CompTIA Certification

CS0-003 — CySA+ Study Guide

62 practice questions with correct answers and detailed explanations. Use this guide to review concepts before taking the practice exam.


About the CS0-003 Exam

The CompTIA CySA+ (CS0-003) certification validates professional expertise in CompTIA technologies. This study guide covers all 62 practice questions from our CS0-003 practice test, complete with correct answers and explanations to help you understand each concept thoroughly.

Review each question and explanation below, then test yourself with the full interactive practice exam to measure your readiness.

62 Practice Questions & Answers

Q1 Medium

A security analyst is reviewing network traffic and notices unusual outbound connections to multiple IP addresses on port 443 with very short connection durations. Which of the following is the most likely explanation?

  • A Routine DNS resolution failures being retried over HTTPS
  • B A data exfiltration attempt using encrypted tunnels ✓ Correct
  • C A port scanning activity probing for open HTTPS services
  • D Normal SSL/TLS certificate validation checks across multiple servers
Explanation

Numerous short connections to different IPs on port 443 with quick disconnections are characteristic of data exfiltration malware testing multiple command-and-control servers or data staging endpoints.

Q2 Medium

During a vulnerability assessment, an analyst discovers that a web application is vulnerable to XXE (XML External Entity) injection. What is the primary risk associated with this vulnerability?

  • A Unauthorized file system access and potential information disclosure ✓ Correct
  • B Loss of session tokens through cross-site scripting attacks
  • C Denial of service through resource exhaustion only
  • D SQL injection leading to database compromise
Explanation

XXE vulnerabilities allow attackers to read arbitrary files from the server, access internal network resources, and perform SSRF attacks by exploiting how XML parsers process external entity definitions.

Q3 Medium

A company implements a Web Application Firewall (WAF) and wants to establish a baseline for normal traffic patterns. Which metric should the security team prioritize when tuning WAF rules to minimize false positives?

  • A The geographic distribution of incoming traffic sources
  • B The number of blocked requests per hour
  • C The average response time for all processed requests
  • D The ratio of legitimate requests flagged versus actual malicious requests identified ✓ Correct
Explanation

The false positive rate (legitimate traffic incorrectly blocked) versus true positive rate is critical for WAF tuning, as excessive false positives disrupt legitimate users while insufficient blocking leaves vulnerabilities exposed.

Q4 Medium

An organization detects a rootkit on a critical production server. Which of the following actions should be prioritized FIRST in the incident response process?

  • A Perform a full disk image and memory dump for forensic analysis before any remediation
  • B Immediately disconnect the server from the network to prevent lateral movement ✓ Correct
  • C Attempt to remove the rootkit using antivirus software while the system remains online
  • D Restore the server from the most recent backup available
Explanation

Isolating the compromised system immediately prevents the rootkit from spreading to other network resources, which is the paramount concern before any remediation or analysis activities begin.

Q5 Easy

A penetration tester discovers that a target application accepts user input and passes it directly to a database query without parameterization. What vulnerability does this represent, and what is the primary risk?

  • A LDAP Injection; authentication bypass and directory enumeration
  • B Cross-Site Request Forgery; unauthorized state-changing actions
  • C SQL Injection; unauthorized data access, modification, or deletion ✓ Correct
  • D Command Injection; remote code execution on the application server
Explanation

Unparameterized queries that incorporate user input directly allow SQL Injection attacks where attackers can manipulate SQL statements to access, modify, or delete database records.

Q6 Medium

During threat modeling, an analyst identifies that an application stores sensitive data in client-side JavaScript variables. Which attack vector is most likely to exploit this vulnerability?

  • A Brute force attack against weak encryption algorithms
  • B Privilege escalation through kernel vulnerabilities
  • C Man-in-the-Middle attack compromising the HTTPS connection
  • D Cross-Site Scripting (XSS) attack extracting data from browser memory ✓ Correct
Explanation

Client-side JavaScript is visible in the page source and accessible to any script running in the same browser context, making XSS attacks the primary vector to access sensitive data stored in JavaScript variables.

Q7 Easy

A security analyst is tasked with reducing the attack surface of a multi-tier application. Which approach best aligns with the principle of least privilege?

  • A Granting all developers full administrative access to accelerate development cycles
  • B Disabling all security features to improve application performance
  • C Allowing all services to communicate freely on any port within the internal network
  • D Implementing role-based access control with minimal required permissions for each user role ✓ Correct
Explanation

Least privilege requires that users and services have only the minimum permissions necessary to perform their functions, which is achieved through well-designed RBAC policies.

Q8 Medium

An organization experiences a data breach where credentials were exfiltrated. The attacker used these credentials to access systems weeks later. Which security control would have most effectively prevented the lateral movement phase of this attack?

