ISC2 Certified in Cybersecurity (CC) — Questions 151–225

500 questions total · 7 pages · All types, answers revealed

Page 3 of 7
151
MCQ · easy

During a disaster recovery test, the team discovers that the backup generator fails to start. What is the BEST immediate action?

A. Continue the test with manual procedures
B. Cancel the test
C. Document the issue and proceed
D. Shut down the data center
Answer: C

Documenting allows the test to continue while capturing the failure for later analysis.

Why this answer

Option C is correct because the immediate priority during a disaster recovery test is to document the failure and continue the test to evaluate the remaining components of the DR plan. The backup generator failure is a specific issue that should be logged for post-test remediation, but aborting the test prematurely would lose valuable data on other failover mechanisms, such as UPS runtime, network redundancy, or application recovery. Proceeding with documentation ensures the test's integrity while capturing the incident for root cause analysis.

Exam trap

ISC2 often tests the misconception that any hardware failure during a DR test automatically invalidates the entire test, tempting candidates to choose 'Cancel the test' (Option B) instead of recognizing that documentation and continuation preserve the test's value for other critical components.

How to eliminate wrong answers

Option A is wrong because continuing the test with manual procedures bypasses the automated failover that the generator was supposed to support, invalidating the test's ability to measure true recovery time objectives (RTOs) and recovery point objectives (RPOs). Option B is wrong because canceling the test discards the opportunity to validate all other DR components (e.g., storage replication, DNS failover, load balancer health checks) that are independent of the generator; a partial test with documented issues is more valuable than no test. Option D is wrong because shutting down the data center is an extreme, unnecessary action that would cause a full outage, violating the principle of minimizing disruption during a test; the generator failure alone does not indicate an immediate safety or data loss risk.

152
MCQ · medium

An organization is implementing a patch management program. Which of the following is the BEST approach to minimize risk while maintaining operational stability?

A. Skip patches that are not related to security.
B. Apply patches to all systems simultaneously.
C. Only patch systems that are internet-facing.
D. Deploy patches to a test environment before production.
Answer: D

Testing identifies compatibility issues before production deployment.

Why this answer

Option D is correct because testing patches in a staging environment reduces the chance of adverse impacts. Option B is risky without testing. Option C leaves many systems vulnerable. Option A ignores important security patches.

153
MCQ · easy

A network administrator needs to provide secure remote access to internal resources for employees working from home. The solution must encrypt all traffic and authenticate users before granting access. Which protocol should be used?

A. SSH
B. IPsec
C. SSL/TLS VPN
D. SNMPv3
Answer: C

SSL/TLS VPN provides encrypted remote access with user authentication, suitable for this requirement.

Why this answer

C is correct because SSL/TLS VPNs (e.g., Cisco AnyConnect) provide encrypted tunnels over HTTPS (port 443) and support user authentication via certificates, RADIUS, or LDAP. This allows secure remote access to internal resources without requiring a persistent IPsec tunnel, making it ideal for home workers with dynamic IPs.

Exam trap

ISC2 often tests the distinction between site-to-site IPsec (which is network-layer and device-oriented) and remote-access SSL/TLS VPNs (which are user-oriented and firewall-friendly), leading candidates to pick IPsec for any 'secure remote access' scenario.

How to eliminate wrong answers

Option A is wrong because SSH provides encrypted remote shell access but is not designed to tunnel all traffic or authenticate users for broad internal resource access; it typically requires a separate VPN solution for full network-layer encryption. Option B is wrong because IPsec VPNs require client software and often complex configuration (e.g., IKEv1/IKEv2, pre-shared keys), and while they encrypt traffic, they are less flexible for user-based authentication over HTTPS and can be blocked by firewalls. Option D is wrong because SNMPv3 provides encrypted management of network devices (using AES/SHA) but is not a remote access protocol; it is used for monitoring, not for user authentication or tunneling traffic to internal resources.

154
MCQ · hard

During a penetration test, an analyst discovers that a company's internal network has a switch configured with port security that allows only one MAC address per port. However, the analyst is able to plug a rogue device into a wall jack and successfully gain network access. What is the most likely weakness in this configuration?

A. The administrator configured 'port-security maximum 1' but forgot to enable 'port-security' globally.
B. The switchport security violation mode is set to 'shutdown' instead of 'restrict'.
C. The switchport uses sticky MAC learning, and the attacker used a MAC spoofing attack to mimic an authorized device.
D. The switchport is configured as an access port but the rogue device is using a VLAN trunk.
Answer: C

Sticky MAC learns the first MAC; spoofing that MAC allows access.

Why this answer

Option C is correct because port security with sticky MAC learning records the first MAC address seen on a port and then restricts access to that address only. However, if an attacker spoofs the MAC address of an already-authorized device, the switch sees the spoofed MAC as valid and permits access, bypassing the one-MAC-per-port restriction. This is a common bypass when sticky MAC is used without additional protections like 802.1X or MAC authentication bypass (MAB).

Exam trap

ISC2 often tests the misconception that 'port-security maximum 1' alone prevents any unauthorized device, but the trap here is that sticky MAC learning does not prevent MAC spoofing—it only restricts the number of unique MACs, not the identity of the device using that MAC.

How to eliminate wrong answers

Option A is wrong because 'port-security maximum 1' is a per-interface command; port security does not require a global 'enable' command—it is enabled per interface with 'switchport port-security'. Option B is wrong because changing the violation mode from 'shutdown' to 'restrict' would still drop or log violations but not prevent the initial spoofing attack—the issue is that the spoofed MAC is not considered a violation at all. Option D is wrong because configuring the port as an access port with a rogue device using a VLAN trunk would cause a mismatch (native VLAN or DTP negotiation), but the question states the attacker gains access, implying successful communication; trunking does not bypass MAC address filtering.

155
MCQ · medium

A company wants to ensure that a message received was not altered in transit. Which principle is of primary concern?

A. Availability
B. Authentication
C. Confidentiality
D. Integrity
Answer: D

Integrity ensures data is unaltered.

Why this answer

Correct: D - Integrity. Integrity ensures data has not been modified by unauthorized parties. Option A is wrong because availability ensures access. Option B is wrong because authentication verifies identity. Option C is wrong because confidentiality protects against disclosure.

156
Multi-Select · medium

Which TWO are primary objectives of a Business Continuity Plan (BCP)? (Select two.)

Select 2 answers
A. Comply with regulations
B. Ensure employee safety
C. Restore IT systems within RTO
D. Minimize financial loss
E. Protect brand reputation
Answers: B, D

Employee safety is the highest priority in any continuity plan.

Why this answer

BCP focuses on ensuring employee safety and minimizing financial loss. Restoring IT systems is part of disaster recovery, not the primary BCP goal.

157
MCQ · hard

A company has implemented a role-based access control (RBAC) system. A new employee in the finance department is granted the 'Finance User' role, which allows them to view invoices but not create payments. However, after a system upgrade, it is discovered that the 'Finance User' role now includes the ability to create payments due to a misconfiguration. The employee did not request this additional privilege and has not exploited it. The security team is notified. Which principle has been violated, and what is the most appropriate immediate action?

A. Separation of duties; disable the employee's account until an investigation is complete
B. Accountability; remove the 'Finance User' role from all employees
C. Least privilege; revoke the employee's access permanently
D. Least privilege; correct the role permissions to only what is necessary
Answer: D

This restores the principle without impacting the employee's legitimate duties.

Why this answer

Correct: Least privilege is violated because the employee has more permissions than needed. The immediate action is to correct the role permissions and revert the misconfiguration (D). Option A is wrong because disabling the account prevents work; Option B is wrong because removing the role altogether is too broad; Option C is wrong because the employee did not misuse the privilege.

158
MCQ · hard

An organization's security policy requires that all access to sensitive data must be approved by a data owner. An administrator configures a system to enforce this. Which principle is being implemented?

A. Accountability
B. Least privilege
C. Non-repudiation
D. Authorization
Answer: D

Authorization enforces permissions based on approval.

Why this answer

Correct: D - Authorization. Authorization determines what actions an authenticated user is permitted to perform, based on approval. Option B is wrong because least privilege is about limiting access to the minimum necessary, but does not mandate a separate approver. Option A is wrong because accountability tracks actions. Option C is wrong because non-repudiation prevents denial.

159
Multi-Select · hard

Which TWO principles are essential for ensuring accountability in an information system? (Choose two.)

Select 2 answers
A. Confidentiality
B. Availability
C. Least privilege
D. Audit trails
E. Non-repudiation
Answers: D, E

Audit trails record actions, enabling traceability and accountability.

160
Drag & Drop · medium

Drag and drop the steps to recover a system from a verified backup after a ransomware attack into the correct order.

Why this order

Recovery requires isolation, backup verification, wiping, restoration, and scanning.

161
MCQ · hard

A system administrator accidentally grants a user full administrative rights instead of read-only. Which control would best detect this error?

A. Preventive control
B. Deterrent control
C. Corrective control
D. Detective control
Answer: D

Detective controls like audit logs can detect the misconfiguration.

Why this answer

Detective controls, such as audit logs and monitoring, identify misconfigurations after they occur. Option A (Preventive) blocks errors. Option C (Corrective) fixes issues. Option B (Deterrent) discourages.

162
MCQ · hard

You are a security analyst at a medium-sized company with 500 employees. The company uses a centralized log management system that collects logs from all servers and network devices. For the past week, you have noticed a pattern: every night at 2:00 AM, a series of failed login attempts occurs on the domain controller from an internal IP address (10.10.50.100). The attempts use the username "Administrator" and are always from the same workstation in the accounting department. The accounting department operates 9 AM to 6 PM, so no one is in the office at 2 AM. You have checked the workstation's physical security; it is in a locked office with access only by authorized accounting staff. The workstation is running Windows 10 with up-to-date antivirus and has no signs of compromise. You also checked the network switch logs and see that the workstation is connected to a specific port. You suspect the workstation might be compromised or being used remotely. What is the most appropriate next step?

