Domain 4 – Section A Review: Secure Computing
This section integrates:
- Secure Baselines and Hardening
- Wireless and Mobile Security
- Asset Management
- Vulnerability Management
Security+ expects you to establish and maintain secure configurations, protect diverse endpoints, track assets, and manage vulnerabilities across the environment.
1. Secure Baselines and System Hardening
A secure baseline is the minimum security configuration a system must meet before it enters production.
Harden before you deploy. Baseline before you monitor.
Any deviation from the baseline is a potential security event. Establishing the baseline means:
- Remove unnecessary services and ports.
- Disable default accounts and change default passwords.
- Apply the latest patches before deployment.
- Use CIS benchmarks or DISA STIGs as configuration guides.
- Document the baseline and monitor for drift.
Configuration drift occurs when systems change over time without documented approval. Automated configuration management tools detect drift and return systems to the documented state.
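The drift check the bullets above describe (and the scenario in Question 9, where firewall rules no longer match the baseline) can be shown as a small comparison routine. This is an added example written for this review, not code from the Security+ material or any configuration management product; the baseline and the later snapshot are constructed values for a hypothetical web server.

```python
"""Configuration-drift check: compare a live snapshot against the documented
baseline. Added example for this review; the baseline and snapshot values are
constructed, not taken from any real system."""

# Documented baseline for a hardened web server (constructed values).
BASELINE = {
    "listening_ports": {22, 443},
    "enabled_services": {"sshd", "nginx", "auditd"},
    "default_accounts_disabled": True,
    "firewall_rules": [
        "allow tcp/22 from 10.0.0.0/8",
        "allow tcp/443 from any",
        "deny all",
    ],
}

# Snapshot collected from the same server later (constructed): telnet was
# enabled and a permissive firewall rule was inserted without approval.
CURRENT = {
    "listening_ports": {22, 23, 443},
    "enabled_services": {"sshd", "nginx", "auditd", "telnetd"},
    "default_accounts_disabled": True,
    "firewall_rules": [
        "allow tcp/22 from 10.0.0.0/8",
        "allow tcp/443 from any",
        "allow tcp/3306 from any",
        "deny all",
    ],
}


def detect_drift(baseline, current):
    """Return a list of (setting, detail) findings; an empty list means no drift."""
    findings = []
    # Set-valued settings: anything present that the baseline does not allow,
    # or anything the baseline requires that is missing, is drift.
    for key in ("listening_ports", "enabled_services"):
        extra = current[key] - baseline[key]
        missing = baseline[key] - current[key]
        if extra:
            findings.append((key, f"unexpected: {sorted(extra)}"))
        if missing:
            findings.append((key, f"missing: {sorted(missing)}"))
    # Boolean hardening flags must match exactly.
    if current["default_accounts_disabled"] != baseline["default_accounts_disabled"]:
        findings.append(("default_accounts_disabled", "flag no longer matches baseline"))
    # Firewall rules are ordered, so compare the full sequence, not just membership.
    if current["firewall_rules"] != baseline["firewall_rules"]:
        added = [r for r in current["firewall_rules"] if r not in baseline["firewall_rules"]]
        removed = [r for r in baseline["firewall_rules"] if r not in current["firewall_rules"]]
        findings.append(("firewall_rules", f"added: {added}; removed: {removed}"))
    return findings


if __name__ == "__main__":
    for setting, detail in detect_drift(BASELINE, CURRENT):
        print(f"DRIFT {setting}: {detail}")
```

Each finding is something to investigate: either the system is returned to baseline or the baseline is formally updated, which is the same decision Question 9 turns on.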
2. Wireless and Mobile Security
Wireless and mobile devices extend the network perimeter beyond physical walls:
- WPA3 — current standard for wireless encryption. WPA2 is acceptable; WEP is never acceptable.
- Evil twin — a rogue access point mimicking a legitimate network.
- MDM (Mobile Device Management) — enforces security policies on mobile devices.
- BYOD risks — personal devices may not meet corporate security standards.
- Remote wipe — erases data on lost or stolen devices.
The wireless network is only as secure as its weakest authentication method.
Mobile devices are endpoints that require the same rigor as workstations.
3. Asset Management Fundamentals
You cannot protect what you do not know exists:
- Asset inventory — comprehensive list of all hardware, software, and data assets.
- Asset classification — categorizing assets by sensitivity and criticality.
- Lifecycle management — procurement, deployment, maintenance, decommissioning.
- Data sanitization — securely erasing data before disposal (degaussing, cryptographic erasure, physical destruction).
Unmanaged assets are shadow IT. Shadow IT bypasses security controls and creates unknown risk.
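Finding shadow IT in practice means reconciling what a discovery scan sees against the inventory, which is the situation in Question 5. The following is an added example for this review, not code from the Security+ material; the inventory export and the discovered-host list are constructed, and the column names are assumptions.

```python
"""Reconcile discovered hosts against the asset inventory to find shadow IT
(on the network but not inventoried) and stale records (inventoried but not
seen). Added example; all data below is constructed."""

import csv
import io

# Asset inventory export (constructed; column names are assumptions).
INVENTORY_CSV = """asset_id,mac,hostname,owner,classification
A-1001,aa:bb:cc:00:00:01,fin-ws-01,Finance,confidential
A-1002,aa:bb:cc:00:00:02,fin-ws-02,Finance,confidential
A-1003,aa:bb:cc:00:00:03,hr-ws-01,HR,confidential
A-1004,aa:bb:cc:00:00:04,old-printer,Facilities,internal
"""

# Hosts seen by the network discovery scan (constructed).
DISCOVERED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.1.1.11"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.1.1.12"},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.1.2.21"},
    {"mac": "aa:bb:cc:00:00:99", "ip": "10.1.3.50"},   # never inventoried
    {"mac": "aa:bb:cc:00:00:98", "ip": "10.1.3.51"},   # never inventoried
]


def load_inventory(text):
    """Parse the CSV export into a dict keyed by normalised MAC address."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def reconcile(inventory, discovered):
    """Return (unmanaged, stale): discovered hosts absent from the inventory,
    and inventory records for assets the scan did not see."""
    seen = {h["mac"].lower() for h in discovered}
    unmanaged = [h for h in discovered if h["mac"].lower() not in inventory]
    stale = [row for mac, row in inventory.items() if mac not in seen]
    return unmanaged, stale


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    unmanaged, stale = reconcile(inv, DISCOVERED)
    for h in unmanaged:
        print(f"UNMANAGED (possible shadow IT): {h['ip']} {h['mac']}")
    for row in stale:
        print(f"STALE RECORD: {row['asset_id']} {row['hostname']} not seen on the network")
```

Both lists matter: unmanaged hosts are the shadow IT that bypasses patching and monitoring, and stale records are assets that may have been decommissioned without data sanitization being recorded.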
4. Vulnerability Management Process
Vulnerability management is a continuous cycle, not a one-time scan:
- Discover — scan systems and applications for known vulnerabilities.
- Assess — evaluate severity using CVSS scores and business context.
- Prioritize — critical and exploitable vulnerabilities first.
- Remediate — patch, reconfigure, or apply compensating controls.
- Verify — rescan to confirm remediation was effective.
A vulnerability scan finds weaknesses. A penetration test proves they are exploitable.
Prioritize by risk, not by CVSS score alone.
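The assess and prioritize steps, combining CVSS with business context, and the remediate step's choice between a patch and compensating controls, can be made concrete in a short scoring routine. This is an added example for this review, not the Security+ material's method or any scanner's built-in scoring; the weights and thresholds are constructed assumptions to be tuned per environment, and the CVE identifiers are obvious placeholders rather than real entries. The three findings reproduce the scenarios of Question 3 (isolated dev server, CVSS 9.8) and Question 10 (critical finding with no vendor patch).

```python
"""Risk-based vulnerability prioritisation: CVSS scaled by business context.
Added example; weights, thresholds and findings are constructed."""

from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    cve: str               # placeholder identifiers below, not real CVE numbers
    cvss: float            # CVSS base score, 0.0-10.0
    exposure: str          # "internet", "internal" or "isolated"
    data_sensitivity: str  # "high", "medium" or "none"
    patch_available: bool


# Context multipliers (constructed; tune to your environment).
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.7, "isolated": 0.3}
SENSITIVITY_WEIGHT = {"high": 1.0, "medium": 0.7, "none": 0.4}


def risk_score(f):
    """CVSS scaled by exposure and data sensitivity, still on a 0-10 scale."""
    return round(f.cvss * EXPOSURE_WEIGHT[f.exposure] * SENSITIVITY_WEIGHT[f.data_sensitivity], 2)


def priority(score):
    """Map the contextual score to a remediation tier (thresholds are assumptions)."""
    if score >= 7.0:
        return "P1-emergency"
    if score >= 4.0:
        return "P2-scheduled"
    return "P3-routine"


def remediation(f):
    """Patch when a fix exists; otherwise compensating controls until the vendor ships one."""
    if f.patch_available:
        return "patch"
    return "compensating controls (segmentation, access restriction, enhanced monitoring) until vendor patch"


def prioritize(findings):
    """Return (score, priority, action, finding) tuples, highest risk first."""
    rows = [(risk_score(f), priority(risk_score(f)), remediation(f), f) for f in findings]
    return sorted(rows, key=lambda r: r[0], reverse=True)


# Constructed findings; CVE-XXXX-* are placeholders, not real identifiers.
FINDINGS = [
    Finding("dev-build-01", "CVE-XXXX-0001", 9.8, "isolated", "none", True),   # Question 3 scenario
    Finding("web-prod-01", "CVE-XXXX-0002", 7.5, "internet", "high", True),
    Finding("erp-app-01", "CVE-XXXX-0003", 8.1, "internal", "high", False),    # Question 10 scenario
]

if __name__ == "__main__":
    for score, tier, action, f in prioritize(FINDINGS):
        print(f"{tier:13} {score:5} {f.host:13} cvss={f.cvss} -> {action}")
```

Note that the isolated dev server with the highest raw CVSS lands at the bottom of the queue, while an internet-facing production host with a lower CVSS is the emergency. Whatever the tier, every finding still gets a remediation action and a later rescan to verify it.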
Section A Decision Pattern
When unsure in Domain 4 Section A:
- Start with the secure baseline — was the system hardened before deployment?
- Check for configuration drift when systems behave unexpectedly.
- Apply MDM controls for mobile and BYOD scenarios.
- Verify the asset inventory before assessing vulnerabilities.
- Follow the vulnerability management lifecycle: discover, assess, prioritize, remediate, verify.
Section A – Practice Questions
Question 1
A new server is deployed with default credentials and unnecessary services running. What security practice was skipped?
A. System hardening
B. Vulnerability scanning
C. Penetration testing
D. Incident response
Answer & reasoning
Correct: A
System hardening includes removing unnecessary services, changing default credentials, and applying secure configurations before deployment. A server deployed with defaults has not been hardened.
Question 2
An employee connects to a wireless network at a coffee shop that has the same SSID as the corporate guest network. The employee unknowingly transmits credentials to the attacker. What type of attack is this?
A. Rogue access point
B. Evil twin
C. Bluetooth hijacking
D. War driving
Answer & reasoning
Correct: B
An evil twin is a malicious access point that mimics a legitimate network's SSID to trick users into connecting. Once connected, the attacker can intercept credentials and other traffic. This is distinct from a rogue access point, which is unauthorized but not necessarily impersonating a legitimate network.
Question 3
A vulnerability scan reports a critical finding with a CVSS score of 9.8 on a development server that contains no sensitive data and is isolated from production. How should this be prioritized?
A. Immediate emergency patching
B. Decommission the server immediately
C. Lower priority due to limited business impact despite high CVSS
D. Ignore because it is a development server
Answer & reasoning
Correct: C
Vulnerability prioritization considers both the CVSS score and the business context. An isolated development server with no sensitive data has lower business impact than a production system. The vulnerability should still be remediated, but it does not require emergency action.
Question 4
A company implements a BYOD policy. An employee's personal phone is lost and contains corporate email and contacts. What MDM capability should be invoked?
A. Full-disk encryption
B. Geofencing
C. Application whitelisting
D. Remote wipe
Answer & reasoning
Correct: D
Remote wipe erases data on a lost or stolen device to prevent unauthorized access to corporate data. This is a core MDM capability for BYOD environments. Full-disk encryption protects data at rest but does not help if the device is physically compromised.
Question 5
During a quarterly review, the IT team discovers 23 workstations that are not in the asset inventory. These machines were purchased directly by a department without IT involvement. What is this an example of?
A. Shadow IT
B. Configuration drift
C. VM sprawl
D. Asset depreciation
Answer & reasoning
Correct: A
Shadow IT occurs when technology is deployed without the knowledge or approval of the IT department. These unmanaged assets bypass security controls, patching procedures, and monitoring, creating unknown risk.
Question 6
A security team completes vulnerability remediation on 50 servers. What is the NEXT step in the vulnerability management lifecycle?
A. Generate a compliance report
B. Rescan to verify remediation was effective
C. Notify executive leadership
D. Update the incident response plan
Answer & reasoning
Correct: B
After remediation, the next step is verification — rescanning the systems to confirm the vulnerabilities have been successfully addressed. Without verification, there is no assurance that patching was effective or that the fix did not introduce new issues.
Question 7
A company is decommissioning servers that stored classified government data. Which data sanitization method provides the HIGHEST assurance?
A. Deleting files and emptying the recycle bin
B. Reformatting the hard drives
C. Physical destruction of the storage media
D. Using a standard file shredding utility
Answer & reasoning
Correct: C
Physical destruction (shredding, incineration, or degaussing) provides the highest assurance that data cannot be recovered. File deletion, reformatting, and standard shredding utilities may leave recoverable data on the media. For classified data, physical destruction is typically required.
Question 8
A wireless network audit reveals that several access points are still using WEP encryption. What is the MOST appropriate action?
A. Add MAC filtering for additional security
B. Hide the SSID to prevent discovery
C. Upgrade immediately to WPA2 or WPA3
D. Reduce the wireless signal strength
Answer & reasoning
Correct: C
WEP is fundamentally broken and can be cracked in minutes. No compensating control (MAC filtering, hidden SSID, reduced power) makes WEP acceptable. The only appropriate action is upgrading to WPA2 or WPA3, which use strong encryption algorithms.
Question 9
An automated configuration management tool detects that a production web server's firewall rules have changed from the documented baseline. What has occurred?
A. A successful penetration test
B. Normal system aging
C. A DDoS attack
D. Configuration drift
Answer & reasoning
Correct: D
Configuration drift occurs when a system's configuration deviates from the documented baseline. This could be caused by manual changes, unauthorized modifications, or failed updates. The deviation must be investigated and the system returned to baseline or the baseline formally updated.
Question 10
A vulnerability scan identifies a critical vulnerability in a third-party application. The vendor has not released a patch. What is the BEST interim action?
A. Implement compensating controls to reduce the risk
B. Wait for the vendor to release a patch
C. Remove the application from all systems
D. Ignore the finding until a patch is available
Answer & reasoning
Correct: A
When a patch is not available, compensating controls (network segmentation, WAF rules, access restrictions, enhanced monitoring) reduce the risk until a permanent fix is released. Waiting or ignoring leaves the vulnerability exposed. Removing the application may not be feasible if it is business-critical.