Domain 4: Security Operations Capstone Review — 51 of 61

Domain 4 – Full Cross-Topic Review: Security Operations

Security+ Domain 4 — Security Operations Capstone Review (20 questions)

This review integrates:

  • System and Endpoint Hardening
  • Wireless and Mobile Device Security
  • Asset Management and Inventory
  • Vulnerability Management and Scanning
  • Security Monitoring, Logging, and SIEM
  • Firewalls, IDS/IPS, and Network Security Appliances
  • Endpoint Detection and Response (EDR)
  • Identity and Access Management (IAM) and MFA
  • Security Automation and Orchestration (SOAR)
  • Incident Response and Digital Forensics

This is the largest domain. Expect wide-ranging scenarios that connect operational decisions across hardening, detection, response, and recovery.


Question 1

A security analyst receives a SIEM alert indicating that a server is making outbound connections to a known command-and-control IP address. The EDR agent on the server shows a newly created scheduled task running an unknown executable.

What is the FIRST incident response step?

A. Contain the threat by isolating the server from the network while preserving evidence
B. Reimage the server immediately
C. Delete the scheduled task and unknown executable
D. Notify law enforcement before taking any action

Answer & reasoning

Correct: A

Containment is the priority once the incident has been identified. Network isolation stops further C2 communication and lateral movement while preserving forensic evidence; most EDR platforms implement this as a "network contain" action that cuts all traffic except the agent's own management channel, so memory, process and file artifacts can still be collected from the isolated host. Reimaging destroys evidence, deleting the task and executable hinders the investigation (and may leave other persistence in place), and law enforcement notification may be required but is secondary to stopping the active compromise.

Question 2

A vulnerability scan reveals 2,000 findings across the organization. The security team has limited remediation capacity. The scan shows 50 critical vulnerabilities on internet-facing servers, 200 high vulnerabilities on internal servers, and 1,750 medium/low findings across endpoints.

How should remediation be prioritized?

A. Remediate all findings alphabetically by hostname
B. Address the 50 critical vulnerabilities on internet-facing servers first based on risk (severity + exposure)
C. Focus on the 1,750 medium/low findings first because they are the largest count
D. Ignore all findings until the next quarterly scan

Answer & reasoning

Correct: B

Vulnerability prioritization is risk-based: critical severity on internet-facing (highest exposure) systems represents the greatest risk. Volume alone does not determine priority. Medium/low findings on internal endpoints, while numerous, present lower immediate risk than critical vulnerabilities on externally accessible systems.
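The severity-times-exposure rule from this answer, carried out over a constructed findings list. This is an added example, not material from the Security+ page; the exposure weights and the "known exploited" multiplier are an assumed policy, not a CompTIA-defined scale, and the finding records are made up.

```python
"""Risk-based remediation queue: severity x exposure, not raw count.
Added example (not from the Security+ page); findings are constructed."""
from collections import Counter

# Exposure multipliers are an assumed policy: internet-facing counts three times
# as much as an internal endpoint. Adjust to your own environment.
EXPOSURE_WEIGHT = {"internet": 3.0, "internal_server": 2.0, "endpoint": 1.0}
# Representative CVSS v3 base scores for the NVD qualitative severity bands.
SEVERITY_SCORE = {"critical": 9.5, "high": 8.0, "medium": 5.5, "low": 2.5}

# Constructed findings; in practice these come from the scanner's export.
FINDINGS = [
    {"id": "F-001", "host": "web-01", "severity": "critical", "exposure": "internet", "exploited_in_wild": True},
    {"id": "F-002", "host": "web-02", "severity": "critical", "exposure": "internet", "exploited_in_wild": False},
    {"id": "F-003", "host": "db-01", "severity": "high", "exposure": "internal_server", "exploited_in_wild": True},
    {"id": "F-004", "host": "app-07", "severity": "high", "exposure": "internal_server", "exploited_in_wild": False},
    {"id": "F-005", "host": "laptop-311", "severity": "medium", "exposure": "endpoint", "exploited_in_wild": False},
    {"id": "F-006", "host": "laptop-042", "severity": "low", "exposure": "endpoint", "exploited_in_wild": False},
]


def risk_score(finding):
    """Severity x exposure, with a 1.5x bump when exploitation in the wild is known
    (the same idea as consulting a known-exploited-vulnerabilities list)."""
    score = SEVERITY_SCORE[finding["severity"]] * EXPOSURE_WEIGHT[finding["exposure"]]
    if finding.get("exploited_in_wild"):
        score *= 1.5
    return round(score, 2)


def build_queue(findings):
    """Findings sorted highest risk first; ties broken by id so the order is stable."""
    return sorted(findings, key=lambda f: (-risk_score(f), f["id"]))


def plan(findings, capacity):
    """Pick what fits this cycle's remediation capacity and summarise what is deferred,
    so the deferred count can be reported as accepted risk rather than silently dropped."""
    queue = build_queue(findings)
    chosen, deferred = queue[:capacity], queue[capacity:]
    return {
        "fix_now": [f["id"] for f in chosen],
        "deferred_by_severity": dict(Counter(f["severity"] for f in deferred)),
    }


if __name__ == "__main__":
    for f in build_queue(FINDINGS):
        print(f"{f['id']}  {f['host']:<11} {f['severity']:<8} {f['exposure']:<15} risk={risk_score(f)}")
    print(plan(FINDINGS, capacity=2))
```

With capacity for two fixes this cycle, the two internet-facing criticals go first and the 200-style internal highs are reported as deferred, which is exactly the conversation the team needs to have with management about capacity.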

Question 3

An organization's MDM policy requires full-disk encryption, screen lock after 60 seconds, and remote wipe capability on all corporate mobile devices. An employee's phone is stolen from a restaurant.

What is the MOST appropriate immediate response?

A. Wait for the employee to purchase a replacement device
B. File a police report and take no technical action
C. Initiate a remote wipe of the device and disable the associated corporate account
D. Send a message to the stolen device requesting its return

Answer & reasoning

Correct: C

Remote wipe removes corporate data from the stolen device, and disabling the corporate account (and revoking its active sessions and tokens) prevents unauthorized access even if the device's encryption is bypassed. Because a wipe command only executes when the device next checks in, disabling the account should not wait for the wipe to be confirmed; full-disk encryption with the 60-second screen lock is the fallback protection if the wipe never reaches the device. A police report may be appropriate but does not protect corporate data. Waiting creates unnecessary exposure.

Question 4

A hardening checklist requires disabling unnecessary services on production servers. A system administrator disables a service and a critical business application stops working.

What hardening process was missing?

A. A dependency mapping and testing phase should precede production hardening changes
B. The server should not have been hardened since it runs a critical application
C. Hardening should only disable services listed in vendor documentation
D. The administrator should have restored from backup instead of investigating

Answer & reasoning

Correct: A

Hardening must include dependency mapping (understanding which services the application requires) and testing in a non-production environment before production changes. All servers should be hardened, including those running critical applications, but the process must account for application dependencies. Vendor documentation may not cover all dependencies.

Question 5

An IDS generates 500 alerts per day. After investigation, the security team determines that 480 are false positives caused by a misconfigured signature for internal backup traffic.

What is the MOST appropriate action?

A. Disable the IDS to eliminate alert fatigue
B. Tune the IDS signature to exclude known backup traffic patterns while maintaining detection capability
C. Ignore all IDS alerts going forward
D. Replace the IDS with a firewall

Answer & reasoning

Correct: B

Signature tuning reduces false positives while maintaining detection capability. The exception should be scoped to the specific cause (the backup servers' source addresses, the destination, the port and ideally the backup window), not a blanket suppression of the signature, so that the same traffic pattern from any other host still alerts. Disabling the IDS or ignoring alerts eliminates detection entirely. A firewall and an IDS serve different purposes and are not interchangeable.

Question 6

During a forensic investigation, an analyst needs to examine a compromised server's hard drive. The server is still powered on.

What should the analyst do FIRST?

A. Power off the server immediately and remove the hard drive
B. Begin browsing files directly on the live system to find evidence
C. Reinstall the operating system to remove the compromise, then investigate
D. Capture volatile memory (RAM) before powering down, then create a forensic disk image

Answer & reasoning

Correct: D

Order of volatility dictates capturing the most volatile evidence first. RAM contains running processes, network connections, encryption keys, and malware that disappears when powered off. After volatile data capture, a forensic disk image preserves non-volatile evidence. Browsing directly contaminates evidence, and reinstalling destroys it entirely.

Question 7

A company implements WPA3-Enterprise for its corporate wireless network. A security consultant recommends also implementing 802.1X with RADIUS authentication.

What additional security benefit does 802.1X provide beyond WPA3 encryption?

A. Stronger wireless encryption than WPA3 provides
B. Physical security for wireless access points
C. Individual user authentication and per-session encryption keys, enabling granular access control and accounting
D. Automatic firmware updates for wireless clients

Answer & reasoning

Correct: C

802.1X with a RADIUS server provides individual user or device authentication (not a passphrase shared by everyone), per-session unique encryption keys, granular access control based on the authenticated identity (for example VLAN assignment) and accounting logs of who connected when. WPA3-Enterprise is defined on top of 802.1X/EAP, so the consultant is really confirming that the RADIUS integration is done properly for these AAA benefits rather than adding a separate technology. 802.1X does not strengthen WPA3's encryption or provide physical security.

Question 8

An asset inventory audit reveals 15 servers that are not tracked in the organization's configuration management database (CMDB). These servers are running production workloads.

What is the PRIMARY risk of unmanaged assets?

A. Unmanaged assets may not receive patches, monitoring, or hardening, creating blind spots in the security posture
B. Unmanaged assets consume excess bandwidth
C. Unmanaged assets always contain malware
D. Unmanaged assets violate software licensing agreements

Answer & reasoning

Correct: A

Assets not in the CMDB are invisible to security operations: they may not receive vulnerability scans, patches, configuration hardening, or monitoring. This creates security blind spots where threats can persist undetected. While licensing may be a concern, the primary security risk is the gap in security controls coverage.

Question 9

A SOAR platform is configured to automatically block IP addresses after the SIEM detects 10 failed login attempts within 5 minutes. A legitimate business partner reports being locked out after a misconfigured service account generated rapid authentication failures.

What should be improved?

A. Disable all automated response actions permanently
B. Increase the threshold to 1,000 failed attempts to prevent false positives
C. Remove the SOAR platform entirely
D. Add context-aware exceptions (allowlists for known partner IPs) and implement human review for blocks affecting critical business relationships

Answer & reasoning

Correct: D

Automation must balance speed with accuracy. Context-aware exceptions (allowlisting known partner IPs or requiring human approval for certain blocks) prevent legitimate business disruption while maintaining automated defense. Disabling automation loses response speed, extremely high thresholds enable actual brute force attacks, and removing SOAR eliminates operational efficiency.
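The improved SOAR logic from this answer, run over constructed authentication log lines. This is an added example and not code from the Security+ page or any SOAR product; the log format, the partner address range (taken from the TEST-NET-3 documentation block) and the threshold values are assumptions. It shows the sliding five-minute window, the allowlist that routes partner addresses to human review instead of an automatic block, and a slow attacker who stays under the window.

```python
"""SOAR auto-block with context-aware exceptions.
Added example, not from the page; log lines, addresses and thresholds are constructed."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                     # failed logins ...
WINDOW = timedelta(minutes=5)      # ... within this sliding window
# Assumed allowlist of partner ranges: never auto-blocked, always routed to a human.
PARTNER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

LINE_RE = re.compile(r"^(\S+) sshd src=(\S+) user=\S+ result=(\w+)$")


def constructed_log():
    """Build syslog-style lines for three sources (constructed, not real traffic)."""
    base = datetime(2024, 5, 2, 9, 0, 0)
    lines = []
    # Partner's misconfigured service account: 12 failures in two minutes.
    for i in range(12):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()}Z sshd src=203.0.113.40 user=svc_partner result=FAIL")
    # Unknown host brute forcing root: 11 failures in five and a half minutes.
    for i in range(11):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()}Z sshd src=198.51.100.7 user=root result=FAIL")
    # Slow attacker: one failure every six minutes never has 10 inside one window.
    for i in range(11):
        t = base + timedelta(minutes=6 * i)
        lines.append(f"{t.isoformat()}Z sshd src=192.0.2.9 user=admin result=FAIL")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()}Z sshd src=10.1.1.5 user=alice result=OK")
    return "\n".join(lines)


def parse_log(text):
    """Yield (timestamp, source_ip, outcome) tuples; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).rstrip("Z"))
            yield ts, m.group(2), m.group(3)


def is_partner(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PARTNER_NETS)


def decide(events):
    """Return {source_ip: "block" | "review"} for sources that cross the threshold.
    Partner addresses are escalated for human review instead of being blocked."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    actions = {}
    for ts, ip, outcome in sorted(events):
        if outcome != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:      # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD and ip not in actions:
            actions[ip] = "review" if is_partner(ip) else "block"
    return actions


if __name__ == "__main__":
    print(decide(parse_log(constructed_log())))
```

The slow source never triggers anything, which is the trade-off of any windowed threshold: a patient attacker needs a separate, longer-horizon rule (for example failures per day per source, or failures against many accounts). The point of the allowlist is not that partner traffic is trusted, only that blocking it is a decision a person should confirm.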

Question 10

An organization requires MFA for all remote access. A user reports that they approved an MFA push notification they did not initiate while distracted during a meeting.

What type of attack occurred, and what mitigation would prevent it?

A. Brute force attack; increase password length requirements
B. MFA fatigue (push bombing) attack; implement number-matching MFA that requires entering a displayed code
C. Session hijacking; implement certificate-based authentication
D. Credential stuffing; implement account lockout policies

Answer & reasoning

Correct: B

MFA fatigue (push bombing) floods the user with push notifications, typically after the attacker has already obtained the password, until the user approves one to make them stop or by mistake. Number-matching MFA requires the user to enter a code displayed on the login screen, which they cannot do if they did not initiate the login. Simple push approve/deny is vulnerable to accidental or fatigued approval. Number matching does not stop a real-time phishing proxy that relays the login page and its code; phishing-resistant MFA (FIDO2/passkeys or smart cards) addresses that case. This is not brute force, session hijacking, or credential stuffing.

Question 11

A firewall rule review reveals a rule permitting "any source, any destination, any port" that was added two years ago as a temporary troubleshooting measure and never removed.

What operational practice would have prevented this?

A. Replacing the firewall with a newer model
B. Implementing a WAF instead of a network firewall
C. Periodic firewall rule reviews with expiration dates on temporary rules
D. Encrypting all firewall rules

Answer & reasoning

Correct: C

Firewall rule hygiene requires periodic reviews to identify and remove stale, overly permissive, or temporary rules. Temporary rules should have mandatory expiration dates or review triggers. An "any/any/any" rule effectively disables the firewall. This is a process and governance issue, not a technology replacement issue.
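A rule-review check of the kind this answer describes, written as an added example that is not part of the Security+ page or of any vendor's tooling. Real firewalls export rules in vendor-specific JSON, CSV or XML; the flat rule records here are a constructed stand-in, and the convention that an approved rule carries a "CHG-" change ticket is an assumption.

```python
"""Firewall rule hygiene check: flag any/any/any allow rules, expired temporary
rules and allow rules with neither a change ticket nor an expiry.
Added example; the rule export is constructed, not a vendor format."""
from datetime import date

# Constructed rule export, in top-down evaluation order.
RULES = [
    {"id": 10, "src": "10.0.0.0/8", "dst": "10.20.5.10/32", "port": "443",
     "action": "allow", "expires": None, "ticket": "CHG-1021"},
    {"id": 20, "src": "any", "dst": "any", "port": "any",
     "action": "allow", "expires": None, "ticket": "troubleshooting"},
    {"id": 30, "src": "192.0.2.0/24", "dst": "10.20.5.11/32", "port": "22",
     "action": "allow", "expires": "2024-03-31", "ticket": "CHG-1180"},
    {"id": 40, "src": "any", "dst": "any", "port": "any",
     "action": "deny", "expires": None, "ticket": "baseline"},
]


def is_wide_open(rule):
    """An allow with no constraint on source, destination or port."""
    return (rule["action"] == "allow"
            and rule["src"] == "any" and rule["dst"] == "any" and rule["port"] == "any")


def review(rules, today):
    """Return (rule_id, finding) pairs. A final deny-any is expected and not flagged."""
    findings = []
    for r in rules:
        if is_wide_open(r):
            findings.append((r["id"], "any/any/any allow: effectively disables the firewall"))
        if r["expires"] is not None and date.fromisoformat(r["expires"]) < today:
            findings.append((r["id"], f"expired on {r['expires']}: remove or re-approve"))
        if (r["action"] == "allow" and r["expires"] is None
                and not r["ticket"].startswith("CHG-")):
            findings.append((r["id"], "allow rule with no change ticket and no expiry"))
    return findings


def shadowed_by_wide_open(rules):
    """Ids of rules that sit below an any/any/any allow and can therefore never match."""
    ids, seen_wide_open = [], False
    for r in rules:
        if seen_wide_open:
            ids.append(r["id"])
        if is_wide_open(r):
            seen_wide_open = True
    return ids


if __name__ == "__main__":
    for rule_id, finding in review(RULES, date.today()):
        print(f"rule {rule_id}: {finding}")
    print("shadowed:", shadowed_by_wide_open(RULES))
```

Run this from the change-management pipeline on a schedule, not only during audits: a temporary rule with an expiry date is only useful if something actually notices the date passing.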

Question 12

An EDR solution detects that a process on a workstation is injecting code into a legitimate system process. The EDR quarantines the suspicious process and alerts the security team.

What technique was the malware using, and why is EDR effective against it?

A. DDoS attack; EDR blocks network floods
B. Process injection (defense evasion by running malicious code inside a trusted process); EDR monitors process behavior beyond what traditional antivirus signature matching can detect
C. SQL injection; EDR validates database queries
D. ARP spoofing; EDR protects network layer communications

Answer & reasoning

Correct: B

Process injection is a defense-evasion technique: the malware writes its code into the memory of a legitimate process and executes it there, so the malicious activity appears to come from a trusted, signed binary and no malicious file needs to exist on disk for a scanner to match. It is often used alongside living-off-the-land abuse of built-in tools, but the two are distinct techniques. EDR monitors process behavior (cross-process memory writes, threads created in another process, unusual parent/child relationships, API call sequences) rather than relying solely on file signatures, which is why it can catch injection that file-based antivirus misses. EDR operates at the endpoint level, not at the network or database layer.

Question 13

An organization uses a privileged access management (PAM) solution that records all administrative sessions. An investigation reveals that a system administrator accessed a production database outside of an approved change window.

What PAM capability enabled this detection?

A. Password rotation
B. Just-in-time access provisioning
C. Multi-factor authentication enforcement
D. Session recording and audit logging

Answer & reasoning

Correct: D

Session recording and audit logging provide a complete record of administrative actions, including timing, commands executed, and resources accessed. This enables after-the-fact detection of policy violations. Password rotation prevents credential reuse, JIT access limits access windows, and MFA verifies identity, but session recording is what enabled the detection of unauthorized timing.

Question 14

A vulnerability scan of a newly deployed server shows that default credentials are active on the management interface, unnecessary ports are open, and a sample application is still installed.

What operational process failed?

A. The server was not hardened according to a secure baseline before deployment
B. Vulnerability scanning was not performed frequently enough
C. The server hardware is defective
D. The vulnerability scanner is producing false positives

Answer & reasoning

Correct: A

Default credentials, unnecessary open ports, and sample applications are all indicators that baseline hardening was not performed. A secure deployment process requires applying a hardening checklist (CIS benchmark or equivalent) before any server enters production. The scan correctly identified real issues, confirming the process failure rather than scanner inaccuracy.

Question 15

During incident response, the team determines that an attacker maintained persistence through a rogue user account created with domain administrator privileges. The account was created six months ago.

What detection gap allowed this to persist?

A. The firewall was not inspecting internal traffic
B. Endpoint antivirus was not updated
C. Insufficient monitoring of privileged account creation events and periodic access reviews
D. Network encryption prevented traffic inspection

Answer & reasoning

Correct: C

Creating a domain admin account should trigger SIEM alerts: account creation and, above all, membership changes to Domain Admins or Enterprise Admins are high-priority events (on Windows, event IDs 4720 for account creation and 4728 for a member added to a security-enabled global group). Periodic access reviews comparing the current membership of privileged groups against an approved list would identify an unknown account even if the real-time alert was missed. Six months of persistence indicates that both the real-time monitoring and the periodic review process failed. Firewall inspection and antivirus are not designed to detect rogue account creation.
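The two detection layers from this answer, as an added example rather than code from the Security+ page or from any SIEM: a real-time rule that alerts on additions to privileged groups (escalating when the account was created by the same actor minutes earlier), and a periodic access review that diffs current group membership against an approved list. The event records are constructed JSON in the shape of Windows Security log fields; the event IDs 4720 and 4728 are real Windows IDs, while the approved-admin list and the five-minute correlation window are assumptions.

```python
"""Privileged account monitoring: real-time rule plus periodic access review.
Added example; the event records are constructed, not a real log export."""
import json
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
APPROVED_DOMAIN_ADMINS = {"DA-alice", "DA-bob"}     # assumed output of the last access review
CREATE_TO_ADD_WINDOW = timedelta(minutes=5)         # assumed: new account promoted this fast is suspicious

# Constructed Windows Security events. 4720 = user account created,
# 4728 = member added to a security-enabled global group, 4624 = logon (noise).
EVENTS_JSON = """[
 {"EventID": 4720, "TimeCreated": "2023-11-14T02:13:07Z", "SubjectUserName": "helpdesk7",
  "TargetUserName": "svc-backup2"},
 {"EventID": 4728, "TimeCreated": "2023-11-14T02:13:09Z", "SubjectUserName": "helpdesk7",
  "TargetUserName": "Domain Admins", "MemberName": "CN=svc-backup2,CN=Users,DC=corp,DC=example"},
 {"EventID": 4720, "TimeCreated": "2023-11-15T10:02:44Z", "SubjectUserName": "hr-admin",
  "TargetUserName": "jdoe"},
 {"EventID": 4728, "TimeCreated": "2023-11-20T09:30:00Z", "SubjectUserName": "DA-alice",
  "TargetUserName": "Domain Admins", "MemberName": "CN=DA-carol,CN=Users,DC=corp,DC=example"},
 {"EventID": 4624, "TimeCreated": "2023-11-20T09:31:00Z", "SubjectUserName": "jdoe",
  "TargetUserName": "jdoe"}
]"""


def _when(event):
    return datetime.fromisoformat(event["TimeCreated"].replace("Z", "+00:00"))


def _member_from_dn(dn):
    """'CN=svc-backup2,CN=Users,DC=corp,DC=example' -> 'svc-backup2'."""
    return dn.split(",")[0].removeprefix("CN=")


def correlate(events):
    """Alert on every addition to a privileged group. Escalate to critical when the
    same actor created that account within CREATE_TO_ADD_WINDOW beforehand."""
    created = {}        # account name -> (creator, creation time)
    alerts = []
    for e in sorted(events, key=_when):
        if e["EventID"] == 4720:
            created[e["TargetUserName"]] = (e["SubjectUserName"], _when(e))
        elif e["EventID"] == 4728 and e["TargetUserName"] in PRIVILEGED_GROUPS:
            member = _member_from_dn(e["MemberName"])
            severity = "high"
            if member in created:
                creator, t0 = created[member]
                if creator == e["SubjectUserName"] and _when(e) - t0 <= CREATE_TO_ADD_WINDOW:
                    severity = "critical"
            alerts.append({"severity": severity, "member": member,
                           "group": e["TargetUserName"], "by": e["SubjectUserName"]})
    return alerts


def access_review(current_members, approved):
    """Periodic check: privileged accounts present in the directory but not approved."""
    return sorted(set(current_members) - set(approved))


if __name__ == "__main__":
    for a in correlate(json.loads(EVENTS_JSON)):
        print(a)
    # Membership as it would be pulled from the directory six months later (constructed).
    print("unapproved:", access_review(["DA-alice", "DA-bob", "svc-backup2", "DA-carol"],
                                       APPROVED_DOMAIN_ADMINS))
```

The real-time rule is what should have fired on day one; the access review is the safety net that catches the account even when the alert was tuned out, the SIEM was down, or the attacker cleared the log.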

Question 16

A security team implements a next-generation firewall (NGFW) that supports application-layer inspection. A user complains that a legitimate SaaS application is being blocked.

What is the MOST likely cause?

A. The NGFW cannot inspect encrypted traffic
B. NGFWs always block SaaS applications
C. The user's device is infected with malware
D. The application-layer policy has not been configured to allow the specific SaaS application or its traffic patterns

Answer & reasoning

Correct: D

NGFWs inspect traffic at the application layer and enforce policies based on application identification rather than port alone. If the SaaS application is not in the allowed policy, or its traffic is misidentified as another application, it will be blocked, and the fix is to update the application-layer policy to explicitly permit it. NGFWs can inspect encrypted traffic when TLS inspection is deployed (which requires the firewall's CA certificate on the clients and may still break applications that pin certificates), and they do not inherently block all SaaS.

Question 17

A digital forensics investigator creates an image of a suspect's hard drive. The investigator needs to verify that the image is an exact copy of the original.

What is the standard verification method?

A. Compare file sizes of the original and image
B. Check the creation timestamps on both drives
C. Open both drives and visually compare file listings
D. Generate and compare cryptographic hash values (SHA-256) of the original and the image

Answer & reasoning

Correct: D

Cryptographic hash verification (SHA-256, often recorded alongside MD5 for compatibility with older tooling) produces a collision-resistant fingerprint of the data. If the hash of the forensic image matches the hash of the original drive, the copy is verified as an exact bit-for-bit duplicate; recording both values, and re-hashing the original after imaging, documents that the write blocker held and supports chain of custody in legal proceedings. File sizes match for any two drives of the same capacity, timestamps say nothing about content, and mounting the original to browse it risks altering it, so none of those is acceptable forensic verification.
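The verification step from this answer, as an added example that is not code from the Security+ page or any forensic suite. The "disk" is a constructed one-megabyte byte string rather than a real device, and the image is read in fixed-size chunks the way a real tool would stream a multi-terabyte drive; the point shown is that two images of equal size can still differ by a single bit, which the hash catches and the size comparison does not.

```python
"""Verify a forensic image against its source with a streamed SHA-256.
Added example; the 'disk' and the images are constructed byte strings."""
import hashlib
import io

CHUNK = 1 << 20     # hash 1 MiB at a time so the whole drive never has to fit in memory


def sha256_stream(fileobj, chunk=CHUNK):
    """Hash a file-like object (a device node opened read-only, or an image file)."""
    h = hashlib.sha256()
    for block in iter(lambda: fileobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def verify_image(source_bytes, image_bytes):
    """Compare source and image by size and by hash; only the hash is authoritative."""
    source_hash = sha256_stream(io.BytesIO(source_bytes))
    image_hash = sha256_stream(io.BytesIO(image_bytes))
    return {
        "size_match": len(source_bytes) == len(image_bytes),
        "hash_match": source_hash == image_hash,
        "source_sha256": source_hash,
        "image_sha256": image_hash,
    }


# Constructed 1 MiB "disk" with a recognisable pattern.
DISK = bytes(range(256)) * 4096
GOOD_IMAGE = bytes(DISK)                 # a true bit-for-bit copy
_bad = bytearray(DISK)
_bad[700_000] ^= 0x01                    # one flipped bit: a faulty copy of identical size
BAD_IMAGE = bytes(_bad)


if __name__ == "__main__":
    for name, image in (("good", GOOD_IMAGE), ("bad", BAD_IMAGE)):
        r = verify_image(DISK, image)
        print(f"{name}: size_match={r['size_match']} hash_match={r['hash_match']}")
        print(f"  source {r['source_sha256']}\n  image  {r['image_sha256']}")
```

On a real case the source is read through a hardware write blocker, and the source hash is taken before and after imaging so that the two matching values prove the original was not modified by the process.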

Question 18

An organization discovers that several employees are using unauthorized cloud storage services to share work files. The IT department was unaware of these services.

What operational concept does this represent, and what is the FIRST mitigation step?

A. Data loss prevention failure; encrypt all files at rest
B. Shadow IT; discover and inventory unauthorized services, then establish approved alternatives and enforce usage policies
C. Insider threat; terminate the employees using unauthorized services
D. Malware infection; scan all endpoints for cloud storage applications

Answer & reasoning

Correct: B

Shadow IT refers to technology used without organizational approval or oversight. The first step is discovery and inventory to understand the scope. Then provide approved alternatives that meet users' needs and enforce policies. Termination is disproportionate since employees may be using these tools to fill a legitimate gap. Shadow IT is an operational governance issue, not inherently malicious.

Question 19

An incident response team completes containment and eradication of a malware outbreak. Before declaring the incident resolved, they need to verify that the environment is clean.

What IR phase are they entering, and what actions are appropriate?

A. Preparation; update the incident response plan
B. Lessons learned; document what went wrong and close the incident
C. Recovery; restore systems, verify integrity, monitor for reinfection, and gradually return to normal operations
D. Identification; search for additional indicators of compromise

Answer & reasoning

Correct: C

After containment and eradication, the recovery phase restores affected systems, verifies they are clean through scanning and integrity checks, implements enhanced monitoring for reinfection, and gradually returns systems to normal operations. Lessons learned occurs after recovery is complete and the incident is fully resolved.

Question 20

A security team uses automated vulnerability scanning on a weekly schedule. Between scans, a critical zero-day vulnerability is disclosed for a widely used library present on many servers.

What operational response is MOST appropriate?

A. Initiate an emergency out-of-cycle scan targeting the specific library, assess exposure, and apply patches or compensating controls immediately
B. Wait for the next scheduled weekly scan to confirm the vulnerability
C. Assume the vulnerability is not present since the last scan was clean
D. Disable the affected library on all servers without testing

Answer & reasoning

Correct: A

Critical zero-day disclosures require immediate response outside the normal scan schedule. An emergency targeted scan identifies affected systems quickly, enabling rapid patching or deployment of compensating controls. Waiting for the weekly cycle creates unacceptable exposure. The previous scan's clean result does not account for newly disclosed vulnerabilities. Disabling without testing may cause outages.


Domain 4 Pattern Summary

In Security+ Domain 4:

  • Incident response follows a sequence: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. Containment comes before eradication.
  • Vulnerability prioritization is always risk-based: severity multiplied by exposure, not raw count.
  • Forensic integrity requires volatile data first (order of volatility), forensic imaging, and hash verification for chain of custody.
  • Hardening must happen before deployment; finding default credentials in production means the process failed.
  • Automation (SOAR) requires context-aware tuning to avoid blocking legitimate activity.
  • Unmanaged assets and shadow IT are visibility problems that create security blind spots.
  • Alert fatigue from false positives is solved by tuning, not by disabling detection.

If an answer destroys evidence or skips containment during incident response, it is usually wrong.
