model should encryption mechanisms like TLS or SSL be implemented?
Correct Answer: A. Transport Layer Explanation: The correct answer is (A) because this question, like many CC references, places TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) at the Transport Layer of the TCP/IP model, since they secure the connection over which application data travels. Strictly speaking, TLS runs on top of TCP and beneath the application protocol (HTTPS is HTTP carried inside TLS), and the OSI model would put it at the session and presentation layers; keep the exam's placement in mind when answering. (B) Application Layer manages user-facing protocols like HTTP and FTP, which invoke TLS but do not perform the encryption themselves. (C) Internet Layer deals with IP addressing and routing, which do not involve encryption (IPsec, a separate technology, is the exception that secures this layer). (D) Network Interface Layer concerns physical and data link aspects of transmission and does not handle encryption.
61. An organization has a network closet that houses critical switches and routers but lacks robust security measures. To enhance physical security, the organization decides to implement a layered approach. Which combination of controls is most effective for securing the equipment?
Correct Answer: A. Biometric access control and video surveillance Explanation: Biometric access control and video surveillance (A) is the correct answer because it combines strong access restriction with monitoring. Biometric systems ensure that only authorized personnel can open the closet, while video surveillance records activity for auditing and deterrence. Keycard access and locked cabinets (B) are a reasonable option but less secure than biometrics, as keycards can be lost or shared. Motion sensors and alarm systems (C) are useful for detecting unauthorized activity but do not prevent access. A locked door and environmental monitoring (D) improve basic security and operational visibility but are not sufficient to address the stated need for a layered approach. The combination of biometrics and surveillance offers a comprehensive approach to physical security.
62. During a security review, a vulnerability scan reveals several outdated applications that require patching. To ensure compliance with security policies, what should the IT team do first before applying the patches?
Correct Answer: A Explanation: Evaluating the risk level of each vulnerability (A) and prioritizing critical patches ensures resources are focused on addressing the most significant threats first. Scheduling immediate downtime (B) may disrupt operations unnecessarily, especially if the vulnerabilities are not high-risk. Enabling automatic updates (C) can lead to unintended disruptions if patches are not tested. Deploying patches to production systems without prior testing (D) introduces the risk of operational failures. Risk assessment and prioritization are essential for a structured and effective patch management process.
63. An organization deploys a new software update to its customer relationship management (CRM) system. After implementation, users report frequent crashes, causing a significant impact on business operations. According to the change management policy, what should have been done to prevent this issue?
Correct Answer: B Explanation: The correct answer is (B) because thorough testing in a staging environment replicates the production environment and allows for identifying issues before deployment, reducing the risk of system instability. (A) is incorrect because while rollback is a reactive measure, it does not address the root cause, which is the lack of pre-deployment testing. (C) is incorrect because informing end-users about downtime is important for communication but does not mitigate technical risks. (D) is incorrect because incremental deployment does not resolve issues if the update itself is faulty. Testing ensures that updates are stable and ready for deployment.
64. An organization is designing its network security strategy based on the principle of defense in depth. The security team has decided to implement measures at multiple levels to ensure comprehensive protection. Which combination of measures best illustrates this approach?
Correct Answer: A. Deploying a firewall, installing antivirus software, and conducting security awareness training Explanation: Deploying a firewall, installing antivirus software, and conducting security awareness training (A) is the correct answer because it incorporates multiple layers of protection: network-level defense (firewall), endpoint defense (antivirus), and human defense (training). Defense in depth relies on layered security measures to protect against threats across different attack surfaces. Implementing a single advanced IDS (B) focuses on one layer and does not address other vulnerabilities. Using multi-factor authentication (C) strengthens account security but does not address network or endpoint vulnerabilities. Relying solely on endpoint protection and strong passwords (D) provides limited coverage, neglecting critical network and user education components. A combination of measures across different layers is the essence of defense in depth.
