Practice Exam ยท Chapters 19โ€“25

Exam: Threats & Social Engineering

Threat Actors ยท Social Engineering ยท Threat Vectors ยท Phishing ยท Impersonation ยท Watering Hole ยท Other Social Attacks โ€” 20 scored questions + 2 scenario questions.

Chapters 19โ€“25 Practice Exam
๐Ÿ“ 20 scored questions โฑ๏ธ 25-minute target ๐ŸŽฏ Pass threshold: 80% (16/20)
Time remaining
25:00
Part A โ€” Multiple Choice (Questions 1โ€“20)
Ch 19 ยท Threat Actors
Question 1 of 20
A threat intelligence team attributes a series of intrusions to a group that has maintained undetected access to a defense contractor's network for 14 months, exfiltrating engineering documents. The group uses custom-built malware and appears to operate during business hours in a specific time zone aligned with a foreign government. Which threat actor category BEST describes this group?
โœ… B โ€” Nation-state APT. The defining markers are all present: 14-month dwell time (APT = Advanced Persistent Threat), custom malware (high sophistication requiring significant resources), targeting of national-security-relevant intellectual property (espionage motivation), and business-hours operation in a foreign time zone (state-employed actors). Hacktivists (A) are motivated by ideology and prefer visible disruption, not quiet 14-month espionage. Organized crime (C) monetizes data quickly; this pattern indicates intelligence gathering. Unskilled attackers (D) lack the capability to develop custom malware or maintain undetected long-term access.
Ch 19 ยท Threat Actors
Question 2 of 20
A long-tenured IT administrator, frustrated after being passed over for promotion, begins copying proprietary source code to personal cloud storage over several weeks. Meanwhile, a junior developer accidentally emails a spreadsheet containing customer PII to the wrong recipient. Which classification correctly describes each actor?
โœ… B. The critical distinction is intent. The administrator deliberately and repeatedly exfiltrates proprietary data โ€” this is a malicious insider acting with intent to harm or benefit from the organization's assets. The developer made an error with no intent to cause harm โ€” this is a negligent insider, also called an accidental insider. Both represent serious data loss incidents, but the risk profile, detection approach, and organizational response differ significantly. Negligent incidents are addressed through training and process controls; malicious insider incidents require investigation, legal action, and behavioral monitoring programs.
Ch 19 ยท Threat Actors
Question 3 of 20
During a red team engagement, analysts observe that after initial compromise the attacker uses only built-in Windows tools โ€” PowerShell, WMI, PsExec, and certutil โ€” to move laterally and exfiltrate data, with no custom malware deployed. What technique does this describe, and why do sophisticated attackers prefer it?
โœ… B โ€” Living Off the Land (LOTL). LOTL attacks use the tools already present on the system โ€” PowerShell, WMI, certutil, PsExec are all legitimate Windows administration tools. Antivirus and EDR products that rely on signature matching look for known-malicious binaries. When the attacker uses only trusted Windows components, those signatures don't trigger. The attacker's activity blends in with legitimate administrative traffic. This is why endpoint detection increasingly uses behavioral analytics rather than purely signature-based detection โ€” to catch LOTL attacks by identifying patterns of tool use (e.g., PowerShell downloading encoded scripts to unusual locations) rather than specific file hashes.
Ch 20 ยท Social Engineering
Question 4 of 20
An attacker calls an employee claiming to be the CIO and says: "We have a critical board meeting in 20 minutes and I need you to process an emergency wire transfer of $180,000 right now. Legal has already approved it but they're unreachable โ€” I need you to act immediately or we'll lose the contract." Which two social engineering psychological principles is the attacker primarily exploiting?
โœ… B โ€” Authority and Urgency. Authority: the attacker impersonates the CIO โ€” a figure with organizational power the employee is conditioned to obey. Employees are reluctant to challenge or verify requests from senior leadership. Urgency: "20 minutes" and "right now" create artificial time pressure that prevents the target from following verification procedures (calling back on a known number, checking with colleagues). The "legal has already approved it" adds a false consensus element, but authority + urgency are the primary drivers. This is a classic Business Email Compromise (BEC) / vishing pattern. The defense: establish out-of-band verification procedures for all financial transactions regardless of who requests them.
Ch 20 ยท Social Engineering
Question 5 of 20
A social engineering auditor tests physical security by standing outside a secure door while holding two large boxes of supplies. When an authorized employee badged in and held the door open out of politeness, the auditor walked in. What technique did the auditor use, and what defense specifically addresses it?
โœ… C โ€” Tailgating / Piggybacking. Tailgating exploits politeness and social norms โ€” people instinctively hold doors for those carrying items or appearing to belong. The authorized employee did nothing wrong by their normal social instincts; the attack exploits those instincts. The boxes are a classic prop โ€” they make the attacker look like a delivery person and provide a justification the target feels awkward challenging. Defenses: (1) Mantrap / airlock โ€” requires each person to badge independently; physically prevents following. (2) Security awareness training โ€” explicitly telling employees it is expected and required to challenge unknown individuals, even those with their hands full. The norm must be: politeness does not override access control.