  • A Network segmentation and access controls between different security zones ✓ Correct
  • B Multi-factor authentication on all systems and applications
  • C Mandatory password changes every 30 days
  • D Regular security awareness training for all employees
Explanation

Network segmentation prevents compromised credentials from being immediately useful across the entire infrastructure by restricting access between security zones, limiting the scope of lateral movement even with valid credentials.

Q9 Easy

While performing log analysis, an analyst notices multiple failed login attempts followed by a successful login from the same source IP within seconds. What type of attack does this pattern indicate?

  • A Insider threat attempting to cover tracks through log manipulation
  • B Man-in-the-Middle attack intercepting authentication tokens
  • C Distributed Denial of Service attack targeting authentication services
  • D Credential stuffing or brute force attack with successful compromise ✓ Correct
Explanation

The pattern of multiple failed attempts immediately followed by a successful login from the same source is characteristic of brute force or credential stuffing attacks where the attacker finally guesses or uses a valid credential.

Q10 Medium

A vulnerability scanner reports a service running on a non-standard port with an outdated SSL/TLS version. During remediation, the security team discovers the service cannot be updated. What is the most appropriate compensating control?

  • A Restrict network access to this service through firewall rules and network segmentation ✓ Correct
  • B Implement additional encryption at the application layer to compensate
  • C Disable TLS certificate validation on the client side to reduce compatibility issues
  • D Configure the service to use HTTP instead of HTTPS for better performance
Explanation

When a vulnerable service cannot be patched, restricting access through firewall rules and network segmentation limits the potential attackers who can reach and exploit the service, providing an effective compensating control.

Q11 Medium

An analyst reviews firewall logs and sees a sudden spike in DNS queries to unusual domains with suspicious characteristics. What is the next step in the incident response process?

  • A Investigate which internal systems originated these queries and determine if malware is present ✓ Correct
  • B Contact the domain registrar to take down the suspicious domains immediately
  • C Document the findings and schedule a security review meeting for next week
  • D Immediately block all DNS traffic to prevent further data exfiltration
Explanation

The priority is to identify which internal systems are compromised and understand the scope of the incident before taking any blocking actions, ensuring a comprehensive response.

Q12 Medium

A company wants to implement a Zero Trust security model. Which of the following architectural principles is fundamental to Zero Trust?

  • A Assuming breach and verifying every access request regardless of source or location ✓ Correct
  • B Trusting all traffic on the internal network while blocking external traffic at the perimeter
  • C Allowing users full network access after initial authentication
  • D Implementing strong passwords as the primary security control
Explanation

Zero Trust architecture is built on the principle that no access should be automatically trusted; every access request must be verified through continuous authentication and authorization checks.

Q13 Easy

During a security assessment, an analyst identifies that the organization uses hardcoded credentials in configuration files stored in a code repository. What is the primary risk of this practice?

  • A The application will not function correctly in production environments
  • B Credentials can be compromised if the repository is breached or accessed by unauthorized personnel ✓ Correct
  • C Compliance audits cannot verify the security of the application
  • D Developers cannot collaborate effectively on the codebase
Explanation

Hardcoded credentials in repositories are easily exposed through accidental commits, repository breaches, or insider access, allowing attackers to compromise multiple systems with valid credentials.

Q14 Hard

A security analyst is reviewing process execution logs and notices a legitimate application spawning unusual child processes with system-level privileges. What does this behavior suggest?

  • A Normal application behavior requiring elevated privileges for specific functions
  • B A scheduled task running maintenance operations as expected
  • C User error in attempting to run administrative commands
  • D Potential process injection or privilege escalation exploit being leveraged against the application ✓ Correct
Explanation

A legitimate application unexpectedly spawning child processes with elevated privileges is a strong indicator of process injection or exploitation, as legitimate applications typically run with only required privileges.

Q15 Medium

An organization implements endpoint detection and response (EDR) technology. Which of the following is a primary advantage of EDR over traditional antivirus solutions?

  • A EDR provides behavioral analysis and threat hunting capabilities to detect evasive malware ✓ Correct
  • B EDR prevents all malware infections with 100% certainty without false positives
  • C EDR eliminates the need for network monitoring and firewall controls
  • D EDR is significantly less expensive to deploy and maintain across the organization
Explanation

EDR solutions detect threats through behavioral analysis, process monitoring, and threat hunting rather than signature-based detection alone, enabling detection of novel and evasive malware that traditional antivirus may miss.

Q16 Medium

While analyzing a security incident, an investigator discovers that the attacker gained initial access through a phishing email with a malicious attachment. What is the most effective control to prevent this attack vector in the future?

  • A Implement advanced email filtering and sandboxing of attachments before delivery ✓ Correct
  • B Require all employees to use the same antivirus software on their systems
  • C Disable email functionality for all non-essential personnel
  • D Monitor all employee emails for suspicious keywords and phrases automatically
Explanation

Advanced email filtering with sandboxing detects malicious attachments by analyzing them in an isolated environment before they reach users, preventing the initial compromise vector.

