50 IBM Security Foundations Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the IBM Security Foundations certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions: A comprehensive set of practice questions covering key exam topics
All Domains Covered: Questions distributed across all exam objectives and domains
Mixed Difficulty: Easy, medium, and hard questions to test all skill levels
Detailed Explanations: Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for IBM Security Foundations
A security analyst is explaining the principle of least privilege to a new team member. Which example best demonstrates least privilege?
A user enters credentials on a phishing site and the attacker immediately logs in to the corporate VPN with the stolen username and password. Which control would MOST directly reduce the impact of this attack?
Which activity is the BEST example of a detective security control?
A security team wants to reduce the risk of unauthorized data access if a server hard drive is stolen from a data center. Which control MOST directly addresses this risk?
A company is designing remote access for contractors. The business requires contractors to reach only a single internal web portal and nothing else. Which approach BEST aligns with this requirement?
A security administrator is defining access for a user who needs to view reports but must not be able to modify report definitions. Which IAM concept BEST supports this requirement at scale?
An incident responder suspects a workstation is infected with malware that is beaconing to an external command-and-control (C2) host. What is the BEST immediate action to reduce risk while preserving evidence for investigation?
A company wants to reduce lateral movement between workloads hosted in the same data center network. Which design choice BEST supports this goal?
A SOC receives alerts indicating multiple successful logins to the same account from geographically distant locations within a short time. The user claims they did not travel. Which action is the BEST next step to balance containment and business continuity?
An organization is moving applications to a hybrid environment and wants consistent, centralized enforcement of authentication and authorization across multiple apps (some on-premises, some in cloud). Which architectural approach BEST meets this requirement?
A security analyst is explaining the principle of "least privilege" to a new team member. Which example BEST demonstrates least privilege in practice?
A team wants to validate that a downloaded software package was not modified in transit and comes from the expected publisher. Which control BEST addresses both integrity and authenticity?
An organization wants a simple way to reduce account compromise from stolen passwords for its cloud applications. Which improvement provides the MOST direct benefit?
A security manager is reviewing an incident where an attacker gained access through a compromised vendor account that was still active after the contract ended. Which IAM process failure MOST likely contributed?
A company is classifying data to determine appropriate controls. Which pairing is MOST appropriate for highly sensitive customer records?
A network engineer wants to reduce lateral movement if a workstation is compromised. Which network design approach BEST supports this goal?
An organization receives an alert for repeated failed logins followed by a successful login to a privileged account from an unusual location. What should be the FIRST response action according to common incident response best practices?
A SOC is tuning detection rules to reduce false positives without missing true attacks. Which approach is MOST effective?
A company wants to allow users to sign in once to access multiple SaaS applications and centralize access revocation. Which architecture BEST meets this requirement?
During incident response, an analyst wants to collect evidence from a potentially compromised server for possible legal action. Which practice is MOST important to ensure the evidence is admissible and trustworthy?
An organization wants to ensure that data stored on employee laptops remains protected if a device is lost. Which control most directly addresses this requirement?
A security analyst is asked to classify a newly discovered risk: an attacker could modify transaction records in a database without detection. Which security principle is primarily at risk?
A company wants to reduce the likelihood that compromised user passwords can be used to access corporate SaaS applications. Which control provides the most direct improvement?
A new application is being designed to run in multiple network zones (internet, DMZ, and internal). Which design best supports a defense-in-depth approach?
A SOC receives an alert that a user account successfully authenticated from two distant countries within 10 minutes. The password appears correct. What is the most appropriate immediate action?
An organization wants to enforce least privilege for administrators managing cloud resources. Which approach best meets this goal?
A network engineer observes that internal DNS queries are being answered by an unknown external IP, and users are being redirected to spoofed websites. Which issue is most likely occurring?
A security team needs to detect lateral movement inside the network after an initial compromise. Which logging/telemetry is most valuable for this specific goal?
A company uses an API gateway to publish internal APIs. They want to prevent token replay if an attacker steals a bearer token from a client. Which design choice most directly reduces replay risk?
A regulated enterprise must demonstrate that administrative actions on critical systems are attributable to a specific individual. Which approach best satisfies this requirement?
A project team is designing a new internal web application that will store customer contact details. Which security principle BEST reduces potential damage if the application server is compromised?
An organization wants to prevent sensitive records from being readable if a laptop is lost or stolen. Which control MOST directly addresses this requirement?
A help desk analyst needs to verify a caller's identity before resetting a password. Which approach is MOST aligned with strong identity proofing for this situation?
A security analyst receives an alert that a workstation is communicating with a known malicious domain. What is the BEST immediate action to limit potential spread while preserving evidence?
A company wants to secure API traffic between mobile apps and backend services. They require encryption in transit and assurance that clients are connecting to the legitimate server. Which solution BEST meets these requirements?
A team is building a security program and wants to prioritize controls based on reducing overall business risk. Which approach BEST supports this goal?
An organization uses role-based access control (RBAC) for a payroll system. A user moves from Finance to IT Support and should no longer approve payroll changes. What is the MOST effective practice to prevent privilege retention?
After a suspected compromise, an incident responder notices key logs are missing from several servers. Which control would BEST help ensure log integrity and availability in the future?
A company must allow a third-party vendor to access a specific internal application, but wants to avoid exposing the internal network broadly. Which design BEST minimizes exposure while enabling access?
An organization wants to reduce account takeover risk for remote access. They currently use passwords and are considering additional factors. Which option provides the STRONGEST improvement in assurance while remaining practical for most users?
An employee receives an email that appears to be from the IT help desk asking them to "confirm" their password using a link. Which security principle is MOST directly being targeted by this attack?
A security analyst needs to reduce the chance that a single compromised password will grant access to corporate applications. Which control best addresses this requirement?
A SOC receives an alert that a user is authenticating successfully from two countries within 10 minutes. What is the BEST initial action?
A company is moving a web application to the cloud. They want to minimize the risk of exposing the database to the internet while still allowing the application to query it. Which network design is BEST?
An organization wants to ensure that access to a finance application is granted based on job function, and that changes in a user’s role automatically update permissions. Which IAM approach BEST fits?
During an incident, responders suspect data exfiltration from a critical server. They need evidence that will be admissible for investigation and potential legal action. What is the MOST important procedural requirement?
A security team is tuning a SIEM and wants to reduce false positives without missing true attacks. Which approach is MOST effective?
A company wants to protect sensitive data stored on laptops in case devices are lost or stolen. Which control BEST addresses this requirement?
A company uses an on-premises directory as the authoritative identity store and wants users to access multiple SaaS apps with a single login while minimizing password reuse. Which architecture BEST meets the requirement?
After a malware outbreak, leadership asks for a preventive control that limits how far an attacker can move if one workstation is compromised, while still allowing required business communication. Which approach is BEST?
IBM Security Foundations 50 Practice Questions FAQs
IBM Security Foundations is a professional certification from IBM that validates expertise in IBM Security Foundations technologies and concepts. The official exam code is A1000-060.
Our 50 IBM Security Foundations practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for IBM Security Foundations preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 IBM Security Foundations questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.