Ch 20 ยท Social Engineering
Question 6 of 20
An attacker spends three weeks monitoring a company's email traffic after compromising a mailbox, learning the names, relationships, writing styles, and ongoing projects of key personnel. They then craft a perfectly contextual request to accounts payable, appearing to come from the CFO, redirecting vendor payments to an attacker-controlled account. What attack is this, and what makes it distinct from generic phishing?
โœ… B โ€” Business Email Compromise (BEC). BEC is distinguished by the attacker's investment in reconnaissance before the attack. The 3-week email monitoring period is specifically to learn enough about the organization's internal communication patterns to craft an indistinguishable message. Generic phishing sends millions of identical messages and relies on volume. BEC sends one or a few highly customized messages to specific targets whose roles make them capable of executing financial transactions. BEC is the costliest social engineering attack type โ€” the FBI's Internet Crime Report consistently lists BEC as the highest-dollar cybercrime category, with losses exceeding $2.7 billion in a single year.
Ch 21 ยท Threat Vectors
Question 7 of 20
An attacker leaves several USB drives in the parking lot of a target organization. The drives contain a file named "Q3_Salary_Review.xlsx" which, when opened, executes a macro that installs a backdoor. Which threat vector is being exploited, and which human behavior does it depend on?
โœ… B โ€” Removable media / USB drop attack. The USB drop is a purely physical threat vector โ€” malware delivery through a physical medium left in a public area rather than sent over a network. It exploits curiosity (what's on this?) and the lure file name "Q3_Salary_Review.xlsx" triggers additional motivation (financial interest affects everyone). Studies have shown that 45โ€“90% of found USB drives are plugged in. The defense: disable AutoRun/AutoPlay on all endpoints; configure Group Policy to prevent unauthorized USB devices; train employees to report found drives to IT rather than plugging them in; use endpoint security that detects macro execution from removable media.
Ch 21 ยท Threat Vectors
Question 8 of 20
An attacker compromises a managed service provider (MSP) that administers networks for 200 small businesses. Through the MSP's remote management tools, the attacker deploys malware across all 200 client environments simultaneously. Why is an MSP an especially high-value supply chain target?
โœ… B. An MSP is a force multiplier for an attacker. MSPs maintain privileged remote access (RMM tools, domain admin credentials, VPN tunnels) to all their clients simultaneously. These connections are trusted โ€” client security controls are often configured to whitelist MSP traffic. Compromising one organization (the MSP) instantly provides authenticated, privileged access to all 200 clients with no need to phish, exploit, or authenticate into each one individually. This is the island-hopping / supply chain attack model: attack the trusted intermediary to reach all its downstream clients. This is why vendor risk management and MSP security standards are critical components of organizational security programs.
Ch 21 ยท Threat Vectors
Question 9 of 20
A penetration tester scans an organization's network and discovers an IP camera accessible from the internet with the login credentials admin/admin. The camera has never been configured beyond factory defaults. What threat vector does this represent, and what single action would eliminate this specific vulnerability?
โœ… B โ€” Default credentials. Factory default credentials (admin/admin, admin/password, root/root) are published publicly for all devices. Tools like Shodan scan the internet for devices accepting known default credentials. This is one of the most preventable attack vectors โ€” it requires no exploitation skill, just looking up the model's default password. The fix is a single configuration change: change the default credentials during initial deployment. Organizations should include "change all default credentials" as a mandatory step in every device provisioning checklist. Shodan searches reveal millions of internet-exposed devices still running factory defaults.
Ch 22 ยท Phishing
Question 10 of 20
A security engineer configures three email authentication records for a domain: (1) an SPF record listing authorized mail servers, (2) DKIM keys added to DNS for cryptographic signing, and (3) a DMARC policy set to "reject." How does DMARC use SPF and DKIM, and what does the "reject" policy enforce?
โœ… B. SPF publishes which servers may send email from the domain. DKIM cryptographically signs outbound messages so recipients can verify authenticity. DMARC is the policy layer: it tells receiving mail servers what to DO when SPF and/or DKIM fail, and it requires alignment (the From: domain must match the authenticated domain). "p=reject" is the strongest DMARC policy โ€” receiving servers must discard non-authenticating messages claiming to be from your domain. This makes it nearly impossible to spoof your domain in email. The three work together: SPF and DKIM are the verification mechanisms; DMARC is the enforcement policy that acts on their results.
Ch 22 ยท Phishing
Question 11 of 20
An attacker sends a carefully crafted phishing email to the CEO of a Fortune 500 company, referencing the CEO's recent keynote speech, the company's latest acquisition deal, and the CEO's executive assistant by name, in an attempt to steal wire transfer authorization credentials. What is this attack called, and what distinguishes it from standard spear phishing?