Q17 Hard

A penetration tester uses a tool to intercept and modify HTTPS traffic from a client to a web server. Which of the following conditions would allow this attack to succeed?

  • A The server uses an outdated but still valid SSL/TLS certificate
  • B The client has a compromised or malicious certificate authority installed in its trust store ✓ Correct
  • C The user enables HSTS (HTTP Strict Transport Security) headers
  • D The server implements perfect forward secrecy (PFS) in its TLS configuration
Explanation

A man-in-the-middle attack on HTTPS requires the attacker to present a certificate that the client trusts; if a malicious CA certificate is installed in the client's trust store, the attacker can forge certificates for any domain.

Q18 Medium

An organization's intrusion detection system (IDS) generates a high volume of alerts daily, but the security team determines that most are false positives. What is the best approach to improve the situation?

  • A Replace the IDS with a more expensive commercial solution that guarantees zero false positives
  • B Tune IDS rules based on normal network baselines to reduce false positives while maintaining detection sensitivity ✓ Correct
  • C Disable the IDS entirely to eliminate false positive alerts and reduce noise
  • D Lower the alert threshold to increase detection sensitivity regardless of false positive rates
Explanation

Tuning IDS rules against a baseline of normal network behavior reduces false positives while maintaining the ability to detect actual threats, improving the signal-to-noise ratio for security analysts.

Q19 Hard

During a vulnerability assessment, a penetration tester discovers that a web application reflects user input back in HTTP response headers without sanitization. What vulnerability could this enable?

  • A HTTP Response Splitting or Header Injection attacks allowing cache poisoning or session fixation ✓ Correct
  • B Privilege escalation to administrative accounts
  • C SQL Injection attacks directly compromising the database
  • D Denial of service through resource exhaustion
Explanation

Unsanitized user input in HTTP response headers can allow attackers to inject additional headers or split responses, enabling attacks like cache poisoning, session fixation, or XSS through header injection.

Q20 Medium

A security analyst is implementing a vulnerability management program. Which of the following metrics should be used to prioritize remediation efforts?

  • A Number of days since each vulnerability was discovered in the scan
  • B The total number of vulnerabilities on each asset regardless of severity
  • C The specific version number of the vulnerable software component
  • D CVSS score combined with asset criticality and exploitability in the wild ✓ Correct
Explanation

Effective prioritization combines vulnerability severity (CVSS score), asset importance (criticality), and threat intelligence (active exploitation) to focus remediation on the most impactful vulnerabilities.

Q21 Medium

An organization discovers that an employee accidentally shared sensitive data in a public GitHub repository. Which immediate action would best limit potential damage?

  • A Notify all customers that a data breach has occurred
  • B Immediately revoke any credentials or keys that were exposed in the repository ✓ Correct
  • C Delete the employee's GitHub account to prevent further incidents
  • D Monitor the repository for any evidence of the data being accessed
Explanation

Revoking compromised credentials immediately prevents attackers from using exposed API keys, passwords, or authentication tokens to access systems, limiting the window of exploitation.

Q22 Easy

A security team is evaluating cloud security posture management (CSPM) tools. What is the primary benefit of CSPM in a cloud environment?

  • A CSPM eliminates the need for user authentication and access controls
  • B CSPM continuously monitors cloud infrastructure for misconfigurations and compliance violations ✓ Correct
  • C CSPM prevents all cloud-based data breaches through encryption
  • D CSPM replaces the need for traditional firewalls and network segmentation controls
Explanation

CSPM tools continuously scan cloud infrastructure configurations against security benchmarks and compliance standards, identifying misconfigurations before they can be exploited.

Q23 Medium

While investigating a suspected insider threat, an analyst reviews file access logs and observes an employee accessing files outside their normal job responsibilities before copying them to external storage. What is the most appropriate next step?

  • A Quietly monitor the employee indefinitely without informing anyone
  • B Alert management and initiate a formal investigation while preserving all evidence and monitoring the employee's activities ✓ Correct
  • C Assume it was a mistake and take no action
  • D Immediately fire the employee and escalate to law enforcement
Explanation

Suspicious data access requires immediate escalation to management and investigation while preserving evidence and continuing monitoring, but without premature action that could compromise a legal investigation.

Q24 Hard

A company implements certificate pinning in its mobile application to prevent man-in-the-middle attacks. Which of the following is a potential disadvantage of this approach?

  • A Certificate pinning is not supported by any modern mobile operating systems
  • B Certificate pinning increases the certificate renewal and replacement process complexity across all deployed instances of the application ✓ Correct
  • C Certificate pinning eliminates the need for other security controls in the application
  • D Certificate pinning prevents legitimate uses of proxies or monitoring tools
Explanation

Certificate pinning locks the application to specific certificates, making certificate renewal challenging; if the pinned certificate expires before the app is updated, users cannot connect until a new version of the app is released.

