ISC2 Certified in Cybersecurity CC (CC) — Questions 175

500 questions total · 7 pages · All types, answers revealed

Page 1 of 7

1
Multi-Select · easy

Which TWO of the following are principles of the CIA triad? (Select TWO.)

Select 2 answers
A. Confidentiality
B. Integrity
C. Non-repudiation
D. Accountability
E. Authorization
Answers: A, B

Correct. Confidentiality is part of CIA.

Why this answer

Confidentiality is a core principle of the CIA triad, ensuring that data is accessible only to authorized entities. This is typically enforced through encryption (e.g., AES-256) and access control mechanisms, preventing unauthorized disclosure.

Exam trap

ISC2 often tests candidates by listing security concepts like non-repudiation or authorization as distractors, expecting you to know that the CIA triad strictly includes only confidentiality, integrity, and availability.

2
MCQ · easy

A company's security policy states that employees should only have access to the data necessary to perform their job functions. This is an example of which principle?

A. Defense in depth
B. Separation of duties
C. Fail-safe
D. Least privilege
Answer: D

Correct. Access is limited to what is needed.

Why this answer

The principle of least privilege dictates that users and systems should be granted only the minimum permissions necessary to perform their tasks. By restricting data access to job-required information, the company directly implements this security control, reducing the attack surface and limiting potential damage from compromised accounts.

Exam trap

ISC2 often tests least privilege by contrasting it with separation of duties, where candidates mistakenly choose separation of duties because both involve restricting access, but separation of duties specifically splits conflicting tasks among different people to prevent collusion, not to limit data access per role.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, encryption) to protect assets, not a single access restriction policy. Option B is wrong because separation of duties divides critical tasks among multiple people to prevent fraud (e.g., one person requests a purchase, another approves it), not limiting data access per role. Option C is wrong because fail-safe ensures that a system defaults to a secure state upon failure (e.g., a firewall blocking all traffic when it crashes), not restricting user permissions to job-necessary data.

3
Multi-Select · medium

An organization is implementing a new access control system based on the principle of least privilege. Which two of the following practices are essential to achieving least privilege? (Select TWO)

Select 2 answers
A. Review permissions regularly
B. Use role-based access control
C. Grant users default full access and restrict later
D. Enable accounts after use
E. Provide write access to all users
Answers: A, B

Regular reviews help maintain minimal permissions by revoking unnecessary access.

Why this answer

Option A is correct because regular permission reviews are essential to maintaining least privilege over time. Users' roles and responsibilities change, and without periodic audits, excessive permissions can accumulate, violating the principle. This aligns with the NIST SP 800-53 AC-6 control for least privilege, which requires organizations to review user access rights at defined intervals.

Exam trap

ISC2 often tests that candidates confuse the principle of least privilege with account management practices like enabling/disabling accounts, or mistakenly think starting with full access and restricting later is acceptable, when in fact least privilege requires a default-deny posture.

4
MCQ · easy

The exhibit shows recent authentication logs. What type of attack is most likely indicated?

A. Man-in-the-middle attack
B. Brute-force attack
C. Phishing attack
D. Privilege escalation
Answer: B

Rapid failed logins then success suggests password guessing.

Why this answer

The exhibit shows repeated authentication attempts with different passwords for the same username, which is the hallmark of a brute-force attack. In authentication logs, a high frequency of failed login attempts (e.g., multiple 'Failed password' entries in quick succession) indicates an attacker systematically guessing credentials. This aligns with the CC domain of Access Controls, where brute-force attacks target weak password policies.

Exam trap

ISC2 often tests the distinction between brute-force and dictionary attacks; the trap here is that candidates may confuse repeated login attempts with a phishing attack, but phishing requires user interaction (e.g., clicking a link), whereas brute-force is automated against the authentication service.

How to eliminate wrong answers

Option A is wrong because a man-in-the-middle attack would show evidence of intercepted or modified traffic (e.g., ARP spoofing, SSL stripping), not repeated login failures. Option C is wrong because a phishing attack relies on tricking users into revealing credentials via deceptive emails or websites, not on direct login attempts against the authentication server. Option D is wrong because privilege escalation involves gaining higher-level access after initial compromise (e.g., exploiting SUID binaries or misconfigured sudo), not repeated password guessing.

5
MCQ · medium

Refer to the exhibit. What does this indicate?

A. The source file changed during backup
B. The backup medium has errors
C. The verification algorithm is incorrect
D. The backup file is corrupt
Answer: A

File modification during backup leads to checksum mismatch.

Why this answer

The exhibit shows a backup verification failure where the checksum or hash of the source file does not match the backup copy. This typically occurs when the source file is modified during the backup process (e.g., an open file that is being written to), causing the verification algorithm to detect a mismatch. The correct answer is A because the backup software correctly identifies that the source changed, not that the backup medium or file is corrupt.

Exam trap

ISC2 often tests the distinction between backup file corruption and source file modification during backup, trapping candidates who assume any verification failure means the backup is corrupt, when the exhibit's wording or error message explicitly points to a source change.

How to eliminate wrong answers

Option B is wrong because backup medium errors (e.g., bad sectors on tape or disk) would typically manifest as read/write failures or CRC errors during the backup or verification process, not as a checksum mismatch specifically indicating a source file change. Option C is wrong because the verification algorithm (e.g., MD5, SHA-1, or SHA-256) is a standard cryptographic hash function; if it were incorrect, the backup software would fail to compute any valid hash, not produce a mismatch between source and backup. Option D is wrong because a corrupt backup file would usually fail verification with a hash mismatch, but the exhibit explicitly indicates the source file changed during backup, which is a distinct scenario from post-backup corruption.

6
MCQ · easy

A security analyst is reviewing an alert from the IDS that shows a large number of TCP SYN packets sent to a single port on multiple internal hosts from a single external IP address. The analyst suspects a reconnaissance attack. Which type of attack is this most likely?

A. SYN flood
B. Ping sweep
C. Smurf attack
D. SYN scan
Answer: D

A SYN scan sends TCP SYN packets to determine which ports are open, characteristic of reconnaissance.

Why this answer

This is most likely a SYN scan (option D), a reconnaissance technique where an attacker sends TCP SYN packets to a specific port on multiple hosts to determine if the port is open. A SYN scan is stealthier than a full TCP connect scan because it never completes the three-way handshake, leaving fewer logs. The IDS alert describes the hallmark behavior of a SYN scan: a single external IP targeting the same port across many internal hosts.

Exam trap

ISC2 often tests the distinction between a SYN flood (DoS) and a SYN scan (reconnaissance), and the trap here is that candidates confuse the use of SYN packets in a volumetric attack versus a probing technique.

How to eliminate wrong answers

Option A is wrong because a SYN flood is a denial-of-service (DoS) attack that aims to overwhelm a single target with SYN packets, exhausting its connection table, not a reconnaissance scan across multiple hosts. Option B is wrong because a ping sweep uses ICMP Echo Request packets (ping) to discover live hosts, not TCP SYN packets to a specific port. Option C is wrong because a Smurf attack is a distributed DoS attack that sends ICMP Echo Requests with a spoofed source IP to a broadcast address, causing amplification, and does not involve TCP SYN packets or port scanning.

7
MCQ · hard

Refer to the exhibit. Which statement best describes compliance with the recovery objectives?

A. Compliant with both RTO and RPO
B. Compliant with RTO but not RPO
C. Compliant with neither
D. Compliant with RPO but not RTO
Answer: B

RTO likely achievable, but RPO is violated due to infrequent backups.

Why this answer

The exhibit shows that the actual Recovery Time Objective (RTO) is 4 hours, which meets the required RTO of 4 hours, so the system is compliant with RTO. However, the actual Recovery Point Objective (RPO) is 2 hours, which exceeds the required RPO of 1 hour, meaning data loss could be up to 2 hours instead of the acceptable 1 hour, thus failing RPO compliance. Therefore, the correct answer is B.

Exam trap

ISC2 often tests the distinction between RTO and RPO by presenting a scenario where one objective is met and the other is not, and the trap is that candidates confuse which metric measures downtime versus data loss, leading them to incorrectly select A or D.

How to eliminate wrong answers

Option A is wrong because it claims compliance with both RTO and RPO, but the actual RPO of 2 hours exceeds the required 1 hour, so RPO is not met. Option C is wrong because it states compliance with neither, but the actual RTO of 4 hours meets the required 4 hours, so RTO is compliant. Option D is wrong because it claims compliance with RPO but not RTO, which is the reverse of the actual situation: RTO is met and RPO is not.

8
MCQ · hard

A company's security policy requires that all sensitive data be encrypted at rest and in transit. However, a recent breach occurred because an attacker exploited a misconfigured web server that exposed a database directly. Which principle was most lacking in this scenario?

A. Least privilege
B. Fail securely
C. Complete mediation
D. Defense in depth
Answer: D

Defense in depth would have prevented single point of failure.

Why this answer

Defense in depth would have added additional controls, such as network segmentation and access controls, so that a single misconfiguration could not by itself expose the data. Option B (Fail securely) ensures a secure state on failure. Option C (Complete mediation) checks every access. Option A (Least privilege) is about permissions.

9
MCQ · medium

An organization wants to detect and alert on potential network intrusions but does not want to risk blocking legitimate traffic. Which system should they deploy?

A. Network-based Intrusion Detection System (NIDS)
B. Unified Threat Management (UTM) appliance
C. Firewall with deep packet inspection
D. Network-based Intrusion Prevention System (NIPS)
Answer: A

A NIDS is passive and only alerts on potential intrusions without blocking traffic, avoiding false positives that block legitimate traffic.

Why this answer

A Network-based Intrusion Detection System (NIDS) passively monitors network traffic and generates alerts when suspicious patterns are detected, but it does not take any inline action to block traffic. This makes it the correct choice for an organization that wants to detect and alert on potential intrusions without any risk of blocking legitimate traffic, as the NIDS operates out-of-band and cannot drop packets.

Exam trap

ISC2 often tests the distinction between detection (IDS) and prevention (IPS) by emphasizing that an IDS is passive and out-of-band, while an IPS is inline and can block traffic, so the trap here is confusing the alert-only capability of NIDS with the active blocking of NIPS or UTM appliances.

