ISC2 Certified in Cybersecurity CC (CC) — Questions 901975

984 questions total · 14pages · All types, answers revealed

Page 12

Page 13 of 14

Page 14
901
MCQhard

A company's network has multiple VLANs. An attacker on VLAN 10 sends a frame with a forged source MAC address to a switch, hoping to intercept traffic intended for the default gateway. Which attack is being executed?

A.ARP spoofing
B.IP spoofing
C.VLAN hopping
D.MAC flooding
AnswerA

Correct. ARP spoofing forges MAC-IP associations.

Why this answer

ARP spoofing (or ARP poisoning) involves sending forged ARP messages to associate the attacker's MAC with the IP of another device (e.g., default gateway), enabling traffic interception.

902
MCQeasy

Which port number is associated with HTTPS, and what protocol encrypts the communication?

A.Port 80, SSL/TLS
B.Port 8080, SSL/TLS
C.Port 443, SSL/TLS
D.Port 443, SSH
AnswerC

Correct. HTTPS on 443 uses SSL/TLS.

Why this answer

HTTPS uses port 443 and is encrypted using SSL/TLS.

903
MCQeasy

Which protocol is used to resolve IP addresses to MAC addresses on a local network?

A.DNS
B.DHCP
C.ICMP
D.ARP
AnswerD

ARP resolves IP to MAC.

Why this answer

ARP (Address Resolution Protocol) maps IP to MAC addresses.

904
MCQmedium

The exhibit shows an AWS S3 bucket policy. What is the net effect for a user with IP 10.1.1.1 trying to read the object 'executive/salary.xlsx'?

A.Allowed because the IP matches the Allow condition
B.Denied because the Deny statement explicitly blocks access to the executive prefix
C.Allowed only if the user is authenticated with MFA
D.Denied only if the request originates from outside 10.0.0.0/8
AnswerB

The Deny statement explicitly denies all actions on the executive prefix, overriding the Allow.

Why this answer

The policy has an Allow for GetObject from IP range 10.0.0.0/8 (including 10.1.1.1) but also a Deny for all actions on the 'executive/' prefix. Deny overrides Allow (explicit deny). So the read is denied.

Option B is correct. Option A is wrong because the Deny applies. Option C and D are wrong.

905
MCQmedium

Refer to the exhibit. An administrator configures the above ACLs on a router. The goal is to allow internal users (192.168.1.0/24) to browse the web, and to allow SSH management from the internet to a server at 10.0.0.10. However, users report that they cannot browse external websites. What is the most likely reason?

A.ACL 100 is applied outbound on the internal interface, so it does not filter outbound traffic from internal users
B.ACL 100 does not permit DNS traffic, so users cannot resolve domain names
C.ACL 110 blocks the return traffic from the internet
D.The implicit deny at the end of ACL 100 blocks established connections
AnswerA

The access-group is applied outbound on Gi0/1; traffic from internal users to the internet exits Gi0/1 inbound, so ACL 100 is not checked.

Why this answer

ACL 100 is applied outbound on the internal interface (e.g., GigabitEthernet0/0). Outbound ACLs filter traffic leaving the interface, but internal users' web traffic originates from the internal network and must be allowed inbound on the internal interface (or outbound on the external interface). Since ACL 100 is applied outbound on the internal interface, it only filters traffic that has already been routed out of that interface, which is not the path for internal users' outbound web requests.

The correct approach is to apply the ACL inbound on the internal interface or outbound on the external interface.

Exam trap

ISC2 often tests the concept that ACL direction is relative to the interface, not the traffic source; the trap here is that candidates assume an outbound ACL on the internal interface will filter traffic leaving the internal network, but it actually filters traffic leaving the router through that interface, which is the opposite direction for internal users' outbound traffic.

How to eliminate wrong answers

Option B is wrong because DNS traffic (UDP/TCP port 53) is not explicitly required for web browsing if users use IP addresses or if a separate DNS resolver is configured; the issue is about ACL placement, not missing DNS permit statements. Option C is wrong because ACL 110 is likely applied inbound on the external interface to permit SSH from the internet to 10.0.0.10, and it does not block return traffic for web sessions because return traffic is matched by established connections or stateful inspection, not by ACL 110. Option D is wrong because the implicit deny at the end of ACL 100 would only affect traffic that is evaluated by that ACL; since ACL 100 is applied outbound on the internal interface, it does not evaluate the outbound web traffic from internal users at all, so the implicit deny is irrelevant to the problem.

906
MCQmedium

An analyst reviews the firewall log exhibit. The source IP 10.0.1.100 is an internal web server. The destination IP 203.0.113.50 is an external host. What does this log pattern MOST likely indicate?

A.A denial-of-service (DoS) attack from the internal server to the external host
B.A port scan from the internal server to the external host
C.Normal web traffic from the server to the external host
D.An attempted SQL injection attack from the external host to the internal server
AnswerA

Multiple SYN packets without completion indicate a SYN flood, a type of DoS attack.

Why this answer

The log pattern shows the internal web server (10.0.1.100) sending traffic to an external host (203.0.113.50). In a typical network, internal web servers serve content to internal users, not initiate outbound connections to external hosts. This anomalous outbound traffic pattern, especially if it involves a high volume of packets or connections, is characteristic of a denial-of-service (DoS) attack where the internal server is used as a source to flood the external target, potentially due to compromise or misconfiguration.

Exam trap

ISC2 often tests the candidate's ability to interpret traffic direction and normal vs. anomalous behavior, and the trap here is assuming that any traffic from a web server is legitimate, ignoring that internal servers should not typically initiate outbound connections to external hosts.

How to eliminate wrong answers

Option B is wrong because a port scan typically involves a single source sending packets to multiple ports on a target to discover open services, but the question does not mention multiple ports or a scanning pattern; it describes a general log pattern that is more indicative of a flood. Option C is wrong because normal web traffic from a server to an external host would be unusual for an internal web server, which is designed to serve internal clients; outbound connections from a server to an external host are not standard and suggest malicious activity. Option D is wrong because an SQL injection attack originates from an external host targeting an internal database or web server, not from the internal server to an external host; the direction of traffic in the log is reversed.

907
MCQhard

During a security audit, a penetration tester captures network traffic and finds that some packets have the IP ID field set to 0 and the DF (Don't Fragment) flag set. What is this technique attempting to do?

A.Spoof the source IP address of the attacker's machine
B.Launch a denial-of-service attack against the target
C.Perform a stealth scan using a zombie host to hide the attacker's identity
D.Evade a firewall by fragmenting packets
AnswerC

Idle scan uses IP ID to map a zombie's activity and infer port states.

Why this answer

Setting the IP ID field to 0 and the DF flag in packets is characteristic of an idle scan (also known as a stealth scan). This technique uses a zombie host (with an incremental IP ID) to probe a target; by sending packets with DF set and IP ID 0 to the zombie, the attacker can observe changes in the zombie's IP ID to infer open ports on the target, thereby hiding the attacker's true IP address.

Exam trap

ISC2 often tests the idle scan by focusing on the combination of IP ID 0 and DF flag, leading candidates to mistakenly think it is about fragmentation evasion or simple spoofing, rather than the stealthy reconnaissance technique using a zombie host.

How to eliminate wrong answers

Option A is wrong because spoofing the source IP address does not require setting the IP ID to 0 or the DF flag; spoofing simply falsifies the source address field in the IP header. Option B is wrong because a denial-of-service attack aims to overwhelm a target with traffic, not to stealthily probe ports using a zombie's IP ID behavior. Option D is wrong because evading a firewall by fragmenting packets would involve setting the MF (More Fragments) flag or using small fragment sizes, not setting DF (which prevents fragmentation) and IP ID 0.

908
MCQhard

An organization wants to implement a system that enforces access decisions based on a user's attributes (e.g., department, clearance, time) and environmental conditions. Which model is best?

A.Role-based access control (RBAC)
B.Attribute-based access control (ABAC)
C.Discretionary access control (DAC)
D.Mandatory access control (MAC)
AnswerB

ABAC uses attributes and policies for fine-grained, context-aware decisions.

Why this answer

Attribute-based access control (ABAC) is the correct model because it evaluates access decisions based on a combination of user attributes (e.g., department, clearance), resource attributes, and environmental conditions (e.g., time of day, location). Unlike RBAC, which relies solely on predefined roles, ABAC uses policies that can incorporate dynamic factors like current time or threat level, making it ideal for fine-grained, context-aware enforcement.