Q25 Medium

An analyst discovers that a legacy system cannot be patched due to vendor end-of-life constraints. The system processes non-sensitive operational data but is connected to the internal network. What is the most appropriate mitigation strategy?

  • A Immediately disconnect the system from all networks to eliminate risk completely
  • B Implement network segmentation to isolate the legacy system while maintaining necessary operational connectivity ✓ Correct
  • C Deploy additional antivirus agents to compensate for the unpatched vulnerabilities
  • D Increase monitoring and logging specifically for this system's network traffic and activities
Explanation

Network segmentation allows the legacy system to remain operational while limiting its access to only necessary resources and preventing it from being a pivot point for lateral movement if compromised.

Q26 Medium

A security analyst discovers that an attacker has been using a command and control (C2) server to exfiltrate data over several weeks. Which of the following should be the analyst's FIRST action?

  • A Contact law enforcement before taking any defensive measures
  • B Document current indicators of compromise (IOCs) and assess the scope of the breach ✓ Correct
  • C Shut down all affected systems to prevent further data loss
  • D Immediately block all traffic to the C2 server at the firewall
Explanation

Before taking reactive measures, analysts must first understand the scope and nature of the incident through evidence preservation and assessment. This ensures effective containment and enables proper forensic analysis.

Q27 Easy

Which of the following best describes the purpose of threat modeling during the secure development lifecycle?

  • A To establish baseline metrics for measuring security team performance
  • B To identify potential security weaknesses before code is deployed to production ✓ Correct
  • C To determine the cost of implementing security controls in an application
  • D To create a list of all third-party vendors used by an organization
Explanation

Threat modeling is a proactive security practice used to identify and document potential threats and vulnerabilities in an application's design before implementation, enabling early mitigation.

Q28 Medium

An analyst reviews firewall logs and notices an unusual pattern: multiple failed authentication attempts from a single source IP followed by a successful login using valid credentials from a different geographic location within seconds. What is the MOST likely explanation?

  • A A man-in-the-middle (MITM) attack intercepting session tokens
  • B Normal user behavior where the user tried multiple passwords before succeeding
  • C A credential stuffing attack followed by account takeover ✓ Correct
  • D A distributed denial of service (DDoS) attack targeting the authentication service
Explanation

The pattern of multiple failed attempts from one IP followed by successful authentication from a different location suggests an attacker obtained valid credentials and successfully compromised the account.

Q29 Easy

Which vulnerability assessment technique involves running automated tools to scan systems for known vulnerabilities and configuration weaknesses?

  • A Penetration testing with manual exploitation attempts
  • B Physical security assessment
  • C Authenticated vulnerability scanning ✓ Correct
  • D Code review and static application security testing (SAST)
Explanation

Authenticated vulnerability scanning uses automated tools to identify known vulnerabilities and misconfigurations by scanning systems with valid credentials for deeper analysis.

Q30 Medium

A company experiences a security incident where ransomware encrypts critical files on a network share. During the forensic investigation, the analyst needs to determine the attack vector. Which of the following is the BEST place to begin investigating?

  • A Review Windows Event Logs and endpoint detection and response (EDR) tool logs for process execution and lateral movement patterns ✓ Correct
  • B Restore files from backup immediately to minimize business impact
  • C Check the file modification timestamps and ownership metadata on encrypted files
  • D Query the file access control lists (ACLs) to identify which users have permissions
Explanation

EDR logs and Windows Event Logs provide detailed records of process execution, network connections, and lateral movement that reveal how the ransomware was deployed and executed.

Q31 Easy

Which of the following best represents a zero-day vulnerability?

  • A A vulnerability that affects systems running outdated software that is no longer supported
  • B A previously unknown vulnerability for which no vendor patch exists and exploitation occurs in the wild ✓ Correct
  • C A vulnerability discovered internally by a company before public disclosure
  • D A vulnerability that has been publicly disclosed but no patch has been released yet
Explanation

A zero-day is a previously unknown vulnerability exploited by attackers before the vendor becomes aware or releases a patch, making it particularly dangerous.

Q32 Medium

An analyst is reviewing SIEM alerts and notices that a database administrator account performed multiple unusual activities: querying sensitive customer data outside normal business hours, exporting large datasets, and accessing systems they do not normally use. What is the MOST appropriate first response?

  • A Isolate the affected systems from the network and preserve logs for forensic analysis
  • B Increase monitoring on this user's account for the next 30 days before taking action
  • C Immediately terminate the user's employment and revoke all access credentials
  • D Interview the administrator to understand the business justification and collect details about the activities ✓ Correct
Explanation

Before assuming malicious intent, the analyst should first interview the user to determine if there was a legitimate business reason, as unusual activity can occur for authorized purposes.