A. Reimage the workstation with a clean OS image and reset all passwords.
B. Perform a forensic analysis of the workstation to identify any malware or remote access tools.
C. Increase the password complexity requirements for the domain.
D. Immediately block the IP address at the firewall and disable the administrator account.
Answer: B

Forensic analysis can uncover the source of the logins and determine if the workstation is truly compromised.

Why this answer

Option B is correct because the pattern of failed logins at 2 AM from a locked workstation with no signs of compromise strongly suggests a remote access tool (RAT) or hidden malware that is not detected by standard antivirus. Forensic analysis of the workstation is the most appropriate next step to identify the specific malware or remote access tool, its persistence mechanism, and the attacker's entry point, which is essential before taking any remediation actions. This aligns with the incident response process of identification and analysis before containment or eradication.

Exam trap

ISC2 often tests the candidate's ability to prioritize the incident response process; the trap here is that many candidates jump to containment (reimaging, blocking IP) or prevention (password complexity) without first performing forensic analysis to understand the scope and method of the compromise.

How to eliminate wrong answers

Option A is wrong because reimaging the workstation without first performing forensic analysis would destroy critical evidence needed to understand the attack vector, the malware's behavior, and the attacker's methods, potentially allowing the attacker to regain access through another compromised system. Option C is wrong because increasing password complexity does not address the root cause; the attacker is already using a valid username ('Administrator') and the failed logins are from a specific workstation, indicating a targeted attack rather than a brute-force password guessing issue. Option D is wrong because immediately blocking the IP address and disabling the administrator account is premature; the internal IP (10.10.50.100) belongs to a legitimate workstation, and disabling the account could disrupt business operations, while the attacker may have other access methods or accounts that would remain undetected.

163
MCQ · medium

During a forensic investigation, it is crucial to preserve the original evidence. What is the first step the investigator should take when acquiring a hard drive?

A. Boot the drive to check for operating system errors
B. Turn off the computer and remove the hard drive
C. Create a forensic image using a write blocker
D. Calculate the hash of the original drive
Answer: C

A write-blocked forensic image ensures no data is altered during acquisition.

Why this answer

Option C is correct because creating a bit-for-bit forensic image through a write blocker preserves the original evidence. Hashing (D) verifies integrity but is done after imaging. Booting (A) modifies data. Turning off the computer (B) may be necessary but is not the first acquisition step; the first step is to image with a write blocker.

164
Multi-Select · medium

Which TWO of the following are methods to ensure non-repudiation? (Select two.)

Select 2 answers
A. Audit logs
B. Biometric authentication
C. Digital signatures
D. Access control lists
E. Encryption
Answers: A, C

Correct. Audit logs provide evidence of actions, supporting non-repudiation.

Why this answer

Digital signatures provide cryptographic proof of origin, and audit logs provide a record of actions. Together they ensure that a party cannot deny involvement.

165
Multi-Select · medium

According to the NIST incident response lifecycle, which three phases are considered the core phases?

Select 3 answers
A. Root cause analysis
B. Containment, Eradication, and Recovery
C. Incident declaration
D. Detection and Analysis
E. Preparation
Answers: B, D, E

This phase focuses on stopping the incident and restoring operations.

Why this answer

The NIST incident response lifecycle (SP 800-61) defines four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The core phases that form the active response cycle are Preparation, Detection and Analysis, and Containment, Eradication, and Recovery. Options B, D, and E together list these three essential operational phases, while Post-Incident Activity is a follow-up phase.

Exam trap

ISC2 often tests the distinction between the core phases and sub-activities within them, so candidates mistakenly select root cause analysis or incident declaration as separate phases instead of recognizing they are tasks within the Post-Incident Activity or Detection and Analysis phases.

166
MCQ · hard

A multinational corporation has a policy that all sensitive emails must be digitally signed and encrypted. However, during a recent internal audit, it was discovered that many employees were not using digital signatures because the process was cumbersome. As a result, the company could not prove that certain emails were actually sent by the claimed sender. The security team needs to improve compliance without sacrificing security. Which of the following is the best approach?

A. Implement a mandatory training program emphasizing the importance of digital signatures.
B. Reduce the encryption strength to speed up the signing process.
C. Integrate the signing process seamlessly into the email client to reduce friction.
D. Allow employees to use personal signing certificates.
Answer: C

Seamless integration improves user compliance while maintaining security.

Why this answer

Integrating the signing process seamlessly into the email client reduces friction and increases compliance while maintaining security. Training alone does not address the cumbersome process, reducing encryption strength weakens security, and allowing personal certificates complicates management.

167
MCQ · easy

A small business has a single server that hosts critical applications. The server's hard drive fails, and the most recent backup is 3 days old. The backup is stored on an external drive that is kept in the same room as the server. The server is also the domain controller and file server. After replacing the drive and restoring from backup, the IT administrator discovers that some user files are missing because they were created after the backup. The administrator needs to minimize data loss in the future. Which of the following should be implemented?

A. Use a cloud-based backup solution.
B. Perform daily backups and store them offsite.
C. Implement RAID 1 for disk redundancy.
D. Enable versioning on the file server.
Answer: A

Provides automated offsite backups with flexible scheduling, reducing data loss risk.

Why this answer

A cloud-based backup solution automatically stores backups offsite, ensuring that even if the local site is compromised or the backup drive fails, recent data is recoverable. This minimizes data loss by enabling more frequent backups (e.g., hourly or continuous) without relying on manual intervention or physical media rotation, directly addressing the 3-day gap in the scenario.

Exam trap

ISC2 often tests the distinction between high availability (RAID, redundancy) and backup/disaster recovery, leading candidates to mistakenly choose RAID 1 as a solution for data loss when it only protects against hardware failure, not data corruption or user error.

How to eliminate wrong answers

Option B is wrong because performing daily backups and storing them offsite still leaves a potential 24-hour data loss window, and the backup frequency (daily) does not address the need for more granular recovery of files created after the last backup. Option C is wrong because RAID 1 provides disk redundancy against a single drive failure but does not protect against data loss from accidental deletion, corruption, or the need to recover files created after a backup; it is not a backup solution. Option D is wrong because enabling versioning on the file server (e.g., Windows Previous Versions or Volume Shadow Copy) only protects against accidental modification or deletion of files that exist on the server, not against the loss of files that were created after the last backup and never existed in a previous version.

168
MCQ · medium

A company experiences a data breach where customer PII was exfiltrated. The incident response team contains the breach and restores systems. Which step in the risk management process should the company prioritize next to prevent recurrence?

A. Risk mitigation
B. Risk communication
C. Risk assessment
D. Risk identification
Answer: A

Risk mitigation (treatment) is the next step to reduce the risk of recurrence.

Why this answer

After an incident, risk treatment involves implementing controls to reduce risk. Risk identification already occurred.

169
Multi-Select · hard

Which TWO are appropriate methods to test a disaster recovery plan?

Select 2 answers
A. Parallel test
B. Regression test
C. Acceptance test
D. Simulation test
E. Unit test
Answers: A, D

A common DR test method.

Why this answer

A parallel test is appropriate because it runs the DR site in parallel with the production environment, allowing validation of failover processes and data replication without impacting live operations. This method verifies that the backup systems can handle real workloads and that synchronization mechanisms (e.g., asynchronous replication or log shipping) are functioning correctly. It provides a high-confidence check of the DR plan's effectiveness while maintaining business continuity.

Exam trap

ISC2 often tests the distinction between DR testing methods (parallel, simulation, walkthrough) and software development testing types (unit, regression, acceptance), leading candidates to incorrectly select development tests as valid DR validation techniques.

170
MCQ · hard

A security analyst reviews firewall logs and notices a large number of outbound connections from a single internal IP to a known malicious IP on port 445. The analyst quarantines the workstation and runs an antivirus scan, which finds no malware. What should the analyst do next?

A. Conclude that the scan is clean and remove the quarantine.
B. Reimage the workstation immediately.
C. Block all outbound traffic on port 445 from the internal network.
D. Analyze network traffic to identify the process responsible for the connections.
Answer: D

Further investigation helps identify the root cause.

Why this answer

Option D is correct because the absence of malware detection does not rule out malicious activity; the connections could be caused by a legitimate process that has been abused (e.g., a vulnerable service or script) or by fileless malware that evades signature-based scans. Analyzing network traffic with tools like Wireshark or NetFlow can identify the source process (e.g., via Windows Event Logs or Sysmon), the exact data being sent, and whether the traffic is encrypted or uses SMB protocol specifics on port 445. This forensic step is essential before taking irreversible actions like reimaging or broad blocking.

Exam trap

ISC2 often tests the misconception that a clean antivirus scan means the system is secure, when in reality, fileless malware or living-off-the-land binaries (LOLBins) can evade traditional scans and require network-level forensics to detect.

How to eliminate wrong answers

Option A is wrong because a clean antivirus scan does not guarantee the system is safe—fileless malware, PowerShell-based attacks, or legitimate tools (e.g., PsExec) can generate malicious outbound connections without leaving traditional malware files. Option B is wrong because reimaging destroys forensic evidence and may be premature without understanding the root cause; the analyst should first confirm the process and data exfiltration to determine if containment or remediation is needed. Option C is wrong because blocking all outbound traffic on port 445 from the internal network could disrupt legitimate SMB-based services (e.g., file sharing, printer access) and does not address the specific compromised host; a more targeted block (e.g., only to the malicious IP) or process-level restriction is appropriate.

171
MCQ · medium

An organization's backup strategy includes daily full backups. However, recovery tests show that restoring from tape takes 6 hours longer than expected. What is the most likely cause?

A. Improperly documented recovery procedures
B. Tape drive failure
C. Inadequate storage capacity
D. Insufficient bandwidth
Answer: A

Poor documentation can cause steps to be missed or performed incorrectly, leading to delays.