65. A software company is working on a project with a government agency and has received classified data to integrate into their system. The data handling policy specifies restrictions on storage locations and access permissions. During a system audit, it is discovered that a junior developer has access to the classified data repository. What should the company do to address this violation?
Correct Answer: A Explanation: The correct answer is (A) because restricting access immediately prevents further unauthorized exposure of the classified data, adhering to the principle of least privilege. (B) is incorrect because while training is valuable, it does not resolve the immediate risk posed by inappropriate access. (C) is incorrect because notifying the government agency may be premature and could damage trust if the organization has not yet taken corrective action. (D) is incorrect because escalating to senior management delays immediate remediation, which is critical to minimizing exposure risks. Immediate restriction aligns with best practices for securing sensitive data.
66. An IT manager is negotiating with a vendor to provide managed security services. Both parties agree on drafting a document that will outline their mutual responsibilities and commitments but will remain flexible and non-legally binding to allow adjustments as needed. Which document should they draft?
Correct Answer: B. Memorandum of Understanding (MOU) Explanation: A Memorandum of Understanding (MOU) (B) is the correct answer because it is a flexible, non-legally binding document that outlines mutual responsibilities and commitments, making it suitable for situations where adjustments may be necessary. A Contractual Agreement (A) is legally binding and less flexible, which is not suitable for the described scenario. A Service Level Agreement (SLA) (C) is specific to defining performance metrics and service obligations, typically within a legally binding framework. A Statement of Work (SOW) (D) provides detailed project deliverables and timelines but is often part of a legally binding agreement. An MOU is the best choice to facilitate collaboration while maintaining flexibility.
67. A company has identified several risks, including potential cyberattacks, data breaches, and system failures. They are deciding which risks to focus on based on limited resources for mitigation. Which of the following should be the primary consideration when prioritizing these risks?
Correct Answer: B) The likelihood of occurrence and potential impact of each risk Explanation: When prioritizing risks, the company should consider both the likelihood of occurrence and the potential impact of each risk. This helps determine which risks could cause the most harm and are most likely to happen, guiding the mitigation efforts effectively. Option (A) is important but not the primary factor in prioritization; resource availability should follow a risk-based assessment. Option (C) is too narrow in focus, as the impact on external stakeholders (such as customers and regulators) also needs to be considered. Option (D) is incorrect because although public relations concerns are important, they should not be the sole factor in risk prioritization.
68. An organization is concerned about potential vulnerabilities in its operating systems and applications. To address this, the IT team has implemented a patch management process. Which approach best ensures patches are applied effectively while minimizing disruption to production systems?
Correct Answer: B Explanation: Testing patches in a staging environment (B) ensures they are compatible with the organization’s systems and minimizes the risk of disruptions when deployed to production. Deploying patches immediately (A) may lead to system instability or compatibility issues without proper testing. Applying only critical patches (C) overlooks non-critical vulnerabilities, which can still be exploited. Relying solely on vendor patch notes (D) does not account for unique system configurations and may lead to unexpected issues. Staging environments provide a controlled space to verify patches' effectiveness and safety before deployment.
69. A company has decided to implement a security awareness training program for its employees to reduce the risk of social engineering attacks. What type of security control is this?
Correct Answer: B) Administrative control Explanation: Security awareness training is an administrative control because it involves educating and training employees to adhere to security policies and practices. It is a preventive measure that relies on human behavior, rather than on technology or physical barriers. (A) Technical controls use technology to enforce security, such as firewalls or encryption, and are not related to training. (C) Physical controls involve security measures like locks or barriers that protect physical assets but do not address employee behavior. (D) Detective controls are designed to identify and respond to security incidents after they occur, like intrusion detection systems, but do not proactively educate users.
70. A network administrator detects unusual traffic originating from multiple devices within the corporate network. Further investigation reveals that a self-replicating program has exploited a vulnerability to spread across devices without any user action. What type of malware is this?