Exam trap

ISC2 often tests the misconception that RBAC can handle dynamic conditions like time or location, but RBAC only maps users to roles with static permissions, whereas ABAC explicitly evaluates environmental attributes as part of the access decision.

How to eliminate wrong answers

Option A is wrong because RBAC assigns permissions based on static roles, not on user attributes or environmental conditions, so it cannot enforce time-based or clearance-level decisions dynamically. Option C is wrong because DAC allows resource owners to set permissions at their discretion, lacking centralized policy control and the ability to incorporate environmental attributes like time. Option D is wrong because MAC enforces access based on fixed security labels (e.g., classification levels) and system-wide rules, not on user-specific attributes or environmental conditions, making it inflexible for attribute-driven policies.

909
MCQmedium

A company uses a backup strategy where on Monday a full backup is taken, and on Tuesday only data changed since Monday is backed up. On Wednesday, the backup includes all data changed since Monday. What type of backup is the Wednesday backup?

A.Incremental backup
B.Synthetic full backup
C.Full backup
D.Differential backup
AnswerD

Differential includes all changes since last full backup.

Why this answer

Differential backup includes changes since last full backup.

910
MCQmedium

Which of the following best describes a vulnerability in the context of risk management?

A.A potential cause of an unwanted incident
B.The likelihood of a threat exploiting a weakness
C.A measure that reduces risk
D.A weakness that can be exploited
AnswerD

Correct. A vulnerability is a weakness.

Why this answer

A vulnerability is a weakness that can be exploited by a threat to cause harm.

911
MCQeasy

Refer to the exhibit. A security analyst observes that users from the 192.168.1.0/24 network cannot access HTTPS websites, but HTTP access works fine. What is the most likely cause?

A.The ACL is applied to the wrong interface or direction.
B.The implicit deny at the end of the ACL blocks HTTPS traffic.
C.The ACL is missing a permit statement for TCP port 443 return traffic.
D.The ACL explicitly denies TCP port 443.
AnswerA

If the ACL is applied inbound on the internal interface, it should work; if applied outbound on the external interface, it may block return traffic. The most likely issue is misapplication.

Why this answer

The exhibit shows an ACL that permits HTTP (TCP 80) but does not explicitly permit HTTPS (TCP 443). However, the question states that HTTP works and HTTPS does not, which suggests the ACL is correctly filtering inbound traffic on the outside interface. The most likely cause is that the ACL is applied to the wrong interface or direction, because if it were applied inbound on the inside interface, it would block outbound HTTPS traffic from the 192.168.1.0/24 network.

The implicit deny at the end of the ACL would block any traffic not explicitly permitted, but since HTTP works, the issue is not the implicit deny itself but rather the placement of the ACL.

Exam trap

ISC2 often tests the concept that an ACL applied to the wrong interface or direction can cause selective service failures, leading candidates to mistakenly focus on missing permit statements or the implicit deny rather than the ACL placement.

How to eliminate wrong answers

Option B is wrong because the implicit deny at the end of the ACL blocks all traffic not explicitly permitted, but that alone would also block HTTP if the ACL were correctly placed; the fact that HTTP works indicates the ACL is not blocking outbound traffic from the inside, so the implicit deny is not the root cause. Option C is wrong because HTTPS uses TCP port 443 for the initial outbound connection, and return traffic is statefully allowed by the Cisco IOS firewall or router if the ACL is applied correctly; the issue is not missing return traffic rules but the ACL's application direction. Option D is wrong because the exhibit does not show an explicit deny for TCP port 443; the ACL only permits HTTP, so HTTPS is implicitly denied, not explicitly denied.

912
MCQhard

A security analyst is reviewing logs and finds that a user accessed files outside of their department. The user claims it was necessary for a project. Which principle should the analyst use to assess whether this was appropriate?

A.Need to know
B.Accountability
C.Separation of duties
D.Least privilege
AnswerA

Correct. Access should be based on necessity for the task.

Why this answer

The 'need to know' principle restricts access to information based on the specific requirements of a user's role or project. In this scenario, the analyst must verify if the user's project actually required access to those specific files, not just if the user had the technical ability to access them. This principle is a subset of least privilege, focusing on data access rather than system permissions.

Exam trap

ISC2 often tests the distinction between 'least privilege' (permissions assigned to a role) and 'need to know' (justification for accessing specific data at a specific time), causing candidates to pick 'least privilege' when the scenario involves a user who already has the permission but needs to justify the access.

How to eliminate wrong answers

Option B (Accountability) is wrong because accountability refers to the ability to trace actions back to an individual (e.g., via audit logs), not to determine if the access was justified. Option C (Separation of duties) is wrong because it prevents a single individual from performing conflicting tasks (e.g., initiating and approving a payment) to reduce fraud risk, which is unrelated to cross-departmental file access. Option D (Least privilege) is wrong because while it grants the minimum permissions needed for a role, the user already had access; the question is about whether that access was appropriate for a specific task, which is the definition of 'need to know'.

913
MCQmedium

A company implements redundant servers to ensure that if one server fails, another can take over immediately. Which security principle is primarily being addressed?

A.Authentication
B.Integrity
C.Availability
D.Confidentiality
AnswerC

Redundancy ensures systems remain accessible despite failures.

Why this answer

Redundancy supports availability by minimizing downtime.

914
Multi-Selecthard

A financial institution is implementing data classification to protect customer information. They have identified data that includes medical records and financial account numbers. Which three labels are most appropriate for this data? (Choose three.)

Select 3 answers
A.Restricted
B.Sensitive
C.Confidential
D.Internal
E.Public
AnswersA, B, C

Restricted is often the highest classification, appropriate for extremely sensitive data like medical records.

Why this answer

Medical records and financial account numbers are considered sensitive PII and should be classified as confidential or restricted. Common classification labels include 'Confidential', 'Restricted', and 'Sensitive'. In many frameworks, 'Confidential' and 'Restricted' are used for highly sensitive data. 'Sensitive' is also a common label. 'Public' and 'Internal' are not appropriate for this level of sensitivity.

915
Multi-Selectmedium

A security professional is advising a company on adherence to the (ISC)² Code of Ethics. Which two of the following actions align with the Code's canons? (Choose two.)

Select 2 answers
A.Using a vendor's software without a license to test its security
B.Sharing a colleague's password with a manager without the colleague's consent to improve efficiency
C.Reporting a discovered vulnerability to the software vendor promptly
D.Refusing to share a confidential client password with an unauthorized third party
E.Concealing a security breach to avoid negative publicity
AnswersC, D

This protects society and the infrastructure by allowing fixes to be developed.

Why this answer

The (ISC)² Code of Ethics includes four canons: Protect society, the common good, necessary public trust and confidence, and the infrastructure; Act honorably, honestly, justly, responsibly, and legally; Provide diligent and competent service to principals; and Advance and protect the profession. Reporting vulnerabilities to the vendor protects society. Refusing to share confidential credentials demonstrates honorable behavior.

916
MCQmedium

A security manager is designing a policy to prevent one person from both approving and disbursing payments. Which principle is being applied?

A.Separation of duties
B.Need to know
C.Least privilege
D.Defense in depth
AnswerA

Separation of duties ensures that no single individual has control over multiple critical tasks, reducing fraud risk.

Why this answer

Separation of duties ensures that no single individual has control over two or more phases of a critical transaction, such as both approving and disbursing payments. By splitting these responsibilities, the organization reduces the risk of fraud or error because collusion between two or more people would be required to bypass controls. In payment systems, this is often enforced through dual-authorization workflows in ERP or financial management software.

Exam trap

ISC2 often tests separation of duties by pairing it with 'least privilege' in the same question, and the trap is that candidates confuse the two because both limit access, but separation of duties specifically prevents conflicting task combinations, not just reducing permissions.

How to eliminate wrong answers

Option B (Need to know) is wrong because it restricts access to information only to those who require it for their job, not to prevent a single person from completing conflicting tasks. Option C (Least privilege) is wrong because it limits users to the minimum permissions necessary to perform their role, but does not inherently separate conflicting duties like approval and disbursement. Option D (Defense in depth) is wrong because it describes a layered security approach using multiple controls, not the specific segregation of incompatible functions.

