© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

ISC2 CC Security Operations • Complete Question Bank

ISC2 CC Security Operations — All Questions With Answers

Complete ISC2 CC Security Operations question bank — all 0 questions with answers and detailed explanations.

128 questions · Free · No signup

Question 1 (medium, multiple choice)

A security analyst discovers that a user's account has been used to access sensitive data outside of normal business hours from an unfamiliar IP address. The user claims they were not logged in at that time. Which security operations process should be initiated first?

Question 2 (easy, multiple choice)

A SOC analyst reviews an alert indicating a high number of failed login attempts from a single external IP address targeting multiple user accounts. Which security control is most effective at preventing this type of attack?

Question 3 (hard, multiple choice)

An organization's security policy requires that all network traffic logs be retained for at least one year. The SIEM system is running low on storage, and the administrator must decide which data to archive first. Which data set is the least critical for ongoing security monitoring and can be archived earliest?

Question 4 (medium, multiple choice)

During a routine security audit, an analyst finds that several critical servers have misconfigured firewall rules allowing inbound SSH access from the entire internet. Which immediate action should the analyst take?

Question 5 (easy, multiple choice)

A security operations center receives an alert that a workstation has been infected with ransomware. The infection is isolated to one machine. What is the first step in the containment phase of incident response?

Question 6 (medium, multiple choice)

An organization uses a SIEM to correlate logs from multiple sources. A rule triggers when a user logs in from two geographically distant locations within a short time. What type of attack does this rule primarily detect?

Question 7 (hard, multiple choice)

A company's security policy requires that all incident response activities be logged and that evidence be preserved for potential legal action. During an incident, a responder mistakenly uses a personal USB drive to copy log files. Which principle of forensic evidence handling has been violated?

Question 8 (easy, multiple choice)

A SOC analyst notices that a large volume of outbound traffic is occurring from a single workstation to an external IP address known to be associated with a command-and-control server. What is the most likely conclusion?

Question 9 (medium, multiple choice)

An organization has implemented a SIEM solution. The security team wants to detect when a user attempts to access a file they do not have permission to read. Which log source is most important for this detection?

Question 10 (medium, multi-select)

Which TWO of the following are common indicators of a phishing email? (Select TWO.)

Question 11 (hard, multi-select)

Which THREE of the following are best practices for securing a network firewall? (Select THREE.)

Question 12 (easy, multi-select)

Which TWO of the following are types of security controls used in defense in depth? (Select TWO.)

Question 13 (hard, multi-select)

Which THREE of the following are essential components of an incident response plan? (Select THREE.)

Question 14 (hard, multiple choice)

Refer to the exhibit. The IDS alert indicates a possible SpyEye botnet check-in from an internal host. What immediate action should the analyst take?

Exhibit:

```
[IDS Alert] Signature: ET TROJAN Win32/SpyEye Checkin
Source IP: 10.10.10.5 -> Destination IP: 203.0.113.50
Time: 2023-03-15 14:32:45
Alert: Priority 1
```

Question 15 (medium, multiple choice)

Refer to the exhibit. A security analyst reviews this log entry. What type of attack is most likely occurring?

Exhibit:

```
[Windows Security Log]
Event ID 4625: An account failed to log on.
Account Name: jdoe
Source Network Address: 192.168.1.100
Failure Reason: Unknown user name or bad password.
Count: 15 occurrences in 5 minutes.
```

Question 16 (medium, multiple choice)

Refer to the exhibit. A security engineer reviews this firewall ACL. Which of the following best describes the security posture?

Exhibit:

```
[Firewall Config]
access-list 100 permit tcp any host 10.0.1.10 eq 443
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
```

Question 17 (hard, multiple choice)

A medium-sized e-commerce company operates a web application on three virtual servers behind a load balancer. The application handles credit card payments and stores customer data in a database server. The company has a security operations team that monitors logs from firewalls, IDS, and servers. One morning, the IDS generates a critical alert indicating a SQL injection attempt from an external IP to the web application. The alert shows that the injection string was `' OR '1'='1' --`. The web server logs confirm that the request returned a 200 OK status and a large response size. The database logs show a query that returned multiple rows. The security analyst needs to determine the best immediate course of action. The company has a documented incident response plan that includes containment, eradication, and recovery phases. Which action should the analyst take first?

