Option A: Runtime security policies (e.g., limiting system calls with seccomp) help mitigate exploitation

risks but do not eliminate vulnerabilities. The CVEs could still be exploitable under certain conditions.

Option B: NetworkPolicies help restrict access to malicious actors but do not fix the vulnerabilities

within the image itself. The risk remains if an attacker finds another vector of exploitation.

Option C: Updating the base image to a patched version is the most effective way to eliminate

vulnerabilities before runtime. Modern container security best practices recommend using minimal and

frequently updated base images to reduce attack surfaces.

Option D: Whitelisting vulnerabilities is risky, as even if the application is not directly affected today,

future changes in dependencies or attack methods could expose the vulnerability.

Option A: Detection mode allows Falcon to monitor and alert on threats, but it does not create a direct

privilege escalation risk. While switching to prevention mode enhances security, the misconfiguration in

this scenario is related to IAM permissions rather than Falcon sensor settings.

Option B: Restricting SSH access to specific IPs is a best practice for minimizing exposure. While open

SSH access is a security risk, a properly restricted IP range does not directly contribute to privilege

escalation.

Option C: Granting AdministratorAccess to an EC2 instance profile is a critical security

misconfiguration. It allows any process running on the instance to assume unrestricted administrative

privileges, potentially leading to privilege escalation and lateral movement by an attacker. This is a high-

risk practice that should be avoided by implementing least privilege principles.

Option D: Enforcing MFA enhances security by requiring an additional authentication factor. While

MFA alone does not prevent all privilege escalation risks, it does not contribute to misconfiguration or

high-risk practices.

Option A: Scheduled reports must be configured with specific parameters such as data sources (cloud

assets, compliance findings, threat detections), reporting frequency (daily, weekly, monthly), and delivery

methods (email, dashboard, or external integrations).

Option B: While admin-level users can configure reports, role-based access control (RBAC) in

CrowdStrike allows specific roles, such as security analysts, to set up and receive reports without full

platform access.

Option C: Scheduled reports do not perform automatic mitigation; they provide insights and

recommendations, but security teams must take action based on the findings.

Option D: Scheduled reports are automated, meaning that once configured, they are generated

periodically without requiring manual execution.

Option A: Disabling logging and monitoring violates HIPAA compliance and makes it impossible to

detect security incidents. Cloud security requires continuous monitoring, audit logging, and alerting to

ensure compliance and threat mitigation.

Option B: Adaptive security rules using behavioral analytics and threat intelligence allow for proactive

threat detection and dynamic policy enforcement, ensuring both security and compliance. This method

74/192

prevents anomalies and unauthorized access without disrupting legitimate operations.

Option C: Default security group settings from cloud providers are often overly permissive. These must

be hardened with least privilege rules to prevent unauthorized access and data exposure.

Option D: An allow-all policy is a major security risk as it removes all access controls, making cloud

resources vulnerable to unauthorized access and potential data breaches, violating HIPAA compliance.

Option A: There is no requirement to link AWS and Azure for Falcon integration. Each cloud provider

has its own independent registration process.

Option B: Falcon sensors are not required for cloud account registration. Sensors provide endpoint

protection, whereas registration integrates Falcon with AWS APIs for monitoring.

Option C: CrowdStrike Falcon requires a properly configured IAM role with the necessary permissions

8/192

and a trust policy allowing Falcon to assume the role. If the trust relationship is not set up correctly,

Falcon cannot access the account to complete registration.

Option D: The IAM role is not assigned to a Lambda function but is instead created for Falcon to

assume. Registering a cloud account does not require Lambda integration.

Option A: Applying actual changes, even to a limited set of resources, does not constitute a dry run. A

dry run explicitly avoids making changes to validate the workflow without risk.

Option B: A dry run simulates the actions of the remediation workflow without actually making any

changes to the resources. This process is crucial for validating the workflow's logic, ensuring it targets the

6/192

intended findings, and understanding potential impacts. Dry runs help reduce the risk of unintended

disruptions in production environments.

Option C: A dry run does not bypass permissions validation. In fact, testing permissions is an important

part of the dry run process to ensure the workflow has the necessary access.

Option D: Generating compliance reports is not the purpose of a dry run. While useful for audits,

compliance reports do not test the logic or simulate the outcomes of a workflow.

72/192

Option A: Default Falcon registry settings may not cover all organizational needs. Custom configurations

should be made to ensure alignment with security policies.

Option B: Allowing all registries without authentication increases security risks, as unauthorized or

malicious images can be pulled and deployed.

Option C: To ensure pre-runtime protection, administrators should define registry connection details,

specify the registry URL, enable authentication (if needed), and set image scanning policies for security

compliance.

Option D: Private repositories are not automatically secure. Vulnerabilities can still exist in private

images, making it critical to enable scanning even for internal sources.

Option A: Deleting accounts without assessing their purpose could lead to operational disruptions,

especially if service accounts or critical roles are affected. CIEM focuses on remediation, not immediate

deletion.

Option B: Revoking all permissions is overly disruptive and impractical. Instead, permissions should be

adjusted based on the principle of least privilege to allow users to perform their roles securely.

Option C: CIEM emphasizes the principle of least privilege and the enforcement of MFA as core

security practices. Adjusting permissions to align with job roles and enabling MFA significantly reduces

the attack surface and prevents unauthorized access.

Option D: Transferring ownership does not address the underlying issue of excessive permissions or

missing MFA. It is a superficial action that leaves the security risks unresolved.

Option A: It is not necessary for all users in the cloud account to be enrolled in Falcon platform

authentication. Only the role or user performing the integration needs access.

Option B: Administrator-level access is not required and is considered a poor security practice.

CrowdStrike's design uses least-privilege access to minimize exposure.

Option C: To register a cloud account with CrowdStrike Falcon, a dedicated IAM role (for AWS) or

service principal (for Azure) must be configured with the appropriate permissions for CrowdStrike

integration. This ensures secure, granular access to the necessary resources for monitoring without over-

provisioning access rights.

Option D: Installing the Falcon agent on virtual machines is not a prerequisite for account registration.

The registration process focuses on cloud API integration, not individual agent deployment.

Option A: Monitoring does not address the root cause and leaves the system vulnerable to exploitation.

Prevention is better than detection in this context.

Option B: This approach may ensure a fresh start, but it is unnecessarily drastic and inefficient.

Upgrading the vulnerable package within the existing image is typically sufficient and more practical.

Option C: This is the recommended practice for addressing vulnerabilities. Updating the specific

package ensures the image is secure while maintaining functionality. Re-scanning verifies the

vulnerability is resolved.

Option D: Postponing mitigation can leave your systems exposed to security risks. Critical vulnerabilities

should be addressed immediately.