Free · 220-1202 · Domain 2 of 4

CompTIA A+ Core 2 Domain 2: Security

25% of the 220-1202 exam
Practice — Domain 2
2.3 Detect, remove, and prevent malware

An accountant reports that every document on her workstation now has an unfamiliar extension and will not open, and a full-screen message demands payment in cryptocurrency to restore access to the files. Which type of malware best fits this behavior?

Answer
Correct answer: C · Ransomware

Ransomware is malware designed to encrypt files on a device so they become unusable, after which the actors demand a ransom in exchange for decryption, matching the encrypted documents and cryptocurrency demand described.

Why the other options are wrong
  • A: This guess fixates on data theft, but spyware is software secretly installed to covertly gather information without the user's knowledge, not to encrypt files and openly demand a payment to restore them.
  • B: This choice assumes stealthy persistence, yet a rootkit conceals an attacker's activity and maintains privileged access; it does not lock files behind encryption and post a visible ransom demand.
  • D: This option focuses on rapid spreading, but a worm is defined by self-propagation across networks; encrypting local files and demanding payment is not what characterizes a worm by itself.
Ransomware encrypts files then demands payment to decrypt — 220-1202 Obj 2.3
2.3 Detect, remove, and prevent malware

After a breach, investigators find that a compromised computer hides specific running processes and files from the operating system's own tools, so the device cannot be trusted to report what is actually running, and the attacker has retained privileged access for months. Which malware type is described?

Answer
Correct answer: B · Rootkit

A rootkit conceals the attacker's activities and lets the attacker maintain root-level access by intercepting and changing standard operating-system processes, so the host can no longer be trusted to report itself accurately.

Why the other options are wrong
  • A: This pick assumes harmless advertising behavior, but adware displays unwanted ads and does not subvert operating-system reporting or grant an attacker long-term concealed administrative control over the host.
  • C: This option narrows to captured keystrokes, yet a keylogger records typed input rather than hiding processes from the OS and preserving stealthy root-level access across long periods of time.
  • D: This choice expects encrypted files and a payment demand; concealment of processes and persistent hidden privileged access is not how ransomware announces itself to its victim.
Rootkit conceals activity and maintains privileged access by altering OS processes — 220-1202 Obj 2.3
2.3 Detect, remove, and prevent malware

A user downloads what appears to be a legitimate free PDF utility, but after installation an attacker gains remote access to the machine. The program does not attach to other files and cannot copy itself to other computers on its own. Which classification fits this threat?

Answer
Correct answer: D · Trojan

A Trojan appears to have a useful function while hiding a malicious one and, unlike viruses, cannot spread on its own, matching the disguised utility that quietly grants the attacker remote access.

Why the other options are wrong
  • A: This answer assumes self-propagation, but a worm spreads itself across networks without help; the described program cannot copy itself on its own, which rules a worm out.
  • B: This choice expects code that attaches to and infects other files; the described program does not attach to other files, so the defining behavior of a virus is absent here.
  • C: This option points to code that infects the startup sector and runs before the OS loads, which does not match a downloaded application that merely poses as a useful PDF tool.
Trojan poses as a useful app and cannot self-replicate — 220-1202 Obj 2.3
2.3 Detect, remove, and prevent malware

Overnight, a single infection spread to dozens of computers across the company LAN by exploiting a network service vulnerability. No user opened an attachment or ran a file, and the malicious code is not attached to any host program. Which malware type is responsible?

Answer
Correct answer: A · Worm

A worm self-replicates and propagates through a network onto other computer systems without requiring a host program or any user intervention, which matches the unattended LAN-wide spread described.

Why the other options are wrong
  • B: This pick overlooks that a virus cannot run by itself and requires its host program to be executed; the unattended spread without any user action does not fit a virus.
  • C: This choice assumes a disguised application, but a Trojan cannot spread on its own and relies on being downloaded or installed, so it cannot account for automatic LAN-wide propagation.
  • D: This option describes code that triggers on a condition or date to deliver a payload; it explains timing, not the self-propagation across many networked computers seen here.
Worm self-propagates over a network with no host program or user action — 220-1202 Obj 2.3
2.3 Detect, remove, and prevent malware

A help-desk analyst suspects that software was secretly installed on a kiosk to capture everything users type, including usernames and passwords, and quietly send the collected data to an attacker without the users' knowledge. Which term best describes software that records typed input this way?

Answer
Correct answer: C · Keylogger

A keylogger is a form of spyware that records the keystrokes a user types and is secretly installed to gather information without the user's knowledge, matching the captured credentials described.

Why the other options are wrong
  • A: This choice emphasizes hiding from the operating system, but the defining purpose here is capturing typed input, not concealing processes and maintaining covert privileged access to the host.
  • B: This pick expects encrypted files and an extortion demand; silently recording keystrokes and exfiltrating them is not the openly disruptive behavior that defines ransomware.
  • D: This option assumes stolen processing power used to mine cryptocurrency, which consumes resources rather than recording typed credentials and quietly transmitting them to an attacker as described.
Keylogger is spyware that secretly records typed keystrokes — 220-1202 Obj 2.3
2.4 Social engineering attacks, threats, and vulnerabilities

Several employees receive an unsolicited email that appears to come from the company's bank, warning of an account problem and linking to a site that asks them to confirm their login credentials. The link's true destination differs from the displayed text. Which attack is this?

Answer
Correct answer: B · Phishing

Phishing uses email or malicious websites to solicit personal information by posing as a trustworthy organization, exactly matching the spoofed bank email and the credential-harvesting link described.

Why the other options are wrong
  • A: This choice names a voice-based approach, but the scenario uses an email and a fraudulent website rather than a phone call, so it does not fit the voice-communication channel that vishing relies on.
  • C: This option exploits SMS text messages, but the described attack arrives by email with a malicious web link rather than a text message, so smishing does not fit the channel used here.
  • D: This pick names malware that conceals an attacker's activity on a host; it is not a social-engineering email campaign that tricks users into entering credentials on a fake site.
Phishing uses email or malicious sites to solicit info by posing as a trusted org — 220-1202 Obj 2.4
2.4 Social engineering attacks, threats, and vulnerabilities

An employee receives a phone call from someone claiming to be from the IT department, who uses a spoofed caller ID and a sense of urgency to convince the employee to read back their network password over the phone. Which social-engineering attack is this?

Answer
Correct answer: D · Vishing

Vishing is the social-engineering approach that leverages voice communication, often with a spoofed caller ID, to entice a victim to divulge sensitive information such as a password by phone.

Why the other options are wrong
  • A: This choice assumes the email or malicious-website channel; the scenario is conducted entirely by telephone, so the email-based solicitation that characterizes ordinary phishing does not apply here.
  • B: This pick relies on SMS text messages to deliver the lure, but the attacker here is speaking on a live phone call rather than sending a text, so smishing does not match the method.
  • C: This option names software secretly installed to gather information; the attack described is a manipulative phone conversation, not malicious code running on the victim's device.
Vishing leverages voice communication, often with spoofed caller ID — 220-1202 Obj 2.4
2.2 Wireless security protocols and authentication methods

A security policy requires that, in addition to entering a password, users must approve a prompt on a registered authenticator app before they can sign in. Which security concept does combining a password with the app approval satisfy?