โœ… B โ€” Whaling. All phishing that is personally targeted is spear phishing. Whaling is a specific subset of spear phishing where the target is a senior executive (C-suite: CEO, CFO, CTO, COO). The distinction matters because: (1) executives have authority to authorize transactions and access that regular employees don't, making them higher-value targets; (2) executives are often less subject to standard security procedures (they can override approval workflows); (3) the potential financial impact of a successful whaling attack is much higher. The level of personal detail in the attack (keynote reference, acquisition deal, assistant's name) confirms the attacker invested significant OSINT research โ€” characteristic of whaling against a high-value executive target.
Ch 22 ยท Phishing
Question 12 of 20
Users at an organization begin reporting that when they type their bank's legitimate URL directly into their browser (not from a link), they are redirected to a convincing fake banking site that harvests their credentials. No phishing email was involved. What attack type is this, and what has likely been compromised?
โœ… C โ€” Pharming. The key distinguishing fact is that users typed the legitimate URL directly โ€” no phishing link was involved. Despite entering the correct address, they land on a malicious site. This is only possible if the DNS resolution process has been corrupted: the domain name resolves to the wrong IP address. Attack vectors: (1) poisoned local hosts file (malware modified C:\Windows\System32\drivers\etc\hosts), (2) DNS cache poisoning of the organization's recursive resolver, or (3) compromise of the DNS server itself. Pharming is more dangerous than phishing because even security-aware users who never click links are vulnerable โ€” their correct behavior (typing URLs manually) does not protect them.
Ch 23 ยท Impersonation
Question 13 of 20
An attacker on the same network as a target injects forged ARP responses, associating their own MAC address with the IP address of the default gateway. All traffic from the target machine destined for the internet now flows through the attacker's machine first. What attack is this, and what network-level control prevents it?
โœ… C โ€” ARP Spoofing, prevented by Dynamic ARP Inspection (DAI). ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network. It has no authentication โ€” any machine can claim any IP. An attacker who broadcasts "I am 192.168.1.1 (the gateway), my MAC is AA:BB:CC:DD:EE:FF" poisons the ARP caches of all hosts on the segment. All their traffic is then forwarded to the attacker (man-in-the-middle). Dynamic ARP Inspection (DAI) is a switch-level control that validates ARP responses against a trusted DHCP snooping binding table โ€” if an ARP response claims a MAC/IP binding not in the table, DAI drops it. This prevents ARP poisoning at the network infrastructure level.
Ch 23 ยท Impersonation
Question 14 of 20
An attacker calls a mobile carrier's customer support, impersonates a victim using OSINT-gathered personal information (name, address, last 4 of SSN found in data breaches), and convinces the representative to transfer the victim's phone number to a SIM card the attacker controls. What attack is this, and which authentication method does it compromise?
โœ… B โ€” SIM Swapping. SIM swapping is a social engineering attack against the mobile carrier, not the victim directly. Once successful, the attacker receives all calls and SMS messages to the victim's number โ€” including SMS-based two-factor authentication codes. This is why SMS MFA is considered the weakest form of MFA and why phishing-resistant MFA (hardware tokens, FIDO2 passkeys) is recommended for high-value accounts. High-profile SIM swap victims have included Twitter CEO Jack Dorsey and numerous cryptocurrency holders who lost funds when attackers swapped their SIM to intercept 2FA codes and take over exchange accounts.
Ch 23 ยท Impersonation
Question 15 of 20
A finance employee receives a video call from what appears to be their company's CFO and three other executives, all of whom instruct her to transfer $25 million to a new vendor account. The call is convincing โ€” she recognizes the faces and voices. She makes the transfer. Later, she learns the CFO and executives were all AI-generated deepfakes in real time. What is the primary defense an organization should implement to prevent this attack?
โœ… B โ€” Out-of-band verification. The employee verified identity using the same channel as the request (the video call itself). A deepfake can perfectly spoof that channel. Out-of-band verification uses a completely separate, pre-established channel to confirm the request โ€” calling the CFO's known mobile number, or using a pre-shared code word. This attack cannot be defeated by technology alone (deepfake detection improves but so do deepfakes), and email (D) is also spoofable. The defense is procedural: no financial transaction above a defined threshold is executed based solely on any single communication channel, regardless of how convincing the identity appears. This is the same principle as dual authorization for large transactions.
Ch 24 ยท Watering Hole
Question 16 of 20
A threat actor targeting aerospace companies compromises an industry-specific job board and conference website frequently visited by aerospace engineers. They inject a browser exploit into the site. When engineers visit the legitimate site during their normal workflow, the exploit silently installs a backdoor. No phishing email was sent. What attack type is this, and why is it effective against security-aware targets?
