ISC2 Certified in Cybersecurity CC (CC) — Questions 826–900

984 questions total · 14 pages · All types, answers revealed

Page 12 of 14
826 · MCQ · hard

In a MAC environment implementing Bell-LaPadula, a subject with Secret clearance attempts to read an object classified as Confidential and write to an object classified as Top Secret. Which operations are permitted?

A. Read denied, write allowed
B. Both read and write allowed
C. Read allowed, write denied
D. Both read and write denied

Answer: B

Read down (Secret→Confidential) and write up (Secret→Top Secret) are both permitted.

Why this answer

In Bell-LaPadula, the Simple Security Property (no read up) prevents a subject from reading an object at a higher classification, but reading down is allowed. The *-Property (no write down) prevents writing to a lower classification, but writing up is allowed. Since the subject has Secret clearance, reading Confidential (lower) is permitted, and writing to Top Secret (higher) is permitted, so both operations are allowed.

Exam trap

ISC2 often tests the misconception that both read and write must be at the same clearance level, but Bell-LaPadula actually allows reading down and writing up, not the reverse.

How to eliminate wrong answers

Option A is wrong because it claims read is denied, but reading down (Secret reading Confidential) is allowed by the Simple Security Property. Option C is wrong because it claims write is denied, but writing up (Secret writing to Top Secret) is allowed by the *-Property. Option D is wrong because it claims both are denied, but both operations are actually permitted under Bell-LaPadula rules.

827 · MCQ · medium

Which common port is used by DNS and which transport layer protocol does it primarily use?

A. Port 53, UDP only
B. Port 161, UDP
C. Port 53, both UDP and TCP
D. Port 53, TCP only

Answer: C

Correct. DNS uses UDP for queries and TCP for zone transfers.

Why this answer

DNS uses port 53 and primarily uses UDP for queries, though TCP is used for zone transfers.

828 · MCQ · hard

An organization enforces a password policy requiring a minimum of 15 characters with no complexity requirements, and does not force periodic changes. This policy aligns with which current best practice?

A. Passwords should be exactly 8 characters with at least one special character
B. Passwords should be changed every 30 days
C. Complexity requirements are more important than length
D. Length over complexity and no periodic changes

Answer: D

NIST SP 800-63 recommends longer passwords and only forced changes upon compromise.

Why this answer

NIST SP 800-63 recommends favoring length over complexity and avoiding frequent forced changes unless compromised.

829 · Multi-Select · hard

A network administrator is implementing a defense-in-depth strategy. Which THREE of the following are considered network security controls? (Select THREE)

Select 3 answers
A. Virtual Private Network (VPN)
B. Intrusion Detection System (IDS)
C. Full disk encryption
D. Network firewall
E. Antivirus software

Answers: A, B, D

VPN provides encrypted tunnels for secure communication over untrusted networks, a network security control.

Why this answer

A Virtual Private Network (VPN) is a network security control because it creates an encrypted tunnel (using protocols such as IPsec or TLS) between a remote user and the corporate network, ensuring data confidentiality and integrity over untrusted networks like the internet. This protects data in transit and authenticates endpoints, which is a core network-layer security function.

Exam trap

ISC2 often tests the distinction between network-layer controls (VPN, IDS, firewall) and host/endpoint controls (disk encryption, antivirus), so the trap is that candidates mistakenly classify host-based security measures as network security controls.

830 · MCQ · hard

You are implementing a security control to prevent unauthorized devices from connecting to the corporate wired network. Which network access control method should be used?

A. VLAN segmentation
B. MAC address filtering
C. Network Access Control (NAC) only
D. 802.1X authentication

Answer: D

802.1X authenticates devices at the port level, checking credentials before allowing network access.

Why this answer

Option D is correct because 802.1X authentication requires devices to authenticate before gaining network access, providing port-level security. MAC filtering (B) can be bypassed by spoofing. NAC (C) is a broader concept, but 802.1X is the specific technology. VLAN segmentation (A) separates traffic but does not authenticate devices.

831 · Multi-Select · medium

An organization is evaluating recovery site options. Which TWO factors are most critical when selecting between a hot site and a warm site? (Select TWO.)

Select 2 answers
A. Cost
B. Geographic diversity
C. Number of employees
D. Recovery time objective (RTO)
E. Regulatory compliance

Answers: A, D

Cost differences are significant: hot sites require dedicated resources; warm sites are less expensive.

Why this answer

The primary factors are recovery time objective (RTO) and cost. Hot sites provide fast RTO but are expensive; warm sites are cheaper but have longer RTO.

832 · Multi-Select · medium

A security analyst wants to detect and analyze attacker behavior by deploying a decoy system. Which three characteristics apply to a honeypot? (Choose THREE.)

Select 3 answers
A. It is a decoy system to attract attackers
B. It provides early warning of attacks
C. It contains sensitive production data
D. It is used for legitimate network traffic
E. It allows analysis of attacker tactics

Answers: A, B, E

Correct. Honeypots lure attackers away from real assets.

Why this answer

Honeypots are decoy systems designed to attract attackers, provide early warning, and allow analysis of attacker techniques. They do not contain real production data and are not used for legitimate traffic.

833 · Multi-Select · easy

Which THREE are phases of the incident response process according to NIST SP 800-61?

Select 3 answers
A. Containment, Eradication, and Recovery
B. Risk Assessment
C. Detection and Analysis
D. Preparation
E. Vendor Management

Answers: A, C, D

Containment, Eradication, and Recovery is the third phase.

Why this answer

Option A is correct because NIST SP 800-61 defines the incident response process as four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The 'Containment, Eradication, and Recovery' phase is explicitly grouped together as a single phase in the standard, making A a correct choice.

Exam trap

ISC2 often tests whether candidates recognize that 'Containment, Eradication, and Recovery' is a single phase in NIST SP 800-61, not three separate phases, and that 'Risk Assessment' and 'Vendor Management' are common distractors because they appear in other security frameworks but are not part of the incident response process.

834 · MCQ · medium

Which type of log should be monitored to detect a user account that has been granted administrative privileges unexpectedly?

A. Authentication logs
B. Application logs
C. System logs
D. Firewall logs

Answer: A

Authentication logs track login events and privilege escalations.

Why this answer

Authentication logs typically record privilege escalation events, such as when a user is added to an admin group or granted elevated rights.

835 · MCQ · medium

Which transport layer protocol is used by voice over IP (VoIP) applications that require low latency and can tolerate some packet loss?

A. ICMP
B. SCTP
C. TCP
D. UDP

Answer: D

UDP is low-latency and suitable for real-time traffic.

Why this answer

UDP is connectionless and faster, making it suitable for real-time applications like VoIP where occasional packet loss is acceptable.

836 · Multi-Select · medium

A company is classifying data and wants to ensure that personally identifiable information (PII) receives appropriate protection. Which two of the following are considered PII? (Choose two.)

Select 2 answers
A. Social Security Number
B. Email address
C. Employee ID number
D. Job title
E. Department name

Answers: A, B

SSN is a classic example of PII.

Why this answer

PII includes any data that can identify an individual. Social Security Number (SSN) and email address are both considered PII because they can be used to identify a person.

837 · MCQ · easy

Which of the following is an example of a Type 2 authentication factor?

A. Smart card
B. PIN
C. Password
D. Fingerprint

Answer: A

Smart card is a possession factor (Type 2).

Why this answer

Type 2 factors are something you have, such as a physical token.

838 · MCQ · easy

Which phase of the incident response process involves restoring systems to normal operations and confirming they are functioning correctly?

A. Recovery
B. Detection
C. Containment
D. Eradication

Answer: A

Recovery restores operations and verifies functionality.

Why this answer

Recovery is the phase after eradication where systems are restored and tested.

839 · MCQ · hard

An organization wants to implement a physical access control that requires two different credentials to enter a high-security server room. Which concept does this best represent?

A. Defense in depth
B. Separation of duties
C. Need-to-know
D. Least privilege

Answer: A

Correct. Using multiple layers of security (e.g., badge + biometric) is defense in depth.

Why this answer

Defense in depth involves multiple overlapping controls, such as requiring both a badge and a biometric scan.

840 · MCQ · easy

Which protocol is used to resolve IP addresses to MAC addresses on a local network?

A. ARP
B. DHCP
C. DNS
D. ICMP

Answer: A

ARP resolves IP addresses to MAC addresses.

Why this answer

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses, operating at the Layer 2/3 boundary.

841 · Multi-Select · medium

Which TWO of the following are examples of multi-factor authentication? (Select TWO.)

Select 2 answers
A. Smart card and RSA token
B. Password and SMS one-time code
C. Biometric and PIN
D. Fingerprint and retina scan
E. Password and security question

Answers: B, C

Correct. Combines knowledge and possession.

Why this answer

MFA requires two or more different factor types. Password (knowledge) + SMS one-time code (possession) and biometric (inherence) + PIN (knowledge) qualify.

842 · Multi-Select · hard

After a security incident, an investigator needs to analyze logs to determine the timeline of events. Which TWO types of logs are most likely to provide evidence of lateral movement within the network?

Select 2 answers
A. DNS logs
B. Authentication logs
C. Firewall logs
D. System logs
E. Application logs

Answers: B, C

Failed and successful logins can indicate lateral movement.

Why this answer

Authentication logs show user logins to different systems (lateral movement), and firewall logs show connections between internal hosts. System logs may show service creation but are not as direct.

843 · Multi-Select · hard

A company is implementing risk management for a new project. Which THREE of the following are valid risk treatment options? (Select THREE.)

Select 3 answers
A. Risk acceptance
B. Risk transfer
C. Risk communication
D. Risk mitigation
E. Risk analysis

Answers: A, B, D

Correct. Acknowledging and tolerating risk.

Why this answer

Risk treatment options include mitigation, transfer, avoidance, and acceptance. All four are valid treatments, but only three of them appear among the options.

844 · Multi-Select · medium

A security administrator is reviewing network security controls. Which TWO of the following are examples of network segmentation technologies? (Select TWO)

Select 2 answers
A. Proxy servers
B. Honeypots
C. Subnetting
D. VLANs
E. Firewalls

Answers: C, D

Subnetting divides a network into smaller IP subnetworks, providing Layer 3 segmentation.

Why this answer

Subnetting divides a larger network into smaller, logical subnetworks by manipulating the subnet mask (e.g., using VLSM or CIDR). This creates separate broadcast domains at Layer 3, allowing administrators to isolate traffic and apply distinct security policies between subnets, which is a core function of network segmentation.

Exam trap

ISC2 often tests the distinction between technologies that create segmentation (subnetting, VLANs) and technologies that enforce security policies between segments (firewalls, ACLs), leading candidates to mistakenly select firewalls as a segmentation technology.

845 · MCQ · hard

During an incident, a security analyst detects unusual network traffic from a workstation that is exfiltrating data to an external IP address. The analyst isolates the workstation. Which incident response phase does the isolation action belong to?

A. Detection
B. Analysis
C. Containment
D. Eradication

Answer: C

Isolation is a containment strategy to prevent further damage.

Why this answer

Containment is the phase where actions are taken to stop the incident from spreading or causing further damage, such as isolating affected systems.

846 · MCQ · hard

Refer to the exhibit. What type of event is this?

A. Account lockout
B. Successful remote login
C. Failed network login
D. Failed local login

Answer: C

Logon Type 3 confirms a network logon attempt.

Why this answer

Option C is correct because Logon Type 3 indicates a network logon (remote connection). Option A is wrong because there is no account lockout event. Option B is wrong because the event is a failed logon, not a successful one. Option D is wrong because Logon Type 3 is a network logon, not a local one (local is Type 2 or 10).

847 · MCQ · easy

What is the difference between identification and authentication?

A. Identification proves identity; authentication claims identity
B. They are the same thing
C. Identification uses passwords; authentication uses biometrics
D. Identification claims identity; authentication proves identity

Answer: D

Correct.

Why this answer

Identification is claiming an identity; authentication is proving that identity.

848 · MCQ · medium

Refer to the exhibit. A security engineer reviews this firewall ACL. Which of the following best describes the security posture?

A. The ACL is misconfigured because the deny for SSH is never reached
B. The ACL is properly ordered with most specific rules first
C. The ACL should have a deny any any at the end to be secure
D. The ACL correctly allows HTTPS and denies SSH, blocking other traffic

Answer: A

The permit any any after the deny SSH will match SSH traffic, allowing it.

Why this answer

Option A is correct because an ACL is evaluated top-down and the first matching rule is applied. The 'permit tcp any any eq 443' rule matches only HTTPS traffic, so by itself it does not match SSH traffic (TCP/22). The key point is that the ACL lacks an explicit deny at the end: any traffic not matched by the first two rules, SSH included, is permitted by the implicit 'permit ip any any' at the end of the ACL, which makes the 'deny tcp any any eq 22' rule ineffective.

Exam trap

ISC2 often tests the misconception that ACLs have an implicit 'deny any any' at the end, when in fact extended ACLs applied to interfaces have an implicit 'permit ip any any' unless a 'deny any any' is explicitly added.

How to eliminate wrong answers

Option B is wrong because the ACL is not properly ordered with the most specific rules first; although 'deny tcp any any eq 22' is more specific than 'permit tcp any any eq 443' in terms of port, denies should be placed before permits so that they are evaluated, and the real issue is the missing explicit deny at the end. Option C is wrong because, while adding a 'deny any any' at the end is a security best practice, the primary misconfiguration is that the existing 'deny tcp any any eq 22' is never reached due to the implicit permit at the end, not merely the lack of a final deny. Option D is wrong because the ACL does not actually deny SSH; due to the implicit 'permit ip any any' at the end of the ACL, SSH traffic is permitted, not denied.

849 · MCQ · medium

During a security audit, you discover that a financial application stores passwords using MD5 hashing without salt. What is the primary security concern with this practice?

A. MD5 is reversible, allowing attackers to recover plaintext passwords
B. MD5 is too slow, causing performance issues during authentication
C. Without salting, the hashes are vulnerable to precomputed rainbow table attacks
D. Storing hashes violates PCI DSS compliance, but does not affect security

Answer: C

Rainbow tables can quickly find matching plaintext for unsalted MD5 hashes.

Why this answer

Option C is correct because unsalted MD5 hashes are vulnerable to rainbow table attacks: without a salt, attackers can match hashes against precomputed tables. Reversibility is not the primary concern (hashing is one-way). The speed of MD5 is actually a weakness for password hashing, not a strength. The compliance violation is a secondary issue.

850 · MCQ · hard

A company wants to implement account lockout to prevent brute-force attacks. Which lockout threshold is most appropriate according to common best practices?

A. 5 failed attempts
B. 1 failed attempt
C. No lockout, only logging
D. 20 failed attempts

Answer: A

5 attempts is within the recommended range.

Why this answer

Typical lockout thresholds are between 3 and 10 failed attempts to balance security and usability.

851 · Multi-Select · easy

An employee claims to have accessed a confidential document that is not related to their job role. The security team investigates and finds that the employee's account had read access to the folder containing the document. Which TWO access control concepts were likely violated?

Select 2 answers
A. Identification and authentication
B. Need-to-know
C. Separation of duties
D. Least privilege
E. Defense in depth

Answers: B, D

The employee accessed data not needed for their job.

Why this answer

Need-to-know restricts access to data required for job duties; the employee should not have accessed the document if it wasn't job-related. Least privilege ensures users have only necessary permissions; the employee likely had excessive rights if they could access unrelated data.

852 · MCQ · hard

An analyst reviews the exhibit. What security principle is best demonstrated by this policy?

A. Separation of duties
B. Defense in depth
C. Non-repudiation
D. Least privilege

Answer: D

Correct. The policy grants only necessary access and denies all other actions.

Why this answer

The policy grants users only the permissions necessary to perform their job functions, which is the core definition of least privilege. By restricting access to only required resources, the policy minimizes the attack surface and limits potential damage from compromised accounts.

Exam trap

ISC2 often tests least privilege by describing a policy that restricts access to only what is needed, and the trap is confusing it with separation of duties because both involve limiting actions, but separation of duties focuses on dividing tasks among multiple people to prevent collusion, not on minimizing individual permissions.

How to eliminate wrong answers

Option A is wrong because separation of duties requires splitting critical tasks among multiple people to prevent fraud, not simply limiting individual permissions. Option B is wrong because defense in depth involves multiple layers of security controls (e.g., firewall, IDS, encryption), not a single access restriction policy. Option C is wrong because non-repudiation ensures that an action cannot be denied later, typically via digital signatures or logging, not by limiting permissions.

853 · MCQ · medium

An organization has implemented a SIEM solution. The security team wants to detect when a user attempts to access a file they do not have permission to read. Which log source is most important for this detection?

A. Windows security event logs
B. Web server access logs
C. DNS logs
D. Firewall logs

Answer: A

Security event logs include audit events for file access and can show access denied events.

Why this answer

Windows security event logs (specifically Event ID 4663) record every attempt to access an object, including files, and include the user's security identifier (SID) and the requested access mask. This allows the SIEM to correlate the user's identity with the file's discretionary access control list (DACL) to detect an 'Access Denied' result, making it the definitive source for detecting unauthorized file access attempts.

Exam trap

ISC2 often tests the misconception that network-level logs (firewall, DNS) or application-level logs (web server) can detect OS-level file access, when in fact only the operating system's security audit subsystem can capture such granular user-to-object access attempts.

How to eliminate wrong answers

Option B is wrong because web server access logs record HTTP requests to web resources, not local file system access on a Windows server or workstation; they cannot detect a user attempting to open a file via SMB or local Explorer. Option C is wrong because DNS logs only contain domain name resolution queries and responses, with no information about file paths, user identities, or access control decisions. Option D is wrong because firewall logs track network traffic based on IP addresses and ports, not user-level file access attempts within an operating system.

854 · MCQ · medium

Which of the following is considered sensitive personally identifiable information (PII)?

A. Date of birth
B. Telephone number
C. Medical records
D. Email address

Answer: C

Medical records are sensitive PII due to privacy laws and potential harm if disclosed.

Why this answer

Sensitive PII includes medical records, financial information, and biometrics, which require extra protection.

855 · Multi-Select · medium

A security analyst is reviewing physical security controls. Which TWO are examples of perimeter physical controls? (Select TWO.)

Select 2 answers
A. Access badges at building entrance
B. Biometric reader on server room door
C. Cable locks on laptops
D. Fencing around the property
E. Lighting in the parking lot

Answers: D, E

Fencing is a perimeter control.

Why this answer

Perimeter controls secure the outer boundary. Fencing and lighting are common perimeter controls; badges and biometrics are interior or point-of-entry controls.

856 · MCQ · easy

Which of the following best describes the purpose of due care in information security?

A. Implementing reasonable security measures to protect data
B. Prioritizing security incidents based on impact
C. Transferring risk to a third party
D. Investigating a vendor's background before contracting

Answer: A

Correct. Due care is about taking prudent steps to protect assets.

Why this answer

Due care means exercising a minimum standard of care to protect information assets, such as implementing basic security controls.

857 · Multi-Select · easy

Which TWO of the following are core principles of the CIA triad?

Select 2 answers
A. Integrity
B. Non-repudiation
C. Confidentiality
D. Authorization
E. Authentication

Answers: A, C

Integrity is one of the three CIA triad principles.

Why this answer

The CIA triad consists of Confidentiality, Integrity, and Availability, so options A and C are correct. Option B (Non-repudiation), Option D (Authorization), and Option E (Authentication) are separate concepts, not part of the triad.

858 · MCQ · hard

Which of the following is a characteristic of a stateful firewall that distinguishes it from a stateless firewall?

A. It can decrypt SSL traffic
B. It examines each packet in isolation
C. It uses a state table to track connections
D. It can filter based on application-layer data

Answer: C

Stateful firewalls track connection states.

Why this answer

A stateful firewall maintains a state table to track active connections, allowing it to make decisions based on the context of the traffic.

859 · MCQ · hard

A company's IDS generates an alert for a potential SQL injection attack on a web application. The analyst reviews the log and sees the following: "SELECT * FROM users WHERE username = 'admin' OR 1=1 --'". Which action should the analyst take next?

A. Submit a change request to patch the application
B. Conduct a forensic analysis of the database
C. Verify if the WAF blocked the attack
D. Block the source IP immediately

Answer: C

First verify if the WAF mitigated the attack; IDS alerts often require correlation.

Why this answer

Option C is correct because the analyst's first priority is to determine whether the attack was actually successful or was already mitigated. A Web Application Firewall (WAF) sits in front of the web application and can inspect and block SQL injection payloads before they reach the database. By verifying the WAF logs, the analyst can confirm if the attack was blocked, which dictates the next steps—if blocked, no immediate escalation is needed; if not blocked, further investigation is required.

Exam trap

ISC2 often tests the candidate's ability to follow a proper incident response triage process—specifically, the trap is that candidates jump to a reactive action (like blocking IPs or patching) instead of first verifying whether existing controls (like a WAF) already mitigated the threat.

How to eliminate wrong answers

Option A is wrong because submitting a change request to patch the application is premature without first confirming that the attack was successful; patching is a long-term fix, not an immediate triage step. Option B is wrong because conducting a forensic analysis of the database is an invasive and time-consuming step that should only be taken if there is evidence that the attack actually reached and compromised the database, which is not yet known. Option D is wrong because blocking the source IP immediately could be an overreaction—the IP might be spoofed, part of a legitimate scan, or the attack might have already been blocked by the WAF; blocking without verification can cause unnecessary disruption and is not the standard first response in a security operations workflow.

860 · Multi-Select · hard

A company is selecting a recovery site strategy. They need to balance cost and recovery time. Which THREE factors should they consider when choosing between hot, warm, and cold sites? (Select three.)

Select 3 answers
A. Geographic diversity
B. Vendor lock-in risks
C. Cost of the facility and equipment
D. Recovery time objective (RTO)
E. Data synchronization capabilities

Answers: C, D, E

Cost varies significantly among site types.

Why this answer

Key factors: cost, recovery time objective (RTO), and data synchronization capabilities. Geography and vendor lock-in are considerations but not primary for site type selection.

861 · Multi-Select · easy

Which THREE of the following are important steps in the incident response process as defined by the NIST framework? (Choose three.)

Select 3 answers
A. Detection and Analysis
B. Vulnerability scanning
C. Containment, Eradication, and Recovery
D. Preparation
E. Post-incident auditing

Answers: A, C, D

Detecting and analyzing incidents is a key phase.

Why this answer

Preparation (D), Detection and Analysis (A), and Containment, Eradication, and Recovery (C) are the core phases. Vulnerability scanning (B) is part of ongoing security operations, not incident response. Post-incident auditing (E) is a compliance activity.

862 · MCQ · medium

A security analyst discovers that a user's account has been used to access sensitive data outside of normal business hours from an unfamiliar IP address. The user claims they were not logged in at that time. Which security operations process should be initiated first?

A. Perform a forensic analysis of the user's workstation
B. Reset the user's password and enforce multi-factor authentication
C. Disable the user account immediately
D. Initiate the incident response process

Answer: D

The incident response process begins with detection and analysis; this scenario meets the criteria for initiating that process.

Why this answer

Option D is correct because the scenario describes a potential security incident—unauthorized access to sensitive data from an unfamiliar IP address outside business hours—which requires immediate activation of the incident response process. The first step in any security operations workflow is to follow the organization's incident response plan (NIST SP 800-61) to contain, analyze, and remediate the threat. Jumping to forensic analysis, password resets, or account disabling without a coordinated incident response can destroy evidence or fail to address the root cause.

Exam trap

ISC2 often tests the misconception that immediate account disabling or password reset is the correct first response, but the CC exam emphasizes that initiating the incident response process is the foundational step to ensure proper handling, evidence preservation, and coordination.

How to eliminate wrong answers

Option A is wrong because performing forensic analysis of the user's workstation is a later step in the incident response process, not the first action; it could also be irrelevant if the compromise originated from a remote attacker without local artifacts. Option B is wrong because resetting the password and enforcing MFA addresses only credential hygiene but does not investigate the extent of the breach, identify the attack vector, or preserve evidence—potentially alerting the attacker prematurely. Option C is wrong because disabling the user account immediately might disrupt legitimate business operations and could tip off an attacker, whereas a coordinated incident response includes controlled containment actions based on investigation.

863 · MCQ · easy

Which backup method copies all data that has changed since the last full backup, regardless of subsequent incremental or differential backups?

A. Full backup
B. Synthetic full backup
C. Differential backup
D. Incremental backup

Answer: C

Differential copies changes since the last full backup.

Why this answer

A differential backup copies all changes since the last full backup, making it distinct from incremental which copies changes since the last backup of any type.

864 · MCQ · medium

During a security audit, it is discovered that a single employee can approve purchase orders and also receive the goods. Which security principle is being violated?

A. Separation of duties
B. Defense in depth
C. Least privilege
D. Need-to-know

Answer: A

Separation of duties prevents conflicts by dividing critical tasks.

Why this answer

Separation of duties requires that conflicting tasks be divided among different individuals to prevent fraud. Option C (Least privilege) is about access levels. Option D (Need-to-know) restricts data access. Option B (Defense in depth) is about layered controls.

865 · MCQ · medium

A company is designing a secure network architecture for its new headquarters. The security team proposes implementing multiple layers of security controls, including firewalls, intrusion detection systems, and access control lists. Which security principle is being primarily applied?

A. Defense in depth
B. Separation of duties
C. Least privilege
D. Need-to-know

Answer: A

Defense in depth employs multiple overlapping security controls to protect assets.

Why this answer

Correct: defense in depth uses multiple layers of security to protect assets. Option C is wrong because least privilege limits access rights; Option B is wrong because separation of duties divides tasks among multiple people; Option D is wrong because need-to-know restricts access to information necessary for job functions.

866 · MCQ · hard

An organization implements a policy where no single employee can approve a financial transaction over $10,000; a second manager must also approve. This is an example of which access control principle?

A. Separation of duties
B. Least privilege
C. Need-to-know
D. Defense in depth

Answer: A

Dual approval for high-risk actions exemplifies separation of duties.

Why this answer

Separation of duties requires multiple people to complete a critical task, reducing fraud risk.

867
Multi-Selectmedium

A financial services company is conducting a Business Impact Analysis (BIA) for its online banking platform. Which TWO of the following are correctly defined metrics used in BIA?

Select 2 answers
A.Service Level Agreement (SLA) – the contractual uptime percentage guaranteed to customers.
B.Recovery Time Objective (RTO) – the maximum amount of time to restore a business function after a disruption.
C.Maximum Tolerable Downtime (MTD) – the total time a business function can be unavailable before causing irreparable harm.
D.Annualized Loss Expectancy (ALE) – the expected monetary loss per year from a risk.
E.Recovery Point Objective (RPO) – the maximum acceptable amount of data loss measured in time.
AnswersB, E

Correct. RTO and RPO are both BIA metrics.

Why this answer

In BIA, RTO is the maximum time allowed to recover a business function after a disruption, and RPO is the maximum acceptable data loss measured in time (effectively the age of the most recent usable backup or replica). Option C's definition of MTD is also accurate and MTD is a BIA metric as well (RTO plus work recovery time must fit within MTD), so three options are defensible; the answer key counts only B and E. SLA (A) is a contractual commitment rather than a BIA output, and ALE (D) belongs to quantitative risk analysis.

868
MCQeasy

During an incident, the incident response team discovers that an attacker has exfiltrated sensitive customer data. According to incident response best practices, whose approval is REQUIRED before contacting law enforcement?

A.CISO
B.CEO
C.Legal counsel
D.Public relations
AnswerC

Legal counsel ensures compliance and manages liability.

Why this answer

Legal counsel is the expected approver because contacting law enforcement is a legal act whose consequences the response team cannot judge alone: it may interact with breach-notification obligations (for example GDPR or CCPA), it hands over evidence that must then be handled under chain-of-custody rules, and it can create liability or contractual exposure. The incident response team coordinates with legal to decide the timing and scope of law enforcement involvement; premature contact can compromise an ongoing forensic investigation or breach existing agreements. In practice the decision is taken together with executive leadership, but legal review is the gating step.

Exam trap

ISC2 often tests the misconception that the CISO or CEO has the final say on law enforcement contact. In this question bank the expected answer is legal counsel, because that function owns the legal and regulatory analysis of involving external authorities.

How to eliminate wrong answers

Option A is wrong because the CISO (Chief Information Security Officer) oversees the technical incident response, but the decision to involve law enforcement requires legal review to avoid legal exposure. Option B is wrong because the CEO (Chief Executive Officer) may be informed and may ultimately sign off, but legal counsel must assess the legal implications first. Option D is wrong because Public Relations handles external communications and reputation management and has no role in approving law enforcement involvement.

869
MCQmedium

A security analyst observes SSH logs showing repeated failed login attempts from a single IP address (the log exhibit is not reproduced on this page). What is the MOST likely attack?

A.Brute force attack on SSH service
B.Session hijacking via SSH
C.Phishing attack targeting root and admin accounts
D.Denial of service attack on port 22
AnswerA

Multiple failed password attempts from a single source IP.

Why this answer

Option A is correct because repeated failed login attempts from the same IP against one or more accounts are the signature of a password-guessing (brute force or dictionary) attack on the SSH service. Option B (session hijacking) would involve taking over an already-authenticated session, not a string of failed authentications. Option C (phishing) is delivered by email or web and would not show up as SSH login failures.

Option D (denial of service) is not evident: the log shows authentication failures, not connection exhaustion.

870
Multi-Selecthard

After a major power outage, an organization needs to declare a disaster and activate its DRP. Which THREE elements should be included in the initial crisis communication?

Select 3 answers
A.A statement that a disaster has been declared
B.Details of the vulnerability exploited
C.Contact information for the incident response team
D.Instructions for employees to work remotely
E.Names of affected customers
AnswersA, C, D

Essential for awareness.

Why this answer

Initial communication should confirm the disaster, provide initial instructions, and outline next steps without revealing sensitive details.

871
Multi-Selecthard

A security analyst is reviewing data handling procedures. Which THREE of the following are considered sensitive PII?

Select 3 answers
A.Financial account numbers
B.Phone number
C.Name and email address
D.Biometric data
E.Medical records
AnswersA, D, E

Correct. Financial data is sensitive PII.

Why this answer

Sensitive PII includes medical records, financial account numbers, and biometric data. Name and phone number are general PII.

872
MCQmedium

According to modern password guidance from NIST SP 800-63, which of the following is the most important factor when setting password requirements?

A.Requiring a mix of uppercase, lowercase, numbers, and special characters
B.Using randomly generated passwords
C.Changing passwords every 30 days
D.Enforcing a minimum length of at least 8 characters
AnswerD

Length is prioritized over composition rules; revision 3 sets an 8-character floor, and revision 4 raises it to 15 for a password used on its own (8 when it is one factor of MFA).

Why this answer

NIST SP 800-63B favours password length over complexity: it requires a minimum length (8 characters in revision 3; in revision 4, 15 characters for a password used as the only factor and 8 for one paired with a second factor), forbids composition rules such as mandatory character classes, rejects periodic forced changes unless compromise is suspected, and requires new passwords to be checked against a blocklist of known-breached and common passwords. Random generation (B) is good practice but is not what the standard mandates for user-chosen passwords.

873
MCQmedium

A company's security policy requires that all privileged access to critical servers be logged and monitored. The IT team has implemented a jump server (bastion host) for administrators to connect to critical servers. All SSH connections to the jump server are logged, and from there, administrators connect to target servers. The security team notices that some administrators are bypassing the jump server and connecting directly to critical servers from their workstations. The direct connections are not logged. The security team needs to enforce the policy without disrupting operations. Which of the following is the BEST solution?

A.Implement a host-based firewall on each critical server to block direct connections.
B.Send a warning email to all administrators reminding them of the policy.
C.Disable direct SSH access to critical servers at the network firewall level.
D.Revoke local administrator rights on workstations.
AnswerA

Specifically blocks unauthorized direct connections while allowing jump server traffic.

Why this answer

A host-based firewall on each critical server can enforce the security policy by blocking direct SSH connections (TCP port 22) from any source other than the jump server's IP address. This ensures that all administrative access must go through the jump server, where logging is already in place, without disrupting legitimate operations through the authorized path.

Exam trap

ISC2 often tests the distinction between network-based controls (like a perimeter firewall) and host-based controls, where candidates mistakenly choose a network firewall solution without realizing it does not block internal direct connections from the same subnet.

How to eliminate wrong answers

Option B is wrong because a warning email is a non-technical, administrative control that relies on user compliance and does not actually prevent the bypass; it fails to enforce the policy. Option C is wrong because disabling direct SSH access at the network firewall level would block all external SSH traffic to the critical servers, but it would not prevent direct connections from within the same subnet or from workstations on the internal network that are not subject to the firewall rule. Option D is wrong because revoking local administrator rights on workstations does not prevent users from using SSH clients to connect directly to critical servers; it only limits software installation privileges, not network connectivity.

874
MCQhard

A security professional is asked to ensure that a document has not been altered since it was signed. Which technology best supports this requirement?

A.Symmetric encryption
B.Digital signature
C.Access control list
D.Hashing
AnswerB

Digital signatures provide integrity, authentication of the signer, and non-repudiation.

Why this answer

A digital signature is a hash of the document signed with the signer's private key; verifying it with the matching public key proves both that the content is unchanged since signing and who signed it. Hashing alone (D) detects alteration, but anyone can recompute the hash after modifying the document, so it does not bind the content to the signer or to the moment of signing. Symmetric encryption (A) provides confidentiality, and an ACL (C) governs access, not integrity.

875
MCQeasy

During which phase of the incident response process would the team identify the root cause of a security incident?

A.Eradication
B.Preparation
C.Analysis
D.Detection
AnswerC

Analysis determines the root cause and impact.

Why this answer

The analysis phase involves examining the incident to determine the root cause, scope, and impact.

876
MCQeasy

Which metric is used to define the maximum amount of data loss an organization can tolerate during a disaster?

A.RTO
B.RPO
C.SLA
D.MTBF
AnswerB

RPO defines the maximum acceptable data loss.

Why this answer

RPO (Recovery Point Objective) defines the maximum acceptable amount of data loss measured in time, such as seconds, minutes, or hours. It determines the age of the backup or replication data that must be restored to resume normal operations after a disaster. For example, an RPO of 1 hour means the organization can tolerate losing up to 1 hour's worth of data.

Exam trap

ISC2 often tests the distinction between RTO and RPO, where candidates mistakenly select RTO because they confuse 'time to recover' with 'time of data loss' — remember RTO is about downtime, RPO is about data loss.

How to eliminate wrong answers

Option A (RTO) is wrong because RTO (Recovery Time Objective) defines the maximum acceptable downtime, not data loss; it measures how quickly systems must be restored after a disaster. Option C (SLA) is wrong because SLA (Service Level Agreement) is a contractual commitment between a provider and customer covering performance metrics like uptime, not a specific measure of tolerable data loss. Option D (MTBF) is wrong because MTBF (Mean Time Between Failures) is a reliability metric that predicts the average time between system failures, not a measure of data loss tolerance.

877
Multi-Selecteasy

An organization wants to implement multi-factor authentication (MFA) for remote access. Which two types of authentication factors would meet the definition of MFA? (Choose two.)

Select 2 answers
A.Password
B.Smart card
C.Retina scan
D.Fingerprint scan
E.OTP token
AnswersA, B

A password (Type 1, something you know) combined with a smart card (Type 2, something you have) uses two different factor types and therefore meets the definition of MFA.

Why this answer

Multi-factor authentication requires at least two different types of factors. A password is Type 1 (knowledge) and a smart card is Type 2 (possession), so combining them qualifies as MFA. A smart card plus an OTP token (B and E) would be two possession factors, which is two-step but not multi-factor; likewise a retina scan plus a fingerprint (C and D) are both Type 3 (inherence). Any pairing of knowledge, possession and inherence would qualify; A and B is the pairing this explanation describes.

878
MCQmedium

A company's Business Impact Analysis (BIA) determines that its online payment system can tolerate a maximum of 2 hours of downtime. The IT team estimates that restoring the system from backups will take 1 hour, and the team needs another 30 minutes to verify data integrity and resume normal operations. Which metric does the 30-minute verification period represent?

A.Recovery Point Objective (RPO)
B.Work Recovery Time (WRT)
C.Maximum Tolerable Downtime (MTD)
D.Recovery Time Objective (RTO)
AnswerB

WRT is the additional time after system restoration to return to normal operations.

Why this answer

Work Recovery Time (WRT) is the time needed after systems are restored to return to normal operations, distinct from RTO which is the time to restore functionality.

879
MCQeasy

A small business uses a cloud file storage service that allows sharing links. An employee mistakenly shared a folder containing customer data via a public link. The business wants to prevent such incidents in the future without blocking legitimate sharing. Which access control method should they implement?

A.Disable all external sharing
B.Require authentication for shared links
C.Use watermarking on documents
D.Encrypt all files
AnswerB

Authentication limits access to authorized users only, preventing public exposure.

Why this answer

Requiring authentication for shared links ensures that only intended recipients can access the data, reducing the risk of public exposure. Disabling all sharing is too restrictive. Watermarking and encryption do not prevent sharing to unauthorized users.

880
MCQhard

The exhibit shows a snippet of /var/log/auth.log on a Linux server. Which security principle is most likely violated if the failed attempts continue without action?

A.Non-repudiation
B.Separation of duties
C.Least privilege
D.Defense in depth
AnswerC

Allowing root login over SSH grants full privileges and is a violation of least privilege; it should be disabled.

Why this answer

The logs show repeated failed SSH attempts from the same IP, indicating a brute force attack. If no action is taken, availability could be affected if the attacker triggers lockout of the root account, or confidentiality and integrity if a guess eventually succeeds. Most directly, though, the principle of least privilege is violated because root login over SSH is permitted: root is the most privileged account, and administrators should authenticate as named users and elevate only when needed.

Option C is correct. Option D (defense in depth) would be violated only if no other controls such as lockout, rate limiting or a host firewall existed; the question asks which principle is most likely violated. Option B (separation of duties) is not relevant.

Option A (non-repudiation) is not directly affected.

881
MCQhard

A security analyst notices repeated failed login attempts from a single IP address. The account is locked after 10 failed attempts. This is an example of which type of control?

A.Logical access control
B.Compensating control
C.Physical access control
D.Administrative control
AnswerA

Account lockout is a software-based control to prevent unauthorized access.

Why this answer

Account lockout is a logical access control that detects and mitigates brute-force attacks.

882
Multi-Selectmedium

A security professional is reviewing authentication methods. Which TWO are examples of Type 2 (possession) factors? (Select TWO)

Select 2 answers
A.A PIN
B.A hardware OTP token
C.A fingerprint
D.A password
E.A smart card
AnswersB, E

A hardware token is a possession.

Why this answer

Type 2 factors are something you have; a smart card and a hardware token are physical devices.

883
MCQhard

According to the (ISC)² Code of Ethics, which of the following has the highest priority?

A.Provide diligent and competent service to principals
B.Act honorably, honestly, justly, responsibly, and legally
C.Protect society, the common good, necessary public trust and confidence, and the infrastructure
D.Advance and protect the profession
AnswerC

Correct. This is the first and highest priority canon.

Why this answer

The (ISC)² Code of Ethics has four canons in order of priority: Protect society, the common good, necessary public trust and confidence, and the infrastructure; Act honorably, honestly, justly, responsibly, and legally; Provide diligent and competent service to principals; Advance and protect the profession.

884
MCQmedium

A company implements a policy where a financial transaction must be initiated by one employee and approved by a different employee. This is an example of which access control concept?

A.Need-to-know
B.Separation of duties
C.Least privilege
D.Job rotation
AnswerB

Separation of duties requires multiple people to complete a sensitive task.

Why this answer

Separation of duties (SoD) is an access control concept that requires a critical task, such as a financial transaction, to be split into multiple steps performed by different individuals. This prevents any single employee from having the authority to both initiate and approve a transaction, thereby reducing the risk of fraud or error. In this scenario, the policy directly enforces SoD by ensuring that no one person can complete the entire process alone.

Exam trap

ISC2 often tests candidates by confusing separation of duties with least privilege, as both involve limiting user actions, but the key distinction is that separation of duties requires multiple people to complete a task, while least privilege only limits the permissions of a single user.

How to eliminate wrong answers

Option A is wrong because need-to-know restricts access to information based on an individual's job requirements, not on splitting tasks among multiple people. Option C is wrong because least privilege grants users only the minimum permissions necessary to perform their job, but it does not require a second person to approve an action. Option D is wrong because job rotation moves employees between roles over time to cross-train and reduce boredom, but it does not enforce a dual-authority requirement for a single transaction.

885
MCQeasy

Which of the following is considered sensitive Personally Identifiable Information (PII)?

A.Email address
B.Date of birth
C.Medical records
D.Phone number
AnswerC

Medical records are sensitive PII.

Why this answer

Medical records are sensitive PII because they can cause significant harm if disclosed.

886
Multi-Selectmedium

Which two of the following are common methods to secure a virtual private network (VPN) connection? (Choose two.)

Select 2 answers
A.ICMP
B.LDAP
C.SSL/TLS
D.SNMP
E.IPsec
AnswersC, E

SSL/TLS is used for remote-access VPNs; IPsec for site-to-site and network-layer VPNs.

Why this answer

SSL/TLS secures VPN connections in SSL VPNs: it runs on top of TCP (above the transport layer, at the OSI session and presentation layers) and provides encryption, authentication and integrity, typically over port 443, so it traverses firewalls and proxies that already permit HTTPS. This makes it well suited to remote-access VPNs where clients connect through a browser or a lightweight client. IPsec operates at the network layer (Layer 3) using AH and ESP, with keys negotiated by IKE, and is the usual choice for site-to-site tunnels. ICMP, LDAP and SNMP are diagnostic, directory and management protocols respectively and provide no tunnelling or encryption.

Exam trap

ISC2 often tests the distinction between VPN security protocols (IPsec, SSL/TLS) and unrelated network protocols (ICMP, SNMP, LDAP) to see if candidates confuse management or authentication protocols with encryption/tunneling mechanisms.

887
MCQmedium

A company's security policy states that all sensitive data must be encrypted both at rest and in transit. Which threat model does this control primarily address?

A.Data tampering
B.Unauthorized disclosure
C.Denial of service
D.Repudiation
AnswerB

Encryption prevents unauthorized parties from reading the data, thus preventing disclosure.

Why this answer

Encryption at rest and in transit primarily protects confidentiality, so Option B (unauthorized disclosure) is correct. Option A (data tampering) is an integrity threat: encryption on its own, without an authenticated mode or a MAC, does not reliably detect modification, so a separate integrity control is needed. Option C (denial of service) is an availability threat that encryption does not address.

Option D (repudiation) is countered by digital signatures and logging, not by encryption.

888
MCQeasy

A security engineer is configuring a network intrusion detection system (NIDS) to monitor traffic on a critical subnet. To minimize false positives, which of the following should the engineer baseline first?

A.The results of a recent vulnerability scan
B.The normal traffic patterns during peak business hours
C.The latest attack signatures from the vendor
D.The firewall logs from the past 24 hours
AnswerB

Baseline normal traffic to identify anomalies.

Why this answer

Baselining normal traffic patterns during peak business hours establishes a reference of legitimate network behavior, which is essential for a NIDS to distinguish benign anomalies from actual threats. Without this baseline, the NIDS may generate false positives by flagging legitimate peak-hour traffic spikes as malicious. This aligns with the principle that anomaly-based detection relies on a statistical model of normal activity to reduce noise.

Exam trap

ISC2 often tests the distinction between anomaly-based and signature-based detection, and the trap here is that candidates mistakenly think vulnerability scans or firewall logs provide a sufficient baseline, when in fact only observed normal traffic patterns during representative periods (like peak hours) can minimize false positives in an anomaly-based NIDS.

How to eliminate wrong answers

Option A is wrong because vulnerability scan results identify known weaknesses but do not define normal traffic behavior, so they cannot help the NIDS differentiate benign from malicious traffic patterns. Option C is wrong because attack signatures are used for signature-based detection, not for establishing a baseline to minimize false positives in anomaly-based detection; relying solely on signatures can miss novel attacks and still generate false positives if traffic matches signatures incorrectly. Option D is wrong because firewall logs from the past 24 hours provide only a limited snapshot of traffic and may not capture the full range of normal patterns, especially during peak hours, leading to an incomplete baseline.

889
MCQmedium

A vulnerability assessment reveals that a legacy system has unpatched software. The organization decides to accept the risk because the system is isolated and has compensating controls. This decision is an example of:

A.Risk avoidance
B.Risk acceptance
C.Risk mitigation
D.Risk transfer
AnswerB

The organization accepts the residual risk.

Why this answer

Risk acceptance is acknowledging the risk and deciding not to mitigate it.

890
MCQhard

A company implements a policy that after an employee leaves, their account must be disabled within 24 hours. Which principle is this policy primarily intended to support?

A.Availability
B.Integrity
C.Confidentiality
D.Accountability
AnswerD

Accountability requires that actions can be traced to individuals; disabling former accounts prevents untraceable actions.

Why this answer

Correct: D, Accountability. Disabling the account promptly ensures that every action on the system can be traced to a current, identifiable employee, and that a departed user (or someone reusing the credentials) cannot act under an identity no one is accountable for. Option A is wrong because availability is about system accessibility. Option B is wrong because integrity is about data accuracy.

Option C is wrong because confidentiality is about data secrecy; disabling accounts also protects confidentiality, but the question asks which principle the policy primarily supports.

891
MCQhard

A security team deploys a passive device that monitors network traffic and generates alerts when it detects suspicious patterns, but it does not take any action. This device is best described as a:

A.Web Application Firewall (WAF)
B.Intrusion Detection System (IDS)
C.Intrusion Prevention System (IPS)
D.Stateful firewall
AnswerB

Correct. IDS is passive, alerting only.

Why this answer

An Intrusion Detection System (IDS) is passive, monitoring and alerting without blocking traffic, unlike an IPS which is inline.

892
MCQmedium

A government agency uses a multi-level security system with mandatory access control (MAC). A user with Secret clearance attempts to write data to a file classified as Confidential. Under the Bell-LaPadula model, which rule applies and what is the outcome?

A.The simple security property (no read up) denies the operation
B.The *-property allows the operation because the user is writing down
C.The simple security property allows the operation because the user's clearance is higher
D.The *-property (no write down) denies the operation
AnswerD

The *-property prohibits high clearances from writing to lower classifications.

Why this answer

The Bell-LaPadula model enforces mandatory access control (MAC) with two primary rules: the simple security property (no read up) and the *-property (no write down). In this scenario, a user with Secret clearance attempts to write to a Confidential file, which is a write-down operation. The *-property prohibits writing to a lower classification to prevent the leakage of higher-classified information, so the operation is denied.

Option D correctly identifies this rule and outcome.

Exam trap

ISC2 often tests the confusion between the simple security property (no read up) and the *-property (no write down), leading candidates to mistakenly apply the read rule to a write operation or assume that higher clearance allows writing down.

How to eliminate wrong answers

Option A is wrong because the simple security property (no read up) governs read operations, not write operations, and here the user is writing, not reading. Option B is wrong because the *-property does not allow write-down; it explicitly prohibits writing to a lower classification to maintain confidentiality. Option C is wrong because the simple security property allows read-down, not write-down, and it does not permit writing to a lower classification based on clearance level.
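The two rules in the explanation above, carried into code as an added example (not from the page): a Bell-LaPadula decision function over the linear classification lattice, generalized to compartments (need-to-know categories) so that lattice dominance, not just level comparison, drives the decision. The level names follow the question; the compartment names are assumptions.

```python
"""Bell-LaPadula read/write decisions over classification levels and compartments.

Added example, not from the exam page; the compartment names are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Iterable, Tuple


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A security label: a linear level plus a set of need-to-know compartments."""
    level: Level
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND a superset of compartments."""
        return self.level >= other.level and self.compartments >= other.compartments


def may_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the subject must dominate the object."""
    return subject.dominates(obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object must dominate the subject."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, op: str) -> str:
    """Return 'allow' or 'deny: <property that fired>' for a read or write request."""
    if op == "read":
        return "allow" if may_read(subject, obj) else "deny: simple security property (no read up)"
    if op == "write":
        return "allow" if may_write(subject, obj) else "deny: *-property (no write down)"
    raise ValueError(f"unknown operation {op!r}")


def decision_table(subject: Label, objects: Iterable[Label]) -> Dict[Tuple, str]:
    """Evaluate every (object, op) pair; useful for eyeballing a policy at a glance."""
    return {
        (o.level.name, tuple(sorted(o.compartments)), op): decide(subject, o, op)
        for o in objects
        for op in ("read", "write")
    }


if __name__ == "__main__":
    secret = Label(Level.SECRET)
    for key, outcome in decision_table(secret, [Label(lvl) for lvl in Level]).items():
        print(key, "->", outcome)
```

With a Secret subject, reading Confidential and writing to Top Secret are allowed, writing to Confidential is denied by the *-property, and reading Top Secret is denied by the simple security property. The compartment check shows why a Secret subject cleared for NATO still cannot read a Secret object marked NATO and CRYPTO: equal level is not enough, the label must dominate.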

893
MCQmedium

A network administrator is designing a DMZ to host a public-facing web server and a database server that should only be accessible from the web server. Which of the following firewall rule sets best achieves this design?

A.Allow inbound HTTP/HTTPS to web server; allow web server to database on port 3306; deny all else
B.Allow web server to initiate outbound connections to internet; allow database to initiate connections to web server; deny all else
C.Allow inbound HTTP/HTTPS to web server; allow all traffic from web server to database; deny all else
D.Allow inbound HTTP/HTTPS to web server; allow inbound SQL from internet to database; deny all else
AnswerA

This permits necessary traffic and restricts database access to only the web server.

Why this answer

Option A is correct because it implements the principle of least privilege for a DMZ: it allows inbound HTTP/HTTPS traffic (ports 80/443) to the public-facing web server, then permits only the web server to initiate outbound connections to the database server on port 3306 (MySQL/MariaDB default), and denies all other traffic. This ensures the database is not directly accessible from the internet, reducing the attack surface while still supporting the required application flow.

Exam trap

ISC2 often tests the principle of least privilege by including options that allow overly broad access (like 'all traffic' from web to database) or reverse the direction of connections, so the trap here is assuming that any traffic between the web server and database is acceptable without specifying the exact protocol and port.

How to eliminate wrong answers

Option B is wrong because it allows the web server to initiate outbound connections to the internet, which is unnecessary and could be used for data exfiltration or command-and-control traffic; it also incorrectly allows the database to initiate connections to the web server, which violates the design requirement that the database should only be accessible from the web server. Option C is wrong because it allows all traffic from the web server to the database, not just the specific SQL port (3306), which could permit other protocols or services to reach the database, increasing the attack surface. Option D is wrong because it allows inbound SQL traffic from the internet directly to the database server, which directly contradicts the requirement that the database should only be accessible from the web server and exposes the database to external attacks.
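To make the difference between options A and C concrete, here is an added example (not from the page) that evaluates both rule sets with first-match semantics and probes them with the flows a DMZ design must block. The addresses are assumptions from the RFC 5737 documentation ranges, and the firewall is assumed to be stateful, so only the initiating direction of each flow is written as a rule.

```python
"""First-match evaluation of the DMZ rule sets in question 893.

Added example, not from the exam page. Addresses are assumptions (RFC 5737
documentation ranges); the firewall is assumed stateful, so return traffic
for an allowed flow needs no rule of its own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

WEB = "192.0.2.10"   # public-facing web server in the DMZ (assumed)
DB = "10.0.0.20"     # database server on the internal segment (assumed)
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # source network, CIDR or single host
    dst: str                # destination network, CIDR or single host
    dports: FrozenSet[int]  # destination TCP ports; empty set means any port
    name: str

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (not self.dports or dport in self.dports))


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or an implicit deny."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action, rule.name
    return "deny", "implicit default deny"


# Option A: least privilege, only the flows the application needs.
OPTION_A = [
    Rule("allow", ANY, WEB, frozenset({80, 443}), "inbound HTTP/HTTPS to web"),
    Rule("allow", WEB, DB, frozenset({3306}), "web to database (MySQL)"),
    Rule("deny", ANY, ANY, frozenset(), "deny all"),
]

# Option C: the same, except every port from web to database is open.
OPTION_C = [
    Rule("allow", ANY, WEB, frozenset({80, 443}), "inbound HTTP/HTTPS to web"),
    Rule("allow", WEB, DB, frozenset(), "web to database (all ports)"),
    Rule("deny", ANY, ANY, frozenset(), "deny all"),
]


def audit(rules: List[Rule]) -> List[str]:
    """Flows a correct DMZ design must block that this rule set nevertheless allows."""
    probes = [
        ("198.51.100.7", DB, 3306, "internet -> database SQL"),
        ("198.51.100.7", WEB, 22, "internet -> web SSH"),
        (WEB, DB, 22, "web -> database SSH"),
    ]
    return [desc for src, dst, port, desc in probes
            if evaluate(rules, src, dst, port)[0] == "allow"]


if __name__ == "__main__":
    for label, rules in (("A", OPTION_A), ("C", OPTION_C)):
        print(f"Option {label} unexpected allows:", audit(rules) or "none")
```

Option A passes every probe, while Option C lets a compromised web server reach the database on SSH (or any other port), which is exactly the extra attack surface the explanation warns about. The explicit "deny all" is kept even though the evaluator already defaults to deny, because on real firewalls an explicit final deny is what gets logged.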

894
Multi-Selectmedium

Which THREE of the following are examples of the principle of least privilege? (Select THREE.)

Select 3 answers
A.Granting a user only the permissions needed to perform their job
B.Giving all employees full access to the file server
C.Allowing a contractor access only during their contract period
D.Providing read-only access to a database for a reporting analyst
E.Assigning administrator rights to all employees by default
AnswersA, C, D

Correct. This is the essence of least privilege.

Why this answer

Option A is correct because the principle of least privilege dictates that a user should be granted only the permissions necessary to perform their job functions. This minimizes the attack surface and limits potential damage from accidental or malicious actions. In practice, this means assigning specific roles or access control lists (ACLs) rather than broad permissions.

Exam trap

ISC2 often tests the principle of least privilege by including options that sound reasonable but grant excessive access, such as 'full access to the file server' or 'administrator rights to all employees,' to see if candidates recognize that even temporary or role-based access must be strictly limited to the minimum necessary.

895
MCQmedium

An organization decides to implement a security control that can detect and block attacks in real-time by sitting inline in the network. Which of the following should be chosen to meet these requirements?

A.Intrusion Detection System (IDS)
B.Intrusion Prevention System (IPS)
C.Packet filtering firewall
D.Honeypot
AnswerB

Correct. IPS is inline and can block.

Why this answer

An IPS (Intrusion Prevention System) is inline and can block attacks. IDS is passive.

896
MCQhard

During a tabletop exercise for a data center outage, the IT manager realizes that the disaster recovery plan does not specify how to failover the database cluster. The primary data center fails completely. The standby site has a replica of the database, but the application team cannot promote it because they lack the necessary privileges. What is the most likely cause of this gap?

A.The standby site's network connectivity was not tested
B.The database replication configuration was incorrect
C.The database failover procedure was not documented
D.The DR plan did not include role-based access for failover operations
AnswerD

Proper DR planning should define who has the authority to perform failover and ensure credentials are available at the standby site.

Why this answer

The correct answer is D because the scenario explicitly states that the application team lacks the necessary privileges to promote the standby database. This indicates that the disaster recovery plan did not define role-based access controls (RBAC) or assign failover permissions to specific personnel or groups. Without documented roles and privileges, even a fully replicated standby database cannot be promoted, causing a failover gap.

Exam trap

ISC2 often tests the distinction between a missing procedure (documentation gap) and missing authorization (access control gap), leading candidates to pick 'procedure not documented' when the real issue is that the team lacks the privileges to execute any procedure.

How to eliminate wrong answers

Option A is wrong because network connectivity, while important for replication and access, is not the root cause here—the standby site has a replica, implying connectivity exists. Option B is wrong because the replication configuration is correct (the standby has a replica), so the issue is not with replication setup but with authorization to promote. Option C is wrong because while the failover procedure may not be documented, the core problem is the lack of privileges to execute any documented procedure—documentation alone does not grant access rights.

897
Multi-Selecteasy

Which TWO of the following are common methods to authenticate users on a wireless network? (Select TWO)

Select 2 answers
A.WEP
B.WPA3-SAE
C.802.1X with RADIUS
D.WPA2-PSK
E.MAC address filtering
AnswersB, C

WPA3-SAE provides secure password-based authentication for personal mode; 802.1X with RADIUS authenticates individual users in enterprise mode.

Why this answer

WPA3-SAE (Simultaneous Authentication of Equals) authenticates both parties from a shared password using the Dragonfly password-authenticated key exchange, which resists offline dictionary attacks and provides forward secrecy; the resulting Pairwise Master Key (PMK) seeds the session keys. 802.1X with RADIUS (enterprise mode) authenticates each user or device through EAP against a RADIUS server, typically with per-user credentials or certificates, so access can be granted and revoked individually. WEP is broken and should not be deployed. WPA2-PSK authenticates with a single shared passphrase whose four-way handshake can be attacked offline, and MAC address filtering is defeated by spoofing; neither identifies an individual user.

Exam trap

ISC2 often tests the distinction between shared-secret or device-based access controls (WEP, WPA2-PSK, MAC address filtering) and per-user authentication methods, leading candidates to select WPA2-PSK or MAC filtering as user authentication mechanisms when at best they identify a device or a group.

898
Multi-Selectmedium

Which TWO scenarios best illustrate the principle of least privilege?

Select 2 answers
A.Regular employees can install software on their workstations
B.The CEO has root access to all servers
C.An administrator uses a separate standard account for daily work and an admin account only when needed
D.All users have full control over shared folders
E.A user has only the permissions required to perform their job
AnswersC, E

Running with minimal privileges reduces risk.

Why this answer

Option C is correct because it demonstrates the principle of least privilege by using a separate standard user account for daily tasks and elevating to an administrative account only when necessary. This minimizes the attack surface by ensuring that administrative privileges are not active during routine activities, reducing the risk of accidental system changes or malware execution with elevated rights. In Windows environments, this is commonly implemented via User Account Control (UAC) and the use of a standard vs. administrator account.

Exam trap

ISC2 often tests least privilege by contrasting it with separation of duties and by offering options in which a trusted person (the CEO with root on every server) is granted broad access; trust in the person is never a reason to exceed the permissions the job requires, which is the trap.

899
MCQhard

A healthcare organization suffers a data breach involving protected health information (PHI). The incident occurred on Monday, and the organization discovers it on Wednesday. Under GDPR, if the breach affects EU residents, what is the deadline for notifying the supervisory authority?

A.Wednesday (day of discovery)
B.Saturday
C.Thursday
D.Monday (day of breach)
AnswerB

72 hours from Wednesday awareness is Saturday.

Why this answer

GDPR requires notification within 72 hours of becoming aware of the breach.

900
MCQmedium

An LDAP distinguished name (DN) is formatted as: CN=John Smith,OU=Sales,DC=company,DC=com. Which component represents the organizational unit?

A.OU=Sales
B.DC=com
C.CN=John Smith
D.DC=company
AnswerA

OU represents the Organizational Unit.

Why this answer

OU stands for Organizational Unit in LDAP DNs.
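Because DN values can themselves contain commas (a display name such as "Smith, John" is escaped as Smith\, John under RFC 4514), splitting a DN on every comma is a common bug. As an added example (not from the page), the following parser splits a DN into its relative DNs while honouring backslash escapes, then pulls out the OU chain and the DC-derived domain; the sample DNs other than the one in the question are constructed.

```python
"""Parse LDAP distinguished names (RFC 4514 string form) into their RDNs.

Added example, not from the exam page. Handles backslash-escaped separators;
multi-valued RDNs joined with '+' are left as a single value.
"""
from typing import List, Tuple

QUESTION_DN = "CN=John Smith,OU=Sales,DC=company,DC=com"


def split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep` except where it is preceded by a backslash escape."""
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def unescape(value: str) -> str:
    """Remove backslash escapes from an attribute value (e.g. 'Smith\\, John')."""
    out: List[str] = []
    escaped = False
    for ch in value:
        if escaped:
            out.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        else:
            out.append(ch)
    return "".join(out)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(TYPE, value), ...] ordered from the most specific RDN to the root.

    Attribute types are normalised to upper case; values keep their case.
    Leading whitespace after a separator is tolerated; a value is not stripped,
    because a trailing escaped space is legal. Raises ValueError on a malformed RDN.
    """
    rdns: List[Tuple[str, str]] = []
    for rdn in split_unescaped(dn, ","):
        rdn = rdn.lstrip()
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        rdns.append((attr_type.strip().upper(), unescape(value)))
    return rdns


def components(dn: str, attr_type: str) -> List[str]:
    """All values of one attribute type, e.g. every OU from nearest to root."""
    return [value for t, value in parse_dn(dn) if t == attr_type.upper()]


def domain_from_dn(dn: str) -> str:
    """Join the DC components into the DNS-style domain name."""
    return ".".join(components(dn, "DC"))


if __name__ == "__main__":
    for dn in (QUESTION_DN, "CN=Smith\\, John,OU=Team A,OU=Sales,DC=company,DC=com"):
        print(parse_dn(dn), "OUs:", components(dn, "OU"), "domain:", domain_from_dn(dn))
```

For the DN in the question the OU list is just Sales; for a nested object the list reads from the innermost OU outward, which is the order in which directory permissions are inherited.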

ISC2 Certified in Cybersecurity CC CC Questions 826–900 | Page 12/14 | Courseiva