How to eliminate wrong answers

Option B is wrong because a Unified Threat Management (UTM) appliance typically includes intrusion prevention, antivirus, and content filtering that can actively block traffic, which introduces the risk of blocking legitimate traffic. Option C is wrong because a firewall with deep packet inspection (DPI) is an inline device that can drop or reject packets based on application-layer analysis, which could inadvertently block legitimate traffic. Option D is wrong because a Network-based Intrusion Prevention System (NIPS) is an inline device that actively drops or resets malicious traffic, directly contradicting the requirement to avoid blocking legitimate traffic.

10
MCQ · medium

A company's security policy requires that all sensitive data be encrypted both at rest and in transit. This is an example of applying which security principle?

A. Separation of duties
B. Need to know
C. Least privilege
D. Defense in depth
Answer: D

Encrypting data at rest and in transit provides multiple layers of protection, a key element of defense in depth.

11
MCQ · easy

A system administrator is configuring permissions for a new file server. To adhere to the principle of least privilege, which approach should the administrator take?

A. Grant permissions only to the IT department.
B. Grant permissions based on the user's department membership.
C. Grant each user only the permissions necessary to perform their job duties.
D. Grant all users full control to simplify management.
Answer: C

This directly implements least privilege by limiting access to what is required for the job.

12
MCQ · medium

During a security incident, the incident response team needs to preserve evidence. Which of the following actions should be performed first?

A. Notify law enforcement
B. Capture a memory dump
C. Power off the system
D. Run antivirus scan
Answer: B

Memory dump captures volatile data crucial for forensic analysis.

Why this answer

Capturing a memory dump (volatile data) is the first priority because it contains critical evidence such as running processes, network connections, and encryption keys that will be lost when the system is powered off. The order of volatility dictates that volatile data must be collected before any non-volatile data, and before any actions that could alter system state.

Exam trap

ISC2 often tests the principle of order of volatility, and the trap here is that candidates mistakenly think powering off the system preserves evidence, when in fact it destroys the most volatile and valuable forensic data.

How to eliminate wrong answers

Option A is wrong because notifying law enforcement is a procedural step that should occur after evidence has been secured, not before, and it does not directly preserve volatile evidence. Option C is wrong because powering off the system destroys volatile memory (RAM) and may cause loss of critical forensic data, such as active network connections and malware in memory. Option D is wrong because running an antivirus scan modifies the system state (e.g., quarantining files, altering timestamps) and can destroy or contaminate evidence, violating forensic integrity.

13
Multi-Select · hard

Which THREE are examples of administrative access controls?

Select 3 answers
A. Mantraps
B. Password complexity requirements
C. Guard patrols
D. Security policies
E. Background checks
Answers: B, D, E

These are procedural rules, hence administrative.

Why this answer

Password complexity requirements are administrative access controls because they are defined in security policies and enforced through user behavior and organizational rules, not through hardware or software mechanisms. They fall under the administrative category of access control, which includes policies, procedures, and guidelines that govern user actions and access rights.

Exam trap

ISC2 often tests the distinction between administrative, technical, and physical access controls, and the trap here is that candidates may confuse password complexity requirements (administrative) with technical controls like password filters or account lockout mechanisms.

14
MCQ · hard

A security team discovers that an internal database server is sending large amounts of data to an unknown external IP address. The server is not supposed to communicate externally. Which security control should be implemented to prevent such data exfiltration?

A. Implement a VPN for all external communications
B. Install an intrusion detection system (IDS) on the network segment
C. Configure a firewall to deny all outbound traffic from the database server except to specific authorized destinations
D. Deploy a data loss prevention (DLP) system on the server
Answer: C

Egress filtering blocks unauthorized outbound connections, preventing data exfiltration.

Why this answer

Option C is correct because a restrictive firewall egress rule blocks unauthorized outbound traffic. An IDS (B) only detects; it does not prevent. DLP (D) monitors content but may not block at the network level. A VPN (A) would not stop exfiltration; it could even facilitate it by tunnelling the traffic past other controls.

15
MCQ · hard

Which of the following is the best practice for managing cryptographic keys in a large organization?

A. Embed keys in application code to ensure availability.
B. Distribute keys to administrators via email for convenience.
C. Use a single key for all encryption to simplify management.
D. Store keys in a centralized hardware security module (HSM) with strict access controls.
Answer: D

HSM provides tamper-resistant key storage and management.

Why this answer

Option D is correct because a centralized Hardware Security Module (HSM) provides tamper-resistant, dedicated hardware for secure key generation, storage, and cryptographic operations. Strict access controls (e.g., role-based access, multi-factor authentication) ensure that only authorized personnel can manage keys, while the HSM prevents key extraction even if the host system is compromised. This aligns with NIST SP 800-57 guidelines for key management in large organizations.

Exam trap

ISC2 often tests the misconception that convenience (e.g., embedding keys in code or using a single key) is acceptable for key management, when in fact security and compartmentalization are paramount in enterprise environments.

How to eliminate wrong answers

Option A is wrong because embedding keys in application code exposes them to static analysis, reverse engineering, and version control leaks, violating the principle of key separation and making key rotation nearly impossible. Option B is wrong because distributing keys via email transmits them in cleartext over potentially insecure channels, exposing them to interception and violating confidentiality requirements (e.g., PCI DSS, GDPR). Option C is wrong because using a single key for all encryption violates key separation and compartmentalization; if that key is compromised, all encrypted data is exposed, and it prevents granular access control and rotation without massive re-encryption.

16
MCQ · hard

A security auditor discovers that a user has been granted read and write access to a sensitive file, but the user's job only requires read access. Which access control principle has been violated?

A. Job rotation
B. Need-to-know
C. Separation of duties
D. Least privilege
Answer: D

Least privilege requires minimal permissions; write access is excessive.

Why this answer

The principle of least privilege dictates that users should be granted only the minimum permissions necessary to perform their job functions. Granting write access when only read access is required violates this principle by providing unnecessary and potentially harmful capabilities. This is a core access control concept in the CC exam.

Exam trap

ISC2 often tests least privilege by contrasting it with need-to-know, where candidates mistakenly choose need-to-know because both involve limiting access, but least privilege focuses on the permission level (read vs. write) while need-to-know focuses on the data scope.

How to eliminate wrong answers

Option A is wrong because job rotation is a security practice where users periodically switch roles to reduce fraud risk, not a principle about limiting permissions. Option B is wrong because need-to-know restricts access to specific data based on necessity, but the violation here is about the level of privilege (read vs. write), not the data itself. Option C is wrong because separation of duties ensures no single user has conflicting responsibilities (e.g., creating and approving transactions), which is not the issue in this scenario.

17
MCQ · easy

A security administrator needs to ensure that a user cannot view the contents of a file but can execute it. Which access control principle should be applied?

A. Enforce separation of duties
B. Apply least privilege
C. Use defense in depth
D. Implement need-to-know
Answer: B

Least privilege grants only the permissions required for the task, which is execute without read.

Why this answer

Least privilege grants only the permissions necessary to perform a task. The user only needs execute, not read. Option B is correct because it restricts access to the minimum required.

Option D (need-to-know) limits access to sensitive information but does not address the read-versus-execute distinction. Option A (separation of duties) divides tasks among different people. Option C (defense in depth) uses multiple layers of security.

18
MCQ · medium

A company's BCP requires that critical systems be restored within 2 hours of disruption. Which metric defines this?

A. Mean Time to Repair (MTTR)
B. Recovery Time Objective (RTO)
C. Service Level Agreement (SLA)
D. Recovery Point Objective (RPO)
Answer: B

RTO specifies the maximum acceptable downtime for a system.

Why this answer

The Recovery Time Objective (RTO) defines the maximum acceptable time that a system or application can be unavailable after a disruption. In this scenario, the requirement to restore critical systems within 2 hours directly specifies the RTO. It is a key metric in business continuity planning that drives the design of failover and recovery strategies.

Exam trap

ISC2 often tests the distinction between RTO and RPO, where candidates confuse the time to restore service (RTO) with the acceptable data loss window (RPO).

How to eliminate wrong answers

Option A is wrong because Mean Time to Repair (MTTR) measures the average time taken to repair a failed component, not the maximum allowable downtime for a business process. Option C is wrong because a Service Level Agreement (SLA) is a contractual commitment between a provider and customer, often including uptime percentages, but it does not define the specific recovery time target for a BCP. Option D is wrong because Recovery Point Objective (RPO) defines the maximum acceptable data loss measured in time (e.g., how far back in time data may be lost), not the time to restore service.

19
MCQ · hard

In a typical Windows environment, which access control model is used for managing file permissions?

A. Discretionary Access Control (DAC)
B. Role-Based Access Control (RBAC)
C. Mandatory Access Control (MAC)
D. Attribute-Based Access Control (ABAC)
Answer: A

File owners can grant or deny permissions to others.

Why this answer

In a typical Windows environment, file permissions are managed using Discretionary Access Control (DAC), where the owner of a resource (e.g., a file or folder) can grant or deny access to other users or groups. This is implemented via NTFS permissions, which allow the owner to set ACLs (Access Control Lists) on objects, giving them discretion over who can read, write, or execute. Windows does not enforce a system-wide policy beyond the owner's decisions, which is the hallmark of DAC.

Exam trap

ISC2 often tests the misconception that Windows uses RBAC because of Active Directory groups, but AD groups are merely a convenience for assigning DAC permissions, not a role-based system; the key distinction is that DAC gives discretion to the resource owner, while RBAC assigns permissions based on organizational roles defined by an administrator.

How to eliminate wrong answers

Option B (RBAC) is wrong because Windows does not natively use Role-Based Access Control for file permissions; RBAC is typically implemented in enterprise applications or databases (e.g., SQL Server) and assigns permissions based on job functions, not owner discretion. Option C (MAC) is wrong because Mandatory Access Control is not used in standard Windows; it is a feature of high-security systems like SELinux or Trusted Solaris, where a central authority (e.g., a security label) overrides owner decisions. Option D (ABAC) is wrong because Attribute-Based Access Control is not the default model for Windows file permissions; ABAC evaluates policies based on attributes (e.g., time, location) and is more common in modern cloud or network access control systems (e.g., AWS IAM), not in the NTFS permission system.