Answer
Correct answer: A · Multifactor authentication

Combining something you know (the password) with something you have (the registered authenticator) presents two different factors, which is exactly what multifactor authentication requires for successful authentication.

Why the other options are wrong
  • B: This choice confuses convenience with assurance; single sign-on lets one login grant access to many applications, but it does not by itself require a second, different authentication factor.
  • C: This pick names limiting a user's rights to only what their job needs; it governs authorization levels and does not describe requiring two distinct factors to verify identity at login.
  • D: This option describes trusting identities across organizations or domains; it addresses where credentials are validated, not whether two separate authentication factors are presented when signing in.
MFA requires two or more different factors: know, have, are — 220-1202 Obj 2.2
2.2 Wireless security protocols and authentication methods

A small business is replacing its wireless security configuration and wants the strongest currently certified option, one that is mandatory on new Wi-Fi CERTIFIED devices, requires Protected Management Frames, and improves resistance to password guessing over the pre-shared-key approach. Which should they choose?

Answer
Correct answer: C · WPA3

WPA3 is mandatory for Wi-Fi CERTIFIED devices, requires use of Protected Management Frames, and increases protection against password-guessing attempts, making it the strongest currently certified wireless security choice.

Why the other options are wrong
  • A: This choice selects the oldest scheme, which has well-known exploits dating to 2001 and is an outdated legacy protocol that modern Wi-Fi security explicitly disallows, so it is far from the strongest.
  • B: This pick uses TKIP, an early protocol that bridged WEP's gap but later proved vulnerable; it is weaker than the AES-based successors and is not the strongest certified option available.
  • D: This option is still strong with AES, but it predates WPA3 and lacks mandatory Protected Management Frames and WPA3's improved password-guessing resistance, so it is not the strongest option available.
WPA3 is the strongest certified Wi-Fi option, mandatory and requiring PMF — 220-1202 Obj 2.2
2.5 Microsoft Windows OS security settings

An administrator wants to protect data on company laptops so that if a laptop is lost or stolen, the entire operating-system volume is encrypted and the data cannot be read by removing the drive and attaching it to another computer. Which Windows feature is designed for this?

Answer
Correct answer: B · BitLocker

BitLocker is a Windows security feature that provides encryption for entire volumes, addressing data theft or exposure from lost, stolen, or improperly decommissioned devices, matching the whole-volume requirement.

Why the other options are wrong
  • A: This choice encrypts individual files on an NTFS volume, but it does not encrypt the entire volume, so unencrypted areas and system files can remain readable and the whole-drive requirement is unmet.
  • C: This pick provides real-time antimalware protection that detects and removes threats, but scanning for malware is not the same as encrypting a drive, so it cannot protect data on a physically stolen disk.
  • D: This option prompts for consent before administrative changes, but it governs privilege elevation rather than encrypting stored data, so it offers no protection if the drive is removed and read elsewhere.
BitLocker encrypts entire volumes to protect lost or stolen devices — 220-1202 Obj 2.5
2.5 Microsoft Windows OS security settings

On a shared Windows workstation formatted with NTFS, a user wants to encrypt only a few specific sensitive files in her profile so other users of the same computer cannot read them, without encrypting the whole drive. Which built-in feature provides per-file cryptographic protection using a public-key system?

Answer
Correct answer: D · Encrypting File System (EFS)

EFS provides cryptographic protection of individual files on NTFS volumes using a public-key system, matching the need to encrypt selected files without encrypting the entire drive.

Why the other options are wrong
  • A: This choice encrypts entire volumes to protect a lost or stolen device, but it is not aimed at protecting selected files from other users who log on interactively to the same running computer.
  • B: This pick strengthens login by requiring two factors, but authentication verifies identity at sign-in and does not encrypt the contents of individual files at rest on the disk.
  • C: This option prompts for administrative consent before system changes; it manages privilege elevation and provides no cryptographic protection for specific files a user wants to keep private.
EFS encrypts individual files on NTFS via a public-key system — 220-1202 Obj 2.5
2.5 Microsoft Windows OS security settings

A technician sets up a new Windows 11 laptop that has no third-party security software installed. The user needs built-in, real-time protection that detects and removes malware such as viruses and worms. Which Windows component already provides this?

Answer
Correct answer: A · Microsoft Defender Antivirus

Microsoft Defender Antivirus is built into Windows and is a major component of next-generation protection, providing real-time protection that detects and removes malware, satisfying the built-in requirement.

Why the other options are wrong
  • B: This choice encrypts entire volumes to protect data at rest on a lost device, but it is a drive-encryption feature and does not scan for or remove viruses and worms in real time.
  • C: This pick prompts for consent before administrative changes to limit malicious code's privileges, but it is not an antivirus engine and does not detect or remove malware files.
  • D: This option cryptographically protects individual files on NTFS, yet it provides no malware detection or removal, so it cannot supply the real-time anti-malware protection the user requires.
Microsoft Defender Antivirus is the built-in, real-time anti-malware in Windows — 220-1202 Obj 2.5
2.5 Microsoft Windows OS security settings

On a Windows workstation, whenever a standard user or an administrator tries to perform a task that changes system settings, a prompt appears requesting consent or administrator credentials before the change proceeds, so malware cannot silently make system changes. Which Windows feature produces this behavior?

Answer
Correct answer: C · User Account Control

User Account Control protects the operating system from unauthorized changes by requiring consent or credentials, so apps run as a standard user unless the user approves elevation to administrative rights.

Why the other options are wrong
  • A: This choice protects data by encrypting entire volumes; it secures data at rest on a lost device and does not generate consent prompts before system configuration changes are allowed.
  • B: This pick detects and removes malware in real time, but it is a scanning engine and is not the component that prompts for consent or credentials before privileged system changes are made.
  • D: This option encrypts individual files on NTFS using a public-key system; it secures file contents and does not display elevation prompts when system-level changes are attempted.
UAC prompts for consent/credentials before privileged system changes — 220-1202 Obj 2.5
2.7 Mobile and embedded device security

An employee's company iPhone is stolen. The administrator wants assurance that, even if the thief erases the device, it cannot be reactivated and used by someone else without the owner's Apple Account credentials. Which feature provides this protection?

Answer
Correct answer: B · Activation Lock

Activation Lock requires the owner's Apple Account password before anyone can turn off Find My, erase the device, or reactivate and use it, deterring reactivation even after a remote erase.