Question 18 (hard, multiple choice)

A financial institution has a security operations center that monitors network traffic using a SIEM. The SIEM receives logs from all network devices, servers, and endpoints. One analyst notices an anomaly: a user account, 'jsmith', which is normally used during business hours (9 AM to 5 PM), has been logging in from a remote IP address at 2 AM every day for the past week. The logins are successful, and the user is accessing internal file shares. The user jsmith works in the accounting department and has access to sensitive financial reports. The analyst checks the user's workstation logs and finds that the workstation is powered off at the time of the remote logins. The company uses two-factor authentication, but the log entries show that only the password was used. Which of the following is the most likely explanation and the best immediate action?

Question 19 (medium, multiple choice)

A company's security operations center (SOC) receives an alert about suspicious outbound traffic from a server in the DMZ to an external IP address known for command-and-control activity. The SOC analyst reviews the logs and sees that the source port is 443 and the destination port is 8080. Which of the following actions should the analyst take FIRST?

Question 20 (hard, multiple choice)

A SOC analyst is investigating a potential data exfiltration incident. The logs show that an internal user transferred a large volume of data to a cloud storage service using HTTPS. The analyst finds that the user's workstation has BitLocker Drive Encryption enabled, and the user has administrative privileges. Which of the following best describes the PRIMARY challenge in investigating this incident?

Question 21 (easy, multiple choice)

A security operations team is implementing a new SIEM solution. They want to ensure that logs from all critical systems are collected and analyzed in real time. Which of the following is the MOST important consideration when designing the log collection architecture?

Question 22 (medium, multiple choice)

A company has implemented a security information and event management (SIEM) system. The SOC team notices that the SIEM is generating a high volume of false positive alerts from a specific web application firewall (WAF). The WAF logs show many requests with SQL injection patterns, but the application is not vulnerable. Which of the following actions would BEST reduce false positives without compromising security?

Question 23 (medium, multi-select)

A SOC analyst is reviewing a security alert about a potential brute-force attack on the company's VPN server. The analyst sees multiple failed login attempts from different IP addresses within a short time frame. Which TWO actions should the analyst take to verify and respond to this incident? (Choose two.)

Question 24 (hard, multi-select)

An organization is planning to implement a security operations center (SOC) and is considering different monitoring strategies. Which THREE of the following are essential components of a tiered SOC model? (Choose three.)

Question 25 (medium, multiple choice)

An analyst reviews the firewall log exhibit. The source IP 10.0.1.100 is an internal web server. The destination IP 203.0.113.50 is an external host. What does this log pattern MOST likely indicate?

Exhibit:

```
EdgeRouter# show firewall log
Log for firewall-in
Fri Aug 18 14:23:45 2023 : IN=eth0 OUT=eth1 MAC=00:1a:2b:3c:4d:5e:6f:7a:8b:9c:0d:1e:2f SRC=10.0.1.100 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=34567 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Fri Aug 18 14:23:46 2023 : IN=eth0 OUT=eth1 MAC=00:1a:2b:3c:4d:5e:6f:7a:8b:9c:0d:1e:2f SRC=10.0.1.100 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=34568 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Fri Aug 18 14:23:47 2023 : IN=eth0 OUT=eth1 MAC=00:1a:2b:3c:4d:5e:6f:7a:8b:9c:0d:1e:2f SRC=10.0.1.100 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=34569 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
```

Question 26 (hard, multiple choice)

