SPRING 2026
Revision Questions
1. Which statements correctly describe endpoint protection and malware defense?
A. Antimalware tools help detect, block, and quarantine malicious files and processes.
B. Host-based intrusion prevention can stop or limit suspicious activity on a device.
C. Regular patching reduces exposure to known vulnerabilities exploited by malware.
D. Disabling all logs improves endpoint security by reducing storage use.
E. Application allowlisting can reduce unauthorized code execution.
2. Which are common indicators of compromise (IoCs) on an endpoint?
A. Unexpected outbound network connections to unknown hosts.
B. Unexplained creation of new privileged accounts.
C. High CPU or disk activity with no known legitimate cause.
D. A clearly documented approved software update completed by IT.
E. Security tools being disabled without authorization.
3. Which statements about file integrity verification using hashes are correct?
A. A hash value can help determine whether a file has been altered.
B. Two identical files should produce the same hash under the same algorithm.
C. Hashing provides confidentiality by hiding the original content.
D. Comparing a current hash to a trusted baseline supports integrity checking.
E. Hashing is useful in evidence handling and malware analysis workflows.
4. Which statements correctly describe the CIA triad in relation to data protection?
A. Encryption primarily supports confidentiality of data.
B. Hashes and digital signatures can support integrity verification.
C. Backups and redundancy can support availability.
D. Availability means data should be public to everyone.
E. Least privilege can help protect confidentiality and integrity.
5. Which are examples of cybersecurity countermeasures?
A. Preventive controls such as MFA and system hardening.
B. Detective controls such as logging and alerting.
C. Corrective controls such as recovery from backups.
D. Administrative controls such as policies and awareness training.
E. Sharing administrator accounts among many users.
6. Which statements about cybersecurity operations management are correct?
A. Continuous monitoring helps organizations detect threats earlier.
B. Security operations rely on logs, alerts, and documented processes.
C. Policies and standards help guide consistent defensive actions.
D. Operations management means incidents should always be handled informally.
E. Prioritization is needed because not every alert has the same risk.
7. Which are valid examples of security policies, regulations, or standards in an organization?
A. Password and authentication policy.
B. Acceptable use policy.
C. Incident response procedure.
D. A random personal preference with no security relevance.
E. Data handling standard for sensitive information.
8. Which measures are examples of system and network hardening?
A. Disabling unnecessary services and ports.
B. Applying secure configuration baselines.
C. Segmenting networks to reduce lateral movement.
D. Leaving default accounts and passwords enabled.
E. Updating firmware and software to supported versions.
9. Which statements about secure wireless hardening are correct?
A. Using WPA2/WPA3 with strong credentials improves wireless security.
B. Separating guest traffic from internal resources reduces risk.
C. Disabling WPS when not needed is a useful hardening step.
D. Open authentication is best for internal corporate networks.
E. Keeping access point firmware updated helps address vulnerabilities.
10. Which statements correctly describe access control?
A. Authentication verifies identity.
B. Authorization determines permitted actions after login.
C. Accounting records actions for audit and review.
D. Access control only applies to physical buildings, not systems.
E. Role-based access control can simplify permission management.
11. Which are sound account management practices?
A. Disabling unused and dormant accounts.
B. Reviewing privileges regularly.
C. Using shared administrator accounts for convenience.
D. Applying least privilege.
E. Removing access promptly when roles change.
12. Which statements about AAA services are correct?
A. RADIUS and TACACS+ can provide centralized authentication services.
B. Centralized AAA can improve consistency and auditing.
C. AAA eliminates the need for authorization policies.
D. Accounting logs can support investigations and compliance.
E. Server-based authentication can be preferable to purely local authentication in larger environments.
13. Which statements about IPv4 ACLs are correct?
A. Standard ACLs filter mainly on source IPv4 addresses.
B. Extended ACLs can filter by protocol, source, destination, and ports.
C. ACLs are used to permit or deny traffic based on rules.
D. ACL rule order does not matter.
E. An implicit deny exists at the end unless traffic is explicitly permitted.
14. Which are good practices when implementing ACLs?
A. Test ACL effects after deployment.
B. Document the purpose of each rule.
C. Place extended ACLs close to the source where appropriate.