Why the other options are wrong
  • A: This choice preserves a copy of data in the cloud, which aids recovery of information, but backing up data does not by itself stop a thief from reactivating and using the erased phone.
  • C: This pick locks the screen against casual access, but a thief who fully erases the device would clear the existing passcode, so a passcode alone does not prevent later reactivation.
  • D: This option keeps stored data confidential, yet encryption protects data rather than blocking reactivation; an erased, encrypted phone could still be set up as new without an ownership check.
Activation Lock requires Apple Account credentials to reactivate even after erase — 220-1202 Obj 2.7
2.4 Explain common social engineering attacks, threats, and vulnerabilities

A company's public web server suddenly becomes unreachable, and logs show an overwhelming flood of traffic arriving simultaneously from thousands of compromised devices scattered across the internet. Which attack best fits this behavior?

Answer
Correct answer: C · Distributed denial-of-service (DDoS)

Multiple compromised machines acting together to flood one target until legitimate users can no longer reach it is exactly what a distributed denial-of-service attack does.

Why the other options are wrong
  • A: This choice describes secretly sitting between two parties to read or alter their traffic, but an on-path attack intercepts a conversation quietly and does not knock a public server offline with traffic volume.
  • B: This option targets a database by passing crafted input into a query, yet SQL injection manipulates back-end data and is unrelated to overwhelming a server using junk traffic from many remote hosts.
  • D: This guess focuses on guessing credentials by trying many combinations, but a brute-force attack aims to log in to an account and does not flood a server to deny service to everyone else.
DDoS uses many compromised machines to flood a target until legitimate users cannot reach it — 220-1202 Obj 2.4
2.4 Explain common social engineering attacks, threats, and vulnerabilities

On an unsecured coffee-shop Wi-Fi network, an attacker secretly relays the data between a customer's laptop and a banking site, able to read and even modify it while each side believes it is talking directly to the other. Which attack is this?

Answer
Correct answer: B · On-path (man-in-the-middle) attack

Positioning between two parties to intercept and possibly alter data in transit, while each believes it talks directly to the other, defines an on-path attack.

Why the other options are wrong
  • A: This option fixates on guessing credentials by trying many combinations, but a brute-force attack hammers a login and does not quietly relay and alter traffic flowing between two communicating endpoints.
  • C: This choice describes making a service unavailable by flooding it with traffic from many hosts, which disrupts availability rather than secretly intercepting and modifying data passing between two parties.
  • D: This guess injects browser-side scripts into a trusted web page so they run in a victim's browser, which is a web-application flaw and not an attacker relaying traffic between user and server.
An on-path/man-in-the-middle attacker sits between two parties to intercept and alter their traffic — 220-1202 Obj 2.4
2.4 Explain common social engineering attacks, threats, and vulnerabilities

A technician finds that packets reaching an internal filter carry a forged source IP address so they appear to originate from a trusted internal host, letting the sender slip past a rule. Which technique describes faking that source address?

Answer
Correct answer: D · Spoofing

Faking the sending address of a transmission so it appears to come from a trusted source, in order to gain illegitimate access or evade a filter, is spoofing.

Why the other options are wrong
  • A: This option is a social-engineering email tactic that tricks a person into revealing information by posing as a trustworthy organization, not the act of forging a packet's source address to fool a network filter.
  • B: This choice abuses unsanitized input to manipulate database queries, so SQL injection attacks a web application's data layer and has nothing to do with falsifying the source address inside network packets.
  • C: This guess injects malicious scripts into a trusted website that execute in other users' browsers, which is unrelated to crafting packets with a fake source address to impersonate a trusted host.
Spoofing fakes a transmission's source address to appear to come from a trusted system — 220-1202 Obj 2.4
2.4 Explain common social engineering attacks, threats, and vulnerabilities

A penetration tester types ' OR '1'='1 into a website's login field, and the back-end query is altered so the database returns every row in the user table. Which attack does this demonstrate?

Answer
Correct answer: A · SQL injection

Inserting a crafted SQL query through unsanitized input so the database executes attacker-controlled commands and returns or changes data is the definition of SQL injection.

Why the other options are wrong
  • B: This option also involves injection, but cross-site scripting injects browser-side scripts that run in other users' browsers rather than SQL commands that manipulate the application's back-end database directly.
  • C: This choice relays and alters traffic between two communicating parties, so an on-path attack intercepts data in transit instead of supplying malicious input that rewrites a server's predefined database query.
  • D: This guess tries many credential combinations to log in, but brute forcing is about guessing passwords and not about feeding crafted SQL through an input field to manipulate the database.
SQL injection sends crafted SQL through input so the database runs attacker-controlled queries — 220-1202 Obj 2.4
2.4 Explain common social engineering attacks, threats, and vulnerabilities

An attacker posts a comment containing a script to a trusted forum; when other visitors load the page, the script runs in their browsers and quietly forwards their session cookies to the attacker. Which attack is this?

Answer
Correct answer: C · Cross-site scripting (XSS)

Injecting a malicious script into a trusted website so it executes in other users' browsers and can steal cookies or session tokens is cross-site scripting.

Why the other options are wrong
  • A: This option injects SQL into a database query, but here the malicious code runs inside victims' browsers to steal session cookies rather than manipulating data stored in the application's back-end database.
  • B: This choice means faking a source address to impersonate a trusted system, which does not match planting a script in a web page so it executes inside other users' browsers.
  • D: This guess overwhelms a target with traffic from many hosts to deny availability, which is unrelated to embedding a browser-side script in a page to compromise individual users' sessions.
XSS injects scripts into a trusted site that run in victims' browsers and can steal session tokens — 220-1202 Obj 2.4
2.4 Explain common social engineering attacks, threats, and vulnerabilities

Reviewing failed logins, an analyst sees an attacker trying a curated wordlist of common real words and passwords leaked in prior breaches, rather than working through every possible character combination. Which attack best matches this method?

Answer
Correct answer: B · Dictionary attack

Using a predetermined wordlist of likely passwords, such as common words and credentials from past breaches, to guess a password is a dictionary attack.

Why the other options are wrong
  • A: This is the trap: a pure brute-force attack systematically tries every possible combination of characters, whereas the scenario uses a curated list of likely real words and leaked passwords instead.
  • C: This choice fakes a transmission's source address to impersonate a trusted system, which has nothing to do with submitting a list of likely passwords to a login form to guess credentials.
  • D: This guess tricks a user into handing over a password through a deceptive message, but the scenario describes an automated guessing program submitting wordlist entries rather than social-engineering the victim.
A dictionary attack guesses passwords from a wordlist of likely values; brute force tries all combinations — 220-1202 Obj 2.4
2.4 Explain common social engineering attacks, threats, and vulnerabilities

A caller phones the help desk claiming to be a new repair technician, offers a believable cover story, and over a friendly chat persuades an employee to read out their account password. Which category of attack is this?

Answer
Correct answer: D · Social engineering

Deceiving a person by impersonating someone trustworthy to gain their confidence and trick them into revealing sensitive information such as a password is social engineering.

