ISC2 Certified in Cybersecurity CC (CC) — Questions 76150

500 questions total · 7pages · All types, answers revealed

Page 1

Page 2 of 7

Page 3
76
MCQhard

During a security audit, it is discovered that a contractor has access to customer databases that were not required for their project. Which step should be taken first to mitigate the risk?

A.Notify the contractor's manager
B.Revoke the contractor's access immediately
C.Perform a risk assessment
D.Log the access for evidence
AnswerB

Revoking access immediately stops the unauthorized access and reduces risk.

Why this answer

The immediate priority is to revoke the contractor's access to the unauthorized customer databases to stop any potential data exfiltration or misuse. Access controls follow the principle of least privilege, and any discovered over-provisioning must be corrected instantly to contain the risk. Delaying revocation for notification, assessment, or logging leaves the sensitive data exposed to an unauthorized user.

Exam trap

ISC2 often tests the candidate's ability to prioritize containment over investigation or notification, trapping those who choose risk assessment or logging first instead of immediate access revocation.

How to eliminate wrong answers

Option A is wrong because notifying the contractor's manager does not remove the active access; the contractor can still query or exfiltrate data while the notification is processed. Option C is wrong because performing a risk assessment is a secondary step that should occur after access is revoked; leaving access in place during assessment violates the security principle of containment. Option D is wrong because logging access for evidence is important for forensics but does not mitigate the ongoing risk; the access must be terminated first to prevent further unauthorized actions.

77
MCQhard

Refer to the exhibit. ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*" } ] } ``` A security analyst reviews this AWS S3 bucket policy. The policy currently allows anyone to read objects. Which change would implement the principle of least privilege?

A.Remove the policy entirely.
B.Add a principal element with specific user ARNs.
C.Add a condition to require MFA.
D.Change "Allow" to "Deny".
AnswerB

Adding a principal restricts access to specific authorized users, implementing least privilege by limiting who can act.

78
MCQmedium

A SOC analyst is reviewing logs from a web server and sees the following entry: GET /../../../../etc/passwd HTTP/1.1 Which type of attack is being attempted?

A.Cross-site scripting
B.SQL injection
C.Directory traversal
D.Cross-site request forgery
AnswerC

The '..' sequence indicates an attempt to navigate directories.

Why this answer

The log entry shows a GET request with '../' sequences attempting to navigate outside the web root to access the '/etc/passwd' file. This is the classic signature of a directory traversal attack, which exploits insufficient path sanitization to read arbitrary files on the server. The correct answer is C because the attack targets the file system, not the application's data layer or client-side scripts.

Exam trap

ISC2 often tests directory traversal by including a file path like '/etc/passwd' in the URL, which candidates may mistakenly associate with SQL injection or XSS due to the presence of 'passwd' or the GET method, but the key indicator is the '../' sequence indicating file system navigation.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting malicious scripts into web pages viewed by other users, not manipulating file paths in HTTP requests. Option B is wrong because SQL injection targets database queries by inserting SQL commands into input fields, whereas this request is a simple GET with path traversal sequences and no SQL syntax. Option D is wrong because cross-site request forgery (CSRF) tricks a user's browser into making unintended requests on their behalf, but the log shows a direct attacker-controlled request, not a forged one.

79
MCQmedium

An organization wants to implement the principle of least privilege for its database administrators. Which approach best achieves this goal?

A.Implement mandatory access control (MAC) with labels for all data.
B.Use role-based access control (RBAC) to grant permissions specific to each administrator's duties.
C.Allow administrators to self-assign permissions as needed.
D.Assign each administrator full database admin rights for simplicity.
AnswerB

RBAC aligns with least privilege by scoping permissions to roles.

Why this answer

Role-based access control (RBAC) directly enforces the principle of least privilege by granting database administrators only the permissions required for their specific job functions. Unlike MAC, which focuses on data classification labels, RBAC maps roles (e.g., backup admin, security admin) to precise sets of privileges, ensuring no user has unnecessary access.

Exam trap

ISC2 often tests the distinction between MAC (which controls access based on data labels) and RBAC (which controls access based on job roles), and the trap here is that candidates mistakenly choose MAC because they associate 'least privilege' with strict classification systems, not realizing that RBAC is the practical, role-specific mechanism for limiting database administrator permissions.

How to eliminate wrong answers

Option A is wrong because mandatory access control (MAC) enforces system-wide security labels (e.g., Top Secret, Secret) and is typically used in military or high-security environments; it does not granularly restrict permissions based on an administrator's specific duties, and it can be overly complex for database administration. Option C is wrong because allowing administrators to self-assign permissions violates the principle of least privilege entirely, as it gives them unchecked authority to escalate their own access. Option D is wrong because assigning full database admin rights to every administrator directly contradicts least privilege by granting excessive, unrestricted access to all database resources, increasing the risk of accidental or malicious damage.

80
MCQmedium

A network administrator is configuring a wireless network for a small office. Security requirements include strong encryption and pre-shared key authentication. Which protocol should be used?

A.WPA2-PSK with AES
B.WPA3-Enterprise with 802.1X
C.Open with MAC address filtering
D.WEP with TKIP
AnswerA

Provides strong encryption with PSK.

Why this answer

WPA2-PSK with AES is the correct choice because it provides strong encryption (AES-CCMP) and uses a pre-shared key for authentication, meeting the requirements for a small office without a RADIUS server. WPA2-PSK is widely supported and offers robust security against common attacks when a strong passphrase is used.

Exam trap

ISC2 often tests the distinction between PSK and Enterprise modes, where candidates mistakenly choose WPA3-Enterprise because it is newer, ignoring the explicit requirement for pre-shared key authentication.

How to eliminate wrong answers

Option B is wrong because WPA3-Enterprise with 802.1X requires a RADIUS server for authentication, which is unnecessary and overcomplicated for a small office using pre-shared key authentication. Option C is wrong because Open with MAC address filtering provides no encryption and can be easily bypassed by MAC spoofing, failing the strong encryption requirement. Option D is wrong because WEP with TKIP is deprecated and insecure—WEP uses RC4 encryption that can be cracked in minutes, and TKIP is a legacy protocol that does not meet strong encryption standards.

81
MCQmedium

Refer to the exhibit. Which security principle is this policy primarily enforcing?

A.Non-repudiation
B.Defense in depth
C.Confidentiality
D.Least privilege
AnswerD

Granting only specific permissions from a specific IP is least privilege.

Why this answer

Correct: B - Least privilege. The policy allows only get access to a specific bucket from a specific IP range, granting the minimum necessary access. Confidentiality is addressed indirectly, but the design emphasizes least privilege.

Defense in depth and non-repudiation are not shown.

82
MCQeasy

An organization has multiple network segments for accounting, HR, and engineering. They want to prevent unauthorized traffic between segments while allowing necessary communication. Which security control should be implemented?

A.VLAN segmentation with ACLs
B.Intrusion Detection System (IDS)
C.Proxy server
D.Honeypot
AnswerA

VLANs logically segment networks, and ACLs enforce traffic rules between them, achieving the desired control.

Why this answer

VLAN segmentation with ACLs is the correct choice because VLANs create separate broadcast domains at Layer 2, isolating traffic between network segments (accounting, HR, engineering). ACLs applied to the Layer 3 interface (SVI) or trunk ports then enforce granular rules to permit only necessary inter-VLAN communication, such as allowing HR to access a shared server while blocking all other cross-segment traffic.

Exam trap

ISC2 often tests the distinction between passive detection (IDS) and active prevention (firewall/ACL), so candidates mistakenly choose IDS thinking it blocks traffic, but it only alerts.

How to eliminate wrong answers

Option B (Intrusion Detection System) is wrong because an IDS is a passive monitoring tool that detects and alerts on malicious activity but does not actively block or prevent unauthorized traffic between segments. Option C (Proxy server) is wrong because a proxy operates at Layer 7 (application layer) to mediate client-server requests, not to enforce Layer 2/3 segmentation or access control between network segments. Option D (Honeypot) is wrong because a honeypot is a decoy system designed to attract and analyze attackers, not a control to prevent unauthorized inter-segment traffic.

83
MCQmedium

A security administrator is concerned about MAC address spoofing on the network. Which technology can help mitigate this risk by associating a specific MAC address with a port?

A.Port security
B.Dynamic ARP inspection
C.DHCP snooping
D.VLAN hopping prevention
AnswerA

Port security limits the number of MAC addresses on a port and can associate specific MACs, preventing spoofing.

Why this answer

Port security is the correct answer because it directly mitigates MAC address spoofing by allowing an administrator to statically or dynamically associate a specific MAC address with a switch port. When a device with a different MAC address attempts to use that port, port security can either disable the port (errdisable) or drop the traffic, preventing unauthorized access. This is a Layer 2 security feature that enforces MAC-to-port binding.

Exam trap

ISC2 often tests the distinction between features that prevent MAC spoofing (port security) versus features that prevent ARP spoofing (DAI) or DHCP attacks (DHCP snooping), leading candidates to confuse the purpose of each technology.

How to eliminate wrong answers

Option B (Dynamic ARP inspection) is wrong because it validates ARP packets based on DHCP snooping bindings to prevent ARP spoofing, not MAC address spoofing on a port. Option C (DHCP snooping) is wrong because it filters DHCP messages to prevent rogue DHCP servers and builds a binding table, but it does not directly associate a MAC address with a specific switch port. Option D (VLAN hopping prevention) is wrong because it protects against attacks that allow a device to jump to a different VLAN (e.g., via DTP or double tagging), not against MAC address spoofing on a single port.

84
MCQmedium

A company deploys a new intrusion detection system (IDS) on the internal network. Which of the following best describes the primary purpose of this system?

A.Block malicious traffic in real time.
B.Detect and alert on potential security incidents.
C.Encrypt sensitive data at rest.
D.Prevent unauthorized access to the network.
AnswerB

The core function of an IDS is detection and alerting.

Why this answer

An intrusion detection system (IDS) is a passive monitoring technology that analyzes network traffic or system activity for signs of malicious behavior or policy violations. Unlike an intrusion prevention system (IPS), an IDS does not take inline action to block traffic; its primary purpose is to detect suspicious activity and generate alerts for security personnel to investigate and respond.

Exam trap

ISC2 often tests the distinction between IDS and IPS, where candidates mistakenly assume an IDS can block traffic because they conflate detection with prevention.