D. Use overly broad permits such as any-any without justification.
E. Review rules to remove obsolete entries.
15. Which statements about IPv6 ACLs are correct?
A. IPv6 ACLs can be used to filter IPv6 traffic.
B. IPv6 ACLs are configured differently from IPv4 ACLs in syntax and application details.
C. IPv6 networks never require filtering because IPv6 is secure by default.
D. ACLs can help mitigate unwanted access and some network attacks.
E. Verification is necessary after applying IPv6 ACL rules.
16. Which statements correctly describe firewalls?
A. Firewalls enforce traffic control policies between network zones.
B. Firewall placement affects how well a network is protected.
C. Firewalls can be part of defense-in-depth.
D. A firewall alone guarantees complete security.
E. Stateful inspection can improve traffic filtering decisions.
17. Which are design considerations for firewall technologies?
A. Identifying trust boundaries and security zones.
B. Allowing required business traffic while blocking unnecessary traffic.
C. Planning rule management and change control.
D. Ignoring performance and availability requirements.
E. Considering logging and monitoring needs.
18. Which statements about zone-based policy firewalls (ZPF) are correct?
A. ZPF policies are based on traffic moving between defined zones.
B. Traffic between zones can be inspected according to configured policies.
C. Interfaces are assigned to zones in a ZPF design.
D. ZPF removes the need for ACLs, logging, or any other controls.
E. Misconfiguration of zones or policies can interrupt legitimate traffic.
19. Which are important cloud security considerations?
A. Protecting cloud data with proper access controls and encryption.
B. Understanding shared responsibility between provider and customer.
C. Securing virtual machines and cloud workloads.
D. Assuming cloud services automatically meet all compliance needs without review.
E. Monitoring configurations and exposure of internet-facing services.
20. Which statements about cryptography are correct?
A. Encryption helps protect confidentiality.
B. Hashing supports integrity checking.
C. Digital signatures can support authenticity and non-repudiation goals.
D. Plaintext storage of sensitive passwords is a best practice.
E. PKI helps manage digital certificates and trust relationships.
21. Which are appropriate uses of hashing in cybersecurity?
A. Verifying file integrity.
B. Supporting password storage when combined with appropriate salting and secure algorithms.
C. Generating a fixed-length digest from input data.
D. Reversibly decrypting files back to their original plaintext.
E. Supporting evidence verification in investigations.
22. Which statements about security monitoring and alerts are correct?
A. Logs from hosts and networks support detection and investigation.
B. Not every alert is equally severe or credible.
C. Alert triage helps prioritize response efforts.
D. Monitoring should stop once baseline controls are deployed.
E. Correlating events from multiple sources can improve analysis.
23. Which are common sources of security data for monitoring?
A. Firewall and IDS/IPS logs.
B. Endpoint protection alerts.
C. Authentication and access logs.
D. Packet captures and network flow records.
E. A user’s lunch menu unless it is part of a relevant case file.
24. Which statements about governance, risk, and compliance (GRC) are correct?
A. Risk assessment considers likelihood and impact.
B. Policies and standards support governance.
C. Compliance requirements may come from laws, regulations, or contracts.
D. Risk can always be eliminated completely.
E. Controls may be selected based on assessment results.
25. Which are valid examples of risk treatment options?
A. Mitigate the risk with controls.
B. Transfer some risk through contracts or insurance.
C. Accept the risk when justified and approved.
D. Avoid the risky activity entirely in some cases.
E. Ignore the risk without review or documentation.
26. Which statements correctly describe vulnerability assessment?
A. It identifies weaknesses that may require remediation.
B. Findings should be prioritized based on severity and context.
C. Vulnerability assessment is the same as active exploitation in all cases.
D. Results can inform patching and control selection.
E. False positives may need validation.
27. Which actions are appropriate when interpreting vulnerability scan results?
A. Validate critical findings before major remediation decisions.
B. Consider asset value and exposure when prioritizing.
C. Document remediation status and ownership.
D. Assume every finding is equally urgent.
E. Track exceptions and compensating controls where necessary.
28. Which statements about incident response are correct?
A. Preparation is an important phase of incident response.
B. Containment aims to limit the spread or impact of an incident.
C. Eradication addresses root causes such as malware or persistence mechanisms.