You are the lead SOC analyst for a medium-sized financial services company. The company uses a hybrid infrastructure with on-premises servers and cloud services (AWS). The SIEM is Splunk Enterprise, collecting logs from firewalls, IDS/IPS, endpoints (Windows and Linux), and AWS CloudTrail. Recently, the company experienced a ransomware attack that encrypted critical file servers. The initial infection vector was a phishing email that led to the download of a malicious macro-enabled document. The document was executed on a Windows workstation, which then established a C2 connection to an external IP. The C2 traffic was over HTTPS, and the workstation was part of the domain. After the attack, the forensic team found that the workstation had Windows Event Logs cleared, and the local admin account had been used to disable the antivirus. The C2 IP was later blocked, but the ransomware had already spread to file servers via SMB. As part of the lessons learned, you need to recommend improvements to prevent and detect such attacks in the future. Which of the following is the BEST course of action to address the specific weaknesses exploited in this incident?

Question 27 (easy, multiple choice)

A security analyst is reviewing an alert from the IDS that shows a large number of TCP SYN packets sent to a single port on multiple internal hosts from a single external IP address. The analyst suspects a reconnaissance attack. Which type of attack is this most likely?

Question 28 (hard, multi-select)

A SOC analyst is investigating an incident where an employee's workstation was compromised via a phishing email. The analyst has captured the following indicators: the email originated from a known malicious domain, the attachment was a macro-enabled document, and the macro executed a PowerShell command that downloaded a payload from a remote server. Which TWO actions should the analyst take immediately as part of the incident response process? (Choose two.)

Question 29 (medium, multiple choice)

Refer to the exhibit. A security analyst is reviewing firewall logs and notices repeated denied TCP packets from 192.0.2.10 to internal hosts. The packets are being denied by the access-group "OUTSIDE_IN". What is the most likely reason for these denials?

Exhibit (syslog output):

```
Jan 15 09:23:45 firewall01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/3456 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 15 09:23:46 firewall01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/3457 dst inside:10.0.0.5/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 15 09:23:47 firewall01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/3458 dst inside:10.0.0.5/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 15 09:23:48 firewall01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/3459 dst inside:10.0.0.6/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 15 09:23:49 firewall01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/3460 dst inside:10.0.0.6/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
```

Question 30 (medium, drag-and-drop ordering)

Drag and drop the steps to create a new VLAN on a managed switch into the correct order.

Question 31 (medium, drag-and-drop ordering)

Drag and drop the steps to configure a basic VPN (site-to-site) between two routers into the correct order.

Question 32 (medium, matching)

Match each phase of the incident response process to its description.

Descriptions to match:

- Train and equip the team
- Identify and scope the incident
- Stop the spread and restore systems
- Lessons learned and reporting

Question 33 (medium, matching)

Match each OSI layer to its function.

Descriptions to match:

- Data Link: frames and MAC addresses
- Network: routing and IP addresses
- Transport: end-to-end reliability
- Application: user interface and protocols

Question 34 (easy, multiple choice)

A security analyst receives an alert indicating multiple failed login attempts from a single IP address targeting a user account. Which action should the analyst take FIRST?

Question 35 (easy, multiple choice)

A company's backup strategy requires daily full backups of all servers. The backup window is 4 hours. What is the primary risk if backups consistently take longer than the window?

Question 36 (medium, multiple choice)

During a phishing investigation, a security analyst identifies that an employee clicked a malicious link. The analyst isolates the workstation. What is the NEXT best step?

Question 37 (medium, multiple choice)

A security operations center (SOC) analyst notices unusual outbound network traffic from a server that typically only receives connections. The traffic is encrypted and goes to an unknown external IP. Which step should the analyst perform FIRST?

Question 38 (hard, multiple choice)

A company is implementing a data loss prevention (DLP) solution. Which strategy BEST balances security and productivity when monitoring outgoing email?

Question 39 (hard, multiple choice)

After a security incident, the incident response team closes the case. What is the MOST important final step to improve future security posture?

Question 40 (easy, multiple choice)

An organization wants to ensure that a critical database can be restored within 2 hours after a failure. Which metric should the organization define?