โœ… B โ€” Watering Hole Attack. Named after the predator tactic of waiting at a watering hole for prey to come to you rather than hunting them. The attacker doesn't send anything to the targets โ€” the targets come to the compromised site themselves, as part of normal behavior they trust and repeat. This is what makes it effective against security-aware users: they didn't click a suspicious link, didn't receive a phishing email, didn't do anything wrong by their training. They visited a legitimate site. The attack exploits trust in familiar, professional resources rather than exploiting gullibility. Defense: browser isolation / Remote Browser Isolation (RBI), keep browsers and plugins updated to eliminate the exploitable vulnerabilities, DNS filtering to block known compromised sites.
Ch 24 ยท Watering Hole
Question 17 of 20
In the SolarWinds SUNBURST attack, a nation-state threat actor inserted malicious code into the build process of the SolarWinds Orion software update. The malicious update was cryptographically signed by SolarWinds and delivered to approximately 18,000 organizations through the normal software update mechanism. What makes this attack particularly difficult to detect and prevent using standard security controls?
โœ… B. The SUNBURST attack targeted the build pipeline โ€” the process that compiles and packages software before distribution. By the time victims received the update, it was indistinguishable from a legitimate SolarWinds update: it came from SolarWinds' own distribution servers, and the code signing certificate was SolarWinds' actual certificate. Standard defenses that organizations rely on โ€” "only install signed updates from trusted vendors" โ€” provided no protection because the trust chain itself was compromised. The code signing certificate was genuine. This attack demonstrates the limits of code signing as a security control: it verifies the code came from the signer, but if the signer's build process is compromised, signing still occurs on malicious code. SBOM and reproducible builds are proposed mitigations.
Ch 24 ยท Watering Hole
Question 18 of 20
An attacker purchases advertising space through a legitimate ad network and embeds a browser exploit in the ad creative. The exploit executes when a user's browser renders the ad โ€” even on reputable, high-traffic websites. No user interaction beyond page load is required. What is this attack called, and which defense specifically addresses it?
โœ… C โ€” Malvertising. Malvertising uses legitimate ad infrastructure as the delivery mechanism. The website operator may be entirely unaware โ€” they contracted with a legitimate ad network that was itself compromised or tricked. Even major, trusted websites (news sites, tech sites) have served malvertising. The attack doesn't require the user to click anything โ€” the exploit executes when the browser parses and renders the malicious ad content. This is a drive-by download enabled through advertising. Defense: ad blockers prevent the malicious ad code from loading; browser updates patch the vulnerabilities the exploit targets; Content Security Policies (CSP) can restrict which domains may deliver executable content to a site.
Ch 25 ยท Other Social Attacks
Question 19 of 20
At a security conference, a researcher demonstrates a technique where she approaches a network engineer at a social event, mentions she works for a competing firm, and through what appears to be casual professional conversation โ€” asking about interesting technical challenges, new technologies they're evaluating, and "war stories" about outages โ€” gathers detailed information about the target company's network architecture, upcoming system changes, and a critical vulnerability that has not yet been patched. No deception was used; the engineer volunteered all information willingly. What technique is this?
โœ… C โ€” Elicitation. Elicitation is the art of extracting information through natural conversation rather than direct questioning. The target doesn't realize they're being exploited โ€” they believe they're having a peer-to-peer professional discussion. The researcher uses conversation techniques: flattery ("that sounds like a really complex challenge"), deliberate false statements the target feels compelled to correct, or open-ended questions about "war stories." The engineer volunteered sensitive internal information (unpatched vulnerabilities, architecture details) that would never have been approved for disclosure, simply because the conversation felt normal and collegial. Defense: security awareness training must specifically cover information handling at conferences and social events โ€” the risk of oversharing in informal settings is consistently underestimated.
Ch 25 ยท Other Social Attacks
Question 20 of 20
A security analyst investigating a disinformation campaign finds a network of 3,000 social media accounts that amplify fabricated news stories about a publicly traded company, causing stock price manipulation. Some stories contain a kernel of factual information mixed with false claims designed to damage the company's reputation. What term describes information that is intentionally false and harmful, and how does it differ from misinformation?
โœ… B โ€” Disinformation. Three categories: Misinformation = false information spread without intent to deceive (the sharer believes it's true). Disinformation = false information spread with deliberate intent to deceive, manipulate, or harm. Malinformation = accurate or real information used out of context or with harmful framing to damage someone (e.g., publishing private communications to embarrass a public figure). The stock manipulation campaign described here is disinformation โ€” deliberately fabricated content deployed through a coordinated account network with the specific intent to manipulate markets. The 3,000-account network is an "influence operation" โ€” a coordinated, inauthentic campaign to amplify false narratives at scale.
Part B โ€” Scenario Analysis (Unscored โ€” for practice)
Ch 19โ€“22 ยท Scenario
Scenario A โ€” Multi-Vector Attack Campaign