Correct Answer: B. Worm Explanation: The scenario describes a self-replicating program that spreads across devices by exploiting a vulnerability without requiring user action, which is characteristic of a worm (B). Worms are capable of propagating independently, often causing network congestion or consuming resources. Option A, Virus, also replicates but requires a host file and user interaction to spread, which is not the case here. Option C, Trojan horse, disguises itself as legitimate software but does not self-replicate or spread automatically. Option D, Spyware, collects user information covertly but does not exhibit self-replication or the ability to spread across a network.
71. A network engineer is tasked with improving the reliability of a data center located in a region prone to power outages and frequent lightning storms. Which environmental control is the most effective to protect the data center from these risks?
Correct Answer: B. Lightning rods and uninterruptible power supplies (UPS) Explanation: Lightning rods and uninterruptible power supplies (UPS) (B) is the correct answer because it addresses the specific risks of lightning strikes and power outages. Lightning rods protect the facility by safely directing high-voltage surges from lightning into the ground, while UPS devices ensure continuous power delivery during outages, preventing interruptions to critical systems. Surge protectors and an emergency generator (A) are helpful but do not provide complete protection against lightning strikes or immediate backup power during brief outages. Power conditioners and redundant cooling systems (C) focus on power quality and temperature management but are not designed for storm-related risks. Grounding systems and HVAC upgrades (D) improve safety and environmental conditions but fail to address the immediate threats posed by lightning and outages. Lightning rods combined with UPS devices provide the most targeted and effective protection for the given scenario.
72. A company's policy mandates that all users must complete cybersecurity training annually. During a phishing campaign simulation, the organization finds that 30% of employees failed to identify phishing emails, despite this policy. What action should the organization take to enhance the effectiveness of the policy?
Correct Answer: B. Review and adjust the policy to include mandatory training assessments Explanation: The correct answer is (B) Review and adjust the policy to include mandatory training assessments because the existing policy may lack mechanisms to measure its effectiveness, such as assessments to ensure employees understand phishing risks. Revising the policy to incorporate training evaluations aligns with governance processes aimed at improving compliance and security awareness. (A) is incorrect because penalties may create fear but do not address the root issue of employee understanding. (C) is incorrect because technical solutions like spam filters are complementary but cannot replace the need for employee education and policy enforcement. (D) is also incorrect because eliminating the policy removes a vital governance element and would likely increase security risks. Policy refinement ensures that the training requirement meets its intended purpose.
73. A security administrator wants to validate whether the current system baselines are effectively addressing emerging security threats. What is the best method to evaluate the adequacy of these baselines?
Correct Answer: B Explanation: Reviewing the baseline configurations against the latest security benchmarks and standards (B) ensures they remain up-to-date and effective against emerging threats. Penetration testing (A) provides insights into vulnerabilities but does not evaluate the comprehensiveness of the baseline itself. Vulnerability scans (C) focus on identifying weaknesses but may not address systemic gaps in the baseline. Regular updates based on team input (D) may introduce inconsistencies without alignment to external security standards. Benchmarks provide authoritative guidance to evaluate and improve baseline configurations systematically.
74. A company’s DMZ hosts a web server that communicates with external clients over HTTPS. During a security audit, it is recommended to monitor and log all incoming and outgoing traffic to the DMZ for suspicious activities. What is the best tool to achieve this?
Correct Answer: A. Network Intrusion Detection System (NIDS) Explanation: A Network Intrusion Detection System (NIDS) (A) is the correct answer because it monitors and analyzes network traffic to and from the DMZ for suspicious activities, providing visibility and alerting administrators to potential threats. A packet sniffer (B) can capture and analyze traffic but lacks the intelligence to detect or report suspicious patterns. An application firewall (C) focuses on filtering traffic at the application layer, such as HTTP/HTTPS, but does not provide comprehensive monitoring for all DMZ traffic. A Host-based Intrusion Prevention System (HIPS) (D) protects individual servers but does not monitor the entire DMZ’s network traffic. NIDS offers the broad traffic analysis and alerting capabilities necessary for monitoring the DMZ effectively.