Why this answer

Improperly documented recovery procedures can lead to incorrect steps or delays during restoration, which is a common cause of extended recovery times.

172
Multi-Select · easy

Which THREE are core components of the CIA triad? (Choose three.)

Select 3 answers
A. Confidentiality
B. Integrity
C. Accountability
D. Availability
E. Non-repudiation
Answers: A, B, D

Confidentiality is one of the three core CIA goals.

173
MCQ · hard

Refer to the exhibit. What is the effect of this ACL?

A. All HTTPS traffic is permitted
B. Only hosts from 10.0.1.0/24 can access HTTPS on 192.168.2.100
C. HTTPS traffic from 10.0.1.0/24 to 192.168.2.100 is permitted; all other HTTPS is denied
D. The ACL is invalid due to ordering
Answer: C

This accurately describes the combined effect of the permit and deny statements.

Why this answer

The ACL explicitly permits HTTPS (TCP port 443) traffic from source network 10.0.1.0/24 to destination host 192.168.2.100. Since ACLs have an implicit deny all at the end, any HTTPS traffic not matching this permit statement is denied. Option C correctly states that only this specific traffic is permitted and all other HTTPS is denied.

Exam trap

ISC2 often tests the implicit deny any at the end of ACLs, causing candidates to forget that even if a permit statement exists, all other traffic is denied unless explicitly permitted.

How to eliminate wrong answers

Option A is wrong because the ACL only permits HTTPS from 10.0.1.0/24 to 192.168.2.100, not all HTTPS traffic. Option B is wrong because it incorrectly implies that only hosts from 10.0.1.0/24 can access HTTPS on 192.168.2.100, but the ACL does not restrict other traffic types or deny other sources from accessing HTTPS on that host—it simply permits this specific flow and denies all other HTTPS implicitly. Option D is wrong because the ACL is valid; the order of a single permit statement does not make it invalid, and there is no rule requiring a specific order for a single entry.

174
MCQ · medium

An analyst reviews the exhibit. Which security principle is being violated by allowing root login via SSH?

A. Fail-safe
B. Least privilege
C. Defense in depth
D. Separation of duties
Answer: B

Correct. Root should not be allowed to log in directly.

Why this answer

Allowing root login via SSH violates the principle of least privilege because it grants unrestricted administrative access to the system, bypassing any need for privilege escalation. In a properly secured SSH configuration, root login should be disabled (e.g., `PermitRootLogin no` in `/etc/ssh/sshd_config`), forcing administrators to log in as a regular user and then use `sudo` or `su` to elevate privileges only when necessary. This minimizes the attack surface and ensures that actions are auditable and tied to a specific user account.

Exam trap

ISC2 often tests the distinction between least privilege and defense in depth, where candidates mistakenly choose defense in depth because they think multiple security layers are involved, but the question specifically targets the principle of granting only the minimum necessary access.

How to eliminate wrong answers

Option A is wrong because fail-safe refers to a system defaulting to a secure state upon failure (e.g., a firewall dropping all traffic if it crashes), not to restricting root access. Option C is wrong because defense in depth involves multiple layers of security controls (e.g., firewalls, IDS, encryption), whereas disabling root login is a single access control measure. Option D is wrong because separation of duties divides critical tasks among multiple individuals to prevent fraud or error, which is unrelated to the SSH root login configuration.

175
Drag & Drop · medium

Drag and drop the steps to configure a wireless access point with WPA2-PSK security into the correct order.

Why this order

WPA2-PSK requires setting SSID, security mode, and PSK.

176
MCQ · easy

A network administrator is troubleshooting a connectivity issue between two segments separated by a firewall. The firewall rule allows traffic from 10.1.1.0/24 to 10.2.2.0/24 on TCP 443. Users in 10.1.1.0/24 can access the web server at 10.2.2.10, but users in 10.2.2.0/24 cannot access a web server in 10.1.1.0/24. What is the most likely cause?

A. The web server in 10.1.1.0 is blocking the IP range of 10.2.2.0/24.
B. The firewall rule is incorrectly applied to the wrong interface.
C. The subnet masks are misconfigured, causing routing issues.
D. The firewall is not stateful and does not automatically allow return traffic; a separate rule is needed.
Answer: D

Without stateful inspection, each direction requires an explicit rule. The existing rule only covers one direction.

Why this answer

The firewall rule only permits traffic from 10.1.1.0/24 to 10.2.2.0/24 on TCP 443. When users in 10.2.2.0/24 initiate a connection to the web server in 10.1.1.0/24, the firewall sees a new session that does not match the existing rule (source/destination reversed). If the firewall is not stateful, it will not automatically allow the return traffic for the reverse direction, and no separate rule exists to permit that traffic, causing the connectivity failure.

Exam trap

ISC2 often tests the misconception that a single firewall rule allowing traffic in one direction automatically permits the return traffic, but in stateless firewalls or when stateful inspection is disabled, you must explicitly create a rule for the reverse direction.

How to eliminate wrong answers

Option A is wrong because the web server in 10.1.1.0/24 is not blocking the IP range; the issue is at the firewall, not the server's access control. Option B is wrong because the rule is correctly applied to allow traffic from 10.1.1.0/24 to 10.2.2.0/24, and the problem is the missing rule for the reverse direction, not an interface misapplication. Option C is wrong because subnet mask misconfiguration would cause routing issues for both directions, but users in 10.1.1.0/24 can reach 10.2.2.10 successfully, indicating routing is working; the issue is specifically the lack of a firewall rule for the reverse traffic.

177
MCQ · easy

A security administrator notices that a user's account has been used to access sensitive files at unusual hours. Which security principle would most effectively help detect this type of activity?

A. Non-repudiation
B. Availability
C. Integrity
D. Accountability
Answer: D

Accountability tracks user activities and enables detection.

Why this answer

Accountability enables tracking of user actions through logs and monitoring. Option A (Non-repudiation) prevents denial of actions but does not focus on detection. Option C (Integrity) ensures data accuracy. Option B (Availability) ensures data is accessible.

178
MCQmedium

During a security incident, the incident response team needs to preserve evidence for potential legal action. Which of the following is the most important action to take when collecting volatile data from a compromised server?

A. Capture the contents of RAM.
B. Make a bit-for-bit copy of all storage.
C. Create a forensic image of the hard drive.
D. Review system logs.
Answer: A

RAM is the most volatile data; it must be collected before power is removed.

Why this answer

Volatile data in RAM is lost when power is removed. Capturing RAM preserves evidence that might contain running processes, network connections, and encryption keys. Disk images are non-volatile and can be collected later.

179
Multi-Select · medium

Which THREE elements are essential components of a business continuity plan (BCP)?

Select 3 answers
A. Data backup schedules and procedures
B. Business impact analysis (BIA) results
C. Incident response team roster
D. Emergency contact lists
E. Detailed network topology diagrams
Answers: A, B, D

Backup procedures ensure data availability.

Why this answer

Data backup schedules and procedures are essential because they ensure that critical data can be restored after a disruption. A BCP must specify the frequency of backups (e.g., daily incremental, weekly full), the retention policy, and the recovery point objective (RPO) to meet business requirements. Without defined schedules and procedures, data loss or corruption could render the recovery process ineffective.

Exam trap

ISC2 often tests the distinction between a BCP and an incident response plan, where candidates mistakenly include incident-specific elements like team rosters or forensic procedures as BCP components.

180
Multi-Select · medium

A SOC analyst is reviewing a security alert about a potential brute-force attack on the company's VPN server. The analyst sees multiple failed login attempts from different IP addresses within a short time frame. Which TWO actions should the analyst take to verify and respond to this incident? (Choose two.)

Select 2 answers
A. Implement an account lockout policy after a certain number of failed attempts
B. Review the VPN server logs for any successful logins following the failed attempts
C. Notify all users to change their passwords immediately
D. Block all source IP addresses that appeared in the failed attempts
E. Disable VPN access until the attack source is identified
Answers: A, B

Lockout policies mitigate brute-force attacks by limiting attempts.

Why this answer

Options A and B are correct. Checking the VPN server logs for successful logins after the failed attempts helps determine whether the attack succeeded. Implementing an account lockout policy is a preventive measure that slows down brute-force attacks.

Option D is wrong because blocking all source IPs may include legitimate users. Option C is wrong because notifying all users is premature and may cause unnecessary alarm. Option E is wrong because disabling the VPN service would disrupt all remote access.

181
MCQ · medium

During a disaster recovery test, backup tapes fail to restore data due to format incompatibility. Which element of the Business Continuity Plan should be updated?

A. Plan testing and maintenance
B. Business Impact Analysis (BIA)
C. Recovery strategies
D. Communication plan
Answer: A

This phase includes reviewing test results and updating the plan to fix discovered problems.

Why this answer

The failure of backup tapes to restore data due to format incompatibility indicates that the recovery procedures and tools were not validated during testing. This directly points to a deficiency in the 'Plan testing and maintenance' element, which ensures that backup media formats, restoration tools, and procedures are regularly verified and updated to match the current production environment. Without scheduled testing and maintenance, format drift between backup software versions or hardware changes can render tapes unreadable.

Exam trap

ISC2 often tests the distinction between 'plan testing and maintenance' (which validates technical execution) and 'recovery strategies' (which are high-level design choices), leading candidates to mistakenly select recovery strategies when the root cause is a failure in validation and upkeep.

How to eliminate wrong answers

Option B is wrong because the Business Impact Analysis (BIA) identifies critical business functions, recovery time objectives (RTOs), and recovery point objectives (RPOs), but it does not address the technical compatibility of backup media or the validation of restoration procedures. Option C is wrong because recovery strategies define the high-level approach to restoring operations (e.g., hot site, cold site, cloud failover), not the specific testing of backup tape formats or restoration tools. Option D is wrong because the communication plan covers notification and escalation procedures during an incident, not the technical verification of backup media compatibility or the maintenance of restoration capabilities.

