Practice Exam ยท Chapters 1โ€“5

Exam: Foundations of Security

Security Controls ยท CIA Triad ยท Non-Repudiation ยท AAA ยท Gap Analysis โ€” 20 scored questions + 2 scenario questions.

Chapters 1โ€“5 Practice Exam
๐Ÿ“ 20 scored questions โฑ๏ธ 25-minute target ๐ŸŽฏ Pass threshold: 80% (16/20)
Time remaining
25:00
Part A โ€” Multiple Choice (Questions 1โ€“20)
Ch 1 ยท Security Controls
Question 1 of 20
An organization deploys firewalls, IDS sensors, and endpoint antivirus across its infrastructure. Which control category do these represent?
โœ… C โ€” Technical controls are technology-based mechanisms: firewalls, IDS, antivirus, encryption. Managerial = policies & risk management. Operational = training & procedures. Physical = locks, cameras, guards.
Ch 1 ยท Security Controls
Question 2 of 20
A company displays a banner reading "Unauthorized access is prohibited and will be prosecuted" on its login page. The attacker can still attempt to log in โ€” the banner does not block them. What type of control is this?
โœ… D โ€” Deterrent. The banner discourages malicious behavior but does not technically prevent it. Key distinction: if the attacker can still proceed, it's a deterrent โ€” not preventive. Preventive controls actually block the action.
Ch 1 ยท Security Controls
Question 3 of 20
After a ransomware attack encrypts production data, the IT team restores from backup. What type of control is the backup restoration process?
โœ… C โ€” Corrective. Corrective controls restore systems to normal after an incident has occurred. Backup restoration is the textbook corrective control example. Preventive = stops the incident before it happens. Compensating = alternative control when primary is not feasible.
Ch 1 ยท Security Controls
Question 4 of 20
A company cannot afford to implement all required PCI-DSS controls for legacy systems. Instead they add additional monitoring and restrict network access to those systems. What type of control strategy is this?
โœ… C โ€” Compensating. When the primary required control is not feasible (often due to cost or legacy constraints), a compensating control provides an alternative means of achieving the same security objective. The additional monitoring + network restriction compensates for the missing primary control.
Ch 2 ยท CIA Triad
Question 5 of 20
An attacker intercepts a wire transfer instruction in transit and changes the destination account number before it reaches the bank. Which CIA principle is MOST directly violated?
โœ… C โ€” Integrity. The data was modified in transit without authorization โ€” the received message no longer accurately reflects what was sent. Integrity = data is exactly what it should be. Hashing or digital signatures would have detected the alteration.
Ch 2 ยท CIA Triad
Question 6 of 20
A DDoS attack takes down an e-commerce website for 4 hours during peak shopping. Which CIA principle is violated?
โœ… C โ€” Availability. A DDoS attack prevents legitimate users from accessing the service โ€” the system is unavailable. No data was read (Confidentiality) or altered (Integrity). Availability controls include redundancy, load balancing, rate limiting, and DDoS scrubbing services.
Ch 2 ยท CIA Triad
Question 7 of 20
An employee emails confidential customer records to their personal Gmail account. Which CIA principle is primarily violated?
โœ… C โ€” Confidentiality. The data was disclosed to an unauthorized recipient (the employee's personal account is outside the organization's authorized environment). Data loss prevention (DLP) is the primary technical control addressing this threat.
Ch 3 ยท Non-Repudiation
Question 8 of 20
Alice wants to digitally sign a contract so Bob can verify it came from her. Which key does Alice use to CREATE the signature?
โœ… C โ€” Alice's private key. Digital signing uses YOUR OWN private key to encrypt the hash. This proves identity โ€” only Alice has her private key, so only she could have produced this signature. Bob verifies with Alice's PUBLIC key (which is freely available). Encrypting with Bob's public key (B) is for confidentiality โ€” a different operation.
Ch 3 ยท Non-Repudiation
Question 9 of 20
A contract dispute arises: the vendor claims they never agreed to a discount that was in the signed purchase order. The purchase order was digitally signed. What property prevents the vendor from successfully denying they signed it?
โœ… D โ€” Non-repudiation. Digital signatures provide non-repudiation โ€” the mathematical proof that the holder of a specific private key signed the document. The vendor cannot deny signing because only their private key could have produced the verifiable signature. This is also why private key security is critical โ€” if someone else used your key, YOU may be held responsible.
Ch 3 ยท Non-Repudiation
Question 10 of 20
What does hashing a document ALONE prove โ€” without a digital signature?
โœ… B โ€” Integrity only. A hash proves the document hasn't changed since the hash was computed (the fingerprint matches). It does NOT prove who created it โ€” anyone can compute a hash. For both integrity AND authentication (authorship), you need a digital signature (hash + private key encryption).
Ch 4 ยท AAA
Question 11 of 20
A VPN concentrator challenges a user's credentials and passes them to a central RADIUS server for verification. The RADIUS server responds with "Access-Accept" and a list of authorized VLANs. Which AAA steps are occurring?