A financial services firm is targeted in a sophisticated multi-week campaign. Week 1: Employees receive highly personalized phishing emails referencing their specific client accounts โ€” indicating the attacker has internal knowledge. Week 2: Three executives receive deepfake video calls requesting urgent wire authorizations. Week 3: A security researcher reports that the firm's external financial reporting portal has been seeded with a browser exploit targeting visitors. Analyze the likely threat actor profile, identify which attack types are being used, and design a unified defensive response that addresses all three attack vectors simultaneously.

Threat Actor Profile:
The sophistication level, multi-week planning, use of deepfake technology, and apparent access to internal client account data suggests an organized, well-resourced threat actor โ€” likely organized crime with financial motivation (wire fraud / BEC) or a nation-state conducting financial espionage. The internal knowledge in Week 1 emails indicates either: (a) a prior compromise providing internal data, (b) a malicious or negligent insider leak, or (c) extensive OSINT from prior data breaches. The watering hole targeting the financial reporting portal suggests prior reconnaissance to identify which sites the firm's clients and partners visit.

Attack Type Identification:
Week 1 โ€” Spear phishing / BEC: Highly personalized emails referencing internal account data. The personalization level suggests the attacker has already accessed some internal data. This is spear phishing at minimum; if targeting executives for financial fraud it escalates to BEC/whaling.
Week 2 โ€” Deepfake-assisted vishing / impersonation: Real-time deepfake video used to impersonate executives to authorize wire transfers. This is voice/video impersonation combined with BEC financial fraud tactics.
Week 3 โ€” Watering hole attack: The financial reporting portal is a site clients and partners routinely visit. Seeding it with an exploit targets the firm's network of counterparties, not just internal employees.

Unified Defensive Response:
Immediate containment: (1) Identify and quarantine the browser exploit on the financial reporting portal immediately โ€” take it offline if necessary, notify all users who accessed it in the past 30 days. (2) Issue an internal alert to all employees about the active campaign; suspend processing of all wire transfer requests received in the past week pending re-verification. (3) Reset credentials for any accounts that interacted with the phishing emails.