182
Multi-Select · hard

When designing a secure network, which TWO of the following are fundamental security principles that should be applied?

Select 2 answers
A. Fail secure
B. Complete mediation
C. Open design
D. Economy of mechanism
E. Least privilege
Answers: A, E

Fail secure ensures security during failures.

Why this answer

Fail secure ensures the system remains secure on failure. Least privilege restricts access to the minimum. The other options are important but less fundamental in network design.

183
Drag & Drop · medium

Drag and drop the steps for the TCP three-way handshake into the correct order.

Why this order

The TCP three-way handshake establishes a connection: SYN, SYN-ACK, ACK.

184
MCQ · medium

A company's security operations center (SOC) receives an alert about suspicious outbound traffic from a server in the DMZ to an external IP address known for command-and-control activity. The SOC analyst reviews the logs and sees that the source port is 443 and the destination port is 8080. Which of the following actions should the analyst take FIRST?

A. Notify the incident response team and management immediately
B. Isolate the server from the network and investigate further
C. Block the external IP address at the firewall
D. Modify the firewall rule to deny all outbound traffic from the DMZ
Answer: B

Isolation contains the threat and allows forensic analysis without risk of further damage.

Why this answer

The SOC analyst should first isolate the server from the network because the outbound traffic from a DMZ server to a known C2 IP address, using source port 443 (HTTPS) to destination port 8080 (HTTP alternate), indicates a potential compromise. Isolating the server stops the data exfiltration and prevents further C2 communication, allowing for a controlled forensic investigation without alerting the attacker. This aligns with the NIST SP 800-61 incident response process, where containment is prioritized before eradication or recovery.

Exam trap

ISC2 often tests the candidate's ability to prioritize containment over notification or broad blocking, trapping those who confuse 'first action' with 'escalation' or who apply overly aggressive firewall changes without considering service impact.

How to eliminate wrong answers

Option A is wrong because notifying the incident response team and management immediately is premature; the analyst must first contain the threat by isolating the server to prevent further damage, as notification can occur after initial containment. Option C is wrong because blocking the external IP address at the firewall is a reactive measure that does not stop the compromised server from communicating with other C2 IPs or using different ports, and it may alert the attacker to change tactics. Option D is wrong because modifying the firewall rule to deny all outbound traffic from the DMZ would disrupt legitimate services hosted in the DMZ (e.g., web servers, mail relays) and is an overly broad, non-surgical response that violates the principle of least disruption.

185
Multi-Select · hard

Which THREE security mechanisms should be implemented to secure a network against ARP spoofing attacks? (Choose three.)

Select 3 answers
A. IP Source Guard
B. Port security
C. Dynamic ARP Inspection (DAI)
D. MAC address filtering
E. DHCP Snooping
Answers: A, C, E

Prevents IP spoofing by filtering traffic based on DHCP snooping bindings.

Why this answer

IP Source Guard (A) is correct because it uses DHCP snooping binding table entries to filter traffic on a per-port basis, dropping packets where the source IP address does not match the binding. This prevents an attacker from spoofing a legitimate host's IP address in ARP spoofing attacks by ensuring only valid IP-to-MAC mappings are allowed on the port.

Exam trap

ISC2 often tests the misconception that port security or MAC filtering can prevent ARP spoofing, but these only control MAC addresses, not the IP-to-MAC bindings that ARP spoofing exploits.

186
MCQ · hard

The exhibit shows a syslog-ng client configuration and a firewall rule on the central logging server (IP 10.0.0.10). The client (192.168.1.100) is not sending logs to the server. What is the most likely cause?

A. The syslog-ng configuration uses TLS, but the firewall rule does not allow TLS traffic
B. The firewall rule restricts source port 6514, but the client uses a random ephemeral source port
C. The syslog-ng client uses UDP by default, but the firewall allows only TCP
D. The firewall rule does not include the client IP 192.168.1.100
Answer: B

The rule includes 'eq 6514' which matches only if source port is 6514; clients use dynamic ports.

Why this answer

The firewall rule on the central logging server (10.0.0.10) specifies a source port of 6514. However, syslog-ng clients, when sending over TCP or TLS, typically use a random ephemeral source port (e.g., above 1024) rather than a fixed source port. Since the firewall restricts the source port to exactly 6514, the client's packets are dropped, preventing logs from reaching the server.

Exam trap

The trap here is that candidates assume the firewall rule's source port 6514 is irrelevant or that the client must use the same port as the server, when in fact the client uses an ephemeral source port, making the rule overly restrictive and the cause of the failure.

How to eliminate wrong answers

Option A is wrong because the exhibit does not indicate that the syslog-ng client is configured to use TLS; syslog-ng defaults to TCP or UDP transport, and the firewall rule already allows TCP to destination port 6514 (the standard syslog-over-TLS port), so the issue is the source port restriction, not the protocol. Option C is wrong because a syslog-ng client configured for TCP-based logging does not fall back to UDP; the rule explicitly allows TCP to destination port 6514, and although the client's transport is set in its configuration (not shown), the core problem is the source port mismatch. Option D is wrong because the firewall rule contains no source IP restriction; it only specifies source port 6514 and destination port 6514, so the client IP 192.168.1.100 is not filtered out by the rule.

187
Multi-Select · easy

Which TWO of the following are examples of security principles?

Select 2 answers
A. Encryption
B. Least privilege
C. Firewall
D. VLAN
E. Defense in depth
Answers: B, E

Least privilege is a security principle.

Why this answer

Least privilege is a foundational security principle that dictates users, processes, or systems should only be granted the minimum access rights necessary to perform their functions. This reduces the attack surface and limits potential damage from compromised accounts or insider threats. It is a design concept, not a specific technology, which is why it qualifies as a security principle.

Exam trap

ISC2 often tests the distinction between security principles (like least privilege and defense in depth) and security technologies (like encryption, firewalls, and VLANs), trapping candidates who confuse implementation tools with the underlying design concepts.

188
MCQ · easy

Which of the following is the primary purpose of a security information and event management (SIEM) system?

A. Enforce access control policies.
B. Replace the need for manual log review.
C. Prevent malware infections.
D. Correlate and analyze log data to detect incidents.
Answer: D

SIEMs collect and correlate logs for threat detection.

Why this answer

The primary purpose of a SIEM system is to aggregate, correlate, and analyze log data from multiple sources (e.g., firewalls, servers, IDS/IPS) in real time to detect security incidents. By applying correlation rules and analytics, SIEM identifies patterns or anomalies that indicate malicious activity, enabling security teams to respond promptly.

Exam trap

ISC2 often tests the distinction between a SIEM's core function (correlation and detection) and other security tools' roles (prevention, enforcement, or replacement of manual tasks), leading candidates to mistakenly choose 'replace manual log review' because they overlook the primary purpose of incident detection.

How to eliminate wrong answers

Option A is wrong because enforcing access control policies is the function of dedicated systems like firewalls, identity and access management (IAM) solutions, or directory services (e.g., Active Directory), not a SIEM, which focuses on log analysis and monitoring. Option B is wrong because while SIEM automates log analysis and reduces manual effort, its primary purpose is not simply to replace manual log review but to provide correlation and incident detection; manual review is still needed for validation and complex investigations. Option C is wrong because preventing malware infections is the role of endpoint protection platforms (EPP), antivirus software, or intrusion prevention systems (IPS); a SIEM detects signs of infection through log correlation but does not actively block malware.

189
MCQ · hard

A medium-sized enterprise uses a Cisco ASA firewall configured with multiple security zones (Inside, Outside, DMZ). The DMZ hosts a web server that must be accessible from the Internet on TCP 443. The Inside network (10.0.0.0/24) hosts internal clients. The web server has IP 172.16.0.10. The firewall's current rules: allow any from Outside to DMZ on TCP 443; allow any from Inside to Outside; deny all else. Recently, the security team noticed that an attacker compromised the web server and used it to launch an attack against an internal database server at 10.0.0.50. The attack was successful because the firewall allowed traffic from the DMZ to the Inside. The firewall's default behavior is to deny traffic from lower security zones to higher security zones (DMZ is lower than Inside). What is the MOST likely reason this traffic was allowed?

A. The firewall has an explicit permit rule for traffic from DMZ to Inside on any destination.
B. The firewall was configured in transparent mode, allowing all traffic.
C. The attacker used a VPN connection that bypassed the firewall.
D. The firewall's default behavior permits traffic from lower security level to higher if the connection is initiated from the higher level.
Answer: A

An explicit rule would override the default deny and allow the attack traffic.

Why this answer

The correct answer is A because the firewall's default behavior is to deny traffic from a lower security zone (DMZ) to a higher security zone (Inside). For the attack to succeed, an explicit permit rule must have been configured to allow traffic from DMZ to Inside. The existing rules only permit Outside to DMZ on TCP 443 and Inside to Outside; without an explicit DMZ-to-Inside rule, the default deny would have blocked the attack.

Thus, the most likely reason is that an administrator inadvertently or intentionally added such a permit rule.

Exam trap

ISC2 often tests the misconception that the ASA's default behavior allows traffic from lower to higher security levels if the connection is initiated from the higher level, but in reality, the ASA only permits return traffic for established connections; new connections from lower to higher are always denied by default.

How to eliminate wrong answers

Option B is wrong because transparent mode (Layer 2) forwards traffic based on MAC addresses and does not inherently allow all traffic; it still applies access control lists (ACLs) and security policies, so it would not bypass the zone-based security. Option C is wrong because a VPN connection would terminate on the firewall or a dedicated VPN concentrator, and traffic from the VPN would be subject to the same security zone policies; it would not bypass the firewall's rules unless explicitly permitted. Option D is wrong because the firewall's default behavior is to deny traffic from lower to higher security levels regardless of connection initiation; stateful inspection tracks connections, but a new connection from DMZ to Inside is still denied by default unless an explicit rule exists.

