
CompTIA Security Plus Certification Exam Version 5 Questions

5 questions
1. A company filed a complaint with its IT service provider after the company discovered the service provider’s external audit team had access to some of the company’s confidential information. Which of the following is the most likely reason the company filed the complaint?
A. The MOU had basic clauses from a template.
B. A SOW had not been agreed to by the client.
C. A WO had not been mutually approved.
D. A required NDA had not been signed. Correct
Explanation
A required NDA had not been signed is the most likely reason. An NDA (non-disclosure agreement) is the document that legally binds the parties to keep shared confidential information secret and not misuse it, and its obligations are normally flowed down to any third party the provider brings in, such as an external audit team. When that audit team handles sensitive company data without an NDA in place, there is no contractual protection against leaks or misuse, which violates the client's confidentiality expectations and is a common trigger for complaints in vendor relationships. An MOU (memorandum of understanding) built from template clauses is not the issue because an MOU is only a high-level statement of cooperation and intent, not a binding contract for protecting confidential data. An unsigned SOW is irrelevant because a statement of work defines scope, deliverables, and timelines, not confidentiality protections. A WO (work order) that was not mutually approved is also not the cause because a work order authorizes specific tasks under an existing contract and does not address access to or protection of confidential information.
2. A Chief Information Security Officer (CISO) wants to explicitly raise awareness about the increase of ransomware-as-a-service in a report to the management team. Which of the following best describes the threat actor in the CISO’s report?
A. Insider threat
B. Hacktivist
C. Nation-state
D. Organized crime Correct
Explanation
Organized crime best describes the threat actor because ransomware-as-a-service (RaaS) is a criminal business model: developers sell or rent ransomware tooling to affiliates on dark-web markets, so even non-technical criminals can launch attacks, and the two sides share the proceeds. These groups operate like structured enterprises, with affiliate programs, victim "customer support" portals, laundering of payments through cryptocurrency, and reinvestment in new tooling, all driven by financial gain. An insider threat is an employee or other trusted party who misuses legitimate access, typically out of grievance or for personal gain, not someone operating or subscribing to a RaaS platform. Hacktivists act for political or ideological reasons, such as defacements or leaks that make a statement, not for financial extortion through ransomware services. Nation-states are primarily motivated by geopolitical advantage (espionage, sabotage, strategic operations) rather than by running a public, profit-driven RaaS program, which is why organized crime is the best fit for the CISO's report.
3. After a company was compromised, customers initiated a lawsuit. The company's attorneys have requested that the security team initiate a legal hold in response to the lawsuit. Which of the following describes the action the security team will most likely be required to take?
A. Retain the emails between the security team and affected customers for 30 days.
B. Retain any communications related to the security breach until further notice. Correct
C. Retain any communications between security members during the breach response.
D. Retain all emails from the company to affected customers for an indefinite period of time.
Explanation
Retaining any communications related to the security breach until further notice is the correct action because a legal hold (litigation hold) is a formal preservation notice that requires the organization to immediately suspend normal deletion or overwriting of all potentially relevant evidence (emails, logs, reports, memos, chats, documents) related to the incident. In practice this means pausing retention schedules, mailbox auto-deletion, and automated log rotation for the affected sources, not just asking staff to keep copies. The hold continues until the legal matter is resolved or counsel lifts it, which is why "until further notice" is the right scope; deleting evidence while a hold is in effect exposes the company to spoliation sanctions. Limiting retention to emails between the security team and affected customers for 30 days is too narrow and time-limited, since legal holds have no fixed short expiration. Keeping only internal security team communications during the breach response is also too limited because relevant evidence includes customer notifications, executive discussions, vendor correspondence, and more. Retaining all outbound emails to customers indefinitely is incorrect because legal holds are not permanent, ending when the matter concludes, and that option also excludes other important breach-related records.
4. Which of the following technologies must be used in an organization that intends to automate infrastructure deployment?
A. IaC Correct
B. IaaS
C. IoC
D. IoT
Explanation
IaC (Infrastructure as Code) must be used because it lets an organization define, provision, and manage infrastructure through machine-readable definition files (for example Terraform, Ansible, or CloudFormation) instead of manual configuration. Those files can be versioned, peer-reviewed, and applied repeatedly, which gives automated, consistent deployment of servers, networks, databases, and entire environments. IaaS (Infrastructure as a Service) provides virtualized computing resources in the cloud (such as AWS EC2 or Azure VMs); it is a service model that IaC tooling often targets, but it is not itself the technology that automates deployment. IoC (Indicator of Compromise) refers to forensic artifacts that indicate a breach and is unrelated to infrastructure automation. IoT (Internet of Things) involves connected devices and sensors, not automating server or network deployment.
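Because infrastructure is declared in a file, it can be checked before it is applied, which is the security payoff of IaC that the explanation only implies. The following is an added example, not code from the page or from any IaC vendor: a policy check that reads a Terraform JSON-syntax definition (the shape Terraform accepts in `.tf.json` files) and flags security groups that expose administrative ports to the whole Internet. The sample definition, resource names, CIDRs, and the list of "admin" ports are constructed assumptions for this example.

```python
"""Policy-as-code check over a Terraform JSON-syntax definition (added example)."""
import ipaddress
import json

# Constructed sample: a weak security group (SSH open to the world) next to a
# hardened one that only admits a management prefix. Names and CIDRs are
# illustrative, not taken from any real deployment.
TERRAFORM_JSON = """
{
  "resource": {
    "aws_security_group": {
      "weak_sg": {
        "name": "weak-sg",
        "ingress": [
          {"from_port": 22,  "to_port": 22,  "protocol": "tcp",
           "cidr_blocks": ["0.0.0.0/0"]},
          {"from_port": 443, "to_port": 443, "protocol": "tcp",
           "cidr_blocks": ["0.0.0.0/0"]}
        ]
      },
      "hardened_sg": {
        "name": "hardened-sg",
        "ingress": [
          {"from_port": 22,  "to_port": 22,  "protocol": "tcp",
           "cidr_blocks": ["10.20.0.0/24"]},
          {"from_port": 443, "to_port": 443, "protocol": "tcp",
           "cidr_blocks": ["0.0.0.0/0"]}
        ]
      }
    }
  }
}
"""

# Ports that should never be reachable from every address. 443 is deliberately
# absent: a public HTTPS listener is usually intended. Assumed list for the demo.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


def _is_world(cidr: str) -> bool:
    """True for a prefix that covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _rule_ports(rule: dict) -> range:
    """Expand a Terraform ingress rule to the port range it admits."""
    lo, hi = int(rule["from_port"]), int(rule["to_port"])
    if lo == 0 and hi == 0:          # Terraform convention for "all ports"
        return range(0, 65536)
    return range(lo, hi + 1)


def check_security_groups(tf_json: str) -> list:
    """Return (sg_name, port, service) for each admin port open to 0.0.0.0/0 or ::/0."""
    doc = json.loads(tf_json)
    findings = []
    groups = doc.get("resource", {}).get("aws_security_group", {})
    for sg_name, sg in groups.items():
        for rule in sg.get("ingress", []):
            sources = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
            if not any(_is_world(c) for c in sources):
                continue                     # restricted source: acceptable
            ports = _rule_ports(rule)
            for port, service in ADMIN_PORTS.items():
                if port in ports:
                    findings.append((sg_name, port, service))
    return findings


if __name__ == "__main__":
    for sg, port, service in check_security_groups(TERRAFORM_JSON):
        print(f"FAIL {sg}: {service}/{port} reachable from any address")
```

A check like this runs in the pipeline before `terraform apply`, so the misconfiguration is caught at review time rather than discovered on a live host; the same file is also the record of what was deployed, which is what makes drift detection and audit possible.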
5. Which of the following is a security implication of using SDN over traditional methods?
A. Network device configuration can be dynamically adjusted to react to a detected security threat. Correct
B. Network alerting and reporting is reduced due to lack of integration with analysis tools.
C. Network intrusion detection results in increased false positives or false negatives.
D. Network infrastructure is outsourced to a third-party vendor better suited to maintaining security.
Explanation
The ability to adjust network device configuration dynamically in response to a detected threat is the key security implication of SDN (Software-Defined Networking). SDN separates the control plane from the data plane and puts a centralized, programmable controller in charge of the forwarding rules on every device. A detection system can therefore trigger automated, real-time responses such as isolating a compromised segment, redirecting suspect traffic to an inspection point, or pushing a new policy to every switch at once, which is a major improvement over the static, manually edited configurations of traditional networking. The trade-off a practitioner should note is that the controller and its APIs become a high-value target, so they need strong authentication and protected channels to the devices they manage. SDN does not reduce alerting and reporting; its APIs and centralized visibility generally improve integration with analysis tools. It does not inherently increase false positives or false negatives in intrusion detection; better visibility into flows can reduce them. And SDN does not require outsourcing the infrastructure to a third party; it can run entirely on premises or in a hybrid deployment.
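To make the mechanism concrete, here is an added example that is not from the page and is not a real SDN controller: a simplified model in which a switch holds a priority-ordered flow table and a controller, on receiving an IDS alert, installs higher-priority quarantine rules instead of an operator editing device configuration by hand. The host addresses, the remediation server, the alert contents, and the priority numbers are constructed assumptions; a real deployment would push equivalent rules over a southbound protocol such as OpenFlow.

```python
"""Simplified model of an SDN controller reacting to a detection event (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    priority: int
    src: Optional[str]      # None = wildcard
    dst: Optional[str]
    action: str             # "forward" or "drop"


@dataclass
class Switch:
    """Data plane: matches packets against its table, highest priority first."""
    name: str
    table: list = field(default_factory=list)

    def install(self, flow: Flow) -> None:
        self.table.append(flow)
        self.table.sort(key=lambda f: -f.priority)   # stable: keeps insert order on ties

    def lookup(self, src: str, dst: str) -> str:
        for f in self.table:
            if f.src in (None, src) and f.dst in (None, dst):
                return f.action
        return "drop"   # table miss (a real switch would punt to the controller)


class Controller:
    """Control plane: the only component that writes flow tables."""
    QUARANTINE_PRIORITY = 1000   # assumed value, above the default rule

    def __init__(self, switches, remediation_host: str):
        self.switches = switches
        self.remediation_host = remediation_host
        self.quarantined = set()
        for sw in switches:
            sw.install(Flow(1, None, None, "forward"))   # baseline: forward everything

    def on_alert(self, alert: dict) -> bool:
        """Automated response: quarantine the flagged host on every switch.

        The host keeps a path to the remediation server only; all other
        traffic to or from it is dropped. Returns True if rules were pushed."""
        if alert.get("severity") not in ("high", "critical"):
            return False                       # leave low-severity noise to analysts
        host = alert["src"]
        if host in self.quarantined:
            return False                       # idempotent on repeated alerts
        for sw in self.switches:
            sw.install(Flow(self.QUARANTINE_PRIORITY, host, self.remediation_host, "forward"))
            sw.install(Flow(self.QUARANTINE_PRIORITY - 1, host, None, "drop"))
            sw.install(Flow(self.QUARANTINE_PRIORITY - 1, None, host, "drop"))
        self.quarantined.add(host)
        return True


def run_scenario() -> dict:
    """Constructed scenario: one edge switch, one compromised host, one alert."""
    edge = Switch("edge-1")
    ctrl = Controller([edge], remediation_host="10.0.0.250")
    alert = {"src": "10.0.0.5", "severity": "high",
             "signature": "constructed: beaconing to known C2 pattern"}
    before = edge.lookup("10.0.0.5", "10.0.0.9")
    acted = ctrl.on_alert(alert)
    return {
        "before": before,                                        # forward
        "acted": acted,                                          # True
        "after": edge.lookup("10.0.0.5", "10.0.0.9"),            # drop
        "to_remediation": edge.lookup("10.0.0.5", "10.0.0.250"), # forward
        "inbound": edge.lookup("10.0.0.9", "10.0.0.5"),          # drop
        "unaffected": edge.lookup("10.0.0.7", "10.0.0.9"),       # forward
        "repeat": ctrl.on_alert(alert),                          # False
        "low_sev": ctrl.on_alert({"src": "10.0.0.8", "severity": "low"}),  # False
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:>15}: {v}")
```

The point of the model is where the change originates: the alert is turned into forwarding rules by the controller and applied to every switch in one step, without anyone logging in to a device. It also shows why the controller is the asset to protect, since anything that can call `on_alert` (or the real northbound API) can reshape the network.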