Q33 Medium

During a security assessment, an analyst discovers that several servers are running outdated SSL/TLS versions that are vulnerable to known attacks. Which of the following is the BEST remediation approach?

  • A Document the vulnerability and schedule remediation for the next fiscal year
  • B Implement a web application firewall (WAF) to block SSL/TLS-based attacks
  • C Disable all SSL/TLS protocols and use only unencrypted HTTP connections
  • D Upgrade to the latest TLS 1.3 version and disable older versions such as TLS 1.0 and 1.1 ✓ Correct
Explanation

Upgrading to TLS 1.3 and disabling older versions is the industry best practice to eliminate known SSL/TLS vulnerabilities while maintaining secure encrypted communications.

Q34 Medium

Which of the following scenarios represents a FALSE POSITIVE in the context of security alerting?

  • A An alert fails to trigger when actual malicious activity occurs within the monitoring system
  • B An alert triggers multiple times for the same security event, creating duplicate notifications
  • C An alert correctly identifies an attempted SQL injection attack against a web application
  • D An alert is generated for suspicious network traffic, but upon investigation, the activity is identified as legitimate scheduled backup traffic ✓ Correct
Explanation

A false positive occurs when a security alert is triggered for legitimate activity rather than actual malicious behavior, wasting analyst time on investigation.

Q35 Medium

An organization uses certificate pinning in its mobile application to prevent man-in-the-middle attacks. Which statement BEST describes how certificate pinning enhances security?

  • A It restricts the mobile app to trust only specific SSL/TLS certificates or certificate chains for server connections ✓ Correct
  • B It encrypts all data transmitted between the mobile app and server using symmetric encryption algorithms
  • C It replaces traditional SSL/TLS with an alternative encryption protocol that is faster and more secure
  • D It prevents users from installing the mobile application on rooted or jailbroken devices
Explanation

Certificate pinning hardens security by binding the app to expect specific certificates, making it extremely difficult for attackers to intercept connections even with compromised certificate authorities.

Q36 Easy

Which of the following is the PRIMARY benefit of implementing a bug bounty program?

  • A To crowdsource vulnerability discovery from external researchers who may find issues the internal team missed ✓ Correct
  • B To eliminate all possible vulnerabilities before software release
  • C To transfer all liability for security vulnerabilities to external third parties
  • D To reduce the cost of hiring full-time security researchers within the organization
Explanation

Bug bounty programs leverage external security researchers to identify vulnerabilities that internal teams might miss, providing an additional layer of security validation.

Q37 Medium

An analyst is investigating a potential insider threat where an employee transferred sensitive intellectual property to a competitor. The employee had valid access credentials. Which of the following is the MOST important evidence to examine?

  • A The competitor's financial records to determine if they paid the employee for the information
  • B Data access logs, file transfer records, email communications, and USB device usage logs from the time of the suspected transfer ✓ Correct
  • C The employee's social media accounts and personal device information
  • D The employee's personnel file and performance review history
Explanation

Digital forensic evidence such as access logs, file transfers, and communications provides concrete proof of the data movement and is admissible in legal proceedings.

Q38 Easy

Which of the following best explains the difference between vulnerability scanning and penetration testing?

  • A Penetration testing must be performed quarterly while vulnerability scanning is only recommended annually
  • B Vulnerability scanning requires specialized credentials while penetration testing can be performed without any access to systems
  • C Penetration testing is cheaper and faster than vulnerability scanning because it uses only automated tools
  • D Vulnerability scanning identifies potential weaknesses using automated tools, while penetration testing involves manual exploitation attempts to assess impact ✓ Correct
Explanation

Scanning is automated identification of weaknesses; penetration testing goes further by attempting to exploit vulnerabilities to demonstrate real-world impact and exploit chains.

Q39 Medium

During incident response, an analyst determines that a compromised server has been used to launch attacks against other internal systems. What is the BEST next action regarding the compromised server?

  • A Restore the server from the most recent backup to resume normal operations
  • B Reimage the server immediately with the latest operating system and patches
  • C Isolate the server from the network while preserving its current state for forensic analysis ✓ Correct
  • D Leave the server running but implement network segmentation to contain the threat
Explanation

Isolating the compromised server while preserving its state allows forensic analysts to investigate the breach, determine the attack methodology, and ensure the backup is not also compromised before restoration.

Q40 Medium

An organization discovers that an external contractor's credentials were used to access systems containing regulated data. Which of the following is the MOST important control to prevent this in the future?

  • A Require all contractors to sign a non-disclosure agreement (NDA) annually
  • B Request contractors to change their passwords every 30 days
  • C Implement privileged access management (PAM) with time-limited access and multi-factor authentication for contractor accounts ✓ Correct
  • D Conduct background checks on all contractors before granting system access
Explanation

PAM with time-limited access, MFA, and strong monitoring provides technical controls that limit the window of exposure and require additional authentication factors even if credentials are compromised.