How to eliminate wrong answers

Option A is wrong because blocking malicious traffic in real time is the function of an intrusion prevention system (IPS), not an IDS; an IDS operates out-of-band and cannot actively block traffic. Option C is wrong because encrypting sensitive data at rest is a data protection mechanism typically handled by encryption tools, file-level encryption, or full-disk encryption, not by an IDS. Option D is wrong because preventing unauthorized access to the network is the role of firewalls, access control lists (ACLs), or authentication systems, whereas an IDS only monitors and alerts on potential threats without enforcing access controls.

85
MCQeasy

An organization implements an access control system where users are assigned to groups, and permissions are granted to groups rather than individuals. This is known as:

A.Mandatory Access Control (MAC)
B.Role-Based Access Control (RBAC)
C.Discretionary Access Control (DAC)
D.Attribute-Based Access Control (ABAC)
AnswerB

RBAC uses roles/groups to manage permissions efficiently.

Why this answer

Role-Based Access Control (RBAC) assigns permissions to roles (or groups) rather than to individual users. Users are then made members of these roles, inheriting the permissions associated with the role. This matches the description in the question, where users are assigned to groups and permissions are granted to those groups.

Exam trap

ISC2 often tests the distinction between RBAC and ABAC by describing group-based assignment (RBAC) versus policy-based evaluation of multiple attributes (ABAC), leading candidates to confuse the two when the question mentions 'attributes' or 'policies'.

How to eliminate wrong answers

Option A is wrong because Mandatory Access Control (MAC) enforces access based on system-wide security labels (e.g., classification levels) and is not based on user group membership. Option C is wrong because Discretionary Access Control (DAC) allows individual resource owners to set permissions on their objects, typically using Access Control Lists (ACLs), not by assigning users to groups with predefined permissions. Option D is wrong because Attribute-Based Access Control (ABAC) evaluates policies based on multiple attributes (user, resource, environment) at the time of access, not on static group membership.

86
MCQhard

During a tabletop exercise, the IT team realizes that the backup tapes are stored in the same building as the servers. Which risk does this highlight?

A.Insufficient off-site storage
B.Single point of failure
C.Lack of redundancy
D.Inadequate segregation of duties
AnswerA

Backups should be stored off-site to survive a site-level disaster; storing them on-site creates a single point of failure.

Why this answer

Storing backup tapes in the same building as the primary servers violates the fundamental principle of geographic separation for disaster recovery. If a fire, flood, or physical security breach destroys the building, both the primary data and the backup tapes are lost simultaneously, rendering the backups useless. This directly indicates a lack of off-site storage, which is a core requirement for a viable backup strategy.

Exam trap

ISC2 often tests the distinction between 'lack of redundancy' (duplicate hardware) and 'insufficient off-site storage' (geographic separation of backups), trapping candidates who confuse high-availability concepts with disaster recovery requirements.

How to eliminate wrong answers

Option B is wrong because 'single point of failure' typically refers to a component (like a power supply or network link) whose failure stops the entire system, not to the physical co-location of backups. Option C is wrong because 'lack of redundancy' implies missing duplicate components (e.g., a second server or disk array), whereas the issue here is the absence of geographic separation for existing backups. Option D is wrong because 'inadequate segregation of duties' is a security control related to separating administrative roles (e.g., backup operator vs. system admin), not a physical storage location problem.

87
MCQeasy

An employee reports receiving a suspicious email with an attachment from an unknown sender. What is the first action the employee should take?

A.Open the attachment to check its content.
B.Report the email to the security team.
C.Forward the email to all employees as a warning.
D.Delete the email immediately.
AnswerB

Ensures proper handling of the potential security incident.

Why this answer

Reporting the email to the security team allows professionals to analyze and respond appropriately. Deleting the email or opening the attachment can be dangerous; forwarding may spread the threat.

88
MCQhard

A system administrator runs `iptables -L INPUT` and sees this rule. What is the immediate effect on the system?

A.All SSH traffic is blocked, including established sessions.
B.New SSH connections are blocked, but current SSH sessions remain active.
C.The rule has no effect because the policy is ACCEPT.
D.All outbound SSH connections are blocked.
AnswerB

The rule drops NEW packets for SSH, so new connections are blocked; established connections are unaffected.

Why this answer

The rule drops all new TCP connections to port 22 (SSH) from any source, preventing new SSH connections.

89
MCQeasy

A help desk technician needs to reset a user's password, but the security policy requires that the technician does not know the new password. Which access control concept prevents the technician from knowing the password?

A.Discretionary access control (DAC)
B.Need to know
C.Least privilege
D.Separation of duties
AnswerB

Need to know ensures users only access information required for their job tasks.

Why this answer

The 'need to know' concept restricts access to information based on whether the user requires that information to perform their job functions. In this scenario, the technician must reset the password but does not need to know the new password itself, so the policy enforces that the technician cannot view or retain the new password. This is distinct from least privilege, which limits permissions to the minimum necessary, but does not inherently prevent knowledge of the password if the technician has the reset permission.

Exam trap

ISC2 often tests the distinction between 'least privilege' and 'need to know' by presenting a scenario where a user has permissions but should not know the data, leading candidates to mistakenly choose least privilege because it sounds similar, when 'need to know' specifically addresses knowledge of the information itself.

How to eliminate wrong answers

Option A is wrong because discretionary access control (DAC) allows the resource owner to set permissions, which does not inherently prevent the technician from knowing the password; it focuses on owner-based control, not on limiting knowledge. Option C is wrong because least privilege ensures the technician has only the minimum permissions needed (e.g., the ability to reset passwords), but it does not specifically prevent the technician from seeing the new password; a technician with reset rights could still view it unless a separate control like 'need to know' is applied. Option D is wrong because separation of duties divides critical tasks among multiple people to prevent fraud (e.g., one person resets, another sets the password), but the scenario describes a single technician performing the reset, not a split of responsibilities.

90
MCQeasy

Refer to the exhibit. Based on the exhibit, why was the packet denied?

A.Source IP is internal
B.The packet was blocked by an outbound access list
C.Destination IP is external
D.The packet was blocked by an inbound access list
AnswerD

The message specifies 'due to access-group INTERNET_IN', which is applied inbound.

Why this answer

The exhibit shows an inbound access list applied to the interface, and the packet is denied because its source IP matches a deny entry in that inbound ACL. Inbound access lists filter traffic before it is processed by the router, so the packet is dropped upon arrival. The correct answer is D because the packet was blocked by an inbound access list, as indicated by the ACL configuration and the deny action.

Exam trap

ISC2 often tests the distinction between inbound and outbound ACLs, and the trap here is that candidates may confuse the direction of the ACL application (inbound vs. outbound) or assume that a packet is denied because of the source or destination IP alone, rather than focusing on the ACL rule that explicitly denies the traffic.

How to eliminate wrong answers

Option A is wrong because the source IP being internal is not a reason for denial; ACLs filter based on configured rules, not the mere fact that an IP is internal. Option B is wrong because the packet was blocked by an inbound access list, not an outbound one; outbound ACLs filter traffic leaving the interface, but the exhibit shows the ACL is applied inbound. Option C is wrong because the destination IP being external is irrelevant; ACLs can permit or deny traffic regardless of destination being internal or external, and the denial is due to the ACL rule, not the destination's location.

91
MCQhard

A financial firm has a data center with strict access controls. Employees must use smart cards and PINs to enter a mantrapped entrance. Recently, an unauthorized person gained access by following an employee through the mantrapped door (tailgating). The security team reviews logs and finds that the door was opened twice in quick succession, indicating tailgating occurred. The firm wants to implement a solution that prevents tailgating without slowing down authorized access. Which action should they take?

A.Require employees to log access requests in advance
B.Install a biometric scanner that requires fingerprint and retina scan
C.Implement a turnstile that allows only one person per smart card authentication
D.Increase the number of security guards at the entrance
AnswerC

Turnstiles physically enforce one person per credential, directly preventing tailgating.

Why this answer

Option C is correct because a turnstile physically enforces one-person-per-authentication by rotating only after a valid smart card read and allowing a single passage, then locking until the next authentication. This directly prevents tailgating without adding delay, as each authorized user passes through at their own pace without needing additional steps like biometric scans or pre-approval.

Exam trap

ISC2 often tests the distinction between detection (e.g., logs, cameras) and prevention (e.g., turnstiles, mantrap doors), so candidates mistakenly choose biometric or procedural options that only detect or deter rather than physically block tailgating.

How to eliminate wrong answers

Option A is wrong because requiring advance access logs does not physically prevent tailgating; it only creates an audit trail after the fact, and the unauthorized person could still follow an employee through the door. Option B is wrong because biometric scanners (fingerprint and retina) add significant authentication time and user friction, slowing down authorized access, and they still do not prevent a second person from slipping through immediately after the first is authenticated. Option D is wrong because increasing security guards is a personnel-based solution that is costly, inconsistent, and still relies on human vigilance to spot tailgating, which can fail during busy periods or distraction.

92
MCQeasy

A SOC analyst reviews an alert indicating a high number of failed login attempts from a single external IP address targeting multiple user accounts. Which security control is most effective at preventing this type of attack?

A.Deploying a web application firewall
B.Enabling verbose logging for authentication events
C.Increasing password complexity requirements
D.Implementing account lockout policies
AnswerD

Account lockout policies limit the number of failed attempts, preventing continued brute-force attacks.

Why this answer

Option D is correct because account lockout policies directly mitigate brute-force attacks by temporarily disabling an account after a defined number of failed login attempts (e.g., 5 failures within 15 minutes). This prevents the attacker from continuing to guess passwords for multiple user accounts from a single external IP, without affecting legitimate users who can be unlocked after a lockout duration or via an administrative reset.

Exam trap

ISC2 often tests the misconception that a WAF (Option A) can stop brute-force attacks, but the trap is that WAFs operate at Layer 7 for web traffic and do not control authentication attempts against native OS or directory service logins.

How to eliminate wrong answers

Option A is wrong because a web application firewall (WAF) inspects HTTP/HTTPS traffic for application-layer attacks (e.g., SQL injection, XSS), not authentication brute-force attempts against a directory service or operating system login. Option B is wrong because enabling verbose logging for authentication events only improves visibility and forensic analysis; it does not prevent the attack from succeeding. Option C is wrong because increasing password complexity requirements makes passwords harder to guess but does not stop an attacker from making unlimited login attempts; brute-force tools can still try millions of complex passwords over time.