D. Recovery includes restoring systems and monitoring for recurrence.
E. Incident response ends once a single alert is received, with no need for documentation.
29. Which are examples of good evidence-handling practices in basic forensics?
A. Documenting who collected the evidence and when.
B. Preserving integrity through hashing where appropriate.
C. Maintaining chain-of-custody records.
D. Changing files on a suspect system without recording actions taken.
E. Limiting unnecessary access to evidence.
30. Which statements about alert triage are correct?
A. Triage helps distinguish false positives from genuine incidents.
B. Context such as asset criticality influences prioritization.
C. Multiple low-level alerts may indicate a larger pattern when correlated.
D. Every alert should always be treated as a full-scale breach immediately.
E. Playbooks can support consistent triage decisions.
31. Which are examples of documents or artifacts commonly used in cybersecurity governance and operations?
A. Security policy.
B. Incident response playbook.
C. Risk register.
D. Access control matrix.
E. An undocumented verbal rumor used as the only control reference.
32. Which statements about defense-in-depth are correct?
A. It uses multiple layers of controls rather than relying on one safeguard.
B. It can combine technical, administrative, and physical controls.
C. It remains relevant for endpoints, networks, cloud, and users.
D. It means a single firewall is sufficient for all situations.
E. Layered monitoring and prevention can improve resilience.
33. Which are examples of endpoint security measures appropriate for user devices?
A. Endpoint protection software.
B. Patch and update management.
C. Least privilege user accounts.
D. Disabling screen locks on portable devices.
E. Application control or allowlisting.
34. Which statements about malware investigation are correct?
A. Investigators may review indicators such as file hashes, processes, registry or startup entries, and connections.
B. Baseline behavior helps analysts identify suspicious deviations.
C. Evidence should be documented carefully during analysis.
D. Analysts should ignore timestamps because they are never useful.
E. Containment decisions may depend on the host’s business criticality.
35. Which actions help secure access to systems and services?
A. Using MFA where feasible.
B. Reviewing and removing excessive privileges.
C. Enforcing strong password policies.
D. Reusing one administrator password across all devices.
E. Logging privileged activity.
36. Which statements about hardening checklists are correct?
A. Checklists help standardize baseline security configurations.
B. They can support audits and repeatable deployment.
C. They should be reviewed and updated over time.
D. They are unnecessary once a system is installed the first time.
E. They can reduce configuration drift across similar systems.
37. Which are examples of security monitoring use cases in an organization?
A. Detecting repeated failed login attempts.
B. Identifying unusual outbound traffic from a host.
C. Flagging unauthorized configuration changes.
D. Suppressing all alerts permanently to reduce analyst workload.
E. Recognizing malware detections across multiple endpoints.
38. Which statements correctly connect policy, controls, and incident response?
A. Policies define expectations and responsibilities.
B. Controls implement or enforce security requirements.
C. Incident response procedures guide action when controls fail or alerts occur.
D. Policies remove the need for technical controls.
E. Lessons learned after incidents can improve future policy and controls.
39. Which actions are appropriate during the initial response to a suspicious security alert?
A. Validate the alert using available logs and context.
B. Contain affected systems or accounts when risk justifies it.
C. Document actions taken, times, and observations.
D. Delete related logs immediately to avoid storing too much data.
E. Escalate according to the incident response procedure or playbook.
40. Which statements about combining ACLs, firewalls, and monitoring are correct?
A. ACLs can filter specific traffic based on defined criteria.
B. Firewalls can enforce broader policy between trust zones and may inspect state.
C. Logs from ACL hits and firewall events can support troubleshooting and incident analysis.
D. Once ACLs are configured, monitoring is no longer needed.
E. Layering these controls can improve overall network defense.
1. An organization has discovered several endpoints with suspicious outbound traffic and disabled antivirus services. Develop an endpoint protection and investigation plan showing how you would identify indicators of compromise, verify file integrity, contain the threat, and restore secure operations. (5 marks)
2. A university department is reviewing its security governance posture. Explain how policies, standards, risk assessment, and compliance requirements should work together to guide technical controls and security operations. (5 marks)