75. During a recent internal audit, it was identified that employees were clicking on phishing emails, leading to potential breaches. As a security professional, you have been tasked with improving awareness of such threats. Which action best aligns with the purpose of security awareness training in this context?
Correct Answer: B Explanation: The primary purpose of security awareness training is to educate employees (B) on recognizing, avoiding, and reporting security threats such as phishing. While implementing stricter email filtering solutions (A) is a technical measure to reduce phishing emails, it does not empower employees to identify threats that bypass these filters. Mandating frequent password updates (C) is unrelated to addressing phishing directly and does not enhance awareness. Assigning IT staff to monitor email traffic (D) is a reactive measure and not a sustainable or scalable solution for employee awareness. By focusing on training employees, the organization builds a proactive defense mechanism against phishing.
76. A healthcare organization follows a disaster recovery plan that includes a cold site as part of its strategy. After a natural disaster damages their primary data center, the organization begins setting up systems at the cold site to resume operations. What does this scenario illustrate about the purpose of disaster recovery?
Correct Answer: C. It provides a structured approach to restoring critical operations Explanation: The scenario demonstrates the importance of a structured disaster recovery approach, where plans like cold site setups enable critical operations to be gradually restored after an event (C). A cold site does not provide an immediate switch to full operations (A); that is characteristic of a hot site. Detecting vulnerabilities post-disaster (B) is not the focus of this activity, as disaster recovery prioritizes restoration, not analysis. Minimizing long-term financial losses (D) is a potential benefit but not the direct purpose of the recovery plan. Hence, C is the most accurate answer.
77. A cybersecurity analyst notices unusual spikes in database queries originating from a web application. To mitigate the issue, the analyst needs to implement a mechanism to prevent SQL injection attacks. Which application-layer solution would be most effective?
Correct Answer: A. Implement input validation and parameterized queries. Explanation: The correct answer is (A) because input validation and parameterized queries are effective application-layer defenses against SQL injection attacks, ensuring that user inputs do not alter the structure of SQL commands. (B) Configuring a firewall may block traffic but does not directly address SQL injection vulnerabilities. (C) Monitoring IP addresses helps detect suspicious activity but does not prevent SQL injection. (D) Using a proxy server may provide an additional layer of filtering but is insufficient to address SQL injection vulnerabilities at the application layer.
78. An IT administrator identifies a suspicious program that was installed on a user's system after they clicked on an email attachment claiming to be an invoice. The program created a backdoor for attackers and also disabled antivirus protection on the system. What is the best classification for this malware?
Correct Answer: B. Trojan Explanation: The malware described was installed after the user opened an email attachment and created a backdoor while disabling antivirus protection, which is characteristic of a Trojan (B). Trojans often rely on users to execute them by disguising themselves as something trustworthy, like an invoice. Option A, Virus, spreads by attaching to files and does not necessarily involve backdoors or antivirus disabling. Option C, Worm, replicates independently without requiring user action to spread. Option D, Spyware, focuses on collecting information covertly rather than creating backdoors or disabling defenses.
79. During a security review, an organization identifies that failed login attempts on critical systems are not being logged. What is the best action to address this gap in their logging and monitoring practices?
Correct Answer: A Explanation: The correct answer is A because enabling logging for failed login attempts and implementing real-time alerts for suspicious patterns helps detect potential brute force attacks or unauthorized access attempts. This proactive approach enhances security monitoring. Option B is incorrect because ignoring failed login attempts neglects a critical indicator of potential security threats. Option C is incorrect because periodic reports without real-time logging delay the detection of and response to security incidents. Option D is incorrect because limiting logging to administrative accounts excludes valuable data on other potential points of attack, reducing overall visibility.
