ISC2 Certified in Cybersecurity (CC) — Questions 976–984

984 questions total · 14 pages · All types, answers revealed


Page 14 of 14

976 · MCQ · hard

During an incident, the IR team identifies that the root cause is a zero-day vulnerability. Which of the following is the best immediate action?

A. Report to CERT/CC
B. Rebuild all affected systems
C. Apply a vendor patch
D. Implement compensating controls

Answer: D

Compensating controls reduce risk by blocking or detecting exploitation of the vulnerability.

Why this answer

When a zero-day vulnerability is the root cause, no vendor patch exists yet (option C is impossible). Rebuilding systems (option B) without addressing the vulnerability leaves them re-exposed. The best immediate action is to implement compensating controls—such as firewall rules, IDS/IPS signatures, or application-layer filtering—to mitigate the risk until a permanent fix is available.

This aligns with incident response containment strategies that prioritize reducing impact while preserving forensic evidence.

Exam trap

ISC2 often tests the misconception that 'rebuilding systems' or 'applying a patch' are immediate actions for a zero-day, when in reality the absence of a patch and the need for containment make compensating controls the only viable first step.

How to eliminate wrong answers

Option A is wrong because reporting to CERT/CC is a post-incident coordination step, not an immediate containment action; it does not stop the ongoing attack. Option B is wrong because rebuilding affected systems without first containing the vulnerability will result in immediate re-infection, as the zero-day exploit vector remains active. Option C is wrong because a zero-day vulnerability, by definition, has no vendor patch available at the time of discovery; applying a non-existent patch is impossible.

977 · MCQ · easy

Which of the following is an example of a physical access control at the building entrance?

A. Password complexity requirements
B. Access badges
C. Biometric reader on a server room door
D. Account lockout policy

Answer: B

Access badges are used at building entrances to authenticate individuals.

Why this answer

Access badges are a common physical control at building entrances.

978 · MCQ · medium

Which security control would best mitigate the risk of network sniffing on a wired LAN segment?

A. Using encryption protocols (e.g., IPsec, TLS)
B. Implementing VLANs
C. Disabling unused ports on the switch
D. Deploying an intrusion detection system

Answer: A

Correct. Encryption renders sniffed data confidential.

Why this answer

Encrypting traffic (e.g., using HTTPS, VPN) makes sniffed data unreadable.

979 · MCQ · hard

An IAM policy is shown in the exhibit. Which action is permitted for the attached user?

A. Get an object from bucket2
B. Get an object from bucket1
C. List the objects in bucket1
D. Delete an object from bucket2

Answer: B

s3:GetObject on bucket1/* is explicitly allowed.

Why this answer

The IAM policy grants the `s3:GetObject` action on the ARN `arn:aws:s3:::bucket1/*`, which permits retrieving objects from bucket1. The `Deny` effect for `s3:DeleteObject` on bucket2 does not affect the `Allow` for `s3:GetObject` on bucket1. Therefore, the attached user can get an object from bucket1.

Exam trap

ISC2 often tests the distinction between object-level actions (like `s3:GetObject`) and bucket-level actions (like `s3:ListBucket`), trapping candidates who assume that reading an object implies the ability to list the bucket's contents.

How to eliminate wrong answers

Option A is wrong because the policy only allows `s3:GetObject` on bucket1, not bucket2; bucket2 is only referenced in a Deny statement for `s3:DeleteObject`, which does not grant any read access. Option C is wrong because the policy does not include the `s3:ListBucket` action, which is required to list objects in a bucket; `s3:GetObject` only permits reading individual objects, not listing. Option D is wrong because the policy explicitly denies `s3:DeleteObject` on bucket2, and an explicit Deny overrides any Allow.

980 · MCQ · medium

A small business with limited budget wants to ensure critical business functions can resume within 24 hours of a disaster. Their data changes infrequently. Which recovery solution is MOST cost-effective?

A. Warm site with daily backups
B. Cloud backup with instant restore
C. Cold site with monthly backups
D. Hot site with real-time replication

Answer: B

Cost-effective and can meet RTO if restore time is fast.

Why this answer

Cloud backup with instant restore (Option B) is the most cost-effective solution because the business has a limited budget, data changes infrequently, and the RTO is 24 hours. Cloud backup eliminates the need for maintaining physical infrastructure, and instant restore from cloud snapshots can meet the 24-hour RTO without the high costs of a warm or hot site.