190
Matching · medium

Match each risk management term to its meaning.

Weakness in a system

Potential cause of harm

Likelihood and impact of a threat exploiting a vulnerability

Control to mitigate risk

Why these pairings

These are fundamental risk management definitions.

191
MCQ · hard

A multinational financial services organization operates three data centers in different geographic regions. Each data center runs a mix of critical and non-critical applications. The DR plan specifies Recovery Time Objectives (RTOs) ranging from 4 hours for critical applications to 72 hours for non-critical. During a scheduled DR test, the team attempts to fail over the primary customer database to the secondary site. The failover fails because the replication link between sites was saturated due to a large data synchronization job running concurrently. The test is declared a failure, and senior management is concerned about the DR plan's reliability. The IT director suggests increasing bandwidth between sites. The security architect proposes implementing network prioritization for replication traffic. The business continuity manager recommends revising the RTOs to be more realistic based on current bandwidth. The system administrator thinks the issue will resolve if the test is repeated during off-peak hours. Which of the following is the BEST course of action to address the root cause of the failure?

A. Implement Quality of Service (QoS) policies to prioritize database replication traffic over other data transfers.
B. Increase the bandwidth on the replication link by ordering a faster circuit from the ISP.
C. Reschedule the next DR test to occur during a scheduled maintenance window with no other replication activity.
D. Revise the RTO for the customer database from 4 hours to 8 hours to account for current bandwidth limitations.
Answer: A

QoS ensures that critical DR replication traffic gets sufficient bandwidth, preventing saturation by low-priority jobs.

Why this answer

The root cause is that the replication link was saturated by a large data synchronization job, which delayed the critical database replication traffic needed to meet the 4-hour RTO. Implementing Quality of Service (QoS) policies directly addresses this by prioritizing database replication traffic over other data transfers, ensuring that critical replication gets the necessary bandwidth even during concurrent large jobs. This is the most effective solution because it resolves the contention without requiring additional bandwidth or changing RTOs.

Exam trap

ISC2 often tests the misconception that simply adding more bandwidth (Option B) solves all congestion issues, but the trap is that without traffic prioritization, the root cause of contention between different traffic types remains unaddressed.

How to eliminate wrong answers

Option B is wrong because simply increasing bandwidth does not guarantee that replication traffic will be prioritized; without QoS, other data transfers can still saturate the link, and it may not be cost-effective or timely. Option C is wrong because rescheduling the test avoids the problem rather than fixing it; the same issue could occur during a real disaster when other replication activity is unavoidable. Option D is wrong because revising the RTO to 8 hours accepts a degraded recovery capability instead of addressing the technical root cause of traffic prioritization, which could be solved with QoS.

192
MCQ · medium

A mid-sized company has a network with 200 employees. The security team has implemented a policy that requires all employees to use complex passwords and change them every 60 days. However, the company has experienced multiple phishing attacks where employees have willingly provided their credentials to fake websites. The CEO wants to implement a more robust authentication method. The company uses Microsoft Active Directory and has a budget for new security tools. They also have a remote workforce. Which of the following is the BEST course of action to address the phishing risk?

A. Increase password complexity requirements and change frequency to every 30 days
B. Conduct annual phishing awareness training
C. Deploy multi-factor authentication (MFA) for all remote access and critical systems
D. Implement a password manager for all employees
Answer: C

Correct. MFA adds a second layer that phished passwords cannot bypass.

Why this answer

Multi-factor authentication (MFA) significantly reduces the risk of credential theft because even if a password is phished, the attacker cannot authenticate without the second factor. The other options either do not address phishing directly or are less effective.

193
MCQ · medium

A company deploys a web application firewall (WAF), performs regular vulnerability scans, and implements strict access controls. Which security principle is being applied?

A. Defense in depth
B. Accountability
C. Risk management
D. Least privilege
Answer: A

Multiple layers of security controls exemplify defense in depth.

Why this answer

Defense in depth is the security principle of layering multiple independent security controls so that if one fails, others still provide protection. The question describes three distinct layers: a WAF (application-layer filtering), vulnerability scanning (proactive detection), and strict access controls (preventive policy). This stacking of different types of controls across the network, host, and application layers is the textbook definition of defense in depth.

Exam trap

ISC2 often tests defense in depth by listing multiple security tools and expecting candidates to recognize the layering concept, but the trap here is that candidates confuse 'defense in depth' with 'least privilege' because both involve multiple controls, when in fact least privilege is just one layer within a defense-in-depth strategy.

How to eliminate wrong answers

Option B (Accountability) is wrong because accountability refers to tracking user actions through logging and auditing (e.g., syslog, auditd) to hold individuals responsible, not to deploying multiple protective layers. Option C (Risk management) is wrong because risk management is the broader process of identifying, assessing, and mitigating risks (e.g., via risk matrices or quantitative analysis), not the specific architectural strategy of layering controls. Option D (Least privilege) is wrong because least privilege is a specific access control principle that grants only the minimum permissions needed to perform a task (e.g., using RBAC with minimal roles), not the combination of WAF, scans, and access controls.

194
MCQ · medium

During a security audit, it is discovered that a single administrator can create user accounts, assign privileges, and review audit logs. Which principle is most likely being violated?

A. Separation of duties
B. Least privilege
C. Need to know
D. Defense in depth
Answer: A

Correct. The combination of account creation, privilege assignment, and audit review in one person violates separation of duties.

Why this answer

Separation of duties requires that conflicting critical tasks be performed by different individuals to prevent fraud or error. The administrator has both operational and oversight roles, violating this principle.

195
MCQ · hard

A security analyst receives an alert from the SIEM indicating a potential data exfiltration event. The alert shows a large volume of data being transferred to an external IP address during non-business hours. What is the MOST appropriate immediate action?

A. Verify whether the transfer is authorized.
B. Call the employee who owns the server.
C. Disconnect the affected server from the network.
D. Run an antivirus scan on the server.
Answer: A

Verification ensures that action is based on confirmed facts.

Why this answer

Option A is correct because verifying the transfer's authorization prevents unnecessary disruption. Option C is too drastic without confirmation. Option B is not efficient and may tip off the user. Option D does not address exfiltration.

196
MCQ · easy

Which control type is considered a physical security control?

A. Firewall rules
B. Security cameras
C. User training
D. Encryption
Answer: B

Security cameras are a physical control that monitors the environment.

Why this answer

Security cameras are a physical security control because they deter, detect, and record unauthorized physical access or activity in a facility. They are deployed as part of a layered physical security strategy, often integrated with access control systems and monitored by security personnel. Unlike logical or administrative controls, cameras directly protect tangible assets and premises.

Exam trap

ISC2 often tests the distinction between physical, administrative, and technical controls; the trap here is that candidates classify 'security cameras' as a monitoring/logging control (which would be technical) rather than recognizing that the camera hardware itself is a physical asset deployed for physical security.

How to eliminate wrong answers

Option A is wrong because firewall rules are a logical/technical control that filters network traffic based on IP addresses, ports, and protocols; they do not physically prevent access to hardware or facilities. Option C is wrong because user training is an administrative control that educates personnel on security policies and procedures, not a physical barrier or monitoring mechanism. Option D is wrong because encryption is a technical/cryptographic control that protects data confidentiality during storage or transmission, but it does not physically secure hardware or locations.

197
Drag & Drop · medium

Drag and drop the steps to perform a password reset on a Windows user account into the correct order.

Why this order

Password reset requires admin rights and is done via Local Users and Groups in Computer Management.

198
MCQ · medium

Which is a key benefit of a cold site as a recovery location?

A. Real-time data synchronization
B. Low cost
C. Reduced need for testing
D. Fast recovery time
Answer: B

Cold sites require no equipment or data replication, making them the least expensive.

Why this answer

A cold site is a backup facility that provides only the physical infrastructure (power, cooling, and space) but no pre-installed hardware or live data. Because it lacks equipment and requires manual setup before recovery can begin, it has the lowest capital and operational costs among recovery site options, making low cost its key benefit.

Exam trap

ISC2 often tests the misconception that 'cold site' implies lower testing requirements, but in reality, cold sites demand more rigorous and frequent testing because the manual recovery process is error-prone and must be validated to avoid failure during an actual disaster.

How to eliminate wrong answers

Option A is wrong because real-time data synchronization requires active replication technologies like synchronous replication or database mirroring, which are not supported by a cold site that has no live systems or network connectivity until activated. Option C is wrong because cold sites actually increase the need for testing, as the recovery process involves manual installation and configuration of hardware and software, which must be validated through regular drills to ensure it works under pressure. Option D is wrong because cold sites have the slowest recovery time (often days or weeks) due to the absence of pre-configured equipment and data, whereas fast recovery is a benefit of hot or warm sites.

199
Multi-Select · easy

Which THREE of the following are common components of a disaster recovery plan?

Select 3 answers
A. Backup procedures
B. Restoration of operations in a secondary site
C. Password policy
D. Employee background checks
E. Business impact analysis
Answers: A, B, E

Backups are essential for restoring data after a disaster.

Why this answer

Backup procedures are a core component of a disaster recovery plan (DRP) because they ensure that critical data can be restored after a disruptive event. This includes defining backup frequency, storage locations (e.g., off-site or cloud), and the specific data to be backed up. Without documented backup procedures, recovery of systems and data would be uncoordinated and unreliable.

Exam trap

ISC2 often tests the distinction between disaster recovery components (backup, BIA, alternate sites) and general security controls (password policies, background checks), so candidates mistakenly include the latter because they are also part of overall security operations.

200
MCQ · hard

An organization wants to implement a policy where employees must use a smart card and a PIN to access sensitive data. This is an example of:

A. Multi-factor authentication (two factors)
B. Single factor authentication
C. Two-factor authentication
D. Biometric authentication
Answer: A

Correct. This is MFA because it combines something you have (smart card) and something you know (PIN).