93
MCQhard

A company's security policy requires that all incident response activities be logged and that evidence be preserved for potential legal action. During an incident, a responder mistakenly uses a personal USB drive to copy log files. Which principle of forensic evidence handling has been violated?

A.Integrity
B.Chain of custody
C.Availability
D.Confidentiality
AnswerB

Using unapproved media and not documenting the transfer violates chain of custody.

Why this answer

The chain of custody is a documented record that tracks the seizure, control, transfer, analysis, and disposition of evidence. By using a personal USB drive to copy log files, the responder introduces an unverified and uncontrolled storage medium, breaking the documented chain and making it impossible to prove that the evidence was not tampered with or contaminated. This directly violates the requirement to preserve evidence for potential legal action.

Exam trap

ISC2 often tests the distinction between chain of custody and integrity by presenting a scenario where evidence is copied to an unauthorized device, leading candidates to mistakenly choose 'Integrity' because they focus on potential data alteration rather than the lack of documented control over the evidence.

How to eliminate wrong answers

Option A is wrong because integrity refers to the assurance that data has not been altered or destroyed in an unauthorized manner; while using a personal USB drive could potentially affect integrity, the core violation here is the lack of documented control over the evidence, not the alteration of the data itself. Option C is wrong because availability concerns ensuring that data and systems are accessible when needed; the responder was able to copy the log files, so availability was not compromised. Option D is wrong because confidentiality involves preventing unauthorized disclosure of information; although using a personal USB drive might raise confidentiality concerns, the primary forensic principle violated is the broken chain of custody, not the exposure of the data.

94
MCQmedium

A company recently experienced a DoS attack targeting their web server. They want to implement a solution that can differentiate between legitimate traffic and attack traffic based on behavior patterns. Which technology should they deploy?

A.Web Application Firewall (WAF)
B.Load balancer
C.Intrusion Prevention System (IPS)
D.Stateful firewall
AnswerC

An IPS can perform deep packet inspection and behavioral analysis to detect and block DoS patterns inline.

Why this answer

An Intrusion Prevention System (IPS) is the correct choice because it can analyze traffic patterns and behavior in real time, using signature-based and anomaly-based detection to distinguish legitimate traffic from DoS attack traffic. Unlike a WAF, which focuses on application-layer threats like SQL injection, an IPS can inspect network and transport layers to identify volumetric or protocol-based DoS patterns and actively block malicious flows.

Exam trap

ISC2 often tests the distinction between a WAF and an IPS, where candidates mistakenly choose WAF because they associate all web server attacks with application-layer defenses, but DoS attacks often operate at lower layers where IPS behavior analysis is required.

How to eliminate wrong answers

Option A is wrong because a Web Application Firewall (WAF) is designed to protect against application-layer attacks (e.g., SQLi, XSS) and cannot effectively differentiate behavior patterns at the network or transport layer for DoS attacks. Option B is wrong because a load balancer distributes traffic across servers for availability and performance, but it lacks the deep packet inspection and behavioral analysis needed to identify and block DoS attack patterns. Option D is wrong because a stateful firewall tracks connection states and enforces rules based on IP/port/protocol, but it does not perform behavioral or anomaly-based analysis to distinguish legitimate traffic from DoS traffic.

95
MCQmedium

A security architect is designing access controls for a new application. The requirement is that only managers can approve expense reports above $10,000. Which control model best fits this requirement?

A.Role-based access control (RBAC)
B.Discretionary access control (DAC)
C.Mandatory access control (MAC)
D.Rule-based access control (RuBAC)
AnswerD

RuBAC uses rules (e.g., conditions) to determine access, matching the requirement.

Why this answer

Rule-based access control (RuBAC) uses a set of rules or conditions to determine access decisions, such as the expense report amount exceeding $10,000. In this scenario, the access control decision depends on a dynamic attribute (the expense amount) rather than a static role or identity, making RuBAC the best fit. RuBAC is often implemented using access control lists (ACLs) or policy-based engines that evaluate conditions like 'if amount > 10000 then require manager approval'.

Exam trap

ISC2 often tests the distinction between RBAC and RuBAC by presenting a scenario with a conditional rule (like a dollar threshold), leading candidates to mistakenly choose RBAC because they focus on the 'manager' role rather than the rule that triggers the approval requirement.

How to eliminate wrong answers

Option A is wrong because RBAC grants permissions based on a user's job role (e.g., 'Manager'), but it does not inherently evaluate dynamic conditions like the expense amount; RBAC would allow any manager to approve any expense, not just those above $10,000. Option B is wrong because DAC allows the resource owner to control access at their discretion, which does not enforce a mandatory policy that only managers can approve high-value expenses. Option C is wrong because MAC enforces access based on system-wide labels (e.g., security clearance levels) and is typically used in classified environments, not for application-level business rules like expense thresholds.

96
MCQeasy

A security operations center (SOC) analyst receives an alert for a potential malware infection on a workstation. Which of the following is the first action the analyst should take?

A.Reimage the workstation
B.Run a full antivirus scan
C.Isolate the workstation from the network to prevent spread
D.Notify law enforcement
AnswerC

Immediate containment limits damage and buys time for analysis.

Why this answer

When a potential malware infection is detected, the immediate priority is containment to prevent lateral movement and further compromise. Isolating the workstation from the network (e.g., disabling the network interface or disconnecting the cable) stops the malware from communicating with command-and-control servers or spreading to other hosts. This aligns with the NIST incident response framework's containment phase, which precedes eradication and recovery actions.

Exam trap

ISC2 often tests the principle that containment (isolation) must come before eradication (scanning or reimaging), and candidates mistakenly choose a remediation step like running a scan or reimaging as the first action.

How to eliminate wrong answers

Option A is wrong because reimaging the workstation destroys forensic evidence and is a recovery step that should only occur after containment and investigation. Option B is wrong because running a full antivirus scan while the system is still connected to the network may alert the malware, trigger destructive behavior, or allow continued data exfiltration during the scan. Option D is wrong because notifying law enforcement is a post-containment, post-investigation step that is not the first action; it is typically reserved for incidents involving sensitive data or legal requirements, not initial triage.

97
MCQhard

Refer to the exhibit. An IDS generates this alert for traffic from an internal server (10.1.1.50) to an external IP on port 443. The security team investigates and finds that the server is a web application that normally uses TLS 1.2. What does this alert most likely indicate?

A.An attacker is performing an SSL stripping attack, downgrading the connection to SSLv3
B.The server is experiencing a buffer overflow attack
C.The server's certificate has expired and the client is falling back to SSLv3
D.The server has been misconfigured to use SSLv3 instead of TLS
AnswerA

The alert signature suggests SSL stripping, and the use of SSLv3 is a red flag.

Why this answer

The alert indicates a downgrade from TLS 1.2 to SSLv3, which is the hallmark of an SSL stripping attack. In this attack, an adversary intercepts the client's TLS handshake request and forces the connection to use the weaker SSLv3 protocol, often by manipulating the ClientHello message to remove TLS options. This allows the attacker to exploit known vulnerabilities in SSLv3, such as POODLE, to decrypt or hijack the session.

Exam trap

ISC2 often tests the distinction between a server-side misconfiguration (which would cause consistent use of SSLv3) and an active downgrade attack (which shows a change from TLS to SSLv3), tricking candidates into choosing the misconfiguration answer when the evidence points to an attack.

How to eliminate wrong answers

Option B is wrong because a buffer overflow attack typically involves sending malformed data to exploit memory corruption, not a protocol version downgrade, and would not generate an alert specifically about SSLv3 usage. Option C is wrong because certificate expiration causes browser warnings or handshake failures, not a fallback to SSLv3; modern clients do not automatically downgrade to SSLv3 due to expired certificates. Option D is wrong because if the server were misconfigured to use SSLv3, it would consistently use that protocol, not suddenly switch from TLS 1.2 to SSLv3, and the alert would not indicate a downgrade event.

98
MCQeasy

A healthcare organization uses smart cards and PINs to control access to patient records. An employee loses their smart card and reports it immediately. The security administrator revokes the lost smart card. However, the next day, someone attempts to use the lost smart card at a different facility, and the access is denied because the card was revoked. Which security principle is demonstrated by the fact that access was denied?

A.Integrity
B.Confidentiality
C.Accountability
D.Non-repudiation
AnswerC

The system held the individual accountable by revoking the card and preventing unauthorized use.

Why this answer

Correct: Accountability is demonstrated because the revocation and denial show that actions are traceable to individuals and controls are enforced. Option A is wrong because confidentiality is about secrecy; Option B is wrong because integrity is about data accuracy; Option D is wrong because non-repudiation prevents denial, but here the system proved the card was revoked.

99
Multi-Selecthard

A security operations center (SOC) analyst is investigating a potential data exfiltration. Which two indicators are most likely signs of data exfiltration?

Select 2 answers
A.Large number of failed login attempts
B.Frequent DNS queries to known malicious domains
C.Unexpected large file transfers via FTP
D.Multiple antivirus alerts
E.Unusual outbound traffic to a foreign IP
AnswersC, E

Large file transfers out of the network are a classic exfiltration sign.

Why this answer

Unexpected large file transfers via FTP are a classic indicator of data exfiltration because FTP is a clear-text protocol often used to move bulk data out of a network. A sudden spike in outbound FTP traffic, especially to an unfamiliar external IP, suggests an attacker is compressing and uploading stolen files. This behavior directly matches the exfiltration phase of the Cyber Kill Chain.

Exam trap

ISC2 often tests the distinction between indicators of compromise (IOCs) for different attack phases—candidates confuse C2 beaconing (DNS queries) with data exfiltration (large file transfers), or mistake authentication failures for exfiltration activity.

100
MCQmedium

A company is implementing a security information and event management (SIEM) system. Which data source is most critical for detecting an ongoing brute-force attack?

A.DNS logs.
B.Authentication logs.
C.Firewall logs.
D.Application logs.
AnswerB

Directly contain login attempt records.

Why this answer

Authentication logs record successful and failed login attempts, which are directly indicative of brute-force attacks. Other logs may provide supporting information but are not as directly tied to the attack.

101
MCQmedium

An organization has detected a ransomware infection. What is the FIRST step in the incident response process?

A.Isolate affected systems
B.Pay the ransom
C.Run antivirus scans
D.Report to law enforcement
AnswerA

Isolation prevents the ransomware from spreading to other systems.