80. An enterprise is designing its on-premises data center to ensure uninterrupted operation even during a power outage. The infrastructure team is tasked with implementing a solution that provides temporary power while the backup generators start. Which component is most suitable for this purpose?
Correct Answer: B. Uninterruptible Power Supply (UPS) Explanation: The Uninterruptible Power Supply (UPS) (B) is the correct answer because it provides a temporary power source during an outage, ensuring continuity of operations until backup generators take over. It bridges the gap between utility power failure and the activation of backup systems. A surge protector (A) is incorrect because it only protects devices from voltage spikes and does not supply power. An Automatic Transfer Switch (ATS) (C) is responsible for switching between power sources but does not store or provide power. A Power Distribution Unit (PDU) (D) distributes power from a source to multiple devices but cannot maintain operations during a power outage. The UPS is specifically designed for the described scenario, making it the most appropriate choice.
81. An organization is considering adopting a SaaS platform for its HR system. The IT team is concerned about maintaining compliance with data protection regulations. Which feature should the organization prioritize when selecting a SaaS provider?
Correct Answer: A. The provider’s compliance with relevant certifications and standards Explanation: The provider’s compliance with relevant certifications and standards (A) is the correct answer because it ensures that the SaaS provider adheres to regulatory requirements for data protection, such as GDPR or HIPAA. Built-in support for multi-factor authentication (B) enhances security but does not directly address regulatory compliance. The ability to customize the SaaS interface (C) is unrelated to compliance. Integration with existing infrastructure (D) improves functionality but does not ensure adherence to regulations. Compliance certifications provide assurance that the SaaS provider meets legal and industry standards for data protection.
82. An employee sets their password as "Welcome123!" because it meets the organization’s minimum requirements. During a security audit, it is flagged as a weak password. What should security awareness training emphasize to employees to prevent such choices?
Correct Answer: A Explanation: Security awareness training should emphasize avoiding dictionary words (A) in passwords, even when combined with numbers or special characters, as they are still vulnerable to attacks like dictionary and brute-force attacks. While frequent password changes (B) can be part of a broader strategy, short passwords are inherently weak regardless of change frequency. Using common phrases (C) may make passwords memorable but increases susceptibility to pattern-based attacks. Sharing passwords with anyone, even authorized personnel (D), directly violates best practices for password protection and increases the risk of unauthorized access. Teaching users to create complex, unique passwords is key.
83. A small business introduces a security awareness training program after multiple incidents of accidental data exposure by employees. What key metric should the organization monitor to evaluate the effectiveness of the training?
Correct Answer: A Explanation: Monitoring the number of simulated phishing emails successfully identified by employees (A) is an effective metric for evaluating how well they apply the knowledge gained from training. This directly measures the program’s impact on reducing human vulnerabilities. An increase in penalties (B) does not reflect training effectiveness but may indicate poor communication or understanding. Reducing the number of cybersecurity tools (C) undermines overall security by oversimplifying defenses. Speed of system recovery (D) measures incident response, not training outcomes. Metrics tied to employee behavior and awareness, such as phishing simulations, provide meaningful insights into the program’s success.
84. A company is designing the layout of its new data center and wants to use environmental design to enhance physical security. Which of the following would be the best approach to deter unauthorized personnel from attempting to access the facility?
Correct Answer: A) Install tall fences with clear warning signs around the perimeter Explanation: Installing tall fences with clear warning signs (A) is an effective environmental design approach to deter unauthorized personnel by creating a visible and physical barrier. This also communicates the seriousness of the security measures. Designing the entrance with glass windows (B) could improve visibility but does not effectively deter intrusions. Minimal landscaping (C) does not add significant deterrent value, and positioning the data center near high-traffic areas (D) may increase the risk of exposure to potential threats rather than reduce them.
85. A company implements a site-to-site VPN to connect two geographically dispersed offices. After deployment, users report slow application performance when accessing resources across the VPN. Which factor is most likely causing this issue?
