ISC2 Certified in Cybersecurity CC (CC) — Questions 226-300

500 questions total · 7 pages · All types, answers revealed


Page 4 of 7

226
MCQ · hard

In a defense-in-depth strategy, which access control mechanism provides the most granular control over user permissions?

A. Network segmentation
B. Access control lists (ACLs) on files
C. Physical security controls
D. Firewall rules
Answer: B

ACLs provide fine-grained control over who can read, write, or execute individual files.

Why this answer

Access control lists (ACLs) on files provide the most granular control because they allow permissions to be set at the individual file or object level, specifying exactly which users or groups can read, write, execute, or modify that specific resource. This is in contrast to broader mechanisms like network segmentation or firewall rules, which operate at the network or subnet level and cannot distinguish between individual files within a system. ACLs are a fundamental component of discretionary access control (DAC) and are implemented in file systems such as NTFS, ext4, and ZFS.

Exam trap

ISC2 often tests the distinction between network-level controls (like firewall rules and segmentation) and system-level controls (like file ACLs), leading candidates to mistakenly choose a network mechanism when the question asks for the most granular control over user permissions on a resource.

How to eliminate wrong answers

Option A is wrong because network segmentation divides a network into smaller segments to limit lateral movement, but it does not control permissions on individual files or objects—it operates at Layer 2/3 and cannot enforce user-level granularity on a file. Option C is wrong because physical security controls (e.g., locks, biometrics, guards) protect the physical environment and assets, but they cannot differentiate between users accessing specific files on a system; they are a coarse, perimeter-level control. Option D is wrong because firewall rules filter traffic based on IP addresses, ports, and protocols at Layers 3/4 (and sometimes Layer 7), but they do not manage permissions on files or objects within an operating system—they control network access, not user permissions on resources.

227
MCQ · hard

You are a security analyst at a mid-sized financial firm. The company has a policy that all remote access must be secured using a VPN. Recently, an employee reported that they were able to connect to the internal network from a coffee shop without using the VPN client. The employee had accidentally left the client running, but it was not authenticating. Upon investigation, you find that the network administrator had configured a rule on the firewall to allow RDP traffic from any public IP to a specific internal server for maintenance purposes. The rule was supposed to be temporary but was never removed. The server contains sensitive customer data. The incident has been reported to management. Which of the following is the most immediate corrective action you should take?

A. Remove the temporary firewall rule that allows RDP from any public IP
B. Disable RDP access on all servers
C. Conduct a full audit of all firewall rules
D. Implement a security awareness training program for all employees
Answer: A

This immediately closes the unauthorized access path.

Why this answer

Correct: Removing the temporary firewall rule closes the unauthorized access path. Option B is wrong because disabling RDP entirely may disrupt legitimate maintenance; Option C is wrong because conducting an audit does not remove the immediate risk; Option D is wrong because security awareness training is a long-term measure, not an immediate one.

228
Multi-Select · hard

A SOC analyst is investigating an incident where an employee's workstation was compromised via a phishing email. The analyst has captured the following indicators: the email originated from a known malicious domain, the attachment was a macro-enabled document, and the macro executed a PowerShell command that downloaded a payload from a remote server. Which TWO actions should the analyst take immediately as part of the incident response process? (Choose two.)

Select 2 answers
A. Contact law enforcement immediately.
B. Isolate the workstation from the network.
C. