Sample questions
ISC2 Certified in Cybersecurity CC practice questions
A security analyst discovers that a user's account has been used to access sensitive data outside of normal business hours from an unfamiliar IP address. The user claims they were not logged in at that time. Which security operations process should be initiated first?
Trap 1: Perform a forensic analysis of the user's workstation
Forensic analysis is a later step in incident response; first, the incident must be declared and the response team mobilized.
Trap 2: Reset the user's password and enforce multi-factor authentication
These are remediation steps that would follow the initial incident response actions like containment.
Trap 3: Disable the user account immediately
Disabling the account is a containment step that should be part of the incident response plan, but it is not the first process to initiate. First, the incident should be reported and triaged.
- A
Perform a forensic analysis of the user's workstation
Why wrong: Forensic analysis is a later step in incident response; first, the incident must be declared and the response team mobilized.
- B
Reset the user's password and enforce multi-factor authentication
Why wrong: These are remediation steps that would follow the initial incident response actions like containment.
- C
Disable the user account immediately
Why wrong: Disabling the account is a containment step that should be part of the incident response plan, but it is not the first process to initiate. First, the incident should be reported and triaged.
- D
Initiate the incident response process
The incident response process begins with detection and analysis; this scenario meets the criteria for initiating that process.
An organization wants to ensure that data remains unaltered during transmission over the internet. Which security goal is being addressed?
Trap 1: Non-repudiation
Non-repudiation prevents denial of actions, not data modification.
Trap 2: Availability
Availability ensures data is accessible, not unaltered.
Trap 3: Confidentiality
Confidentiality protects data from unauthorized access, not alteration.
- A
Non-repudiation
Why wrong: Non-repudiation prevents denial of actions, not data modification.
- B
Availability
Why wrong: Availability ensures data is accessible, not unaltered.
- C
Confidentiality
Why wrong: Confidentiality protects data from unauthorized access, not alteration.
- D
Integrity
Integrity ensures data is not altered during transmission.
A security auditor discovers that a user has been granted read and write access to a sensitive file, but the user's job only requires read access. Which access control principle has been violated?
Trap 1: Job rotation
Job rotation is a security practice to rotate roles, not directly related to permission levels.
Trap 2: Need-to-know
Need-to-know is about data access based on necessity, but here the issue is unnecessary write ability.
Trap 3: Separation of duties
Separation of duties divides tasks among multiple people, not about permission levels.
- A
Job rotation
Why wrong: Job rotation is a security practice to rotate roles, not directly related to permission levels.
- B
Need-to-know
Why wrong: Need-to-know is about data access based on necessity, but here the issue is unnecessary write ability.
- C
Separation of duties
Why wrong: Separation of duties divides tasks among multiple people, not about permission levels.
- D
Least privilege
Least privilege requires minimal permissions; write access is excessive.
A company's network uses 802.1X authentication with PEAP-MSCHAPv2 on wired ports. Users report that after a recent switch firmware update, some workstations fail to authenticate intermittently, while others work fine. The authentication server logs show 'Authentication failed: Unknown CA certificate' for affected workstations. What is the most likely cause?
Trap 1: The switch is not forwarding EAP packets properly due to a firmware…
The error message indicates a certificate issue, not packet forwarding.
Trap 2: The RADIUS shared secret was changed during the firmware update
A shared secret mismatch would cause 'Access-Reject' or 'Authentication failed' without certificate-specific errors.
Trap 3: The authentication server (NPS) is overloaded and dropping requests
Overload would cause timeouts, not certificate errors.
- A
The switch is now using a different certificate that is not trusted by the clients
The firmware update is the only change that coincides with the failures, and the logged error is a certificate-trust failure in the PEAP TLS handshake, so a trust-chain change is the best fit among the choices. Caveat: in 802.1X the switch is only the authenticator and relays EAP frames; the certificate a supplicant validates under PEAP is presented by the RADIUS (NPS) server, not the switch. In practice, check the NPS server certificate and its issuing CA, and whether the affected workstations still have that CA in their trusted store and are configured to accept that server name, before blaming the switch.
- B
The switch is not forwarding EAP packets properly due to a firmware bug
Why wrong: The error message indicates a certificate issue, not packet forwarding.
- C
The RADIUS shared secret was changed during the firmware update
Why wrong: A shared secret mismatch would cause 'Access-Reject' or 'Authentication failed' without certificate-specific errors.
- D
The authentication server (NPS) is overloaded and dropping requests
Why wrong: Overload would cause timeouts, not certificate errors.
During a security audit, a penetration tester captures network traffic and finds that some packets have the IP ID field set to 0 and the DF (Don't Fragment) flag set. What is this technique attempting to do?
Trap 1: Spoof the source IP address of the attacker's machine
The forged source address is the zombie's, not the attacker's; the point of the technique is that the attacker's own address never reaches the target.
Trap 2: Launch a denial-of-service attack against the target
Idle scan is not a DoS; it's a stealth scan.
Trap 3: Evade a firewall by fragmenting packets
DF flag prevents fragmentation.
- A
Spoof the source IP address of the attacker's machine
Why wrong: The forged source address is the zombie's, not the attacker's; the point of the technique is that the attacker's own address never reaches the target.
- B
Launch a denial-of-service attack against the target
Why wrong: Idle scan is not a DoS; it's a stealth scan.
- C
Perform a stealth scan using a zombie host to hide the attacker's identity
An idle scan forges probe packets with the zombie's source address and infers the target's port state from how far the zombie's IP ID advanced between two probes of the zombie; the attacker's own address never reaches the target. Caveat: this only works when the zombie is idle and uses a predictable, globally incrementing IP ID. A host that sends IP ID 0 with DF set (as modern Linux does) gives the attacker nothing to measure and is useless as a zombie, so those packet characteristics on their own are a weak signature of idle scanning.
- D
Evade a firewall by fragmenting packets
Why wrong: DF flag prevents fragmentation.
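The inference step of the idle scan described above, modelled in-process so it can be run without sending packets. This is an added example, not code from the original page: the `Zombie` and `Target` classes, the IP ID start value, and the addresses are assumptions made for the demonstration, and the two failure modes at the end (a zombie that emits IP ID 0, and a zombie that is not idle) go beyond the question to show when the technique does not work.

```python
"""Idle (zombie) scan inference, modelled in-process. Added example, not code from the
original page: toy Zombie/Target objects stand in for real hosts and no packets are sent."""
from dataclasses import dataclass, field


@dataclass
class Zombie:
    """Host whose IP ID the attacker samples. A usable zombie is idle and increments its
    IP ID by one for every packet it sends; sequential=False models a host that emits
    IP ID 0 with DF set, as modern Linux does, and so cannot serve as a zombie."""
    ip: str
    ip_id: int = 1000          # assumed starting value
    sequential: bool = True
    background: int = 0        # unrelated packets the zombie sends per scan step (busy zombie)

    def send(self) -> int:
        """Emit one packet and return the IP ID it carried."""
        if not self.sequential:
            return 0
        self.ip_id += 1
        return self.ip_id


@dataclass
class Target:
    ip: str
    open_ports: set = field(default_factory=set)

    def receive_syn(self, spoofed_source: Zombie, port: int) -> None:
        """SYN whose source address was forged to be the zombie's.
        Open port: target sends SYN/ACK to the zombie, which answers with a RST (one IP ID).
        Closed/filtered port: target sends RST or nothing; the zombie sends no packet."""
        if port in self.open_ports:
            spoofed_source.send()


def probe(zombie: Zombie) -> int:
    """Attacker sends an unsolicited SYN/ACK to the zombie; the RST it gets back
    reveals the zombie's current IP ID."""
    return zombie.send()


def idle_scan(zombie: Zombie, target: Target, port: int) -> str:
    before = probe(zombie)                 # 1. sample the zombie's IP ID
    target.receive_syn(zombie, port)       # 2. forged SYN to the target, source = zombie
    for _ in range(zombie.background):     #    any unrelated traffic the zombie sends meanwhile
        zombie.send()
    after = probe(zombie)                  # 3. sample again
    delta = after - before
    if delta == 2:
        return "open"                      # zombie sent one extra packet: its RST to the SYN/ACK
    if delta == 1:
        return "closed|filtered"           # only the probe reply; nothing reached the zombie
    return "unreliable"                    # zombie not idle, or IP ID not sequential


def demo() -> dict:
    """Scan three ports through an idle zombie, then show the two failure modes."""
    zombie = Zombie("192.0.2.50")
    target = Target("192.0.2.80", open_ports={80, 443})
    results = {port: idle_scan(zombie, target, port) for port in (22, 80, 443)}
    results["ip_id_zero_df"] = idle_scan(Zombie("192.0.2.51", sequential=False), target, 80)
    results["busy_zombie"] = idle_scan(Zombie("192.0.2.52", background=3), target, 80)
    return results


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key}: {verdict}")
```

The delta of 2 versus 1 is the entire signal, which is why a zombie with any background traffic, or one that does not increment its IP ID at all, makes the result unreadable.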
A security operations team is implementing a new SIEM solution. They want to ensure that logs from all critical systems are collected and analyzed in real time. Which of the following is the MOST important consideration when designing the log collection architecture?
Trap 1: Use a standardized log format for all systems
Standardization helps parsing but is not as critical as ensuring the logs can be collected reliably.
Trap 2: Encrypt all log transmissions in transit
Encryption is a security requirement but does not affect the ability to collect logs.
Trap 3: Define a log retention policy of at least one year
Retention policy is for storage, not for the collection architecture itself.
- A
Ensure sufficient network bandwidth and storage capacity
Insufficient bandwidth can cause log loss, and inadequate storage can lead to data being overwritten before analysis.
- B
Use a standardized log format for all systems
Why wrong: Standardization helps parsing but is not as critical as ensuring the logs can be collected reliably.
- C
Encrypt all log transmissions in transit
Why wrong: Encryption is a security requirement but does not affect the ability to collect logs.
- D
Define a log retention policy of at least one year
Why wrong: Retention policy is for storage, not for the collection architecture itself.
A company's security operations center (SOC) receives an alert about suspicious outbound traffic from a server in the DMZ to an external IP address known for command-and-control activity. The SOC analyst reviews the logs and sees that the source port is 443 and the destination port is 8080. Which of the following actions should the analyst take FIRST?
Trap 1: Notify the incident response team and management immediately
Notification is important but should come after taking immediate containment actions.
Trap 2: Block the external IP address at the firewall
Blocking the IP is reactive and may not address the root cause; the server could still be compromised.
Trap 3: Modify the firewall rule to deny all outbound traffic from the DMZ
This could affect other legitimate services in the DMZ and should be done after analysis.
- A
Notify the incident response team and management immediately
Why wrong: Notification is important but should come after taking immediate containment actions.
- B
Isolate the server from the network and investigate further
Isolation contains the threat and allows forensic analysis without risk of further damage.
- C
Block the external IP address at the firewall
Why wrong: Blocking the IP is reactive and may not address the root cause; the server could still be compromised.
- D
Modify the firewall rule to deny all outbound traffic from the DMZ
Why wrong: This could affect other legitimate services in the DMZ and should be done after analysis.
A SOC analyst is investigating a potential data exfiltration incident. The logs show that an internal user transferred a large volume of data to a cloud storage service using HTTPS. The analyst finds that the user's workstation has BitLocker Drive Encryption enabled, and the user has administrative privileges. Which of the following best describes the PRIMARY challenge in investigating this incident?
Trap 1: The volume of data transferred makes it difficult to determine what…
Volume is a challenge but not primary; the main issue is the user's ability to obscure actions due to privileges.
Trap 2: The data was transferred over HTTPS, which cannot be decrypted by…
HTTPS encryption prevents content inspection but does not stop detection of the transfer; it is a challenge but not primary.
Trap 3: BitLocker encryption prevents access to the hard drive for forensic…
BitLocker can be unlocked with the recovery key, so it is not insurmountable; it complicates but does not prevent analysis.
- A
The user has administrative privileges, which could allow them to cover their tracks
Administrative access allows modification of logs, deletion of evidence, and use of tools to hide malicious activity.
- B
The volume of data transferred makes it difficult to determine what was exfiltrated
Why wrong: Volume is a challenge but not primary; the main issue is the user's ability to obscure actions due to privileges.
- C
The data was transferred over HTTPS, which cannot be decrypted by the SOC
Why wrong: HTTPS encryption prevents content inspection but does not stop detection of the transfer; it is a challenge but not primary.
- D
BitLocker encryption prevents access to the hard drive for forensic analysis
Why wrong: BitLocker can be unlocked with the recovery key, so it is not insurmountable; it complicates but does not prevent analysis.
A company is implementing an access control system to protect sensitive data. Employees in the finance department must access financial records, but only during business hours and from company-issued devices. Which access control model best supports these requirements?
Trap 1: Attribute-Based Access Control (ABAC)
ABAC can handle this but is more complex; RuBAC is more appropriate for simple rule enforcement.
Trap 2: Discretionary Access Control (DAC)
DAC allows users to control access, not enforce time/device rules.
Trap 3: Mandatory Access Control (MAC)
MAC uses labels like Top Secret, not time or device restrictions.
- A
Attribute-Based Access Control (ABAC)
Why wrong: ABAC can handle this but is more complex; RuBAC is more appropriate for simple rule enforcement.
- B
Rule-Based Access Control (RuBAC)
RuBAC enforces access based on rules including time and device.
- C
Discretionary Access Control (DAC)
Why wrong: DAC allows users to control access, not enforce time/device rules.
- D
Mandatory Access Control (MAC)
Why wrong: MAC uses labels like Top Secret, not time or device restrictions.
A security administrator is reviewing the principles of access control. Which TWO of the following are core components of the AAA framework? (Select TWO.)
Trap 1: Identification
Identification is a step before authentication, not a separate AAA component.
Trap 2: Non-repudiation
Non-repudiation is a security objective, not part of AAA.
Trap 3: Auditing
Auditing is part of accounting but not a separate AAA component.
- A
Authorization
Authorization determines access rights; it is a core AAA component.
- B
Identification
Why wrong: Identification is a step before authentication, not a separate AAA component.
- C
Non-repudiation
Why wrong: Non-repudiation is a security objective, not part of AAA.
- D
Authentication
Authentication verifies identity; it is a core AAA component.
- E
Auditing
Why wrong: Auditing is part of accounting but not a separate AAA component.
Refer to the exhibit. What action did the firewall take on the traffic from 10.0.1.15 to 10.0.2.10?
Exhibit
Refer to the exhibit. syslog: 2025-03-15T10:23:45Z FW01 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.1.15(54321) -> 10.0.2.10(23), 1 packet
Trap 1: Logged and permitted
The log indicates the packet was denied, not permitted.
Trap 2: Permitted the traffic
The log says 'denied', not permitted.
Trap 3: Translated the source address
There is no indication of NAT in the log.
- A
Logged and permitted
Why wrong: The log indicates the packet was denied, not permitted.
- B
Denied the traffic
The syslog message explicitly states 'denied'.
- C
Permitted the traffic
Why wrong: The log says 'denied', not permitted.
- D
Translated the source address
Why wrong: There is no indication of NAT in the log.
A security administrator notices that a user with standard privileges was able to modify a system file. Which security principle has been violated?
Trap 1: Need to know
Need to know restricts access to information, not system files.
Trap 2: Defense in depth
Defense in depth involves multiple layers of security, not user permissions.
Trap 3: Separation of duties
Separation of duties prevents a single person from completing critical tasks alone, not directly related to file modification.
- A
Need to know
Why wrong: Need to know restricts access to information, not system files.
- B
Defense in depth
Why wrong: Defense in depth involves multiple layers of security, not user permissions.
- C
Least privilege
The user had more privileges than needed, violating least privilege.
- D
Separation of duties
Why wrong: Separation of duties prevents a single person from completing critical tasks alone, not directly related to file modification.
An organization uses a primary data center and a backup site 500 miles away. The backup site replicates data synchronously. Which risk is MOST likely introduced by this configuration?
Trap 1: High recovery point objective (RPO)
Synchronous replication yields low RPO, not high.
Trap 2: Data encryption overhead
Encryption may add processing delay but is not the primary risk from distance.
Trap 3: Insufficient bandwidth between sites
Bandwidth affects throughput but not necessarily latency.
- A
High recovery point objective (RPO)
Why wrong: Synchronous replication yields low RPO, not high.
- B
Data encryption overhead
Why wrong: Encryption may add processing delay but is not the primary risk from distance.
- C
Insufficient bandwidth between sites
Why wrong: Bandwidth affects throughput but not necessarily latency.
- D
Increased latency for write operations
Synchronous replication holds every write until the remote site acknowledges it, so each write pays the round-trip propagation delay, which grows with distance; at 500 miles that is on the order of several milliseconds per write before any equipment delay is counted.
Based on the exhibit, what is the most likely result of the client's HTTP request?
Exhibit
Refer to the exhibit.
```
Router# show running-config | section interface GigabitEthernet0/1
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group BLOCK_HTTP in
!
ip access-list extended BLOCK_HTTP
 deny tcp any any eq 80
 permit ip any any
```
A client at 192.168.1.100 attempts to access a web server at 10.0.0.1. The router's interface IP is 192.168.1.1.
Trap 1: The HTTP request is permitted because the ACL is applied to the…
The ACL is correctly applied inbound on the client's subnet interface; it will filter traffic coming from clients.
Trap 2: The HTTP request is permitted because the ACL only blocks traffic…
The ACL does not filter based on source IP; it blocks TCP port 80 from any source.
Trap 3: The HTTP request is blocked, and all other traffic from the client…
The permit ip any any allows all other traffic.
- A
The HTTP request is permitted because the ACL is applied to the wrong interface.
Why wrong: The ACL is correctly applied inbound on the client's subnet interface; it will filter traffic coming from clients.
- B
The HTTP request is permitted because the ACL only blocks traffic from the router's own IP.
Why wrong: The ACL does not filter based on source IP; it blocks TCP port 80 from any source.
- C
The HTTP request is blocked, and all other traffic from the client is also blocked.
Why wrong: The permit ip any any allows all other traffic.
- D
The HTTP request is blocked, but other traffic from the client is allowed.
The ACL denies TCP port 80, then permits all other IP traffic.
Refer to the exhibit. A security engineer reviews this firewall ACL. Which of the following best describes the security posture?
Exhibit
Refer to the exhibit.
```
[Firewall Config]
access-list 100 permit tcp any host 10.0.1.10 eq 443
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
```
Trap 1: The ACL is properly ordered with most specific rules first
The specific entries do come first and the list is evaluated top-down, but ending with permit ip any any leaves every protocol and port other than SSH open.
Trap 2: The ACL should have a deny any any at the end to be secure
Cisco ACLs already end in an implicit deny; it never takes effect here because the explicit permit ip any any matches everything first. The problem is that permit, not a missing deny.
Trap 3: The ACL correctly allows HTTPS and denies SSH, blocking other…
HTTPS is permitted and SSH is denied, but the last line permits all other traffic, so nothing else is blocked.
- A
The ACL is misconfigured because the final permit ip any any allows all traffic other than SSH
ACLs are evaluated top-down and the first matching line wins: line 1 permits HTTPS to 10.0.1.10, line 2 does block SSH, and line 3 then permits everything else (RDP, SMB, any UDP), so the list is effectively default-permit. Removing line 3 (so the implicit deny applies) or replacing it with deny ip any any log gives the intended default-deny posture.
- B
The ACL is properly ordered with most specific rules first
Why wrong: The specific entries do come first and the list is evaluated top-down, but ending with permit ip any any leaves every protocol and port other than SSH open.
- C
The ACL should have a deny any any at the end to be secure
Why wrong: Cisco ACLs already end in an implicit deny; it never takes effect here because the explicit permit ip any any matches everything first. The problem is that permit, not a missing deny.
- D
The ACL correctly allows HTTPS and denies SSH, blocking other traffic
Why wrong: HTTPS is permitted and SSH is denied, but the last line permits all other traffic, so nothing else is blocked.
A SOC analyst reviews an alert indicating a high number of failed login attempts from a single external IP address targeting multiple user accounts. Which security control is most effective at preventing this type of attack?
Trap 1: Deploying a web application firewall
A WAF protects web applications from HTTP-based attacks, not authentication brute-force attacks.
Trap 2: Enabling verbose logging for authentication events
Verbose logging aids detection but does not prevent attacks.
Trap 3: Increasing password complexity requirements
Complex passwords make guessing harder but do not prevent brute-force attempts; lockout does.
- A
Deploying a web application firewall
Why wrong: A WAF protects web applications from HTTP-based attacks, not authentication brute-force attacks.
- B
Enabling verbose logging for authentication events
Why wrong: Verbose logging aids detection but does not prevent attacks.
- C
Increasing password complexity requirements
Why wrong: Complex passwords make guessing harder but do not prevent brute-force attempts; lockout does.
- D
Implementing account lockout policies
Account lockout policies limit the number of failed attempts, preventing continued brute-force attacks.
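The triage a SOC analyst would run on that alert, and the check that shows where account lockout helps and where it does not. This is an added example, not code from the original page: the log lines are constructed in OpenSSH auth.log format and are not real data, and the thresholds (15-minute window, 5 failures to lock, 6 failures to flag a source) are assumptions chosen for the demonstration. It goes beyond the question by separating a single-account brute force from a password spray across many accounts.

```python
"""Failed-login triage over auth log lines: which source is brute-forcing, which is spraying,
and which accounts a lockout policy would actually lock. Added example, not from the page;
SAMPLE_LOG is constructed in OpenSSH auth.log format and is not real data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar 15 09:58:10 bastion sshd[1877]: Failed password for alice from 10.0.0.5 port 40111 ssh2
Mar 15 09:58:40 bastion sshd[1877]: Failed password for alice from 10.0.0.5 port 40112 ssh2
Mar 15 10:20:01 bastion sshd[2101]: Failed password for admin from 203.0.113.9 port 51001 ssh2
Mar 15 10:20:05 bastion sshd[2103]: Failed password for admin from 203.0.113.9 port 51002 ssh2
Mar 15 10:20:09 bastion sshd[2105]: Failed password for admin from 203.0.113.9 port 51003 ssh2
Mar 15 10:20:13 bastion sshd[2107]: Failed password for admin from 203.0.113.9 port 51004 ssh2
Mar 15 10:20:17 bastion sshd[2109]: Failed password for admin from 203.0.113.9 port 51005 ssh2
Mar 15 10:20:21 bastion sshd[2111]: Failed password for admin from 203.0.113.9 port 51006 ssh2
Mar 15 10:20:25 bastion sshd[2113]: Failed password for admin from 203.0.113.9 port 51007 ssh2
Mar 15 10:20:29 bastion sshd[2115]: Failed password for admin from 203.0.113.9 port 51008 ssh2
Mar 15 10:31:00 bastion sshd[2201]: Failed password for alice from 198.51.100.23 port 60001 ssh2
Mar 15 10:31:10 bastion sshd[2203]: Failed password for bob from 198.51.100.23 port 60002 ssh2
Mar 15 10:31:20 bastion sshd[2205]: Failed password for invalid user carol from 198.51.100.23 port 60003 ssh2
Mar 15 10:31:30 bastion sshd[2207]: Failed password for dave from 198.51.100.23 port 60004 ssh2
Mar 15 10:31:40 bastion sshd[2209]: Failed password for invalid user erin from 198.51.100.23 port 60005 ssh2
Mar 15 10:31:50 bastion sshd[2211]: Failed password for frank from 198.51.100.23 port 60006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failures(log: str, year: int = 2025) -> list:
    """Return (timestamp, user, source_ip) per failed-password line; syslog carries no year."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def _max_in_window(times, window: timedelta) -> int:
    """Largest number of events inside any span of length `window` (sliding window)."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def classify_sources(events, window=timedelta(minutes=15), min_failures=6) -> dict:
    """Per source IP over `min_failures` in `window`: brute-force (many guesses at few
    accounts) versus password spray (one or two guesses at many accounts)."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    findings = {}
    for ip, items in by_ip.items():
        failures = _max_in_window([ts for ts, _ in items], window)
        if failures < min_failures:
            continue
        accounts = len({user for _, user in items})
        kind = "password-spray" if accounts >= 5 and failures / accounts <= 2 else "brute-force"
        findings[ip] = {"failures": failures, "accounts": accounts, "kind": kind}
    return findings


def lockout_triggers(events, threshold=5, window=timedelta(minutes=15)) -> set:
    """Accounts a per-account lockout policy (`threshold` failures in `window`) would lock."""
    by_user = defaultdict(list)
    for ts, user, _ in events:
        by_user[user].append(ts)
    return {u for u, times in by_user.items() if _max_in_window(times, window) >= threshold}


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print(classify_sources(ev))
    print("locked:", lockout_triggers(ev))
```

On this sample the lockout policy locks only `admin`: the spraying source gives each account a single failure and never trips a per-account threshold, so lockout stops the single-account brute force the question describes but not a low-and-slow spray, which needs source-based rate limiting or MFA. Lockout also hands anyone with a list of valid usernames a way to lock users out, so the threshold and automatic-unlock window should be chosen with that in mind.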
A SOC analyst notices that a large volume of outbound traffic is occurring from a single workstation to an external IP address known to be associated with a command-and-control server. What is the most likely conclusion?
Trap 1: The network is experiencing a denial of service attack
DoS attacks typically involve inbound traffic, not outbound from a single host.
Trap 2: The user is streaming video from a blocked site
Streaming video would not generate traffic to a known C2 server.
Trap 3: The workstation is performing a legitimate software update
Legitimate updates typically go to known, trusted domains, not known malicious IPs.
- A
The network is experiencing a denial of service attack
Why wrong: DoS attacks typically involve inbound traffic, not outbound from a single host.
- B
The user is streaming video from a blocked site
Why wrong: Streaming video would not generate traffic to a known C2 server.
- C
The workstation is performing a legitimate software update
Why wrong: Legitimate updates typically go to known, trusted domains, not known malicious IPs.
- D
The workstation is infected with malware that is beaconing to the attacker
C2 communication is a hallmark of malware infection.
Which TWO of the following are primary objectives of an incident response plan? (Choose two.)
Trap 1: Ensure business continuity during the incident
BCP handles continuity; IR focuses on response and recovery.
Trap 2: Collect evidence for legal proceedings
Evidence collection is secondary; containment and recovery are primary.
Trap 3: Identify the root cause of the incident
Root cause analysis is part of lessons learned, not an immediate objective.
- A
Ensure business continuity during the incident
Why wrong: BCP handles continuity; IR focuses on response and recovery.
- B
Return affected systems to normal operation
Recovery is a primary objective of IR.
- C
Collect evidence for legal proceedings
Why wrong: Evidence collection is secondary; containment and recovery are primary.
- D
Minimize the impact of the incident
Containment and mitigation are core IR objectives.
- E
Identify the root cause of the incident
Why wrong: Root cause analysis is part of lessons learned, not an immediate objective.
A company's primary data center experiences a complete power failure, and operations are shifted to a secondary site. The failover process takes 4 hours, but the recovery point objective (RPO) is set to 1 hour. Which of the following is the most likely consequence of this incident?
Trap 1: The failover process was unsuccessful.
Operations resumed at the secondary site, so the failover succeeded; it was slow, not failed.
Trap 2: No data loss occurred because the secondary site was available.
Data written after the last successful replication to the secondary site is lost; with a 1-hour RPO that can be up to an hour of transactions.
Trap 3: The recovery time objective (RTO) was not met.
The scenario does not state an RTO, so whether a 4-hour failover met it cannot be determined from the information given.
- A
Up to 1 hour of data was lost, and the business ran without its systems for 4 hours.
RPO bounds data loss: the secondary site holds data as of the last replication, at most 1 hour before the failure. The 4-hour failover is downtime, which is measured against the RTO, not the RPO; a slow failover does not by itself increase the amount of data lost.
- B
The failover process was unsuccessful.
Why wrong: Operations resumed at the secondary site, so the failover succeeded; it was slow, not failed.
- C
No data loss occurred because the secondary site was available.
Why wrong: Data written after the last successful replication to the secondary site is lost; with a 1-hour RPO that can be up to an hour of transactions.
- D
The recovery time objective (RTO) was not met.
Why wrong: The scenario does not state an RTO, so whether a 4-hour failover met it cannot be determined from the information given.
Refer to the exhibit. A security analyst observes that users from the 192.168.1.0/24 network cannot access HTTPS websites, but HTTP access works fine. What is the most likely cause?
Exhibit
Refer to the exhibit.
```
! Configuration snippet from router R1
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group 100 in
!
```
Trap 1: The implicit deny at the end of the ACL blocks HTTPS traffic.
The permit for port 443 comes before the (here explicit) deny ip any any, so HTTPS from 192.168.1.0/24 is allowed by the list as written.
Trap 2: The ACL is missing a permit statement for TCP port 443 return…
The list is applied inbound on Gi0/0, so it only evaluates packets arriving on that interface; the web server's replies arrive on a different interface and are never matched against it. A stateless ACL needs no "return" entry here, and port 80 works without one.
Trap 3: The ACL explicitly denies TCP port 443.
The ACL permits port 443.
- A
The ACL is applied to the wrong interface or direction.
The list itself permits HTTP and HTTPS from 192.168.1.0/24 identically, so nothing in the ACL text explains why only HTTPS fails; of the choices offered, the only one the exhibit does not rule out is that the list is bound somewhere other than intended (for example inbound on the interface facing the servers, where replies carry a source outside 192.168.1.0/24 and fall to the deny), with the caveat that such a misbinding would normally break port 80 as well. Because the deny line carries the log keyword, show ip access-lists (match counters) and the logged denies will show exactly which packets are dropped, and on which interface, before anything is changed.
- B
The implicit deny at the end of the ACL blocks HTTPS traffic.
Why wrong: The permit for port 443 comes before the (here explicit) deny ip any any, so HTTPS from 192.168.1.0/24 is allowed by the list as written.
- C
The ACL is missing a permit statement for TCP port 443 return traffic.
Why wrong: The list is applied inbound on Gi0/0, so it only evaluates packets arriving on that interface; the web server's replies arrive on a different interface and are never matched against it. A stateless ACL needs no "return" entry here, and port 80 works without one.
- D
The ACL explicitly denies TCP port 443.
Why wrong: The ACL permits port 443.
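A first-match ACL evaluator run over the three ACL exhibits on this page (the BLOCK_HTTP list, the firewall list ending in permit ip any any, and router R1's list 100), so the top-down, first-match-wins semantics behind all three questions can be checked rather than reasoned about. This is an added example, not code from the original page or from any vendor: it handles only the syntax those exhibits use (permit/deny, ip/tcp/udp, any / host A / address-plus-wildcard, optional eq PORT, optional log), the test packets' addresses are assumed, and the "return traffic" packet at the end goes beyond the questions to show what happens when a list written for client traffic meets a server's reply.

```python
"""First-match evaluator for Cisco-style ACL entries. Added example, not code from the
original page; supports only the syntax the page's exhibits use."""
import ipaddress


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard (0 bits must match) -> prefix; only contiguous wildcards supported."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _parse_addr(tokens, i):
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> dict:
    """One access control entry, numbered ('access-list 100 permit ...') or named form."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "log": "log" in tokens[i:]}


def parse_acl(text: str) -> list:
    return [parse_ace(l) for l in text.strip().splitlines()
            if l.strip() and not l.strip().startswith("!")]


def evaluate(acl, proto, src, dst, dport=None, sport=None):
    """Top-down, first match wins. Returns (action, line_no); (deny, None) is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", proto) or s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n
    return "deny", None


# The three exhibits from this page, verbatim.
BLOCK_HTTP = parse_acl("""
deny tcp any any eq 80
permit ip any any
""")
FIREWALL_100 = parse_acl("""
access-list 100 permit tcp any host 10.0.1.10 eq 443
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
""")
R1_100 = parse_acl("""
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 deny ip any any log
""")


def demo() -> dict:
    """Test packets (addresses assumed) against each list; each value is (action, matched line)."""
    return {
        "block_http:http":  evaluate(BLOCK_HTTP, "tcp", "192.168.1.100", "10.0.0.1", 80),
        "block_http:https": evaluate(BLOCK_HTTP, "tcp", "192.168.1.100", "10.0.0.1", 443),
        "firewall:https":   evaluate(FIREWALL_100, "tcp", "203.0.113.7", "10.0.1.10", 443),
        "firewall:ssh":     evaluate(FIREWALL_100, "tcp", "203.0.113.7", "10.0.1.10", 22),
        "firewall:rdp":     evaluate(FIREWALL_100, "tcp", "203.0.113.7", "10.0.1.10", 3389),
        "r1:https_out":     evaluate(R1_100, "tcp", "192.168.1.10", "198.51.100.1", 443),
        # the server's reply, if list 100 were bound where it sees return traffic:
        "r1:https_return":  evaluate(R1_100, "tcp", "198.51.100.1", "192.168.1.10", 50000, sport=443),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two results are the ones worth remembering: on the firewall list, SSH is denied at line 2 (the deny is reached) while RDP is permitted at line 3 (the list is default-permit), and on R1's list the server's reply falls to the deny because its source is not in 192.168.1.0/24, which is why the interface and direction an ACL is bound to matter as much as its lines.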
A network security team is implementing a defense-in-depth strategy. Which TWO of the following controls are examples of network segmentation? (Choose two.)
Trap 1: Deploying an intrusion detection system (IDS) on the core switch.
IDS monitors traffic but does not segment the network.
Trap 2: Placing public-facing servers in a DMZ.
DMZ is a result of segmentation, not the control itself.
Trap 3: Using VPN for remote access.
VPN extends the network, it does not segment it.
- A
Implementing firewall rules between internal zones.
Firewalls enforce segmentation by controlling traffic between zones.
- B
Deploying an intrusion detection system (IDS) on the core switch.
Why wrong: IDS monitors traffic but does not segment the network.
- C
Configuring VLANs to separate departmental traffic.
VLANs create separate broadcast domains, segmenting the network.
- D
Placing public-facing servers in a DMZ.
Why wrong: DMZ is a result of segmentation, not the control itself.
- E
Using VPN for remote access.
Why wrong: VPN extends the network, it does not segment it.
A security analyst is reviewing an alert from the IDS that shows a large number of TCP SYN packets sent to a single port on multiple internal hosts from a single external IP address. The analyst suspects a reconnaissance attack. Which type of attack is this most likely?
Trap 1: SYN flood
A SYN flood aims to overwhelm the target with half-open connections, not just scan.
Trap 2: Ping sweep
A ping sweep uses ICMP echo requests to identify live hosts, not TCP SYN packets.
Trap 3: Smurf attack
A Smurf attack uses ICMP echo replies to amplify traffic, not TCP SYN packets.
- A
SYN flood
Why wrong: A SYN flood aims to overwhelm the target with half-open connections, not just scan.
- B
Ping sweep
Why wrong: A ping sweep uses ICMP echo requests to identify live hosts, not TCP SYN packets.
- C
Smurf attack
Why wrong: A Smurf attack uses ICMP echo replies to amplify traffic, not TCP SYN packets.
- D
SYN scan
A SYN scan sends TCP SYN packets to determine which ports are open, characteristic of reconnaissance.
A SOC analyst is investigating an incident where an employee's workstation was compromised via a phishing email. The analyst has captured the following indicators: the email originated from a known malicious domain, the attachment was a macro-enabled document, and the macro executed a PowerShell command that downloaded a payload from a remote server. Which TWO actions should the analyst take immediately as part of the incident response process? (Choose two.)
Trap 1: Contact law enforcement immediately.
Law enforcement contact is not an immediate step in initial containment.
Trap 2: Analyze the macro code in a sandbox.
Analysis is important but not immediate; containment takes priority.
Trap 3: Delete the phishing email from all mailboxes.
Deleting the email destroys evidence; preserve it.
- A
Contact law enforcement immediately.
Why wrong: Law enforcement contact is not an immediate step in initial containment.
- B
Isolate the workstation from the network.
Isolation contains the threat and prevents spread.
- C
Analyze the macro code in a sandbox.
Why wrong: Analysis is important but not immediate; containment takes priority.
- D
Block the malicious domain at the email gateway.
Blocking the domain prevents additional emails from reaching users.
- E
Delete the phishing email from all mailboxes.
Why wrong: Deleting the email destroys evidence; preserve it.
A security team implements a policy that requires all access to sensitive data to be logged and audited. Which principle is being enforced?
Trap 1: Non-repudiation
Non-repudiation means an actor cannot later deny an action; audit logging supports it, but the stated requirement (log and audit every access) is accountability.
Trap 2: Integrity
Integrity is about data accuracy.
Trap 3: Least privilege
Least privilege is about access levels.
- A
Accountability
Logging and auditing tie every access to an identifiable subject, which is what accountability means.
- B
Non-repudiation
Why wrong: Non-repudiation means an actor cannot later deny an action; audit logging supports it, but the stated requirement (log and audit every access) is accountability.
- C
Integrity
Why wrong: Integrity is about data accuracy.
- D
Least privilege
Why wrong: Least privilege is about access levels.