Question 41 (medium, multiple choice)

A SOC analyst is reviewing logs from a web server and sees the following entry: `GET /../../../../etc/passwd HTTP/1.1`. Which type of attack is being attempted?

Question 42 (hard, multiple choice)

During a forensic investigation, the analyst needs to acquire a memory image from a live Windows system without altering evidence. Which tool is MOST appropriate?

Question 43 (medium, multi-select)

Which TWO are key components of an effective incident response plan? (Select TWO.)

Question 44 (hard, multi-select)

Which THREE are common indicators of a compromised system? (Select THREE.)

Question 45 (easy, multi-select)

Which THREE are essential elements of a disaster recovery plan? (Select THREE.)

Question 46 (hard, multiple choice)

A security analyst reviews this firewall configuration. Which potential security issue exists?

Exhibit:

```
# firewall config snippet
policy id=10 name "Allow Web"
  from zone=Trust to zone=Untrusted
  source 192.168.1.0/24
  destination any
  application ssl
  action permit
  log end
```

Question 47 (medium, multiple choice)

A security analyst observes these SSH logs. What is the MOST likely attack?

Exhibit:

```
$ cat /var/log/syslog | grep "sshd"
Apr 10 03:22:15 server1 sshd[12345]: Failed password for root from 10.0.0.99 port 22 ssh2
Apr 10 03:22:17 server1 sshd[12346]: Failed password for root from 10.0.0.99 port 22 ssh2
Apr 10 03:22:19 server1 sshd[12347]: Failed password for admin from 10.0.0.99 port 22 ssh2
Apr 10 03:22:21 server1 sshd[12348]: Failed password for admin from 10.0.0.99 port 22 ssh2
```

Question 48 (easy, multiple choice)

An AWS bucket policy is shown. What is the security implication?

Exhibit:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Question 49 (easy, multiple choice)

A security analyst notices repeated failed login attempts to a critical server from a single external IP address. Which immediate action should the analyst take?

Question 50 (medium, multiple choice)

During a security incident, the incident response team isolates a compromised workstation from the network. What is the primary purpose of this action?

Question 51 (hard, multiple choice)

An organization's backup strategy includes daily full backups and hourly incremental backups. During a restoration, they discover that a critical file was corrupted 6 hours ago. Which backup set is required for the restoration?

Question 52 (easy, multiple choice)

Which security control is most effective in preventing unauthorized physical access to a data center?

Question 53 (medium, multiple choice)

A company is implementing a security information and event management (SIEM) system. Which data source is most critical for detecting an ongoing brute-force attack?

Question 54 (hard, multiple choice)

During a disaster recovery test, the recovery time objective (RTO) for a critical application is 4 hours, but the actual recovery takes 6 hours. Which of the following best describes the impact?

Question 55 (easy, multiple choice)

An employee reports receiving a suspicious email with an attachment from an unknown sender. What is the first action the employee should take?

Question 56 (medium, multiple choice)

A security operations center (SOC) analyst receives an alert for a high volume of outbound traffic from an internal server to a known malicious IP address. Which step should the analyst take next?

Question 57 (hard, multiple choice)

Which of the following is the best practice for managing cryptographic keys in a large organization?

Question 58 (easy, multi-select)

Which TWO of the following are common indicators of a ransomware attack?

Question 59 (medium, multi-select)

Which TWO of the following are essential elements of an incident response plan?

Question 60 (hard, multi-select)

Which THREE of the following are best practices for securing a remote access VPN?

Question 61 (easy, multiple choice)

Refer to the exhibit. Based on the log entries, what type of attack is most likely occurring?

Exhibit:

```
Feb 12 10:23:45 server1 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Feb 12 10:23:47 server1 sshd[1234]: Failed password for admin from 192.168.1.100 port 22 ssh2
Feb 12 10:23:49 server1 sshd[1234]: Failed password for test from 192.168.1.100 port 22 ssh2
Feb 12 10:23:51 server1 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
```

Question 62 (medium, multiple choice)

Refer to the exhibit. Given the ACL shown, which traffic is allowed to reach 10.0.0.1?