Why this answer

Multi-factor authentication (MFA) requires two or more different types of authentication factors. Here, the smart card (something you have) and PIN (something you know) constitute two factors, making it MFA.

201
MCQ · hard

A company uses a mandatory access control (MAC) system where all files are labeled 'Confidential', 'Secret', or 'Top Secret'. A user with 'Secret' clearance tries to read a 'Top Secret' file. What is the outcome?

A. Access is allowed because the user has a legitimate need
B. Access is denied because the user's clearance is lower than the file's classification
C. Access is denied only if the file also has a category
D. Access is allowed because the user has Secret clearance
Answer: B

The simple security property prohibits reading up.

Why this answer

In a mandatory access control (MAC) system, access decisions are based on comparing the user's clearance level with the file's classification label. Since the user has 'Secret' clearance and the file is labeled 'Top Secret', the clearance is lower than the file's classification, so access is denied. This follows the fundamental MAC principle of 'no read up' (the simple security property) in the Bell-LaPadula model.

Exam trap

ISC2 often tests the misconception that 'need to know' or user role overrides clearance in MAC, but MAC strictly enforces clearance versus classification without considering discretionary permissions or need.

How to eliminate wrong answers

Option A is wrong because MAC does not consider 'need to know' or legitimate need; access is strictly based on clearance versus classification labels. Option C is wrong because categories are optional in MAC and their presence does not change the fact that clearance must meet or exceed the classification; denial occurs regardless of categories. Option D is wrong because 'Secret' clearance is lower than 'Top Secret', so access is denied, not allowed.

202
Matchingmedium

Match each access control model to its key characteristic.

Matches

Owner sets permissions

System-enforced labels

Roles determine access

Attributes and policies

Why these pairings

These are standard access control models covered in CC.

203
MCQhard

During a forensic investigation, the analyst needs to acquire a memory image from a live Windows system without altering evidence. Which tool is MOST appropriate?

A.Volatility
B.EnCase
C.dd
D.FTK Imager
AnswerD

FTK Imager can acquire memory live with low footprint.

Why this answer

Option D is correct because FTK Imager can acquire memory with minimal impact. Option C (dd) is for disk imaging. Option B (EnCase) is a GUI tool but may alter memory. Option A (Volatility) is a memory analysis framework, not an acquisition tool.

204
Multi-Selecthard

Which THREE of the following are considered essential security principles according to ISC2?

Select 3 answers
A.Separation of duties
B.Encryption
C.Non-repudiation
D.Biometrics
E.Least privilege
AnswersA, C, E

Separation of duties prevents conflicts of interest.

Why this answer

Correct: A, C, E. Least privilege, non-repudiation, and separation of duties are key security principles. Biometrics and encryption are mechanisms, not principles.

205
MCQhard

A SOC analyst is investigating a potential data exfiltration incident. The logs show that an internal user transferred a large volume of data to a cloud storage service using HTTPS. The analyst finds that the user's workstation has BitLocker Drive Encryption enabled, and the user has administrative privileges. Which of the following best describes the PRIMARY challenge in investigating this incident?

A.The user has administrative privileges, which could allow them to cover their tracks
B.The volume of data transferred makes it difficult to determine what was exfiltrated
C.The data was transferred over HTTPS, which cannot be decrypted by the SOC
D.BitLocker encryption prevents access to the hard drive for forensic analysis
AnswerA

Administrative access allows modification of logs, deletion of evidence, and use of tools to hide malicious activity.

Why this answer

The primary challenge is that administrative privileges allow the user to tamper with logs, disable security monitoring, or use tools to cover their tracks, making forensic reconstruction difficult. Even with BitLocker and HTTPS, the SOC can still analyze network logs and endpoint telemetry, but admin rights directly undermine the integrity of evidence on the workstation.

Exam trap

ISC2 often tests the misconception that encryption (BitLocker or HTTPS) is the primary obstacle, when in fact administrative privileges pose a greater threat to evidence integrity and investigation success.

How to eliminate wrong answers

Option B is wrong because the volume of data transferred does not inherently prevent analysis; network logs, file metadata, and cloud storage audit trails can still indicate what was exfiltrated. Option C is wrong because HTTPS traffic can be decrypted if the SOC has a proxy with TLS inspection or access to the client's private keys, and the question does not state that decryption is impossible. Option D is wrong because BitLocker encryption only protects data at rest; if the workstation is powered on and the user is logged in, the drive is accessible for live forensic analysis, and the SOC can also acquire memory dumps or use pre-boot authentication recovery methods.

206
Multi-Selecthard

Which THREE of the following are essential components of an incident response plan? (Select THREE.)

Select 3 answers
A.Preparation
B.Containment, Eradication, and Recovery
C.Business continuity plan activation
D.Detection and Analysis
E.Vulnerability scanning schedule
AnswersA, B, D

Preparation includes training and tools.

Why this answer

Preparation is the foundational phase of the NIST SP 800-61 incident response lifecycle, ensuring policies, tools, and trained personnel are in place before an incident occurs. Without preparation, subsequent phases like detection and containment cannot be executed effectively. The CC exam emphasizes that preparation includes establishing communication plans, acquiring forensic tools, and conducting tabletop exercises.

Exam trap

ISC2 often tests the distinction between incident response phases and adjacent operational processes (like BCP or vulnerability management) to see if candidates confuse proactive security tasks with the reactive incident response lifecycle.

207
MCQmedium

During a security incident, the incident response team isolates a compromised workstation from the network. What is the primary purpose of this action?

A.To prevent further damage.
B.To comply with legal requirements.
C.To preserve forensic evidence.
D.To allow normal operations to continue.
AnswerA

Containment stops the attack from spreading.

Why this answer

Isolating a compromised workstation by disconnecting it from the network (e.g., disabling its switch port or unplugging the Ethernet cable) immediately stops all inbound and outbound traffic. This containment action prevents the attacker from moving laterally to other systems, exfiltrating data, or deploying additional malware, thereby limiting the scope and impact of the incident.

Exam trap

ISC2 often tests the distinction between containment (stopping the spread) and eradication (removing the threat); the trap here is that candidates confuse the secondary benefit of preserving evidence (Option C) with the primary purpose of isolation, which is to prevent further damage.

How to eliminate wrong answers

Option B is wrong because legal compliance (e.g., data breach notification laws) is a procedural requirement that follows containment, not the primary technical goal of isolation. Option C is wrong because while isolation can help preserve evidence by preventing tampering, the primary purpose is containment; forensic preservation is a secondary benefit and is better achieved by creating a forensic image before disconnection. Option D is wrong because isolation actually disrupts normal operations for the affected workstation; the goal is to stop malicious activity, not to allow continued normal operations.

208
MCQeasy

You are an IT administrator for a small business. The company has a backup system that performs nightly full backups of critical servers to an external hard drive. One morning, a user reports that they accidentally deleted an important file from a shared drive. You need to restore the file from last night's backup. However, when you connect the external hard drive to the backup server, the drive is not recognized, and you hear clicking sounds. The backup software shows that the most recent backup job completed successfully with no errors. What is the most likely cause of the problem?

A.The external hard drive has suffered a mechanical failure.
B.The backup software did not actually write the data.
C.The file was not included in the backup job.
D.The backup server has a driver issue.
AnswerA

Clicking sounds are a common symptom of a damaged hard drive read/write head.

Why this answer

The clicking sound from the external hard drive is a classic symptom of a mechanical failure, typically caused by a stuck read/write head or a failing spindle motor. Since the backup software reported a successful completion, the data was likely written to the drive, but the drive's physical components have since failed, preventing the system from recognizing it. This is a hardware-level issue that cannot be resolved by software or driver updates.

Exam trap

ISC2 often tests the distinction between software-reported success and actual hardware integrity, trapping candidates who assume a successful backup log guarantees recoverable data without considering post-backup physical failure.

How to eliminate wrong answers

Option B is wrong because the backup software logged a successful completion with no errors, indicating that the write process finished without issues; if the data had not been written, the software would have reported a failure or incomplete job. Option C is wrong because the user reported the file was on a shared drive, and the backup job was configured to perform full backups of critical servers, which typically includes all files on those drives; there is no evidence that the file was excluded. Option D is wrong because a driver issue would prevent the drive from being recognized but would not cause clicking sounds; clicking is a mechanical noise, not a software or driver symptom.

209
Multi-Selecthard

A security analyst is troubleshooting an access control issue where a user cannot access a file even though they seem to have the correct permissions. Which three of the following should the analyst investigate? (Select THREE)

Select 3 answers
A.File ownership
B.Password expiration
C.Group membership of the user
D.Deny permissions
E.Network connectivity
AnswersA, C, D

File ownership can affect permissions, especially in systems with owner-specific privileges.

Why this answer

File ownership (A) is correct because Linux and Windows access control models (POSIX ACLs, NTFS) check the file's owner and group before applying permissions. If the user is not the owner or in the owning group, the 'other' permissions apply, which may deny access even if the user has a seemingly matching permission entry. The analyst must verify the file's owner and group against the user's identity.

Exam trap

ISC2 often tests the misconception that 'effective permissions' are simply the sum of all allow entries, when in fact deny permissions explicitly override allows, and group membership must be checked recursively (including nested groups).

210
MCQeasy

A security analyst notices repeated failed login attempts from a single IP address targeting multiple user accounts. Which security control should be implemented to mitigate this attack?

A.Implement account lockout after a threshold of failed attempts.
B.Enable single sign-on (SSO).
C.Require complex passwords.
D.Disable the accounts after one failed attempt.
AnswerA

Mitigates brute-force attacks by locking accounts after multiple failures.

Why this answer

Option A is correct because implementing an account lockout policy after a defined threshold of failed attempts (e.g., 5 failed attempts within 15 minutes) directly mitigates brute-force password guessing attacks from a single source. This control prevents an attacker from continuously trying different passwords across multiple accounts, effectively rate-limiting the attack at the authentication layer.

