u/Deep_Butterfly1409

Quick SY0-701 Scenario: Security Architecture

Here's a Domain 3 scenario for today.

A security architect is designing a protection strategy for a financial application. She plans to implement firewalls at the perimeter, intrusion detection systems on the internal network, endpoint antivirus, application-layer controls, and data encryption at rest. Which security principle does this layered strategy best represent?

A) Zero trust
B) Separation of duties
C) Defense in depth
D) Secure by default

Take a moment to consider your answer before checking below.

Scroll slowly — answer below.

Answer: C

Explanation: Defense in depth involves implementing multiple, overlapping layers of security controls so that if one control fails, others remain to protect the asset. The described strategy applies controls at the perimeter, network, endpoint, application, and data layers.

Why the others don't fit:
A: Zero trust focuses on explicit verification for every access request and is not specifically about stacking multiple control layers.
B: Separation of duties divides tasks among multiple individuals to prevent fraud or error — it is a personnel/process control, not an architectural layering strategy.
D: Secure by default means systems ship with secure configurations out of the box; it does not describe layering multiple controls across different tiers.

reddit.com
u/Deep_Butterfly1409 — 3 days ago

Quick SY0-701 Scenario: Confidentiality

Here's a Domain 1 scenario for today.

An attacker intercepts network traffic and silently reads confidential emails without altering them or disrupting the service. Which core security principle is being violated?

A) Integrity
B) Availability
C) Confidentiality
D) Non-repudiation

Take a moment to consider your answer before checking below.

Scroll slowly — answer below.

Answer: C

Explanation: Confidentiality means protecting sensitive information from unauthorized access or disclosure. In this scenario, the attacker reads confidential emails, so the information has been exposed to an unauthorized party.

Why the others don't fit:
A: Integrity is about preventing unauthorized modification of data. The attacker did not alter anything.
B: Availability is about keeping systems and services accessible. The service was not disrupted.
D: Non-repudiation is about proving that an action or transaction occurred and cannot be denied later. That is not the issue here.

u/Deep_Butterfly1409 — 5 days ago

Quick SY0-701 Scenario: Security Operations

Here's a Domain 4 scenario for today.

A security analyst discovers that a workstation has been communicating with a known command-and-control (C2) server. The analyst has confirmed the workstation is compromised. What should the analyst do NEXT?

A) Eradicate the malware from the workstation
B) Contain the incident by isolating the workstation from the network
C) Begin a full forensic analysis of the workstation
D) Notify law enforcement about the breach

Take a moment to consider your answer before checking below.

Scroll slowly — answer below.

Answer: B

Explanation: In the incident response process (Preparation → Detection → Containment → Eradication → Recovery → Lessons Learned), after detection and confirmation, the next step is containment. Isolating the workstation prevents the attacker from pivoting to other systems or exfiltrating additional data.

Why the others don't fit:
A: Eradication comes AFTER containment. If you eradicate before containing, the attacker may still have access through other compromised systems.
C: While forensic analysis is important, it should not delay containment. The analyst can perform forensics after the system is isolated.
D: Law enforcement notification may be required, but it is not the immediate next step when a compromised system is actively communicating with a C2 server.

u/Deep_Butterfly1409 — 6 days ago

Quick SY0-701 Scenario: Cloud Security Architecture

Here's a Domain 3 scenario for today.

An enterprise allows employees to use cloud-based SaaS applications for collaboration. The security team needs visibility into which cloud services are being used, the ability to enforce data loss prevention policies, and the capability to detect abnormal user behavior across cloud applications. Which solution best addresses all of these needs?

A) Cloud Access Security Broker (CASB)
B) Next-generation firewall (NGFW)
C) Security Information and Event Management (SIEM)
D) Web Application Firewall (WAF)

Take a moment to consider your answer before checking below.

Answer: A

Explanation:
A Cloud Access Security Broker sits between users and cloud service providers to give security teams visibility and control over SaaS usage. It can discover shadow IT, enforce DLP policies, monitor compliance, detect unusual cloud activity, and apply access controls across cloud applications.

Why the others don't fit: An NGFW can inspect and block traffic at the network perimeter, but it lacks SaaS-specific visibility and cloud app behavior context. A SIEM correlates logs for detection and investigation, but it does not directly enforce DLP policies between users and cloud apps. A WAF protects web applications from attacks like SQL injection or XSS, but it does not provide broad cloud app visibility or cloud DLP enforcement.

u/Deep_Butterfly1409 — 7 days ago

Quick SY0-701 Scenario: Threat Hunting

Here's a Domain 2 scenario for today.

A user reports that all files on their desktop have been renamed with a .locked extension and a text file demands payment in cryptocurrency to restore access. Which type of malware is MOST likely responsible?

A) Spyware
B) Rootkit
C) Ransomware
D) Trojan

Take a moment to consider your answer before checking below.

Answer: C

Explanation: Ransomware encrypts or locks files and demands payment, often in cryptocurrency, for the decryption key. The .locked extension and ransom note are classic indicators.

Why the others don't fit: Spyware silently collects user information; it does not encrypt files or demand payment. Rootkits hide their presence to maintain persistent access. A trojan disguises itself as legitimate software to gain access, but file encryption plus a ransom demand is specifically ransomware behavior.

u/Deep_Butterfly1409 — 8 days ago

Quick SY0-701 Scenario: Calculate ALE

Here’s a Domain 5 scenario for today.

A company is evaluating the risk of a ransomware attack against a critical file server.

The security team estimates:

• Asset value: $200,000
• Exposure factor: 25%
• Annualized rate of occurrence: 0.4

What is the Annualized Loss Expectancy?

A) $20,000
B) $50,000
C) $80,000
D) $200,000

Take a moment to calculate it before checking below.

Answer: A

Explanation: First calculate the Single Loss Expectancy:

SLE = Asset Value × Exposure Factor
SLE = $200,000 × 0.25 = $50,000

Then calculate Annualized Loss Expectancy:

ALE = SLE × ARO
ALE = $50,000 × 0.4 = $20,000

So the correct answer is A) $20,000.

Why the others don’t fit: B is the SLE, not the ALE. C incorrectly applies the ARO to the full asset value. D is the full asset value, not the expected annualized loss.

u/Deep_Butterfly1409 — 9 days ago

Quick SY0-701 Scenario: Zero Trust

Here's a Domain 1 scenario for today.

A company transitions from a perimeter-based security model to zero trust. Which change would be MOST aligned with zero trust principles?

A) Removing all firewalls since perimeter security is no longer needed
B) Requiring continuous authentication and device health checks for all resource access
C) Allowing unlimited access for users once they pass initial authentication
D) Trusting all traffic from the corporate VPN

Take a moment to consider your answer before checking below.

Answer: B

Explanation:
Zero trust is built around “never trust, always verify.” The key idea is that access should be continuously evaluated based on identity, device health, context, and risk — not just granted once at login.

Why the others don’t fit: Removing firewalls is wrong because zero trust adds tighter controls; it doesn’t mean abandoning perimeter defenses. Unlimited access after login is the old “trust after authentication” model. Trusting all VPN traffic also violates zero trust because network location alone should not make something trusted.

u/Deep_Butterfly1409 — 11 days ago