AP Cybersecurity Unit 3 Exam
Unit 3 Exam: Securing Networks
20 questions • All 6 lessons • Predict before you click
🎓 Exam Overview
- 20 MCQ — 4 options each, one correct
- Topics: Network fundamentals, attacks, firewalls, segmentation, IDS/IPS/SIEM, secure protocols
- Format: Matches AP Cybersecurity exam style — scenario-based, predict-first
- Strategy: Predict the answer before reading options. Eliminate obviously wrong distractors first.
1. A Vantex analyst identifies that port 23 is open on a critical server. Which action reflects BOTH attack surface reduction AND the principle of least privilege?
- Configure Telnet to require a stronger password
- Close port 23 entirely and use SSH (port 22) with key-pair authentication instead
- Move the server to the DMZ where Telnet is more appropriate
- Add a firewall rule permitting only the admin subnet to use port 23
2. At which OSI layer does a switch make forwarding decisions based on MAC address tables?
- Layer 1 (Physical)
- Layer 2 (Data Link)
- Layer 3 (Network)
- Layer 4 (Transport)
3. Vantex runs a port scan on a newly deployed server and finds 14 open ports. After hardening, only 3 remain. A junior analyst says ‘closing those ports just makes things less convenient.’ Which rebuttal is MOST accurate?
- The analyst is correct — open ports do not contribute to risk unless they have known CVEs
- Each open port is a potential entry point for attack; 11 fewer ports means 11 fewer attack vectors to monitor, patch, and defend
- Closing ports only reduces risk if the closed services had known vulnerabilities
- Port hardening only matters for internet-facing servers, not internal systems
4. Vantex detects that all traffic from Finance workstations is routing through an unknown device before reaching the gateway. What is the most likely attack, and what is its primary CIA impact?
- DNS spoofing — targeting Availability
- DDoS — targeting Availability
- ARP poisoning enabling MitM — primarily targeting Confidentiality of intercepted traffic
- Packet sniffing — targeting Integrity of routing tables
5. A SYN flood sends thousands of TCP SYN packets to Vantex's web server without completing the handshake. The server runs out of memory for half-open connections. This attack PRIMARILY targets:
- Confidentiality — the attacker reads SYN packet contents
- Integrity — the SYN packets corrupt the TCP state table permanently
- Availability — the server cannot serve legitimate users when connection tables are exhausted
- Authentication — SYN packets bypass login controls
6. Which combination of controls BEST prevents both ARP poisoning and DNS spoofing on Vantex's internal network?
- Stateful firewall + IDS
- Dynamic ARP Inspection (DAI) on switches + DNSSEC validation on DNS resolver
- HTTPS everywhere + WPA3 on Wi-Fi
- Port-based ACLs + packet filtering
7. A firewall ACL has these rules in order: (1) Permit TCP any to 10.0.1.5 port 443. (2) Deny TCP 10.20.0.0/16 to 10.0.1.5. (3) Deny all. A host at 10.20.5.10 tries to connect to port 443 on 10.0.1.5. What happens?
- Rule 2 denies it because the source is in 10.20.0.0/16
- Rule 1 permits it because rule 1 matches first and first-match wins
- Rule 3 denies it as the default
- Rules 1 and 2 conflict, so traffic is permitted by default
8. Vantex's DMZ web server is compromised. The attacker tries to pivot to the internal HR database (192.168.10.50). Which DMZ design principle DIRECTLY limits this lateral movement?
- The DMZ web server uses HTTPS which prevents internal connections
- The firewall between DMZ and internal network denies all traffic initiated from the DMZ to the internal network
- The web server's antivirus detects and blocks internal connection attempts
- The HR database's password prevents unauthorized access from the DMZ
9. Vantex creates Finance (VLAN 10) and Guest (VLAN 20) on the same switch but does not configure inter-VLAN routing. A guest device tries to access a Finance server. What prevents this?
- The Finance server's firewall blocks guest IPs
- VLANs are isolated broadcast domains — without inter-VLAN routing, the guest device cannot communicate with any device outside VLAN 20
- The switch physically blocks cross-VLAN cables
- The guest device does not have a DNS entry for the Finance server
10. Micro-segmentation is deployed at Vantex such that each server is in its own security zone with default-deny rules. An attacker who compromises the Payments server attempts to access the HR database. Which statement is TRUE?
- The attacker can pivot freely since both servers are on the internal network
- The attacker is blocked unless there is an explicit firewall rule permitting Payments-to-HR traffic
- Micro-segmentation only restricts external connections, not internal server-to-server traffic
- The HR database's own authentication prevents the pivot
11. Vantex's IPS blocks a large batch of legitimate database queries, causing a finance report to fail. Investigation shows the queries matched an anomaly rule (5x normal volume due to quarter-end processing). This is a:
- True positive — the database was under attack during quarter-end
- False negative — the IPS missed the real attack
- False positive — the IPS blocked legitimate traffic based on anomaly detection
- True negative — no attack occurred and the IPS correctly allowed the traffic
12. Vantex's SIEM correlates these events across 3 hours: 200 unique user accounts with 1 failed login each, all from IP 198.51.100.100. No single-account threshold is exceeded. Which rule would have caught this?