Why this answer

Containment is the immediate priority to prevent further spread of the ransomware.

102
Multi-Selecthard

Which THREE of the following are examples of implementing defense in depth? (Select THREE.)

Select 3 answers
A.Enabling single sign-on for all applications
B.Using a firewall to filter traffic
C.Allowing all traffic by default
D.Implementing access control lists
E.Encrypting data at rest
AnswersB, D, E

Correct. Firewall is a layer.

Why this answer

Option B is correct because a firewall is a fundamental component of defense in depth, providing network-level traffic filtering based on rules. It acts as a first line of defense by blocking unauthorized access and malicious traffic, thereby reducing the attack surface. This layered security approach ensures that even if other controls fail, the firewall can still prevent or mitigate threats.

Exam trap

ISC2 often tests the concept that defense in depth requires multiple independent layers of security, so candidates mistakenly select options that improve convenience (like SSO) or violate security principles (like allowing all traffic) instead of recognizing that each correct option adds a distinct security control at a different layer.

103
MCQhard

A security engineer is reviewing logs and notices that an internal server is receiving excessive SYN packets from an external IP, but never completing the three-way handshake. What type of attack is likely occurring?

A.Smurf attack
B.Ping of death
C.ARP poisoning
D.SYN flood
AnswerD

SYN flood sends many SYN packets, leaving half-open connections.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets to a target server without completing the handshake (i.e., not sending the final ACK). This exhausts the server's connection table resources, preventing legitimate connections. The log evidence—excessive SYN packets from an external IP with no handshake completion—is the classic signature of a SYN flood.

Exam trap

ISC2 often tests the distinction between attacks that use ICMP (Smurf, Ping of death) versus TCP (SYN flood), so candidates may confuse the protocol layer or misremember that a Smurf attack involves SYN packets instead of ICMP echo requests.

How to eliminate wrong answers

Option A is wrong because a Smurf attack uses ICMP echo requests (pings) sent to a network's broadcast address with a spoofed source IP, causing all hosts to reply to the victim, overwhelming it with ICMP traffic—not TCP SYN packets. Option B is wrong because a Ping of death involves sending a malformed ICMP packet larger than the maximum allowed size (65535 bytes) to cause a buffer overflow or crash, not excessive SYN packets. Option C is wrong because ARP poisoning is a local network attack that manipulates ARP tables to intercept traffic between hosts on the same subnet; it does not involve external IPs sending TCP SYN packets.

104
MCQeasy

Refer to the exhibit. A network administrator configured the above on a switch port. After connecting a single workstation, the port goes into err-disabled state within minutes. What is the most likely cause?

A.The workstation is sending traffic with multiple source MAC addresses.
B.The port-security maximum is set to 2, so it should allow up to 2 MACs; the issue is elsewhere.
C.Sticky MAC learning is disabled.
D.The violation mode should be 'restrict' instead of 'shutdown'.
AnswerA

Exceeding the maximum MAC count triggers violation shutdown.

Why this answer

The port-security configuration with a maximum MAC address count of 2 and violation mode 'shutdown' causes the port to err-disable when a single workstation sends traffic with multiple source MAC addresses. This is a classic symptom of a device (e.g., a virtual machine host or a switch behind the port) generating frames from different MACs, exceeding the allowed limit and triggering the violation.

Exam trap

ISC2 often tests the misconception that the maximum MAC count is the only factor, when in reality a single device can generate multiple MAC addresses (e.g., via virtualization or bridging), causing a violation even with a seemingly generous limit like 2.

How to eliminate wrong answers

Option B is wrong because the port-security maximum is set to 2, which should allow up to 2 MAC addresses, but the issue is that a single workstation is generating more than 2 MACs, so the maximum is not the problem—the violation occurs due to exceeding the limit. Option C is wrong because sticky MAC learning is not required for port-security to function; it only dynamically learns and remembers MAC addresses, but its absence does not cause err-disable—the violation mode and maximum count are the active controls. Option D is wrong because changing the violation mode to 'restrict' would not prevent the err-disable state; 'restrict' only drops offending traffic and increments a counter, while 'shutdown' err-disables the port, but the root cause is the multiple MAC addresses, not the violation mode.

105
Multi-Selecteasy

Which TWO of the following are types of security controls used in defense in depth? (Select TWO.)

Select 2 answers
A.Detective controls
B.Corrective controls
C.Compensating controls
D.Administrative controls
E.Preventive controls
AnswersA, E

Detective controls identify attacks, e.g., IDS.

Why this answer

Detective controls are a core type of security control in a defense-in-depth strategy, designed to identify and alert on ongoing or past security incidents. Examples include intrusion detection systems (IDS) like Snort or Suricata, which analyze network traffic for malicious patterns, and security information and event management (SIEM) systems that correlate logs to detect anomalies. These controls provide visibility into the security posture, enabling timely response to threats that bypass preventive measures.

Exam trap

ISC2 often tests the distinction between control categories by including 'Administrative controls' as a distractor, leading candidates to confuse governance-level controls (policies, awareness training) with the operational control types (preventive, detective, corrective) that form the core of defense in depth.

106
MCQmedium

A security operations center (SOC) analyst receives an alert for a high volume of outbound traffic from an internal server to a known malicious IP address. Which step should the analyst take next?

A.Shut down the server.
B.Disregard the alert as a false positive.
C.Block all outbound traffic from the server.
D.Isolate the server from the network.
AnswerD

Immediately contains the potential compromise.

Why this answer

Isolating the server stops the suspicious traffic and prevents further data exfiltration or lateral movement while the incident is investigated. Other actions are either too broad or premature.

107
Multi-Selectmedium

Which TWO of the following are core components of the ISC2 Code of Ethics? (Choose two.)

Select 2 answers
A.Advance and protect the profession.
B.Disclose all confidential information to law enforcement.
C.Protect society, the common good, necessary public trust and confidence, and the infrastructure.
D.Ensure maximum profitability for the organization.
E.Always follow orders from management.
AnswersA, C

This is the fourth canon.

Why this answer

Option A is correct because the ISC2 Code of Ethics explicitly requires members to 'advance and protect the profession' as one of its four mandatory canons. This means acting honorably, maintaining competence, and not engaging in conduct that brings discredit upon the profession. It is a core ethical duty for all certified professionals.

Exam trap

ISC2 often tests the distinction between ethical duties and legal obligations, where candidates mistakenly believe that always following management orders or maximizing profit are ethical requirements, when in fact the Code prioritizes societal protection and professional integrity.

108
MCQmedium

An organization is implementing a new logging policy. Which type of data should be excluded from logs to comply with privacy regulations?

A.System performance metrics
B.User authentication attempts
C.Personal identifiable information (PII)
D.Network traffic patterns
AnswerC

Logging PII violates privacy regulations and should be avoided.

Why this answer

Option C is correct because Personal Identifiable Information (PII) should be excluded from logs to comply with privacy regulations like GDPR. Options A, B, and D are typically safe to log and important for security monitoring.

109
MCQhard

A software developer is designing a web application that will store user credentials. What is the most secure method for storing passwords?

A.Hash passwords using a strong algorithm like bcrypt with a unique salt
B.Use a tokenization service to replace passwords with tokens
C.Encrypt passwords using AES-256 and store the key separately
D.Store passwords in a secure database with access controls
AnswerA

Hashing with salt makes passwords irreversibly stored and resistant to rainbow tables.

Why this answer

Hashing with salt protects passwords even if database is compromised. Encryption is reversible, so less secure for passwords.

110
MCQhard

A large organization has implemented a Security Operations Center (SOC) with a tiered incident response model. Tier 1 analysts triage alerts and escalate confirmed incidents to Tier 2 for deeper analysis. Recently, the SOC has been overwhelmed by a high volume of low-severity alerts from endpoint detection and response (EDR) tools, causing delays in handling true positive incidents. The SOC manager wants to reduce alert fatigue without missing critical threats. Which of the following strategies would be MOST effective?

A.Require Tier 2 analysts to review all alerts before Tier 1.
B.Increase the number of Tier 1 analysts to handle the volume.
C.Implement automated playbooks for low-severity alerts to perform initial investigation and closure if benign.
D.Disable all low-severity alert rules in the EDR.
AnswerC

Reduces manual triage and allows analysts to focus on critical threats.

Why this answer

Option B is correct because automating playbooks for low-severity alerts reduces the workload on analysts and allows them to focus on high-severity alerts. Option A is expensive and does not address the root cause. Option C could miss important indicators that might escalate.

Option D would overload Tier 2 and worsen the bottleneck.

111
MCQmedium

A network administrator needs to ensure that sensitive financial data remains confidential while in transit over the internet. Which technology should they implement?

A.Digital signatures
B.SHA-256
C.TLS 1.3
D.AES-256
AnswerC

TLS encrypts data in transit, providing confidentiality.

Why this answer

TLS encrypts data in transit. AES is encrypting at rest. SHA-256 is hashing.

VPN can also encrypt but TLS is more specific for web traffic.

112
MCQeasy

A user reports that they received a suspicious email with an attachment claiming to be an invoice. What should the user do?

A.Report the email to the security team without opening the attachment
B.Reply to the email and ask for confirmation
C.Delete the email immediately
D.Open the attachment to check what it contains
AnswerA

This allows security to investigate safely.

Why this answer

Option A is correct because the user should immediately report the suspicious email to the security team without opening the attachment. Opening the attachment could trigger a malicious payload, such as a macro-enabled document or executable, that exploits vulnerabilities in the email client or operating system. The security team can analyze the email headers, attachment hash, and sender domain using tools like sandboxing or threat intelligence feeds to determine if it is a phishing attempt or malware delivery.

Exam trap

ISC2 often tests the misconception that deleting a suspicious email is sufficient, but the correct incident response procedure requires preserving evidence and reporting to the security team for analysis and containment.

How to eliminate wrong answers

Option B is wrong because replying to the email confirms the user's email address as active to the attacker, potentially leading to targeted follow-up attacks or social engineering. Option C is wrong because deleting the email immediately removes forensic evidence (e.g., email headers, attachment metadata) that the security team needs to investigate and block the threat across the organization. Option D is wrong because opening the attachment risks executing malware, such as ransomware or a trojan, that could compromise the user's endpoint and spread laterally within the network.

113
Multi-Selecteasy

A network security team is implementing a defense-in-depth strategy. Which TWO of the following controls are examples of network segmentation? (Choose two.)