Q41 Easy

Which of the following describes the main purpose of security awareness training in an organization?

  • A To educate employees about security policies, risks, and their individual responsibilities to reduce human-related security incidents ✓ Correct
  • B To certify employees in cybersecurity best practices and make them eligible for security roles
  • C To replace the need for technical security controls such as firewalls and intrusion detection systems
  • D To fulfill compliance requirements for regulatory audits while having minimal impact on actual security posture
Explanation

Security awareness training aims to change employee behavior and understanding of security risks, significantly reducing incidents caused by human error, phishing, and social engineering.

Q42 Medium

An analyst reviewing network traffic notices suspicious DNS queries resolving to IP addresses associated with known malware command and control servers. The queries are originating from an internal workstation. What should the analyst do FIRST?

  • A Check the organization's DNS allowlist to see if these domains were approved by network operations
  • B Deploy antivirus updates to the workstation and monitor for additional suspicious activity
  • C Block all DNS requests from the workstation and escalate to the incident response team for isolation and forensics ✓ Correct
  • D Contact the workstation owner to determine if they authorized the DNS activity
Explanation

DNS queries to known malware C2 servers indicate a likely compromise. The workstation should be isolated immediately to prevent further damage while forensic analysis is conducted.

Q43 Medium

Which of the following is the BEST practice for managing security patches in a large enterprise environment?

  • A Test patches in a non-production environment, prioritize critical vulnerabilities, and implement a phased rollout with rollback procedures ✓ Correct
  • B Apply all security patches immediately upon release to eliminate vulnerabilities as quickly as possible
  • C Defer patching for at least 90 days to ensure stability and allow other organizations to report issues
  • D Patch only systems identified as vulnerable by annual penetration tests
Explanation

A phased approach with testing, prioritization, and rollback procedures balances the need for timely security updates with the risk of patch-induced outages in production systems.

Q44 Easy

An organization is implementing a data loss prevention (DLP) solution. Which of the following represents the PRIMARY benefit?

  • A It prevents users from accessing non-work-related websites during business hours
  • B It reduces the need for regular security audits and compliance assessments
  • C It monitors and blocks unauthorized transmission of sensitive data outside the organization ✓ Correct
  • D It encrypts all data stored on employee workstations to prevent physical theft
Explanation

DLP solutions identify sensitive data in transit and block unauthorized exfiltration attempts, protecting against data loss through email, cloud uploads, removable media, and other channels.

Q45 Medium

During a security incident, an analyst needs to determine when a file was first created and when it was last modified. Which of the following artifacts would provide this information?

  • A The email server logs showing when the file was sent as an attachment
  • B The Windows Registry entries associated with recently opened files and shortcuts
  • C The antivirus quarantine logs showing when the file was detected as malicious
  • D The file's MAC times (Modification, Access, and Change times) stored in the file system metadata ✓ Correct
Explanation

File system MAC times provide definitive timestamps for file creation, modification, and metadata changes, making them critical artifacts in forensic investigations.

Q46 Easy

Which of the following best describes the purpose of a threat intelligence feed in a security operations center?

  • A To notify employees about new security policies and required training courses
  • B To provide real-time information about emerging threats, known malware signatures, and IOCs that can be used to enhance detection and response capabilities ✓ Correct
  • C To provide detailed vulnerability reports for every software product in the organization
  • D To eliminate the need for manual security monitoring by automatically blocking all suspicious network traffic
Explanation

Threat intelligence feeds deliver actionable information about current threats and IOCs that help security teams detect and respond to incidents more effectively and rapidly.

Q47 Medium

An analyst discovers that a company's web application is vulnerable to reflected cross-site scripting (XSS). Which of the following is the MOST effective remediation?

  • A Advise users to disable JavaScript in their browsers to prevent XSS attacks
  • B Implement a web application firewall (WAF) rule that blocks requests containing script tags
  • C Update the application code to properly validate, filter, and encode user input before displaying it in responses ✓ Correct
  • D Disable JavaScript functionality in the web application to prevent script execution
Explanation

Proper input validation, filtering, and output encoding at the application level is the correct fix for XSS vulnerabilities, as it prevents malicious scripts from executing in user browsers.

Q48 Medium

Which of the following statements is true regarding security metrics and key performance indicators (KPIs)?

  • A They should measure the effectiveness of security controls and track trends in incidents, vulnerabilities, and risk reduction over time ✓ Correct
  • B They eliminate the need for regular security risk assessments by providing complete visibility into organizational risk
  • C They are only relevant for large enterprises and are not applicable to small organizations
  • D They are primarily used to justify larger cybersecurity budgets to executive leadership
Explanation

Security metrics and KPIs should provide meaningful measurement of control effectiveness and risk trends, enabling data-driven decisions about security investments and priorities.

