📚 Cyber Fundamentals

✅ Correct: B) Perfect Forward Secrecy (PFS)

Explanation: PFS ensures each session uses unique ephemeral keys (via ECDHE or DHE). If the server's long-term private key is later compromised, an attacker cannot derive session keys from captured traffic. Non-repudiation proves authorship. Key escrow stores keys with third parties. Certificate pinning validates specific certificates.

✅ Correct: B) Identical passwords produce identical hashes, enabling rainbow table attacks

Explanation: Without a salt, the same password always produces the same hash, allowing pre-computed rainbow table lookups and revealing users sharing passwords. SHA-256 is not broken or reversible, and its 256-bit output is sufficient. The fix: use bcrypt, scrypt, or Argon2 with unique salts per password.

✅ Correct: C) VM detection / sandbox evasion

Explanation: The malware checks for VMware-specific registry keys to determine if it's running in a virtual machine. If detected, it may exit or deliver benign behavior to fool analysts. This is a sandbox evasion technique. Anti-debugging detects debugger presence (different mechanism). Obfuscation makes code harder to read. Polymorphism changes code signatures.

✅ Correct: C) TTPs (Tactics, Techniques, and Procedures)

Explanation: The Pyramid of Pain (David Bianco) ranks IOCs from trivial to tough: Hash values are trivially changed (recompile). IP addresses and domains are easy to rotate. Network artifacts and tools require more effort. TTPs sit at the top — they represent the attacker's behavior and methodology, which are fundamentally hard to change without developing entirely new capabilities.

✅ Correct: B) Two factors (biometric + possession)

Explanation: A fingerprint is "something you are" (biometric factor) and a smart card is "something you have" (possession factor). Using two different categories constitutes true two-factor authentication (2FA). If both were biometrics (e.g., fingerprint + iris), it would be two methods but only one factor category.

✅ Correct: B) All access requests must be verified regardless of source location

Explanation: Zero Trust operates on "never trust, always verify." No implicit trust is granted based on network location, VPN status, or previous authentication. Every request is authenticated, authorized, and encrypted. This contrasts with perimeter-based security where internal traffic was trusted by default.

✅ Correct: B) Isolate affected systems to prevent lateral movement

Explanation: Containment is the immediate priority to stop ransomware spread. Isolate infected systems from the network while preserving evidence. Paying ransom is discouraged (no guarantee of recovery, funds criminal operations). Reimaging destroys forensic evidence. Media disclosure follows legal/regulatory timelines, not immediate reaction.

✅ Correct: C) RAM / memory contents

Explanation: Order of volatility (RFC 3227): Registers/cache → RAM → network state → disk → removable media → logs. RAM is highly volatile and contains running processes, encryption keys, network connections, and malware that may not exist on disk (fileless malware). While network state (D) is also volatile, RAM capture takes priority as it contains the most actionable forensic data.

✅ Correct: C) Parameterized queries / prepared statements

Explanation: Parameterized queries separate SQL code from data, making injection impossible regardless of input content. WAFs can be bypassed with encoding tricks. Input length validation doesn't prevent carefully crafted short payloads. Output encoding prevents XSS, not SQLi. Prepared statements are the definitive solution recommended by OWASP.

✅ Correct: C) Strict-Transport-Security (HSTS)

Explanation: HSTS forces browsers to use HTTPS for a set max-age period, preventing SSL stripping attacks. CSP controls allowed content sources (scripts, styles). X-Frame-Options prevents clickjacking (iframe embedding). X-Content-Type-Options prevents MIME type sniffing. HSTS with includeSubDomains and preloading provides the strongest transport protection.