917
MCQhard

A medium-sized company uses a network with three VLANs: VLAN 10 (Users, 192.168.10.0/24), VLAN 20 (Servers, 192.168.20.0/24), and VLAN 30 (DMZ, 192.168.30.0/24). A Layer 3 switch with an ACL is used for inter-VLAN routing. The company has a web server in the DMZ that must be accessible from the internet (via a public IP mapped to 192.168.30.10). Users in VLAN 10 need to access the web server on its private IP (192.168.30.10) for internal testing. The ACL is applied inbound on the VLAN 10 SVI. The ACL currently has the following entries: permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255; deny ip any 192.168.20.0 0.0.0.255; permit ip any any. Recently, the security team noticed that users can access the web server on its private IP, but they cannot access the web server via the public IP (which goes through the firewall and then to the DMZ). The firewall logs show that traffic from the users to the public IP is allowed and reaches the DMZ web server, but the return traffic is blocked. The web server's default gateway is the Layer 3 switch (192.168.30.1). Which of the following is the most likely cause of the problem?

A.The web server's default gateway should be set to the firewall, not the Layer 3 switch
B.The ACL on the DMZ SVI (VLAN 30) is blocking the return traffic from the web server to the firewall
C.The ACL on the VLAN 10 SVI is blocking the traffic to the public IP because it only allows private IP ranges
D.The firewall is blocking the return traffic due to a stateful inspection rule
AnswerB

The return traffic from the web server to the firewall must traverse the DMZ SVI. If the ACL on that SVI does not permit the firewall's IP or the traffic, it will be blocked.

Why this answer

The correct answer is B. The web server's default gateway is the Layer 3 switch (192.168.30.1). When users access the web server via the public IP, traffic enters the DMZ through the firewall, but the web server sends return traffic to its default gateway (the Layer 3 switch) instead of back to the firewall.

The ACL applied inbound on the VLAN 30 SVI (the DMZ SVI) blocks this return traffic because the source is the web server (192.168.30.10) and the destination is the user's IP (192.168.10.x), which is not explicitly permitted by the ACL (the ACL only permits traffic from VLAN 10 to DMZ, not the reverse).

Exam trap

ISC2 often tests the concept of asymmetric routing and the importance of ACL directionality, where candidates mistakenly focus on the inbound ACL on the user VLAN (VLAN 10) instead of realizing that the return traffic is blocked by the ACL on the DMZ SVI (VLAN 30) due to the web server's default gateway pointing to the Layer 3 switch.

How to eliminate wrong answers

Option A is wrong because the web server's default gateway should remain the Layer 3 switch for internal routing; changing it to the firewall would break internal access from VLAN 10 to the web server's private IP, which is currently working. Option C is wrong because the ACL on the VLAN 10 SVI permits traffic from 192.168.10.0/24 to 192.168.30.0/24, which includes the public IP traffic that is NATed to the private IP; the issue is not with the inbound ACL on VLAN 10 but with the return path. Option D is wrong because the firewall logs show that traffic from users to the public IP is allowed and reaches the DMZ web server, and the firewall is stateful, so it would expect return traffic; the blockage is occurring after the traffic leaves the firewall, specifically on the Layer 3 switch's DMZ SVI ACL.

918
MCQmedium

A security team identifies a vulnerability in a web application that could allow attackers to steal customer data. The team decides to accept the risk because the cost to fix exceeds the potential loss. This is an example of:

A.Risk transfer
B.Risk avoidance
C.Risk acceptance
D.Risk mitigation
AnswerC

The team consciously accepted the risk after evaluating costs.

Why this answer

Risk acceptance means acknowledging the risk and choosing not to mitigate it, often due to cost-benefit analysis.

919
Multi-Selecteasy

Which two of the following are characteristics of a stateful firewall? (Choose TWO.)

Select 2 answers
A.Inspects application-layer data
B.Tracks connection state
C.Operates only at Layer 3
D.Filters packets based on static rules only
E.Blocks unsolicited inbound traffic by default
AnswersB, E

Correct. Stateful firewalls maintain a state table.

Why this answer

A stateful firewall tracks the state of active connections and can block unsolicited inbound traffic. Packet filtering is stateless, and application inspection is typical of proxy firewalls.

920
Multi-Selecthard

A company is experiencing a distributed denial-of-service (DDoS) attack that is overwhelming the network bandwidth. Which THREE mitigation techniques are most effective?

Select 3 answers
A.Enable rate limiting on network devices
B.Disable ICMP on all devices
C.Change the public IP address of the server
D.Use a content delivery network (CDN) to absorb traffic
E.Implement traffic filtering at the perimeter
AnswersA, D, E

Rate limiting restricts the amount of traffic from a source.

Why this answer

Traffic filtering, rate limiting, and using a CDN can help absorb DDoS traffic. Changing IP addresses is reactive and not a standard mitigation; disabling ICMP may help against some attacks but is not a primary mitigation.

921
Multi-Selecteasy

Which THREE are essential elements of a disaster recovery plan? (Select THREE.)

Select 3 answers
A.Recovery time objectives (RTOs)
B.Communication plan for employees
C.Business impact analysis results
D.Alternate processing site details
E.Backup procedures and schedules
AnswersA, D, E

Define target restoration times.

Why this answer

Recovery time objectives (RTOs) define the maximum acceptable downtime for a system or application after a disaster. They are essential because they directly drive the design of the recovery strategy, including resource allocation and technology choices, ensuring that critical services are restored within the business's tolerance for interruption.

Exam trap

ISC2 often tests the distinction between a disaster recovery plan (which focuses on IT systems and data recovery) and a business continuity plan (which includes broader organizational elements like employee communication and crisis management), causing candidates to mistakenly select the communication plan as a DRP essential.

922
MCQmedium

A company is evaluating a new cloud service provider and performs a thorough investigation of the provider's security practices and compliance with industry standards. This activity is best described as:

A.Due diligence
B.Risk transfer
C.Risk avoidance
D.Due care
AnswerA

Correct. Due diligence is the investigation and assessment of risks.

Why this answer

Due diligence involves investigating and assessing risks before making decisions, such as vendor selection.

923
MCQeasy

Which type of recovery site is pre-configured with hardware and software, but does not have live data, typically requiring days to become operational?

A.Warm site
B.Cloud-based recovery
C.Cold site
D.Hot site
AnswerA

Warm site has hardware/software but no live data, RTO days.

Why this answer

A warm site has partially configured infrastructure but no current data, leading to RTO of days.

924
MCQeasy

Which of the following is an example of Type 2 (possession) authentication?

A.PIN
B.Smart card
C.Password
D.Fingerprint scan
AnswerB

Smart card is something you have.

Why this answer

A smart card is a physical item you possess, making it Type 2.

925
MCQmedium

A company deploys a web application that stores user passwords using a salted hash. During a security review, an auditor recommends switching from SHA-1 to SHA-256. What is the primary security benefit of this change?

A.It improves system availability
B.It provides encryption of the passwords at rest
C.It increases collision resistance
D.It enhances non-repudiation
AnswerC

SHA-256 offers stronger collision resistance than SHA-1, reducing the risk of two different inputs producing the same hash.

Why this answer

SHA-1 is considered weak due to collision vulnerabilities, while SHA-256 is more resistant. The change improves integrity protection for stored passwords. Option B (collision resistance) is correct.

Option A (encryption) is wrong because hashing is not encryption. Option C (availability) is not directly related. Option D (non-repudiation) requires digital signatures, not just hashing.

926
MCQhard

In a cloud environment, the security team discovers that a misconfigured S3 bucket has made customer data publicly accessible. After securing the bucket, what is the most important next step?

A.Delete the data
B.Review logs to determine access
C.Notify affected customers
D.Change the bucket policy
AnswerC

Breach notification is legally required in many jurisdictions and prioritizes customer protection.

Why this answer

Option C is correct because after securing a misconfigured S3 bucket that exposed customer data, the most important next step is to notify affected customers. This aligns with incident response best practices and regulatory requirements (e.g., GDPR, HIPAA) that mandate timely disclosure of data breaches to impacted individuals. Without notification, the organization may face legal penalties and loss of trust, even if the data is now secure.

