Domain 2: Threats, Vulnerabilities & Mitigations
15 questions · Instant feedback · 22% of the exam
A systems administrator is concerned about vulnerabilities within cloud computing instances. Which of the following is most important for the administrator to consider when architecting a cloud computing environment?
VM escape allows attackers to break out of a virtual machine and compromise the host system, making it a key concern in cloud computing.
A security administrator observed the following in a web server log while investigating an incident:
Directory (path) traversal attacks use `../` sequences, often URL-encoded or double-encoded, in a file path parameter to step outside the web root and read files the server should never serve, such as /etc/passwd on a Linux host. The tell-tale sign in a log is a request path or query parameter that climbs upward with `..` segments toward a system file.
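The following detector, added here as an example and not taken from the page, runs the check an analyst would apply to a web server log: it parses combined-format lines, percent-decodes the request target repeatedly (so `%252e%252e` is caught as well as `%2e%2e`), and flags any `../` segment. The log lines are constructed for the example; the IPs are documentation ranges.

```python
import re
from urllib.parse import unquote

# Constructed sample entries in Apache/Nginx combined-log style; not taken from the page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:08:15:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [10/Mar/2025:08:15:09 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1720
198.51.100.2 - - [10/Mar/2025:08:16:22 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1720
198.51.100.2 - - [10/Mar/2025:08:16:30 +0000] "GET /download?file=%252e%252e%2fetc%2fshadow HTTP/1.1" 403 221
192.0.2.9 - - [10/Mar/2025:08:17:00 +0000] "GET /images/logo.png HTTP/1.1" 200 8890
"""

# ip, timestamp, method, target (path + query) and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# ".." followed by a separator (or end of string) after decoding and slash normalisation.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')


def fully_decode(target, max_rounds=3):
    """Percent-decode until stable so double-encoded payloads (%252e) are unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_traversal(target):
    """True if the decoded target contains an upward '..' path segment."""
    decoded = fully_decode(target).replace('\\', '/')
    return bool(TRAVERSAL_RE.search(decoded))


def scan_log(text):
    """Return one record per request whose target looks like directory traversal.
    'succeeded' is a heuristic: a 2xx/3xx status means the server did not reject it."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed line; in production, count these separately
        if is_traversal(m['target']):
            status = int(m['status'])
            hits.append({
                'ip': m['ip'],
                'timestamp': m['ts'],
                'target': m['target'],
                'decoded': fully_decode(m['target']),
                'status': status,
                'succeeded': status < 400,
            })
    return hits


def summarize_by_ip(hits):
    """Count traversal attempts per source IP, for triage and blocking decisions."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h['ip'], h['status'], h['decoded'])
    print(summarize_by_ip(scan_log(SAMPLE_LOG)))
```

The 200 responses to the traversal requests are the ones to chase: they suggest the server actually returned the file, while the 403 shows a blocked attempt that is still worth recording as reconnaissance.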
Multiple users in an organization sign up to use an enterprise collaboration application to increase productivity. The application is easier to use than the one provided by the company. Which of the following threat actors has been introduced in this situation?
Shadow IT refers to unsanctioned technology or applications adopted by users without formal approval, creating security gaps and compliance issues. These tools operate outside corporate oversight and introduce unvetted risks.
A company experiences a breach. The investigation reveals that the threat actor used a zero-day vulnerability to gain access and move laterally. Which of the following would best improve the company’s security posture and minimize the time to detect this type of incident?
User Behavior Analytics (UBA) detects anomalies in user activity patterns, enabling rapid identification of unusual lateral movements typical of zero-day exploits. By alerting on deviations from normal behavior, it shortens detection time and containment.
A company's gate access logs show multiple entries from an employee's ID badge within a two-minute period. Which of the following is this an example of?
RFID badge cloning copies the credential data from an employee's badge onto another card, which then opens the same doors. Several entries from one badge ID within a two-minute window, especially at different gates, indicate that a copy is being used alongside (or instead of) the original, since a single badge holder cannot produce that pattern.
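A physical access control system rarely raises this alert on its own, so the check is usually done over exported gate logs. The sliding-window detector below is an added example (not code from the page); the log entries, badge IDs and gate names are constructed for it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed gate log: (timestamp, badge_id, door, result). Not from the page.
GATE_LOG = [
    ("2025-01-27 08:01:10", "B1042", "Gate-A", "granted"),
    ("2025-01-27 08:02:05", "B1042", "Gate-A", "granted"),
    ("2025-01-27 08:02:40", "B1042", "Gate-B", "granted"),
    ("2025-01-27 08:03:00", "B1042", "Gate-A", "granted"),
    ("2025-01-27 08:10:00", "B2210", "Gate-A", "granted"),
    ("2025-01-27 08:10:30", "B2210", "Gate-A", "denied"),
    ("2025-01-27 12:10:00", "B2210", "Gate-A", "granted"),
]


def find_badge_bursts(entries, window=timedelta(minutes=2), threshold=3):
    """Per badge, keep a sliding window of granted entries and alert once the
    window holds `threshold` or more. Denied swipes are ignored: a legitimate
    holder can fumble a reader, but only a granted entry opens a door.
    Returns one alert per burst (the window is cleared after alerting)."""
    recent = defaultdict(deque)
    alerts = []
    for ts_str, badge, door, result in sorted(entries):
        if result != "granted":
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        q = recent[badge]
        q.append((ts, door))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "badge": badge,
                "count": len(q),
                "start": q[0][0].isoformat(sep=" "),
                "end": ts.isoformat(sep=" "),
                "doors": sorted({d for _, d in q}),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in find_badge_bursts(GATE_LOG):
        print(a)
```

The `doors` field matters for triage: three grants at one gate could be a door held open and re-swiped, but grants at two different gates within ninety seconds mean two physical cards carrying the same credential.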
A penetration tester was able to gain unauthorized access to a hypervisor platform. Which of the following vulnerabilities was most likely exploited?
VM escape occurs when malicious code breaks out of a guest VM to execute on the host. It compromises the hypervisor and other VMs.
A user successfully logged in on the following dates:
- 25-1-2025: success / 192.1.1.1.0 / USA
- 26-1-2025: success / 192.1.1.1.0 / USA
- 27-1-2025: success / 192.1.1.1.0 / Rome
- 27-1-2025: success / 192.1.1.1.0 / Rome
What indicator of malicious activity would most likely trigger an alert?
Impossible travel alerts fire when one account authenticates from two locations so far apart that no one could have travelled between them in the time between the logins. Here the user logged in from the USA on consecutive days and then twice from Rome on the same day; an account that is suddenly active on another continent is a classic sign of a compromised credential, even though each individual login succeeded.
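Impossible travel is normally computed as implied ground speed between consecutive logins: distance between the geolocated source addresses divided by elapsed time, compared against a ceiling slightly above airline speed. The implementation below is an added example, not the page's own code or any vendor's logic; the city coordinates stand in for a GeoIP lookup and the login events are constructed (timestamps assumed to be UTC).

```python
import math
from datetime import datetime

# Constructed coordinate table standing in for a GeoIP database; not from the page.
GEO = {"New York": (40.7128, -74.0060), "Rome": (41.9028, 12.4964)}

# Constructed login events in UTC: (timestamp, user, source_ip, city). Not from the page.
LOGINS = [
    ("2025-01-25 14:00:00", "alice", "192.0.2.10", "New York"),
    ("2025-01-26 14:05:00", "alice", "192.0.2.10", "New York"),
    ("2025-01-27 08:00:00", "alice", "192.0.2.10", "New York"),
    ("2025-01-27 10:00:00", "alice", "198.51.100.77", "Rome"),
    ("2025-01-27 11:30:00", "alice", "198.51.100.77", "Rome"),
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(events, max_kmh=900.0, min_km=100.0):
    """Flag consecutive logins per user whose implied speed exceeds max_kmh.
    min_km suppresses GeoIP jitter between nearby points; two distant logins
    with no elapsed time are treated as infinite speed rather than a division error."""
    last = {}
    alerts = []
    for ts_str, user, ip, city in sorted(events):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        if user in last:
            prev_ts, prev_ip, prev_city = last[user]
            dist = haversine_km(GEO[prev_city], GEO[city])
            hours = (ts - prev_ts).total_seconds() / 3600.0
            if dist >= min_km:
                speed = dist / hours if hours > 0 else math.inf
                if speed > max_kmh:
                    alerts.append({
                        "user": user, "from": prev_city, "to": city,
                        "from_ip": prev_ip, "to_ip": ip,
                        "km": round(dist), "hours": round(hours, 2), "kmh": round(speed),
                    })
        last[user] = (ts, ip, city)
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(LOGINS):
        print(a)
```

The two Rome logins do not alert against each other (zero distance), and the USA-to-USA logins on consecutive days do not either; only the New York to Rome hop within two hours does. A ceiling of roughly 900 km/h keeps a genuine overnight flight below the threshold while still catching same-day continent changes like the one in the question.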
Which of the following is a use of CVSS?
The Common Vulnerability Scoring System (CVSS) assigns each vulnerability a numeric severity score from 0.0 to 10.0, derived from a vector of metrics such as attack vector, complexity, privileges required and the confidentiality, integrity and availability impact. Organizations use these scores, with their None/Low/Medium/High/Critical bands, to rank findings and prioritize remediation.
Which of the following is an advantage of a microservice-based architecture over traditional software architectures?
Microservices allow each component to be deployed and updated independently, enabling rapid patches—sometimes multiple times a day—without redeploying the entire application. This agility helps address security issues quickly and reduces downtime.
A company discovered its data was advertised for sale on the dark web. During the initial investigation, the company determined the data was proprietary data. Which of the following is the next step the company should take?
The next step after discovering proprietary data is being sold is to notify the applicable parties, such as affected customers, partners, or stakeholders.
The help desk receives multiple calls indicating that machines are running slowly when running enterprise applications. The help desk notes that the affected machines are out of compliance with the organization’s OS baselines. Several users also report receiving virus detection alerts. Which of the following mitigation techniques should the help desk consider first?
Isolating non-compliant or potentially infected machines prevents further spread of malware and limits impact until updates and remediation can occur. This containment step should precede patch deployment or deeper investigation.
During a recent log review, an analyst discovers evidence of successful injection attacks. Which of the following will best address this issue?
Validating and sanitizing all user input at the server side prevents attacker-supplied data from being interpreted as code by the backend, whether that backend is a SQL database, an OS shell, or an LDAP directory. Input validation is a primary defense against injection flaws, and it works best layered with parameterized queries, which keep data out of the query structure regardless of what the validator lets through.
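The vulnerable-versus-hardened pair below is an added example (not the page's code) using an in-memory SQLite table constructed for it. It shows the classic string-built query, the same lookup with a parameterized query, and the lookup with an allow-list validator in front of the parameterized query; the usernames and roles are made up.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table for the example; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: string interpolation lets the caller rewrite the SQL."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Parameterized query: the driver sends the value separately, so quotes
    and OR clauses inside it are just characters in a string literal."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list validator: only characters a username may legitimately contain.
USERNAME_RE = re.compile(r"[a-z0-9_.-]{1,32}")


def validate_username(username):
    """Reject anything outside the allow-list instead of trying to strip bad characters."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def lookup_safe(conn, username):
    """Layered defense: validate first, then still use a parameterized query."""
    return lookup_parameterized(conn, validate_username(username))


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))      # every row leaks
    print("parameterized:", lookup_parameterized(conn, payload))  # no such user
    try:
        lookup_safe(conn, payload)
    except ValueError as e:
        print("safe:", e)
```

The `' OR '1'='1` payload turns the interpolated query into `WHERE username = '' OR '1'='1'` and dumps the whole table. The parameterized version returns nothing for the same input, and the validated version refuses it before the database is ever consulted, which is the behaviour an analyst wants to see after finding injection attempts in the logs.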
A security analyst identifies an employee who added an unauthorized wireless router to an office branch. After an investigation, the router is removed, and the employee is given mandatory retraining. Which of the following best describes this incident?
Shadow IT refers to technology deployed by users without official approval or oversight. Unauthorized hardware like a rogue router can introduce vulnerabilities and bypass security controls. Identifying and remediating Shadow IT is crucial to maintaining network integrity.
Which of the following techniques would attract the attention of a malicious attacker in an insider threat scenario?
Creating a false text file in /docs/salaries is a deception technique known as a honeyfile: a decoy document with no legitimate business use, named to look valuable, so that any read of it is a high-fidelity signal that someone is browsing for sensitive data rather than doing their job. Because no authorized workflow touches the file, alerting on access to it produces very few false positives.
While a user reviews their email, a host gets infected by malware that came from an external hard drive plugged into the host. The malware steals all the user's credentials stored in the browser. Which of the following training topics should the user review to prevent this situation from reoccurring?
Training on the proper use of removable media and cables can prevent malware infections from external devices.