Cybersecurity Apprentice Intermediate Practice Exam: Medium Difficulty 2025

A small business reports that users can reach internal resources by IP address but not by hostname (for example, pinging 10.10.20.15 works, but pinging fileserver01 fails). Internet access is working. Which is the MOST likely root cause to investigate first?

A network engineer is troubleshooting why users in VLAN 20 cannot reach a server in VLAN 30. Both VLANs are on the same switch, and the server is confirmed up. The engineer can successfully ping the server from the VLAN 30 gateway interface but not from VLAN 20 clients. Which item is the BEST next check?

A company uses a stateful firewall. A security analyst wants to explain why return traffic from an internal user’s outbound HTTPS session is allowed back in even though there is no explicit inbound rule for that ephemeral source port. What is the BEST explanation?

A user receives an email that appears to be from the CFO asking them to urgently buy gift cards and reply with the codes. The sender address looks similar to the CFO’s real address but contains a subtle misspelling. Which type of attack is this scenario MOST consistent with?

A SOC analyst reviews an alert that a workstation is beaconing every 60 seconds to an external IP over TCP 443. DNS logs show random-looking subdomains were queried prior to the connections. The user was not browsing at the time. Which interpretation is MOST reasonable?

A company wants to reduce the risk of credential theft from phishing. They already use strong passwords, but users still sometimes enter credentials into fake sites. Which control provides the BEST additional protection if attackers steal a user’s password?

A security engineer is designing network segmentation. The goal is to prevent a compromised user workstation from directly reaching database servers while still allowing the application server tier to communicate with the databases. Which design BEST aligns with least privilege and practical enforcement?

A company is evaluating whether to prioritize deploying an IDS/IPS capability or adding more perimeter ACLs. They want to stop known exploit attempts against an internal web server and also gain visibility into suspicious traffic patterns. Which option BEST fits these goals?

A security team is hardening remote access. They want users to connect securely from untrusted networks and ensure confidentiality and integrity of traffic in transit. Which solution BEST addresses this requirement?

An analyst receives an endpoint alert indicating ransomware-like behavior (rapid file modifications and encryption). What is the BEST immediate next action in an incident response workflow to limit impact while preserving investigation options?