Exam trap

ISC2 often tests the misconception that technical remediation (e.g., changing policies or deleting data) is the most important step, when in fact incident response frameworks prioritize communication and legal/regulatory obligations over purely technical actions.

How to eliminate wrong answers

Option A is wrong because deleting the data would destroy evidence needed for forensic analysis and could violate data retention policies; the data should be preserved for investigation. Option B is wrong because while reviewing logs is important, it is not the most critical next step—notification takes precedence to comply with breach notification laws and ethical obligations. Option D is wrong because changing the bucket policy is already part of securing the bucket, which was completed before this step; the question states the bucket has already been secured, so repeating this action is unnecessary and does not address the exposure.

927
MCQeasy

Which recovery site strategy provides the fastest recovery time, typically within hours, and is a fully mirrored environment ready to take over operations immediately?

A.Reciprocal agreement
B.Hot site
C.Warm site
D.Cold site
AnswerB

Hot site mirrors production and supports rapid recovery.

Why this answer

A hot site is fully configured with current data and systems, allowing recovery within hours.

928
Multi-Selecthard

An organization wants to implement layered physical security for its data center. Which THREE of the following controls would be considered part of a defense-in-depth physical security strategy?

Select 3 answers
A.Cable locks on laptop computers
B.Password complexity requirements
C.Visitor sign-in log
D.Biometric reader at the server room door
E.Fencing and bollards around the building
AnswersA, D, E

Equipment-level security is a final layer within the facility.

Why this answer

Defense in depth for physical security involves multiple layers: external perimeter controls (fencing, bollards, lighting), building entrance controls (guards, access badges, mantraps), and internal controls (server room biometric readers, equipment locks). Together they create overlapping barriers.

929
MCQeasy

What is the primary goal of data classification?

A.To improve data access speed
B.To comply with marketing requirements
C.To determine the appropriate level of security controls
D.To reduce storage costs
AnswerC

Correct. Classification drives handling requirements.

Why this answer

Data classification assigns sensitivity labels to enable appropriate protection.

930
MCQhard

Refer to the exhibit. A user from IP 10.0.1.5 attempts to download an object from example-bucket. What will happen?

A.Denied because the deny statement overrides
B.Access denied due to implicit deny
C.Allowed because the allow statement matches
D.Allowed because the deny statement is invalid
AnswerA

Correct. Explicit deny takes precedence over allow.

Why this answer

The policy includes both an allow for the 10.0.0.0/16 range and a more specific deny for the 10.0.1.0/24 subnet. Since 10.0.1.5 falls within the deny condition, the explicit deny overrides the allow, resulting in denied access.

931
Multi-Selecthard

Which THREE of the following are acceptable risk treatment options according to NIST risk management framework?

Select 3 answers
A.Risk mitigation
B.Risk duplication
C.Risk transfer
D.Risk identification
E.Risk acceptance
AnswersA, C, E

Risk mitigation involves implementing controls to reduce risk.

Why this answer

Risk avoidance, mitigation, transfer, and acceptance are standard. Risk identification is a step, not treatment. Risk duplication is not a term.

932
Multi-Selecteasy

Which TWO of the following are core components of the CIA triad?

Select 2 answers
A.Authentication
B.Non-repudiation
C.Confidentiality
D.Authorization
E.Availability
AnswersC, E

Confidentiality is one of the three CIA triad components.

Why this answer

Confidentiality, Integrity, and Availability are the three core principles. Authentication and Non-repudiation are additional security goals.

933
MCQmedium

Which of the following is an example of sensitive PII?

A.Phone number
B.Medical records
C.Social Security number
D.Name and email address
AnswerB

Correct. Medical records are classified as sensitive PII.

Why this answer

Sensitive PII includes information that, if disclosed, could cause significant harm, such as medical records, financial information, and biometric data.

934
Multi-Selectmedium

A system administrator is configuring account lockout policies to mitigate brute-force attacks. Which TWO settings are most critical for this purpose?

Select 2 answers
A.Requiring password changes every 90 days
B.Account lockout threshold (e.g., 5 failed attempts)
C.Lockout duration (e.g., 30 minutes) or administrator unlock
D.Password history of 10 remembered passwords
E.Password minimum length of 8 characters
AnswersB, C

Threshold triggers lockout after a set number of failures.

Why this answer

Account lockout policies typically include an attempt threshold (e.g., 3-10 failed attempts) and a lockout duration or manual unlock requirement to prevent continuous brute-force attempts. These settings directly limit an attacker's ability to guess passwords.

935
MCQmedium

Refer to the exhibit. An analyst sees these logs. What type of attack is occurring?

A.Phishing
B.SQL injection
C.Brute-force attack
D.Port scan
AnswerC

Multiple failed password attempts from a single source characterize a brute-force attack.

Why this answer

Option A is correct because repeated failed login attempts from the same IP indicate a brute-force attack. The other options do not match the pattern.

936
MCQmedium

An attacker captures network traffic using Wireshark and reads unencrypted emails. Which security goal is most directly compromised?

A.Integrity
B.Availability
C.Non-repudiation
D.Confidentiality
AnswerD

Confidentiality is breached when data is read by an unauthorized party.

Why this answer

Sniffing captures sensitive data, violating confidentiality.

937
MCQhard

Refer to the exhibit. A DBA is investigating a replication issue. What should be the FIRST action?

A.Restore table from backup
B.Verify data integrity on primary
C.Reseed replication
D.Fail over to standby
AnswerB

Check primary data to ensure it is not corrupted before taking further action.

Why this answer

Checksum mismatch indicates data corruption on one side. The first step is to verify data integrity on the primary to determine which copy is correct.

938
MCQmedium

A primary data center is destroyed. The disaster recovery plan calls for activation of a hot standby site. If the RTO is 2 hours, what is the expected recovery time?

A.Exactly 2 hours
B.More than 2 hours
C.Unknown, depends on the disaster
D.Less than 2 hours
AnswerD

Hot sites are designed to achieve RTOs; recovery is expected within the target.

Why this answer

The RTO (Recovery Time Objective) defines the maximum acceptable downtime, not the guaranteed recovery time. A hot standby site is fully operational and synchronized, so recovery can be completed in less than the RTO if the disaster does not cause additional complications. Option D is correct because the expected recovery time should be less than the 2-hour RTO, assuming the hot site functions as designed.

Exam trap

ISC2 often tests the misconception that RTO is a guaranteed recovery time rather than a maximum allowable downtime, leading candidates to incorrectly choose 'Exactly 2 hours' or 'More than 2 hours' when the correct answer is that recovery should be faster than the RTO.

How to eliminate wrong answers

Option A is wrong because the RTO is a target, not a precise prediction; actual recovery time depends on factors like data synchronization lag and failover automation, so it is not guaranteed to be exactly 2 hours. Option B is wrong because a properly configured hot standby site should recover in less than the RTO, not more; exceeding the RTO would mean the DR plan fails its objective. Option C is wrong because while the disaster type can affect recovery, the question asks for the expected recovery time under the assumption the hot standby site is activated per the DR plan, and the RTO defines the maximum allowable time, so the expectation is that recovery completes within that window.

939
MCQmedium

Which of the following is an example of a Type 2 authentication factor?

A.Fingerprint scan
B.Password
C.One-time passcode from a hardware token
D.PIN
AnswerC

Correct. A hardware token is a possession factor.

Why this answer

Type 2 (possession) factors include something the user has, such as a smart card, OTP token, or mobile authenticator app.

940
Multi-Selecthard

Which TWO actions are appropriate during the identification phase of incident response?

Select 2 answers
A.Conduct a post-mortem analysis.
B.Correlate alerts from multiple sources.
C.Review system logs for anomalies.
D.Restore data from backups.
E.Disconnect affected systems from the network.
AnswersB, C

Alert correlation aids in identifying incidents.

Why this answer

During the identification phase of incident response, the goal is to detect and confirm that an incident is occurring. Correlating alerts from multiple sources (e.g., IDS/IPS logs, firewall logs, and endpoint detection) helps reduce false positives and provides a clearer picture of the attack chain. Reviewing system logs for anomalies is a core detection technique that can reveal indicators of compromise (IoCs) such as unusual process execution or failed login bursts.