Exam trap

ISC2 often tests the misconception that a warm site is the 'middle ground' for cost and recovery; this overlooks that cloud backup can achieve the same RTO at a fraction of the cost when data changes infrequently.

How to eliminate wrong answers

Option A is wrong because a warm site requires pre-configured hardware and ongoing maintenance costs, which exceed a limited budget, and daily backups are overkill for infrequently changing data. Option C is wrong because a cold site with monthly backups cannot meet the 24-hour RTO, as provisioning hardware and restoring from month-old backups would take significantly longer. Option D is wrong because a hot site with real-time replication is the most expensive solution, designed for near-zero RTO and RPO, which is unnecessary for infrequently changing data and a 24-hour RTO.

981 · MCQ · easy

Which backup strategy requires the least amount of time to perform a daily backup but the most time to perform a full restore?

A. Differential backup
B. Full backup
C. Synthetic full backup
D. Incremental backup

Answer: D

Incremental is fastest to back up but slowest to restore.

Why this answer

Incremental backups only back up changes since the last backup (any type), making them fastest to perform but slowest to restore because all increments since the last full must be applied.

982 · MCQ · easy

An organization requires that two different administrators approve changes to firewall rules. This is an example of which security principle?

A. Least privilege
B. Defense in depth
C. Separation of duties
D. Need-to-know

Answer: C

Requiring two approvals divides the task, preventing a single person from making unauthorized changes.

Why this answer

Separation of duties requires multiple people to complete a sensitive task to reduce fraud and errors, so Option C is correct. Option A (least privilege) limits permissions. Option B (defense in depth) uses layers of controls. Option D (need-to-know) restricts data access.

983 · Multi-Select · medium

Which TWO of the following are common indicators of a phishing email? (Select TWO.)

Select 2 answers

A. The email contains an attachment with a .txt extension
B. The email contains a sense of urgency, such as 'Your account will be closed.'
C. The email has a high-importance flag set by the sender
D. The email is sent to multiple recipients in the 'To' field
E. The sender's email address is similar but not identical to a legitimate domain

Answers: B, E

Urgency is a common social engineering tactic.

Why this answer

Option B is correct because phishing emails commonly exploit urgency to bypass rational decision-making. Attackers use phrases like 'Your account will be closed' to pressure recipients into clicking malicious links or providing credentials without verifying the source. This social engineering tactic is a hallmark of phishing campaigns. Option E is correct because a sender address that closely resembles, but does not match, a legitimate domain is a lookalike-domain spoofing indicator intended to make the message appear to come from a trusted source.

Exam trap

ISC2 often tests the distinction between technical indicators (e.g., file extensions, headers) and behavioral indicators (e.g., urgency, domain spoofing), and the trap here is that candidates mistake common email features like high-importance flags or bulk addressing as phishing indicators when they are not inherently suspicious.

984 · MCQ · easy

A security team implements a policy that requires all access to sensitive data to be logged and audited. Which principle is being enforced?

A. Accountability
B. Non-repudiation
C. Integrity
D. Least privilege

Answer: A

Correct. Logging creates accountability.

Why this answer

Accountability is enforced because logging and auditing create a traceable record of who accessed sensitive data and what actions they performed. This allows security teams to hold individuals responsible for their actions by correlating log entries with specific user identities, typically via authentication systems like LDAP or SAML. The policy directly supports the principle that users must be answerable for their access to protected resources.

Exam trap

ISC2 often tests the distinction between accountability (tracking and attributing actions) and non-repudiation (cryptographic proof of origin), leading candidates to confuse logging with the stronger assurance provided by digital signatures.

How to eliminate wrong answers

Option B is wrong because non-repudiation ensures that a party cannot deny having performed an action, typically achieved through digital signatures or cryptographic proof (e.g., HMAC, RSA signatures), not through logging and auditing alone. Option C is wrong because integrity focuses on protecting data from unauthorized modification (e.g., via checksums, hashing like SHA-256, or access controls), not on tracking who accessed it. Option D is wrong because least privilege restricts access rights to the minimum necessary for a role, whereas logging and auditing are about monitoring and reviewing access after it has occurred, not about limiting permissions upfront.