Select 2 answers
A.Implementing firewall rules between internal zones.
B.Deploying an intrusion detection system (IDS) on the core switch.
C.Configuring VLANs to separate departmental traffic.
D.Placing public-facing servers in a DMZ.
E.Using VPN for remote access.
AnswersA, C

Firewalls enforce segmentation by controlling traffic between zones.

Why this answer

Option A is correct because implementing firewall rules between internal zones is a form of network segmentation. By creating distinct security zones (e.g., inside, outside, DMZ) and applying access control lists (ACLs) or stateful firewall policies between them, traffic is restricted to only what is explicitly permitted, thereby isolating network segments and limiting lateral movement.

Exam trap

ISC2 often tests the distinction between segmentation (which actively isolates traffic) and other security controls like monitoring (IDS), placement (DMZ), or encryption (VPN), leading candidates to confuse architectural placement or tunneling with the actual act of segmenting the network.

114
MCQhard

A security analyst reviews firewall logs and sees a series of outbound connections from an internal server to a known command-and-control (C2) IP address at regular intervals. Which step should the analyst take first according to incident response best practices?

A.Isolate the server from the network immediately.
B.Check if the IP address is associated with known malware or threats.
C.Quarantine the server and begin forensic analysis.
D.Terminate the outbound connections by blocking the IP.
AnswerB

First, validate the alert; then take containment actions.

Why this answer

First, verify the alert is not a false positive by checking threat intelligence. Immediately isolating the server (B) might be too aggressive if it's a false positive. Terminating (C) or quarantining (D) without confirmation can cause unnecessary disruption.

115
MCQmedium

A company is developing a disaster recovery plan for its database server. The database is updated transactionally and cannot tolerate any data loss. Which backup strategy meets this requirement?

A.Log shipping with 15-minute intervals
B.Full backups nightly
C.Continuous database mirroring
D.Differential backups every 6 hours
AnswerC

Provides real-time replication with zero data loss.

Why this answer

Continuous database mirroring (C) is correct because it maintains a synchronous copy of the database on a secondary server, ensuring that every committed transaction is immediately written to both servers. This provides zero data loss (RPO=0) and automatic failover, which is required for a transactional database that cannot tolerate any data loss.

Exam trap

ISC2 often tests the distinction between synchronous and asynchronous replication methods, and the trap here is that candidates confuse log shipping or differential backups (which have inherent recovery point gaps) with true zero-data-loss solutions like continuous database mirroring.

How to eliminate wrong answers

Option A is wrong because log shipping with 15-minute intervals introduces a recovery point objective (RPO) of up to 15 minutes, meaning any transactions committed in that window would be lost if the primary fails. Option B is wrong because full backups nightly only capture the database state at the time of the backup, leaving all transactions since the last backup vulnerable to loss. Option D is wrong because differential backups every 6 hours still rely on a full backup and only capture changes since that full backup, resulting in an RPO of up to 6 hours and potential data loss.

116
Multi-Selecthard

Which TWO of the following are examples of implementing the principle of least privilege?

Select 2 answers
A.Installing a security camera at the data center entrance
B.Assigning a database administrator only the permissions required for their specific tasks
C.Requiring two-factor authentication for system administrators
D.Implementing a firewall to block all incoming traffic except on port 443
E.Granting a user read-only access to a file they need to view
AnswersB, E

This minimizes privileges to job duties.

Why this answer

Correct: Granting a user only read access to a file (A) and assigning a database administrator only the necessary permissions for their job (B) both restrict privileges to the minimum required. Option C is an example of defense in depth; Option D is a backup procedure; Option E is a physical control.

117
Multi-Selectmedium

Which TWO of the following controls are examples of defense in depth?

Select 2 answers
A.Single sign-on
B.Encryption at rest
C.Network firewall
D.Anti-malware software
E.Strong password policy
AnswersC, D

A network firewall is a perimeter security layer.

Why this answer

Defense in depth uses multiple layers. Firewalls and anti-malware are typical layers. Option A (firewall) is a network layer, Option C (anti-malware) is a host layer.

Option B (single sign-on) is a convenience feature, not a security layer. Option D (strong password policy) is a procedural control but not a layered defense. Option E (encryption) is a control but defense in depth focuses on overlapping controls; encryption alone is not a layer in the same sense.

However, encryption can be considered a layer, but typically defense in depth includes network, host, and application layers. For this question, firewall and anti-malware are clearest.

118
MCQeasy

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

A.Determine the cost of implementing security controls
B.List all IT assets
C.Identify critical business processes and their recovery priorities
D.Assign incident response roles
AnswerC

The BIA determines the impact of disruptions and prioritizes recovery.

Why this answer

The primary purpose of a business impact analysis (BIA) is to identify critical business processes and quantify the impact of their disruption, which directly determines recovery priorities and objectives (RTO/RPO). This output drives the business continuity and disaster recovery strategy, not asset inventory or cost estimation.

Exam trap

ISC2 often tests the distinction between a BIA (which identifies critical processes and their recovery priorities) and a risk assessment (which identifies threats and vulnerabilities), leading candidates to confuse the BIA's purpose with asset listing or cost analysis.

How to eliminate wrong answers

Option A is wrong because determining the cost of implementing security controls is a function of risk management and cost-benefit analysis, not the BIA, which focuses on impact quantification rather than solution pricing. Option B is wrong because listing all IT assets is an inventory management or configuration management task (e.g., CMDB), whereas the BIA prioritizes business processes and their dependencies, not a simple asset list. Option D is wrong because assigning incident response roles is part of the incident response plan (IRP) development, not the BIA, which identifies recovery priorities before any roles are assigned.

119
MCQeasy

Refer to the exhibit. Based on the log entries, what type of attack is most likely occurring?

A.Brute-force attack.
B.Dictionary attack.
C.Privilege escalation.
D.Denial of service.
AnswerB

Multiple usernames tried suggests a dictionary of common names.

Why this answer

The log entries show repeated failed login attempts using different usernames and passwords, which is characteristic of a dictionary attack where an attacker uses a list of common usernames and passwords to gain unauthorized access. Unlike a brute-force attack that tries all possible combinations, a dictionary attack uses a predefined list of likely credentials, making it more efficient and matching the pattern in the logs.

Exam trap

ISC2 often tests the distinction between a dictionary attack and a brute-force attack, where candidates mistakenly choose 'brute-force' because they see many failed logins, but the key is whether the attempts use a predefined list (dictionary) versus exhaustive character combinations (brute-force).

How to eliminate wrong answers

Option A is wrong because a brute-force attack systematically tries every possible combination of characters (e.g., aaa, aab, aac), which would generate a much higher volume of attempts and not be limited to a list of common words or names as seen in the logs. Option C is wrong because privilege escalation involves an attacker gaining higher-level permissions after initial access, not repeated login attempts from the start. Option D is wrong because a denial of service attack aims to overwhelm a system with traffic or requests to disrupt service, not to authenticate via repeated login attempts.

120
MCQmedium

An online retailer has a DR plan that includes active-active data centers. During a major DDoS attack, one data center's external connectivity is saturated. The internal network is operational. The security team has identified the attack traffic pattern and is working with the ISP to filter. To maintain service availability, what action should be taken?

A.Shut down the attacked data center and fail all traffic to the other data center.
B.Redirect all traffic to a cloud-based scrubbing center.
C.Implement rate limiting on the affected network segment.
D.Continue monitoring and let the ISP handle the attack.
AnswerB

Filters attack traffic and maintains service availability.

Why this answer

Option B is correct because a cloud-based scrubbing center (DDoS mitigation service) can filter malicious traffic before it reaches the retailer's network, preserving the active-active data center architecture. Since the internal network is operational, the attack only saturates external connectivity; redirecting traffic to the scrubbing center allows clean traffic to be re-injected into the data centers, maintaining service availability without taking any site offline.

Exam trap

ISC2 often tests the misconception that shutting down a data center is the safest failover action during a DDoS, but the trap here is that active-active designs require keeping both sites operational to maintain capacity and redundancy, and scrubbing centers are the correct mitigation technique for external saturation.

How to eliminate wrong answers

Option A is wrong because shutting down the attacked data center violates the active-active DR principle and would cause unnecessary downtime; the internal network is still functional, so the site can continue serving traffic once clean traffic is returned. Option C is wrong because rate limiting on the affected network segment would also drop legitimate traffic, degrading service availability rather than preserving it; it does not address the root cause of DDoS saturation. Option D is wrong because continuing to monitor while relying solely on the ISP is passive and insufficient; the ISP filtering may take time, and the retailer must take immediate action to maintain availability during the attack.

121
Multi-Selectmedium

Which TWO of the following are commonly used techniques to detect phishing emails? (Choose two.)

Select 2 answers
A.Scanning for specific file extensions.
B.Disabling automatic image loading.
C.Sandboxing email attachments in a secure environment.
D.Analyzing sender reputation and email headers.
E.Implementing DKIM and DMARC records.
AnswersC, D

Sandboxing can detect malicious attachments by executing them safely.

Why this answer

Sandboxing email attachments in a secure environment (Option C) is a common technique to detect phishing emails because it allows suspicious attachments to be executed and analyzed in an isolated virtual machine. This process observes the attachment's behavior for malicious activities, such as attempting to connect to a command-and-control server or dropping malware, without risking the actual endpoint. It is a core technology used in advanced email security gateways and threat intelligence platforms.

Exam trap

ISC2 often tests the distinction between email authentication protocols (DKIM/DMARC) and detection techniques, causing candidates to mistakenly select Option E as a detection method when it is actually a preventive authentication standard.

122
MCQmedium

During a phishing investigation, a security analyst identifies that an employee clicked a malicious link. The analyst isolates the workstation. What is the NEXT best step?

A.Capture a memory image of the workstation for analysis
B.Update the company's acceptable use policy
C.Notify all employees about phishing risks
D.Reimage the workstation
AnswerA

Memory forensics can reveal running malware.

Why this answer

After isolating the workstation, the next best step is to capture a memory image (RAM) to preserve volatile evidence such as running processes, network connections, and malware artifacts that would be lost on shutdown. This follows the order of volatility (RFC 3227) and is critical for forensic analysis to determine the scope of the compromise.

Exam trap

ISC2 often tests the order of volatility (RFC 3227) and the principle that volatile data (memory) must be captured before non-volatile data (disk), so the trap here is that candidates may choose to reimage the workstation immediately to 'clean' it, not realizing that destroys forensic evidence needed for attribution and prevention.