Exam trap

ISC2 often tests the distinction between identification and containment, so the trap here is that candidates mistake disconnecting systems (a containment step) for an identification action, when in fact identification must occur first to confirm the incident.

941
MCQeasy

Which of the following best describes the principle of confidentiality in the CIA triad?

A.Ensuring data is accurate and complete
B.Verifying the identity of users
C.Preventing unauthorized disclosure of information
D.Ensuring systems and data are accessible when needed
AnswerC

Correct. Confidentiality is about preventing unauthorized access or disclosure.

Why this answer

Confidentiality ensures that information is not disclosed to unauthorized individuals, entities, or processes. Encryption and access controls are primary mechanisms to enforce confidentiality.

942
MCQhard

An organization is implementing a new identity management system. They want to ensure that users can only access resources necessary for their job roles. Which principle should guide the access control design?

A.Separation of duties
B.Least privilege
C.Need to know
D.Defense in depth
AnswerB

Least privilege grants only necessary access for job roles.

Why this answer

The principle of least privilege dictates that users should be granted only the permissions necessary to perform their job functions and nothing more. In an identity management system, this is implemented by assigning minimal access rights to resources, reducing the attack surface and limiting potential damage from compromised accounts. This directly aligns with the scenario of ensuring users can only access resources essential for their roles.

Exam trap

ISC2 often tests least privilege versus need to know, where candidates mistakenly choose need to know because it sounds more specific, but least privilege is the broader, correct principle for general access control design in identity management.

How to eliminate wrong answers

Option A is wrong because separation of duty is a principle that prevents fraud by requiring multiple users to complete a sensitive task (e.g., one user creates a purchase order, another approves it), not about limiting individual access to job-necessary resources. Option C is wrong because need to know is a subset of least privilege focused specifically on access to classified or sensitive information on a per-case basis, not the broader principle of limiting all resource access to job-role requirements. Option D is wrong because defense in depth is a layered security strategy using multiple controls (firewalls, IDS, encryption) to protect assets, not a principle for designing user access rights.

943
Multi-Selectmedium

A company is developing a business continuity plan (BCP). Which TWO of the following are essential components that must be included in a BCP?

Select 2 answers
A.Asset inventory
B.Vulnerability assessment
C.Business Impact Analysis (BIA)
D.Recovery Time Objective (RTO)
E.Network diagram
AnswersC, D

BIA is essential as it identifies critical processes, dependencies, and resource requirements for recovery.

Why this answer

A Business Impact Analysis (BIA) is essential in a BCP because it identifies critical business functions, their dependencies, and the impact of disruptions. It quantifies the financial and operational consequences of downtime, directly informing the selection of recovery strategies and resource allocation. Without a BIA, the BCP lacks a data-driven foundation for prioritizing recovery efforts.

Exam trap

ISC2 often tests the distinction between components that are 'essential' to the BCP itself versus supporting documents or risk management activities, causing candidates to select asset inventory or vulnerability assessment as core BCP elements.

944
MCQmedium

Refer to the exhibit. A security engineer applies this S3 bucket policy to restrict access. Users outside the 10.0.0.0/16 network report being denied access, which is expected. However, users inside that network also report access denied. What is the likely issue?

A.The condition syntax is incorrect and causes all requests to be evaluated incorrectly.
B.The Deny statement overrides the Allow statement for all requests.
C.The policy only allows GetObject; users likely need ListBucket or other actions.
D.The resource ARN includes a wildcard, causing a mismatch with the bucket name.
AnswerC

Only GetObject is allowed; any other action is implicitly denied.

Why this answer

Option C is correct because the S3 bucket policy only grants the s3:GetObject action, but users inside the 10.0.0.0/16 network are likely performing other actions such as s3:ListBucket (e.g., listing objects) or s3:PutObject. Even though the source IP condition allows access from the trusted network, the explicit Allow statement is scoped solely to GetObject. Any request for a different action (like listing the bucket) will be implicitly denied by default, as IAM and S3 policies are deny-by-default unless an explicit Allow exists for that specific action.

Exam trap

ISC2 often tests the misconception that a single Allow statement for one action (like GetObject) implicitly permits all other actions for users who satisfy the condition, when in reality each action requires its own explicit Allow.

How to eliminate wrong answers

Option A is wrong because the condition syntax (IpAddress with aws:SourceIp) is valid and correctly structured; an incorrect syntax would cause a policy parsing error, not a selective denial for both inside and outside users. Option B is wrong because the Deny statement only applies to requests originating outside the 10.0.0.0/16 network (due to the NotIpAddress condition), so it does not override the Allow for internal users; the Deny is scoped correctly and does not affect internal traffic. Option D is wrong because the resource ARN 'arn:aws:s3:::example-bucket/*' with a wildcard is standard for matching all objects in the bucket; it does not cause a mismatch with the bucket name, and the bucket name itself is explicitly stated.

945
Multi-Selecteasy

An organization experiences a denial-of-service (DoS) attack. Which TWO actions should the incident response team take during the containment phase? (Select two.)

Select 2 answers
A.Disconnect affected servers from the network
B.Filter malicious traffic at the firewall
C.Restore systems from backup
D.Notify law enforcement
E.Conduct a root cause analysis
AnswersA, B

This prevents further impact from the attack.

Why this answer

Containment aims to limit damage. Filtering traffic and disconnecting affected systems are typical containment actions for a DoS attack.

946
MCQhard

An organization deploys a network security device that inspects application-layer payloads, can block malicious HTTP requests, and uses OWASP rules. Which type of device is this?

A.Intrusion Detection System (IDS)
B.Next-Generation Firewall (NGFW)
C.Web Application Firewall (WAF)
D.Intrusion Prevention System (IPS)
AnswerC

Correct. A WAF inspects HTTP/HTTPS and uses OWASP rules.

Why this answer

A Web Application Firewall (WAF) is designed to filter and monitor HTTP/HTTPS traffic, often using OWASP rules to protect against web vulnerabilities.

947
MCQhard

Refer to the exhibit. The IDS alert indicates a possible SpyEye botnet check-in from an internal host. What immediate action should the analyst take?

A.Isolate the internal host from the network
B.Ignore the alert as it is a false positive
C.Block the destination IP at the firewall
D.Run a full antivirus scan on the internal host
AnswerA

Isolating the host stops the C2 traffic and prevents lateral movement.

Why this answer

Isolating the internal host immediately stops the potential command-and-control (C2) communication with the SpyEye botnet, preventing data exfiltration or further compromise. This is the first step in incident response (containment) before any forensic analysis or remediation, as per NIST SP 800-61 guidelines. Delaying containment could allow the botnet to receive new instructions or spread laterally.

Exam trap

ISC2 often tests the principle that containment (isolation) must precede remediation (scanning or blocking) in incident response, tricking candidates into choosing a reactive firewall block or a delayed scan instead of immediate host isolation.

How to eliminate wrong answers

Option B is wrong because ignoring the alert assumes a false positive without verification; SpyEye check-ins are rarely benign and require investigation. Option C is wrong because blocking the destination IP at the firewall only disrupts communication to that specific IP, but botnets often use domain flux or multiple fallback IPs, and the internal host remains compromised and could beacon to other C2 servers. Option D is wrong because running a full antivirus scan is a remediation step that should occur after containment; the immediate priority is to stop the active C2 traffic, not to scan while the host is still communicating with the botnet.

948
MCQmedium

During a vulnerability scan, the security team discovers a critical vulnerability on a public-facing server. According to best practices, what should the team do next?

A.Disable the server
B.Remediate immediately during business hours
C.Inform all users
D.Schedule a maintenance window
AnswerD

Scheduling a maintenance window allows for planned and tested remediation.

Why this answer

Option D is correct because, according to vulnerability management best practices, the first step after discovering a critical vulnerability is to schedule a maintenance window to apply a patch or mitigation in a controlled manner. This minimizes service disruption and allows for testing, ensuring the fix does not introduce new issues. Immediate remediation during business hours (Option B) could cause downtime or impact users, while disabling the server (Option A) is an extreme measure reserved for active exploitation with no available patch.

Exam trap

ISC2 often tests the misconception that 'critical' means 'act immediately without planning,' leading candidates to choose Option B, but the correct approach is to balance urgency with change control to avoid operational disruption.