20
Multi-Select · easy

Which two of the following are examples of physical access controls? (Select TWO)

Select 2 answers
A. Security guards
B. Encryption
C. Password policies
D. Firewall rules
E. Biometric door locks
Answers: A, E

Security guards monitor and control physical access to premises.

Why this answer

Security guards are a physical access control because they provide a human barrier to unauthorized entry, monitoring and challenging individuals who attempt to access restricted areas. They enforce physical security policies through observation, verification, and intervention, making them a classic example of a deterrent and preventive physical control.

Exam trap

ISC2 often tests the distinction between physical, administrative, and logical/technical controls, and the trap here is that candidates confuse encryption or firewall rules as 'physical' because they are tangible in implementation, but they are actually logical controls that protect data, not physical assets or premises.

21
MCQ · hard

Refer to the exhibit. Based on the exhibit, which statement best describes the effect of this policy?

A. Allows all actions on EC2 instances from 10.0.0.0/16
B. Allows DescribeInstances action from any IP but with a condition
C. Denies DescribeInstances action from IPs outside 10.0.0.0/16
D. Allows DescribeInstances action only from IPs within 10.0.0.0/16
Answer: D

The Effect is Allow, the Action is ec2:DescribeInstances, and the Condition restricts the source IP to the 10.0.0.0/16 range.

Why this answer

The policy uses an 'Allow' effect with a condition that restricts the source IP to the 10.0.0.0/16 range. Since IAM policies default to implicit deny, only requests matching both the action (DescribeInstances) and the condition (source IP within 10.0.0.0/16) are allowed. This effectively permits DescribeInstances only from the specified CIDR block.

Exam trap

ISC2 often tests the distinction between an explicit 'Allow' with a condition and an explicit 'Deny' — candidates mistakenly think a conditional allow is equivalent to a deny for non-matching sources, but the actual behavior is that non-matching requests are implicitly denied, not explicitly denied.

How to eliminate wrong answers

Option A is wrong because the policy does not allow 'all actions' on EC2 instances; it only allows the DescribeInstances action. Option B is wrong because the policy does not allow DescribeInstances from 'any IP'; it explicitly restricts the source IP to 10.0.0.0/16 via a condition. Option C is wrong because the policy uses an 'Allow' effect, not a 'Deny' effect; it allows the action from the specified range rather than denying it from outside that range.

22
MCQ · easy

An organization implements a rule that an employee cannot approve their own expenses. This is an example of which security principle?

A. Least privilege
B. Separation of duties
C. Defense in depth
D. Accountability
Answer: B

Separation of duties prevents a single individual from having conflicting roles.

Why this answer

Correct: B - Separation of duties. Separation of duties prevents a single individual from having conflicting roles. Option A is wrong because least privilege limits access to only necessary resources.

Option C is wrong because defense in depth uses multiple layers. Option D is wrong because accountability tracks actions to individuals.

23
Multi-Select · medium

Which TWO of the following are fundamental security principles? (Select TWO.)

Select 2 answers
A. Fail-open
B. Need to share
C. Defense in depth
D. Least privilege
E. Complexity
Answers: C, D

Correct. Defense in depth is a key principle.

Why this answer

Defense in depth is a fundamental security principle that implements multiple layers of security controls (e.g., firewalls, IDS/IPS, encryption, access controls) so that if one layer fails, others still provide protection. This layered approach ensures no single point of failure can compromise the entire system, aligning with the CC exam's emphasis on holistic security strategies.

Exam trap

ISC2 often tests the distinction between security principles (like defense in depth and least privilege) and design concepts (like fail-open or complexity), so candidates mistakenly select 'fail-open' because it sounds security-related, but it actually reduces security in a failure scenario.

24
MCQ · easy

A security analyst notices that a user's account has been used to access sensitive files outside of normal working hours from an unknown IP address. Which security principle is most directly violated?

A. Availability
B. Non-repudiation
C. Integrity
D. Confidentiality
Answer: D

Confidentiality prevents unauthorized disclosure; the access compromised confidentiality.

Why this answer

The scenario describes unauthorized access to sensitive files from an unknown IP address outside normal hours, which directly violates the principle of confidentiality. Confidentiality ensures that data is accessible only to authorized users and systems, and this breach indicates that sensitive information may have been exposed to an unauthorized party.

Exam trap

ISC2 often tests the distinction between confidentiality and integrity by presenting a scenario where data is accessed (not modified), leading candidates to mistakenly choose integrity because they conflate 'unauthorized access' with 'data tampering'.

How to eliminate wrong answers

Option A is wrong because availability concerns ensuring systems and data are accessible when needed, not preventing unauthorized access; the account was still functional, so availability was not violated. Option B is wrong because non-repudiation relates to proving that a specific user performed an action (e.g., via digital signatures or audit logs), not preventing unauthorized access; the issue here is unauthorized use, not repudiation of actions. Option C is wrong because integrity focuses on protecting data from unauthorized modification or corruption; the scenario does not indicate any alteration of files, only access.

25
Multi-Select · medium

A security policy requires that all changes to production systems be approved by a change management board. Which THREE of the following principles best support this requirement?

Select 3 answers
A. Non-repudiation
B. Defense in depth
C. Separation of duties
D. Accountability
E. Least privilege
Answers: A, C, D

Provides proof of approval to prevent denial.

Why this answer

Separation of duties ensures approval and implementation are done by different people. Accountability ensures actions are traceable. Non-repudiation provides proof of approval.

Least privilege and defense in depth are less directly related.

26
MCQeasy

A mid-sized e-commerce company has a primary data center in New York and a disaster recovery site in Dallas. The application stack includes a web server, application server, and a PostgreSQL database. The database uses synchronous replication to the DR site. During a routine failover test, the IT team discovers that after failing over to Dallas, the web servers in New York continue to attempt connections to the original database IP, causing application errors. The DNS records have been updated to point to the DR database IP, but the web servers are not refreshing their DNS cache. The company uses a standard TTL of 300 seconds. The IT manager needs a solution that ensures minimal disruption during future failovers. Which action should be taken?

A. Add a static host entry in the web servers' hosts file pointing to the DR database IP
B. Increase the DNS TTL to 86400 seconds to ensure all caches are updated quickly
C. Configure the web servers to use a different DNS resolver that does not cache
D. Implement a load balancer or proxy with a virtual IP that can be switched during failover, and update the web server configuration to connect to the virtual IP
Answer: D

A virtual IP (VIP) can be moved between data centers via BGP or similar, so web servers always connect to the same IP, avoiding DNS caching issues.

Why this answer

Option D is correct because it decouples the web servers from the database IP address by introducing a load balancer or proxy with a virtual IP (VIP). During failover, the VIP is simply moved to the DR database, and the web servers continue connecting to the same VIP without any DNS dependency or cache refresh issues. This eliminates the problem of stale DNS caches and ensures minimal disruption, as the connection endpoint remains constant.

Exam trap

ISC2 often tests the misconception that DNS TTL adjustments or cache clearing are sufficient for failover scenarios, but the trap here is that DNS-based solutions inherently introduce propagation delays and cache inconsistencies, whereas a virtual IP provides immediate, transparent failover without relying on DNS resolution.

How to eliminate wrong answers

Option A is wrong because adding a static host entry in the web servers' hosts file would require manual updates on every web server during each failover, which is not scalable and defeats the purpose of automation; it also does not address the DNS cache issue but rather bypasses it with a brittle workaround. Option B is wrong because increasing the DNS TTL to 86400 seconds would actually make the problem worse by causing DNS caches to hold stale records for longer, delaying the propagation of the updated IP address during failover. Option C is wrong because configuring the web servers to use a DNS resolver that does not cache would still require the resolver to query authoritative DNS servers, and the web servers themselves may still cache the result; moreover, it introduces unnecessary complexity and does not solve the fundamental issue of relying on DNS for a critical failover scenario.

27
MCQ · medium

Based on the exhibit, which statement about the access control list is true?

A. All IP traffic is permitted except ICMP
B. HTTP traffic is denied
C. Only HTTP traffic is permitted
D. ICMP echo requests are permitted
Answer: A

Line 10 permits HTTP, line 20 denies ICMP, line 30 permits all other IP.

Why this answer

The exhibit shows an access control list (ACL) that explicitly denies ICMP traffic with the entry 'deny icmp any any' and then permits all other IP traffic with 'permit ip any any'. Since ACLs are processed sequentially and the 'permit ip any any' matches all IP protocols (including HTTP, HTTPS, etc.) except those already denied, the result is that all IP traffic is permitted except ICMP. This makes option A correct.

Exam trap

ISC2 often tests the sequential nature of ACLs and the fact that 'permit ip any any' permits all IP protocols except those explicitly denied earlier, leading candidates to mistakenly think ICMP is permitted or that only HTTP is allowed.

How to eliminate wrong answers

Option B is wrong because HTTP traffic (TCP port 80) is a subset of IP traffic and is explicitly permitted by the 'permit ip any any' entry; there is no deny statement for HTTP. Option C is wrong because the ACL permits all IP traffic (except ICMP), not just HTTP; HTTP is only one of many permitted protocols. Option D is wrong because ICMP echo requests are a type of ICMP traffic, and the ACL contains a 'deny icmp any any' statement that blocks all ICMP, including echo requests.

28
MCQ · medium

A company's network uses 802.1X authentication for wired and wireless access. Which component authenticates the user credentials against an identity store?

A. Supplicant
B. Authenticator
C. Authentication server (RADIUS)
D. Access point
Answer: C

The authentication server performs the actual credential verification against the identity store.

Why this answer

In 802.1X, the authentication server (typically a RADIUS server) is the component that validates user credentials against an identity store such as LDAP, Active Directory, or a local database. The supplicant (client) provides credentials, the authenticator (switch or access point) relays EAP frames, but only the RADIUS server performs the actual authentication decision.

Exam trap

ISC2 often tests the misconception that the authenticator (switch or AP) performs authentication, but in 802.1X the authenticator only controls port access based on the RADIUS server's decision, not the credential validation itself.