Correct Answer: B. Network latency and limited bandwidth Explanation: Network latency and limited bandwidth (B) is the correct answer because site-to-site VPNs rely on the underlying internet connection for data transmission. High latency or insufficient bandwidth can degrade performance. Insufficient encryption strength (A) would affect data security but not cause slow performance. Incorrect VPN client configuration (C) does not apply here, as site-to-site VPNs do not involve end-user client software. Overlapping IP address ranges (D) could cause routing conflicts, but that would result in connectivity issues rather than performance degradation. Addressing latency and bandwidth constraints ensures optimal VPN performance.
86. An organization is implementing network segmentation to isolate sensitive systems containing customer financial data from the rest of the corporate network. Which approach is most effective for achieving this level of isolation while allowing controlled communication with the rest of the network?
Correct Answer: B. Configuring Virtual LANs (VLANs) with access control lists (ACLs) Explanation: Configuring Virtual LANs (VLANs) with access control lists (ACLs) (B) is the correct answer because VLANs logically separate network segments, and ACLs enforce controlled communication between them, ensuring sensitive systems remain isolated. Deploying separate physical networks (A) is incorrect because it is expensive and less flexible compared to VLANs, though it provides strong isolation. Implementing network address translation (NAT) (C) does not achieve segmentation as it is used for address translation, not isolating traffic. Using a flat network topology with enhanced firewall rules (D) does not provide the granular isolation needed for protecting sensitive systems. VLANs with ACLs are the most efficient and secure solution for isolating sensitive systems.
87. A financial services company must comply with regulations requiring that transaction records be retained for a minimum of seven years. To achieve compliance, which approach should the company implement?
Correct Answer: B Explanation: The correct answer is B because implementing an automated data retention policy ensures that records are retained securely for the required duration and deleted afterward, meeting both compliance and operational efficiency requirements. Option A is incorrect because retaining data indefinitely increases storage costs and the risk of non-compliance with regulations that mandate timely deletion. Option C is incorrect because deleting records without adhering to the retention period risks regulatory violations. Option D is incorrect because storing records on a local server without encryption violates best practices for securing sensitive data and may not meet compliance requirements.
88. An attacker observes power consumption patterns of a cryptographic processor during decryption processes. By analyzing these patterns, the attacker determines the private key used in the decryption. Which type of attack is described?
Correct Answer: B. Side-channel attack Explanation: The attacker exploits power consumption patterns to deduce a private key, which is a characteristic of a side-channel attack (B). These attacks rely on indirect physical characteristics, such as power usage, to infer sensitive data. Option A, Social engineering, manipulates people to gain access but does not involve analyzing power patterns. Option C, Trojan horse, disguises malware as legitimate software and does not involve physical analysis. Option D, Malware injection, introduces malicious code but does not exploit physical side channels like power consumption.
89. A company introduces a security awareness training program to address the risks associated with social engineering attacks. To measure its effectiveness, employees are sent simulated phishing emails, and their responses are tracked. What is the primary reason for this approach in the context of security awareness training?
Correct Answer: C Explanation: Simulated phishing tests are designed to measure how well employees apply knowledge (C) from security awareness training in real-world scenarios. This approach directly tests their ability to identify and respond to social engineering attacks, reinforcing practical skills. Assessing recall of policies (A) is not the main goal in this context, as the emphasis is on behavior rather than theoretical understanding. Evaluating email filtering systems (B) is a technical task unrelated to employee awareness. Ensuring compliance (D) may be a long-term benefit but is not the primary focus of this training activity. Testing knowledge in practical scenarios ensures the training has real impact.
90. A company needs to ensure secure communication between its web application and its users. The application uses HTTPS for data transmission. Which layer of the OSI model is primarily responsible for ensuring the encryption of the transmitted data?