Exhibit:

```
access-list 100 permit tcp any host 10.0.0.1 eq 80
access-list 100 permit tcp any host 10.0.0.1 eq 443
access-list 100 deny ip any any
```

Question 63 (hard, multiple choice)

Refer to the exhibit. Based on the JSON policy, what access does the SecurityAuditor role have?

Exhibit:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::critical-data/*",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/SecurityAuditor"}
    }
  ]
}
```

Question 64 (easy, multiple choice)

A security analyst notices repeated failed login attempts from a single IP address targeting multiple user accounts. Which security control should be implemented to mitigate this attack?

Question 65 (medium, multiple choice)

During a security incident, the incident response team needs to preserve evidence for potential legal action. Which of the following is the most important action to take when collecting volatile data from a compromised server?

Question 66 (hard, multiple choice)

An organization wants to ensure that its backup strategy can recover data within 2 hours after a system failure. Which metric should be defined in the disaster recovery plan?

Question 67 (medium, multiple choice)

A company deploys a new intrusion detection system (IDS) on the internal network. Which of the following best describes the primary purpose of this system?

Question 68 (easy, multiple choice)

An organization's security policy requires that all employees change their passwords every 90 days. This is an example of which type of security control?

Question 69 (hard, multiple choice)

A security analyst reviews firewall logs and sees a series of outbound connections from an internal server to a known command-and-control (C2) IP address at regular intervals. Which step should the analyst take first according to incident response best practices?

Question 70 (easy, multiple choice)

Which of the following is the primary purpose of a security information and event management (SIEM) system?

Question 71 (medium, multiple choice)

A company experiences a ransomware attack that encrypts all files on a critical server. The backup strategy includes nightly backups stored on a separate network. What should be the first action during recovery?

Question 72 (hard, multiple choice)

A security operations center (SOC) analyst is investigating an alert about a user downloading a suspicious file. The analyst opens the file on a sandboxed virtual machine and observes that it attempts to modify registry keys and establish persistence. This type of analysis is known as:

Question 73 (medium, multi-select)

Which TWO of the following are commonly used techniques to detect phishing emails? (Choose two.)

Question 74 (hard, multi-select)

Which TWO of the following are examples of detective security controls? (Choose two.)

Question 75 (easy, multi-select)

Which THREE of the following are important steps in the incident response process as defined by the NIST framework? (Choose three.)

Question 76 (medium, multiple choice)

Refer to the exhibit. A security analyst sees these logs from a Linux server. Which security control should the analyst recommend to address this pattern?

Exhibit:

```
Mar 15 10:30:22 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Mar 15 10:30:27 server sshd[1235]: Failed password for root from 192.168.1.100 port 22 ssh2
Mar 15 10:30:32 server sshd[1236]: Failed password for root from 192.168.1.100 port 22 ssh2
Mar 15 10:30:37 server sshd[1237]: Failed password for root from 192.168.1.100 port 22 ssh2
```

Question 77 (hard, multiple choice)

Refer to the exhibit. A firewall rule set is shown (first match applies). An analyst reviews these rules. Which of the following best describes the traffic outcome for a packet from source IP 10.0.0.1 to destination 192.168.1.1?

Exhibit:

```
rule deny any 10.0.0.0/8 log
rule permit any 10.0.0.0/8 any
rule deny any any log
```

Question 78 (easy, multiple choice)

Refer to the exhibit. An AWS IAM policy is shown. Which action is permitted by this policy?

Exhibit:

```
{
  "s3:version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

Question 79 (easy, multiple choice)

An organization wants to ensure that critical security events are not missed during off-hours. What is the best practice?

Question 80 (medium, multiple choice)

During a security incident, the incident response team needs to preserve evidence. Which of the following actions should be performed first?