How to eliminate wrong answers

Option A is wrong because the supplicant is the client software (e.g., on a laptop) that initiates authentication by sending credentials, but it does not validate them against any identity store. Option B is wrong because the authenticator (e.g., a switch or wireless controller) acts as a middleman, forwarding EAP messages between supplicant and RADIUS server, but it does not perform credential validation. Option D is wrong because an access point can act as an authenticator in wireless 802.1X, but it still does not authenticate credentials; it only relays EAP traffic to the RADIUS server.

29
MCQ · medium

During a routine security audit, an analyst finds that several critical servers have misconfigured firewall rules allowing inbound SSH access from the entire internet. Which immediate action should the analyst take?

A. Disable SSH on all servers
B. Notify the server owners and wait for their response
C. Document the finding and include it in the audit report
D. Modify the firewall rules to allow SSH only from specific management IPs
Answer: D

This directly mitigates the vulnerability by restricting access.

Why this answer

Option D is correct because the immediate priority is to eliminate the critical vulnerability by restricting inbound SSH access to only authorized management IPs. This aligns with the principle of least privilege and the immediate remediation steps in security incident response, as leaving the misconfiguration active even briefly exposes the servers to potential compromise.

Exam trap

ISC2 often tests the distinction between 'documenting' a finding and taking immediate remediation for a critical vulnerability, where candidates mistakenly choose documentation over action because they confuse audit procedures with incident response priorities.

How to eliminate wrong answers

Option A is wrong because disabling SSH entirely would disrupt legitimate administrative access and is an overly drastic measure that could cause operational outages; the correct approach is to restrict access rather than remove the service. Option B is wrong because waiting for server owners introduces an unacceptable delay in mitigating an active, critical vulnerability that exposes the servers to internet-wide brute-force attacks. Option C is wrong because merely documenting the finding without taking immediate corrective action violates the security analyst's duty to remediate critical risks promptly, as per standard incident response procedures.

30
MCQ · medium

A security analyst is configuring an intrusion detection system (IDS) to detect SQL injection attacks. Which method is most effective?

A. Analyze DNS query patterns
B. Detect port scans from external IPs
C. Examine HTTP request parameters for SQL commands
D. Monitor bandwidth usage for spikes
Answer: C

This directly identifies SQL injection payloads in web requests.

Why this answer

Option C is correct because examining HTTP request parameters for SQL commands directly detects SQL injection attempts in the web requests where the injection occurs. The other options monitor DNS, port scans, or bandwidth, which are unrelated to injection payloads or far less effective at identifying them.

31
MCQ · easy

A security analyst notices repeated failed login attempts from a single external IP address targeting the company's VPN concentrator. Which type of attack is most likely occurring?

A. Spoofing
B. Brute force
C. Man-in-the-Middle (MITM)
D. Denial of Service (DoS)
Answer: B

Brute force attacks involve repeated guessing of credentials, matching this behavior.

Why this answer

Repeated failed login attempts from a single external IP targeting a VPN concentrator are the hallmark of a brute force attack. The attacker systematically tries many username/password combinations to gain unauthorized access, exploiting weak or common credentials rather than exploiting a protocol vulnerability.

Exam trap

ISC2 often tests the distinction between a brute force attack (focused on credential guessing) and a Denial of Service attack (focused on resource exhaustion), where candidates mistakenly choose DoS because repeated attempts seem to 'overwhelm' the system, but the core intent is unauthorized access, not service disruption.

How to eliminate wrong answers

Option A is wrong because spoofing involves falsifying the source IP address to impersonate a trusted host, not repeatedly attempting logins; the attack here originates from a single external IP, not a spoofed one. Option C is wrong because a Man-in-the-Middle (MITM) attack intercepts or alters communication between two parties, often requiring ARP spoofing or rogue certificates, not repeated login attempts against a VPN concentrator. Option D is wrong because a Denial of Service (DoS) attack aims to overwhelm the VPN concentrator with traffic to disrupt service, not to gain access via credential guessing; the repeated login attempts here are targeted at authentication, not resource exhaustion.

32
MCQ · hard

A SOC analyst receives an alert indicating a user executed a PowerShell script that initiated outbound connections to an external IP. The script was delivered via email attachment. Which incident response phase is MOST appropriate for containing this threat?

A. Identification phase
B. Eradication phase
C. Recovery phase
D. Preparation phase
Answer: B

Eradication includes containment actions like blocking IPs and removing malware.

Why this answer

Option B (Eradication phase) is correct because containment actions such as removing the malicious PowerShell script, terminating the outbound connections, and cleaning the affected system are part of the eradication phase. The incident response lifecycle (NIST SP 800-61) places containment, eradication, and recovery as sequential steps after identification; here, the alert has already been identified, so the most appropriate next step is to eradicate the threat by removing the script and blocking the external IP.

Exam trap

ISC2 often tests the distinction between identification and eradication by presenting a scenario where the alert is already received, leading candidates to mistakenly choose identification because they focus on the initial detection rather than the next logical step in the response process.

How to eliminate wrong answers

Option A is wrong because the identification phase involves detecting and confirming the incident (e.g., analyzing the alert and verifying the malicious script), which has already occurred when the SOC analyst receives the alert. Option C is wrong because the recovery phase focuses on restoring normal operations after the threat is removed, such as restoring data from backups or reimaging systems, not on containing or removing the active threat. Option D is wrong because the preparation phase occurs before any incident, involving creating policies, training staff, and deploying tools (e.g., endpoint detection and response agents), not responding to an active alert.

33
MCQ · easy

A security administrator notices that a user with standard privileges was able to modify a system file. Which security principle has been violated?

A. Need to know
B. Defense in depth
C. Least privilege
D. Separation of duties
Answer: C

The user had more privileges than needed, violating least privilege.

Why this answer

The principle of least privilege requires that users be granted only the permissions necessary to perform their job functions. A standard user modifying a system file indicates they have been assigned unnecessary administrative rights, violating this principle. This could occur if the user is a member of a group like Administrators or has been granted explicit write access to protected directories such as %SystemRoot%\System32.

Exam trap

ISC2 often tests least privilege by presenting a scenario where a user performs an action beyond their role, and the trap is confusing it with need to know (which focuses on data access, not system-level permissions) or separation of duties (which involves task division, not permission granularity).

How to eliminate wrong answers

Option A is wrong because need to know controls access to specific data based on job necessity, not the ability to modify system files; it is about information disclosure, not system-level permissions. Option B is wrong because defense in depth is a layered security strategy (e.g., firewalls, antivirus, IDS), not a principle that directly addresses user permission levels. Option D is wrong because separation of duties divides critical tasks among multiple people to prevent fraud, not to restrict a single user's system-level access.

34
MCQ · easy

An organization decides to implement multiple security controls, including firewalls, intrusion detection systems, and antivirus software. Which security principle does this represent?

A. Least privilege
B. Defense in depth
C. Risk avoidance
D. Separation of duties
Answer: B

Defense in depth uses multiple layers of controls to protect assets.

Why this answer

Defense in depth uses multiple layers of security controls (here firewalls, intrusion detection systems, and antivirus software) so that no single control failure exposes the asset. Option A (Least privilege) is about limiting access permissions. Option D (Separation of duties) divides critical tasks among different people. Option C (Risk avoidance) eliminates a risk by not engaging in the activity that creates it.

35
Multi-Select · hard

Which THREE of the following are valid security control categories based on function? (Select THREE.)

Select 3 answers
A. Corrective
B. Detective
C. Passive
D. Reactive
E. Preventive
Answers: A, B, E

Correct. Corrective controls remediate damage after an incident.

Why this answer

Preventive, detective, and corrective controls are standard functional categories. Reactive and passive are not recognized as primary control categories.

36
MCQ · hard

A security operations center (SOC) analyst is investigating an alert about a user downloading a suspicious file. The analyst opens the file on a sandboxed virtual machine and observes that it attempts to modify registry keys and establish persistence. This type of analysis is known as:

A. Dynamic analysis
B. Static analysis
C. Reverse engineering
D. Threat hunting
Answer: A

Running the sample in a sandbox to observe behavior is dynamic analysis.

Why this answer

Dynamic analysis involves executing a suspicious file in a controlled environment, such as a sandboxed virtual machine, to observe its runtime behavior. In this scenario, the analyst runs the file and directly observes registry modifications and persistence mechanisms, which are characteristic of dynamic analysis. This approach captures actual system interactions that static analysis cannot reveal.

Exam trap

ISC2 often tests the distinction between dynamic and static analysis, and the trap here is that candidates may confuse 'reverse engineering' (which includes both static and dynamic methods) with the specific act of executing a file to observe behavior, leading them to select reverse engineering instead of the more precise dynamic analysis.

How to eliminate wrong answers

Option B is wrong because static analysis examines the file without executing it, typically by inspecting its binary structure, strings, or metadata, not by observing runtime behavior like registry changes. Option C is wrong because reverse engineering is a broader process that often includes static and dynamic techniques to understand a program's logic, but the specific act of running the file in a sandbox to observe behavior is dynamic analysis, not reverse engineering itself. Option D is wrong because threat hunting is a proactive search for indicators of compromise across an environment, not the analysis of a single file in a sandbox.

37
MCQ · hard

An analyst is reviewing a series of failed login attempts from multiple IP addresses targeting a single user account. This pattern is indicative of what type of attack?

A. Password spraying
B. Keylogging
C. Brute force
D. Credential stuffing
Answer: A

Password spraying uses multiple sources and common passwords to avoid detection.

Why this answer

Password spraying involves an attacker attempting a small number of common passwords (e.g., 'Password123', 'Welcome1') against many user accounts, or in this case, multiple IP addresses targeting a single user account. This pattern avoids account lockout thresholds by keeping attempts per IP low, making it distinct from brute force attacks that hammer a single account with many passwords from one source.

Exam trap

ISC2 often tests the distinction between password spraying and brute force by describing the number of IPs versus the number of passwords tried, so the trap here is confusing a distributed low-rate attack (password spraying) with a high-rate single-source attack (brute force).

