ISC2 Certified in Cybersecurity CC (CC) — Questions 676–750

984 questions total · 14 pages · All types, answers revealed


Page 10 of 14

676 · MCQ · easy

Which principle of the CIA triad ensures that data is not disclosed to unauthorized individuals?

A. Authentication
B. Confidentiality
C. Integrity
D. Availability
Answer: B

Confidentiality protects data from unauthorized access and disclosure.

Why this answer

Confidentiality is the principle that prevents unauthorized disclosure of information.

677 · MCQ · hard

A company's network uses 802.1X authentication with PEAP-MSCHAPv2 on wired ports. Users report that after a recent switch firmware update, some workstations fail to authenticate intermittently, while others work fine. The authentication server logs show 'Authentication failed: Unknown CA certificate' for affected workstations. What is the most likely cause?

A. The switch is now using a different certificate that is not trusted by the clients
B. The switch is not forwarding EAP packets properly due to a firmware bug
C. The RADIUS shared secret was changed during the firmware update
D. The authentication server (NPS) is overloaded and dropping requests
Answer: A

The firmware update may have changed the certificate presented by the switch, and clients do not trust it.

Why this answer

The error 'Unknown CA certificate' indicates that the client does not trust the certificate presented by the RADIUS server during PEAP-MSCHAPv2 authentication. After a switch firmware update, the switch may have been reconfigured to use a different server certificate (e.g., a self-signed or internally issued certificate) that is not in the trusted root store of the affected workstations. Since PEAP requires the client to validate the server certificate, a mismatch causes intermittent authentication failures.

Exam trap

ISC2 often tests the distinction between authentication failures caused by certificate trust issues versus RADIUS shared secret mismatches, trapping candidates who confuse server-side RADIUS configuration with client-side certificate validation.

How to eliminate wrong answers

Option B is wrong because if the switch were not forwarding EAP packets properly, the authentication would fail consistently for all clients, not intermittently, and the error would likely be a timeout or EAP failure, not a certificate-specific error. Option C is wrong because the RADIUS shared secret is used for encrypting RADIUS traffic between the switch (NAS) and the authentication server; changing it would cause authentication failures for all users, not just some workstations, and the error would be a RADIUS authentication failure, not a certificate error. Option D is wrong because an overloaded NPS would result in timeouts or dropped requests, not a specific 'Unknown CA certificate' error, which is a client-side certificate validation issue.

678 · MCQ · hard

A financial institution requires near-instantaneous recovery of its trading platform after a disaster. The recovery time objective (RTO) is 2 hours, and the recovery point objective (RPO) is 15 minutes. Which recovery site strategy best meets these requirements?

A. Reciprocal agreement
B. Warm site
C. Cold site
D. Hot site
Answer: D

Hot sites have real-time replication and can achieve an RTO of hours and an RPO of minutes.

Why this answer

A hot site mirrors the production environment continuously, allowing recovery within hours and minimal data loss.

679 · MCQ · medium

A company experiences a ransomware attack that encrypts all files on a critical server. The backup strategy includes nightly backups stored on a separate network. What should be the first action during recovery?

A. Restore all files from the most recent backup.
B. Isolate the affected server from the network.
C. Verify the integrity and availability of the backup data.
D. Report the incident to law enforcement.
Answer: C

Ensures the backup is not compromised before restoring.

Why this answer

Option C is correct because before any recovery action, you must verify that the backup data is intact, uncorrupted, and free from the ransomware. If the backup itself is encrypted or compromised, restoring it would re-infect the environment. This step aligns with the 3-2-1 backup rule and ensures the recovery point is clean.

Exam trap

ISC2 often tests the misconception that the first recovery step is to restore data, but the trap is that you must first confirm the backup is clean to avoid restoring the ransomware itself.

How to eliminate wrong answers

Option A is wrong because restoring immediately from the most recent backup risks restoring encrypted files if the backup was taken after the ransomware began encrypting, or if the backup itself is compromised. Option B is wrong because isolating the server is a containment step, not the first action during recovery; containment should have already occurred before recovery begins. Option D is wrong because reporting to law enforcement is a post-recovery or parallel action, not the first step in technical recovery, and does not address data restoration.

680 · MCQ · easy

Based on the incident log, at which step did the incident response team contain the threat?

A. 14:30 - Scanned system, detected Trojan.Downloader
B. 14:45 - Removed malware via AV
C. 14:25 - Isolated WKS-045 from network
D. 14:35 - Escalated to incident handler
Answer: C

Isolation prevents further spread, containing the threat.

Why this answer

Option C is correct because containment is the immediate step to prevent the threat from spreading, and isolating WKS-045 from the network at 14:25 achieves this by cutting off its network connectivity. This aligns with the NIST SP 800-61 incident response lifecycle, where containment is prioritized before eradication or recovery. The log shows isolation occurred before scanning or removal, making it the correct containment action.

Exam trap

ISC2 often tests the distinction between containment and eradication, where candidates mistakenly choose removal (Option B) as containment, but containment must stop the spread before any cleanup occurs.

How to eliminate wrong answers

Option A is wrong because scanning the system and detecting Trojan.Downloader at 14:30 is a detection and analysis step, not containment; containment must happen before or concurrently with analysis to stop lateral movement. Option B is wrong because removing malware via AV at 14:45 is an eradication step, which occurs after containment to eliminate the threat from the isolated system. Option D is wrong because escalating to the incident handler at 14:35 is a communication and coordination step, not a technical containment action; it does not directly stop the threat from spreading.

681 · MCQ · medium

A company implements a visitor management policy requiring all visitors to sign in, wear a badge, and be escorted. Which access control principle does this primarily support?

A. Separation of duties
B. Defense in depth
C. Need-to-know
D. Least privilege
Answer: B

Multiple controls (sign-in, badge, escort) create layered security.

Why this answer

Visitor management controls physical access and supports defense in depth by adding layers.

682 · MCQ · medium

A security engineer is designing a network for a small business that needs to segregate guest Wi-Fi from the internal corporate network. The guest network should have internet access only, with no access to internal resources. Which of the following is the BEST design approach?

A. Implement MAC address filtering on the access point to allow only known devices.
B. Connect the guest Wi-Fi to the internet through a separate router that does not have routes to the internal network.
C. Use a single VLAN with a DHCP server that assigns different IP ranges to guests and employees.
D. Place the guest Wi-Fi on a separate VLAN with a firewall rule blocking traffic to internal subnets.
Answer: D

This creates logical isolation and allows granular control over traffic between VLANs.

Why this answer

Option D is the best approach because placing the guest Wi-Fi on a separate VLAN and applying a firewall rule to block traffic to internal subnets provides both logical segmentation and access control. This ensures that guest traffic is isolated at Layer 2 (VLAN) and Layer 3/4 (firewall), preventing any unauthorized access to the corporate network while still allowing internet connectivity through a default route.

Exam trap

ISC2 often tests the misconception that simply using different IP subnets on the same VLAN provides security, when in fact true isolation requires separate VLANs or firewall rules to prevent Layer 2 communication.

How to eliminate wrong answers

Option A is wrong because MAC address filtering only controls which devices can associate with the access point; it does not prevent those devices from accessing internal resources once connected, nor does it scale or provide security against MAC spoofing. Option B is wrong because using a separate router for guest Wi-Fi is unnecessarily complex and costly for a small business; it also fails to leverage existing infrastructure and can lead to routing misconfigurations if not carefully managed, whereas a single router with VLANs and firewall rules achieves the same goal more efficiently. Option C is wrong because a single VLAN with different IP ranges does not provide Layer 2 isolation; devices on the same VLAN can communicate directly via ARP and broadcasts, so guests could still reach internal hosts if they are on the same broadcast domain.

683 · MCQ · medium

A company's security policy requires that all employees use strong passwords and change them every 90 days. An employee writes their password on a sticky note and attaches it to their monitor. Another employee sees it and uses it to log into the first employee's account to send a fake email. The security team is conducting a post-incident review. Which security principle failed, and what is the most effective long-term solution to prevent this type of incident?

A. Integrity; conduct annual security awareness training
B. Accountability; implement multi-factor authentication
C. Availability; prohibit sticky notes in the office
D. Confidentiality; enforce 15-character passwords
Answer: B

MFA ensures that a password alone is not sufficient for access.

Why this answer

Correct: The failure is in enforcement of policy and user behavior (accountability). The most effective solution is to implement multi-factor authentication (MFA), Option B, which reduces reliance on passwords. Option A is wrong because training alone is often insufficient; Option C is wrong because prohibiting sticky notes is hard to enforce; Option D is wrong because a longer password requirement does not address the underlying failure.

684 · Multi-Select · medium

Which TWO of the following are examples of administrative security controls? (Choose two.)

Select 2 answers
A. Intrusion detection system
B. Security awareness training
C. Firewall
D. Encryption
E. Background checks for employees
Answers: B, E

Training is an administrative control that educates users on security policies.

685 · MCQ · hard

An organization is implementing a new system that processes financial transactions. To reduce the risk of fraud, they ensure that no single individual can both initiate and approve a transaction. Which security principle is this?

A. Need to know
B. Separation of duties
C. Accountability
D. Least privilege
Answer: B

Correct. Initiation and approval are separate duties.

Why this answer

Separation of duties (SoD) is the security principle that prevents a single individual from having conflicting responsibilities, such as both initiating and approving a financial transaction. By splitting these tasks across different roles, the organization reduces the risk of fraud or error because collusion would be required to bypass controls. This is a core internal control mechanism in financial systems and aligns with the principle of dual control.

Exam trap

ISC2 often tests the distinction between 'separation of duties' and 'least privilege' by presenting a scenario where a user has too many permissions, tempting candidates to choose least privilege, but the core issue is the conflict of having both initiation and approval authority, not the amount of access.

How to eliminate wrong answers

Option A is wrong because 'need to know' restricts access to information based on job requirements, not the division of conflicting tasks. Option C is wrong because 'accountability' ensures actions can be traced to an individual, but does not inherently prevent a single person from performing both initiation and approval. Option D is wrong because 'least privilege' limits permissions to the minimum necessary for a role, but does not address the conflict of having both initiation and approval capabilities within the same role.

686 · MCQ · hard

A security analyst discovers that an organization's firewall rule set allows all inbound traffic on TCP port 443 from any source to a single web server. Additionally, the server has a known critical vulnerability in its TLS implementation. Which principle of security architecture is most directly violated by this configuration?

A. Least privilege
B. Defense in depth
C. Separation of duties
D. Fail-safe defaults
Answer: A

The rule allows any source, which is the broadest possible privilege, violating the principle of least privilege.

Why this answer

Least privilege requires restricting access to only what is necessary. Allowing inbound traffic from any source (0.0.0.0/0) violates least privilege because it is broader than necessary. Option A is correct.

Option B (defense in depth) would be violated if no other controls existed, but the question asks for the most direct violation. Option C (separation of duties) is about task division. Option D (fail-safe defaults) is about default deny.

687 · MCQ · easy

A company uses encryption to protect data at rest and in transit. This primarily addresses which aspect of the CIA triad?

A. Integrity
B. Authentication
C. Confidentiality
D. Availability
Answer: C

Correct. Encryption protects data confidentiality by making it unreadable to unauthorized parties.

Why this answer

Encryption prevents unauthorized access to data, thereby maintaining confidentiality. While encryption can support integrity, its primary role in this context is confidentiality.

688 · Matching · medium

Match each OSI layer to its function.


Data Link: frames and MAC addresses

Network: routing and IP addresses

Transport: end-to-end reliability

Application: user interface and protocols

Why these pairings

OSI model layers are referenced in network security.

689 · Multi-Select · medium

Which TWO actions are most effective in reducing the mean time to detect (MTTD) a security incident?

Select 2 answers
A. Requiring multi-factor authentication for all remote access
B. Implementing a SIEM with centralized logging from critical systems
C. Conducting annual security awareness training for all employees
D. Deploying endpoint detection and response (EDR) agents on all workstations
E. Standardizing firewall rules across all network segments
Answers: B, D

SIEM correlates events and alerts analysts, reducing detection time.

Why this answer

Option B is correct because a SIEM with centralized logging aggregates and correlates logs from critical systems, enabling real-time analysis and automated alerting. This drastically reduces MTTD by surfacing indicators of compromise (IoCs) within minutes rather than hours or days, as manual log review would require.

Exam trap

The trap here is that candidates confuse preventive controls (MFA, training, firewall rules) with detective controls, failing to recognize that only logging and monitoring tools directly reduce the time to detect an incident.

690 · MCQ · hard

A company’s disaster recovery plan specifies an RTO of 4 hours and an RPO of 1 hour for its critical database. The database is backed up every hour using incremental backups. After a catastrophic failure, restoration takes 3 hours, but the database must be rolled forward using transaction logs. The total time to make the database fully operational is 5 hours. Which statement is correct?

A. Both RTO and RPO are exceeded
B. RPO is exceeded but RTO is met
C. Both RTO and RPO are met
D. RTO is exceeded but RPO is likely met
Answer: D

Total recovery took 5 hours > RTO 4 hours; RPO is likely met because the backup was within 1 hour.

Why this answer

The RTO was exceeded (5 hours > 4 hours), but the RPO may still be met if the last backup was within 1 hour; the scenario does not indicate data loss beyond 1 hour.

691 · MCQ · medium

A security administrator is implementing controls to prevent a single employee from approving and disbursing payments. Which principle is being applied?

A. Need-to-know
B. Defense in depth
C. Least privilege
D. Separation of duties
Answer: D

Separation of duties prevents fraud by dividing critical functions.

Why this answer

Separation of duties ensures no single person can complete a high-risk action alone.

692 · MCQ · easy

You are the cybersecurity lead for a mid-sized retail company. One morning, employees report that they cannot access files on the shared drive, and a ransom note appears on several screens demanding $50,000 in Bitcoin. The company has a formal incident response plan that was last updated two years ago and has never been tested. Backups are taken nightly to an on-premises tape library and also replicated to a cloud storage service but have not been verified recently. The CEO is insisting on paying the ransom to avoid business disruption. Which of the following is the MOST appropriate first course of action?

A. Delete all infected files and rebuild the file server from scratch without involving backups.
B. Ignore the incident and continue operations, assuming it will resolve on its own.
C. Pay the ransom immediately to minimize downtime and recover data quickly.
D. Isolate the infected systems from the network, then restore data from the most recent verified backup.
Answer: D

Isolation stops the spread, and restoring from verified backups is the standard incident response procedure.

Why this answer

Option D is correct because the first priority in any ransomware incident is containment: isolating infected systems prevents lateral movement and further encryption. Restoring from the most recent verified backup ensures data integrity and avoids paying the ransom, which does not guarantee decryption and funds criminal activity. The incident response plan should then be activated and updated based on lessons learned.

Exam trap

ISC2 often tests the misconception that paying the ransom is the fastest way to recover data, but the correct answer emphasizes containment and verified backups as the primary incident response steps.

How to eliminate wrong answers

Option A is wrong because deleting infected files and rebuilding from scratch without involving backups discards all data, including potentially unencrypted files, and ignores the need for verified clean backups to restore operations. Option B is wrong because ignoring the incident allows ransomware to spread, encrypt more systems, and cause greater business disruption, violating basic incident response containment principles. Option C is wrong because paying the ransom does not guarantee decryption keys will be provided, encourages further attacks, and bypasses proper forensic investigation and recovery procedures.

693 · Multi-Select · hard

Which TWO of the following are examples of detective security controls? (Choose two.)

Select 2 answers
A. Data backup and restoration procedures.
B. Security logging and monitoring.
C. Intrusion detection system (IDS) alerts.
D. Encryption of sensitive data.
E. Firewall rules that block certain traffic.
Answers: B, C

Log analysis and monitoring detect incidents.

Why this answer

Security logging and monitoring (B) and intrusion detection system alerts (C) are detective controls. Encryption (D) and firewall rules (E) are preventive. Data backup and restoration (A) is corrective/recovery.

694 · MCQ · easy

Which of the following is a key function of a Security Information and Event Management (SIEM) system?

A. Blocking malicious network traffic
B. Correlating log data from multiple sources to identify security incidents
C. Enforcing password complexity requirements
D. Patching vulnerabilities in operating systems
Answer: B

Correct. Correlation is a core SIEM function.

Why this answer

SIEM aggregates and correlates logs from various sources to detect patterns and generate alerts.

695 · MCQ · medium

A company experiences a ransomware attack that encrypts all files on a server. Which security control would MOST effectively allow recovery without paying the ransom?

A. Firewall
B. Regular backups
C. Intrusion detection system
D. Antivirus software
Answer: B

Correct. Backups are the primary recovery mechanism against ransomware.

Why this answer

Regular backups enable restoration of encrypted data from a clean copy, bypassing the need to pay the ransom. Other controls help prevent or detect but do not directly facilitate recovery.

696 · Multi-Select · hard

Which THREE are valid methods for authenticating a user in an access control system?

Select 3 answers
A. User ID
B. Fingerprint scan
C. Password
D. Smart card
E. Access control list
Answers: B, C, D

A fingerprint scan is an inherence factor (something you are).

Why this answer

A fingerprint scan is a valid authentication method because it falls under 'something you are' (biometric authentication). In access control systems, biometrics like fingerprint scans provide a high level of assurance by verifying a unique physical characteristic of the user, making it a strong factor for authentication.

Exam trap

ISC2 often tests the distinction between identification (e.g., User ID) and authentication (e.g., password, biometric, smart card), and the trap here is that candidates mistakenly treat a User ID as an authentication factor rather than just an identifier.

697 · MCQ · easy

A company's primary data center is located in a region prone to hurricanes. The IT team is designing a disaster recovery plan to ensure critical applications resume within 4 hours of a declared disaster. Which of the following is the MOST appropriate recovery strategy?

A. Hot site with synchronous replication (RTO 1 hour, RPO near zero)
B. Colocation with tape backups shipped offsite (RTO 24 hours, RPO 24 hours)
C. Cold site with weekly full backups (RTO 48 hours, RPO 7 days)
D. Warm site with daily incremental backups (RTO 6 hours, RPO 4 hours)
Answer: A

Meets RTO and RPO requirements.

Why this answer

A hot site with synchronous replication is the most appropriate strategy because it provides an RTO of 1 hour (well within the 4-hour requirement) and an RPO near zero, ensuring critical applications resume quickly with minimal data loss. Synchronous replication writes data to both primary and replica storage simultaneously, so in a hurricane scenario, the hot site is fully operational and ready to take over immediately.

Exam trap

ISC2 often tests the distinction between RTO and RPO. The trap here is that candidates may choose a warm site (Option D) because its RTO of 6 hours seems close to 4 hours, overlooking that the achievable RTO must be less than or equal to the requirement; synchronous replication at a hot site is the only option that meets both the 4-hour RTO and a near-zero RPO for critical applications.

How to eliminate wrong answers

Option B is wrong because colocation with tape backups shipped offsite has an RTO of 24 hours and RPO of 24 hours, far exceeding the 4-hour RTO requirement, and tape restoration is slow and prone to media errors. Option C is wrong because a cold site with weekly full backups has an RTO of 48 hours and RPO of 7 days, meaning applications would be down for two days and up to a week of data could be lost, completely failing the 4-hour RTO. Option D is wrong because a warm site with daily incremental backups has an RTO of 6 hours, which exceeds the 4-hour requirement, and the RPO of 4 hours still risks losing up to 4 hours of transactions, whereas synchronous replication offers near-zero data loss.

698 · Multi-Select · medium

Which THREE are best practices for password management according to modern guidelines? (Select THREE.)

Select 3 answers
A. Enforce a minimum password length of 8 characters
B. Use a password manager to generate and store complex passwords
C. Require at least one uppercase, one lowercase, one digit, and one special character
D. Check passwords against lists of known compromised passwords
E. Require passwords to be changed every 30 days
Answers: A, B, D

Length is favored over complexity; 8+ is minimum.

Why this answer

Modern guidelines (NIST SP 800-63) recommend length over complexity, no frequent changes, and checking against breach lists.

699 · MCQ · hard

An organization has a legacy system that cannot be patched due to vendor end-of-life. Which compensating control is most effective at reducing the risk of exploitation via network-based attacks?

A. Increasing log retention for the system
B. Implementing strict password policies
C. Deploying a Web Application Firewall (WAF) in front of the system
D. Conducting regular security awareness training
Answer: C

Correct. A WAF can filter malicious traffic and mitigate attacks.

Why this answer

A Web Application Firewall (WAF) can block malicious traffic targeting known vulnerabilities, providing a layer of defense for unpatched systems.

700 · Multi-Select · hard

Which THREE of the following are best practices for securing a network firewall? (Select THREE.)

Select 3 answers
A. Disable unused services and ports
B. Allow all traffic by default and block specific threats
C. Implement rule change management and review
D. Place the firewall outside the network perimeter
E. Use strong, complex passwords for firewall administration
Answers: A, C, E

Reduces the attack surface.

Why this answer

Disabling unused services and ports reduces the attack surface by eliminating potential entry points for attackers. A firewall should only have necessary ports (e.g., TCP 80/443 for web traffic) open, as each open service represents a vector for exploitation. This aligns with the principle of least privilege and is a fundamental hardening step.

Exam trap

ISC2 often tests the misconception that a firewall should be placed outside the network perimeter for better visibility, but the correct placement is at the perimeter to filter traffic before it enters the internal network.

701 · MCQ · hard

After a security breach, investigators find that an attacker exploited a vulnerability in a publicly accessible application to gain access to internal databases. Which security principle would have most effectively limited the impact?

A. Accountability
B. Confidentiality
C. Defense in depth
D. Non-repudiation
Answer: C

Defense in depth would have layered controls (e.g., segmentation, IDS) to limit the attacker's lateral movement.

702 · Multi-Select · medium

Which two of the following are best practices to mitigate man-in-the-middle attacks? (Select TWO.)

Select 2 answers
A. Disable SSL/TLS on web servers
B. Use HTTPS with proper certificate validation
C. Use ARP spoofing detection tools
D. Implement a VPN for remote connections
E. Use Telnet for remote administration
Answers: B, D

HTTPS encrypts and validates server identity.

Why this answer

HTTPS with certificate validation ensures secure communication, and VPNs encrypt traffic between endpoints. Disabling encryption increases risk, and using Telnet sends data in cleartext.

703 · MCQ · hard

A network engineer wants to mitigate ARP spoofing attacks. Which of the following is the most effective technique?

A. Implement Dynamic ARP Inspection
B. Enable STP
C. Use static ARP entries
D. Disable ICMP
Answer: A

DAI uses the DHCP snooping binding table to validate ARP packets.

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets to prevent spoofing.

704 · Multi-Select · medium

Which THREE of the following are common mitigation techniques against Denial of Service (DoS) attacks?

Select 3 answers
A. Implementing rate limiting on servers
B. Disabling all firewall rules
C. Allowing all inbound traffic to avoid blocking legitimate users
D. Filtering traffic based on IP reputation
E. Using a Content Delivery Network (CDN) to absorb traffic
Answers: A, D, E

Rate limiting restricts the number of requests from a source.

Why this answer

DoS mitigation includes using DDoS protection services, rate limiting, and filtering traffic based on IP reputation.

705 · MCQ · medium

Refer to the exhibit. An administrator notices that external access to the MySQL database (port 3306) is blocked, but internal access should be allowed. What change should be made?

A. Change the DROP rule to ACCEPT for port 3306
B. Allow port 3306 in the FORWARD chain
C. Create a rule to allow traffic from internal IP range to port 3306
D. Remove the DROP rule for port 3306
Answer: C

A specific allow rule for internal IPs overrides the default DROP, enabling internal access.

Why this answer

The correct answer is C because the exhibit shows a DROP rule for port 3306 in the INPUT chain, which blocks all incoming traffic to the MySQL database. To allow internal access while keeping external access blocked, a specific rule must be added to ACCEPT traffic from the internal IP range to port 3306, placed before the DROP rule. This ensures that internal packets are matched first and permitted, while external packets hit the DROP rule and are rejected.

Simply modifying or removing the DROP rule would allow all traffic, violating the requirement to block external access.

Exam trap

ISC2 often tests the distinction between INPUT and FORWARD chains, and the trap here is that candidates mistakenly think adding a rule to the FORWARD chain will fix the issue, not realizing that traffic to the local MySQL service is processed by the INPUT chain.

How to eliminate wrong answers

Option A is wrong because changing the DROP rule to ACCEPT for port 3306 would allow all traffic (both internal and external) to the MySQL database, which violates the requirement to block external access. Option B is wrong because the FORWARD chain is used for traffic passing through the firewall, not for traffic destined to the local system; MySQL traffic arriving at the firewall's own interface is processed by the INPUT chain, not FORWARD. Option D is wrong because removing the DROP rule for port 3306 would remove the block entirely, allowing all traffic (including external) to reach the MySQL database, which does not meet the requirement to block external access.

706 · MCQ · hard

You are a forensic analyst responding to a reported compromise of a Linux web server. The server hosts a public-facing web application and is part of a DMZ. The initial investigation shows that unauthorized outbound connections were made to a known malicious IP address during the previous night. The server is still running and connected to the network, but the web application has been taken offline for maintenance. The incident response team wants to preserve evidence for potential legal action. You have a forensic workstation with tools like dd, netcat, and memory acquisition tools. Which of the following should be your FIRST step in the forensic acquisition process?

A. Create a bit-for-bit copy of the hard drive using dd and a write blocker.
B. Capture network traffic from the server for analysis.
C. Run a full antivirus scan to identify malware.
D. Capture the contents of volatile memory (RAM) using a memory acquisition tool.
Answer: D

Memory is most volatile and contains critical evidence.

Why this answer

Volatile memory (RAM) contains critical evidence such as running processes, network connections, encryption keys, and in-memory malware that would be lost when the system is powered off. In a forensic response, the order of volatility dictates that RAM must be captured first before any non-volatile data. Option D is correct because it follows the established forensic principle of preserving the most volatile data first.

Exam trap

ISC2 often tests the 'order of volatility' principle, and the trap here is that candidates mistakenly prioritize disk imaging (Option A) because it is a familiar step, ignoring that RAM holds the most ephemeral and critical evidence.

How to eliminate wrong answers

Option A is wrong because creating a bit-for-bit copy of the hard drive is important but should be done after volatile memory capture, as hard drive data is non-volatile and will not be lost on shutdown. Option B is wrong because capturing network traffic from the server is a live response step that can be performed after memory acquisition, but it is not the first priority since network traffic is also volatile but less critical than RAM contents. Option C is wrong because running an antivirus scan modifies the system state (e.g., file access times, writes to disk) and can destroy or alter evidence, violating forensic integrity.

707
MCQ · hard

A security engineer is designing a system that must ensure that any changes to a configuration file are logged with the identity of the person who made the change. Which principle is being implemented?

A. Accountability
B. Non-repudiation
C. Confidentiality
D. Integrity
Answer: B

Non-repudiation ensures that changes cannot be denied by the person who made them.

Why this answer

Non-repudiation provides proof of the identity of the person who performed an action, preventing denial. Option A (Accountability) is about tracking actions but not necessarily proving who performed them. Option D (Integrity) ensures that data is unchanged. Option C (Confidentiality) protects data from unauthorized access.

708
MCQ · easy

The exhibit shows the current iptables rules. Which security principle is most clearly enforced by the default policy?

A. Fail-safe defaults
B. Defense in depth
C. Separation of duties
D. Least privilege
Answer: A

The default drop policy ensures that any unapproved traffic is blocked, which is a fail-safe default.

Why this answer

The default policy is DROP on the INPUT chain, meaning any traffic not explicitly allowed is denied. This is the 'fail-safe defaults' or 'default deny' principle, so Option A is correct.

Option D (least privilege) is about minimal permissions, whereas the default policy is about the default action taken on unmatched traffic. Option C (separation of duties) is not shown. Option B (defense in depth) is not directly demonstrated.

709
Multi-Select · medium

An organization is choosing a backup strategy to minimize restore time. Which TWO backup types require only the most recent full backup and the latest differential backup to restore?

Select 1 answer
A. Full backup
B. Synthetic full backup
C. Incremental backup
D. Reverse incremental backup
E. Differential backup
Answers: E

Latest differential contains all changes since full.

Why this answer

Restoring from the most recent full backup plus the latest differential is fastest; an incremental chain requires every incremental taken since the full backup. So full + differential is correct.

710
MCQ · hard

A financial institution is implementing a new transaction approval process. The process requires that for any transaction over $10,000, two managers must approve: one from the sales department and one from the finance department. However, due to a system configuration error, a single manager can approve the entire transaction if they are logged in from a specific IP address. This error is discovered during a routine audit. Which security principle has been circumvented, and what is the best remediation?

A. Separation of duties; fix the configuration to require approvals from two different managers
B. Defense in depth; add a third approval for transactions over $50,000
C. Accountability; log all approvals and audit monthly
D. Least privilege; reduce the transaction limit to $5,000
Answer: A

This restores the intended segregation of duties.

Why this answer

Correct: separation of duties has been circumvented. The best remediation is to correct the configuration to require two distinct approvals (A). Option B is wrong because adding a third approval tier adds unnecessary complexity without fixing the flaw; Option C is wrong because logging and auditing do not fix the flaw; Option D is wrong because it ignores the requirement for approvals from two different departments.

711
Multi-Select · medium

A company is implementing a backup strategy. Which TWO of the following are characteristics of incremental backups? (Choose two.)

Select 2 answers
A. Backs up data changed since the last full backup
B. Fast restore process
C. Requires the least storage space of all backup types
D. Fast backup process
E. Backs up data changed since the last backup (any type)
Answers: D, E

Because only small changes are backed up.

Why this answer

Incremental backups back up data changed since the last backup (of any type), making them fast to perform but slow to restore because multiple backup sets may be needed.

712
MCQ · hard

Refer to the exhibit. A firewall rule set is shown (first match applies). An analyst reviews these rules. Which of the following best describes the traffic outcome for a packet from source IP 10.0.0.1 to destination 192.168.1.1?

A. The packet is permitted because the last rule permits any any.
B. The packet is denied because rule 1 matches and denies it.
C. The packet is permitted because rule 2 explicitly permits the traffic.
D. The packet is denied because there is no explicit permit for 10.0.0.0/8 to 192.168.1.0/24.
Answer: B

First-match logic: rule 1 matches and denies before rule 2 can permit.

Why this answer

Rule 1 matches the source IP 10.0.0.1 (which falls within the 10.0.0.0/8 range) and the destination 192.168.1.1 (within 192.168.1.0/24), and since the action is 'deny', the packet is denied immediately. Firewalls using 'first match applies' logic stop processing as soon as a matching rule is found, so subsequent rules are never evaluated. Therefore, the correct outcome is denial.

Exam trap

ISC2 often tests the 'first match applies' concept by placing a broad deny rule early in the rule set, leading candidates to incorrectly assume that a later permit rule will override it, when in fact the packet is denied immediately upon the first match.

How to eliminate wrong answers

Option A is wrong because the 'permit any any' rule is never reached; the packet is matched and denied by rule 1 before the last rule is evaluated. Option C is wrong because rule 2, even if it explicitly permits the traffic, is not evaluated since rule 1 already matched and denied the packet. Option D is wrong because the absence of an explicit permit for the specific source/destination pair is irrelevant; the packet is denied by an explicit deny rule (rule 1), not by a lack of a permit.

713
MCQ · easy

A company wants to allow remote employees to securely access internal resources over the internet. Which technology is most appropriate?

A. NAT
B. VLAN
C. DMZ
D. VPN
Answer: D

VPN provides secure remote connectivity.

Why this answer

A VPN (Virtual Private Network) creates an encrypted tunnel over the internet, typically using protocols like IPsec or TLS, to securely connect remote users to internal resources. This ensures confidentiality, integrity, and authentication of data in transit, making it the standard solution for remote access security.

Exam trap

ISC2 often tests the misconception that NAT or a DMZ alone can secure remote access, but candidates must recognize that only VPN provides the required encryption and tunneling for secure internet-based connectivity.

How to eliminate wrong answers

Option A (NAT) is wrong because Network Address Translation only modifies IP addresses in packet headers to enable private-to-public address mapping; it does not provide encryption or secure remote access. Option B (VLAN) is wrong because a Virtual LAN segments a local network at Layer 2 to isolate traffic within a switch, but it cannot extend secure connectivity across the internet. Option C (DMZ) is wrong because a Demilitarized Zone is a perimeter network that hosts public-facing services (e.g., web servers) while isolating them from the internal LAN; it does not create encrypted tunnels for remote users.

714
Multi-Select · medium

Which TWO of the following are essential elements of an incident response plan?

Select 2 answers
A. A list of compliance standards.
B. Personal phone numbers of executives.
C. Step-by-step procedures for each incident type.
D. Contact information for all employees.
E. Defined roles and responsibilities.
Answers: C, E

Provides guidance for consistent response.

Why this answer

Option C is correct because an incident response plan must include step-by-step procedures for each incident type to ensure consistent, repeatable actions during a security event. These procedures guide responders through detection, containment, eradication, and recovery phases, reducing errors and response time. Without predefined steps, teams risk ad-hoc actions that can worsen the incident or miss critical containment measures.

Exam trap

ISC2 often tests the distinction between 'essential operational elements' (like procedures and roles) and 'supporting documentation' (like compliance lists or full employee directories), causing candidates to mistake administrative details for core response components.

715
MCQ · medium

Which of the following controls is primarily designed to ensure availability?

A. Redundant servers
B. Encryption
C. Digital signatures
D. Access control lists
Answer: A

Redundant servers provide failover capability, maintaining availability.

Why this answer

Redundancy (e.g., backup servers, failover) ensures systems remain available even if one component fails.

716
MCQ · hard

An organization decides to implement an Intrusion Prevention System (IPS) to protect its network. Which statement about an IPS compared to an IDS is correct?

A. An IPS is placed inline and can automatically block malicious traffic.
B. An IPS is placed out of band and monitors traffic.
C. An IPS generates alerts but does not block traffic.
D. An IPS operates only at the application layer.
Answer: A

IPS can drop packets or reset connections in real time.

Why this answer

An IPS is inline and can actively block traffic, while an IDS is passive and only alerts.

717
Multi-Select · hard

Which TWO of the following are best practices for implementing the principle of least privilege?

Select 2 answers
A. Grant all users full administrative rights to reduce support calls
B. Assign permissions based on the minimum necessary to perform job functions
C. Use a single shared administrative account for all IT staff
D. Remove all default accounts from systems
E. Regularly review and revoke unnecessary privileges
Answers: B, E

This is the core of least privilege.

Why this answer

Options B and E are correct: assign minimal permissions and regularly review and revoke unnecessary privileges. Granting all users full administrative rights (A) violates least privilege. Using a single shared administrative account (C) destroys accountability. Removing default accounts (D) is good practice but is not directly an application of least privilege.

718
MCQ · hard

You are the network security lead for a medium-sized financial firm with 500 employees. The network consists of a core switch, distribution switches, and access switches. There are three main VLANs: VLAN 10 (Management - 192.168.10.0/24), VLAN 20 (Finance - 192.168.20.0/24), and VLAN 30 (Guest Wi-Fi - 192.168.30.0/24). The network uses a single firewall with three interfaces: inside (trusted), outside (untrusted), and DMZ. The firewall is configured with default-deny rules. Recently, the helpdesk reported that employees in the Finance VLAN cannot access a web-based accounting application hosted on a server at 10.0.0.5, which is in the DMZ. The server's default gateway is the firewall's DMZ interface (10.0.0.1). The accounting application runs on HTTPS (TCP 443). Employees in the Management VLAN can access the application without issue. You have verified that the Finance VLAN has connectivity to the firewall's inside interface (192.168.20.1). The firewall's inside interface has an IP of 192.168.20.1. There is no ACL on the inside interface. The firewall's DMZ interface has an ACL permitting TCP/443 from any to 10.0.0.5. The firewall's routing table shows a route to 10.0.0.0/24 via DMZ interface. What is the most likely cause of the issue?

A. The routing table on the firewall does not have a return route to the Finance subnet.
B. The firewall lacks a policy permitting traffic from the inside zone to the DMZ zone.
C. The DMZ ACL is blocking traffic from the Finance subnet because it only permits from Management subnet.
D. An ACL applied inbound on the inside interface is blocking Finance traffic but allowing Management traffic.
Answer: B

Firewall policies are zone-based; the inside-to-DMZ policy is missing, blocking Finance traffic.

Why this answer

The firewall uses a default-deny policy between zones. Even though the inside interface has no ACL and the DMZ ACL permits HTTPS from any source, the firewall still requires an explicit policy rule allowing traffic from the inside (Finance) zone to the DMZ zone. Without this policy, packets from VLAN 20 to the DMZ server are dropped by the firewall's stateful inspection engine, regardless of interface ACLs or routing.

Exam trap

ISC2 often tests the distinction between interface ACLs and zone-based firewall policies, trapping candidates into thinking that permissive ACLs alone allow traffic, when in fact a zone-pair policy is required for inter-zone communication.

How to eliminate wrong answers

Option A is wrong because the firewall's routing table already has a route to 10.0.0.0/24 via the DMZ interface, and the Finance VLAN can reach the inside interface; the issue is not a missing return route but a missing zone-based policy. Option C is wrong because the DMZ ACL permits TCP/443 from any to 10.0.0.5, so it does not restrict based on source subnet; the problem is not an ACL on the DMZ interface. Option D is wrong because the question explicitly states there is no ACL on the inside interface, so no inbound ACL is blocking Finance traffic while allowing Management traffic.

719
MCQ · medium

Refer to the exhibit. Based on the backup log, what is the most likely corrective action?

A. Reschedule the backup for a later time
B. Check network connectivity
C. Replace the tape drive
D. Add more storage space to the backup target
Answer: D

The explicit error is 'insufficient storage space', so adding space directly addresses the issue.

Why this answer

The final error indicates insufficient storage space. Adding more storage space to the backup target would resolve the issue. The earlier tape error may be a symptom of full storage.

720
Multi-Select · hard

An organization is conducting a risk assessment. Which THREE of the following are considered assets? (Select THREE)

Select 3 answers
A. Probability of a data breach
B. Customer database
C. Vulnerability in software
D. Firewall
E. Employee expertise
Answers: B, D, E

Correct. Data is an asset.

Why this answer

Assets are items of value to the organization, including data, hardware, and personnel.

721
MCQ · easy

Which incident category involves an attacker tricking an employee into revealing credentials?

A. Data breach
B. Social engineering
C. Malware
D. Denial of service
Answer: B

Social engineering exploits human psychology to gain access.

Why this answer

Social engineering includes phishing, pretexting, etc., to manipulate people.

722
MCQ · medium

A system administrator needs to grant a contractor temporary access to a server for patching. The contractor should only have access during the patching window. Which access control implementation method is most appropriate?

A. Time-based ACL (rule-based access control)
B. Group-based permissions with a recurring schedule
C. Discretionary access control (DAC)
D. Mandatory access control (MAC)
Answer: A

Time-based ACLs restrict access to specific time windows, ideal for temporary access.

Why this answer

Time-based ACLs (rule-based access control) allow the administrator to define a specific time range during which the contractor's access is permitted. This directly matches the requirement for temporary access only during the patching window, as the ACL can be configured with a time-range object that automatically enables and disables the permit statement without manual intervention.

Exam trap

ISC2 often tests the distinction between rule-based access control (RBAC) with time-based ACLs and group-based permissions, where candidates mistakenly choose group-based permissions because they think 'recurring schedule' implies time control, but group-based permissions lack the precise time-range enforcement at the network layer.

How to eliminate wrong answers

Option B is wrong because group-based permissions with a recurring schedule typically apply to user group memberships and do not provide the granular, time-bound enforcement at the network or system level that a time-based ACL offers. Option C is wrong because discretionary access control (DAC) allows the resource owner to grant permissions arbitrarily, which does not inherently enforce a time-limited access window. Option D is wrong because mandatory access control (MAC) uses system-wide labels and security clearances, which are static and not designed for temporary, time-based access exceptions.

723
MCQ · easy

An organization wants to ensure that data remains unaltered during transmission over the internet. Which security goal is being addressed?

A. Non-repudiation
B. Availability
C. Confidentiality
D. Integrity
Answer: D

Integrity ensures data is not altered during transmission.

Why this answer

Integrity ensures that data is not altered during transmission, typically verified through cryptographic hash functions (e.g., SHA-256) or message authentication codes (MACs) such as HMAC. Protocols like TLS use integrity checks to detect any unauthorized modification of packets in transit, directly addressing the requirement that data remains unaltered.

Exam trap

ISC2 often tests the distinction between confidentiality and integrity by presenting a scenario about data alteration, where candidates mistakenly choose confidentiality because they associate encryption with all security, ignoring that encryption alone does not prevent tampering.

How to eliminate wrong answers

Option A is wrong because non-repudiation prevents a party from denying an action, usually via digital signatures (e.g., RSA or ECDSA), not by ensuring data is unchanged during transit. Option B is wrong because availability ensures systems and data are accessible when needed, often through redundancy or DDoS mitigation, not by protecting against alteration. Option C is wrong because confidentiality protects data from unauthorized disclosure via encryption (e.g., AES), but does not guarantee that data has not been tampered with during transmission.

724
Multi-Select · medium

A security analyst is designing a multi-factor authentication system for remote access. Which TWO of the following combinations represent true multi-factor authentication? (Select TWO)

Select 2 answers
A. Smart card and OTP token
B. Fingerprint and password
C. Password and smart card
D. Fingerprint and retina scan
E. Password and PIN
Answers: B, C

Correct. Fingerprint (Type 3) and password (Type 1) are different factors.

Why this answer

Multi-factor requires at least two different types. A password (Type 1) and smart card (Type 2) are different factors. A fingerprint (Type 3) and password (Type 1) are also different factors.

725
MCQ · easy

Which metric defines the maximum acceptable amount of data loss measured in time?

A. Recovery Point Objective (RPO)
B. Mean Time Between Failures (MTBF)
C. Mean Time to Repair (MTTR)
D. Recovery Time Objective (RTO)
Answer: A

RPO defines the maximum data loss in terms of time.

Why this answer

The Recovery Point Objective (RPO) defines the maximum acceptable amount of data loss measured in time, typically expressed in seconds, minutes, or hours. It represents the age of the most recent backup or replicated data that must be available to resume operations after a disaster, directly determining the frequency of backups or replication intervals.

Exam trap

ISC2 often tests the distinction between RPO and RTO, where candidates confuse 'data loss' (RPO) with 'downtime' (RTO); the trap is that both are time-based metrics, but RPO is about how far back in time you can recover data, while RTO is about how long it takes to restore service.

How to eliminate wrong answers

Option B is wrong because Mean Time Between Failures (MTBF) measures the average time between system failures, not data loss; it is a reliability metric used for hardware or component failure prediction. Option C is wrong because Mean Time to Repair (MTTR) measures the average time required to restore a failed system or component, not the acceptable data loss window. Option D is wrong because Recovery Time Objective (RTO) defines the maximum acceptable downtime after a disaster, not the amount of data loss measured in time; RTO focuses on service restoration speed, while RPO focuses on data currency.

726
MCQ · easy

A security analyst notices unusual traffic from an internal workstation to an external IP address on port 25. Which protocol is most likely being used?

A. SMTP
B. FTP
C. DNS
D. HTTP
Answer: A

Correct. SMTP uses port 25 for email transmission.

Why this answer

Port 25 is the default port for SMTP (Simple Mail Transfer Protocol).

727
MCQ · easy

A SOC analyst notices that a large volume of outbound traffic is occurring from a single workstation to an external IP address known to be associated with a command-and-control server. What is the most likely conclusion?

A. The network is experiencing a denial of service attack
B. The user is streaming video from a blocked site
C. The workstation is performing a legitimate software update
D. The workstation is infected with malware that is beaconing to the attacker
Answer: D

C2 communication is a hallmark of malware infection.

Why this answer

The large volume of outbound traffic from a single workstation to a known command-and-control (C2) server is a classic indicator of malware beaconing. Beaconing involves the infected host periodically sending small packets or HTTP/HTTPS requests to the C2 server to receive instructions or exfiltrate data, which matches the observed behavior. This is distinct from legitimate traffic patterns because the destination IP is specifically associated with malicious activity.

Exam trap

ISC2 often tests the distinction between a single workstation's outbound traffic to a known malicious IP versus generic network anomalies like DoS or legitimate updates, trapping candidates who confuse high-volume traffic with beaconing or assume any outbound traffic to an external IP is benign.

How to eliminate wrong answers

Option A is wrong because a denial of service (DoS) attack typically involves a flood of traffic from multiple sources targeting a single victim, not a single workstation sending outbound traffic to a known C2 server. Option B is wrong because streaming video from a blocked site would generate sustained, high-bandwidth traffic to a content delivery network or streaming service, not to a known C2 server, and would not match the beaconing pattern of periodic, low-volume requests. Option C is wrong because a legitimate software update would connect to the vendor's official update servers (e.g., Microsoft, Adobe) over HTTPS, not to an external IP address known to be associated with a C2 server, and would not exhibit the suspicious, periodic beaconing behavior.

728
Multi-Select · medium

A security awareness trainer is developing material on USB drop attacks. Which TWO messages should be included in the training? (Choose two.)

Select 2 answers
A. Use the USB drive only on a non-networked computer.
B. Never plug in a USB drive that you found lying around.
C. Always scan a found USB drive with antivirus before using.
D. Report any discovered USB drives to the security team.
E. Format the USB drive before using it.
Answers: B, D

Unknown USB drives can contain malicious software.

Why this answer

Users should not plug in unknown USB drives as they may contain malware, and they should report found drives to security for safe handling.

729
MCQ · hard

Refer to the exhibit. Based on the JSON policy, what access does the SecurityAuditor role have?

A. No access to any S3 resources.
B. Read-only access to all objects in the critical-data bucket.
C. Write access to the critical-data bucket.
D. Full access to the S3 bucket critical-data.
Answer: B

GetObject grants read access.

Why this answer

The JSON policy grants the SecurityAuditor role the `s3:GetObject` action on the `arn:aws:s3:::critical-data/*` resource, which provides read-only access to all objects in the critical-data bucket. The `Effect` is set to `Allow`, and no other actions like `s3:PutObject` or `s3:DeleteObject` are included, so the role cannot write or delete objects. This matches the correct answer B.

Exam trap

ISC2 often tests the distinction between bucket-level and object-level permissions, where candidates mistakenly assume that `s3:GetObject` on `/*` implies full access or write capabilities, but it only grants read access to objects.

How to eliminate wrong answers

Option A is wrong because the policy explicitly allows `s3:GetObject` on the critical-data bucket, so the role does have access to S3 resources. Option C is wrong because the policy does not include any write actions such as `s3:PutObject` or `s3:DeleteObject`, so write access is not granted. Option D is wrong because the policy only allows `s3:GetObject`, not full access (which would require actions like `s3:*` or `s3:PutObject`, `s3:DeleteObject`, `s3:ListBucket`, etc.).

730
MCQ · hard

During a disaster recovery test, an organization uses a warm site. The site has partially configured servers and network infrastructure but lacks recent data. The recovery team expects to have the system operational within 2 days. Which recovery metric is most directly addressed by the warm site's capabilities?

A. Recovery Point Objective (RPO)
B. Recovery Time Objective (RTO)
C. Maximum Tolerable Downtime (MTD)
D. Work Recovery Time (WRT)
Answer: B

RTO is the targeted time to restore operations; a warm site with 2-day recovery aligns with an RTO of days.

Why this answer

A warm site typically has hardware and partial configuration, allowing recovery in days. This directly impacts the recovery time objective (RTO), which is the target time for restoring systems and data.

731
MCQ · hard

A security analyst reviews this firewall configuration. Which potential security issue exists?

A. Logging is not enabled at session start
B. Outbound traffic is not inspected for malicious content
C. The source is too restrictive
D. The policy does not specify a destination
Answer: B

SSL traffic is permitted without decryption or inspection.

Why this answer

Option B is correct because the firewall configuration shown only inspects inbound traffic (from the internet to the internal network) but does not apply any inspection to outbound traffic. Without outbound inspection, malicious content such as malware command-and-control traffic or data exfiltration can leave the network undetected. A security analyst should ensure that both inbound and outbound traffic are inspected for malicious content to provide comprehensive threat protection.

Exam trap

ISC2 often tests the misconception that only inbound traffic needs inspection because threats come from the internet, but the trap is that outbound traffic can carry malicious payloads or exfiltrate data, making outbound inspection equally important for a defense-in-depth strategy.

How to eliminate wrong answers

Option A is wrong because logging at session start is not a mandatory security requirement; logging at session end is typically sufficient for auditing and troubleshooting, and the absence of session-start logging does not represent a security issue. Option C is wrong because the source being too restrictive would actually reduce the attack surface, not create a security issue; overly permissive sources are the concern. Option D is wrong because the policy does specify a destination (the internal network), and a missing destination would cause the policy to fail to match traffic, not create a security issue.

732
MCQ · medium

Your organization is implementing a new access control system to protect a highly sensitive research database. The security policy mandates that no single individual should have the ability to both approve and execute changes to the database. This is to prevent fraud and errors. Which security principle does this policy enforce, and which of the following best implements it?

A. Defense in depth; require both parties to authenticate
B. Accountability; log all changes and have an auditor review them
C. Separation of duties; require that one person submits a change request and another person implements it
D. Least privilege; assign the same person as approver and executor but with limited permissions
Answer: C

This ensures no single individual has complete control over the entire process.

Why this answer

Correct: separation of duties; requiring two different people for approval and execution (C). Option D is wrong because it gives one person both roles; Option A is wrong because requiring both parties to authenticate still leaves the roles combined in one process; Option B is wrong because an auditor reviewing logs after the fact does not prevent one person from both approving and executing changes.

733
MCQ · medium

You are a security engineer responsible for the company's intrusion detection system (IDS). The IDS has been generating an excessive number of false positive alerts related to a legitimate application that uses encrypted traffic. The alerts are based on network signatures that match certain patterns in the encrypted payload. The volume of alerts is overwhelming the SOC team, and they are beginning to ignore IDS alerts altogether. You have the ability to modify IDS signatures and tune the system. Which of the following is the BEST approach to reduce false positives while maintaining security?

A. Create custom exceptions for the specific signatures that are causing false positives for the legitimate application.
B. Add the application's source IP addresses to a whitelist to suppress all alerts from that host.
C. Increase the threshold for alert generation so fewer alerts fire.
D. Disable all signatures that trigger on encrypted traffic.
Answer: A

This targeted approach reduces false positives while retaining overall detection capability.

Why this answer

Option A is correct because creating custom exceptions for the specific signatures that trigger false positives allows you to suppress alerts for the legitimate application without disabling broader detection capabilities. This targeted approach preserves the IDS's ability to detect actual threats in encrypted traffic while reducing noise for the SOC team. It is the most precise tuning method, as it only excludes the known benign traffic pattern rather than broadly disabling signatures or whitelisting entire hosts.

Exam trap

The trap here is that candidates often choose IP whitelisting (Option B) because it seems quick and easy, but ISC2 tests the understanding that whitelisting entire hosts is overly broad and can hide malicious activity from the same source, whereas signature-specific exceptions are the correct, surgical tuning method.

How to eliminate wrong answers

Option B is wrong because whitelisting the application's source IP addresses suppresses all alerts from that host, including those for potentially malicious activity that might originate from the same IP (e.g., if the host is compromised or used for lateral movement). This creates a dangerous blind spot. Option C is wrong because increasing the alert threshold reduces the sensitivity of the IDS globally, which can cause true positive alerts for real threats to be missed, especially in low-volume attacks. Option D is wrong because disabling all signatures that trigger on encrypted traffic eliminates the IDS's ability to detect threats that use encryption (e.g., malware C2 over TLS), which is a common evasion technique and would severely weaken security posture.

734
MCQ · hard

A security architect is designing a system that must ensure that a sender cannot later deny having sent a message. Which cryptographic mechanism should be implemented?

A. Symmetric encryption
B. Access control lists
C. Hashing
D. Digital signatures
Answer: D

Correct. Digital signatures ensure non-repudiation of origin.

Why this answer

Digital signatures provide non-repudiation by binding the sender's identity to the message using public key cryptography: the signature is computed over a hash of the message with the sender's private key and can be verified by anyone holding the corresponding public key. Because only the sender holds the private key, a valid signature is evidence that the sender produced the message, so the sender cannot credibly deny having sent it. Hashing alone proves integrity but not origin, and a symmetric MAC cannot provide non-repudiation because the verifier holds the same key and could have produced the tag.
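The contrast above, as an added example that is not part of the original question set: a textbook RSA signature over a SHA-256 digest next to an HMAC. The RSA here is deliberately simplified (no padding, a 512-bit modulus so the demo runs quickly) and is for illustration only; real systems use Ed25519 or RSA-PSS from a vetted library. The functions, key sizes and messages are all assumptions made for the demo.

```python
"""Why a digital signature gives non-repudiation and a shared-secret MAC does not.

Textbook RSA over a SHA-256 digest with no padding. Illustration only: never use
this for real systems (use Ed25519 or RSA-PSS from a vetted library instead).
"""
import hashlib
import hmac
import math
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square root of 1 found: composite
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full bit length
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 512):
    """Return ((n, e), (n, d)). 512 bits keeps the demo fast; real keys are >= 2048 bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p == q:
            continue
        n, phi = p * q, (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            return (n, e), (n, pow(e, -1, phi))


def _digest_int(message: bytes) -> int:
    # SHA-256 is 256 bits, so the digest is always smaller than the 512-bit modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def rsa_sign(private_key, message: bytes) -> int:
    """Only the holder of d can produce this value: signature = H(m)^d mod n."""
    n, d = private_key
    return pow(_digest_int(message), d, n)


def rsa_verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check the signature without learning d."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message)


def hmac_tag(shared_key: bytes, message: bytes) -> bytes:
    """MAC: integrity and authenticity between two parties that share the key."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def hmac_check(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(shared_key, message), tag)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    msg = b"Transfer 500 EUR to account 42"  # constructed sample message
    sig = rsa_sign(priv, msg)
    print("signature verifies:", rsa_verify(pub, msg, sig))
    print("tampered message verifies:", rsa_verify(pub, msg + b"0", sig))
    # The receiver holds the same HMAC key, so it can mint a tag for a message the
    # sender never sent; that is why a MAC cannot prove origin to a third party.
    key = b"key shared by sender and receiver"
    forged = b"I never sent this"
    print("receiver-forged HMAC verifies:", hmac_check(key, forged, hmac_tag(key, forged)))
```

The last line of the demo is the point of the question: a MAC tag proves only that someone holding the shared key produced it, and the receiver is one of those people, whereas the RSA signature can only have come from the holder of d.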

735
MCQmedium

Which component of the AAA framework determines what resources an authenticated user can access?

A.Auditing
B.Accounting
C.Authorization
D.Authentication
AnswerC

Authorization determines access rights.

Why this answer

Authorization is the component of the AAA (Authentication, Authorization, Accounting) framework that determines what resources an authenticated user can access. After authentication verifies the user's identity, authorization enforces policies—such as those defined in a local database or via RADIUS/TACACS+—to permit or deny access to specific network services, commands, or resources.

Exam trap

ISC2 often tests the distinction between authentication and authorization by presenting a scenario where a user is successfully logged in but cannot access a resource, and candidates mistakenly blame authentication instead of recognizing that authorization is the missing step.

How to eliminate wrong answers

Option A is wrong because auditing is not a separate AAA component; it is often part of accounting or logging, and it reviews past actions rather than controlling real-time access. Option B is wrong because accounting tracks and logs user activities (e.g., session time, data transfer) for billing or auditing, but it does not decide what resources a user can access. Option D is wrong because authentication only verifies identity (e.g., via username/password, certificate, or token) and does not grant or deny access to specific resources.

736
MCQeasy

Which principle ensures that users are granted only the minimum permissions necessary to perform their job functions?

A.Defense in depth
B.Least privilege
C.Separation of duties
D.Need-to-know
AnswerB

Least privilege grants only the minimum permissions needed.

Why this answer

Least privilege limits permissions to the minimum required, reducing the blast radius of a compromise.

737
MCQhard

An organization's security policy requires that all network traffic logs be retained for at least one year. The SIEM system is running low on storage, and the administrator must decide which data to archive first. Which data set is the least critical for ongoing security monitoring and can be archived earliest?

A.Intrusion detection system alerts
B.DNS query logs from internal DNS servers
C.Firewall deny logs
D.Authentication logs from domain controllers
AnswerB

DNS logs are less frequently used for real-time security monitoring and can be archived with lower priority.

Why this answer

DNS query logs from internal DNS servers are the least critical for ongoing security monitoring because they primarily contain name resolution requests, which are high-volume and low-signal data. While they can be useful for threat hunting or forensic analysis of malware command-and-control (C2) traffic, they are not essential for real-time alerting or immediate incident response. Archiving them first preserves storage for more actionable logs like IDS alerts, firewall denies, and authentication failures.

Exam trap

ISC2 often tests the misconception that DNS logs are critical for security monitoring because they can reveal C2 traffic, but the trap is that they are high-volume, low-signal data best suited for archival after more immediate security event sources are preserved.

How to eliminate wrong answers

Option A is wrong because intrusion detection system alerts are high-priority, actionable events that directly indicate potential security incidents; archiving them first would blind the SOC to ongoing attacks. Option C is wrong because firewall deny logs are critical for identifying reconnaissance scans, policy violations, and attempted breaches; they are often used in real-time correlation and incident triage. Option D is wrong because authentication logs from domain controllers are essential for detecting brute-force attacks, credential theft, and account compromise; they are a primary source for identity-based threat detection and compliance auditing.

738
Multi-Selecthard

An organization experiences a data breach involving personally identifiable information (PII) of European Union residents. According to GDPR, which THREE of the following are required actions?

Select 3 answers
A.Document the breach, its effects, and the remedial actions taken.
B.Restore all affected systems from the latest full backup.
C.Communicate the breach to affected data subjects without undue delay if it poses a risk to their rights and freedoms.
D.Conduct a Business Impact Analysis (BIA) to determine the financial impact.
E.Notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
AnswersA, C, E

Correct. GDPR requires documentation of all breaches.

Why this answer

GDPR requires notification to the supervisory authority within 72 hours, communication to affected data subjects without undue delay, and documentation of the breach. Conducting a BIA is not a GDPR breach notification requirement, and restoring systems is part of recovery but not a specific GDPR requirement.

739
MCQmedium

Which of the following is classified as sensitive PII?

A.Medical records
B.Email address
C.Telephone number
D.Date of birth
AnswerA

Medical records are sensitive PII due to privacy laws.

Why this answer

Sensitive PII includes medical and health records, financial account data, biometrics, and government identifiers, whose disclosure can cause significant harm and which privacy laws protect specially (health data is a special category under GDPR, for example). Email addresses, telephone numbers, and dates of birth are PII but are generally not classed as sensitive on their own.

740
MCQmedium

A network administrator needs to allow secure remote access for teleworkers. Which VPN protocol provides the best confidentiality and integrity while using a single UDP port?

A.PPTP
B.SSL/TLS (OpenVPN)
C.L2TP/IPsec
D.IKEv2
AnswerB

OpenVPN uses a single UDP port and provides strong encryption.

Why this answer

SSL/TLS (OpenVPN) is correct because it provides robust confidentiality and integrity through TLS-negotiated keys and an authenticated data channel (e.g., AES-256-GCM, or a block cipher combined with HMAC), while operating over a single UDP port (1194 by default). This makes it ideal for teleworkers, as one UDP port traverses NAT and firewalls easily, unlike protocols that require multiple ports or IPsec's combination of UDP ports and separate IP protocols.

Exam trap

ISC2 often tests the misconception that L2TP/IPsec is the best for secure remote access because it is commonly used in site-to-site VPNs, but the key constraint here is 'single UDP port,' which eliminates L2TP/IPsec and IKEv2, and PPTP is insecure.

How to eliminate wrong answers

Option A (PPTP) is wrong because it uses MPPE for encryption, which is based on RC4 and is considered weak, and it does not provide strong integrity (no HMAC); it also uses TCP port 1723 and GRE protocol 47, not a single UDP port. Option C (L2TP/IPsec) is wrong because it requires two UDP ports (500 for IKE and 4500 for NAT-T) plus ESP (protocol 50) or AH, and while it offers strong security, it does not use a single UDP port. Option D (IKEv2) is wrong because it uses UDP ports 500 and 4500 for IKE and ESP for data, and although it can be efficient, it does not operate over a single UDP port; it also typically requires IPsec for encryption, not a standalone VPN protocol on one port.

741
MCQhard

An organization requires that two separate administrators approve and implement changes to firewall rules. This practice enforces which security principle?

A.Least privilege
B.Defense in depth
C.Need to know
D.Separation of duties
AnswerD

Requiring two administrators to approve changes is a classic example of separation of duties.

Why this answer

Requiring two separate administrators to approve and implement firewall rule changes enforces separation of duties. This principle ensures that no single individual has the authority to both authorize and execute a change, reducing the risk of unauthorized modifications or errors. In firewall management, this prevents a single admin from introducing malicious or misconfigured rules without oversight.

Exam trap

ISC2 often tests separation of duties by describing a scenario involving multiple people for a single task, and the trap is confusing it with least privilege, which focuses on limiting permissions rather than splitting responsibilities.

How to eliminate wrong answers

Option A is wrong because least privilege restricts user access rights to the minimum necessary for their role, but it does not require multiple approvals for a single action. Option B is wrong because defense in depth involves multiple layers of security controls (e.g., firewalls, IDS, encryption), not administrative approval workflows. Option C is wrong because need to know limits access to information based on job requirements, not the process of approving changes.

742
MCQeasy

An organization implements a policy where users must swipe their ID card and enter a PIN to access a secure room. This is an example of which access control principle?

A.Biometric authentication
B.Single-factor authentication
C.Multifactor authentication
D.Role-based access control
AnswerC

Two factors: card (possession) and PIN (knowledge).

Why this answer

Option C is correct because the policy requires two distinct factors: something you have (the ID card) and something you know (the PIN). This combination of multiple authentication factors from different categories is the defining characteristic of multifactor authentication (MFA).

Exam trap

ISC2 often tests the distinction between authentication factors and authorization models, so the trap here is confusing multifactor authentication (which is about verifying identity) with role-based access control (which is about granting permissions after identity is verified).

How to eliminate wrong answers

Option A is wrong because biometric authentication relies on unique physical characteristics like fingerprints or iris scans, not on possession of an ID card or knowledge of a PIN. Option B is wrong because single-factor authentication uses only one type of credential, whereas this scenario uses two distinct factors. Option D is wrong because role-based access control (RBAC) governs authorization based on job roles, not the authentication method used to verify identity.

743
MCQeasy

Refer to the exhibit. The security principle demonstrated by the default policy is:

A.Separation of duties
B.Defense in depth
C.Need to know
D.Least privilege
AnswerD

Default deny restricts access to only what is explicitly allowed, embodying least privilege.

Why this answer

Correct: D - Least privilege. The default DROP policy denies all traffic by default and allows only explicitly permitted services, which follows the principle of least privilege. Options A, B, and C do not describe default deny.

744
MCQmedium

A security policy requires that all changes to a production system go through a formal change management process with approval from a change control board. This is an example of which security principle?

A.Least privilege
B.Governance
C.Defense in depth
D.Separation of duties
AnswerB

Correct. The structured approval board and process exemplify security governance.

Why this answer

Governance involves establishing policies, processes, and oversight to ensure security aligns with business objectives. The formal change management process is a governance mechanism.

745
MCQeasy

Refer to the exhibit. A user with this policy tries to list objects in bucket1 but gets an access denied error. What is the most likely reason?

A.The policy does not grant s3:ListBucket permission
B.The resource ARN should include the bucket itself
C.The effect should be Deny
D.The user lacks encryption keys
AnswerA

Listing objects requires the ListBucket action, which is not included.

Why this answer

The policy shown grants s3:GetObject permission, which allows reading individual objects, but does not include s3:ListBucket permission. Listing objects in a bucket requires the s3:ListBucket action on the bucket resource. Without this permission, the user receives an access denied error when attempting to list objects, even if they can read objects directly.

Exam trap

ISC2 often tests the distinction between bucket-level and object-level S3 permissions, trapping candidates who assume that granting GetObject on objects automatically allows listing the bucket.

How to eliminate wrong answers

Option B is wrong as the most likely cause, although it points at a real detail: arn:aws:s3:::bucket1/* denotes the objects in the bucket, not the bucket itself, and s3:ListBucket must be granted on the bucket ARN arn:aws:s3:::bucket1. Changing the resource alone would not help, because the policy still lists no s3:ListBucket action; the missing action is the core issue, and a complete fix adds both the action and the bucket-level resource. Option C is wrong because changing the effect to Deny would explicitly block access rather than resolve the error; the policy's Allow effect is correct for granting permissions. Option D is wrong because encryption keys are unrelated to listing a bucket; the error comes from the missing IAM permission, not from key access.
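The exhibit itself is not reproduced on this page, so the following added example (not part of the original question set) reconstructs the policy from the explanation, a single Allow for s3:GetObject on arn:aws:s3:::bucket1/*, and runs it through a small evaluator implementing the part of IAM logic that matters here: wildcard matching of Action and Resource, explicit Deny overriding Allow, and implicit deny otherwise. Conditions, NotAction, resource policies and SCPs are left out, and the policy documents and request ARNs are constructed for the demo.

```python
"""Mini IAM identity-policy evaluator: Action/Resource wildcards, explicit Deny
wins, implicit deny otherwise. Simplified: no Condition, NotAction, resource
policies, permission boundaries or SCPs.
"""
import re

# Reconstructed from the explanation: object-level read only (constructed, not the exhibit).
OBJECT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket1/*"},
    ],
}

# A tempting but wrong fix: adding the action but keeping only the object ARN.
LISTBUCKET_ON_OBJECT_ARN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::bucket1/*"},
    ],
}

# Listing is a bucket-level action: s3:ListBucket on the bucket ARN without /*.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket1/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket1"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow' or 'Deny' for one request against one identity policy."""
    decision = "Deny"  # implicit deny unless some Allow statement matches
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ARNs are compared as written.
        action_hit = any(_matches(a.lower(), action.lower()) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins, whatever else allows
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::bucket1/reports/q3.csv"
    bucket = "arn:aws:s3:::bucket1"
    for name, pol in [("object-only", OBJECT_ONLY_POLICY),
                      ("ListBucket on object ARN", LISTBUCKET_ON_OBJECT_ARN_POLICY),
                      ("corrected", CORRECTED_POLICY)]:
        print(f"{name:26} GetObject={evaluate(pol, 's3:GetObject', obj):5} "
              f"ListBucket={evaluate(pol, 's3:ListBucket', bucket)}")
```

Running it shows the three cases from the explanation: the original policy allows GetObject but denies ListBucket; adding the action on the object ARN still denies, because ListBucket is evaluated against the bucket ARN, which the /* pattern does not match; only the corrected policy allows both.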

746
MCQhard

A small e-commerce company hosts its web application on a single server with a public IP address. The server runs a Linux OS with Apache, MySQL, and PHP. The company recently experienced a data breach where an attacker gained access to the customer database. The investigation reveals that the attacker exploited a vulnerability in the PHP application to execute arbitrary commands. The server logs show that the attacker used an unauthenticated HTTP POST request to a legacy script that should have been removed. Additionally, the server had default firewall rules allowing all inbound traffic on ports 80 and 443. The company wants to prevent future breaches without redesigning the entire application. Which course of action is the most effective?

A.Move the database to a separate internal server and require VPN access for administration.
B.Upgrade the PHP version to the latest release and enable SELinux.
C.Remove the legacy script and update the firewall to block all traffic except necessary IPs.
D.Implement a web application firewall (WAF) with virtual patching for the vulnerability.
AnswerD

A WAF can block the exploit and similar attacks without requiring code changes, providing immediate protection.

Why this answer

Option D is the most effective because it provides immediate protection against the exploited vulnerability without requiring application redesign. A WAF with virtual patching can inspect HTTP POST requests to the legacy script and block malicious payloads even while the underlying code remains vulnerable. It is a compensating control rather than a root-cause fix: it closes the exploit path at the application layer, keeps the company operating, and buys time to remove the legacy script and plan a permanent fix.

Exam trap

ISC2 often tests the misconception that removing the vulnerable component (Option C) is sufficient, but the trap is that the question asks for preventing future breaches without redesigning the entire application, meaning a WAF provides ongoing protection against similar exploits in other parts of the application, whereas simply removing one script leaves other potential vulnerabilities unaddressed.

How to eliminate wrong answers

Option A is wrong because moving the database to a separate server and requiring VPN for administration does not prevent the attacker from exploiting the PHP application vulnerability to execute commands on the web server, which could still lead to database access via the application's credentials. Option B is wrong because upgrading PHP and enabling SELinux may reduce the attack surface but does not directly block the specific unauthenticated POST request to the legacy script; SELinux can restrict process capabilities but does not filter HTTP traffic. Option C is wrong because removing the legacy script and updating the firewall to block all traffic except necessary IPs is reactive and does not protect against future zero-day vulnerabilities or similar exploits in other scripts; the firewall only controls network-level access, not application-layer attacks.

747
MCQmedium

A security analyst observes the log entries on an SSH server as shown. What is the most likely type of attack in progress?

A.Dictionary attack
B.Privilege escalation
C.Brute-force attack
D.Denial-of-service (DoS) attack
AnswerC

Multiple rapid failures from the same IP indicate an automated brute-force attempt to guess the password.

Why this answer

Option C is correct because repeated failed password attempts for the same account (root) from the same IP in rapid succession are characteristic of a brute-force attack. A dictionary attack (A) is a form of brute force that works from a list of likely passwords; the log does not show which passwords were tried, so the more general label, brute force, is the best answer. Privilege escalation (B) is wrong because the attacker has not authenticated at all; guessing the root password is an attempt to gain access, not to escalate it. Denial of service (D) is wrong because the goal is access rather than exhausting the service, even if the attempts add some load.
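The exhibit is not reproduced on the page, so the added example below (not part of the original question set) constructs a few sshd lines in the usual Linux syslog format and runs the detection logic an analyst or SIEM rule would apply: count failed password attempts per source IP inside a sliding time window and flag the source when the count crosses a threshold. The sample log lines, the threshold of five failures in sixty seconds, and the spray-versus-targeted heuristic are all assumptions made for the demo.

```python
"""Sliding-window brute-force detector over sshd authentication log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from a real host). 203.0.113.45 hammers root in
# seconds; 198.51.100.20 is a user mistyping a password a few minutes apart.
SAMPLE_LOG = """\
Mar  9 10:15:01 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51220 ssh2
Mar  9 10:15:02 web01 sshd[2203]: Failed password for root from 203.0.113.45 port 51224 ssh2
Mar  9 10:15:02 web01 sshd[2205]: Failed password for root from 203.0.113.45 port 51226 ssh2
Mar  9 10:15:03 web01 sshd[2207]: Failed password for root from 203.0.113.45 port 51230 ssh2
Mar  9 10:15:04 web01 sshd[2209]: Failed password for root from 203.0.113.45 port 51233 ssh2
Mar  9 10:15:04 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51235 ssh2
Mar  9 10:15:05 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Mar  9 10:15:06 web01 sshd[2215]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
Mar  9 10:16:30 web01 sshd[2230]: Failed password for alice from 198.51.100.20 port 40200 ssh2
Mar  9 10:20:12 web01 sshd[2290]: Failed password for alice from 198.51.100.20 port 40211 ssh2
"""

# 'invalid user' appears when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text: str):
    """Yield (timestamp, source_ip, username) for every failed password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # Syslog pads single-digit days with a space; collapse it before parsing.
            ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag source IPs with >= threshold failures inside any window_seconds span."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    accounts = defaultdict(set)   # ip -> usernames targeted
    flagged = {}
    for ts, ip, user in parse_failures(log_text):
        window = recent[ip]
        window.append(ts)
        accounts[ip].add(user)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that have aged out of the window
        if len(window) >= threshold:
            flagged[ip] = {"failures_in_window": len(window), "accounts": sorted(accounts[ip])}
    return flagged


def classify(accounts) -> str:
    """Rough triage hint: many accounts from one source suggests password spraying."""
    return "password spraying" if len(accounts) > 3 else "brute force against few accounts"


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info, "->", classify(info["accounts"]))
```

With the defaults only 203.0.113.45 is flagged (seven failures in five seconds against root and admin); the two failures from 198.51.100.20 are minutes apart and stay below the threshold. Lowering the threshold or widening the window, as the second check in the test does, shows how tuning trades missed slow attacks against noise from ordinary typos.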

748
Multi-Selecthard

A security engineer is designing a patch management process. Which TWO steps are part of the standard patch lifecycle? (Select TWO)

Select 2 answers
A.Vulnerability disclosure by researcher
B.Decommissioning the vulnerable system
C.Testing the patch in a staging environment
D.Deploying the patch to production systems after approval
E.Immediately deploying patches to all systems
AnswersC, D

Correct. Testing ensures patches don't break functionality.

Why this answer

The patch lifecycle includes testing in a staging environment and deploying to production after approval.

749
MCQhard

A security analyst notices that system logs are being overwritten before the retention period ends. What is the most likely cause?

A.Malware is deleting logs
B.SIEM is consuming logs too quickly
C.Log rotation settings are misconfigured
D.Disk space is insufficient
AnswerC

Improper rotation settings (e.g., small file size) cause early overwriting.

Why this answer

Option C is correct because misconfigured log rotation settings (for example, rotating on a small file size or keeping too few rotated copies) cause logs to be overwritten before the retention period ends. Option D is wrong because insufficient disk space typically causes logging to fail or stall rather than to overwrite older entries in a regular pattern. Option A is possible but less likely than a configuration error, and malware clearing logs usually leaves gaps or missing files rather than a consistent early-rotation pattern. Option B is wrong because SIEM consumption reads or receives copies of the logs; it does not overwrite the local files.

750
Multi-Selecteasy

Which TWO are key outputs of a Business Impact Analysis (BIA)?

Select 2 answers
A.List of critical business processes
B.Password policy
C.Network diagram
D.Risk register
E.Recovery Time Objectives
AnswersA, E

BIA identifies and prioritizes critical processes.

Why this answer

BIA identifies critical business processes and determines their recovery requirements, such as Recovery Time Objectives (RTO).
