Name:     ID: 
 
Email: 

Chapter4DE_44ABC

Multiple Choice
Identify the choice that best completes the statement or answers the question.
 

 1. 

(1 point) An organization wants to reduce the risk of password spraying. Which login setting directly slows an attacker after several failed attempts?
a.
Require password complexity.
b.
Require a maximum password age.
c.
Require a lockout period after a specified number of invalid login attempts.
d.
Require the system to store previous passwords.
 

 2. 

(1 point) A school district requires student passwords to include at least one uppercase letter, one number, and one symbol. Which setting are they enabling?
a.
Require a minimum password length.
b.
Require a lockout period after invalid attempts.
c.
Require a maximum password age.
d.
Require complexity in passwords (multiple character sets).
 

 3. 

(1 point) You are hardening a lab workstation. Which change most increases the time needed for a brute force tool to crack a password?
a.
Disable password history storage.
b.
Decrease the maximum password age.
c.
Allow passwords with only lowercase letters.
d.
Increase the minimum password length requirement.
 

 4. 

(1 point) A company wants to prevent users from rotating between the same two passwords every time they are prompted to change it. Which setting should be configured?
a.
Store previous user passwords to prevent reuse (password history).
b.
Require location-based authentication.
c.
Enable account lockout after invalid attempts.
d.
Require a maximum password age.
 

 5. 

(1 point) Which password would meet a policy requiring uppercase, lowercase, a number, and a special character?
a.
RIVERSTONE1
b.
Riverstone
c.
Riv3r!Stone
d.
riverstone
 

 6. 

(1 point) A policy says: 'Lock accounts for 10 minutes after 5 failed logins.' Which two factors are being configured?
a.
Minimum password length and password history count.
b.
Password history count and lockout duration.
c.
Invalid-attempt threshold and lockout duration.
d.
Maximum password age and complexity rules.
 

 7. 

(1 point) An attacker is trying 1,000 random passwords per minute against a login portal. Which configuration best reduces this attack without changing password content?
a.
Allow shorter passwords to reduce resets.
b.
Enable account lockout after 35 invalid login attempts.
c.
Require password changes every 30 days.
d.
Disable password complexity rules.
 

 8. 

(1 point) A hospital wants to ensure users do not reuse any of their last 10 passwords. Which setting should the administrator configure?
a.
Lock out users after 10 failed attempts permanently.
b.
Set maximum password age to 10 days.
c.
Set minimum password length to 10 characters.
d.
Store at least the last 10 password hashes as password history.
 

 9. 

(1 point) Which configuration most directly addresses the weakness of passwords that use only one or two character sets?
a.
Require maximum password age of 90 days.
b.
Require password history of 5 passwords.
c.
Require password complexity across uppercase, lowercase, numbers, and symbols.
d.
Require a 15-minute lockout after failed attempts.
 

 10. 

(1 point) An organization has frequent account lockouts in a busy call center because users mistype passwords. Which adjustment can reduce false lockouts while still discouraging brute force attacks?
a.
Reduce minimum password length to 6 characters.
b.
Remove the requirement for special characters.
c.
Disable the lockout feature completely.
d.
Increase the allowed invalid attempts before lockout (e.g., from 3 to 5) while keeping a lockout period.
 

 11. 

(1 point) A user's password might have been compromised. Which login setting helps limit how long a stolen password stays valid?
a.
Require a maximum password age (forced password change).
b.
Require password history storage.
c.
Require minimum password length.
d.
Require account lockout after invalid attempts.
 

 12. 

(1 point) Why does increasing password length generally improve security?
a.
Longer passwords remove the need for account lockout.
b.
Longer passwords automatically include special characters.
c.
Longer passwords take automated cracking tools longer to guess.
d.
Longer passwords prevent phishing.
 

 13. 

(1 point) You are configuring a Windows domain policy. Which setting would you select to stop users from choosing 'PasswordFall2028' patterns?
a.
Allow password reuse after 1 password change.
b.
Set maximum password age to 30 days.
c.
Disable password complexity requirements.
d.
Do not require periodic password changes unless there is evidence of compromise.
 

 14. 

(1 point) A policy requires: minimum 12 characters, complexity enabled, lockout after 5 invalid attempts for 15 minutes, and remember last 8 passwords. Which goal is NOT directly addressed by these settings?
a.
Reducing password reuse.
b.
Reducing the success of brute force attacks.
c.
Encrypting network traffic between devices.
d.
Limiting repeated login guessing attempts.
 

 15. 

(1 point) Which option is the best example of a special character set item for password complexity policies?
a.
@
b.
m
c.
Z
d.
9
 

 16. 

(1 point) A student account policy currently requires only 'at least 6 characters'. Which single change adds the most protection against dictionary attacks?
a.
Require complexity (uppercase, lowercase, number, symbol).
b.
Lock out after 20 invalid attempts.
c.
Store the last 2 passwords.
d.
Require maximum password age of 365 days.
 

 17. 

(1 point) A small business wants to prevent an attacker from continually guessing passwords overnight. Where should you place a detective or corrective control? (Choose the best login setting.)
a.
Disable password history to simplify resets.
b.
Allow passwords with fewer requirements to reduce help desk calls.
c.
Require password changes every 14 days.
d.
Configure account lockout after repeated invalid login attempts.
 

 18. 

(1 point) Which configuration is most likely to reduce successful credential stuffing if users reuse passwords across sites?
a.
Allow password reuse.
b.
Disable account lockout.
c.
Shorten minimum password length.
d.
Enable MFA (not a login setting listed here) and require strong, unique passwords with complexity and length.
 

 19. 

(1 point) An administrator sets the following rules: (1) deny all logins after 3 failures, (2) allow login attempts. What is the main issue with this configuration?
a.
Minimum length is too high.
b.
Password history is too large.
c.
Rule order/precedence is incorrect; the first rule blocks users before a valid attempt can be processed.
d.
Complexity is too strict.
 

 20. 

(1 point) Which setting specifically helps prevent a user from changing their password back to the same value immediately after a forced reset?
a.
Require a maximum password age.
b.
Store previous user password hashes and block reuse.
c.
Require a lockout period.
d.
Require a minimum password length.
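
The password-policy and lockout settings tested in questions 1 to 20, combined in one added example that is not part of the quiz. The class names PasswordPolicy and Account, the 12-character / 8-entry-history / 5-attempt / 15-minute defaults (taken from question 14) and the sample passwords (taken from question 5) are assumptions made for the demonstration; a real directory would enforce the same rules server-side.

```python
"""Password policy plus account lockout (added example; values are assumptions)."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SYMBOLS = set(string.punctuation)


@dataclass
class PasswordPolicy:
    min_length: int = 12            # minimum password length
    require_complexity: bool = True  # upper + lower + digit + symbol
    history_size: int = 8           # previous hashes that may not be reused
    lockout_threshold: int = 5      # invalid attempts before lockout
    lockout_seconds: int = 900      # lockout duration (15 minutes)


def character_sets(password: str) -> int:
    """Count how many of the four character classes the password draws from."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SYMBOLS for c in password),
    ))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so the history never stores a plaintext or an unsalted hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    policy: PasswordPolicy
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest first
    failed_attempts: int = 0
    locked_until: int = 0  # unix seconds; 0 means not locked

    def violations(self, candidate: str) -> List[str]:
        """Every policy rule the candidate breaks (an empty list means acceptable)."""
        problems = []
        if len(candidate) < self.policy.min_length:
            problems.append("too short")
        if self.policy.require_complexity and character_sets(candidate) < 4:
            problems.append("missing character set")
        for salt, old_digest in self.history[: self.policy.history_size]:
            if hmac.compare_digest(hash_password(candidate, salt)[1], old_digest):
                problems.append("reused password")
                break
        return problems

    def set_password(self, new_password: str) -> bool:
        """Accept the password only if it passes the policy; keep bounded history."""
        if self.violations(new_password):
            return False
        self.history.insert(0, hash_password(new_password))
        del self.history[self.policy.history_size:]
        return True

    def is_locked(self, now: int) -> bool:
        return now < self.locked_until

    def record_login(self, success: bool, now: int) -> bool:
        """Update lockout state after an attempt; return True if the account is locked."""
        if self.is_locked(now):
            return True
        if success:
            self.failed_attempts = 0  # a good login clears the counter
            return False
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.lockout_threshold:
            self.locked_until = now + self.policy.lockout_seconds
            self.failed_attempts = 0
            return True
        return False


if __name__ == "__main__":
    acct = Account(PasswordPolicy())
    for pw in ("RIVERSTONE1", "Riverstone", "Riv3r!Stone", "riverstone"):
        print(pw, "->", acct.violations(pw) or "ok")
    print("set:", acct.set_password("Riv3r!Stone-2024"))
    print("reuse:", acct.violations("Riv3r!Stone-2024"))
    for t in range(5):
        print("failure at", t, "locked:", acct.record_login(False, t))
```

Note that "Riv3r!Stone" satisfies complexity but fails the 12-character minimum, so a policy that only checks character sets (question 2) and one that also checks length (question 3) give different verdicts for the same password.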
 

 21. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A student laptop is on a public WiFi network at a coffee shop. Which configuration best adds protection even if the WiFi network is compromised?
a.
Disable the laptop's screen brightness to save battery.
b.
Turn off the laptop's Bluetooth only.
c.
Enable a host-based firewall on the laptop with rules to allow only needed services.
 

 22. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
Which statement best describes a host-based firewall?
a.
Software on a single device that allows or denies traffic into or out of that device based on rules.
b.
A physical appliance that filters traffic for an entire LAN at the network edge.
c.
A tool that encrypts wireless frames between a device and an access point.
 

 23. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A host-based firewall uses an access control list (ACL). What does 'rules are typically implemented top-to-bottom' mean?
a.
The first rule that matches the traffic is applied, and later rules are ignored for that traffic.
b.
Rules apply only after traffic is blocked by the router first.
c.
All rules are applied to the same traffic and then averaged.
 

 24. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A school wants to reduce risk on a student Windows computer that only needs web browsing and email. Which firewall approach best matches the guidance to 'block services not needed'?
a.
Allow all inbound traffic so apps work without troubleshooting.
b.
Block inbound traffic by default and allow only required inbound services (if any).
c.
Block all outbound traffic so no data can leave the device.
 

 25. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
An organization suspects an attacker gained remote access to a workstation and is trying to upload stolen files using FTP. Which host-based firewall rule best helps stop this exfiltration method?
a.
Deny inbound HTTPS traffic to the workstation.
b.
Allow inbound FTP traffic to the workstation.
c.
Deny outbound FTP traffic from the workstation.
 

 26. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A help desk tech adds these host-based firewall rules (top to bottom):
1) DENY outbound ALL
2) ALLOW outbound HTTPS (443)
What will happen to a user trying to browse secure websites?
a.
The user's HTTPS traffic will be allowed because HTTPS is common.
b.
The user's HTTPS traffic will be blocked because the first rule matches first.
c.
Only inbound HTTPS will be blocked, not outbound.
 

 27. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
Which set of criteria is commonly used in host-based firewall rules to decide whether to allow or deny traffic?
a.
CPU speed, RAM size, and storage capacity.
b.
Keyboard type, screen size, and battery health.
c.
Source/destination IP, port, protocol, service, or application.
 

 28. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A device runs a local web server for a class project on TCP port 8080. Which firewall action best supports the project while still limiting exposure?
a.
Allow inbound traffic to all ports so the project always works.
b.
Deny all outbound traffic so attackers cannot connect.
c.
Allow inbound TCP traffic to port 8080 and deny other unnecessary inbound ports.
 

 29. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A host-based firewall is most useful for which situation?
a.
A printer that only prints from USB drives.
b.
A laptop that moves between trusted and untrusted networks.
c.
A desktop that is never connected to any network.
 

 30. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A student sets a host-based firewall to 'Allow inbound' for a file-sharing app but forgets to restrict it. What is the main security concern?
a.
The device could accept unwanted inbound connections through that app's port or service.
b.
The device will stop sending any outbound traffic.
c.
The device will automatically encrypt all traffic.
 

 31. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
Which configuration best follows the principle 'Host firewalls should always block ports or services not needed for a given device'?
a.
Open additional ports in case the user installs new apps later.
b.
Keep all ports open but enable a screen lock.
c.
Close unused ports and allow only the few services the device actually uses.
 

 32. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A workstation needs to connect to an internal database at 10.20.30.40 on TCP port 5432. Which host firewall rule is the best match?
a.
Allow inbound TCP traffic from 10.20.30.40 on port 80.
b.
Deny outbound UDP traffic to 10.20.30.40 on port 5432.
c.
Allow outbound TCP traffic to 10.20.30.40 on port 5432.
 

 33. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A host-based firewall rule says: ALLOW inbound TCP 22 from 192.168.1.0/24. What is this rule most likely trying to allow?
a.
DNS queries from the local subnet to the device.
b.
SSH connections from the local subnet to the device.
c.
Web browsing to any website on the internet.
 

 34. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A school wants to protect student laptops from unsolicited inbound connections while still allowing students to access the internet. Which strategy best fits?
a.
Disable the host firewall and rely only on WiFi encryption.
b.
Allow inbound connections by default and block outbound web traffic.
c.
Block inbound connections by default and allow outbound connections needed for web and email.
 

 35. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A technician is writing firewall rules. Which ordering is safer if the goal is 'allow only SSH inbound and deny other inbound TCP'?
a.
ALLOW inbound TCP ALL, then DENY inbound TCP 22.
b.
ALLOW inbound TCP 22, then DENY inbound TCP ALL.
c.
DENY inbound TCP ALL, then ALLOW inbound TCP 22.
 

 36. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A host-based firewall can block outbound traffic. Why might that matter if an attacker already has access to the device?
a.
It can prevent the attacker from sending stolen data out using specific protocols or apps.
b.
It increases the device's screen resolution.
c.
It makes the WiFi signal stronger.
 

 37. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A student is deciding between a host-based firewall and a network-based firewall. Which statement is accurate?
a.
A host-based firewall only protects routers; a network firewall protects phones.
b.
A host-based firewall protects one device; a network-based firewall filters traffic for a network segment.
c.
A host-based firewall works only on WiFi; a network firewall works only on Ethernet.
 

 38. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A device is connected to a compromised network. Which control provides a 'last line' filter for that device's traffic?
a.
A host-based firewall on the device.
b.
A screen privacy filter on the laptop.
c.
A password manager installed on the device.
 

 39. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A host-based firewall rule filters by application. What does that mean in practice?
a.
The rule can allow or block traffic based on which program is generating it (e.g., browser vs. FTP client).
b.
The rule encrypts the app's data automatically.
c.
The rule can only block traffic if the user closes an app window.
 

 40. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A teacher's computer needs Remote Desktop from the IT subnet only. Which rule best fits?
a.
Allow inbound RDP from ALL IP addresses.
b.
Deny outbound HTTPS traffic from the computer.
c.
Allow inbound RDP only from the IT subnet and deny other inbound RDP.
 

 41. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A host firewall has these rules (top to bottom):
1) ALLOW inbound TCP 80 from ALL
2) DENY inbound TCP 80 from 203.0.113.0/24
What is the outcome for traffic from 203.0.113.5 to port 80?
a.
It will be denied because the second rule is more specific.
b.
It will be blocked only if it is UDP traffic.
c.
It will be allowed because the first rule matches and is applied first.
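
A first-match ACL evaluator for the rule sets in questions 23, 26, 35 and 41, as an added example that is not part of the quiz. The Rule class, evaluate function and the Q26/Q35/Q41 constants are names chosen here; 10.0.0.5 and 198.51.100.20 are assumed remote addresses for the demonstration. Each rule set is evaluated top to bottom exactly as question 23 describes, so the shadowing in questions 26 and 41 shows up as the index of the rule that actually decided.

```python
"""First-match evaluation of host-firewall rules (added example, not from the quiz)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

ANY = "ANY"


@dataclass(frozen=True)
class Rule:
    action: str                 # "ALLOW" or "DENY"
    direction: str              # "inbound" or "outbound"
    protocol: str               # "tcp", "udp", or ANY
    port: Union[int, str]       # destination port, or ANY
    source: str = "0.0.0.0/0"   # CIDR the remote address must fall in (ALL by default)

    def matches(self, direction: str, protocol: str, port: int, remote_ip: str) -> bool:
        return (self.direction == direction
                and self.protocol in (ANY, protocol)
                and self.port in (ANY, port)
                and ip_address(remote_ip) in ip_network(self.source))


def evaluate(rules: List[Rule], direction: str, protocol: str, port: int,
             remote_ip: str, default: str = "DENY") -> Tuple[str, Optional[int]]:
    """Walk the ACL top to bottom: the first matching rule decides and later rules are
    ignored. Returns (action, index of the deciding rule), or (default, None) when
    nothing matched and the implicit default-deny applied."""
    for index, rule in enumerate(rules):
        if rule.matches(direction, protocol, port, remote_ip):
            return rule.action, index
    return default, None


# Question 26: a blanket outbound deny above the HTTPS allow shadows it completely.
Q26_RULES = [Rule("DENY", "outbound", ANY, ANY),
             Rule("ALLOW", "outbound", "tcp", 443)]

# Question 35: the same two rules in both orders; only the second ordering lets SSH in.
Q35_UNSAFE = [Rule("DENY", "inbound", "tcp", ANY), Rule("ALLOW", "inbound", "tcp", 22)]
Q35_SAFE = [Rule("ALLOW", "inbound", "tcp", 22), Rule("DENY", "inbound", "tcp", ANY)]

# Question 41: the specific deny is never reached because the broad allow comes first.
# The fix is to place the exception above the general rule.
Q41_RULES = [Rule("ALLOW", "inbound", "tcp", 80),
             Rule("DENY", "inbound", "tcp", 80, "203.0.113.0/24")]
Q41_FIXED = list(reversed(Q41_RULES))


if __name__ == "__main__":
    print("Q26 HTTPS out:  ", evaluate(Q26_RULES, "outbound", "tcp", 443, "198.51.100.20"))
    print("Q35 unsafe SSH: ", evaluate(Q35_UNSAFE, "inbound", "tcp", 22, "10.0.0.5"))
    print("Q35 safe SSH:   ", evaluate(Q35_SAFE, "inbound", "tcp", 22, "10.0.0.5"))
    print("Q35 safe HTTP:  ", evaluate(Q35_SAFE, "inbound", "tcp", 80, "10.0.0.5"))
    print("Q41 as written: ", evaluate(Q41_RULES, "inbound", "tcp", 80, "203.0.113.5"))
    print("Q41 fixed:      ", evaluate(Q41_FIXED, "inbound", "tcp", 80, "203.0.113.5"))
```

The returned index is the practical check: when a rule you expect to fire never appears as the deciding index for any test packet, it is shadowed by something above it and the ACL needs reordering, not another rule.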
 

 42. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
Which action best describes 'configure a host-based firewall' in a real-world task?
a.
Change the desktop wallpaper to a warning message.
b.
Create and order allow/deny rules so only necessary inbound and outbound traffic is permitted.
c.
Install new RAM to improve performance.
 

 43. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A student laptop does not need file-sharing services. Which change best reduces attack surface using the host firewall?
a.
Block inbound traffic to file-sharing ports/services and allow only needed outbound traffic.
b.
Allow inbound file-sharing traffic so classmates can connect easily.
c.
Disable the firewall so the laptop runs faster.
 

 44. 

(1 point) 2.A Identify security controls, and explain how they could mitigate a given risk; 2.D Implement mitigations.
A host-based firewall rule says: DENY inbound UDP 53 from ALL. What kind of traffic is most likely being blocked?
a.
SSH traffic on TCP port 22.
b.
Web traffic on HTTPS port 443.
c.
DNS traffic arriving at the device on UDP port 53.
 

 45. 

(1 point) A Windows laptop is suspected of being compromised. Which log type would BEST help reconstruct what happened right before the incident?
a.
A list of installed fonts because malware often changes fonts
b.
Only the DNS cache because it shows all websites visited
c.
System and user activity logs that record login attempts, actions, downloads, and processes/settings changes
d.
Only the screen brightness settings because they show user behavior
 

 46. 

(1 point) Which statement BEST describes an indicator of compromise (IoC)?
a.
Evidence that suggests an adversary has compromised a device or network
b.
A network diagram showing device connections
c.
Any security tool used to block malware
d.
A password rule that prevents weak passwords
 

 47. 

(1 point) A teacher wants to see every attempted login on a Linux server. Which log should they review first?
a.
Browser history logs
b.
Printer queue logs
c.
Authentication (auth) logs
d.
Battery usage logs
 

 48. 

(1 point) Which finding is MOST clearly a host-based IoC from log and configuration review?
a.
A student forgets their password and requests a reset
b.
A new service starts automatically at boot even though no admin approved it
c.
The device clock is set to the correct time
d.
A file is saved to the Desktop by the user
 

 49. 

(1 point) A security analyst calculates the SHA-256 hash of an executable and it matches a known malware hash. This is an example of what type of IoC?
a.
Network-only IoC
b.
File-based IoC
c.
Behavior-based IoC
d.
Physical IoC
 

 50. 

(1 point) Which event is MOST likely a behavior-based IoC found in auth/access logs?
a.
A printer runs out of paper
b.
Hundreds of failed logins for one account in a short time window
c.
A monitor is set to sleep after 10 minutes
d.
A USB cable is plugged into a phone to charge
 

 51. 

(1 point) A server shows repeated 'invalid user' messages followed by a successful login. Why are auth logs useful in this situation?
a.
They automatically remove malware from the system
b.
They store backups of all user files for recovery
c.
They record attempted logins, helping identify password attacks and the timing of a compromise
d.
They encrypt network traffic between the server and clients
 

 52. 

(1 point) During an investigation, you need to know which processes were running and whether system settings were changed. Which data source is MOST appropriate?
a.
Only email inbox messages
b.
Only a list of open browser tabs
c.
System process and configuration logs
d.
Only the device's wallpaper history
 

 53. 

(1 point) An endpoint's configuration shows that Remote Desktop was enabled overnight without a change ticket. Which IoC category does this BEST fit?
a.
Host-based IoC (unauthorized configuration change)
b.
Network IoC (malicious IP)
c.
Physical IoC (tampered lock)
d.
File-based IoC (hash match)
 

 54. 

(1 point) A user account logs in successfully at 2:13 a.m. from a location never seen before. Which IoC type is this MOST likely?
a.
Behavior-based IoC (unusual login time/location)
b.
File-based IoC (malware filename)
c.
Environmental IoC (power surge)
d.
Hardware IoC (bad RAM)
 

 55. 

(1 point) Which evidence is BEST described as a file-based IoC?
a.
A WiFi signal is weak in one classroom
b.
A network switch reports high CPU usage
c.
An executable named 'svchosts.exe' appears in an unusual folder known to be used by malware
d.
An employee reports seeing a suspicious person near the server room
 

 56. 

(1 point) Why do defenders look for IoCs during incident response?
a.
To replace the need for user training
b.
To confirm or refute whether a compromise occurred and guide containment and remediation
c.
To increase internet speed on the network
d.
To reduce the cost of hardware upgrades
 

 57. 

(1 point) A workstation log shows a new admin account was created and added to the local Administrators group. What does this MOST likely indicate?
a.
Normal operating system patching
b.
A harmless user preference update
c.
Routine printer driver installation
d.
Unauthorized privilege escalation or account creation (host-based IoC)
 

 58. 

(1 point) Which combination of logs would BEST support reconstructing a timeline of an attack on a laptop?
a.
Only WiFi password history
b.
Only application crash logs
c.
Authentication logs + user activity logs + system process/configuration logs
d.
Only keyboard language settings
 

 59. 

(1 point) A student claims they never tried to log in after school. Which evidence can MOST directly confirm whether their account had login attempts?
a.
Screen resolution history
b.
Authentication logs showing timestamps and success/failure
c.
List of installed printers
d.
CPU temperature readings
 

 60. 

(1 point) A file server shows repeated access attempts to a restricted folder by a non-admin account. Which IoC category is this MOST likely?
a.
Hardware IoC (failing disk)
b.
Behavior-based IoC (unauthorized access attempts)
c.
Environmental IoC (humidity spike)
d.
File-based IoC (hash collision)
 

 61. 

(1 point) A security tool flags a file because its hash is identical to a known ransomware sample. What is the BEST immediate conclusion?
a.
The file must be safe because hashes can't be compared
b.
The file is malicious only if it is larger than 1 GB
c.
The file is harmless unless it was downloaded over WiFi
d.
The file is very likely malicious and should be isolated for further analysis
 

 63. 

(1 point) An auth log shows one username with 45 failed password attempts in 2 minutes from the same IP address. What is the most likely explanation?
a.
An online password attack against one account
b.
A normal password reset process
c.
A successful software update
d.
An offline password attack taking place on the attacker's computer
 

 64. 

(1 point) A server's auth log shows repeated failed login attempts for the same user followed by one successful login. What should be included in the incident report first?
a.
Evidence of DNS poisoning
b.
Proof that the user forgot their password
c.
A confirmed hardware failure
d.
Possible online password attack against that user account
 

 65. 

(1 point) A company learns that its user:password hash database was stolen. According to the framework, what should the security team assume?
a.
The database can be restored, so the passwords are safe
b.
Only admin passwords are at risk
c.
No action is needed because hashes cannot be cracked
d.
All passwords in the database should be considered insecure and all users should reset them
 

 66. 

(1 point) Which response best fits a report after a compromised password hash database is discovered?
a.
Recommend increasing screen timeout settings only
b.
Recommend deleting all authentication logs
c.
Recommend forcing password resets for all affected users
d.
Recommend ignoring the incident because the attacker does not know the plaintext passwords
 

 67. 

(1 point) A teacher normally logs in from Ohio between 7:00 a.m. and 4:00 p.m. The auth log shows a successful login from another country at 2:13 a.m. What is the best interpretation?
a.
The account was locked out due to failed attempts
b.
The teacher probably changed their keyboard settings
c.
The hash database was definitely stolen
d.
The password may be compromised because the login time and location are unusual
 

 68. 

(1 point) Which auth log pattern is most likely to suggest that a valid password is being used by someone other than the real user?
a.
A successful login from an unfamiliar IP address at an unusual time
b.
A scheduled login from the school's normal network
c.
A student account accessing a printer
d.
A failed login followed by a password reset request
 

 69. 

(1 point) A user successfully logs in from two distant locations within 15 minutes. What should a report say?
a.
This proves an offline password attack was detected
b.
This is expected for all remote workers
c.
This is a likely indicator that the account password has been compromised
d.
This shows the user enabled MFA successfully
 

 70. 

(1 point) A company notices repeated successful logins to one account from a residential IP never seen before, always after midnight. Which attack-related concern is strongest?
a.
The systems disk drive is failing
b.
The network firewall is blocking too much traffic
c.
The account password is too long
d.
The account password may have been stolen and is being used by an adversary
 

 71. 

(1 point) An auth log shows 120 usernames each making one failed login attempt from the same IP address within 90 seconds. Which password attack does this most likely indicate?
a.
Credential stuffing with default credentials
b.
Ransomware
c.
Password spraying
d.
Offline brute-force cracking
 

 72. 

(1 point) Why is the following log pattern suspicious: many users each have one failed login from the same unusual IP address?
a.
It matches the behavior of password spraying
b.
It shows that the users forgot their passwords at the same time
c.
It proves the accounts were all reset by IT
d.
It is evidence that the Wi-Fi signal is weak
 

 73. 

(1 point) A report needs to explain why one failed login per user across many accounts can still be dangerous. Which explanation is best?
a.
Password spraying tries a common password on many accounts to avoid lockouts on any single account
b.
Credential stuffing always uses only one username
c.
Offline attacks create no auth log entries, so this must be harmless
d.
Password spraying always shows many passwords for one user
 

 74. 

(1 point) Which log detail best helps distinguish password spraying from a single-user brute-force login attempt?
a.
One file hash matches known malware
b.
One username has many failed passwords from the same IP
c.
One user changes their password after a reset
d.
Many different usernames are targeted from the same IP in a short time
 

 75. 

(1 point) A device log shows attempts for admin:admin, admin:password, root:root, and user:user in quick succession from one IP. What attack is most likely being attempted?
a.
A normal login test
b.
Credential stuffing using default or commonly reused credentials
c.
Password spraying
d.
Offline dictionary cracking
 

 76. 

(1 point) Which report statement best matches credential stuffing behavior in logs?
a.
A stolen password hash database was detected in auth logs
b.
Many default or leaked user:password combinations were tried quickly from the same IP address
c.
A user logged in late at night from their usual IP address
d.
One password was tried against many user accounts from one IP address
 

 77. 

(1 point) How is credential stuffing different from password spraying in the logs?
a.
Credential stuffing can only be seen in offline attacks
b.
Credential stuffing never uses the same IP address twice
c.
Credential stuffing shows many user:password combinations being tried, often default or stolen credentials
d.
Credential stuffing shows one password tried against many accounts
 

 78. 

(1 point) A network camera's auth log shows rapid attempts with common default credentials. What is the most likely risk if one attempt succeeds?
a.
An attacker may gain access by using common default credentials that were never changed
b.
The device will shut itself down safely
c.
The attack must be offline because it uses usernames
d.
The device's password hashes will automatically reset
 

 79. 

(1 point) Why can't offline password attacks be detected in auth logs?
a.
They are blocked automatically by account lockout
b.
They always use a valid username and password the first time
c.
They only target wireless networks
d.
They take place on the attacker's own computer, not through the target's live login system
 

 80. 

(1 point) A security analyst says, 'We will detect the attacker cracking our stolen password database by watching login failures.' Why is this incorrect?
a.
Offline cracking is the same as password spraying
b.
Offline cracking happens away from the system, so the target's auth logs will not show those attempts
c.
Auth logs record all activity on every computer in the world
d.
The hash database cannot be attacked if passwords are long
 

 81. 

(1 point) A report should explain why there are no authentication log entries even though a stolen password database is being attacked. Which statement is best?
a.
The attacker is performing an offline attack on their own machine, so the target system does not log the guesses
b.
The system only records successful logins, not failures
c.
The attacker deleted the logs from the target system automatically
d.
The attacker is using MFA to hide the log entries
 

 82. 

(1 point) Which event would most likely happen without creating login attempts in the victims auth log?
a.
An offline password cracking attack against a stolen hash database
b.
Password spraying against a school portal
c.
A brute-force attack against a webmail portal
d.
Credential stuffing against a router login page
 

 83. 

(1 point) One account shows 80 failed passwords in five minutes from the same address. Which attack pattern best fits?
a.
Offline attack
b.
Password spraying
c.
Credential stuffing with defaults
d.
Online password attack targeting one user
 

 84. 

(1 point) Five hundred accounts each show exactly one failed login from the same address. Which attack pattern best fits?
a.
A file-based IoC
b.
Offline hash cracking
c.
Single-user brute force
d.
Password spraying
 

 85. 

(1 point) A router log shows a sequence like root:root, admin:admin, support:support, guest:guest. Which attack pattern best fits?
a.
Credential stuffing using default credentials
b.
Password spraying
c.
Offline dictionary attack
d.
Impossible travel
 

 86. 

(1 point) A user logs in successfully from their normal school IP every day, but one day a successful login appears from an unfamiliar IP in another state. What is the best explanation?
a.
This is evidence of an offline attack
b.
The password may be compromised because the location/IP is unusual
c.
This is normal because successful logins are never suspicious
d.
This proves a password spraying attack occurred
 

 87. 

(1 point) A school portal log shows one student account had 30 failed logins followed by a success. Which immediate action should be recommended in the report?
a.
Delete the auth logs to protect privacy
b.
Ignore the event because the correct password was eventually used
c.
Disable or reset the account and investigate possible compromise
d.
Treat it as an offline attack and take no portal action
 

 88. 

(1 point) A report notes that many staff accounts had one failed login from the same unusual IP within one minute. What should the analyst recommend first?
a.
Force a device reboot on all staff laptops only
b.
Rebuild the DNS server
c.
Block or investigate the source IP and review for password spraying
d.
Delete previous password history
 

 89. 

(1 point) If a password hash database is stolen, why is forcing a reset still necessary even before any cracked passwords are confirmed?
a.
Because all stored passwords should be treated as insecure once the hash database is compromised
b.
Because hashes automatically become plaintext after a breach
c.
Because the database theft can be detected only in auth logs
d.
Because stolen hashes prove every account was already logged into
 

 90. 

(1 point) Why is a login at an unusual time not always proof of compromise by itself?
a.
Context matters; it is an indicator that should be investigated along with other evidence
b.
Only failed logins can indicate password attacks
c.
Time-based log entries are never reliable
d.
Unusual times always mean the user forgot their password
 

 91. 

(1 point) Which log sequence would most strongly suggest credential stuffing rather than password spraying?
a.
One failed password each for 100 user accounts from one IP
b.
admin:admin, admin:1234, admin:password, root:root tried quickly on one device
c.
No auth log entries at all
d.
Fifty failed passwords for one user from one IP
 

 92. 

(1 point) A student writes, 'No suspicious auth log entries means no password attack happened.' How should this be corrected in a report?
a.
Credential stuffing never produces auth log entries
b.
Password spraying only happens after MFA is enabled
c.
Offline password attacks against stolen hashes would not appear in the target's auth logs
d.
Auth logs record every password guess anywhere on the internet
 

 93. 

(1 point) Your organization wants passwords that are 'harder to crack' without making users change them frequently. Which combination best fits?
a.
Require minimum length + require complexity.
b.
Require maximum password age of 30 days only.
c.
Require lockout only.
d.
Require password history only.
 

 94. 

(1 point) A password policy says: 'Users must change passwords every 90 days.' According to the note in the EK, what is a potential downside of this requirement?
a.
Users may create predictable patterns (e.g., PasswordFall2028).
b.
Hashes will no longer be used.
c.
Passwords will automatically become shorter.
d.
Account lockouts will be disabled.
 

 95. 

(1 point) Which login setting is most directly aimed at stopping automated tools from continuously trying random passwords?
a.
Account lockout after a specified number of invalid attempts.
b.
Minimum password length.
c.
Maximum password age.
d.
Password history storage.
 

 96. 

(1 point) An IT team is deciding between: (A) minimum length 14, no complexity, and (B) minimum length 8 with complexity. Which choice is generally stronger against brute force attacks, assuming users choose random passwords?
a.
Minimum length 14 (longer passwords generally take longer to crack).
b.
Neither matters because lockout is the only protection.
c.
Both are equally strong.
d.
Minimum length 8 with complexity is always stronger.
 

 97. 

(1 point) A device must allow outbound web browsing but should block outbound FTP. Which rule set best matches that requirement?
a.
ALLOW inbound TCP 443; ALLOW inbound TCP 80; DENY inbound TCP 21; DENY inbound TCP 20
b.
ALLOW outbound TCP 443; ALLOW outbound TCP 80; DENY outbound TCP 21; DENY outbound TCP 20
c.
DENY inbound TCP 443; DENY inbound TCP 80; ALLOW outbound TCP 21; ALLOW outbound TCP 20
d.
DENY outbound TCP 443; ALLOW outbound TCP 21; ALLOW outbound TCP 20; ALLOW outbound TCP 80
 

 98. 

(1 point) A host-based firewall is configured to deny inbound traffic for an app used for video calls. Users report they cannot receive calls. What is the most likely explanation?
a.
The WiFi password is too strong.
b.
The inbound deny rule is blocking the app's required inbound connections.
c.
The device's keyboard settings are incorrect.
d.
The device needs a larger hard drive.
 

 99. 

(1 point) An organization wants to allow SSH only from a specific admin computer (10.0.0.50). Which rule is best?
a.
DENY inbound TCP 22 from ALL; then ALLOW inbound TCP 22 from 10.0.0.50.
b.
ALLOW outbound TCP 22 to 10.0.0.50; then DENY outbound TCP 22 to ALL.
c.
ALLOW inbound TCP 22 from ALL; then DENY inbound TCP 22 from 10.0.0.50.
d.
ALLOW inbound TCP 22 from 10.0.0.50; then DENY inbound TCP 22 from ALL.
 

 100. 

(1 point) Which scenario best shows why a host-based firewall is different from a network firewall?
a.
A server encrypts a drive with full disk encryption.
b.
A router changes a public IP address to a private IP address for all devices.
c.
A switch forwards frames based on MAC addresses.
d.
A laptop blocks outbound traffic for one app even though the network firewall allows it.
 



 