How to eliminate wrong answers

Option B is wrong because keylogging requires malware to capture keystrokes on the user's device, not failed login attempts from multiple IP addresses. Option C is wrong because a brute force attack typically targets a single account with many password attempts from one or few IPs, not a low number of attempts from many IPs. Option D is wrong because credential stuffing uses previously leaked username/password pairs from other breaches, not a small set of common passwords tried across many IPs.

38
MCQ · hard

An organization's incident response plan specifies containment, eradication, and recovery phases. During containment, the team isolates a compromised server from the network. However, the server is a domain controller. What is the PRIMARY risk of this action?

A. Data loss on the server
B. Violation of chain of custody
C. Propagation of malware to other systems
D. Loss of authentication services
Answer: D

Domain controllers provide authentication; isolating them disrupts network logins.

Why this answer

Isolating a domain controller from the network prevents it from processing authentication requests (Kerberos and NTLM), which halts user logins, resource access, and group policy updates across the domain. This loss of authentication services is the primary risk because the domain controller is the authoritative source for identity verification in Active Directory.

Exam trap

The trap here is that candidates may focus on the general containment goal of stopping malware spread (Option C) rather than recognizing that isolating a domain controller specifically cripples the authentication infrastructure, which is the most critical and immediate risk.

How to eliminate wrong answers

Option A is wrong because data loss on the server is not the primary risk; domain controllers store Active Directory databases (NTDS.dit), but isolation does not inherently cause data loss—it prevents replication and authentication. Option B is wrong because chain of custody relates to preserving evidence for forensic analysis, not to the immediate operational impact of isolating a domain controller. Option C is wrong because propagation of malware to other systems is the very risk containment aims to prevent; isolating the server stops further spread, not causes it.

39
MCQ · medium

After a security breach, it was discovered that an attacker used a stolen certificate to sign malicious code. Which security principle was compromised?

A. Integrity
B. Non-repudiation
C. Confidentiality
D. Availability
Answer: B

Correct. The certificate's owner can deny signing the malicious code.

Why this answer

Non-repudiation ensures that an entity cannot deny having performed an action, such as signing code. When an attacker uses a stolen certificate to sign malicious code, the legitimate owner of the certificate cannot deny the signature, because the cryptographic proof (the digital signature) is bound to the certificate. This compromises the principle of non-repudiation, as the signature can no longer be reliably attributed to the intended signer.

Exam trap

ISC2 often tests the distinction between integrity and non-repudiation, where candidates mistakenly think that a stolen certificate only affects data integrity, but the core issue is the inability to prove who signed the code.

How to eliminate wrong answers

Option A is wrong because integrity ensures data has not been altered, but the breach here involves the misuse of a certificate for signing, not the modification of data. Option C is wrong because confidentiality protects data from unauthorized access, whereas the stolen certificate was used to sign code, not to read or expose secret information. Option D is wrong because availability ensures systems are accessible when needed, and the breach did not cause a denial of service or system unavailability.

40
MCQ · medium

During a security assessment, a penetration tester captures unencrypted credentials over the network. Which protocol is most likely being used?

A. SMTPS
B. SSH
C. FTP
D. HTTPS
Answer: C

FTP sends username and password in plaintext over the network.

Why this answer

FTP (File Transfer Protocol) transmits data, including credentials, in cleartext over the network. When a penetration tester captures unencrypted credentials, FTP is a likely candidate because it does not encrypt the authentication process, making it vulnerable to packet sniffing attacks.

Exam trap

ISC2 often tests the distinction between protocols that use encryption (like HTTPS, SSH, SMTPS) and those that do not (like FTP, Telnet, HTTP), and the trap here is that candidates may confuse FTP with its secure variants (FTPS or SFTP) or assume all file transfer protocols are encrypted.

How to eliminate wrong answers

Option A is wrong because SMTPS (SMTP over SSL/TLS) encrypts the entire communication channel, preventing credentials from being transmitted in cleartext. Option B is wrong because SSH (Secure Shell) provides encrypted remote login and file transfer, ensuring credentials are never sent unencrypted. Option D is wrong because HTTPS (HTTP over SSL/TLS) encrypts HTTP traffic, including any form-based authentication, so credentials are protected from sniffing.

41
MCQ · medium

You are a SOC analyst for a financial institution. At 2:00 AM, your SIEM generates a critical alert from the email security gateway indicating that an internal user received a phishing email with a malicious attachment. The email was delivered to the user's inbox, and the user's account activity logs show that the attachment was opened 10 minutes ago. The user is a junior accountant who works in the accounts payable department. You have access to endpoint detection tools, email logs, and network traffic data. The organization's incident response policy requires containment within 30 minutes of detection. Which action should you take FIRST?

A. Isolate the user's workstation from the network to prevent lateral movement.
B. Scan the user's workstation with antivirus software.
C. Block the sender's email address at the email gateway.
D. Send an email to the user instructing them to delete the email.
Answer: A

Isolation contains the incident quickly, as per policy.

Why this answer

The incident response policy requires containment within 30 minutes. Isolating the workstation (e.g., via network access control or disabling the switch port) immediately stops any ongoing malicious activity, such as command-and-control communication or lateral movement, which is the highest priority after detection. This aligns with the NIST SP 800-61 containment strategy and the SANS PICERL model, where containment precedes eradication and recovery.

Exam trap

ISC2 often tests the principle that containment must happen before any eradication or recovery steps, so candidates mistakenly choose scanning or blocking the sender because they focus on the email vector rather than the active compromise on the endpoint.

How to eliminate wrong answers

Option B is wrong because scanning with antivirus is an eradication step that should only occur after containment; the malware may already be executing, and scanning could trigger further malicious actions or alert the attacker. Option C is wrong because blocking the sender's email address is a preventive measure that does not address the already-opened attachment and active compromise on the user's workstation. Option D is wrong because instructing the user to delete the email is ineffective and dangerous—the attachment has already been opened, and the user may be compromised, so relying on user action wastes critical containment time.

42
Drag & Drop · medium

Drag and drop the steps for the incident response process according to NIST into the correct order.


Why this order

NIST incident response lifecycle: Preparation, Detection and Analysis, Containment/Eradication/Recovery, Post-Incident Activity.

43
Drag & Drop · medium

Drag and drop the steps to create a new VLAN on a managed switch into the correct order.


Why this order

VLAN creation involves creating the VLAN, naming it, and assigning ports.

44
MCQ · hard

Your organization runs a critical e-commerce platform on a private cloud. The database server is located in a data center in a seismic zone. The current DR plan uses a warm site with daily differential backups and a 12-hour RTO. A recent earthquake caused a power outage but no physical damage. The database corruption was discovered after 6 hours. The backups from last night are intact but restoring involves applying transaction logs. The RTO is now at risk. What should be done FIRST?

A. Fail over to the warm site immediately without data restoration.
B. Perform a point-in-time recovery using the last full backup and all transaction logs.
C. Initiate the warm site recovery by restoring the latest differential backup onto standby servers.
D. Restore the last full backup and then apply all subsequent differential and log backups.
Answer: C

Fastest recovery option given the warm site setup.

Why this answer

Option C is correct because the immediate priority is to restore the latest differential backup onto the warm site's standby servers. This approach minimizes recovery time by applying only the changes since the last full backup, directly addressing the RTO risk. The warm site is already prepared, and restoring the differential backup is the fastest path to operational readiness without the overhead of full backup restoration or log replay.

Exam trap

ISC2 often tests the misconception that point-in-time recovery or full backup restoration is always the safest first step, but in a time-critical DR scenario with intact differential backups, the fastest recovery path is to restore the latest differential backup to meet RTO.

How to eliminate wrong answers

Option A is wrong because failing over without data restoration would result in a stale or inconsistent database state, likely causing data loss and application errors. Option B is wrong because performing a point-in-time recovery using the last full backup and all transaction logs is time-consuming and would exceed the RTO; it is not the first action when a faster differential restore is available. Option D is wrong because restoring the last full backup before applying differential and log backups adds unnecessary steps and time, increasing the risk of RTO breach when the latest differential backup alone can be restored directly.

45
MCQ · medium

Refer to the exhibit. Given the ACL shown, which traffic is allowed to reach 10.0.0.1?

A. No traffic is allowed.
B. HTTP and HTTPS only.
C. Only traffic from the internal network.
D. All TCP traffic from any source.
Answer: B

Permit statements for ports 80 and 443 allow HTTP and HTTPS.

Why this answer

The ACL permits TCP traffic to destination 10.0.0.1 with destination port numbers 80 (HTTP) and 443 (HTTPS). Since the ACL ends with an implicit deny any, only HTTP and HTTPS traffic is allowed to reach 10.0.0.1. Option B is correct because the ACL explicitly permits these two services.

Exam trap

ISC2 often tests the implicit deny any at the end of ACLs, leading candidates to forget that only explicitly permitted traffic is allowed, and that the ACL does not block traffic based on source network unless specified.

How to eliminate wrong answers

Option A is wrong because the ACL does permit some traffic (HTTP and HTTPS), so it is not true that no traffic is allowed. Option C is wrong because the ACL does not filter based on source network; it permits traffic from any source as long as the destination and port match. Option D is wrong because the ACL only permits TCP traffic to ports 80 and 443, not all TCP traffic.

46
MCQ · medium

A company uses a proxy server for internet access. Employees can browse websites (HTTP/HTTPS), but they cannot connect to external FTP servers using FTP client software (e.g., FileZilla). The proxy is configured to allow HTTP and HTTPS only. The security team wants to allow FTP while maintaining security (e.g., logging and filtering). The FTP traffic is used for occasional file transfers with partners. Which of the following is the BEST solution to meet both requirements?

A. Install a separate FTP proxy in the DMZ and adjust firewall rules to allow FTP traffic to that proxy.
B. Use SSH tunneling to encapsulate FTP traffic over SSH to a jump server.
C. Configure the proxy to allow FTP traffic by adding FTP as an allowed protocol.
D. Enable FTP passive mode on the proxy.
Answer: A

An FTP proxy can inspect and log FTP traffic, and being in the DMZ adds security; firewall rules can restrict access.