- Per-account threshold: alert on 5+ failed logins per account in 5 minutes
- Aggregate rule: alert if a single source IP attempts authentication on more than 20 distinct accounts within 1 hour
- Anomaly rule: alert if any user logs in from a new country
- Signature rule: alert on known SQL injection strings in login requests
13. An IDS generates an alert on real malware C2 traffic from a compromised Vantex workstation. The SOC analyst investigates 2 hours later. Which limitation does this scenario illustrate compared to an IPS?
- The IDS signature was outdated and should have caught the traffic earlier
- IDS is passive — it alerts but does not block. An IPS would have dropped the C2 traffic automatically at the moment of detection, limiting exfiltration time to near zero
- The SIEM should have correlated the alert faster
- IDS cannot detect C2 traffic — only IPS can identify it
14. Vantex switches from HTTP to HTTPS for all internal web applications. A colleague says ‘HTTPS means the sites are safe.’ Which precise correction is MOST accurate?
- HTTPS means the site's content has been verified as safe by the CA
- HTTPS encrypts the connection between client and server and authenticates the server — it does not guarantee the site's content is benign or that the server is not malicious
- HTTPS prevents all forms of MitM attack including ARP poisoning
- HTTPS is only needed for sites handling passwords, not all internal applications
15. Vantex uses site-to-site VPN between HQ and a branch office. The VPN uses IKEv1 and 3DES. What upgrade is MOST appropriate and why?
- Upgrade to IKEv2 with AES-256-GCM — IKEv1 has known vulnerabilities and 3DES is deprecated
- Downgrade to IPsec transport mode — it is simpler than IKEv1 tunnel mode
- Add a second VPN tunnel for redundancy — 3DES is secure enough with two tunnels
- Enable split tunneling — it reduces the load on the 3DES cipher
16. DNSSEC is configured on Vantex's domain. An employee's resolver validates DNSSEC. Which attack does this DIRECTLY prevent, and which does it NOT prevent?
- Prevents: DNS query interception (privacy). Does NOT prevent: DNS cache poisoning
- Prevents: DNS cache poisoning (forged responses are rejected). Does NOT prevent: an attacker reading which domains employees query
- Prevents: DDoS against Vantex's DNS servers. Does NOT prevent: DNS spoofing
- Prevents: Telnet-based DNS manipulation. Does NOT prevent: HTTPS certificate errors
17. A Vantex admin stores SSH private keys on their laptop without a passphrase. The laptop is stolen. What is the IMMEDIATE security impact?
- No impact — SSH private keys are encrypted by the operating system by default
- The attacker has immediate access to all servers the admin could reach via SSH, without needing any additional credentials
- The attacker must still brute-force the SSH server's password even with the private key
- The SSH server will detect and reject keys used from a new device automatically
18. Vantex implements the following controls: VLAN segmentation (Lesson 4), stateful firewall with default-deny (Lesson 3), IPS in the DMZ (Lesson 5), HTTPS everywhere (Lesson 6). An attacker breaches the DMZ web server via a zero-day. Which control MOST limits the blast radius?
- HTTPS — prevents the attacker from reading intercepted traffic after breaching the server
- The stateful firewall with default-deny blocking all DMZ-to-internal traffic
- The IPS — it blocks the C2 traffic once the zero-day signature is published
- VLAN segmentation — the web server VLAN is isolated from all other VLANs
19. A Vantex employee on Guest Wi-Fi (VLAN 20) launches an ARP poisoning attack to intercept Finance VLAN (VLAN 10) traffic. Which combination of controls prevents this attack?
- HTTPS on all Finance applications + DNSSEC
- Dynamic ARP Inspection on VLAN 20 + inter-VLAN firewall denying VLAN 20 to VLAN 10 + DAI on Finance VLAN
- IDS monitoring + employee security training
- Port scanning + default-deny firewall rule
20. After completing a Unit 3 security review, Vantex's CISO asks: ‘Which single action provides the broadest improvement to Vantex's network security posture?’ Given all Unit 3 topics, which answer is MOST defensible?
- Replace all HTTP with HTTPS — encrypting traffic addresses the widest range of attacks
- Implement a default-deny firewall policy with properly scoped rules — it enforces least privilege on all network traffic flows, reducing attack surface across all network zones simultaneously
- Deploy an IPS in front of every server
- Enable DNSSEC on the primary domain