Why the other options are wrong
  • A: This option overwhelms a system with traffic from many hosts to deny availability, which is a technical flooding attack and not a human deception used to talk an employee out of a password.
  • B: This choice manipulates a database through crafted input in a web form, so it exploits software rather than persuading a person to voluntarily reveal their credentials over the phone.
  • C: This guess tries many password combinations against a login automatically, but the scenario relies on building trust and a false identity to get the victim to disclose the password.
Social engineering uses human deception and a false identity to trick someone into revealing information — 220-1202 Obj 2.4
2.1 Summarize various security measures and their purposes

A laptop is configured so users unlock it with a fingerprint or facial recognition instead of typing anything. Which authentication factor category does this represent?

Answer
Correct answer: A · Something you are

A fingerprint or facial scan is a measurable physical characteristic of a person, which is the authentication factor category described as something you are.

Why the other options are wrong
  • B: This option refers to a physical possession such as a smart card, security key, or token device, but a fingerprint or face is an inherent body trait rather than an object you carry.
  • C: This choice covers secrets you memorize like a password or PIN, whereas a biometric is read from your body and is not knowledge you recall and type in.
  • D: This guess names a convenience method for accessing many applications with one login, which is not an authentication factor category and does not describe what a fingerprint or face scan is.
Biometrics (fingerprint, face) are the 'something you are' authentication factor — 220-1202 Obj 2.1
2.1 Summarize various security measures and their purposes

After signing in once with one set of credentials, an employee can open the company email, CRM, and file share all day without being prompted to authenticate again for each one. Which capability provides this?

Answer
Correct answer: B · Single sign-on (SSO)

Using one account and its credentials to access multiple independent applications without re-authenticating for each is single sign-on.

Why the other options are wrong
  • A: This option strengthens a single login by requiring two or more different factors, but it does not let one authentication carry across multiple separate applications without signing in again.
  • C: This choice limits each user to only the minimum permissions needed for their tasks, which governs how much access someone has rather than letting one login span several applications.
  • D: This guess is a list that enumerates which identities may access a resource and their rights, so it enforces permissions on a resource instead of carrying one sign-in across many apps.
SSO lets one set of credentials access multiple applications without signing in again — 220-1202 Obj 2.1
2.1 Summarize various security measures and their purposes

An administrator is told to give a temporary intern access to exactly the one shared folder and the single application required for their assignment, and nothing else on the network. Which security principle is being applied?

Answer
Correct answer: C · Principle of least privilege

Granting an account only the minimum access needed to accomplish its assigned task, and no more, is the principle of least privilege.

Why the other options are wrong
  • A: This option lets a user reach many applications with one login, which is about sign-in convenience and does not describe restricting an account to only the minimum access its task requires.
  • B: This choice requires two or more different factors to verify identity at login, which strengthens authentication but says nothing about how narrowly a user's permissions should be scoped afterward.
  • D: This guess is the mechanism that lists who may access a resource, but the broader idea of granting only the minimum necessary rights to do the job is the principle being applied here.
Least privilege grants only the minimum access needed to perform assigned tasks — 220-1202 Obj 2.1
2.1 Summarize various security measures and their purposes

A technician is writing a password standard intended to resist brute-force and dictionary cracking while still being workable for users. Which requirement best meets current authoritative guidance?

Answer
Correct answer: D · Require a long, unique passphrase for each account and ban common passwords

Authoritative guidance favors length and uniqueness, with at least 14 to 16 characters per account and blocklists of easy-to-guess passwords, to resist guessing attacks.

Why the other options are wrong
  • A: This is the classic trap: frequent forced changes plus heavy complexity rules push users toward predictable patterns, and reuse across systems means one breach exposes many accounts at once.
  • B: This choice still permits a common word that a dictionary attack tries first, so adding a single digit does little to stop automated guessing of an easily predictable password.
  • C: This guess sends the secret over an insecure channel where it can be intercepted or stored in mailboxes, which exposes the credential rather than strengthening the password policy itself.
Strong policy favors long, unique passphrases per account and bans common passwords over forced complexity — 220-1202 Obj 2.1
2.1 Summarize various security measures and their purposes

A security lead wants true multifactor authentication, meaning the two items a user presents must come from two different factor categories. Which pairing satisfies that requirement?

Answer
Correct answer: A · A password plus a hardware security key

A password is something you know and a hardware security key is something you have, so combining them uses two distinct factor categories as required.

Why the other options are wrong
  • B: This option looks like two steps, but both a password and a PIN are secrets you memorize, so they belong to the same something-you-know category and do not form true multifactor authentication.
  • C: This choice uses two checks, yet both a fingerprint and a face scan are biometric traits in the something-you-are category, so it fails to combine two different factor types.
  • D: This guess simply doubles a single category, because each password is something you know, and stacking two knowledge secrets does not add a second, independent authentication factor.
True MFA combines factors from different categories: know, have, are — 220-1202 Obj 2.1
2.1 Summarize various security measures and their purposes

On a file server, each shared resource has an attached list that enumerates exactly which users and groups may access it and what rights, such as read or modify, each is granted. What is this list called?

Answer
Correct answer: B · Access control list (ACL)

A list of entities together with the access rights they are authorized to have on a resource is an access control list.

Why the other options are wrong
  • A: This option is stored data representing a person's fingerprint or face used to verify identity, which has nothing to do with a list enumerating which accounts may access a particular resource.
  • C: This choice is something issued so one login can reach many applications, so it concerns carrying authentication across apps rather than enumerating who may access one specific resource and how.
  • D: This guess is a forged source address used to impersonate a trusted system, which is an attack technique and not a list that defines permitted access to a protected resource.
An ACL enumerates which entities may access a resource and the rights they hold — 220-1202 Obj 2.1
2.8 Use common data destruction and disposal methods

Before a self-encrypting laptop drive is removed from service and recycled, a technician must ensure the stored data cannot be recovered, even with lab techniques. Which approach actually achieves this?

Answer
Correct answer: C · Sanitize the media (e.g., cryptographic erase) so the data is unrecoverable

Media sanitization, such as a cryptographic erase that destroys the encryption keys, renders the stored data unrecoverable by both ordinary and laboratory techniques.

Why the other options are wrong
  • A: This is a common misconception, because a quick format only clears the file table while the underlying data remains on the platters and is readily recoverable with ordinary tools.
  • B: This choice only removes pointers to the files, so the actual contents persist on the media until overwritten and can be retrieved with widely available recovery utilities.
  • D: This guess merely changes names and locations, leaving the full data intact on the drive where anyone with file access or recovery tools can still read it.
Sanitization (e.g., cryptographic erase) renders media data unrecoverable; formatting/deleting does not — 220-1202 Obj 2.8
2.4 Explain common social engineering attacks, threats, and vulnerabilities

Attackers are actively exploiting a flaw in a widely used application for which the vendor has not yet released any patch and may not even be aware of the issue. How is this kind of exploit best described?