How to eliminate wrong answers

Option B is wrong because updating the acceptable use policy is a long-term administrative control, not an immediate incident response step; it does not preserve evidence or contain the threat. Option C is wrong because notifying all employees about phishing risks is a general awareness activity that should occur after the investigation, not before evidence is collected, and it could cause unnecessary panic or tip off an attacker. Option D is wrong because reimaging the workstation destroys all volatile and non-volatile evidence, making it impossible to perform a root-cause analysis or identify indicators of compromise (IOCs) that could prevent future incidents.

123
MCQmedium

An organization has implemented a network-based intrusion prevention system (IPS) in inline mode. After deployment, users report that legitimate web traffic is being blocked. What is the most likely cause?

A.The IPS is not receiving traffic due to a tap failure.
B.The IPS is placed behind the firewall instead of in front.
C.The IPS is configured in promiscuous mode.
D.The IPS signature set is too aggressive or includes false positives.
AnswerD

Aggressive signatures can flag legitimate traffic as malicious, causing blocks.

Why this answer

An inline IPS actively inspects and can block traffic based on its signature database. If the signature set is too aggressive or contains false positives, legitimate traffic matching those signatures will be incorrectly blocked. This is the most direct cause of blocking legitimate web traffic after deployment.

Exam trap

ISC2 often tests the distinction between inline and promiscuous modes, where candidates mistakenly think promiscuous mode can block traffic, but only inline mode allows active blocking.

How to eliminate wrong answers

Option A is wrong because a tap failure would cause the IPS to not receive traffic at all, resulting in no blocking (legitimate or otherwise), not the selective blocking of legitimate web traffic. Option B is wrong because placing the IPS behind the firewall does not inherently cause false positives; it affects traffic flow and security posture, but the blocking of legitimate traffic is a signature issue, not a placement issue. Option C is wrong because promiscuous mode means the IPS monitors traffic passively without being inline, so it cannot block traffic at all; blocking requires inline mode.

124
MCQhard

A company's network uses a perimeter firewall and an internal firewall. The DMZ sits between them. A new application server needs to be accessible from the internet on TCP port 8443 and must be able to make outbound HTTPS connections to an external license server. Which firewall rules should be implemented? (Assume default deny)

A.Allow inbound from internet to server on 8443; allow outbound from server to internet on 443; allow inbound from internet to server on 443 for license server response
B.Allow inbound from internet to server on 8443; allow outbound from server to internet on 443 with stateful inspection
C.Allow inbound from internet to server on 8443; allow outbound from server to internet on 443
D.Allow inbound from internet to server on 8443 and 443; allow outbound from server to internet on any
AnswerB

Stateful inspection automatically allows return traffic for the outbound connection.

Why this answer

Option B is correct because it allows inbound traffic on TCP 8443 to the server and outbound traffic on TCP 443 from the server to the internet. Stateful inspection automatically tracks the outbound HTTPS connection and permits the return traffic (the license server's response) without needing an explicit inbound rule. This matches the requirement while maintaining a default-deny posture.

Exam trap

ISC2 often tests the misconception that return traffic for outbound connections requires an explicit inbound allow rule, when in fact stateful inspection automatically permits the reply packets.

How to eliminate wrong answers

Option A is wrong because it adds an unnecessary explicit inbound rule for TCP 443 from the internet to the server for license server responses; stateful inspection handles return traffic automatically, and this rule would expose the server to unsolicited inbound connections on 443. Option C is wrong because it lacks stateful inspection; without stateful tracking, the firewall would drop the return packets from the license server, breaking the outbound HTTPS connection. Option D is wrong because it opens inbound ports 8443 and 443 (unnecessarily exposing the server) and allows outbound traffic on any port, violating the principle of least privilege and default-deny.

125
MCQhard

An organization implements a role-based access control (RBAC) system. To maintain the principle of least privilege, what should the administrator do when a user changes roles?

A.Remove the previous role's access and assign the new role's access.
B.Keep all access and let the manager manually remove as needed.
C.Use a single role for all users to simplify management.
D.Add the new role's access while keeping the previous role's access.
AnswerA

This ensures the user has only the permissions needed for their new role, following least privilege.

126
MCQmedium

Refer to the exhibit. An administrator needs to restore a database file from two weeks ago, but the backup log shows success. What is the most likely reason the file cannot be restored?

A.The retention policy deleted it
B.The schedule was incorrect
C.The backup source did not include that file
D.The encryption key changed
AnswerC

Only files under /srv/db are backed up; the needed file might be elsewhere.

Why this answer

Option C is correct because the backup log only records the success or failure of the backup job as a whole, not the inclusion of every individual file. If the database file was not selected in the backup source configuration (e.g., a file-level backup job that excluded the database directory or a volume shadow copy that did not include the file), the backup would complete successfully without backing up that file. When the administrator attempts to restore, the file is missing from the backup set, even though the job log shows success.

Exam trap

ISC2 often tests the misconception that a successful backup log guarantees all intended data was backed up, when in reality the backup source configuration determines what is actually captured.

How to eliminate wrong answers

Option A is wrong because a retention policy deletes backup sets after a specified period, but the question states the backup log shows success from two weeks ago, implying the backup set still exists; if the retention policy had deleted it, the restore would fail with a 'backup set not found' error, not a missing file error. Option B is wrong because an incorrect schedule would cause the backup to run at the wrong time or not run at all, but the log shows a successful backup, so the schedule executed correctly. Option D is wrong because an encryption key change would affect the ability to decrypt the backup data, not the presence of the file in the backup; the restore would fail with a decryption error, not a missing file error.

127
MCQmedium

A security team is designing a network for a hospital. They need to ensure that patient data is accessible to doctors only when needed, but also protected from unauthorized access. Which principle BEST balances these requirements?

A.Defense in depth
B.Least privilege
C.Non-repudiation
D.Balancing the CIA triad
AnswerD

Balancing confidentiality and availability is key; doctors need timely access but unauthorized access must be prevented.

Why this answer

The question asks for the principle that best balances accessibility with protection. The CIA triad (Confidentiality, Integrity, Availability) is the foundational model for balancing these three competing priorities. In a hospital network, doctors need availability of patient data when needed, but confidentiality must protect against unauthorized access; balancing the triad means making trade-offs between these goals, such as using role-based access controls to ensure availability for authorized users while enforcing confidentiality.

Option D directly addresses this balancing act, whereas the other options focus on a single aspect.

Exam trap

ISC2 often tests the misconception that 'least privilege' is the best answer for balancing access and protection, but the trap is that least privilege is a component of confidentiality, not a principle for balancing all three CIA goals; the question specifically asks for the principle that 'best balances' the requirements, which is the CIA triad itself.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy (e.g., firewalls, IDS, encryption) that does not inherently balance accessibility with protection; it focuses on preventing breaches, not on ensuring data is available when needed. Option B is wrong because least privilege restricts access to the minimum necessary, which can hinder doctors' ability to access patient data in emergencies if not carefully implemented with break-glass mechanisms; it prioritizes confidentiality over availability. Option C is wrong because non-repudiation ensures that actions (e.g., accessing records) cannot be denied, typically via digital signatures or audit logs, but it does not address the balance between access and protection; it is about accountability, not availability.

128
MCQeasy

Which authentication factor does a smart card represent?

A.Something you know
B.Something you have
C.Somewhere you are
D.Something you are
AnswerB

Smart cards are physical tokens.

Why this answer

A smart card is a physical device that stores cryptographic keys or certificates, making it a classic 'something you have' factor. It requires possession of the card to authenticate, even if the user knows a PIN, because the PIN unlocks the card but does not replace the physical possession requirement.

Exam trap

ISC2 often tests the distinction between 'something you have' and 'something you know' by including a PIN as part of smart card usage, leading candidates to mistakenly classify it as 'something you know' instead of recognizing the card itself as the primary factor.

How to eliminate wrong answers

Option A is wrong because 'something you know' refers to knowledge-based factors like passwords or PINs, not a physical device. Option C is wrong because 'somewhere you are' is a location-based factor typically verified via GPS or IP geolocation, not a smart card. Option D is wrong because 'something you are' refers to biometric traits like fingerprints or iris scans, which are inherent to the user, not a separate physical token.

129
MCQeasy

A network engineer is configuring a firewall rule to allow inbound HTTPS traffic to a web server. Which port must be opened?

A.3389
B.22
C.80
D.443
AnswerD

Port 443 is the standard port for HTTPS traffic.

Why this answer

HTTPS (HTTP Secure) uses TLS/SSL encryption over TCP port 443 by default. To allow inbound HTTPS traffic to a web server, the firewall rule must permit TCP destination port 443. Port 80 is used for unencrypted HTTP, not HTTPS.

Exam trap

ISC2 often tests the distinction between HTTP (port 80) and HTTPS (port 443), and the trap here is that candidates confuse the two or assume HTTPS uses port 80 because both are web protocols.

How to eliminate wrong answers

Option A is wrong because port 3389 is used by Remote Desktop Protocol (RDP) for remote desktop access, not for web traffic. Option B is wrong because port 22 is used by SSH for secure remote administration, not for HTTPS. Option C is wrong because port 80 is used for HTTP (unencrypted web traffic), not HTTPS; HTTPS requires TLS encryption on port 443.

130
MCQeasy

A security operations team is implementing a new SIEM solution. They want to ensure that logs from all critical systems are collected and analyzed in real time. Which of the following is the MOST important consideration when designing the log collection architecture?

A.Ensure sufficient network bandwidth and storage capacity
B.Use a standardized log format for all systems
C.Encrypt all log transmissions in transit
D.Define a log retention policy of at least one year
AnswerA

Insufficient bandwidth can cause log loss, and inadequate storage can lead to data being overwritten before analysis.

Why this answer

The most critical factor in real-time log collection is ensuring that the network can handle the volume of log data without congestion and that storage can ingest and retain the data without dropping events. Without sufficient bandwidth, logs will be delayed or lost, defeating the purpose of real-time analysis. Storage capacity directly impacts the ability to retain and query logs for immediate and historical investigation.

Exam trap

ISC2 often tests the distinction between operational feasibility (bandwidth/storage) and security or compliance features, leading candidates to over-prioritize encryption or retention policies when the core requirement is real-time ingestion.