Question 81 (hard, multiple choice)

A company's IDS generates an alert for a potential SQL injection attack on a web application. The analyst reviews the log and sees the following: "SELECT * FROM users WHERE username = 'admin' OR 1=1 --'". Which action should the analyst take next?

Question 82 (easy, multiple choice)

Which of the following is a primary goal of security operations?

Question 83 (medium, multiple choice)

An organization is implementing a new logging policy. Which type of data should be excluded from logs to comply with privacy regulations?

Question 84 (hard, multiple choice)

A security analyst notices that system logs are being overwritten before the retention period ends. What is the most likely cause?

Question 85 (easy, multiple choice)

Which of the following is an example of a detective control?

Question 86 (medium, multiple choice)

During a vulnerability scan, the security team discovers a critical vulnerability on a public-facing server. According to best practices, what should the team do next?

Question 87 (hard, multiple choice)

An analyst is reviewing a series of failed login attempts from multiple IP addresses targeting a single user account. This pattern is indicative of what type of attack?

Question 88 (easy, multi-select)

Which two of the following are common types of security controls?

Question 89 (medium, multi-select)

According to the NIST incident response lifecycle, which three phases are considered the core phases?

Question 90 (hard, multi-select)

A security operations center (SOC) analyst is investigating a potential data exfiltration. Which two indicators are most likely signs of data exfiltration?

Question 91 (easy, multiple choice)

Refer to the exhibit. A security analyst sees this log entry from a firewall. What is the most likely reason for this denial?

Exhibit

Apr 10 09:15:22 192.168.1.1 %ASA-4-106023: Deny tcp src outside:203.0.113.1/80 dst inside:10.0.0.5/33456 by access-group "INSIDE_IN" [0x0, 0x0]

Question 92 (medium, multiple choice)

Refer to the exhibit. An analyst sees many alerts from this IDS rule. What is a likely cause?

Exhibit

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible SQL Injection"; content:"SELECT"; nocase; content:"FROM"; distance:0; within:10; classtype:web-application-attack; sid:1000001; rev:1;)

Question 93 (hard, multiple choice)

Refer to the exhibit. What type of event is this?

Exhibit

Event ID 4625: An account failed to log on. Subject: Security ID: NULL_SID, Account Name: - , Account Domain: -; Logon Type: 3; Account For Which Logon Failed: Security ID: NULL SID, Account Name: administrator; Failure Reason: Unknown user name or bad password; Workstation Name: PC123; Source Network Address: 10.0.0.99;

Question 94 (easy, multiple choice)

A help desk technician receives a report that a user cannot access a shared network drive. The technician checks the file server and sees that the disk is full. What is the most immediate action the technician should take?

Question 95 (medium, multiple choice)

A security analyst is configuring an intrusion detection system (IDS) to detect SQL injection attacks. Which method is most effective?

Question 96 (hard, multiple choice)

A company's security policy requires that all sensitive data be encrypted during transfer. A security administrator discovers that an internal web application is using a self-signed TLS certificate. What vulnerability does this introduce?

Question 97 (easy, multiple choice)

A security operations center (SOC) analyst receives an alert for a potential malware infection on a workstation. Which of the following is the first action the analyst should take?

Question 98 (medium, multiple choice)

An organization implements a bring-your-own-device (BYOD) policy. Which security control is most important to enforce in the BYOD policy?

Question 99 (hard, multiple choice)

During a security incident, a forensic analyst needs to acquire the contents of RAM from a live system. Which tool should be used?

Question 100 (easy, multiple choice)

A user reports that they received a suspicious email with an attachment claiming to be an invoice. What should the user do?

Question 101 (medium, multiple choice)

An organization has a policy that all servers must have security patches applied within 30 days of release. Which of the following is the best practice for patching?

Question 102 (hard, multiple choice)

A security analyst investigates a possible data exfiltration. The analyst sees a large amount of data being sent to an external IP address at regular intervals. Which of the following is the most likely technique being used?