Q49 Hard

During a forensic investigation of a suspected data breach, the analyst discovers that the system's audit logs have been deleted. Which of the following is the BEST approach to reconstruct what occurred?

  • A Assume the investigation cannot proceed and document the incident as inconclusive
  • B Examine alternative evidence sources such as application logs, email records, network traffic captures, file system journals, and EDR tool logs ✓ Correct
  • C Contact the operating system vendor to request backup copies of deleted audit logs
  • D Restore the entire system from backup to recover the deleted audit logs
Explanation

While the primary audit logs are gone, multiple alternative evidence sources can reconstruct the timeline and activities, including application logs, email, network data, and EDR solutions.

Q50 Medium

An organization implements endpoint detection and response (EDR) software on all workstations. Which of the following is a primary advantage of this approach?

  • A It enables visibility into endpoint processes, behavioral analysis, and rapid threat hunting across the organization ✓ Correct
  • B It provides complete protection against all forms of malware and eliminates the need for traditional antivirus software
  • C It automatically patches all vulnerabilities on endpoints without requiring user intervention
  • D It replaces the need for security awareness training by preventing user actions that lead to compromises
Explanation

EDR provides deep visibility into endpoint behavior and processes, enabling threat hunting, behavioral detection, and rapid response to sophisticated attacks that antivirus alone might miss.

Q51 Easy

Which of the following best describes the LEAST privilege principle in access control?

  • A Executive leadership should have full access to all systems regardless of business need
  • B Privileges should be assigned based on the user's seniority level rather than actual job requirements
  • C Users should be granted only the minimum permissions necessary to perform their assigned job functions ✓ Correct
  • D All users should have administrator access to systems they work with to maximize productivity
Explanation

The least privilege principle limits each user to only the permissions absolutely necessary for their role, reducing the damage potential if an account is compromised.

Q52 Hard

An analyst is reviewing logs from a compromised server and observes multiple failed attempts to create user accounts followed by successful creation of an administrative account. What does this pattern suggest?

  • A An attacker attempting privilege escalation and persistence through hidden administrative account creation ✓ Correct
  • B Normal user account provisioning activity by the IT helpdesk
  • C A denial of service attack targeting the user management system
  • D A system administrator legitimately testing account creation procedures
Explanation

The pattern of failed attempts followed by successful creation of an admin account suggests an attacker enumerating and exploiting vulnerabilities in account creation processes for persistence.

Q53 Medium

A security analyst reviews firewall logs and identifies multiple failed SSH connection attempts from the same external IP address over a 2-hour period, followed by successful connections using valid credentials. What type of attack is most likely being conducted?

  • A Credential stuffing attack using previously compromised username and password pairs ✓ Correct
  • B Man-in-the-middle attack intercepting and modifying SSH handshake packets
  • C Denial of service attack designed to exhaust server connection resources
  • D Brute force attack attempting to guess valid credentials through systematic enumeration
Explanation

The pattern of initial failures followed by successful authentication using valid credentials strongly suggests credential stuffing, where an attacker uses previously compromised credentials rather than systematically guessing passwords.

Q54 Medium

Which of the following best describes the primary purpose of implementing network segmentation in a security architecture?

  • A To reduce bandwidth consumption and improve network performance metrics
  • B To increase encryption overhead for all inter-segment communications
  • C To limit lateral movement and contain breach impact by isolating critical assets from less sensitive systems ✓ Correct
  • D To eliminate the need for firewall rules and access control lists entirely
Explanation

Network segmentation creates logical boundaries that restrict an attacker's ability to move freely across the network after initial compromise, thereby limiting the scope and impact of a potential breach.

Q55 Easy

During a vulnerability assessment, an analyst discovers that a web application fails to properly validate and encode user input before displaying it in search results. What is the primary risk associated with this finding?

  • A Cross-site request forgery (CSRF) forcing users to perform unwanted administrative actions
  • B Cross-site scripting (XSS) vulnerability allowing injection of malicious scripts into user browsers ✓ Correct
  • C Buffer overflow attacks causing application memory corruption and denial of service conditions
  • D SQL injection enabling direct manipulation of backend database queries and data extraction
Explanation

The lack of input validation and output encoding in search results is a classic XSS vulnerability, allowing attackers to inject malicious JavaScript that executes in other users' browsers.

Q56 Easy

A company's intrusion detection system (IDS) generates an alert for suspicious activity, but after investigation, the security team determines the activity was legitimate and part of normal business operations. What is this type of alert called, and what is the primary concern it creates?