How to eliminate wrong answers

Option A is wrong because disabling the server is a last-resort action typically taken only when the vulnerability is actively exploited and no patch or workaround exists; it unnecessarily disrupts services without following a structured response process. Option B is wrong because remediating immediately during business hours violates change management best practices, as it risks causing unplanned downtime and may bypass testing, which could lead to service outages or incomplete fixes. Option C is wrong because informing all users is premature and not a standard first step; disclosure should be controlled and communicated to relevant stakeholders (e.g., system owners, management) after a patch is ready or a mitigation plan is in place, to avoid unnecessary panic or security leaks.

949
Multi-Selectmedium

A security analyst is reviewing network traffic and needs to identify which of the following protocols are inherently insecure because they transmit data in cleartext. (Select TWO.)

Select 2 answers
A.DNS
B.HTTPS
C.FTP
D.Telnet
E.SSH
AnswersC, D

FTP transmits credentials and data in cleartext.

Why this answer

Telnet and FTP transmit data, including credentials, in cleartext. SSH and HTTPS encrypt all traffic.

950
Multi-Selectmedium

Which TWO are true about a differential backup? (Select two.)

Select 2 answers
A.It copies files changed since the last backup of any type
B.It requires a full backup to be restored first
C.It copies files changed since the last full backup
D.It resets the archive bit on backed-up files
E.It is faster to restore than a full backup
AnswersB, C

The full backup must be restored before applying the differential.

Why this answer

A differential backup copies all files that have changed since the last full backup. Because it does not contain the complete data set, you must first restore the most recent full backup and then apply the differential backup on top of it to recover the system. This makes option B correct.

Exam trap

ISC2 often tests the distinction between differential and incremental backups by making candidates confuse 'changed since last full' (differential) with 'changed since last backup of any type' (incremental), and by implying that differential backups reset the archive bit when they do not.

951
MCQeasy

A helpdesk technician receives a report that a user in the finance department cannot access a shared folder on the server. The same server is accessible from other departments. What is the most likely cause?

A.The server is down
B.A firewall rule is blocking traffic from the finance VLAN to the server
C.The network cable is unplugged
D.The user's account is disabled
AnswerB

This explains why only the finance department is affected.

Why this answer

The scenario describes a user in the finance department unable to access a shared folder on a server that is reachable from other departments. This points to a segmentation or access control issue specific to the finance VLAN. A firewall rule blocking traffic from the finance VLAN to the server is the most likely cause because it would selectively prevent access for that subnet while allowing other VLANs to reach the server, matching the symptom of partial connectivity.

Exam trap

ISC2 often tests the concept of VLAN segmentation and firewall rules by presenting a symptom of partial connectivity, leading candidates to mistakenly focus on client-side issues (like a disabled account or cable problem) rather than network-layer access controls.

How to eliminate wrong answers

Option A is wrong because if the server were down, no users from any department would be able to access it, but the report states other departments can access the server. Option C is wrong because an unplugged network cable would cause a complete loss of network connectivity for the user, not just an inability to access a specific shared folder while other services might still work. Option D is wrong because a disabled user account would prevent authentication to the server entirely, affecting access from any location, not just the finance department, and the user can still reach the server (as implied by the scenario).

952
MCQeasy

An organization encrypts all sensitive data at rest and in transit. Which principle of the CIA triad is primarily being addressed?

A.Availability
B.Non-repudiation
C.Integrity
D.Confidentiality
AnswerD

Encryption prevents unauthorized access to data.

Why this answer

Encryption protects data from unauthorized disclosure, directly supporting confidentiality.

953
MCQmedium

A network administrator is configuring a DMZ for a company's web and email servers. Which firewall rule is most appropriate for traffic from the internet to the DMZ?

A.Deny all inbound traffic to DMZ but allow outbound
B.Allow inbound HTTP, HTTPS, SMTP, and DNS to DMZ
C.Allow inbound only to the web server on ports 80 and 443
D.Allow all inbound traffic to DMZ
AnswerB

These are the required services for web and email servers.

Why this answer

Option B is correct because a DMZ must selectively permit essential services from the internet to the public-facing servers while blocking all other inbound traffic. HTTP (80), HTTPS (443), SMTP (25), and DNS (53) are the standard protocols required for web and email servers to function. This rule implements the principle of least privilege by allowing only the necessary traffic to the DMZ.

Exam trap

ISC2 often tests the misconception that a DMZ should allow only web traffic (HTTP/HTTPS) and forget that email servers require SMTP and DNS, leading candidates to choose option C instead of the more complete option B.

How to eliminate wrong answers

Option A is wrong because denying all inbound traffic to the DMZ would prevent external users from accessing the web and email servers, defeating the purpose of a DMZ. Option C is wrong because it omits SMTP and DNS, which are required for email delivery and name resolution; a real-world DMZ hosting both web and email servers must allow SMTP (port 25) for inbound email and DNS (port 53) for queries. Option D is wrong because allowing all inbound traffic to the DMZ violates security best practices and would expose internal servers to attacks such as port scanning and exploitation of non-essential services.

954
MCQhard

After a data breach, an organization discovers that an attacker exploited a known vulnerability in an outdated web server. The organization had previously identified the vulnerability but decided not to patch it due to potential downtime. Which risk management strategy did the organization employ?

A.Risk transfer
B.Risk acceptance
C.Risk avoidance
D.Risk mitigation
AnswerB

By not patching despite knowing the vulnerability, the organization accepted the risk.

Why this answer

Risk acceptance means acknowledging the risk and its potential impact without taking action to reduce it.

955
MCQhard

A company is implementing a data loss prevention (DLP) solution. Which strategy BEST balances security and productivity when monitoring outgoing email?

A.Log all emails without any alerts
B.Block all emails containing keywords like 'confidential'
C.Encrypt all outgoing emails automatically
D.Alert on policy violations and allow user to override with manager approval
AnswerD

Balances security with business needs.

Why this answer

Option D is correct because it balances security and productivity by alerting on policy violations while allowing users to override the block with manager approval. This approach ensures that legitimate business communications are not disrupted, while still enforcing DLP policies through a secondary review process. In a DLP solution, this is often implemented via a 'justify and override' workflow, where the user must provide a reason and receive approval from a manager before the email is sent.

Exam trap

ISC2 often tests the concept that DLP is not just about blocking or encrypting data, but about applying policy with context and user feedback to balance security and productivity, leading candidates to mistakenly choose overly restrictive options like B.

How to eliminate wrong answers

Option A is wrong because logging all emails without any alerts provides no active enforcement or notification, failing to prevent data loss in real time and offering only passive auditing. Option B is wrong because blocking all emails containing keywords like 'confidential' is overly restrictive and lacks context, leading to high false positive rates that disrupt legitimate business communications and reduce productivity. Option C is wrong because encrypting all outgoing emails automatically does not prevent data loss; encryption protects data in transit but does not stop sensitive data from being sent to unauthorized recipients, which is the core function of DLP.

956
MCQhard

During a disaster, an organization activates a reciprocal agreement with another company. What is a primary risk associated with this strategy?

A.Potential lack of capacity when both parties need resources simultaneously
B.Long RTO due to data transfer
C.High cost of maintaining duplicate infrastructure
D.Incompatible hardware
AnswerA

Both may be affected or one may not have spare capacity.

Why this answer

Reciprocal agreements often fail because one party may lack capacity or resources when needed.

957
Multi-Selecthard

Which THREE are differences between a hot site and a cold site? (Select three.)

Select 3 answers
A.Hot site is more expensive to maintain
B.Cold site has pre-installed software and applications
C.Hot site has real-time data synchronization
D.Both have the same recovery time objective (RTO)
E.Cold site has no hardware or infrastructure installed
AnswersA, C, E

Hot sites require constant replication and active hardware, increasing costs.

Why this answer

A hot site is a fully operational, mirrored environment with real-time data synchronization, pre-installed hardware, and active network connectivity, making it significantly more expensive to maintain due to ongoing costs for power, cooling, bandwidth, and dedicated staff. In contrast, a cold site is a bare facility with no active infrastructure, requiring manual setup and provisioning before recovery can begin. The higher cost of a hot site is justified by its near-zero Recovery Time Objective (RTO), whereas a cold site's lower cost reflects its much longer RTO.