How to eliminate wrong answers

Option B is wrong because while a standardized log format (e.g., syslog, CEF, JSON) simplifies parsing, it is not the most important consideration for real-time collection; the SIEM can normalize diverse formats after ingestion. Option C is wrong because encrypting log transmissions in transit (e.g., TLS) is a security best practice but does not directly affect the feasibility of real-time collection; it adds overhead but is not the primary bottleneck. Option D is wrong because a log retention policy defines how long logs are kept, not how they are collected in real time; retention is a compliance and storage planning concern, not an architectural design priority for ingestion.

131
Multi-Selecteasy

A security analyst is reviewing event logs and notices multiple failed login attempts from a single IP address followed by a successful login. Which TWO actions should the analyst take next?

Select 2 answers
A.Disable the user account immediately.
B.Escalate to the incident response team.
C.Investigate the source IP address for malicious activity.
D.Block the IP address at the firewall.
E.Reset the password for the affected account.
AnswersB, C

Escalation ensures proper handling and coordination, especially if the incident indicates a broader attack.

Why this answer

Options B and E are correct. Investigating the source IP and escalating to the incident response team are appropriate first steps. Disabling the account or resetting the password may be necessary later but should be done after investigation.

Blocking the IP may be done but escalation is more critical.

132
MCQmedium

A company's security policy mandates that all changes to the firewall configuration must be approved by two different administrators before implementation. This is an example of which security principle?

A.Defense in depth
B.Need to know
C.Separation of duties
D.Least privilege
AnswerC

Requiring two administrators for approval is a classic example of separation of duties.

Why this answer

Option C is correct because the requirement for two different administrators to approve firewall configuration changes enforces separation of duties. This principle ensures that no single individual has the authority to make unilateral changes, reducing the risk of unauthorized or malicious modifications. In firewall management, this prevents a single admin from bypassing security controls or introducing backdoors without oversight.

Exam trap

ISC2 often tests separation of duties by presenting scenarios that involve dual approval or task division, and the trap here is confusing it with least privilege, as both limit individual power but least privilege focuses on permissions scope rather than collaborative authorization.

How to eliminate wrong answers

Option A is wrong because defense in depth involves multiple layers of security controls (e.g., firewall, IDS, encryption) to protect assets, not administrative approval workflows. Option B is wrong because need to know restricts access to information based on job requirements, not the authorization process for changes. Option D is wrong because least privilege limits users to the minimum permissions necessary for their role, but does not inherently require dual approval for actions; separation of duties specifically addresses the division of critical tasks among multiple individuals.

133
MCQeasy

A network administrator configures the ACL on a router as shown. What is the effect of this access list?

A.Blocks Telnet traffic entering the interface, but allows all other traffic
B.Blocks SSH traffic (port 22) from entering the interface
C.Blocks Telnet traffic leaving the interface, but allows all other traffic
D.Blocks all TCP traffic except Telnet
AnswerA

The deny statement blocks port 23 (Telnet), and the permit any permits everything else.

Why this answer

Option A is correct because the ACL denies TCP traffic to port 23 (Telnet) and permits all other IP traffic. Option B is wrong because SSH is port 22. Option C is wrong because the ACL is applied inbound on Gig0/1, so it filters incoming traffic only, not outgoing.

Option D is wrong because it applies to all TCP traffic, not just Telnet.

134
MCQhard

A security analyst investigates a possible data exfiltration. The analyst sees a large amount of data being sent to an external IP address at regular intervals. Which of the following is the most likely technique being used?

A.DNS tunneling
B.SQL injection
C.Phishing
D.Man-in-the-middle
AnswerA

DNS tunneling encodes data in DNS requests, allowing stealthy exfiltration.

Why this answer

DNS tunneling encodes data within DNS queries and responses, allowing attackers to bypass network security controls by exfiltrating data through UDP port 53, which is often allowed through firewalls. The regular intervals of large data transfers to an external IP address are characteristic of a DNS tunnel, as the attacker segments data into multiple DNS queries to avoid detection.

Exam trap

ISC2 often tests DNS tunneling as a data exfiltration technique because candidates may overlook that DNS traffic is commonly allowed through firewalls, making it a stealthy channel compared to other attack methods.

How to eliminate wrong answers

Option B is wrong because SQL injection is an attack against a database via web application input fields, not a method for exfiltrating data over the network at regular intervals. Option C is wrong because phishing is a social engineering technique used to steal credentials or deliver malware, not a direct data exfiltration technique that sends large amounts of data to an external IP. Option D is wrong because a man-in-the-middle attack intercepts communications between two parties to eavesdrop or modify traffic, but it does not inherently involve sending large volumes of data to an external IP at regular intervals.

135
MCQmedium

A small company with 50 employees uses a flat network with no VLANs. They recently experienced a ransomware attack that spread from an infected workstation to a file server. The IT manager wants to implement network segmentation to prevent future lateral movement. The company uses a single /24 subnet (192.168.1.0/24) with a single switch and a router/firewall. They have three departments: Sales, HR, and IT. Each department has about 15-20 computers. The file server is in the IT department. The company has a limited budget and cannot purchase new hardware. Which of the following is the MOST effective and practical approach to segment the network given these constraints?

A.Replace the switch with three separate physical switches, each connected to a separate router interface.
B.Create three VLANs on the switch, one for each department, and configure ACLs on the router to allow only necessary inter-VLAN traffic.
C.Implement MAC address filtering on the switch to only allow authorized devices to communicate with the file server.
D.Install a software firewall on each workstation to block traffic from other subnets.
AnswerB

VLANs logically separate traffic, and ACLs enforce policy; uses existing hardware if the switch supports VLANs (most do).

Why this answer

Creating three VLANs on the existing switch segments the flat /24 network into separate broadcast domains, preventing lateral movement by default. Configuring ACLs on the router allows only necessary inter-VLAN traffic (e.g., Sales and HR can access the file server in IT), which stops the ransomware from spreading across departments without requiring new hardware.

Exam trap

ISC2 often tests the misconception that physical separation (Option A) is always required for segmentation, when in fact VLANs provide logical separation at no extra cost, and that MAC filtering (Option C) or host-based firewalls (Option D) can substitute for network-level segmentation, which they cannot because they fail to isolate broadcast domains or prevent Layer 2 attacks.

How to eliminate wrong answers

Option A is wrong because replacing the switch with three separate physical switches violates the budget constraint (no new hardware) and would require additional router interfaces or subinterfaces, which is more expensive and less practical than using VLANs. Option C is wrong because MAC address filtering only controls which devices can communicate with the file server at Layer 2, but it does not segment the network; all devices remain in the same broadcast domain, so ransomware can still spread laterally via ARP spoofing or broadcast-based attacks. Option D is wrong because installing a software firewall on each workstation is impractical to manage across 50 machines, does not prevent Layer 2 lateral movement within the same subnet, and adds no segmentation at the network level—traffic between departments still traverses the flat network without restriction.

136
MCQeasy

An organization's security policy mandates that data must be encrypted both at rest and in transit. Which combination of controls meets this requirement?

A.AES encryption for files and IPsec for network traffic
B.BitLocker and EFS
C.S/MIME for email and RBAC for file access
D.Full-disk encryption and TLS for network communications
AnswerD

Full-disk encryption secures data at rest, and TLS secures data in transit.

Why this answer

Option C is correct because full-disk encryption protects data at rest, and TLS encrypts data in transit. AES is an encryption algorithm, but not a protocol; IPsec encrypts in transit but not at rest. S/MIME is for email in transit, but doesn't cover other data.

RBAC manages access, not encryption.

137
MCQeasy

Refer to the exhibit. Which security control is MOST likely triggered?

A.Intrusion prevention system
B.Account lockout policy
C.Antivirus software
D.Firewall rule
AnswerB

Correct. The message 'account locked due to multiple failed attempts' directly indicates this.

Why this answer

The log shows an account lockout after multiple failed authentication attempts, indicating an account lockout policy is in effect.

138
MCQhard

A company's security policy states that sensitive data must be encrypted using AES-256. During an audit, it is found that some data is encrypted with AES-128. Which security objective is most directly compromised?

A.Integrity
B.Availability
C.Confidentiality
D.Non-repudiation
AnswerC

Correct. Weaker encryption undermines confidentiality by reducing the effort required to break the encryption.

Why this answer

AES-256 offers a higher security margin than AES-128. Using weaker encryption (AES-128) directly reduces the confidentiality protection, making it easier for an attacker to decrypt the data.

139
MCQeasy

A security administrator notices that an employee is able to access files in a project folder they should not have access to. Which security principle is being violated?

A.Least privilege
B.Non-repudiation
C.Separation of duties
D.Defense in depth
AnswerA

Least privilege means users get only necessary permissions; unauthorized access violates this.

Why this answer

The scenario describes an employee accessing files they should not have access to, which directly violates the principle of least privilege. This principle mandates that users and processes should be granted only the minimum permissions necessary to perform their job functions. The administrator's observation indicates that the employee's access rights exceed what is required, leading to unauthorized file access.

Exam trap

ISC2 often tests least privilege by presenting a scenario where a user has more access than needed, and candidates may confuse it with separation of duties because both involve access control, but the key distinction is that least privilege focuses on the level of access per user, while separation of duties focuses on dividing responsibilities among multiple users.

How to eliminate wrong answers

Option B is wrong because non-repudiation ensures that a party cannot deny the authenticity of their actions (e.g., via digital signatures or audit logs), but it does not address the assignment or restriction of access permissions. Option C is wrong because separation of duties divides critical tasks among multiple individuals to prevent fraud or error (e.g., one person requests access, another approves), but the issue here is excessive permissions for a single user, not a lack of task division. Option D is wrong because defense in depth is a layered security strategy (e.g., firewalls, IDS, encryption) that provides multiple controls, but it does not specifically govern the granularity of user permissions; the violation is about over-provisioned access, not insufficient layers.

140
MCQeasy

A network administrator notices unusual traffic from an internal workstation to an external IP address on port 443. The workstation has no business reason for such communication. Which action should the administrator take first?

A.Disable the workstation's network port.
B.Block all outbound traffic from that workstation immediately.
C.Investigate the workstation for possible malware.
D.Configure a firewall rule to allow the traffic and log it.
AnswerC

Investigating helps determine if the traffic is malicious or a false positive.