Why this answer

Option A is correct because deploying a dedicated FTP proxy in the DMZ allows the security team to inspect, log, and filter FTP traffic while keeping the existing HTTP/HTTPS proxy unchanged. Firewall rules can be tightened to permit FTP only to that proxy, which then forwards connections to external FTP servers, maintaining a secure, auditable chokepoint without exposing internal clients directly to FTP.

Exam trap

ISC2 often tests the misconception that a standard HTTP/HTTPS proxy can be extended to handle FTP by simply enabling a setting, when in reality FTP requires a separate application-layer proxy due to its distinct control/data channel architecture and protocol semantics.

How to eliminate wrong answers

Option B is wrong because SSH tunneling encapsulates FTP traffic but does not provide native logging or filtering of FTP commands and data; it bypasses the proxy and creates an encrypted tunnel that the security team cannot inspect, defeating the requirement for logging and filtering. Option C is wrong because standard HTTP/HTTPS proxies cannot natively proxy FTP protocol; they lack support for FTP command channels and data connections, and simply adding 'FTP as an allowed protocol' is not technically feasible without an FTP-specific proxy module or separate FTP proxy. Option D is wrong because enabling FTP passive mode on the proxy does not solve the core issue; passive mode is a client-server configuration that changes how data connections are established, but the proxy still cannot proxy FTP traffic unless it is specifically designed to handle FTP protocol.

47
MCQ · easy

Which of the following is a primary goal of security operations?

A. Minimize user complaints
B. Increase network speed
C. Reduce attack surface
D. Ensure compliance with marketing standards
Answer: C

Security operations aim to reduce vulnerabilities and exposure.

Why this answer

Reducing the attack surface is a primary goal of security operations because it minimizes the number of potential entry points an attacker can exploit. By disabling unnecessary services, applying strict access controls, and segmenting networks, the organization lowers its risk of compromise. This directly supports the core security operations objective of protecting assets and maintaining confidentiality, integrity, and availability.

Exam trap

ISC2 often tests the misconception that security operations is about user satisfaction or performance optimization, when in fact its primary goal is risk reduction through attack surface minimization.

How to eliminate wrong answers

Option A is wrong because minimizing user complaints is a usability or helpdesk goal, not a primary security operations objective; security operations may even increase user friction (e.g., requiring MFA) to enforce security. Option B is wrong because increasing network speed is a performance goal typically handled by network engineering, not security operations; security controls like deep packet inspection can actually reduce speed. Option D is wrong because ensuring compliance with marketing standards is unrelated to security operations; compliance with security standards (e.g., PCI DSS, HIPAA) is relevant, but marketing standards are not a security concern.

48
MCQeasy

A system administrator needs to grant a user the ability to read files in a specific folder but not modify them. Which access control principle should be applied?

A.Role-Based Access Control (RBAC)
B.Least Privilege
C.Separation of Duties (SoD)
D.Mandatory Access Control (MAC)
AnswerB

Least privilege grants only the permissions necessary for the job, such as read-only access.

Why this answer

The principle of Least Privilege dictates that a user should be granted only the minimum permissions necessary to perform their job functions. In this scenario, granting read-only access to a specific folder (e.g., using NTFS 'Read' permission or Linux 'r--' on the directory) ensures the user cannot modify files, directly applying Least Privilege. This prevents accidental or intentional data alteration while still allowing necessary access.

Exam trap

ISC2 often tests the distinction between an access control *model* (like RBAC or MAC) and a security *principle* (like Least Privilege), causing candidates to confuse the mechanism with the overarching goal of minimizing permissions.

How to eliminate wrong answers

Option A is wrong because RBAC is an access control model that assigns permissions based on roles, not a principle that specifically limits permissions to the minimum required; it could still grant excessive permissions if the role is poorly defined. Option C is wrong because Separation of Duties (SoD) is a principle that prevents a single individual from having conflicting responsibilities (e.g., both authorizing and executing a transaction), not a method for limiting file permissions to read-only. Option D is wrong because Mandatory Access Control (MAC) enforces system-wide policies (e.g., using SELinux labels or Windows Integrity Levels) that users cannot override, but it is a model, not the specific principle of granting only the minimum necessary access for a given task.

49
MCQmedium

Refer to the exhibit. An analyst sees many alerts from this IDS rule. What is a likely cause?

A.A web application is vulnerable to SQL injection
B.An attacker is scanning for SQL injection
C.The rule is missing the "flow" keyword
D.The rule is poorly written generating false positives
AnswerD

The rule matches common SQL keywords in normal traffic, causing false positives.

Why this answer

Option D is correct because the IDS rule is likely generating excessive alerts due to poor signature design, such as using overly broad content matches or lacking proper contextual filters. Without the 'flow' keyword to establish session state (e.g., 'to_server, established'), the rule may trigger on any packet containing the SQL pattern, including non-exploit traffic like error messages or benign queries, resulting in false positives.

Exam trap

ISC2 often tests the distinction between a rule triggering due to actual malicious activity versus poor rule design, and the trap here is assuming that many alerts always indicate a real attack (like SQL injection scanning) rather than considering signature quality issues.

How to eliminate wrong answers

Option A is wrong because the alerts are from the IDS rule itself, not from confirmed exploitation; SQL injection vulnerability would require evidence of successful data extraction or error-based responses, not just rule hits. Option B is wrong because scanning for SQL injection typically involves sending multiple crafted payloads to probe endpoints, which would generate fewer, more targeted alerts rather than a high volume of false positives. Option C is wrong because while missing the 'flow' keyword can contribute to false positives, the question asks for the 'likely cause' of many alerts, and a poorly written rule (Option D) is the broader, more direct reason—missing 'flow' is just one specific example of poor rule writing.

50
MCQeasy

A company requires employees to use biometric authentication to access the data center. This is an example of which security principle?

A.Authentication
B.Availability
C.Integrity
D.Non-repudiation
AnswerA

Authentication verifies identity; biometrics is a method.

Why this answer

Correct: A - Authentication. Authentication is the process of verifying the identity of a user, and biometrics is one method. Option D is wrong because non-repudiation ensures actions cannot be denied, not identity verification.

Option B is wrong because availability ensures systems are accessible. Option C is wrong because integrity ensures data accuracy.

51
MCQeasy

Which security control is most effective in preventing unauthorized physical access to a data center?

A.Mantraps.
B.Video surveillance.
C.Biometric door locks.
D.Security guards.
AnswerA

Physically restricts entry to one person at a time.

Why this answer

Mantraps create a double-door system that prevents tailgating, making them highly effective. Other controls like video surveillance and guards are deterrents but less direct at preventing unauthorized entry.

52
MCQmedium

Refer to the exhibit. What is the effect of this ACL?

A.Allows only HTTPS to 10.0.1.100
B.Denies HTTP and HTTPS to 10.0.1.100
C.Allows all traffic to 10.0.1.100
D.Allows HTTP and HTTPS traffic to server 10.0.1.100, denies all other traffic
AnswerD

Correct. The two permit lines allow those protocols; the deny all blocks everything else.

Why this answer

The ACL permits HTTP (port 80) and HTTPS (port 443) traffic from any source to host 10.0.1.100, and explicitly denies all other traffic.

53
Multi-Selectmedium

Which TWO technologies provide network segmentation? (Choose two.)

Select 2 answers
A.Firewalls
B.Hubs
C.Routers with ACLs
D.Switches
E.VLANs
AnswersC, E

Routers can segment networks based on IP addresses and ACLs.

Why this answer

Routers with ACLs (Access Control Lists) provide network segmentation by filtering traffic based on Layer 3 (IP addresses) and Layer 4 (port numbers) criteria, effectively dividing a network into separate security zones or subnets. VLANs (Virtual Local Area Networks) segment a network at Layer 2 by logically grouping devices into separate broadcast domains, even if they share the same physical switch. Both technologies isolate traffic to enforce security policies and reduce attack surfaces.

Exam trap

ISC2 often tests the misconception that switches inherently segment networks, but without VLANs, a standard switch creates a single broadcast domain; the trap is that candidates confuse switching (forwarding) with segmentation (isolation).

54
MCQeasy

Refer to the exhibit. A security analyst sees this log entry from a firewall. What is the most likely reason for this denial?

A.The destination port is not allowed
B.The source IP is blacklisted
C.The access-group is misconfigured
D.The packet is malformed
AnswerA

The access-group denies traffic to the destination port 33456.

Why this answer

The firewall log entry indicates a packet was denied due to a policy violation, and the most common reason for such a denial in a stateful firewall is that the destination port is not permitted by the configured access control list (ACL) or security policy. Firewalls evaluate traffic against rules that specify allowed source/destination IPs, ports, and protocols; if the destination port is not explicitly allowed, the packet is dropped. This is a standard security practice to restrict unauthorized services.

Exam trap

ISC2 often tests the concept that a firewall's default implicit deny will drop traffic if no explicit permit exists for the destination port, leading candidates to incorrectly assume the source IP is blacklisted or the packet is malformed.

How to eliminate wrong answers

Option B is wrong because a blacklisted source IP would typically generate a log with a specific reason such as 'blacklist' or 'reputation', not a generic denial, and the log entry does not indicate a blacklist match. Option C is wrong because a misconfigured access-group would likely cause broader connectivity issues or permit unintended traffic, not a single specific denial; the log entry shows a targeted drop, not a configuration error. Option D is wrong because a malformed packet would usually be dropped by the firewall's stateful inspection or TCP/IP stack with a different log message (e.g., 'invalid packet' or 'TCP flags violation'), not a standard policy denial.

55
MCQeasy

A security administrator needs to ensure that only authorized personnel can access the server room. Which physical control is most appropriate?

A.Mantrap with card reader
B.Keypad lock with a shared code
C.Biometric access control system
D.Video surveillance cameras
AnswerC

Biometric systems authenticate based on unique physical characteristics, ensuring only authorized personnel gain access.

Why this answer

A biometric access control system uses unique biological traits for authentication, providing strong physical security. Keypad locks (B) are less secure because codes can be shared. Video surveillance (D) is detective, not preventive.

Mantraps (A) are used for high-security areas but are more complex and expensive. Biometric access is the best fit for this requirement.

