SY0-701 CompTIA Security Plus Certification Exam Version 1 Questions

5 questions
1. A company's antivirus solution is effective in blocking malware but often has false positives. The security team has spent a significant amount of time on investigations but cannot determine a root cause. The company is looking for a heuristic solution. Which of the following should replace the antivirus solution?
A. SIEM
B. EDR Correct
C. DLP
D. IDS
Explanation
The current antivirus uses signature-based detection, which causes false positives because it flags harmless files that match known malware patterns. A heuristic solution looks at behavior, not just signatures. EDR (Endpoint Detection and Response) monitors real-time activity on devices and uses behavior analysis to detect suspicious actions—even if the file isn’t known malware. This reduces false positives and gives context for investigations. A (SIEM) is wrong—it collects logs but doesn’t replace antivirus or do heuristic detection. C (DLP) prevents data leaks, not malware. D (IDS) watches network traffic, not endpoint behavior.
2. During a penetration test in a hypervisor, the security engineer is able to use a script to inject a malicious payload and access the host filesystem. Which of the following best describes this vulnerability?
A. VM escape Correct
B. Cross-site scripting
C. Malicious update
D. SQL injection
Explanation
VM escape means an attacker breaks out of a virtual machine (guest) to access the host system (hypervisor). That’s exactly what happened—using a script to reach the host filesystem. B (XSS) is a web attack injecting code into a browser. C (malicious update) is fake software patches. D (SQL injection) targets databases. Only A matches the hypervisor breakout.
3. An administrator at a small business notices an increase in support calls from employees who receive a blocked page message after trying to navigate to a spoofed website. Which of the following should the administrator do?
A. Deploy multifactor authentication.
B. Decrease the level of the web filter settings.
C. Implement security awareness training. Correct
D. Update the acceptable use policy.
Explanation
Employees are clicking spoofed (fake) websites that look real—this is phishing. The web filter blocks them, which is good, but users keep trying. The root problem is lack of knowledge. Security awareness training teaches users to spot fake URLs and suspicious emails and to avoid clicking them. A (MFA) helps login security, not phishing. B (lowering filter) would allow dangerous sites. D (AUP update) sets rules but doesn’t teach recognition.
4. Which of the following strategies most effectively protects sensitive data at rest in a database?
A. Hashing Correct
B. Masking
C. Tokenization
D. Obfuscation
Explanation
Data at rest means data stored in the database. Hashing turns data into a fixed-length code (e.g., password → SHA-256 hash). It’s one-way—you can’t reverse it. This is best for passwords or sensitive fields where you only need to compare (not see) the original. B (masking) hides parts (e.g., XXXX-1234) but can be reversed. C (tokenization) replaces data with a token but needs a secure vault to retrieve the original. D (obfuscation) scrambles but can often be undone. Hashing gives the strongest protection with no recovery needed for verification.
5. An employee from the accounting department logs in to the website used for processing the company's payments. After logging in, a new desktop application automatically downloads on the employee's computer and causes the computer to restart. Which of the following attacks has occurred?
A. XSS
B. Watering hole Correct
C. Typosquatting
D. Buffer overflow
Explanation
A watering hole attack infects a trusted website (here, the payment site) so that when legitimate users visit, they get malware. The site was compromised—after login, a malicious app downloads and forces a restart. A (XSS) runs script in the browser; it does not download apps. C (typosquatting) is fake domain names. D (buffer overflow) is a memory exploit, not an automatic download.