โœ… B โ€” Authentication and Authorization. Authentication: verifying credentials (Access-Accept/Reject). Authorization: the returned VLAN list defines what the user is permitted to access. Accounting (logging session duration, bytes transferred) would require a separate Accounting-Request/Response exchange โ€” not described in this scenario.
Ch 4 ยท AAA
Question 12 of 20
An administrator enters their username at a login prompt. Which stage of the AAA process is this?
โœ… B โ€” Identification. Entering a username is the claim of identity โ€” "I am this person." Authentication is the PROOF of that claim โ€” providing the password, token, or biometric. The distinction matters: identification says who you claim to be; authentication verifies that claim.
Ch 4 ยท AAA
Question 13 of 20
A company wants to ensure it can audit which administrator made which configuration change, on which device, at what time. Which AAA component specifically supports this requirement?
โœ… C โ€” Accounting. Accounting (also called auditing) tracks who did what, where, when โ€” session start/end, commands issued, resources accessed. TACACS+ supports per-command accounting, making it common in network device management environments where granular command-level auditing is required.
Ch 4 ยท AAA
Question 14 of 20
An organization needs to authenticate 2,000 remote employees through a VPN. Requiring a password only is insufficient. Which factor type should be added to create two-factor authentication?
โœ… B โ€” TOTP (something you have). Two-factor authentication requires two DIFFERENT factor categories. A password is "something you know." A TOTP from an authenticator app is "something you have" (your phone/device). A second password (A) and a security question (C) are both "something you know" โ€” only one factor category, not true 2FA.
Ch 5 ยท Gap Analysis
Question 15 of 20
What is the primary output of a gap analysis?
โœ… B. A gap analysis compares where you ARE (current state) against where you need to BE (desired/target state defined by a framework or regulation). The output is the identified gaps PLUS a prioritized remediation roadmap. Knowing gaps without a plan to close them is incomplete.
Ch 5 ยท Gap Analysis
Question 16 of 20
A defense contractor must comply with NIST 800-171 to protect Controlled Unclassified Information (CUI). They conduct a gap analysis using this framework as the baseline. Before starting the analysis, what must be established first?
โœ… B โ€” The target state. Without defining where you need to be, you cannot identify gaps. The framework (NIST 800-171 in this case) defines the target state โ€” every control requirement in the framework is a potential gap if not currently satisfied. The current state inventory comes next; then the comparison reveals the gaps.
Ch 5 ยท Gap Analysis
Question 17 of 20
In a gap analysis traffic light report, a cell is marked RED. What does this indicate?
โœ… C โ€” RED = missing or critically deficient. Traffic light reporting: GREEN = compliant/implemented. YELLOW/AMBER = partially implemented. RED = missing or significantly deficient. RED items typically receive priority in the remediation roadmap โ€” they represent the most significant compliance and risk exposure.
Ch 1 ยท Security Controls
Question 18 of 20
Security policies, risk assessments, and business impact analyses are examples of which control category?
โœ… D โ€” Managerial. Managerial (administrative) controls are governance-focused: policies, risk assessments, security planning, BIAs. They define the framework within which all other controls operate. Technical = technology. Physical = tangible barriers. Operational = day-to-day procedures (training, change management).
Ch 2 ยท CIA Triad
Question 19 of 20
Which control mechanism primarily protects INTEGRITY of data in a database?
โœ… B โ€” Hashing with checksums. Hashing verifies that data hasn't been altered โ€” comparing the stored hash to the current hash detects unauthorized modification. Encryption (A) provides confidentiality. Backups (C) support availability and recovery. RAID (D) supports availability through redundancy.
Ch 4 ยท AAA
Question 20 of 20
A network administrator protocol for device management needs to encrypt the entire authentication payload AND individually authorize each command issued. Which protocol is specifically designed for this?
โœ… D โ€” TACACS+. TACACS+ encrypts the entire packet body (vs. RADIUS which only encrypts the password field) and separates authentication, authorization, and accounting into distinct exchanges โ€” allowing per-command authorization. RADIUS is optimized for network access (VPN, Wi-Fi). TACACS+ is optimized for device management (routers, switches, firewalls).
Part B โ€” Scenario Questions (unscored โ€” self-assess)
Ch 1โ€“2 ยท Scenario
Scenario Question A
A hospital network has only ONE control protecting patient records: a perimeter firewall. There is no MFA, no encryption at rest, no monitoring, and no backup validation. Describe the defense-in-depth principle and identify at least four additional controls the hospital should add, spanning at least three different CIA principles.
Defense in depth = layering multiple independent controls so that the failure of any single control does not result in a total compromise. No single control is relied upon exclusively.

