- (Exam Topic 4)
A company is expanding its threat surface program and allowing individuals to security test the company's internet-facing application. The company will compensate researchers based on the vulnerabilities discovered. Which of the following best describes the program the company is setting up?

1. A. Open-source intelligence
2. B. Bug bounty
3. C. Red team
4. D. Penetration testing

Correct Answer: B
A program that allows individuals to security test the company’s internet-facing application and compensates researchers based on the vulnerabilities discovered is best described as a bug bounty program. A bug bounty program is an incentive-based program that rewards ethical hackers for finding and reporting security flaws in software or systems6.

- (Exam Topic 1)
A backdoor was detected on the containerized application environment. The investigation detected that a zero-day vulnerability was introduced when the latest container image version was downloaded from a public registry. Which of the following is the BEST solution to prevent this type of incident from occurring again?

1. A. Enforce the use of a controlled trusted source of container images
2. B. Deploy an IPS solution capable of detecting signatures of attacks targeting containers
3. C. Define a vulnerability scan to assess container images before being introduced on the environment
4. D. Create a dedicated VPC for the containerized environment

Correct Answer: A
Enforcing the use of a controlled trusted source of container images is the best solution to prevent incidents like the introduction of a zero-day vulnerability through container images from occurring again. References: CompTIA Security+ Study Guide by Emmett Dulaney, Chapter 11: Cloud Security, Container Security

- (Exam Topic 4)
An organization is having difficulty correlating events from its individual AV. EDR. DLP. SWG. WAF, MDM. HIPS, and CASB systems. Which of the following is the best way to improve the situation?

1. A. Remove expensive systems that generate few alerts.
2. B. Modify the systems to alert only on critical issues.
3. C. Utilize a SIEM to centralize logs and dashboards.
4. D. Implement a new syslog/NetFlow appliance.

Correct Answer: C
A SIEM (Security Information and Event Management) is a system that collects, analyzes, and correlates data from multiple sources, such as AV (antivirus), EDR (endpoint detection and response), DLP (data loss prevention), SWG (secure web gateway), WAF (web application firewall), MDM (mobile device management), HIPS (host intrusion prevention system), and CASB (cloud access security broker). A SIEM can help improve the situation by providing a centralized view of the security posture, alerts, and incidents across the organization.

- (Exam Topic 2)
A security administrator needs to block a TCP connection using the corporate firewall, Because this connection is potentially a threat. the administrator not want to back an RST Which of the following actions in rule would work best?

1. A. Drop
2. B. Reject
3. C. Log alert
4. D. Permit

Correct Answer: A
the difference between drop and reject in firewall is that the drop target sends nothing to the source, while the reject target sends a reject response to the source. This can affect how the source handles the connection attempt and how fast the port scanning is. In this context, a human might say that the best action to block a TCP connection using the corporate firewall is A. Drop, because it does not send back an RST packet and it may slow down the port scanning and protect against DoS attacks.

- (Exam Topic 1)
Which of the following is a cryptographic concept that operates on a fixed length of bits?

1. A. Block cipher
2. B. Hashing
3. C. Key stretching
4. D. Salting

Correct Answer: A
Single-key or symmetric-key encryption algorithms create a fixed length of bits known as a block cipher with a secret key that the creator/sender uses to encipher data (encryption) and the receiver uses to decipher it.