56
MCQhard

A system administrator configured the sudoers file as shown. What is the primary security risk of this configuration?

A.It enables privilege escalation for all users on the system
B.It logs all commands run by admin users, creating a privacy risk
C.It removes the password requirement for sudo, weakening authentication for privileged access
D.It allows any user in the admin group to run commands as any user without a password
AnswerC

The Defaults directive disables authentication, so any admin user can execute commands as root without a password.

Why this answer

Option C is correct because '!authenticate' removes the password requirement for the admin group, which violates the principle of least privilege and authentication. It does not grant passwordless sudo for all users (A) — only the admin group. (B) is a risk, but not as severe as no password. (D) is not implied by the config. The main risk is bypassing authentication.

57
MCQmedium

A company is implementing an access control system to protect sensitive data. Employees in the finance department must access financial records, but only during business hours and from company-issued devices. Which access control model best supports these requirements?

A.Attribute-Based Access Control (ABAC)
B.Rule-Based Access Control (RuBAC)
C.Discretionary Access Control (DAC)
D.Mandatory Access Control (MAC)
AnswerB

RuBAC enforces access based on rules including time and device.

Why this answer

Rule-Based Access Control (RuBAC) is the correct choice because it enforces access decisions based on a set of predefined rules, such as time-of-day restrictions and device compliance. In this scenario, the rules 'business hours only' and 'company-issued devices only' are static conditions that can be implemented as access control rules (e.g., using a firewall ACL or a policy engine) without requiring user attributes or labels. RuBAC is ideal when access is governed by operational policies that are not tied to user identity or data classification.

Exam trap

ISC2 often tests the distinction between RuBAC and ABAC by presenting a scenario with multiple conditions (time, device, location) that seems to require ABAC, but the trap is that if the conditions are static and predefined (not evaluated dynamically from user/object attributes), RuBAC is the simpler and correct model.

How to eliminate wrong answers

Option A is wrong because Attribute-Based Access Control (ABAC) evaluates access based on multiple dynamic attributes (e.g., user role, time, device type, location) using a policy engine, which is more complex than needed for simple static rules; while it could technically enforce these requirements, the question asks for the model that 'best supports' them, and RuBAC is simpler and more direct. Option C is wrong because Discretionary Access Control (DAC) allows resource owners to set permissions at their discretion, which cannot enforce mandatory time-of-day or device restrictions. Option D is wrong because Mandatory Access Control (MAC) enforces access based on system-wide labels (e.g., security clearance and classification), not on time or device attributes, and is typically used in high-security environments like military systems.

58
MCQhard

Refer to the exhibit. The network administrator configured NAT as shown. Internal hosts can access the internet, but no external hosts can access the company's web server (192.168.1.10). What is the issue?

A.The static NAT is being overridden by the dynamic NAT
B.The outside interface should be the inside interface
C.The web server is not in the access-list
D.The pool includes the static IP causing conflict
AnswerD

The pool range includes 200.100.50.1, which is already used by the static NAT, causing a conflict.

Why this answer

The correct answer is D because the dynamic NAT pool includes the IP address 192.168.1.10, which is also used for the static NAT mapping to the web server. When a packet arrives from the internet destined for the static NAT address, the router first checks dynamic NAT entries and may assign that address from the pool to an internal host, causing a conflict and preventing the static translation from being applied. This is a classic IP address overlap issue where the pool should exclude the static NAT address.

Exam trap

ISC2 often tests the misconception that static NAT always overrides dynamic NAT, but the trap here is that an overlapping pool address causes a conflict that prevents the static translation from being installed, not a priority issue.

How to eliminate wrong answers

Option A is wrong because static NAT entries have higher priority than dynamic NAT entries in Cisco IOS; the static mapping is not overridden by dynamic NAT unless there is an address conflict, which is the actual issue. Option B is wrong because the outside and inside interface designations are correct for NAT operation: the inside interface connects to the internal network (192.168.1.0/24) and the outside interface connects to the internet; swapping them would break internal host access. Option C is wrong because the access-list is used to match traffic for dynamic NAT translation, not for static NAT; static NAT does not require an access-list to permit the web server's traffic.

59
MCQeasy

Which access control model allows the owner of a resource to decide who can access it?

A.Mandatory Access Control (MAC)
B.Role-Based Access Control (RBAC)
C.Attribute-Based Access Control (ABAC)
D.Discretionary Access Control (DAC)
AnswerD

DAC allows resource owners to set permissions at their discretion.

Why this answer

Discretionary Access Control (DAC) allows the owner of a resource to determine who can access it and with what permissions. In DAC, the resource creator or authorized owner can grant or revoke access rights to other subjects, typically through access control lists (ACLs) or file permissions. This model is commonly implemented in operating systems like Windows NTFS and Linux file systems, where the owner sets read, write, or execute permissions.

Exam trap

ISC2 often tests the distinction between DAC and MAC by presenting a scenario where a user can change permissions on their own files, and candidates mistakenly choose MAC because they confuse 'mandatory' with 'owner-controlled' or think MAC allows user discretion.

How to eliminate wrong answers

Option A is wrong because Mandatory Access Control (MAC) enforces access decisions based on system-wide security labels (e.g., classifications like Top Secret) and does not allow resource owners to change permissions; only administrators or the system can. Option B is wrong because Role-Based Access Control (RBAC) assigns permissions based on predefined roles (e.g., 'Manager' or 'Auditor'), not at the discretion of the resource owner. Option C is wrong because Attribute-Based Access Control (ABAC) uses policies that evaluate attributes of the user, resource, and environment (e.g., time of day, location) to grant access, and the resource owner does not have direct control over individual access decisions.

60
Multi-Selectmedium

Which THREE of the following are core principles of the CIA triad?

Select 3 answers
A.Confidentiality
B.Integrity
C.Non-repudiation
D.Accountability
E.Availability
AnswersA, B, E

Confidentiality ensures data is accessible only to authorized persons.

Why this answer

Options A, B, and E are correct: confidentiality, integrity, and availability are the three pillars. Non-repudiation (C) and accountability (D) are related but not part of the CIA triad.

61
Matchingmedium

Match each security control type to its description.

Matches

Discourages potential attackers

Blocks unauthorized access

Identifies and logs incidents

Restores after an incident

Alternative control when primary is not feasible

Why these pairings

These are common categories of security controls per NIST and ISC2.

62
Multi-Selecthard

Which THREE of the following are characteristics of a stateful firewall? (Select exactly three.)

Select 3 answers
A.It can automatically allow return traffic for outbound connections
B.It maintains a state table of active connections
C.It inspects application-layer payloads
D.It filters packets based solely on source/destination IP and port
E.It makes filtering decisions based on the context of traffic flows
AnswersA, B, E

Stateful firewalls permit return traffic for established sessions.

Why this answer

A stateful firewall automatically allows return traffic for outbound connections because it tracks the state of each connection in a state table. When a packet from an internal host initiates an outbound TCP connection (e.g., SYN), the firewall creates an entry in the state table. When the corresponding return packet (e.g., SYN-ACK) arrives, the firewall checks the state table and permits it without needing an explicit inbound rule, as it recognizes the packet as part of an established session.

Exam trap

ISC2 often tests the distinction between stateful and stateless firewalls, and the trap here is that candidates confuse 'stateful' with 'application-layer inspection,' leading them to select option C, when in fact stateful firewalls only track session state at Layers 3 and 4, not the application payload.

63
Multi-Selecthard

Which TWO of the following are primary objectives of an incident response plan? (Choose two.)

Select 2 answers
A.Ensure business continuity during the incident
B.Return affected systems to normal operation
C.Collect evidence for legal proceedings
D.Minimize the impact of the incident
E.Identify the root cause of the incident
AnswersB, D

Recovery is a primary objective of IR.

Why this answer

Option B is correct because a primary objective of an incident response plan is to return affected systems to normal operation. This involves containment, eradication, and recovery steps to restore business functions after a security incident, ensuring the organization can resume operations securely.

Exam trap

ISC2 often tests the distinction between the incident response plan's primary objectives (containment and recovery) and the secondary or post-incident activities (root cause analysis, evidence collection), causing candidates to mistakenly select options like C or E as primary objectives.

64
Multi-Selecteasy

Which TWO are examples of technical access controls?

Select 2 answers
A.Security awareness training
B.Security policies
C.Encryption
D.ID badges
E.Access control lists
AnswersC, E

Encryption is a technical control that protects data confidentiality.

Why this answer

Encryption (C) is a technical access control because it uses cryptographic algorithms (e.g., AES-256, RSA) to transform data into an unreadable format, ensuring that only authorized entities with the correct decryption key can access the original information. This enforces confidentiality and access restrictions at the data level, independent of user behavior or administrative policies.

Exam trap

ISC2 often tests the distinction between administrative, physical, and technical controls, and the trap here is that candidates confuse 'security awareness training' or 'security policies' as technical controls because they are part of a security program, but they are not implemented through technology or code.

65
Multi-Selectmedium

Which TWO of the following are primary goals of the security principle of confidentiality?

Select 2 answers
A.Ensure data accuracy
B.Maintain system uptime
C.Provide user authentication
D.Protect data in transit
E.Prevent unauthorized disclosure
AnswersD, E

Protecting data in transit from interception is part of confidentiality.

Why this answer

Correct: D and E. Confidentiality ensures data is not disclosed to unauthorized parties, covering both storage and transmission. Data accuracy (integrity), system uptime (availability), and identity verification (authentication) are not confidentiality goals.

66
Matchingmedium

Match each cryptographic concept to its definition.

Matches

Same key for encrypt and decrypt

Key pair: public and private

One-way transformation to fixed size

Ensures authenticity and non-repudiation

Binds a public key to an identity

Why these pairings

These are core cryptography concepts for the CC exam.

67
MCQeasy

Which of the following is an example of a detective control in a security operations context?

A.Installing a security patch to fix a vulnerability.
B.Reviewing audit logs for suspicious activity.
C.Requiring multi-factor authentication for remote access.
D.Firewall rules blocking unauthorized traffic.
AnswerB

Audit log review detects incidents that have already happened.