Exam trap

ISC2 often tests the distinction between preventive controls (like account lockout) and deterrent controls (like complex passwords), and the trap here is that candidates choose complex passwords because they think stronger passwords stop brute-force attacks, but they fail to recognize that unlimited attempts still allow eventual guessing regardless of password complexity.

How to eliminate wrong answers

Option B is wrong because single sign-on (SSO) centralizes authentication but does not prevent repeated failed login attempts; it may even increase the blast radius if the SSO provider is compromised. Option C is wrong because requiring complex passwords makes individual passwords harder to guess but does not stop an attacker from making unlimited login attempts; it addresses password strength, not attack frequency. Option D is wrong because disabling an account after a single failed attempt would cause massive denial of service for legitimate users due to typos or forgotten passwords, and it is not a standard security practice; account lockout requires a reasonable threshold to balance security and usability.

211
MCQeasy

Which of the following is a primary benefit of implementing network segmentation?

A.Reduced attack surface
B.Eliminates the need for firewalls
C.Increased bandwidth
D.Simplified IP address management
AnswerA

Limits scope of attacks.

Why this answer

Network segmentation divides a network into smaller, isolated segments, which limits an attacker's ability to move laterally after compromising a single host. By restricting traffic between segments using VLANs, ACLs, or firewall rules, the attack surface is reduced because fewer systems are exposed to potential threats. This is a primary security benefit, as it contains breaches and minimizes the impact of malware or unauthorized access.

Exam trap

ISC2 often tests the misconception that segmentation eliminates the need for firewalls, but in reality, segmentation and firewalls are complementary—firewalls enforce the segmentation policy, and segmentation reduces the attack surface by limiting exposure.

How to eliminate wrong answers

Option B is wrong because network segmentation does not eliminate the need for firewalls; instead, it often relies on firewalls (or ACLs on routers/L3 switches) to enforce segmentation policies and filter traffic between segments. Option C is wrong because segmentation does not increase bandwidth; it can actually introduce overhead from inter-segment routing and may require careful design to avoid bottlenecks. Option D is wrong because segmentation often complicates IP address management by requiring separate subnets or VLANs, not simplifying it.

212
Multi-Selecthard

Which THREE components are part of the AAA framework?

Select 3 answers
A.Authentication
B.Accountability
C.Auditing
D.Accounting
E.Authorization
AnswersA, D, E

Verifies user identity.

Why this answer

Authentication is correct because the AAA framework (Authentication, Authorization, and Accounting) uses authentication to verify the identity of a user or device before granting access. This is typically done via credentials such as username/password, digital certificates, or tokens, and is the first step in the AAA process.

Exam trap

ISC2 often tests the distinction between 'Accounting' and 'Auditing' — candidates confuse the two because both involve logs, but Accounting is the collection of data (e.g., start/stop records), while Auditing is the analysis of that data, which is not part of the AAA framework.

213
MCQeasy

An organization discovers a ransomware infection on a critical server. According to the incident response phases, what should be the first action after detection?

A.Notify law enforcement
B.Eradicate the malware from the server
C.Restore from backup
D.Contain the affected system
AnswerD

Containment stops the incident from spreading, which is the immediate priority.

Why this answer

Immediately after detection, the priority is to contain the ransomware to prevent it from spreading laterally to other systems. According to NIST SP 800-61 and standard incident response frameworks, containment is the first step after detection and analysis, as it limits damage and preserves evidence for forensic investigation.

Exam trap

The trap here is that candidates confuse the urgency of recovery actions (like restoring from backup) with the correct incident response sequence, forgetting that containment must always come first to stop the spread and preserve forensic evidence.

How to eliminate wrong answers

Option A is wrong because notifying law enforcement is a post-containment step, typically done after the scope is understood and evidence is preserved; premature notification can disrupt the response. Option B is wrong because eradicating the malware before containment risks alerting the attacker or causing the ransomware to trigger encryption of additional data; containment must precede eradication. Option C is wrong because restoring from backup before containment can reintroduce the infection if the backup is compromised or if the ransomware is still active on the network; containment ensures the environment is clean before recovery.

214
MCQmedium

Refer to the exhibit. A security analyst is reviewing firewall logs and notices repeated denied TCP packets from 192.0.2.10 to internal hosts. The packets are being denied by the access-group "OUTSIDE_IN". What is the most likely reason for these denials?

A.An external host is performing a port scan against internal systems.
B.The firewall is misconfigured and blocking legitimate traffic.
C.An internal host has been compromised and is exfiltrating data.
D.An external host is launching a denial-of-service (DoS) attack.
AnswerA

The sequential source ports and different destination ports across multiple hosts indicate a scan.

Why this answer

The repeated denied TCP packets from 192.0.2.10 (an external IP) to multiple internal hosts indicate a port scan. The access-group 'OUTSIDE_IN' is applied to the outside interface, and the firewall is denying these packets because they match a deny ACE (access control entry) that blocks unsolicited inbound traffic. This pattern of multiple denied connections from a single external source to different internal destinations is characteristic of a reconnaissance scan, not a DoS attack or data exfiltration.

Exam trap

ISC2 often tests the distinction between a port scan and a DoS attack, where candidates mistakenly choose DoS because they see 'repeated denied packets' without recognizing the pattern of multiple destinations versus a single target flood.

How to eliminate wrong answers

Option B is wrong because the firewall is correctly blocking unsolicited inbound traffic as per the configured access-group; there is no misconfiguration indicated—the denials are expected behavior for a security policy that denies inbound connections by default. Option C is wrong because data exfiltration originates from an internal host sending data outbound, not from an external host sending packets inbound; the source IP 192.0.2.10 is external, so this is not an internal compromise scenario. Option D is wrong because a denial-of-service (DoS) attack typically involves a high volume of traffic aimed at overwhelming a single target, not repeated denied packets to multiple internal hosts; the pattern here is more consistent with a scan (low rate, multiple destinations) rather than a flood.

215
MCQhard

A security auditor discovers that during a VLAN hopping attack, a threat actor was able to send frames from a workstation on VLAN 10 to a target on VLAN 20. Which configuration flaw is most likely responsible?

A.Dynamic Trunking Protocol (DTP) is enabled on access ports
B.The trunk port is set to native VLAN 1
C.The switch is using default VLAN 1 for management
D.Port security is not configured
AnswerA

DTP allows an attacker to negotiate a trunk and access other VLANs.

Why this answer

Option A is correct because a VLAN hopping attack exploits the Dynamic Trunking Protocol (DTP) to negotiate a trunk link between the attacker's workstation and the switch. If DTP is enabled on an access port, the attacker can send DTP frames to form a trunk, allowing frames from VLAN 10 to be tagged and forwarded to VLAN 20. Disabling DTP on all access ports with the 'switchport nonegotiate' command prevents this attack.

Exam trap

ISC2 often tests the distinction between VLAN hopping via DTP (trunk negotiation) and double-tagging attacks (native VLAN manipulation), so candidates may confuse the two and incorrectly choose the native VLAN option.

How to eliminate wrong answers

Option B is wrong because setting the native VLAN to 1 is a default configuration, but it does not directly enable VLAN hopping; native VLAN attacks (e.g., double-tagging) require the attacker to be on the native VLAN and the trunk to forward untagged frames, which is a different attack vector. Option C is wrong because using default VLAN 1 for management is a security best practice violation (it should be changed to a dedicated VLAN), but it does not allow a workstation to send frames across VLANs; management VLAN misconfiguration does not enable trunk negotiation. Option D is wrong because port security limits MAC addresses on a port but does not prevent DTP-based trunk negotiation; VLAN hopping can occur even with port security enabled if DTP is active.

216
MCQeasy

A security analyst notices repeated failed login attempts to a critical server from a single external IP address. Which immediate action should the analyst take?

A.Enable two-factor authentication.
B.Disable the server's network interface.
C.Block the IP address at the firewall.
D.Change the server's IP address.
AnswerC

Immediate containment of the attack source.

Why this answer

Blocking the IP address at the firewall is the immediate action because it stops the ongoing brute-force attack at the network perimeter without affecting the server's availability or internal operations. Firewall rules can be applied quickly using access control lists (ACLs) to deny traffic from the specific external IP, which is a standard first response to mitigate a single-source attack.

Exam trap

ISC2 often tests the distinction between immediate containment actions (like blocking an IP at the firewall) and long-term security improvements (like enabling 2FA), trapping candidates who confuse proactive hardening with reactive incident response.

How to eliminate wrong answers

Option A is wrong because enabling two-factor authentication (2FA) is a long-term security improvement that does not stop the current attack in progress; it requires configuration and user enrollment, leaving the server exposed during the delay. Option B is wrong because disabling the server's network interface would deny service to all legitimate users, causing a denial of service (DoS) and violating the principle of maintaining availability. Option D is wrong because changing the server's IP address is a reactive measure that does not prevent the attacker from scanning and finding the new IP, and it disrupts legitimate DNS and client connections without addressing the root cause.

217
MCQmedium

A security engineer is designing a DMZ for a web server that must be accessible from the internet. The web server needs to query an internal database server. Which network security approach best limits exposure?

A.Use a single firewall with rules that allow all traffic from the internet to the internal network.
B.Place both servers in the same subnet with a firewall allowing all traffic.
C.Place the database server in the DMZ with the web server.
D.Place the web server in the DMZ and the database server in the internal network, with a firewall allowing only specific traffic from the web server to the database.
AnswerD

This provides proper segmentation and least privilege.

Why this answer

Option D is correct because it implements a true DMZ architecture: the web server resides in the DMZ (a semi-trusted zone) while the database server remains in the internal network, protected by a firewall that permits only specific traffic (e.g., TCP/3306 for MySQL or TCP/1433 for MSSQL) from the web server. This minimizes the attack surface by ensuring that even if the web server is compromised, the database server is not directly reachable from the internet, and the firewall enforces strict stateful inspection and access control.