Correct Answer: A. Presentation Layer Explanation: The correct answer is (A) because the Presentation Layer handles data encryption and decryption, including the SSL/TLS protocols used in HTTPS communication. (B) Application Layer facilitates communication between applications and users but does not handle encryption directly. (C) Transport Layer provides reliable data delivery but relies on the Presentation Layer for encryption processes. (D) Network Layer handles IP routing and addressing, which are unrelated to encryption at the application level.
91. A network administrator configures an Intrusion Detection System (IDS) to monitor incoming traffic for patterns matching known attack signatures. During testing, the IDS successfully flags an attempted SQL injection attack. What type of IDS is being used in this scenario?
Correct Answer: C. Signature-based IDS Explanation: The IDS in this scenario identifies attacks by comparing traffic to known attack signatures, which defines a signature-based IDS (C). This approach is effective for recognizing predefined threats like SQL injection. Option A, Host-based IDS (HIDS), monitors specific devices and their logs, not network traffic patterns. Option B, Network-based IDS (NIDS), monitors network traffic but does not specify the method (e.g., signature-based) used for detection. Option D, Anomaly-based IDS, detects unusual behaviors or deviations from a baseline, which is not described in the scenario.
92. A company’s incident response plan emphasizes regular testing of its incident response procedures through tabletop exercises and simulations. What component of an incident response plan does this represent?
Correct Answer: B. Ongoing training and testing. Explanation: Regular testing of incident response procedures, such as through tabletop exercises, falls under ongoing training and testing (B). This ensures the response team is well-prepared to handle incidents and identifies gaps in the plan. Option A (incident classification and triage) relates to assessing and categorizing incidents during active response, not preparation. Option C (incident reporting guidelines) pertains to documenting and reporting incidents but does not involve testing procedures. Option D (threat intelligence integration) focuses on incorporating external threat data into planning but does not directly involve testing the plan’s effectiveness.
93. An organization conducts annual testing of its business continuity plan to ensure its readiness for potential disasters. The test identifies gaps that could delay the resumption of critical operations, leading to updates in the plan. What does this activity demonstrate about the importance of business continuity?
Correct Answer: C. It reinforces the organization’s ability to recover quickly from disruptions Explanation: The correct answer is C because annual testing and updating of the business continuity plan highlight the importance of ensuring the organization can recover quickly and effectively from disruptions. Option A is incorrect because preventing disasters is not the focus of business continuity—it is about preparedness and recovery. Option B is incorrect because regulatory compliance, while important, is not the primary importance in this scenario. Option D is incorrect because reducing costs is not the key purpose; instead, the focus is on resilience and operational continuity.
94. A manufacturing company relies on automated systems to control production processes. During an unexpected hardware failure, the production line halted, resulting in significant losses. What solution should the company implement to ensure availability of the production systems in case of future failures?
Correct Answer: A. High availability clusters Explanation: High availability clusters (A) are the best solution to ensure the availability of production systems by providing failover capabilities, so operations can continue seamlessly even during hardware failures. Option B (Secure coding practices) enhances software security but does not address hardware reliability. Option C (Network access control) restricts unauthorized access but does not ensure system availability during failures. Option D (Biometric authentication) improves user identity verification but is unrelated to system reliability. High availability clusters provide redundancy and fault tolerance, ensuring minimal disruption to critical operations.
95. An organization operates in multiple countries with varying legal requirements for retaining customer data. How should the organization manage its data retention policies?
Correct Answer: B Explanation: The correct answer is B because customizing retention policies based on regional legal requirements ensures compliance with local laws while avoiding unnecessary storage costs and risks. Option A is incorrect because applying the strictest retention requirement universally could lead to unnecessary data retention, increasing risks and storage costs. Option C is incorrect because storing data indefinitely exposes the organization to significant security risks and regulatory non-compliance. Option D is incorrect because a single global policy based on an average requirement may not meet specific legal mandates in certain regions, resulting in non-compliance.