Why this answer

Detective controls are designed to identify and alert on security incidents after they have occurred. Reviewing audit logs for suspicious activity is a classic detective control because it involves examining historical records to detect unauthorized access or anomalies. In contrast, preventive controls like patching, MFA, and firewall rules aim to stop incidents before they happen.

Exam trap

ISC2 often tests the distinction between preventive and detective controls, and the trap here is that candidates confuse 'blocking' or 'preventing' actions (like patching or firewalls) with detective controls that only monitor and alert after the fact.

How to eliminate wrong answers

Option A is wrong because installing a security patch is a corrective control that fixes a known vulnerability, not a detective control that identifies ongoing or past threats. Option C is wrong because requiring multi-factor authentication is a preventive control that verifies identity before granting access, not a detective measure. Option D is wrong because firewall rules blocking unauthorized traffic is a preventive control that enforces access policies at the network layer, not a detective control that reviews events after the fact.

68
Multi-Selecteasy

An organization wants to protect against man-in-the-middle attacks on a switched network. Which TWO measures should be implemented? (Choose two.)

Select 2 answers
A.BPDU guard
B.Port security
C.DHCP Snooping
D.Storm control
E.Dynamic ARP Inspection (DAI)
AnswersC, E

DHCP Snooping builds a binding table to prevent rogue DHCP servers.

Why this answer

C is correct because DHCP Snooping filters untrusted DHCP messages on access ports, preventing a rogue DHCP server from assigning malicious IP configurations that enable man-in-the-middle attacks. E is correct because Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP Snooping binding table, blocking spoofed ARP replies that would redirect traffic through an attacker.

Exam trap

ISC2 often tests the distinction between Layer 2 attack mitigation features, and the trap here is that candidates confuse BPDU guard or port security with ARP/DHCP protections, not realizing that MITM attacks specifically require validation of IP-to-MAC bindings.

69
MCQmedium

A company needs to enforce access based on attributes such as time of day and location. Which access control model is most appropriate?

A.Attribute-Based Access Control (ABAC)
B.Mandatory Access Control (MAC)
C.Discretionary Access Control (DAC)
D.Role-Based Access Control (RBAC)
AnswerA

ABAC evaluates policies based on subject and object attributes.

Why this answer

Attribute-Based Access Control (ABAC) is the correct choice because it evaluates policies based on multiple attributes (e.g., time of day, location, user role, device type) at runtime. This allows fine-grained, context-aware access decisions, such as permitting access only during business hours from a corporate office. ABAC uses a policy engine to evaluate attribute-based rules, making it ideal for dynamic environments where access depends on environmental conditions.

Exam trap

ISC2 often tests the distinction between RBAC and ABAC by presenting a scenario with dynamic attributes (like time/location) — candidates mistakenly choose RBAC because they associate roles with access control, but RBAC cannot evaluate contextual attributes without additional mechanisms.

How to eliminate wrong answers

Option B (MAC) is wrong because it enforces access based on fixed security labels (e.g., classification levels like Top Secret) assigned by a central authority, not on dynamic attributes like time or location. Option C (DAC) is wrong because it allows resource owners to set permissions at their discretion, which lacks the centralized, attribute-driven policy enforcement needed for time- and location-based controls. Option D (RBAC) is wrong because it grants access based solely on predefined roles (e.g., manager, employee), not on contextual attributes such as time of day or geographic location.

70
MCQhard

A company uses a stateful firewall. A user reports that an application requiring multiple dynamic ports is not working. The firewall logs show that packets from the server are being dropped. What is the most likely cause?

A.The firewall is only allowing packets that match an established session, but the application's control channel is not being tracked correctly.
B.The firewall does not have a rule allowing inbound traffic for the application.
C.The firewall is not inspecting application-layer data.
D.The firewall's state table is full and cannot track new sessions.
AnswerA

The firewall may not associate the data channel with the control session if it does not inspect the application protocol.

Why this answer

A stateful firewall tracks sessions by monitoring the control channel. For applications like FTP that use dynamic ports, the firewall must inspect the control channel to dynamically open pinholes for data channels. If the control channel is not tracked correctly, the firewall will not recognize the data channel packets as part of an established session and will drop them, even if the initial control session was allowed.

Exam trap

ISC2 often tests the misconception that a stateful firewall automatically handles all dynamic port protocols, when in fact it requires proper ALG configuration to inspect control channel payloads for port negotiation.

How to eliminate wrong answers

Option B is wrong because if the firewall lacked a rule allowing inbound traffic for the application, the initial control channel packets would also be dropped, not just the data channel packets. Option C is wrong because while the firewall may not be inspecting application-layer data, the core issue is specifically about stateful tracking of the control channel; lack of application-layer inspection would affect other protocols like HTTP or SMTP, not the dynamic port negotiation. Option D is wrong because a full state table would prevent new sessions entirely, not selectively drop packets from an existing session's data channel.

71
MCQhard

An organization uses Active Directory and wants to grant a group of temporary interns access to a shared folder for exactly 30 days. Which access control approach is most efficient?

A.Use a group managed service account with a 30-day password expiration.
B.Create a security group with a time-based membership that expires automatically after 30 days.
C.Assign each intern directly to the folder permissions and set a calendar reminder to revoke.
D.Create a security group, add interns, and manually remove them after 30 days.
AnswerB

Time-based group membership automates access lifecycle, aligning with least privilege.

Why this answer

Option B is correct because Active Directory supports time-based group membership via the `memberTimeToLive` attribute (introduced in Windows Server 2016 and later), which allows a security group to be configured so that members are automatically removed after a specified duration. This eliminates manual intervention and ensures the interns lose access exactly after 30 days without requiring password changes or calendar reminders.

Exam trap

ISC2 often tests the misconception that manual processes (like calendar reminders or manual removal) are acceptable for temporary access, when in fact Active Directory provides an automated, policy-driven mechanism (time-based group membership) that is both more efficient and more secure.

How to eliminate wrong answers

Option A is wrong because a Group Managed Service Account (gMSA) is designed for automated service identity management, not for granting user access to shared folders; password expiration on a gMSA does not control user permissions and is unrelated to folder access. Option C is wrong because assigning each intern directly to folder permissions violates the principle of least administrative effort and scalability; it also relies on a fallible calendar reminder rather than an automated, policy-driven mechanism. Option D is wrong because manually removing members after 30 days is inefficient, error-prone, and does not leverage Active Directory's built-in time-based membership feature, which is specifically designed to automate this exact scenario.

72
Multi-Selectmedium

Which THREE of the following are key objectives of a security risk management program?

Select 3 answers
A.Assess risks
B.Identify risks
C.Implement intrusion detection systems
D.Encrypt all data at rest
E.Mitigate risks
AnswersA, B, E

Risk assessment determines impact and likelihood.

Why this answer

Correct: Assess risks (A), identify risks (B), and mitigate risks (E) are core steps of a risk management program. Options C and D are specific technical controls, not overarching objectives.

73
MCQmedium

A financial company requires that any transaction over $10,000 must be approved by two different managers before being processed. This is an example of which access control principle?

A.Least Privilege
B.Need-to-Know
C.Dual Control
D.Separation of Duties
AnswerD

SoD ensures that no single individual has complete control over a sensitive process by requiring multiple approvals.

Why this answer

The requirement for two different managers to approve a transaction over $10,000 enforces Separation of Duties (SoD). This access control principle ensures that no single individual has the authority to execute a high-risk action alone, thereby preventing fraud or error by splitting critical tasks across multiple roles. In this scenario, one manager cannot both initiate and approve the transaction, which directly aligns with SoD's goal of distributing responsibility.

Exam trap

ISC2 often tests the distinction between Dual Control and Separation of Duties, where Dual Control implies simultaneous action (e.g., two keys turned together) while Separation of Duties implies sequential or divided responsibilities, causing candidates to mistakenly choose Dual Control when the question describes sequential approval.

How to eliminate wrong answers

Option A (Least Privilege) is wrong because it focuses on granting users only the minimum permissions needed to perform their job, not on requiring multiple approvals for a single action. Option B (Need-to-Know) is wrong because it restricts access to data based on necessity for a specific task, not on enforcing collaborative authorization for transactions. Option C (Dual Control) is wrong because while it involves two individuals, it is a subset of Separation of Duties that specifically requires simultaneous action (e.g., two keys turned at once), whereas the question describes sequential approval by two managers, which is classic Separation of Duties.

74
MCQhard

After a security incident, the incident response team closes the case. What is the MOST important final step to improve future security posture?

A.Revoke all compromised credentials
B.Patch all systems
C.Restore all systems from backup
D.Conduct a post-incident review and update policies
AnswerD

Ensures continuous improvement.

Why this answer

Option D is correct because the post-incident review (often called a lessons-learned meeting) is the final step that analyzes root causes, identifies gaps in detection or response, and drives updates to policies, playbooks, and security controls. Without this review, the same vulnerability or misconfiguration could be exploited again, even if immediate containment steps like credential revocation or patching were performed. The goal is to close the incident with a feedback loop that improves the overall security posture, not just restore operations.

Exam trap

ISC2 often tests the distinction between immediate remediation steps (like patching or credential revocation) and the final continuous improvement step (post-incident review), trapping candidates who confuse containment/recovery with the ultimate goal of preventing future incidents.

How to eliminate wrong answers

Option A is wrong because revoking compromised credentials is a containment step performed during the early stages of incident response, not the final step; it does not address underlying vulnerabilities or process improvements. Option B is wrong because patching all systems is a remediation action that may be necessary but is not the final step—it focuses on technical fixes without analyzing why the incident occurred or updating policies to prevent recurrence. Option C is wrong because restoring systems from backup is a recovery step that returns operations to normal but does not provide any insight into the incident's root cause or lead to long-term security improvements.

75
MCQeasy

A help desk technician receives a report that a user cannot access a shared network drive. The technician checks the file server and sees that the disk is full. What is the most immediate action the technician should take?

A.Reboot the file server
B.Free up space by deleting unnecessary files or moving data
C.Run antivirus scan
D.Increase disk quota
AnswerB

This directly addresses the root cause (disk full) and can quickly restore access.

Why this answer

Option B is correct because freeing up space restores access. The other options are either not immediate or do not directly address the disk full issue.