Exam trap

ISC2 often tests the misconception that a cold site has some pre-installed infrastructure or software, when in fact it is a completely empty facility with only power and cooling, and that RTO is identical across site types, whereas RTO is a key differentiator between hot, warm, and cold sites.

958
MCQmedium

After a security incident has been contained and eradicated, which of the following should be done to improve future incident response?

A.Conduct a post-incident review
B.Reinstall the operating system
C.Disable the affected user accounts
D.Delete all incident-related logs
AnswerA

The review captures lessons learned and updates procedures.

Why this answer

A post-incident review (also called a lessons-learned meeting) is the correct next step after containment and eradication because it systematically analyzes what went wrong, what worked, and what can be improved in the incident response plan. This review directly feeds into updating playbooks, refining detection rules, and adjusting security controls to prevent recurrence. Without this step, the organization misses the opportunity to close the loop on the incident lifecycle and may repeat the same mistakes.

Exam trap

Cisco often tests the order of incident response phases (NIST or SANS) and the trap here is that candidates confuse post-incident review with immediate remediation actions like reinstalling OS or disabling accounts, thinking they are 'improvements' rather than part of containment/eradication.

How to eliminate wrong answers

Option B is wrong because reinstalling the operating system is a remediation step that should have already been performed during the eradication phase, not after the incident is closed; doing it afterward indicates the incident was not properly contained. Option C is wrong because disabling affected user accounts is a containment action that should have been executed during the containment phase, not after eradication; leaving accounts enabled until after the incident is over would risk further compromise. Option D is wrong because deleting all incident-related logs destroys forensic evidence needed for legal proceedings, regulatory compliance, and the post-incident review itself; logs must be preserved per retention policies (e.g., NIST SP 800-61).

959
MCQmedium

You are the IT security officer for a hospital that handles protected health information (PHI). The hospital uses an electronic health record (EHR) system. You receive a report that a nurse accessed the medical records of a celebrity patient without a legitimate medical reason. The access was logged. The hospital policy requires all employees to access only the minimum necessary information for their job duties. The nurse claims they were just curious. This is a violation of which security principle, and what is the best course of action?

A.Confidentiality; encrypt all patient records
B.Accountability; disable access for all nurses to the EHR
C.Least privilege; revoke the nurse's access to the EHR system and initiate disciplinary proceedings
D.Least privilege; send a warning to the nurse
AnswerC

This enforces the principle and addresses the violation appropriately.

Why this answer

Correct: Violation of least privilege; the nurse should have only been granted access to records necessary for their job. The best course is to revoke access and follow disciplinary procedures (B). Option A is wrong because it doesn't address the root cause; Option C is wrong because encryption doesn't prevent unauthorized access; Option D is wrong because disabling access for all nurses is excessive.

960
MCQeasy

A company wants to segment its network into separate broadcast domains to improve performance and security. Which device should be used to achieve this?

A.Switch
B.Hub
C.Repeater
D.Router
AnswerD

Routers segment broadcast domains by forwarding packets based on IP addresses.

Why this answer

A router is the correct device because it operates at Layer 3 (Network layer) of the OSI model and can segment a network into separate broadcast domains by forwarding packets based on IP addresses while blocking broadcast traffic (e.g., ARP requests) from crossing between interfaces. This isolation improves performance by reducing broadcast overhead and enhances security by controlling traffic flow between segments.

Exam trap

ISC2 often tests the misconception that a switch with VLANs can create separate broadcast domains, but the trap is that a switch alone (without a Layer 3 device) cannot route between those VLANs—it still requires a router to forward traffic between broadcast domains.

How to eliminate wrong answers

Option A is wrong because a switch operates at Layer 2 and forwards frames based on MAC addresses, but it does not block broadcast traffic—all ports in the same VLAN belong to the same broadcast domain, so a switch alone cannot create separate broadcast domains without VLANs. Option B is wrong because a hub is a Layer 1 device that simply repeats electrical signals to all ports, creating a single collision domain and a single broadcast domain, offering no segmentation. Option C is wrong because a repeater is also a Layer 1 device that regenerates signals to extend cable distance but does not filter or segment traffic, so it cannot create separate broadcast domains.

961
Multi-Selecthard

A security team is investigating a potential ARP spoofing attack on the local network. Which two measures can effectively detect or prevent such attacks? (Choose two.)

Select 2 answers
A.Disable ICMP redirects on hosts.
B.Enable DHCP snooping with Dynamic ARP Inspection.
C.Use MAC address filtering on switches.
D.Enable STP BPDU guard.
E.Configure static ARP entries on critical servers.
AnswersB, E

DHCP snooping with DAI validates ARP packets against DHCP bindings.

Why this answer

Dynamic ARP Inspection (DAI) uses DHCP snooping binding tables to validate ARP packets, ensuring that only legitimate IP-to-MAC address mappings are accepted. This directly prevents ARP spoofing by dropping malicious ARP replies that do not match the binding table. Configuring static ARP entries on critical servers hardcodes the IP-to-MAC mapping, so the server will ignore any spoofed ARP replies attempting to redirect traffic.

Exam trap

ISC2 often tests the distinction between Layer 2 security features (like DAI and DHCP snooping) and Layer 3 or other mitigation techniques (like ICMP redirects or BPDU guard), leading candidates to confuse unrelated security controls with ARP-specific defenses.

962
Multi-Selecteasy

Which TWO of the following are examples of administrative security controls?

Select 2 answers
A.Firewall rule sets
B.Data encryption
C.Biometric access controls
D.Security policies and procedures
E.Security awareness training
AnswersD, E

Policies are administrative controls that govern behavior.

Why this answer

Options B and D are correct because security policies and security awareness training are administrative controls. Firewalls (A) are technical controls. Biometrics (C) is physical/technical.

Encryption (E) is technical.

963
MCQeasy

A small company has a single flat network with no segmentation. They recently experienced a malware outbreak that spread quickly across all devices. The IT manager wants to implement network segmentation to contain future outbreaks with minimal cost and complexity. The company currently has a single switch and a router/firewall appliance. The network consists of three departments: Sales, HR, and Engineering. After analyzing the requirements, what is the best course of action?

A.Deploy a next-generation firewall between the switch and the router to inspect traffic
B.Replace the single switch with multiple managed switches and create VLANs for each department, then connect them to the firewall
C.Implement 802.1X authentication on the switch to control device access
D.Install host-based firewalls on all endpoints
AnswerB

This provides logical segmentation using VLANs, containing outbreaks.

Why this answer

Option B is correct because VLANs logically segment the flat network into separate broadcast domains for Sales, HR, and Engineering, containing malware spread at Layer 2. Using multiple managed switches with VLANs and trunking to the firewall allows inter-VLAN traffic to be inspected and controlled by the firewall, providing segmentation with minimal cost and complexity. This approach leverages existing hardware (router/firewall) and avoids the expense of additional appliances.

Exam trap

ISC2 often tests the misconception that adding a firewall or security appliance alone provides segmentation, when in fact segmentation requires separating Layer 2 broadcast domains (via VLANs or physical separation) before applying access controls.

How to eliminate wrong answers

Option A is wrong because deploying a next-generation firewall between the switch and router inspects traffic but does not create network segmentation; the flat network remains, so malware can still spread laterally across all devices at Layer 2. Option C is wrong because 802.1X authentication controls device access to the network port but does not segment traffic between departments; once authenticated, devices are still on the same flat network and vulnerable to lateral movement. Option D is wrong because host-based firewalls on endpoints provide per-device protection but do not segment the network; malware can still propagate via broadcast traffic or direct Layer 2 communication between hosts.

964
MCQhard

An organization's BIA determines that the payroll system has a Maximum Tolerable Downtime (MTD) of 4 hours. The current recovery plan has an RTO of 2 hours and an RPO of 1 hour. What is the maximum Work Recovery Time (WRT) allowed to meet the MTD?

A.2 hours
B.3 hours
C.4 hours
D.1 hour
AnswerA

MTD = RTO + WRT → 4 = 2 + WRT → WRT = 2 hours.

Why this answer

MTD = RTO + WRT. Given MTD=4, RTO=2, so WRT ≤ 2 hours.

965
Multi-Selecthard

Which TWO of the following are recognized as benefits of network segmentation?