Answer
Correct answer: D · Zero-day exploit

Exploiting a previously unknown software vulnerability before any official patch is available, while the vendor may be unaware of it, is a zero-day exploit.

Why the other options are wrong
  • A: This option guesses passwords from a wordlist of likely values, so it targets weak credentials rather than exploiting an unknown, unpatched software flaw that the vendor has not yet fixed.
  • B: This choice floods a target with traffic from many hosts to deny availability, which disrupts service rather than leveraging a previously unknown vulnerability for which no patch exists.
  • C: This guess intercepts and alters traffic between two parties, so it operates on data in transit and does not describe exploiting an unpatched, vendor-unknown software vulnerability.
A zero-day exploits an unknown vulnerability before any patch exists — 220-1202 Obj 2.4
2.10 Install and configure browser/relevant security settings

Before entering banking credentials, a user wants to confirm the site is authentic and the connection is encrypted, and is unsure whether to proceed when the browser displays a certificate warning. What is the best guidance?

Answer
Correct answer: A · Verify a valid HTTPS certificate (padlock) and do not proceed past certificate warnings

A valid certificate with the HTTPS padlock signals an authenticated, encrypted connection, and an invalid-certificate warning may indicate interception, so the user should stop rather than continue.

Why the other options are wrong
  • B: This option overstates a pop-up blocker, which only suppresses unwanted windows and provides no assurance about a site's identity or whether the connection to it is actually encrypted.
  • C: This choice confuses controls, because password strength protects the account if the site is real but does nothing to verify the website's identity or the security of the connection.
  • D: This guess misuses SSO, which streamlines logins across applications but offers no guarantee that a particular destination site presents a valid certificate or an encrypted channel.
A valid HTTPS certificate (padlock) indicates an authenticated, encrypted site; heed certificate warnings — 220-1202 Obj 2.10
2.2 Wireless security protocols and authentication methods

A coffee shop wants customer laptops to reach the internet but never the point-of-sale terminals and back-office PCs that share the same router. Which wireless configuration best enforces this separation?

Answer
Correct answer: C · Create a separate, logically isolated guest network

A logically separated guest WLAN with its own SSID keeps customer devices from reaching internal hosts, exactly the external-versus-internal separation recommended for this scenario.

Why the other options are wrong
  • A: Reducing transmit power only shrinks the coverage area and signal strength; it does nothing to stop a connected customer device from reaching the internal terminals on the same network.
  • B: WPS only simplifies how a device joins the wireless network; once joined, the customer device still sits on the same LAN and can reach the point-of-sale terminals.
  • D: Suppressing the SSID broadcast only stops the name from appearing in scans; connected customers remain on the same subnet and tools can still discover the hidden network.
A logically separated guest WLAN prevents customer devices from reaching internal hosts — 220-1202 Obj 2.2
2.2 Wireless security protocols and authentication methods

A technician is configuring a brand-new wireless router and wants the strongest currently available over-the-air encryption for client traffic. Which protocol should be selected?

Answer
Correct answer: B · WPA3

WPA3 is the newest certified protocol and is described as the strongest available wireless encryption, delivering increased cryptographic strength and stronger protection against password guessing.

Why the other options are wrong
  • A: WEP is a deprecated, easily cracked legacy protocol; choosing it for compatibility leaves wireless traffic exposed and is the opposite of selecting the strongest available encryption.
  • C: Original WPA with TKIP is an older, weaker protocol kept only for legacy support; it does not provide the strongest available encryption that the technician is asked to choose.
  • D: A captive portal only gates access with a login page; traditional open networks transmit data without encryption, so this choice provides no strong over-the-air protection at all.
WPA3 is the strongest currently available certified wireless encryption — 220-1202 Obj 2.2
2.2 Wireless security protocols and authentication methods

An enterprise wants every employee to log in to corporate Wi-Fi with their own domain username and password, validated from one central directory instead of a single shared passphrase on each device. Which component delivers this?

Answer
Correct answer: A · A RADIUS server using 802.1X (WPA2/WPA3-Enterprise)

A RADIUS server performs centralized authentication, authorization, and accounting for 802.1X wireless, validating each user's unique credentials against the directory rather than a shared key.

Why the other options are wrong
  • B: A pre-shared key gives every device the same secret and identifies no individual user, which is exactly the shared-passphrase model the enterprise is trying to replace.
  • C: MAC filtering only checks a device's hardware address against an allow list; it authenticates hardware, not the person, and provides no per-user domain credential validation.
  • D: DHCP reservations only assign predictable IP addresses to devices; they have nothing to do with verifying user identities or centralizing authentication for wireless access.
A RADIUS/802.1X server centralizes per-user authentication for enterprise Wi-Fi — 220-1202 Obj 2.2
2.2 Wireless security protocols and authentication methods

Hotel guests connect to a traditional open (no-password) Wi-Fi that displays a captive portal login page. Which security limitation should a technician warn them about?

Answer
Correct answer: D · Traffic on the open network is unencrypted and can be captured by sniffing

Traditional open networks carry traffic in the clear, so an attacker within range can use sniffing tools to read passwords or other sensitive data sent over them.

Why the other options are wrong
  • A: A captive portal only intercepts the browser to force a login or acceptance page; it performs no malware inspection and gives no assurance about the safety of traffic.
  • B: Completing a portal login does not negotiate any encryption; a traditional open network stays unencrypted before and after sign-in, so this reassurance is false.
  • C: Hiding an SSID only removes the name from beacons; the radio frames are still broadcast in the clear and can be captured by anyone within range.
Traditional open Wi-Fi sends traffic unencrypted and is vulnerable to sniffing — 220-1202 Obj 2.2
2.5 Microsoft Windows OS security settings

After a pass-the-hash incident, a security team wants Windows to keep NTLM hashes and Kerberos ticket-granting tickets in a hardware-isolated process that even administrator-level malware on the machine cannot read. Which feature provides this?

Answer
Correct answer: B · Windows Defender Credential Guard

Credential Guard uses virtualization-based security to move NTLM hashes and Kerberos TGTs into the isolated LSA process, where the running operating system and its malware cannot reach them.

Why the other options are wrong
  • A: UAC only asks users to approve actions that need administrative rights; it does not isolate stored secrets, so it cannot stop credential-theft tools from reading hashes in memory.
  • C: BitLocker encrypts volumes to protect data at rest on lost or stolen drives; it does not isolate live authentication secrets in memory from credential-dumping attacks.
  • D: The firewall filters inbound and outbound network connections; it offers no protection for credential material held in the Local Security Authority's process memory.
Credential Guard uses VBS to isolate NTLM hashes and Kerberos TGTs from the OS — 220-1202 Obj 2.5
2.5 Microsoft Windows OS security settings

To slow online password-guessing against domain accounts, an administrator wants Windows to disable an account automatically after a defined number of consecutive failed sign-ins. Which Group Policy setting accomplishes this?