Exam trap

ISC2 often tests the misconception that placing both servers in the DMZ simplifies security, but the trap is that the database server should never be in the DMZ because it contains sensitive data and must be isolated behind an additional firewall layer to enforce defense in depth.

How to eliminate wrong answers

Option A is wrong because allowing all traffic from the internet to the internal network bypasses any security boundary, exposing the entire internal network to direct attack and violating the principle of least privilege. Option B is wrong because placing both servers in the same subnet with a firewall allowing all traffic eliminates network segmentation; if the web server is compromised, the database server is on the same broadcast domain and can be attacked laterally without any firewall restriction. Option C is wrong because placing the database server in the DMZ with the web server exposes the database to the internet (even if indirectly), as the DMZ is a less trusted zone; an attacker who compromises the web server can then directly access the database without traversing an additional firewall layer.

218
Multi-Selecteasy

Which TWO of the following are examples of preventive security controls?

Select 2 answers
A.Encryption
B.Backup
C.Antivirus software
D.Firewall
E.Intrusion detection system
AnswersC, D

Antivirus prevents malware execution.

Why this answer

Firewalls and antivirus software are preventive controls that block or stop attacks. IDS is detective, encryption is protective but not primarily preventive, and backup is corrective.

219
MCQmedium

Refer to the exhibit. A security analyst reviews this log entry. What type of attack is most likely occurring?

A.Pass-the-hash attack
B.Brute-force attack
C.Password spraying attack
D.Kerberos ticket attack
AnswerB

Repeated failed attempts on the same account indicate brute-force.

Why this answer

The log entry shows repeated failed authentication attempts from a single source IP (10.10.10.10) against multiple usernames (admin, root, test) in a short time window. This pattern of systematically trying different credentials against a target system is characteristic of a brute-force attack, where an attacker iterates through possible username/password combinations to gain unauthorized access.

Exam trap

ISC2 often tests the distinction between brute-force and password spraying attacks, where the trap is that candidates confuse the target pattern—brute-force focuses on a single user with many passwords, while password spraying uses one password across many users.

How to eliminate wrong answers

Option A is wrong because a pass-the-hash attack involves capturing and reusing NTLM or LM password hashes from a compromised system, not repeated login attempts from a single source. Option C is wrong because a password spraying attack uses a single common password against many usernames across multiple accounts, not multiple passwords against a few usernames as shown in the log. Option D is wrong because a Kerberos ticket attack (e.g., Golden Ticket or Silver Ticket) exploits forged or stolen Kerberos TGTs or service tickets, not repeated authentication failures against local or network logins.

220
MCQeasy

An organization wants to ensure that critical security events are not missed during off-hours. What is the best practice?

A.Rely on automatic responses
B.Assign on-call duties only to senior analysts
C.Schedule nightly scans
D.Configure a central SIEM with 24/7 monitoring
AnswerD

SIEM provides continuous monitoring and alerting for critical events.

Why this answer

A central SIEM with 24/7 monitoring ensures that security events are continuously analyzed and alerted upon, even during off-hours. This is the best practice because it provides real-time correlation and escalation of critical events, preventing them from being missed. Relying on automatic responses or periodic scans lacks the human oversight needed for complex threat validation.

Exam trap

ISC2 often tests the distinction between proactive security measures (like scheduled scans) and reactive monitoring practices (like 24/7 SIEM analysis), leading candidates to confuse vulnerability management with real-time event detection.

How to eliminate wrong answers

Option A is wrong because automatic responses (e.g., playbooks or auto-blocking) can only handle predefined, low-complexity events and may miss novel or nuanced threats that require human analysis. Option B is wrong because assigning on-call duties only to senior analysts creates a single point of failure and burnout risk; a layered on-call rotation with all qualified staff is more sustainable. Option C is wrong because scheduling nightly scans (e.g., vulnerability scans) is a proactive measure for finding weaknesses, not a reactive practice for detecting and responding to real-time security events during off-hours.

221
MCQhard

A financial institution has a security operations center that monitors network traffic using a SIEM. The SIEM receives logs from all network devices, servers, and endpoints. One analyst notices an anomaly: a user account, 'jsmith', which is normally used during business hours (9 AM to 5 PM), has been logging in from a remote IP address at 2 AM every day for the past week. The logins are successful, and the user is accessing internal file shares. The user jsmith works in the accounting department and has access to sensitive financial reports. The analyst checks the user's workstation logs and finds that the workstation is powered off at the time of the remote logins. The company uses two-factor authentication, but the log entries show that only the password was used. Which of the following is the most likely explanation and the best immediate action?

A.The user is working overtime from home; no action needed
B.The two-factor authentication system is malfunctioning; reconfigure the 2FA server
C.The user's credentials have been stolen and are being used by an attacker; disable the account
D.The user's workstation is infected with a remote access trojan; run antivirus
AnswerC

This matches the indicators: off-hours, remote IP, no 2FA, workstation off.

Why this answer

The anomaly—successful logins at 2 AM from a remote IP while the user's workstation is powered off and only a password (bypassing 2FA) is used—strongly indicates credential theft and account takeover. The SIEM logs show authentication without the second factor, which means the attacker either obtained the password and bypassed 2FA (e.g., through a phishing attack that captured both factors or a session cookie) or the 2FA was not enforced for this specific remote login. Disabling the account immediately stops the unauthorized access to sensitive financial shares.

Exam trap

ISC2 often tests the distinction between a compromised account (where credentials are stolen and used remotely) and a compromised endpoint (where malware is present), and the trap here is that candidates may assume the user's workstation is infected (Option D) because the logins are successful, but the powered-off workstation proves the attacker is authenticating directly from a different device.

How to eliminate wrong answers

Option A is wrong because the workstation is powered off during the logins, so the user cannot be working from home; the remote logins are from an attacker. Option B is wrong because a 2FA malfunction would likely affect all users or generate error logs, not selectively allow only password-based logins for a single account at odd hours; the issue is credential compromise, not a system misconfiguration. Option D is wrong because the workstation is powered off, so a remote access trojan cannot be active on it; the attacker is logging in directly with stolen credentials, not via malware on the user's machine.

222
Multi-Selecteasy

Which TWO are phases of the NIST incident response life cycle? (Select exactly 2.)

Select 2 answers
A.Preparation
B.Documentation
C.Assessment
D.Authorization
E.Containment
AnswersA, E

Preparation is the first phase.

Why this answer

Option A is correct because Preparation is the first phase of the NIST SP 800-61 incident response life cycle, focusing on establishing policies, tools, and training before an incident occurs. This phase ensures the organization is ready to detect and respond to security events effectively.

Exam trap

ISC2 often tests the distinction between the official NIST phase names and common but incorrect terms like 'Assessment' or 'Documentation', expecting candidates to recall that only 'Preparation' and 'Containment' (as part of Containment/Eradication/Recovery) are explicitly listed phases.

223
MCQeasy

An organization wants to ensure that system logs are tamper-proof after generation. Which control should be implemented?

A.Compress logs before archiving.
B.Use a write-once read-many (WORM) storage device.
C.Store logs on the local hard drive of each server.
D.Encrypt logs during transmission.
Answer: B

WORM devices ensure data cannot be overwritten or deleted.

Why this answer

Option B is correct because WORM storage prevents modification or deletion of logs once they are written. Option C (local storage on each server) is not tamper-proof, since anyone with access to the server can alter the logs. Option A (compression) changes the storage format but does not prevent tampering.

Option D encryption protects in transit but not at rest on the storage device.

224
MCQ · hard

A financial services firm has a data center that houses customer financial records. They have implemented a defense-in-depth strategy including firewalls, IDS/IPS, and encryption. Recently, an internal audit revealed that a junior administrator has been logging into the database server with a shared admin account and has made unauthorized changes to customer records. The company wants to prevent such incidents in the future while maintaining operational efficiency. The current environment uses Linux servers with PostgreSQL databases. There is no centralized authentication system. What is the BEST action to take?

A.Increase the frequency of password changes for the shared admin account
B.Disable all shared accounts and implement individual accounts with role-based access control and audit logging
C.Use database encryption to prevent unauthorized changes
D.Implement a network access control (NAC) solution to restrict database access to specific IP addresses
Answer: B

Correct. This enforces accountability and least privilege.

Why this answer

The core issue is the lack of accountability due to a shared admin account. Disabling shared accounts and implementing individual accounts with role-based access control (RBAC) and audit logging directly addresses this by ensuring each action is tied to a specific user, enabling non-repudiation and precise forensic analysis. This aligns with the principle of least privilege and is the most effective way to prevent unauthorized changes while maintaining operational efficiency through granular permission management.

Exam trap

ISC2 often tests the misconception that encryption or network controls can solve insider threats, when in reality, only user-level accountability and audit trails can prevent and trace unauthorized actions by authenticated users.

How to eliminate wrong answers

Option A is wrong because increasing password change frequency for a shared account does not solve the lack of accountability; multiple users still share credentials, making it impossible to trace who made specific changes. Option C is wrong because database encryption protects data at rest or in transit from external interception, but it does not prevent an authenticated user (the junior admin) from making unauthorized modifications. Option D is wrong because network access control (NAC) restricts which IP addresses can connect to the database, but it does not address the internal threat of an authorized user with a shared account making unauthorized changes from an allowed IP.

225
MCQ · medium

A security engineer is designing a backup strategy for a critical database. The database must be recoverable within four hours in the event of a failure. Which security principle primarily drives this requirement?

A.Availability
B.Integrity
C.Non-repudiation
D.Confidentiality
Answer: A

The requirement specifies recovery within a time frame, which is a measure of availability.

Why this answer

Availability ensures that systems and data are accessible when needed. A recovery time objective (RTO) of four hours is an availability requirement. Option A is correct.

Option D (confidentiality) protects data secrecy. Option B (integrity) ensures data accuracy. Option C (non-repudiation) prevents denial of actions.