96. A network technician observes that a file server on the corporate network is receiving excessive ICMP packets, which are affecting its performance. Which type of attack is most likely occurring, and what is the best immediate action?
Correct Answer: C. Ping Flood; limit ICMP traffic using access control lists (ACLs). Explanation: The correct answer is (C) because a Ping Flood attack involves overwhelming a device with excessive ICMP Echo Request packets, leading to resource exhaustion. Limiting ICMP traffic using ACLs is an effective immediate mitigation. (A) SYN Flood attacks target the TCP handshake, not ICMP traffic. (B) DNS Spoofing involves altering DNS responses, unrelated to ICMP packets. (D) Man-in-the-Middle attacks intercept and manipulate communication, and while deploying TLS secures communication, it does not address excessive ICMP traffic.
97. A medium-sized software development company is trying to identify risks related to its product's security. The team decides to analyze the software’s codebase, consult external experts, and review customer feedback for any security-related concerns. Which of the following best describes this approach to risk identification?
Correct Answer: B) A proactive approach, involving internal and external resources to identify risks Explanation: This is a proactive approach because the company is actively seeking potential risks before any incidents occur, using a combination of internal (analyzing the codebase) and external (consulting experts and reviewing feedback) resources to identify potential security vulnerabilities. Option (A) is incorrect because a reactive approach would involve waiting for issues to arise or be reported rather than proactively identifying risks. Option (C) is incorrect because the approach involves a variety of resources, not just technical assessments. Option (D) is incorrect because relying solely on customer feedback is insufficient for a comprehensive risk identification process, as it excludes other valuable sources like code reviews or expert consultations.
98. A military organization employs a mandatory access control model to safeguard sensitive information. A high-ranking officer with “Top Secret” clearance shares a document labeled “Top Secret” with a junior officer who has only “Confidential” clearance. The junior officer is unable to access the document. Which principle of MAC is demonstrated in this situation?
Correct Answer: D. Security label enforcement Explanation: Mandatory access control relies on security labels that enforce access restrictions based on predefined classifications and clearances. (A) is incorrect because need-to-know applies to contextual access but does not directly enforce MAC rules. (B) is incorrect because discretionary access is not used in MAC environments. (C) is incorrect because lattice-based access control, while related to MAC, focuses on hierarchical or compartmentalized access structures but does not explicitly define this scenario. (D) is correct as security label enforcement ensures the junior officer cannot access a document above their clearance level.
99. A company’s physical access control system generates logs that record every entry attempt and the corresponding outcome (success or failure). Which of the following is the best practice to ensure the logs are properly protected from unauthorized access or tampering?
Correct Answer: A) Encrypt the logs and ensure they are stored in a write-once, read-many (WORM) storage device Explanation: Encrypting the logs and storing them in a write-once, read-many (WORM) storage device (A) is the best method for protecting the logs from unauthorized access and tampering, as it ensures that logs cannot be modified after they are written. Storing logs in an unencrypted format (B) exposes them to unauthorized access and makes them vulnerable to tampering or theft. Storing logs on a shared file server (C) is better than unprotected storage, but it still introduces the risk of tampering or unauthorized access if access controls are not sufficiently robust. Regularly backing up logs to external hard drives (D) is a reasonable precaution, but it does not provide the same level of protection as encryption and WORM storage, and it could result in logs being exposed during the backup process.
100. An administrator is configuring log retention policies for a financial institution's critical systems. Which policy best aligns with regulatory requirements and supports effective incident response?
Correct Answer: C Explanation: The correct answer is C because retaining logs for at least one year, ensuring they are tamper-proof, and maintaining accessibility aligns with typical regulatory requirements in the financial sector and supports effective incident response and audits. Option A (A) is incorrect because six months may not meet regulatory or forensic investigation needs. Option B (B) is incorrect because retention policies must comply with external regulations, not just internal policies. Option D (D) is incorrect because retaining only logs of known security events may overlook important context required for thorough investigations and compliance.