Answer
Correct answer: C · Account lockout threshold

The account lockout threshold sets the number of failed sign-ins that locks an account, directly limiting automated guessing by stopping further attempts once the limit is hit.

Why the other options are wrong
  • A: Minimum password length only forces longer passwords at creation time; it raises the cost of guessing but never disables an account after repeated failed sign-in attempts.
  • B: Complexity rules force a mix of character types when a password is set; they strengthen the secret itself but do not lock an account after bad attempts.
  • D: Maximum password age only forces users to change their password after a set number of days; it has no effect on locking accounts during a guessing attack.
Account lockout threshold disables an account after a set number of failed sign-ins — 220-1202 Obj 2.5
2.5 Microsoft Windows OS security settings

A workstation runs fine, but several vendor security bulletins describing exploitable flaws were published last month. What is the most effective routine action to protect it against attacks that target those known flaws?

Answer
Correct answer: A · Apply OS and application security updates promptly

Security updates close the specific vulnerabilities attackers exploit, and installing them as soon as possible, ideally automatically, is the most effective defense against known flaws.

Why the other options are wrong
  • B: Turning off the firewall removes a protective control and is unnecessary for updates; it widens the attack surface rather than addressing the published vulnerabilities at all.
  • C: Adding another administrator account does nothing to patch the flawed code and actually increases the number of privileged credentials an attacker could target.
  • D: Defragmentation only reorganizes files to improve disk performance; it has no relationship to fixing security vulnerabilities or blocking exploitation of unpatched software.
Promptly applying security updates closes known, exploitable vulnerabilities — 220-1202 Obj 2.5
2.5 Microsoft Windows OS security settings

To stop malware on USB flash drives from launching the instant a drive is inserted into company PCs, which hardening step should be deployed through Group Policy?

Answer
Correct answer: D · Disable AutoRun/AutoPlay on removable media

Disabling AutoRun and AutoPlay stops Windows from automatically running programs when media is inserted, removing the exact mechanism worms use to spread from USB drives.

Why the other options are wrong
  • A: BitLocker To Go encrypts data on removable drives so it cannot be read if lost; it protects confidentiality but does not stop inserted media from auto-executing programs.
  • B: The lockout threshold only governs failed sign-in attempts against accounts; it has no influence on whether files on inserted removable media run automatically.
  • C: Firewall logging only records network connection events for later review; it neither inspects USB media nor prevents code on a drive from executing on insertion.
Disabling AutoRun/AutoPlay stops inserted media from auto-executing malware — 220-1202 Obj 2.5
2.1 Summarize various security measures and their purposes

In a Windows Active Directory domain, which authentication protocol issues time-limited tickets from a Key Distribution Center and lets the client and server mutually verify each other's identity?

Answer
Correct answer: B · Kerberos

Kerberos issues renewable tickets from the Key Distribution Center and lets each party verify the other, providing the ticket-based mutual authentication described in the scenario.

Why the other options are wrong
  • A: NTLM uses a challenge-response exchange and assumes the server is genuine; it does not issue KDC tickets and does not let the client verify the server's identity.
  • C: PAP simply transmits a username and password, historically in clear text, with no tickets, no key distribution center, and no mutual verification of the server.
  • D: CHAP periodically re-verifies a peer with a hashed challenge over point-to-point links; it issues no Kerberos-style tickets and is not the domain ticketing protocol described.
Kerberos issues KDC tickets and provides mutual authentication in AD domains — 220-1202 Obj 2.1
2.1 Summarize various security measures and their purposes

A federal agency issues each employee a tamper-resistant card that stores their private key and an X.509 certificate; signing in requires inserting the card and entering a PIN. Which authentication method is described?

Answer
Correct answer: C · Smart card (PIV) certificate-based authentication

A PIV smart card is a tamper-resistant device storing the private key and X.509 certificate, and combining the card with a PIN provides the certificate-based two-factor logon described.

Why the other options are wrong
  • A: A TOTP app produces rotating numeric codes from a shared seed; it involves no physical card, no stored private key, and no X.509 certificate as described here.
  • B: A synced FIDO2 passkey lives in software across devices rather than on a tamper-resistant issued card holding a certificate and PIN, so it does not match the description.
  • D: Knowledge questions and a password are both 'something you know' and involve no certificate or hardware token, so they cannot represent the card-and-PIN method described.
A PIV smart card stores a private key and X.509 certificate for certificate-based logon — 220-1202 Obj 2.1
2.1 Summarize various security measures and their purposes

A company wants the most phishing-resistant second factor for employee logins. Which 'something you have' option should it prioritize over SMS one-time codes?

Answer
Correct answer: A · A FIDO/WebAuthn hardware security key

FIDO/WebAuthn hardware keys are the widely available phishing-resistant authenticator; they validate the real site and block attempts to authenticate against attacker-controlled fake pages.

Why the other options are wrong
  • B: SMS codes can be phished, intercepted, or defeated by SIM-swapping, so although better than no second factor they are explicitly weaker than phishing-resistant options.
  • C: Knowledge-based questions are 'something you know,' are easily researched or guessed from social media, and are not a possession factor at all, let alone phishing-resistant.
  • D: A stronger password is still a single knowledge factor that can be phished or harvested; it adds no second factor and does not deliver phishing resistance.
FIDO/WebAuthn hardware keys are the phishing-resistant 'something you have' factor — 220-1202 Obj 2.1
2.1 Summarize various security measures and their purposes

Management wants a system that detects and blocks employees from emailing files that contain credit-card numbers or Social Security numbers outside the company. Which control category fits this requirement?

Answer
Correct answer: D · Data loss prevention (DLP)

DLP inspects content to identify and monitor sensitive data and can block its unauthorized transmission, which is exactly what is needed to stop sensitive emails leaving.

Why the other options are wrong
  • A: An IDS watches network traffic for attack signatures and anomalies and raises alerts; it is not built to inspect message content for sensitive data and block its transmission.
  • B: A host firewall allows or blocks connections based on ports, addresses, and applications; it does not analyze the content of files or emails for regulated personal information.
  • C: Full-disk encryption protects data at rest on a lost or stolen drive; it does not monitor outbound email or stop an authenticated user from sending sensitive files.
DLP identifies sensitive content and blocks its unauthorized transmission — 220-1202 Obj 2.1
2.1 Summarize various security measures and their purposes

An employee's laptop is stolen from a parked car. Which control, if applied beforehand, best ensures the thief cannot read the company files stored on the drive?

Answer
Correct answer: B · Full-disk encryption (BitLocker) on the drive

Full-disk encryption renders the entire volume unreadable without the proper key or PIN, so data stays protected even if the drive is removed and attached elsewhere.

