Which statement best distinguishes a Host-Based Intrusion Detection System (HIDS) from a Network-Based Intrusion Detection System (NIDS)?
Network-Based is installed on an individual endpoint to monitor all inbound/outbound traffic of that device.
Host-Based is installed on an individual endpoint to monitor all inbound/outbound traffic of that traffic.
Host-Based directly integrates with the endpoint and is known as the last line of defense.
Network-Based directly integrates with the endpoint and is known as the last line of defense.
A HIDS directly integrates with an endpoint or host and monitors activity on that system. It can evaluate logs, file changes, processes, authentication activity, configuration changes, and local indicators that may not be visible on the network. This makes it a last line of defense because it can detect suspicious activity after traffic has reached the host or when malicious activity occurs locally. A NIDS monitors traffic on a network segment rather than being installed on each individual endpoint. Answer A incorrectly describes network-based detection as endpoint-installed. Answer B is awkwardly worded and less precise than answer C. Answer D incorrectly assigns endpoint integration to NIDS. HIDS and NIDS are complementary. NIDS provides broad network visibility, while HIDS provides deep host-level visibility. Security teams use both types of telemetry to understand attack scope and confirm whether suspicious network behavior resulted in endpoint compromise. Reference/topics: Cybersecurity 1.4, IDS, HIDS, and NIDS; Endpoint Security 4.3, host-based controls.
What is a function of an Intrusion Detection System (IDS)?
Rejecting connections deemed anomalous
Filtering outbound malicious TCP packets
Monitoring network traffic for specific patterns
Dropping inline network packets
An Intrusion Detection System monitors traffic or host activity and generates alerts when it identifies suspicious patterns. The correct answer is monitoring network traffic for specific patterns because detection is the central IDS function. An IDS can use signatures, anomaly detection, protocol analysis, or behavioral indicators to identify potential attacks. However, unlike an IPS, a traditional IDS is not usually placed inline to block traffic. Rejecting connections, filtering malicious packets, and dropping inline packets are prevention or enforcement actions more closely associated with an IPS or firewall. IDS alerts are valuable to security operations because they create visibility into attempted attacks, policy violations, scanning activity, or suspicious behavior that may require investigation. A NIDS monitors network traffic, while a HIDS monitors activity on a specific host. The certification expects candidates to distinguish detection systems from prevention systems and understand where each operates. Reference/topics: Cybersecurity 1.4, IDS, HIDS, and NIDS; Cybersecurity 1.5, threat prevention systems.
How does antivirus software contribute to endpoint security?
By enforcing strong password security policies for user account access
By filtering unsolicited commercial email from a user’s inbox
By scanning files and programs for known malware signatures
By creating secure, isolated environments for untested applications
Antivirus software contributes to endpoint security by scanning files, programs, and sometimes memory or processes for known malware signatures and suspicious patterns. Signature-based detection compares observed files or code characteristics against known malicious indicators. This helps identify viruses, trojans, worms, spyware, and other malicious software before or during execution. Antivirus may also include heuristic or behavioral detection, but the answer specifically identifies known malware signatures, which is a classic antivirus function. Strong password policies are part of identity security, not antivirus. Filtering unsolicited commercial email is a function of email security or spam filtering. Isolating untested applications describes sandboxing or application isolation rather than standard antivirus scanning. Antivirus remains a basic endpoint control, although modern endpoint protection platforms often add behavior analytics, exploit prevention, device control, and response capabilities. The objective is to reduce the chance that malicious files can execute or persist on user systems. Reference/topics: Endpoint Security 4.3, antivirus and endpoint security components; Cybersecurity 1.5, threat prevention practices.
Which metric measures how long it takes a security team to detect a cybersecurity incident?
MTTR
MTTD
MFA
NAT
MTTD, or mean time to detect, measures how long it takes a security team to discover a cybersecurity incident or suspicious activity. A lower MTTD indicates that detection controls, monitoring processes, alert quality, and analyst workflows are working effectively. MTTD is important because attackers often cause more damage the longer they remain undetected. MTTR, or mean time to respond or recover, measures how long it takes to respond to or recover from an incident after detection. MFA is multi-factor authentication, an identity security control used to strengthen login security. NAT is network address translation, which converts one IP address to another. Security operations teams use metrics such as MTTD and MTTR to evaluate SOC performance, improve alerting, tune detection logic, and reduce operational delays. Strong logging, SIEM correlation, endpoint telemetry, threat intelligence, and automation can help reduce detection time. Reference/topics: Security Operations, SOC metrics, MTTD, MTTR, incident detection and response.
What is the primary purpose of an Intrusion Prevention System (IPS)?
Detecting malicious traffic before reaching trusted network
Filtering malicious traffic before reaching trusted network
Building code for server infrastructure
Deploying scanners for server infrastructure
An Intrusion Prevention System is designed to inspect traffic and actively stop malicious activity before it reaches protected systems. The key distinction is prevention: an IPS can block, drop, reset, or otherwise filter traffic that matches known exploit patterns, malicious signatures, protocol anomalies, or policy violations. Answer A describes detection, which is closer to the function of an IDS. An IDS monitors and alerts, while an IPS operates inline and can enforce a blocking decision. Building code for server infrastructure and deploying scanners are not IPS functions. In practice, IPS capabilities are often integrated into next-generation firewalls so that threat prevention occurs at network enforcement points. IPS is especially important for reducing exploit exposure against servers, applications, and internal systems because it can interrupt attacks in transit. However, IPS does not replace patching; it reduces risk while vulnerabilities are being fixed or when unknown exposure exists. Reference/topics: Cybersecurity 1.5, intrusion prevention systems; Cybersecurity 1.4, IDS/HIDS/NIDS comparison.
What does continuous integration and continuous delivery/deployment (CI/CD) improve for an organization?
Network threat alert potential
API interaction optimization
Secure development pipeline
Storage quotas for code
CI/CD improves the secure development pipeline by making software build, test, delivery, and deployment processes more automated, repeatable, and controlled. Continuous integration encourages developers to merge code frequently into a shared repository where automated tests and checks can run. Continuous delivery keeps software in a deployable state, while continuous deployment can automatically release changes that pass required tests. Security can be embedded into this pipeline through static analysis, dependency scanning, container image scanning, secrets detection, infrastructure-as-code checks, and policy gates. The goal is not merely faster software delivery, but safer and more reliable delivery. Network threat alert potential is a SOC concern, not the primary CI/CD outcome. API interaction optimization may occur in development, but it is too narrow. Storage quotas for code are repository management settings. Secure CI/CD reduces late-stage security surprises and helps organizations detect weaknesses earlier when they are cheaper and easier to fix. Reference/topics: Cloud Security 5.6, CI/CD; Identity Security 7.4.2, CI/CD pipeline secrets.
What is commonly associated with endpoint security?
Antivirus
Syslog
Virtual Machine (VM)
Data Loss Prevention (DLP)
Antivirus is commonly associated with endpoint security because it protects user devices and hosts from known malicious software. It scans files, applications, and sometimes active processes for malware signatures or suspicious behavior. Endpoint security controls are deployed on or near devices such as laptops, desktops, mobile devices, and servers. Syslog is a logging protocol used to transmit events to collectors and is more closely associated with security operations. A virtual machine is a cloud or virtualization concept and may be protected by endpoint tools, but it is not itself an endpoint security component. DLP can protect data on endpoints, networks, and cloud services, but in the course objective structure, antivirus is the clearest endpoint security component. Endpoint security is critical because endpoints are where users interact with applications, open files, browse websites, and authenticate to services. They are often the first point of compromise and the last line of defense. Reference/topics: Endpoint Security 4.3, antivirus; Endpoint Security 4.2, endpoint security objectives.
What is a desired outcome of automation in a security operations center (SOC)?
Increased number of alerts
Increased MTTR
Increased efficiency
Increased false positives
The desired outcome of SOC automation is increased efficiency. Automation allows repetitive, time-sensitive, and well-defined tasks to be executed consistently without requiring manual analyst effort every time. Examples include indicator enrichment, alert deduplication, ticket creation, endpoint isolation, user notification, or evidence collection. Automation should reduce workload, improve response speed, and help analysts spend more time on judgment-heavy investigation. Increasing the number of alerts is not desirable; alert volume should be reduced or better prioritized. Increasing MTTR is also undesirable because mean time to respond or recover should decrease as processes mature. Increasing false positives is harmful because it consumes analyst time and can cause alert fatigue. In a mature SOC, automation is often paired with playbooks and SOAR tooling so that repeatable response steps can be executed reliably while still allowing analyst approval for sensitive actions. Reference/topics: Security Operations 6.2, automation and AI; Security Operations 6.6, SOAR and SIEM.
What will secure connections from a company’s remote employees when they want to access sensitive documents at a branch office?
Public FTP servers using RADIUS authentication
VPN clients on compatible devices
Attachments transferred via unsecured email
Websites using steganography
VPN clients on compatible devices secure remote employee connections by creating encrypted tunnels to company resources. This allows employees outside the office to access sensitive documents at a branch office while protecting traffic over untrusted networks such as home internet, public Wi-Fi, or cellular networks. Public FTP is not appropriate for sensitive documents because FTP is traditionally plaintext unless secured by additional protocols, and public exposure increases risk. Unsecured email attachments are unsafe for sensitive data because they can be intercepted, misdirected, or forwarded without control. Steganography hides information inside other files but is not a standard enterprise access method. VPN access should be paired with strong authentication, device compliance checks, least privilege, logging, and segmentation. The encrypted tunnel protects data in transit, while access policy determines which users and devices are allowed to reach the branch resources. Reference/topics: Network Security 3.3, VPNs; Identity Security 7.1.2, MFA.
What is a self-contained operating environment that behaves like a computer separate from the physical host?
WAN accelerator
Virtual Machine (VM)
Hypervisor
Container
A virtual machine is a self-contained operating environment that behaves like a separate computer while running on a physical host. A VM includes its own guest operating system, virtual CPU, memory, storage, and network interfaces. Multiple VMs can run on a single physical server through a hypervisor, which allocates and manages physical resources. A hypervisor enables virtualization, but it is not the guest operating environment itself. A container packages an application and dependencies while sharing the host operating system kernel, making it lighter than a VM. A WAN accelerator improves performance over wide area links and is unrelated to virtualization. VMs are foundational to cloud computing because they allow providers to abstract physical hardware and offer flexible compute resources to customers. Security teams must secure VMs by hardening guest operating systems, patching, controlling access, monitoring activity, and applying cloud network policies. Reference/topics: Cloud Security 5.4, virtualization and virtual machine; Cloud Security 5.2, IaaS.
Which device operates at OSI Layer 2?
Hub
Switch
Router
Modem
A switch operates primarily at OSI Layer 2, the Data Link layer. It forwards Ethernet frames based on MAC addresses and builds a MAC address table to determine which port should receive traffic. This makes switching more efficient than a hub, which operates at Layer 1 and repeats signals without understanding frames. A router operates at Layer 3 by forwarding packets based on IP addresses and routing tables. A modem is generally associated with physical or access-layer signal conversion rather than Layer 2 switching. Layer 2 switching is important for local network communication, VLAN segmentation, and broadcast domain control. Security teams need to understand Layer 2 because attacks such as MAC flooding, VLAN hopping, and ARP spoofing can occur at this level. While switches are not the same as firewalls, proper switch configuration supports network segmentation and reduces unnecessary traffic exposure. Reference/topics: Network Fundamentals 2.7, devices operating Layers 1 through 4; Network Security 3.1, VLANs.
What is a self-sufficient executable package that encompasses all necessary components for running a piece of software including the code, runtime, libraries, and system tools?
Container
Host
Server
Virtual machine (VM)
A container is a self-sufficient executable package that includes application code and the dependencies needed to run consistently across environments. Containers usually package code, runtime, libraries, and system tools, while sharing the underlying host operating system kernel. This makes them lighter and faster to start than virtual machines. A host is the physical or virtual system that runs workloads. A server provides services to clients, but the term does not specifically describe packaged application dependencies. A virtual machine is a full isolated operating environment with its own guest OS, making it heavier than a container. Containers are central to cloud-native application design because they support portability, scalability, microservices, and automated deployment. From a security perspective, containers must be scanned for vulnerabilities, configured securely, run with least privilege, and monitored at runtime. Container security also depends on image integrity, registry controls, orchestration policy, and secrets handling. Reference/topics: Cloud Security 5.4, container and virtual machine; Cloud Security 5.5, CNSP.
What will cause an unusually high number of false positive alerts?
Post-breach recovery plan is well defined.
User privilege is configured to be strict.
Device is unable to receive an IP address.
Traffic match criteria is too generalized.
A false positive occurs when a security tool generates an alert for activity that is actually benign. Overly generalized traffic match criteria can cause a high number of false positives because the detection rule captures too much normal behavior. For example, a rule that flags all encrypted outbound traffic as suspicious would produce excessive alerts because encrypted web traffic is common and expected. Effective detection criteria must be specific enough to identify meaningful risk while broad enough to catch real threats. A well-defined post-breach recovery plan improves response readiness but does not directly create false positives. Strict user privileges may reduce risk and are not a normal cause of noisy alerts. A device failing to receive an IP address is an operational connectivity issue, not a typical false-positive driver. SOC teams manage false positives through tuning, baselining, enrichment, severity adjustment, and better rule logic. Reference/topics: Security Operations 6.4, false positive and false negative alerts; Security Operations 6.2, SOC performance optimization.
What is a purpose of security operations?
Investigating security events
Tracking assets
Installing endpoint security software
Aligning applications to compliance standards
A core purpose of security operations is investigating security events to determine whether they represent real threats, policy violations, or benign activity. Security operations teams monitor alerts, analyze evidence, investigate suspicious behavior, contain incidents, and improve detection and response processes. Asset tracking is important for security and IT operations, but it is not the main purpose described here. Installing endpoint security software is a deployment task usually handled by endpoint, infrastructure, or IT teams, although the SOC may consume the telemetry. Aligning applications to compliance standards is part of governance, risk, and compliance activities. Security operations is the day-to-day defensive function that turns telemetry into decisions and action. It asks: what happened, what is affected, how severe is it, what should be done, and how can recurrence be reduced? Investigation is therefore central to the SOC mission. Reference/topics: Security Operations 6.1, Identify/Detect, Investigate, Mitigate, Improve; Security Operations 6.3, event and alert.
Which cloud computing model is appropriate for a company that requires an isolated environment which meets strict compliance requirements and maintains enhanced security?
Hybrid
Private
Public
Community
A private cloud is appropriate when a company requires an isolated environment, strict compliance support, and enhanced control over security. Private cloud infrastructure is dedicated to a single organization and can be hosted on-premises or by a provider. It allows greater control over data location, access, architecture, and security configuration than a general public cloud model. A hybrid cloud combines private and public resources, but the question emphasizes isolation rather than mixed deployment. A public cloud is shared provider infrastructure used by many customers and may not satisfy isolation requirements without additional controls. A community cloud is shared by organizations with common requirements, but it is not dedicated to one organization. Private cloud does not automatically guarantee security; it still requires strong identity controls, monitoring, patching, segmentation, and governance. Its advantage is control and dedicated use, which can support sensitive or regulated workloads. Reference/topics: Cloud Security 5.1, cloud deployment models; Cloud Security 5.3, shared responsibility.
What are two functions of VPN gateways? (Choose two.)
Certificate refresh
Site-to-Site connectivity
Remote access
URL filtering
VPN gateways commonly provide site-to-site connectivity and remote access. Site-to-site VPN connects networks across encrypted tunnels, such as branch office to headquarters or cloud network to data center. Remote access VPN allows individual users to securely connect to enterprise resources from outside the corporate network. Certificate refresh may support authentication infrastructure in some environments, but it is not a primary VPN gateway function in this question. URL filtering controls web access based on categories or reputation and is a separate network security function. VPN gateways terminate encrypted tunnels, authenticate peers or users, and route protected traffic into the appropriate network. They are important because they allow secure communication over untrusted networks, but they must be configured carefully. Weak authentication, overly broad access, split tunneling misconfiguration, or poor logging can turn VPN access into a major risk path. Reference/topics: Network Security 3.3, VPNs; Network Security 3.4, IKE and tunneling protocols.
Which two sets of actions are examples of multi-factor authentication (MFA)? (Choose two.)
Answering a security question and providing a thumbprint
Entering a PIN and scanning a smart card
Scanning the palm of one hand followed by the other hand
Answering three sequential security questions
Multi-factor authentication requires two or more different categories of authentication factors. The standard categories are something you know, something you have, and something you are. Answering a security question is something you know, while providing a thumbprint is something you are, so answer A is MFA. Entering a PIN is something you know, while scanning a smart card is something you have, so answer B is also MFA. Scanning the palm of one hand followed by the other hand uses the same factor category twice: biometrics, or something you are. That may be stronger biometric checking, but it is not multi-factor. Answering three sequential security questions also repeats the knowledge factor and therefore remains single-factor authentication. MFA improves identity security because stolen passwords alone are less useful to attackers when another independent proof is required. Strong MFA should use phishing-resistant methods where possible. Reference/topics: Identity Security 7.1.2, single-factor and multifactor authentication.
What are two components of a cloud-native security platform (CNSP)? (Choose two.)
Asset inventory
VPN
Endpoint security
Identity and access management (IAM)
A cloud-native security platform commonly includes asset inventory and identity and access management visibility or control. Asset inventory is essential because cloud environments are dynamic: workloads, containers, storage buckets, APIs, and services can appear or change rapidly. Security teams must know what exists before they can protect it. IAM is also critical because cloud access is heavily identity-driven. Overprivileged roles, exposed keys, weak permissions, and unmanaged service accounts can create major risk. A VPN may secure connectivity, but it is not a core CNSP component. Endpoint security protects user devices and hosts, but CNSP focuses on cloud-native assets, configurations, workloads, identities, and runtime risk. CNSP helps secure cloud applications across posture, workload, identity, and runtime layers. In practical terms, it answers questions such as: what cloud assets exist, who can access them, are they misconfigured, and are they behaving safely at runtime? Reference/topics: Cloud Security 5.5, CNSP; Identity Security 7.1, IAM components.
What is the primary responsibility of the cloud provider in the cloud shared responsibility model?
Configuring application-level security settings
Securing underlying physical servers and network infrastructure
Providing end-user training on application usage
Monitoring and managing user access and permissions
In the cloud shared responsibility model, the cloud provider is primarily responsible for the security of the cloud: the physical facilities, host servers, storage hardware, networking equipment, and foundational infrastructure used to deliver services. Therefore, securing underlying physical servers and network infrastructure is the provider responsibility. Customers are responsible for security in the cloud, which includes how they configure services, protect data, manage identities, and secure applications. Application-level settings are usually controlled by the customer or application owner. User access and permissions are identity-layer responsibilities and normally remain with the customer, even if the provider supplies IAM tools. End-user training is an organizational governance responsibility, not a provider obligation. The exact division changes by service model: SaaS shifts more operational responsibility to the provider, while IaaS leaves more configuration and workload security responsibility with the customer. Reference/topics: Cloud Security 5.3, cloud shared responsibility model; Cloud Security 5.2, SaaS, PaaS, IaaS, NaaS.
What is a benefit of SD-WAN versus traditional WANs?
Reliance on multiple different WAN connection types and licenses is removed.
All physical WAN components can be easily removed and replaced without network disruption.
Administrators can deploy WAN connection policies across an entire network at once.
WANs are physically connected and strengthened against electromagnetic interference.
SD-WAN provides centralized, software-defined control over wide area network connectivity. A major benefit is that administrators can create and deploy policies across many sites consistently, rather than manually configuring each traditional WAN device in isolation. SD-WAN can use multiple transport types, such as broadband, LTE, internet, and MPLS, so it does not remove reliance on diverse connection types; it manages them more intelligently. It also does not mean all physical WAN components disappear. Physical links, edge devices, and provider circuits still exist, but the control and policy model becomes more centralized and flexible. Electromagnetic interference is unrelated to the primary value of SD-WAN. SD-WAN is useful because it can steer application traffic based on performance, cost, availability, or security requirements. For security teams, centralized policy helps reduce configuration drift and supports consistent connectivity decisions across branches and cloud environments. Reference/topics: Network Fundamentals 2.1, WAN, LAN, SD-WAN; Network Security 3.3, VPNs and proxies.
Which OSI layer is used to determine how long communications are open between two devices?
Transport
Application
Session
Network
The Session layer of the OSI model manages the establishment, maintenance, and termination of sessions between communicating systems. It is associated with determining how long communications remain open, how sessions are coordinated, and how dialog control is maintained. The Transport layer provides end-to-end delivery functions such as segmentation, reliability, flow control, and port-based communication through protocols such as TCP and UDP. The Application layer supports user-facing network services and application protocols. The Network layer handles logical addressing and routing between networks. Although real-world TCP/IP implementations often combine upper-layer functions, the OSI model separates them conceptually to clarify responsibilities. In security analysis, session understanding matters because attackers may hijack sessions, abuse long-lived sessions, or maintain persistence through ongoing connections. Firewalls, proxies, and identity systems often enforce timeout, reauthentication, and session termination policies to reduce risk. Reference/topics: Network Fundamentals 2.6, OSI and TCP/IP models.
What is the purpose of continuous deployment in the CI/CD lifecycle?
Maintaining a state in which any version of the software can be deployed to a production environment.
Merging code changes into a central repository
Packaging code into a Docker container for deployment
Automatically deploying every change that passes the automated tests to production, minimizing lead time
Continuous deployment is the CI/CD practice in which every code change that successfully passes automated tests and quality gates is automatically released to production. The purpose is to reduce lead time, accelerate delivery, and make deployments smaller, more frequent, and more repeatable. This differs from continuous delivery, where software is kept in a deployable state but production release may still require manual approval. Merging code changes into a central repository is continuous integration. Packaging code into a Docker container may be part of a pipeline, but it is not the defining purpose of continuous deployment. Maintaining a deployable state describes continuous delivery more closely than continuous deployment. From a security perspective, CI/CD must include guardrails such as code scanning, dependency checks, secrets detection, image scanning, and deployment policy enforcement. Rapid deployment without security checks can spread defects quickly, while secure CI/CD improves both speed and control. Reference/topics: Cloud Security 5.6, CI/CD; Identity Security 7.4, secrets management in CI/CD pipelines.
Which security control is best suited to block traffic based on the actual application being used rather than only the port number?
Hub
Next-generation firewall
DHCP server
Layer 2 switch
A next-generation firewall is best suited to block or allow traffic based on the actual application being used rather than only the port number. Traditional firewalls commonly rely on IP addresses, protocols, and ports, which is insufficient when many applications use common ports such as TCP 80 or TCP 443. A next-generation firewall adds application awareness, allowing it to identify traffic based on application behavior and enforce more precise security policy. A hub operates at OSI Layer 1 and simply repeats signals; it cannot inspect applications. A DHCP server assigns IP configuration information to clients and does not enforce application-based security policy. A Layer 2 switch forwards frames based on MAC addresses and does not determine whether a specific application should be allowed. Application-aware policy is important because attackers and risky applications often hide within allowed ports. NGFWs help security teams control traffic according to business intent, application risk, user identity, and threat context. Reference/topics: Network Security, stateful firewalls, next-generation firewalls, application awareness.
In which use case would URL filtering be an appropriate solution?
Redirecting malicious DNS traffic to a sinkhole
Blocking large file transfers over a network
Preventing employees from accessing social media sites during work hours
Encrypting outgoing emails containing confidential information
URL filtering controls access to websites based on URL categories, reputation, policy, or risk. Preventing employees from accessing social media sites during work hours is a direct URL filtering use case because social media domains can be categorized and allowed, blocked, coached, or logged according to organizational policy. Redirecting malicious DNS traffic to a sinkhole is a DNS security function, not URL filtering. Blocking large file transfers is more related to file control, application control, or data loss prevention. Encrypting outgoing emails containing confidential information is a DLP or email security function. URL filtering can also block phishing sites, malware distribution pages, newly registered risky domains, command-and-control URLs, and policy-prohibited categories. Its value is strongest when combined with user identity, application awareness, SSL/TLS inspection where appropriate, and logging. Reference/topics: Network Security 3.3, URL filtering, VPNs, and proxies; Network Security 3.5, DLP.
Batch 6 — Questions 71–85
What are two characteristics of data loss prevention (DLP)? (Choose two.)
Traffic shaping
Key logging
File-level encryption
Content-aware
Data Loss Prevention is designed to protect sensitive information from unauthorized exposure, transfer, or misuse. A strong DLP solution is content-aware, meaning it can inspect data patterns, file contents, classifications, labels, or contextual indicators to determine whether information is sensitive. File-level encryption is also associated with protecting data because it can render files unreadable to unauthorized parties if they are moved, copied, or intercepted. Traffic shaping controls bandwidth or prioritization and is not a core DLP characteristic. Key logging is malicious or invasive capture of keystrokes and is not a legitimate DLP feature. DLP controls may apply to data in motion, data at rest, or data in use. Examples include detecting payment card numbers in outbound email, preventing confidential files from being uploaded to unauthorized cloud services, or encrypting sensitive documents. The goal is to reduce accidental leakage and deliberate exfiltration of protected data. Reference/topics: Network Security 3.5, data loss prevention; Identity Security 7.2, least privilege.
What is responsible for securing web access for managed and unmanaged devices?
IDS
Cloud workload protection (CWP)
Enterprise browser
VLAN
An enterprise browser secures web access by applying organizational security controls directly within the browser experience. This is especially useful for both managed and unmanaged devices because browser-based controls can protect access to SaaS applications, web resources, and sensitive data even when the endpoint is not fully controlled by the organization. Enterprise browsers may enforce policy, isolate risky activity, control downloads and uploads, inspect web sessions, and reduce data leakage. An IDS detects suspicious activity but does not secure browser access. Cloud workload protection protects workloads such as servers, containers, or cloud runtime environments, not user web browsing. VLANs segment network traffic but do not provide browser-level controls for managed and unmanaged devices. As work increasingly happens through web and SaaS applications, securing the browser becomes an important way to control user interaction with enterprise resources. Reference/topics: Network Security 3.6, enterprise browsers; Network Security 3.3, URL filtering and proxies.
What are two areas in which AI can help Security Operations Center (SOC) teams with alerts? (Choose two.)
Vulnerability patching
Alert triage
SOC resource management
Incident response
AI can help SOC teams by improving alert triage and incident response. In alert triage, AI can cluster related alerts, summarize event context, identify likely severity, enrich indicators, and reduce analyst time spent on repetitive review. This helps analysts focus attention on the events most likely to represent real risk. In incident response, AI can support decision-making by summarizing timelines, suggesting next steps, mapping activity to known tactics, or helping execute defined workflows through automation. Vulnerability patching may be prioritized using analytics, but applying patches is not primarily an alert-handling function. SOC resource management may benefit from reporting and forecasting, but it is less directly tied to alert analysis than triage and response. AI is most useful when it augments analysts rather than replaces them: it speeds up repetitive work, improves correlation, and presents context in a usable form. Reference/topics: Security Operations 6.2, automation and AI for SOC performance; Security Operations 6.7, AI as it relates to alert analysis.
Which scenario is an example of east-west traffic?
A virtual machine (VM) communicates with a host on the internet.
A traffic pattern passes through perimeter-focused defense.
A host computer communicates with an infected offsite server.
A host computer communicates with a virtual machine (VM) in the same network.
East-west traffic refers to communication that occurs inside an environment, such as between internal hosts, workloads, virtual machines, or servers. A host computer communicating with a virtual machine in the same network is east-west because the traffic stays internal rather than entering or leaving through a perimeter. This type of traffic is especially important in modern data centers and cloud environments because attackers often move laterally after compromising one system. North-south traffic, by contrast, moves between an internal environment and an external network such as the internet. A VM communicating with a host on the internet is north-south. Traffic passing through perimeter-focused defenses is also typically north-south. A host communicating with an infected offsite server leaves the local environment and is therefore not east-west. Security designs increasingly inspect east-west traffic because perimeter defenses alone cannot stop lateral movement once an internal foothold exists. Reference/topics: Network Fundamentals 2.2, north-south and east-west traffic flow patterns.
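As an added example (not part of the original page), the classification described above can be reduced to a check of whether each side of a flow falls inside the organization's internal address space. The flow records and the internal prefixes are constructed assumptions (RFC 1918 ranges for internal, RFC 5737 documentation ranges for external); the last function shows why east-west visibility matters by flagging an internal host that fans out to many internal peers on one port, the pattern the explanation associates with lateral movement.

```python
import ipaddress
from collections import defaultdict

# Added example: label flows as east-west or north-south and spot internal fan-out.
# INTERNAL and FLOWS are constructed sample data.

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def direction(src: str, dst: str) -> str:
    """east-west: both ends internal; north-south: exactly one end internal."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "east-west"
    if s or d:
        return "north-south"
    return "external"   # neither side is ours (transit traffic a sensor might still see)

# (src, dst, dst_port): constructed flow records, not a capture
FLOWS = [
    ("10.0.1.5", "10.0.2.9", 445),
    ("10.0.1.5", "10.0.2.10", 445),
    ("10.0.1.5", "10.0.2.11", 445),
    ("10.0.1.5", "203.0.113.7", 443),
    ("198.51.100.2", "10.0.0.80", 443),
    ("10.0.3.3", "10.0.0.80", 443),
]

def summarize(flows) -> dict:
    counts = defaultdict(int)
    for src, dst, _port in flows:
        counts[direction(src, dst)] += 1
    return dict(counts)

def lateral_candidates(flows, port: int = 445, min_peers: int = 3) -> list[str]:
    """Internal sources that reach at least min_peers distinct internal hosts on one port.
    A perimeter-only sensor never sees these flows because they never cross the edge."""
    peers = defaultdict(set)
    for src, dst, p in flows:
        if p == port and direction(src, dst) == "east-west":
            peers[src].add(dst)
    return sorted(src for src, dsts in peers.items() if len(dsts) >= min_peers)

if __name__ == "__main__":
    print(summarize(FLOWS))             # {'east-west': 4, 'north-south': 2}
    print(lateral_candidates(FLOWS))    # ['10.0.1.5']
```

The threshold and port are deliberately simple; the takeaway is that the three SMB-port flows from 10.0.1.5 are invisible to a perimeter sensor and only an east-west vantage point (a host agent, a hypervisor tap, or microsegmentation logs) can surface them.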
What is a function of a Network-Based Intrusion Detection System (NIDS)?
Scanning and quarantining infected files on a host machine
Proxying traffic before reaching an internal network
Blocking malicious traffic from entering a network in real time
Monitoring network traffic and reporting results to an administrator
A Network-Based Intrusion Detection System monitors network traffic and reports suspicious findings to administrators or security tools. It observes packets traversing a network segment and compares activity against signatures, patterns, protocol anomalies, or behavior models. Because it is detection-focused, a NIDS typically alerts rather than blocks traffic inline. Scanning and quarantining infected files on a host machine is an endpoint security function. Proxying traffic before it reaches an internal network is a proxy function. Blocking malicious traffic in real time is more closely associated with an IPS or firewall. A NIDS is useful because it can provide visibility across multiple hosts without installing an agent on each one. However, encrypted traffic, high throughput, and east-west blind spots can limit visibility if sensors are not placed correctly. SOC teams use NIDS alerts as evidence during investigation and correlation. Reference/topics: Cybersecurity 1.4, NIDS and other threat detection systems; Security Operations 6.3, alerts and events.
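To show the "observe, compare, report" loop the explanation describes, here is an added toy sensor (not from the page or any IDS product) that runs two kinds of rules over a constructed packet list: a content signature for a policy violation (cleartext HTTP Basic authentication) and a behavioral rule for one source touching many ports in a short window. It only produces alert records; nothing is dropped or blocked, which is the distinction from an IPS the question relies on. The packet records, signature names, and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example: a minimal NIDS-style sensor that alerts and never blocks.
# PACKETS is constructed sample data, not a real capture.

@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    payload: bytes

PACKETS = [
    Packet(0.0, "10.0.1.5", "10.0.0.80", 80,
           b"GET /admin HTTP/1.1\r\nAuthorization: Basic Zm9vOmJhcg==\r\n"),
    Packet(0.1, "10.0.1.5", "10.0.0.80", 80, b"GET / HTTP/1.1\r\n"),
    Packet(1.0, "203.0.113.9", "10.0.0.80", 21, b""),
    Packet(1.2, "203.0.113.9", "10.0.0.80", 22, b""),
    Packet(1.4, "203.0.113.9", "10.0.0.80", 23, b""),
    Packet(1.6, "203.0.113.9", "10.0.0.80", 25, b""),
    Packet(1.8, "203.0.113.9", "10.0.0.80", 80, b""),
    Packet(5.0, "10.0.3.3", "10.0.0.80", 443, b"\x16\x03\x01"),
]

# (name, destination port, byte pattern): signature-style rules
CONTENT_SIGNATURES = [
    ("POLICY cleartext Basic auth over HTTP", 80, b"Authorization: Basic "),
    ("POLICY cleartext telnet login prompt", 23, b"login:"),
]

def content_alerts(packets) -> list[dict]:
    """Signature matching: report every packet whose payload contains a known pattern."""
    alerts = []
    for p in packets:
        for name, port, needle in CONTENT_SIGNATURES:
            if p.dport == port and needle in p.payload:
                alerts.append({"sig": name, "src": p.src, "dst": p.dst, "ts": p.ts})
    return alerts

def scan_alerts(packets, window: float = 2.0, min_ports: int = 5) -> list[dict]:
    """Behavioral rule: one source reaching many distinct ports on one host within a window."""
    alerts = []
    by_pair = defaultdict(list)
    for p in sorted(packets, key=lambda x: x.ts):
        by_pair[(p.src, p.dst)].append(p)
    for (src, dst), pkts in by_pair.items():
        for i, first in enumerate(pkts):
            ports = {q.dport for q in pkts[i:] if q.ts - first.ts <= window}
            if len(ports) >= min_ports:
                alerts.append({"sig": "SCAN many ports in short window", "src": src,
                               "dst": dst, "ts": first.ts, "ports": len(ports)})
                break   # one alert per pair, not one per packet
    return alerts

def run_sensor(packets) -> list[dict]:
    """Detection only: returns alerts for an administrator or SIEM; packets are untouched."""
    return content_alerts(packets) + scan_alerts(packets)

if __name__ == "__main__":
    for a in run_sensor(PACKETS):
        print(a)
```

Two alerts come out: the Basic-auth packet on port 80 and the five-port burst from 203.0.113.9. The TLS packet produces nothing because its payload is encrypted from the first bytes, which is the encrypted-traffic blind spot the explanation mentions.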
TESTED 02 Jul 2026
Copyright © 2014-2026 DumpsTool. All Rights Reserved