Question 103 (easy, multi select)

Which THREE of the following are common components of a disaster recovery plan?

Question 104 (medium, multi select)

Which TWO of the following are types of security controls?

Question 105 (hard, multi select)

Which THREE of the following are best practices for securing a wireless network?

Question 106 (medium, multiple choice)

Refer to the exhibit. An analyst sees these logs. What type of attack is occurring?

Exhibit

Mar 24 10:23:45 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Mar 24 10:23:47 server sshd[1235]: Failed password for root from 192.168.1.100 port 22 ssh2
Mar 24 10:23:50 server sshd[1236]: Failed password for root from 192.168.1.100 port 22 ssh2

Question 107 (medium, multiple choice)

Refer to the exhibit. An administrator notices that external access to the MySQL database (port 3306) is blocked, but internal access should be allowed. What change should be made?

Network Topology
Chain INPUT (policy DROP)
target     prot  opt  source      destination
           tcp        0.0.0.0/0   0.0.0.0/0    tcp dpt:22
ACCEPT     tcp        0.0.0.0/0   0.0.0.0/0    tcp dpt:80
           tcp        0.0.0.0/0   0.0.0.0/0    tcp dpt:443
DROP       tcp        0.0.0.0/0   0.0.0.0/0    tcp dpt:3306

Question 108 (hard, multiple choice)

You are a security analyst at a medium-sized company with 500 employees. The company uses a centralized log management system that collects logs from all servers and network devices. For the past week, you have noticed a pattern: every night at 2:00 AM, a series of failed login attempts occurs on the domain controller from an internal IP address (10.10.50.100). The attempts use the username "Administrator" and are always from the same workstation in the accounting department. The accounting department operates 9 AM to 6 PM, so no one is in the office at 2 AM. You have checked the workstation's physical security; it is in a locked office with access only by authorized accounting staff. The workstation is running Windows 10 with up-to-date antivirus and has no signs of compromise. You also checked the network switch logs and see that the workstation is connected to a specific port. You suspect the workstation might be compromised or being used remotely. What is the most appropriate next step?

Question 109 (medium, multiple choice)

A SOC analyst detects a series of failed login attempts from a single external IP address targeting multiple user accounts within a short time. Which action should the analyst take FIRST?

Question 110 (easy, multiple choice)

Which of the following is a best practice for securing physical access to a data center?

Question 111 (hard, multiple choice)

During a forensic investigation, an analyst acquires a live system memory dump. Which tool is most appropriate for capturing the contents of volatile memory on a Windows system?

Question 112 (easy, multiple choice)

An organization wants to ensure that system logs are tamper-proof after generation. Which control should be implemented?

Question 113 (easy, multiple choice)

Which of the following is an example of a detective control in a security operations context?

Question 114 (hard, multiple choice)

A security analyst receives an alert from the SIEM indicating a potential data exfiltration event. The alert shows a large volume of data being transferred to an external IP address during non-business hours. What is the MOST appropriate immediate action?

Question 115 (medium, multiple choice)

An organization is implementing a patch management program. Which of the following is the BEST approach to minimize risk while maintaining operational stability?

Question 116 (easy, multi select)

Which TWO of the following are best practices for password management in a corporate environment?

Question 117 (medium, multi select)

Which TWO of the following are valid types of disaster recovery tests?

Question 118 (hard, multi select)

Which THREE of the following are essential components of a security baseline configuration for a server?

Question 119 (medium, multiple choice)

You are a SOC analyst for a financial institution. At 2:00 AM, your SIEM generates a critical alert from the email security gateway indicating that an internal user received a phishing email with a malicious attachment. The email was delivered to the user's inbox, and the user's account activity logs show that the attachment was opened 10 minutes ago. The user is a junior accountant who works in the accounts payable department. You have access to endpoint detection tools, email logs, and network traffic data. The organization's incident response policy requires containment within 30 minutes of detection. Which action should you take FIRST?