  • A True negative confirming that the monitoring system is functioning correctly and no threats exist
  • B False negative where the system failed to detect actual attack activity that occurred unnoticed
  • C False positive reducing analyst trust in the monitoring system and potentially leading to alert fatigue and missed real threats ✓ Correct
  • D True positive indicating actual malicious activity that requires immediate remediation and threat hunting
Explanation

False positives are legitimate activities incorrectly flagged as malicious; excessive false positives cause alert fatigue, where analysts become desensitized and may miss genuine threats.

Q57 Medium

An analyst is reviewing SIEM logs and notices that an employee accessed sensitive data repositories at 3 AM from an IP address in a different country than their normal location. The employee is currently scheduled to be on vacation. What is the most appropriate immediate response?

  • A Disable the employee's account immediately and escalate to management for investigation of potential account compromise ✓ Correct
  • B Allow the access to continue while monitoring for additional suspicious activities from that IP address
  • C Document the finding for quarterly review since the employee's vacation schedule explains the unusual access patterns
  • D Assume the employee is using a VPN and take no action unless additional anomalies are detected in the coming weeks
Explanation

The combination of unusual time, geographic impossibility, and known absence indicates likely account compromise and warrants immediate account disabling and incident investigation to prevent data theft.

Q58 Medium

A security team is implementing a data loss prevention (DLP) solution. During the pilot phase, the system blocks legitimate business emails containing financial reports and customer contact information. What is the primary challenge this scenario illustrates?

  • A The organization lacks sufficient encryption infrastructure to support DLP deployment
  • B Employee training programs have failed to educate users about data handling practices and DLP policies
  • C DLP solutions are ineffective and should be replaced with manual monitoring procedures
  • D Balancing security controls with business functionality by properly tuning policies to prevent both data loss and operational disruption ✓ Correct
Explanation

This scenario demonstrates the critical challenge of DLP implementation—creating policies that protect sensitive data while minimizing false positives that block legitimate business communications.

Q59 Hard

An organization discovers that an attacker has been using a zero-day vulnerability in a third-party software component to gain unauthorized access. The vendor has not yet released a patch. Which of the following represents the most effective compensating control?

  • A Disable all antivirus and anti-malware tools to reduce false positives from the affected software
  • B Schedule an immediate hardware upgrade to replace the vulnerable system with newer equipment
  • C Increase the frequency of security awareness training for all employees to reduce social engineering risk
  • D Implement network segmentation and access controls to restrict the affected system's connectivity and limit potential lateral movement if exploited ✓ Correct
Explanation

When a patch is unavailable for a zero-day vulnerability, the most effective compensating control is restricting network access and limiting system connectivity to reduce exploitation impact and lateral movement potential.

Q60 Hard

A penetration tester uses a tool to capture network traffic and discovers several unencrypted passwords transmitted across the organization's internal network. The IT department states that internal network communication does not need encryption because it is behind the firewall. What is the primary flaw in this security assumption?

  • A Encryption keys for internal networks are more expensive than external network encryption and should be avoided
  • B Internal networks are still vulnerable to insider threats, compromised systems, and lateral movement attacks regardless of firewall protection ✓ Correct
  • C The firewall hardware is not compatible with encrypted internal traffic and will cause performance degradation
  • D Employee privacy regulations require that all communications be encrypted only for external transmission to partners
Explanation

The assumption that internal networks are secure solely because of firewall protection ignores insider threats and compromised internal systems that can capture unencrypted credentials for lateral movement.

Q61 Hard

During threat modeling for a new application, a security team identifies that user session tokens are stored in browser local storage without httpOnly or Secure flags. What vulnerability does this create, and what is the primary attack vector?

  • A Cross-site scripting attacks enabling malicious scripts to access session tokens from local storage for session hijacking ✓ Correct
  • B Clickjacking attacks tricking users into revealing their session tokens through UI overlay manipulation
  • C Server-side request forgery allowing attackers to make unauthorized requests on behalf of the server
  • D Insecure deserialization allowing remote code execution through malformed session token objects
Explanation

Session tokens kept in browser local storage are readable by any JavaScript running in the page (the httpOnly flag, which keeps a cookie out of reach of scripts, does not apply to local storage), so a successful XSS attack can read the tokens and hijack user sessions.

Q62 Medium

A security analyst reviews user access logs and observes that a contractor account has not been disabled 60 days after the contract end date, despite a policy requiring immediate access revocation. What is this finding primarily an example of?

  • A Insufficient encryption of access control list files requiring encryption algorithm upgrade
  • B A failure in access governance and lifecycle management controls allowing unauthorized persistent access ✓ Correct
  • C Evidence of privilege creep requiring immediate password reset for all contractor accounts
  • D Excessive privileged access that requires immediate escalation to the CISO
Explanation

Failing to revoke contractor access after contract termination demonstrates a breakdown in access lifecycle management and governance controls, creating a risk of unauthorized access by former contractors and employees.

Ready to test your knowledge?

You've reviewed all 62 questions. Take the interactive practice exam to simulate the real test environment.