Why this answer

Option C is correct because the first priority when encountering unexpected outbound traffic to an external IP on port 443 (HTTPS) is to investigate the workstation for possible malware. This traffic could indicate a command-and-control (C2) beacon or data exfiltration, and immediate investigation allows the administrator to gather forensic evidence before taking disruptive actions. Disabling the port or blocking traffic without investigation could destroy evidence or alert an attacker, while allowing the traffic would be negligent.

Exam trap

ISC2 often tests the principle of 'investigate before acting' to avoid destroying evidence, and the trap here is that candidates may choose a reactive security measure (like blocking or disabling) instead of following proper incident response procedures.

How to eliminate wrong answers

Option A is wrong because disabling the network port immediately may destroy volatile evidence (e.g., active network connections, running processes) and could alert an attacker if malware is present, preventing further forensic analysis. Option B is wrong because blocking all outbound traffic without investigation is overly disruptive and may also destroy evidence; a more targeted approach (e.g., using ACLs to log but not block) is preferred initially. Option D is wrong because configuring a firewall rule to allow the traffic and log it would permit potentially malicious communication to continue, increasing risk of data exfiltration or further compromise, and is not a secure first step.

141
MCQmedium

An AWS administrator attached this IAM policy to a user. What is the effect of this policy?

A.The user can delete the bucket if allowed by another policy.
B.The user can still delete objects inside the bucket.
C.The user can delete any bucket except critical-data.
D.The user cannot delete the bucket critical-data.
AnswerD

The Deny effect prevents deletion of the specified bucket.

Why this answer

The policy explicitly denies the s3:DeleteBucket action on the critical-data bucket, overriding any allow.

142
MCQeasy

Which concept ensures that a user cannot deny having performed a specific action?

A.Non-repudiation
B.Availability
C.Integrity
D.Authorization
AnswerA

Non-repudiation provides irrefutable evidence of an action, preventing denial.

Why this answer

Non-repudiation ensures that a user cannot deny having performed a specific action, typically by using cryptographic mechanisms such as digital signatures or audit logs. In the context of the CC exam, this is most commonly achieved through public key infrastructure (PKI) where a private key signs an action, and the corresponding public key verifies the signature, providing irrefutable proof of origin. This prevents a user from later claiming they did not send a message or perform a transaction.

Exam trap

ISC2 often tests the confusion between non-repudiation and integrity, where candidates mistakenly think that ensuring data hasn't changed (integrity) also proves who changed it, but non-repudiation specifically requires a binding identity proof like a digital signature.

How to eliminate wrong answers

Option B (Availability) is wrong because it ensures that systems and data are accessible when needed, often through redundancy and fault tolerance, not by preventing denial of actions. Option C (Integrity) is wrong because it guarantees that data has not been altered or tampered with, typically via hashing or checksums, but does not provide proof of who performed an action. Option D (Authorization) is wrong because it controls what resources a user can access or what actions they can perform, based on policies or permissions, but does not create an irrefutable record of those actions.

143
MCQeasy

A security operations center receives an alert that a workstation has been infected with ransomware. The infection is isolated to one machine. What is the first step in the containment phase of incident response?

A.Restore the workstation from a recent backup
B.Disconnect the workstation from the network
C.Reboot the workstation in safe mode
D.Run a full antivirus scan
AnswerB

Network isolation is the primary containment step to halt lateral movement.

Why this answer

The first step in the containment phase is to disconnect the workstation from the network. This immediately stops the ransomware from spreading laterally to other systems via SMB, RDP, or other network protocols. Containment prioritizes preventing further damage over remediation or analysis.

Exam trap

ISC2 often tests the distinction between containment and eradication/recovery phases, and the trap here is that candidates mistake a recovery action (restore from backup) or a detection action (antivirus scan) for the first containment step.

How to eliminate wrong answers

Option A is wrong because restoring from backup is a recovery-phase action, not a containment step; attempting recovery before containment risks re-infection if the ransomware is still active on the network. Option C is wrong because rebooting in safe mode may allow the ransomware to execute its payload during startup or trigger persistence mechanisms, and it does not stop network-based propagation. Option D is wrong because running a full antivirus scan is a detection/eradication step that can take significant time, during which the ransomware could encrypt additional shares or spread to other hosts.

144
Multi-Selectmedium

Which three of the following are best practices for securing a network switch? (Choose three.)

Select 3 answers
A.Enable Telnet for remote management.
B.Disable unused ports.
C.Use VLANs to segment traffic.
D.Enable STP protection features like BPDU guard.
E.Set all ports to trunk mode by default.
AnswersB, C, D

Reduces attack surface.

Why this answer

Disabling unused ports on a network switch prevents unauthorized physical access and eliminates the risk of an attacker connecting to an open port to launch attacks such as ARP spoofing or DHCP starvation. This is a fundamental security best practice that reduces the attack surface by ensuring that only necessary ports are active and can be administratively controlled.

Exam trap

ISC2 often tests the misconception that Telnet is acceptable for management if a password is set, but the exam expects you to recognize that Telnet lacks encryption and is therefore never a best practice for securing a switch.

145
MCQmedium

After a reorganization, a company using RBAC finds that many users have accumulated permissions that no longer align with their job functions. What is the best practice to address this?

A.Assign permissions directly to each user based on their manager's request
B.Create new roles for each new position and assign users to them
C.Conduct a quarterly review and recertification of role memberships and permissions
D.Delete all existing permissions and re-add them based on current job descriptions
AnswerC

Periodic recertification aligns RBAC with changing job functions.

Why this answer

Option C is correct because conducting a quarterly review and recertification of role memberships and permissions is the industry-standard practice for maintaining the principle of least privilege in an RBAC system. This process ensures that role assignments are periodically validated against current job functions, removing accumulated permissions that no longer align with user responsibilities. It directly addresses permission creep by enforcing a formal, auditable lifecycle for role membership.

Exam trap

ISC2 often tests the misconception that a one-time cleanup (Option D) or ad-hoc direct assignments (Option A) are sufficient, when the real requirement is a continuous, auditable recertification process to maintain least privilege over time.

How to eliminate wrong answers

Option A is wrong because assigning permissions directly to each user bypasses the RBAC model entirely, leading to user-specific permission assignments that are difficult to audit, manage, and revoke, which exacerbates permission creep rather than resolving it. Option B is wrong because creating new roles for each new position without reviewing existing roles leads to role explosion, increasing administrative overhead and making the RBAC model less scalable and harder to maintain. Option D is wrong because deleting all existing permissions and re-adding them based on current job descriptions is a disruptive, high-risk approach that can cause immediate access outages and does not provide a sustainable, recurring process for managing role membership changes.

146
Multi-Selectmedium

Which TWO of the following are best practices for securing a wireless network? (Select exactly two.)

Select 2 answers
A.Use WEP encryption for compatibility
B.Disable SSID broadcast
C.Implement MAC address filtering
D.Disable DHCP and use static IP addressing
E.Enable WPA3 encryption
AnswersC, E

MAC filtering can restrict which devices can connect, though it can be spoofed.

Why this answer

Option C is correct because MAC address filtering restricts network access to devices with pre-approved MAC addresses, adding a layer of access control. While not foolproof (MACs can be spoofed), it is a recognized best practice for reducing the attack surface in small or home networks.

Exam trap

ISC2 often tests the misconception that hiding the SSID or using static IPs are effective security measures, when in fact they are easily bypassed and do not protect against modern wireless attacks.

147
MCQmedium

After a ransomware attack, the company wants to ensure that critical data can be restored. Which principle is being addressed?

A.Integrity
B.Confidentiality
C.Availability
D.Non-repudiation
AnswerC

Availability ensures data is accessible when needed; backups support recovery.

Why this answer

Correct: C - Availability. Availability ensures data is accessible when needed, and backups are a key control. Option A is wrong because confidentiality prevents unauthorized disclosure.

Option B is wrong because integrity ensures data accuracy. Option D is wrong because non-repudiation ensures actions cannot be denied.

148
Matchingmedium

Match each security policy type to its focus.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Rules for using company assets

How long data is kept

Steps to restore IT after a disaster

Maintain operations during disruptions

Why these pairings

These policies are part of governance and compliance.

149
MCQhard

During a disaster recovery exercise, the system fails to achieve the RTO. Analysis shows that restoring the database from tape takes 3 hours, but the RTO is 2 hours. Which is the most effective solution?

A.Use differential instead of full backups
B.Switch from tape to disk-based backups
C.Implement a hot standby database replica
D.Increase the RTO to 3 hours
AnswerC

A hot replica is synchronized and can be activated immediately, meeting RTO.

Why this answer

The correct answer is C because the RTO (Recovery Time Objective) is a business requirement that cannot be changed by simply adjusting the backup method. A hot standby database replica (e.g., using synchronous replication or Oracle Data Guard) provides near-instant failover, reducing recovery time to minutes, which directly meets the 2-hour RTO. This solution addresses the root cause—the restore process is too slow—by eliminating the need to restore from backup entirely.

Exam trap

ISC2 often tests the misconception that improving backup speed (e.g., switching to disk or differential backups) is sufficient to meet RTO, when the real solution is to eliminate the restore process entirely with a high-availability replica.

How to eliminate wrong answers

Option A is wrong because differential backups reduce the amount of data to restore but still require a full restore from tape, which takes 3 hours; the bottleneck is the tape read speed, not the backup type. Option B is wrong because switching to disk-based backups improves restore speed but still involves restoring a full database from backup, which may not reduce the time below 2 hours if the database is large; the fundamental issue is the restore process itself, not the media. Option D is wrong because increasing the RTO to 3 hours violates the business requirement and is not a technical solution; RTO is a predefined objective, not a negotiable parameter in a disaster recovery exercise.

150
Multi-Selectmedium

Which TWO are essential elements of a business impact analysis (BIA)?

Select 2 answers
A.A network topology diagram
B.List of all employees
C.Identification of critical business functions
D.Assignment of IP addresses
E.Determination of maximum acceptable outage (MAO)
AnswersC, E

A core element of BIA.

Why this answer

Option C is correct because identifying critical business functions is a core element of a BIA. The BIA determines which systems and processes are essential for business operations, and without this identification, you cannot prioritize recovery efforts or allocate resources effectively during a disaster.

Exam trap

ISC2 often tests the distinction between BIA elements (like critical functions and MAO) and technical implementation details (like IP addresses or network diagrams), so candidates mistakenly choose options that sound technical but are irrelevant to the BIA process.

Page 1

Page 2 of 7

Page 3

All pages