Series 5 - Cybersecurity - Exam practice
Cybersecurity exam questions
Ten multiple choice questions covering all six lessons, followed by five written questions. Work through the MCQ first, then write full answers to the written questions before revealing the mark scheme.
10 MCQ questions
5 written questions
22 written marks
All 6 lessons covered
Section 1: Multiple choice
Select one answer per question. Instant feedback and an explanation appear when you choose.
Lesson 1
Question 1 of 10
A piece of software secretly records every key pressed by a user and sends the data to an attacker. What type of malware is this?
A keylogger records every keystroke a user makes and transmits the data to the attacker. This allows the attacker to capture passwords, banking details, and private messages. A worm self-replicates across networks. Ransomware encrypts files and demands payment. Adware displays unwanted adverts.
Lesson 1
Question 2 of 10
Which of the following best describes a computer worm?
A worm is self-replicating malware that spreads independently across a network without needing to attach itself to a host file. It exploits network connections to copy itself to other devices. A Trojan disguises itself as legitimate software. Ransomware encrypts files for payment. A man-in-the-middle attack intercepts network traffic.
Lesson 2
Question 3 of 10
An attacker sends an email that appears to be from a bank, directing the recipient to a fake website to enter their login credentials. What type of attack is this?
Phishing uses fraudulent emails or messages designed to look legitimate, directing victims to fake websites where they enter credentials that are then stolen. Brute force systematically tries passwords. SQL injection targets database queries. A DoS attack floods a server with requests to make it unavailable.
Lesson 2
Question 4 of 10
An attacker calls a company's receptionist, pretending to be an IT support engineer, and convinces them to reveal a staff member's password. This is an example of:
This is social engineering through pretexting - the attacker creates a fabricated scenario (pretending to be IT support) to gain trust and extract information. While vishing is voice-based phishing, the defining feature here is the manipulation using a false identity and context, which is the essence of social engineering and pretexting specifically.
Lesson 3
Question 5 of 10
A web form accepts a username. An attacker types the following into the username field: '; DROP TABLE users; --. What type of attack is this?
SQL injection inserts attacker-controlled SQL into an input field so that it becomes part of the query the server executes. In this example the leading single quote closes the string literal the application opened around the username, the semicolon ends that statement, DROP TABLE users deletes the users table, and -- comments out whatever the application appended after the input. Whether the stacked DROP statement actually runs depends on the database driver allowing more than one statement per call, but even a single injected statement can corrupt, delete or extract data from the database. The fix is to pass user input as a bound parameter rather than concatenating it into the query string.
Lesson 3
Question 6 of 10
A DDoS attack differs from a DoS attack primarily because a DDoS attack:
A DDoS (Distributed Denial of Service) attack uses many different machines - often thousands of compromised devices in a botnet - to flood the target simultaneously. Because requests come from many IP addresses, blocking them is far more difficult than blocking a single source. A DoS attack originates from one machine, making it easier to identify and block.
Lesson 4
Question 7 of 10
Which encryption method uses the same key to both encrypt and decrypt data?
Symmetric encryption uses one shared key for both encryption and decryption. Both parties must know the secret key. While this is fast and efficient, the challenge is securely sharing the key. Asymmetric (public key) encryption uses a matched key pair - a public key to encrypt and a private key to decrypt. Hashing is a one-way process and is not reversible.
Lesson 4
Question 8 of 10
A company configures its firewall to block all incoming connections on port 23. Which protocol/service are they most likely blocking?
Port 23 is the default port for Telnet, an unencrypted remote access protocol. Blocking it is common security practice because Telnet transmits all data, including passwords, in plain text. Blocking the port at the firewall limits exposure, but the Telnet service should also be disabled on the hosts themselves. SSH (port 22) is the secure replacement. HTTPS uses port 443. FTP uses ports 20 and 21.
Lesson 5
Question 9 of 10
A school stores students' files on a network. A student can access only their own files and shared class folders, but not staff files or other students' private files. This is an example of:
User access levels (access controls / permissions) restrict what each account can read, write, or modify. Applying the principle of least privilege, each user is given only the access they need for their role. 2FA verifies identity. Penetration testing finds vulnerabilities. An AUP is a document of rules, not a technical control.
Lesson 6
Question 10 of 10
A company uses firewalls, encryption, anti-malware software, access controls, and physical security together. This approach to security is best described as:
Defence in depth (also called layered security) is the strategy of combining multiple, independent security measures so that if one layer is bypassed, others still protect the system. No single control is relied upon alone. This is contrasted with a single-point solution where compromising one control breaks all security.
Section 2: Written questions
Write your answer in full before revealing the mark scheme. These are worth marks in the exam, so practice structuring your answer carefully.
Lessons 1 & 2
Explain the difference between a virus and a worm. In your answer, refer to how each spreads.
[4 marks]
A virus attaches itself to an existing file or program (host file required) - 1 mark
A virus spreads when an infected file is copied or shared by a user - 1 mark
A worm does not need a host file - it is a self-contained program - 1 mark
A worm spreads automatically across networks without user action - 1 mark
Award up to 4 marks. Accept equivalent correct statements. Both definitions must be present for full marks.
Lesson 2
Describe two features of a phishing email that might help a user identify it as fraudulent.
[4 marks]
A spoofed or suspicious sender address that looks similar to but is not the genuine domain (e.g. support@paypa1.com) - 1 mark + explanation of why this is suspicious - 1 mark
Urgent or threatening language designed to pressure the recipient into acting quickly (e.g. "Your account will be closed in 24 hours") - 1 mark + explanation - 1 mark
Other valid answers: generic greeting instead of recipient's name, hover link does not match destination, requests for passwords/personal information, poor spelling and grammar. Award 1 mark per feature identified, 1 mark per explanation. Max 4.
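The features in this mark scheme can be checked mechanically. The following is an added worked example, not part of the original exam page: it parses two constructed sample messages (neither is a real email) and reports a lookalike sender domain, urgent language, a generic greeting, a request for a password, and an anchor whose visible text names a different domain from its href. The expected brand domain, the urgency phrases and the digit-for-letter substitution table are assumptions made for the demonstration, and the "registered domain" helper keeps only the last two labels of a hostname rather than consulting a public-suffix list.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "paypal.com"  # brand the message claims to be from (assumed)
URGENCY_PHRASES = ("urgent", "immediately", "24 hours", "suspended", "will be closed")
# Digits commonly swapped for letters in lookalike domains (paypa1 -> paypal).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample messages, not real email.
PHISHING_EMAIL = """\
From: "PayPal Support" <support@paypa1.com>
To: customer@example.org
Subject: Urgent: your account will be closed in 24 hours
Content-Type: text/html

<html><body><p>Dear customer,</p>
<p>We detected unusual activity. Confirm your password immediately or your
account will be suspended.</p>
<p><a href="http://paypal.com.secure-login.example/verify">https://www.paypal.com/verify</a></p>
</body></html>
"""

LEGIT_EMAIL = """\
From: "PayPal" <service@paypal.com>
To: alice@example.org
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p>Dear Alice,</p>
<p>Your statement for last month is available in your account.</p>
<p><a href="https://www.paypal.com/statements">View statement</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_of(url):
    if "://" not in url:
        url = "http://" + url
    return registered_domain(urlparse(url).hostname or "")


def phishing_indicators(raw_message):
    """Returns (code, detail) pairs, one per suspicious feature found."""
    msg = email.message_from_string(raw_message)
    findings = []

    _display, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    if sender_domain != EXPECTED_DOMAIN:
        findings.append(("sender-domain", f"{sender_domain} is not {EXPECTED_DOMAIN}"))
        if sender_domain.translate(HOMOGLYPHS) == EXPECTED_DOMAIN:
            findings.append(("lookalike-domain", f"{sender_domain} imitates {EXPECTED_DOMAIN}"))

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()

    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    if re.search(r"dear (customer|user|member|client)\b", text):
        findings.append(("generic-greeting", "recipient not addressed by name"))
    if re.search(r"\b(password|pin|card number)\b", text):
        findings.append(("credential-request", "asks for a secret"))

    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        # Only compare when the visible text itself names a host.
        shown_host = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", shown.lower())
        if shown_host and domain_of(shown_host.group(0)) != domain_of(href):
            findings.append(("link-mismatch",
                             f"text shows {shown_host.group(0)}, href goes to {urlparse(href).hostname}"))
    return findings
```

The link check is the one worth studying: the deceptive href begins with paypal.com, so a naive "starts with the brand" test would pass it, while comparing the registered domain (secure-login.example) against the one shown in the link text (paypal.com) catches it.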
Lesson 3
A website does not validate user input before including it in database queries. Explain how an attacker could exploit this vulnerability and what damage could result.
[4 marks]
The attacker enters malicious SQL code into a text input field (e.g. a login box) - 1 mark
The code becomes part of the database query that the server executes - 1 mark
This could allow the attacker to bypass authentication / retrieve unauthorised data / delete or modify records - 1 mark (any one valid consequence)
For example, the attacker could log in as any user without knowing their password, or access a full database of user credentials - 1 mark (specific example)
This is an SQL injection question. Award marks for clear causal explanation: vulnerability, exploitation mechanism, consequence. Accept equivalent correct statements.
Lessons 4 & 5
A company stores sensitive customer data. Explain two different technical prevention measures and one policy-based measure they should implement. For each, explain how it reduces the risk of a security breach.
[6 marks]
Technical 1: Encryption - data is converted to ciphertext using an algorithm and key, so even if intercepted it cannot be read without the decryption key - up to 2 marks (1 for measure, 1 for how it reduces risk)
Technical 2: Firewall - monitors and filters incoming/outgoing network traffic based on rules, blocking unauthorised connections or suspicious packets - up to 2 marks
Other valid technical measures: anti-malware software, two-factor authentication, automatic software updates / patch management, network monitoring
Policy: Acceptable Use Policy / access-control policy defining which user access levels each role is granted / staff training / backup policy - 1 mark for naming, 1 mark for explaining how it reduces risk
Award up to 2 marks per measure (1 for identification, 1 for clear explanation of how it reduces risk). Maximum 6. Must have two distinct technical measures and one policy measure for full marks.
Lesson 6
Explain what is meant by "defence in depth" and why it is considered a more effective approach to cybersecurity than relying on a single security measure.
[4 marks]
Defence in depth means using multiple layers of different security measures (not relying on one control) - 1 mark
If one layer is breached or bypassed, the remaining layers still protect the system - 1 mark
A single measure creates a single point of failure - if it is compromised, the entire system is exposed - 1 mark
Example: a firewall may be bypassed, but encryption, access controls and anti-malware still protect the data / attacker still faces further barriers - 1 mark
Award up to 4 marks. Must include the concept of multiple layers AND explain why this is better than a single measure. A specific example is required for the 4th mark.