Why the other options are wrong
  • A: A logon or screen-saver password can be bypassed by removing the drive and reading it in another machine, because the data on the platters itself is left unencrypted.
  • C: A firewall only controls network connections to and from the device; it provides no protection for files when an attacker has the physical drive in hand offline.
  • D: Antivirus detects and removes malware on a running system; it does nothing to stop someone who has physically taken the drive from copying its unencrypted files.
Full-disk encryption keeps data at rest unreadable on a lost or stolen device — 220-1202 Obj 2.1
2.7 Mobile and embedded device security

A salesperson reports their company iPhone, which held customer data, was lost in an airport. Which action best prevents exposure of the data already on the device?

Answer
Correct answer: C · Issue a remote wipe to erase all content and settings

A remote wipe erases the device's content and settings, removing the stored customer data so a finder or thief cannot access it after the loss.

Why the other options are wrong
  • A: Changing the account password protects future logons to corporate systems but does nothing about the customer data already stored locally on the missing phone.
  • B: Sending an OS update would only patch software if the phone were recovered and online; it does not remove or protect the data sitting on the lost handset.
  • D: A shorter lock timeout is a preventive hardening setting; once the device is already lost it cannot be pushed reliably and does not remove the data at risk.
Remote wipe erases content on a lost or stolen mobile device — 220-1202 Obj 2.7
2.7 Mobile and embedded device security

A policy requires a passcode/screen lock on all company smartphones. Beyond stopping casual snooping, why is enforcing the device passcode important?

Answer
Correct answer: A · A passcode supplies entropy that enables device data encryption

On modern phones the passcode feeds entropy into the device encryption keys, so setting a passcode turns on data protection and a stronger passcode yields stronger encryption.

Why the other options are wrong
  • B: Locking the screen does not turn off the cellular radio; the device keeps receiving calls, messages, and push notifications, so this stated benefit is simply incorrect.
  • C: A passcode controls unlock access only; operating-system and app updates are a separate process and are never triggered merely by configuring a screen lock.
  • D: A passcode has no effect on wireless connectivity; the phone can still join Wi-Fi networks normally whether or not a screen lock is configured.
A device passcode enables and strengthens mobile data encryption — 220-1202 Obj 2.7
2.7 Mobile and embedded device security

A company issues hundreds of tablets and needs to enforce screen-lock rules, deploy approved apps, and wipe lost devices, all from a single management console. Which solution provides this centralized control?

Answer
Correct answer: D · Mobile device management (MDM/EMM) enrollment

Enrolling devices into MDM/EMM centralizes management so administrators can enforce screen-lock policies, distribute apps, and remotely wipe lost tablets from one console.

Why the other options are wrong
  • A: A VPN concentrator builds encrypted tunnels between networks; it does not enroll tablets or enforce per-device policies like screen locks, app deployment, and remote wipe.
  • B: A RADIUS server centralizes network authentication, authorization, and accounting for connections; it cannot push configuration policies or applications onto managed mobile devices.
  • C: A DLP appliance inspects traffic to stop sensitive data from leaving; it does not enroll devices or manage their lock settings, apps, and remote-wipe operations.
MDM/EMM enrollment centrally enforces policy, deploys apps, and wipes devices — 220-1202 Obj 2.7
2.1 Summarize various security measures and their purposes

A remote employee must reach company resources from a hotel's public Wi-Fi. Which measure best protects the confidentiality of their data while it travels across that untrusted network?

Answer
Correct answer: B · Using a VPN to encrypt the data in transit

A VPN builds an encrypted tunnel to a trusted network, so even on untrusted public Wi-Fi the employee's data in transit cannot be read by anyone sniffing the link.

Why the other options are wrong
  • A: Signal strength only affects speed and reliability; a strong-but-open public network still carries traffic that an attacker within range can intercept and read.
  • C: Removing the screen lock weakens physical security and does nothing to encrypt traffic; data crossing the public network would remain just as exposed to interception.
  • D: Suspending updates leaves known vulnerabilities unpatched and has no effect on protecting data as it moves across the untrusted wireless network.
A VPN encrypts data in transit across untrusted public networks — 220-1202 Obj 2.1
2.2 Wireless security protocols and authentication methods

An organization wants wireless clients to authenticate using installed digital certificates instead of passwords, removing a credential that attackers could phish. Which 802.1X method supports this?

Answer
Correct answer: C · EAP-TLS using client X.509 certificates

EAP-TLS authenticates each client with an installed X.509 certificate over 802.1X, replacing phishable passwords with certificate-based credentials as the organization requires.

Why the other options are wrong
  • A: PAP simply passes a reusable username and password and supports no certificate exchange, so it neither eliminates phishable credentials nor fits certificate-based 802.1X.
  • B: WPA2-Personal authenticates every device with one shared passphrase rather than per-client certificates, leaving a shared secret that can be captured or shared improperly.
  • D: MAC filtering only compares a device's hardware address to an allow list; it issues no certificates, verifies no user, and is easily defeated by address spoofing.
EAP-TLS uses client X.509 certificates for certificate-based 802.1X authentication — 220-1202 Obj 2.2
2.4 Social engineering attacks, threats, and vulnerabilities

At an airport, a traveler's laptop lists two Wi-Fi networks with the identical name 'Airport_Free_WiFi.' The stronger, password-free one opens a page asking for an email and password before granting internet. Which attack is most likely in progress?

Answer
Correct answer: A · An evil twin access point

A fraudulent access point broadcasting a legitimate network's SSID with a stronger signal and a credential-harvesting portal is the textbook evil twin, exactly as described here.

Why the other options are wrong
  • B: A DDoS attack overwhelms a target with traffic to make it unavailable; it does not create a duplicate-named network or present a fake login page to capture credentials.
  • C: SQL injection inserts malicious database queries into a vulnerable web form on a server; it does not explain a second Wi-Fi network appearing with the same broadcast name.
  • D: A zero-day silently exploits an unpatched software flaw without user interaction; it would not surface as a duplicate visible SSID asking the user to type in credentials.
A duplicate-SSID rogue AP with a credential portal is an evil twin — 220-1202 Obj 2.4
2.3 Detect, remove, and prevent malware

A user reports that every document on their workstation now has an unfamiliar extension and will not open, and a text file on the desktop demands payment in Bitcoin within 72 hours to restore access. Which type of malware best fits this behavior?

Answer
Correct answer: C · Ransomware

Encrypting a victim's files and then demanding payment, often in cryptocurrency, to restore access is the defining behavior of ransomware, precisely matching the described symptoms.

Why the other options are wrong
  • A: A keylogger covertly captures typed input such as passwords and stays hidden; it does not encrypt files or post a visible note demanding cryptocurrency to release the data.
  • B: A rootkit conceals an attacker's presence and maintains stealthy persistence; its goal is to avoid detection rather than to advertise itself with an extortion message and locked files.
  • D: Spyware secretly gathers information about a user and sends it elsewhere without disrupting access; it does not render documents unusable or leave a ransom demand on the desktop.
File encryption plus a payment demand is ransomware — 220-1202 Obj 2.3
2.3 Detect, remove, and prevent malware

A company wants to be sure it can restore its data without paying if ransomware ever encrypts its servers. Which preparation gives the best chance of recovery?