Additional controls to add:

Confidentiality:
โ€ข Full-disk encryption on all servers and laptops (BitLocker/FileVault) โ€” protects against physical theft
โ€ข Database column-level encryption for SSNs, diagnoses โ€” limits exposure even in an application breach
โ€ข TLS on all internal communication โ€” protects data in transit

Integrity:
โ€ข File integrity monitoring on EHR system files โ€” detects unauthorized modification
โ€ข Digital signatures on external documents โ€” non-repudiation for patient consents
โ€ข Database audit logging โ€” who changed what, when

Availability:
โ€ข Redundant servers and failover โ€” prevents single-server outage from taking down patient care
โ€ข Verified backup and restore procedures โ€” ransomware recovery
โ€ข DDoS protection for internet-facing services

Authentication/Access:
โ€ข MFA for all staff โ€” prevents credential theft from being sufficient for access
โ€ข Role-based access control โ€” nurses see patient data; billing sees billing; separation of duties
โ€ข Network segmentation โ€” clinical systems isolated from guest Wi-Fi and administrative networks
Ch 3โ€“5 ยท Scenario
Scenario Question B
A financial firm is beginning NIST 800-53 compliance for a government contract. The security manager says: "We'll just document what we're doing and say we're compliant โ€” the auditors won't check." Evaluate this approach using what you know about gap analysis, non-repudiation, and accountability. What are the specific risks?
This approach is both ineffective and legally dangerous.

Gap analysis failure: A proper gap analysis compares actual implemented controls against the NIST 800-53 control requirements. Simply documenting what exists as "compliant" without measuring against the target standard produces a gap analysis with no gaps โ€” a document that doesn't reflect reality. When auditors test the controls (not just read documentation), the gaps become apparent and the false documentation becomes evidence of fraud.

Non-repudiation risk: The security manager who signs compliance attestations creates a legally binding record โ€” a document that, once signed, they cannot deny having created or approved. Digital signing of compliance reports creates non-repudiation. If false statements are made in signed federal compliance submissions, the responsible party faces personal legal liability under FedRAMP, FCA (False Claims Act), or similar statutes.

Accounting/Audit risk: Federal contracts under NIST 800-53 typically require third-party assessment organizations (3PAOs) who test controls operationally โ€” not just review documentation. Log analysis, penetration testing, and interviews reveal gaps that documentation cannot hide.

Actual risk to the firm: Contract loss, debarment from future federal contracts, civil/criminal liability for false claims, reputational damage, and personal consequences for signatories.
Next Exam: Ch 6โ€“11 โ†’
โ€”
Pass threshold: 80% (16 / 20 correct)
Next Exam โ†’