Select 2 answers
A.Reduced attack surface
B.Easier monitoring
C.Increased broadcast domains
D.Simplified IP address management
E.Containment of breaches
AnswersA, E

Segmentation limits access to sensitive resources, reducing the attack surface.

Why this answer

Option A (Reduced attack surface) and Option D (Containment of breaches) are correct. Segmentation limits the scope of attacks and reduces exposure. Option B (Increased broadcast domains) is not a security benefit; it can cause performance issues.

Option C (Simplified IP address management) is not directly related to security. Option E (Easier monitoring) is subjective and not a primary benefit.

966
MCQmedium

Based on the exhibit, what is the most likely result of the client's HTTP request?

A.The HTTP request is permitted because the ACL is applied to the wrong interface.
B.The HTTP request is permitted because the ACL only blocks traffic from the router's own IP.
C.The HTTP request is blocked, and all other traffic from the client is also blocked.
D.The HTTP request is blocked, but other traffic from the client is allowed.
AnswerD

The ACL denies TCP port 80, then permits all other IP traffic.

Why this answer

The exhibit shows an extended ACL applied inbound on the client's interface that permits TCP traffic from the client to the server on port 80 (HTTP) but denies all other IP traffic from the client. Therefore, the HTTP request is permitted, but any other traffic from the client (e.g., DNS, ICMP) is blocked. Option D correctly states that the HTTP request is blocked, but other traffic is allowed, which matches the ACL behavior.

Exam trap

ISC2 often tests the misconception that an ACL blocking all traffic from a client means no traffic is allowed, but here the ACL explicitly permits HTTP while denying other traffic, so candidates may incorrectly choose Option C thinking all traffic is blocked.

How to eliminate wrong answers

Option A is wrong because the ACL is applied to the correct interface (the client's ingress interface) and direction (inbound), so it does affect traffic from the client. Option B is wrong because the ACL does not block traffic from the router's own IP; it filters traffic based on source and destination IP addresses and ports, not the router's IP. Option C is wrong because the ACL specifically permits HTTP traffic (TCP port 80) from the client to the server, so not all traffic is blocked; only non-HTTP traffic is denied.

967
MCQmedium

An organization wants to implement a network security device that can block malicious traffic in real-time and must be placed inline. Which device should be chosen?

A.Vulnerability scanner
B.Packet sniffer
C.Intrusion Detection System (IDS)
D.Intrusion Prevention System (IPS)
AnswerD

An IPS is inline and can block traffic.

Why this answer

An Intrusion Prevention System (IPS) is inline and can actively block threats, unlike an IDS which only alerts.

968
Multi-Selectmedium

Which THREE of the following are recognized security principles according to NIST and ISC2?

Select 3 answers
A.Separation of duties
B.Security through obscurity
C.Least privilege
D.Defense in depth
E.Single point of failure
AnswersA, C, D

Separation of duties prevents fraud and error.

Why this answer

Least privilege, separation of duties, and defense in depth are fundamental. Security through obscurity is not a recognized principle.

969
MCQhard

A security engineer is evaluating different firewall architectures. Which firewall type can decrypt SSL/TLS traffic, inspect the contents, and then re-encrypt it?

A.Application proxy firewall
B.Packet filtering firewall
C.Next-generation firewall (NGFW)
D.Stateful inspection firewall
AnswerC

NGFWs can perform deep packet inspection including SSL decryption.

Why this answer

NGFWs often include SSL inspection capabilities to examine encrypted traffic for threats.

970
MCQmedium

An organization implements redundant servers and failover mechanisms to ensure continuous operation during a power outage. Which goal of the CIA triad is primarily being addressed?

A.Confidentiality
B.Integrity
C.Authentication
D.Availability
AnswerD

Redundancy and failover enhance availability.

Why this answer

Redundancy and failover ensure systems remain accessible, which supports availability.

971
MCQeasy

Which of the following protocols provides secure remote administration of a network device over an untrusted network?

A.SNMPv1
B.Telnet
C.HTTP
D.SSH
AnswerD

SSH provides encrypted remote access, securing the session.

Why this answer

SSH (Secure Shell) is correct because it encrypts all traffic, including authentication credentials and commands, using strong cryptographic algorithms, making it safe for remote administration over untrusted networks. It operates on TCP port 22 and provides confidentiality, integrity, and authentication, unlike cleartext protocols. SSH is the standard for secure CLI access to network devices such as routers and switches.

Exam trap

ISC2 often tests the distinction between 'secure' and 'insecure' protocols, and the trap here is that candidates may confuse Telnet with SSH because both provide remote CLI access, forgetting that Telnet lacks encryption entirely.

How to eliminate wrong answers

Option A is wrong because SNMPv1 uses community strings in cleartext and lacks encryption or authentication, making it insecure for remote administration over untrusted networks. Option B is wrong because Telnet transmits all data, including usernames and passwords, in plaintext, allowing anyone with packet capture access to intercept credentials and commands. Option C is wrong because HTTP transmits data unencrypted, and while HTTPS exists, the question specifies HTTP, which provides no security for remote administration.

972
MCQmedium

A hospital uses role-based access control (RBAC) for its electronic health records. Nurses can view patient records; doctors can view and edit; administrators can only view administrative data. Recently, a nurse was able to edit a patient's record, which should only be allowed for doctors. The investigation finds that the nurse's role was incorrectly assigned a 'doctor' role due to a misconfiguration. To prevent recurrence, the access control system should be reviewed. Which is the best long-term solution?

A.Implement mandatory access control (MAC) with security labels
B.Remove the nurse's ability to edit records
C.Implement user behavior analytics to detect anomalies
D.Conduct quarterly role reviews and recertification
AnswerD

Regular reviews ensure roles are correctly assigned, preventing misconfigurations over time.

Why this answer

Option D is correct because the root cause is a role misconfiguration, and the best long-term solution is to implement a process of periodic role reviews and recertification. This ensures that role assignments are regularly audited and validated against current job responsibilities, preventing role creep and unauthorized privilege accumulation. In RBAC, the principle of least privilege is maintained through ongoing governance, not through a one-time fix.

Exam trap

ISC2 often tests the distinction between reactive fixes (like removing a single user's permission) and systemic governance processes (like periodic recertification), trapping candidates who choose a quick technical fix instead of a long-term administrative control.

How to eliminate wrong answers

Option A is wrong because mandatory access control (MAC) uses system-enforced security labels (e.g., classification levels) and is not designed to fix a role misconfiguration in an RBAC system; it would require a complete architectural change and does not address the need for periodic role validation. Option B is wrong because removing the nurse's ability to edit records is a reactive, short-term fix that does not prevent future misconfigurations or other role assignment errors; it treats the symptom, not the systemic issue. Option C is wrong because user behavior analytics (UBA) can detect anomalous activity after it occurs, but it does not prevent the underlying misconfiguration or ensure correct role assignments; it is a detective control, not a preventive or corrective control for role management.

973
MCQeasy

Which of the following is a best practice for securing physical access to a data center?

A.Allow employees to use personal badges for entry.
B.Implement mantrap entry with biometric verification.
C.Install CCTV only at the main entrance.
D.Use a single-factor authentication for all doors.
AnswerB

Mantraps prevent tailgating and biometrics provide strong authentication.

Why this answer

Option D is correct because mantrap entry with biometric verification provides strong physical access control. Option A weakens security by allowing personal badges. Option B does not cover all areas.

Option C single-factor is insufficient.

974
MCQeasy

Which layer of the OSI model is responsible for routing packets across networks?

A.Network layer
B.Physical layer
C.Transport layer
D.Data Link layer
AnswerA

The Network layer routes packets.

Why this answer

The Network layer (Layer 3) handles routing and logical addressing (IP addresses).

975
MCQmedium

Refer to the exhibit. ``` -rw-r-x--- 1 user1 developers 1024 Apr 12 10:00 config.cfg ``` The security policy states that only the file owner (user1) and members of the developers group should be able to read the file. Which change is necessary to align with the principle of least privilege?

A.Add world read permission.
B.Change group permissions to rw-r--.
C.Change the file mode to 640.
D.Change the owner to user2.
AnswerC

640 (rw-r-----) removes the execute permission that is not required for read-only access, adhering to least privilege.

Page 12

Page 13 of 14

Page 14
ISC2 Certified in Cybersecurity CC CC Questions 901–975 | Page 13/14 | Courseiva