Answer
Correct answer: B · Maintain offline, regularly tested backups of critical data

Offline backups that ransomware cannot reach and encrypt, and that are tested for restorability, let an organization rebuild its systems without paying, which is the recommended recovery preparation.

Why the other options are wrong
  • A: Paying offers no guarantee of a working decryptor, funds further crime, and is explicitly discouraged; it is a last resort, not a reliable recovery preparation an organization should plan around.
  • C: Many ransomware variants specifically locate and delete or encrypt accessible local shadow copies and backups, so copies on the same machine are commonly destroyed during the attack.
  • D: Stronger passwords help prevent some intrusions but do nothing to restore already-encrypted files; this control addresses initial access, not the ability to recover data after an incident.
Offline, tested backups enable ransomware recovery without paying — 220-1202 Obj 2.3
2.5 Workstation and device security best practices

A technician is deploying a new internet-facing network appliance that ships with a well-known factory username and password printed in its quick-start guide. Which hardening step should be completed before the device goes into production?

Answer
Correct answer: D · Change the default administrator credentials

Factory default usernames and passwords are publicly documented and identical across a product line, so replacing them is the essential first hardening step to block trivial unauthorized access.

Why the other options are wrong
  • A: A static address makes the device easier to find and manage but provides no protection if anyone can still log in with the publicly documented factory username and password.
  • B: Turning on a guest network adds an additional access path and is unrelated to the immediate risk; it does nothing to close the well-known default-credential hole on the device.
  • C: Disabling the firewall removes a protective layer and widens the attack surface; weakening defenses during setup is the opposite of hardening and leaves the device more exposed online.
Replace publicly documented factory credentials before deployment — 220-1202 Obj 2.5
2.1 Physical security measures

A data center keeps experiencing unauthorized people slipping in directly behind badged employees through the single door to the server room. Which physical control most directly prevents this following-through-the-door problem?

Answer
Correct answer: A · An access control vestibule

A vestibule places interlocking doors between an outer and inner area so only one authorized person passes at a time, which is purpose-built to stop piggybacking and tailgating.

Why the other options are wrong
  • B: A camera is a detective control that records who entered after the fact; it can document the tailgating but does nothing to physically stop the extra person from entering.
  • C: A perimeter fence controls who reaches the property boundary but offers no control at the interior server-room door, where the unauthorized following is actually occurring.
  • D: A stronger PIN only strengthens the credential of the authorized person; once that person opens the door, a follower can still walk in behind them before it closes.
An access control vestibule (mantrap) stops tailgating/piggybacking — 220-1202 Obj 2.1
2.8 Data destruction and disposal methods

A solid-state drive (SSD) holding sensitive records has physically failed and no longer responds to any software, so it cannot be overwritten or cryptographically erased before disposal. Which method best ensures the data cannot be recovered?

Answer
Correct answer: C · Physically destroy the SSD by shredding or pulverizing it

When a drive cannot be sanitized by software, NIST's Destroy methods such as shredding or pulverizing the media render the data unrecoverable, which fits this dead, unwritable SSD.

Why the other options are wrong
  • A: Degaussing only disrupts magnetic media such as hard disks and tape; it has no effect on an SSD's flash memory cells, so the stored data would remain fully recoverable.
  • B: A failed, unresponsive SSD cannot accept write commands, and flash wear-leveling can leave copies of data in cells that a normal overwrite never addresses anyway.
  • D: A drive that no longer responds to the system cannot execute any firmware-based reset utility, and a simple factory reset may not purge data from every flash cell regardless.
When sanitization is impossible, NIST Destroy (shred/pulverize) ensures unrecoverability — 220-1202 Obj 2.8
2.7 Mobile and embedded device security

An enterprise issues corporate smartphones and wants to keep employees from installing unvetted apps that could carry mobile malware. Which MDM/EMM policy best addresses this specific goal?

Answer
Correct answer: B · Allow only managed-app-store apps and block sideloading

Limiting installs to reviewed apps from the official or managed store, and blocking sideloading, directly applies mobile application vetting so unvetted malware-bearing apps cannot be loaded.

Why the other options are wrong
  • A: A screen-lock passcode protects data if a device is lost or stolen but does nothing to stop an authorized user from installing a malicious or unvetted application themselves.
  • C: Remote wipe is a recovery measure for missing devices; it removes data after the fact and provides no control over what applications a user chooses to install day to day.
  • D: A VPN protects data while it travels across untrusted networks but does not inspect or restrict which apps are installed, so a malicious app could still be downloaded and run.
Restricting installs to vetted/official-store apps blocks unvetted mobile malware — 220-1202 Obj 2.7
2.6 Authentication and multifactor methods

A security team is adding a second authentication factor but is concerned that SIM-swapping and SS7 interception could let attackers steal one-time codes sent by text message. Which 'something you have' factor avoids those specific weaknesses while remaining easy to deploy?

Answer
Correct answer: D · A time-based one-time password from an authenticator app

An authenticator app generates codes on the device itself rather than transmitting them over the cellular network, so SIM-swap and SS7 interception of SMS do not apply to it.

Why the other options are wrong
  • A: SMS delivery is exactly the channel under concern, because codes sent by text can be intercepted through SS7 protocol exploitation or redirected to an attacker via a SIM swap.
  • B: A stronger password is still a single 'something you know' factor; it adds no independent second factor and does not address interception of a delivered second-factor code at all.
  • C: A security question is another knowledge factor whose answer is often guessable or discoverable through research; it is not a 'something you have' factor and is unrelated to SMS risks.
Authenticator-app TOTP avoids SMS-specific SIM-swap and SS7 interception — 220-1202 Obj 2.6
About this domain

Domain 2, Security, is 25% of A+ Core 2 (220-1202). It spans malware types, social engineering and attacks, authentication and access control, wireless and workstation hardening, mobile security, and data destruction. Expect to identify an attack from a scenario or pick the right control to mitigate a threat.

Know the malware signatures (ransomware, rootkit, trojan, keylogger), the social-engineering playbook (phishing, vishing, tailgating, evil twin), authentication concepts (MFA factors, least privilege, NTFS vs share permissions), and secure data-destruction methods (degaussing, shredding, secure erase).

Domain 2 quick glossary

The terms that show up most on Domain 2 questions — one line each.

Ransomware: Malware that encrypts files and demands payment for the key.
Rootkit: Stealth malware that hides itself with elevated/kernel privileges.
Phishing: Deceptive messages that trick users into revealing credentials.
MFA: Multi-factor authentication using two or more independent factors.
Least privilege: Granting each account only the access it needs.
WPA3: Current Wi-Fi security standard with stronger encryption than WPA2.
BitLocker: Windows full-disk encryption protecting data at rest.
Degaussing: Erasing magnetic media by disrupting its magnetic field.