Question 120 (hard, multiple choice)

You are a forensic analyst responding to a reported compromise of a Linux web server. The server hosts a public-facing web application and is part of a DMZ. The initial investigation shows that unauthorized outbound connections were made to a known malicious IP address during the previous night. The server is still running and connected to the network, but the web application has been taken offline for maintenance. The incident response team wants to preserve evidence for potential legal action. You have a forensic workstation with tools like dd, netcat, and memory acquisition tools. Which of the following should be your FIRST step in the forensic acquisition process?

Question 121 (easy, multiple choice)

You are an IT administrator for a small business. The company has a backup system that performs nightly full backups of critical servers to an external hard drive. One morning, a user reports that they accidentally deleted an important file from a shared drive. You need to restore the file from last night's backup. However, when you connect the external hard drive to the backup server, the drive is not recognized, and you hear clicking sounds. The backup software shows that the most recent backup job completed successfully with no errors. What is the most likely cause of the problem?

Question 122 (medium, multiple choice)

You are a security engineer responsible for the company's intrusion detection system (IDS). The IDS has been generating an excessive number of false positive alerts related to a legitimate application that uses encrypted traffic. The alerts are based on network signatures that match certain patterns in the encrypted payload. The volume of alerts is overwhelming the SOC team, and they are beginning to ignore IDS alerts altogether. You have the ability to modify IDS signatures and tune the system. Which of the following is the BEST approach to reduce false positives while maintaining security?

Question 123 (hard, multiple choice)

You are a security analyst investigating a potential insider threat incident. An employee from the finance department has been behaving suspiciously: printing large volumes of sensitive financial reports, accessing files outside their normal work hours, and attempting to bypass the company's data loss prevention (DLP) controls by renaming files before emailing them. The employee has been with the company for 10 years and has a clean record. The company's policy requires that any investigation be conducted discreetly to avoid alerting the employee. You need to gather evidence to confirm or refute the suspicion. Which of the following actions should you take FIRST?

Question 124 (easy, multi select)

A security analyst is reviewing event logs and notices multiple failed login attempts from a single IP address followed by a successful login. Which TWO actions should the analyst take next?

Question 125 (medium, multiple choice)

A medium-sized company uses a SIEM solution to collect logs from firewalls, servers, and endpoints. The security team receives an alert indicating a possible data exfiltration: an employee's workstation is sending large amounts of data to an external IP address outside business hours. The employee works in the finance department and has access to sensitive financial records. The SIEM shows the connection is ongoing. The security team must respond immediately to contain the incident while preserving evidence. The company's incident response plan designates the security team as first responders. Which of the following is the BEST first action?

Question 126 (hard, multiple choice)

A large organization has implemented a Security Operations Center (SOC) with a tiered incident response model. Tier 1 analysts triage alerts and escalate confirmed incidents to Tier 2 for deeper analysis. Recently, the SOC has been overwhelmed by a high volume of low-severity alerts from endpoint detection and response (EDR) tools, causing delays in handling true positive incidents. The SOC manager wants to reduce alert fatigue without missing critical threats. Which of the following strategies would be MOST effective?

Question 127 (easy, multiple choice)

A small business has a single server that hosts critical applications. The server's hard drive fails, and the most recent backup is 3 days old. The backup is stored on an external drive that is kept in the same room as the server. The server is also the domain controller and file server. After replacing the drive and restoring from backup, the IT administrator discovers that some user files are missing because they were created after the backup. The administrator needs to minimize data loss in the future. Which of the following should be implemented?

Question 128 (medium, multiple choice)

A company's security policy requires that all privileged access to critical servers be logged and monitored. The IT team has implemented a jump server (bastion host) for administrators to connect to critical servers. All SSH connections to the jump server are logged, and from there, administrators connect to target servers. The security team notices that some administrators are bypassing the jump server and connecting directly to critical servers from their workstations. The direct connections are not logged. The security team needs to enforce the policy without disrupting operations. Which of the following is the BEST solution?