Email defenses (Week 1): Enforce DMARC p=reject to prevent domain spoofing. Deploy email security scanning with attachment/link sandboxing. Implement security awareness training specific to BEC โ€” especially for finance and accounts payable staff. Establish out-of-band callback procedures for ANY payment request modification regardless of source.

Deepfake / impersonation defenses (Week 2): Implement a firm-wide policy: no financial authorization based solely on a video or phone call. All wire transfers above a threshold require callback to pre-registered numbers AND dual approval from a second authorized officer. Establish pre-shared code words for executive authentication in sensitive transactions. Train executives and finance staff specifically on deepfake capabilities.

Watering hole defenses (Week 3): Deploy Remote Browser Isolation (RBI) for employees accessing external financial portals. Ensure all endpoint browsers are fully patched. Use DNS filtering to block newly flagged malicious domains. Notify all clients and partners who use the portal about the compromise.

Investigation: Engage incident response to determine how the attacker obtained internal client account data. Audit access logs for the CRM and account management systems. Look for signs of prior compromise, insider activity, or credential theft that gave the attacker the internal knowledge used in Week 1.
Ch 23โ€“25 ยท Scenario
Scenario B โ€” Supply Chain & Insider Threat Response

A healthcare organization's IT security team detects unusual outbound data transfers from a server managed by an external IT vendor with privileged admin access. Investigation reveals the vendor's management platform was compromised six weeks ago; the attacker used the vendor's credentials to access patient records and HR data. Concurrently, a departing senior network engineer was found to have copied network topology diagrams and firewall rule documentation to personal cloud storage in her final week of employment. Design the immediate incident response, the vendor risk remediation, and the insider threat controls to prevent recurrence of both situations.

Immediate Incident Response (Supply Chain / Vendor Compromise):
(1) Immediately revoke all credentials and access for the compromised vendor. Terminate all active sessions from vendor IP ranges. Disable all API keys and service accounts associated with the vendor. (2) Isolate the affected server from the network to prevent further data exfiltration. Preserve all logs and volatile memory for forensic analysis. (3) Identify the full scope of access: what data was accessed, for how long, and what was exfiltrated. Pull six weeks of access logs for all systems the vendor had privileges on. (4) Notify affected patients per HIPAA Breach Notification Rule (within 60 days of discovery; within 60 days requires HHS notification if >500 records). Document the timeline for regulatory reporting. (5) Engage external incident response to conduct forensics independently of the vendor.

Vendor Risk Remediation:
Short term: Before reinstating any vendor access, require the vendor to demonstrate remediation of the compromise โ€” new credentials, MFA enforcement, endpoint security on the management platform. Implement just-in-time (JIT) access: vendor credentials are issued on-demand for specific maintenance windows rather than persistent standing access. Restrict vendor network access to only the specific systems they manage โ€” no lateral movement capability.
Long term: Implement a vendor risk management program. Require annual security assessments of all vendors with privileged access. Include contractual requirements for breach notification within 24โ€“72 hours. Evaluate whether this vendor's access model can be redesigned to eliminate persistent privileged credentials. Monitor all vendor activity via a PAM (Privileged Access Management) solution that records sessions and alerts on anomalous activity.

Insider Threat Response (Departing Engineer):
Immediate: Preserve evidence โ€” logs of cloud storage upload activity, timestamps, file names, and destination account. Engage legal counsel before interviewing the employee; document the chain of custody. Assess the data stolen: network topology and firewall rules are sensitive โ€” an attacker with this information has a map of the organization's defenses. Evaluate whether firewall rules need to be changed and whether network re-architecture is required.

Insider Threat Prevention Controls:
(1) Offboarding procedure: all access (including cloud accounts, VPN, remote tools) should be revoked on the last day of employment before the employee's final departure. DLP (Data Loss Prevention) monitoring should be triggered at notification of resignation to flag unusual data access or uploads. (2) DLP policy: classify sensitive documents (network diagrams, firewall configs, security architecture) and configure DLP to alert on upload to personal cloud storage or email to personal addresses. (3) Least privilege: network documentation should not be universally accessible โ€” restrict access to those with current operational need. (4) Separation of duties: network diagrams and security documentation should require approval to access, creating an audit trail. (5) Exit procedures: structured exit interview with security team; physical media check of workstation before return.
โ† Exam: Ch 16โ€“18 All Chapters
โ€”
Pass threshold: 80% (16 / 20 correct)
โ† Ch 16โ€“18 Exam All Chapters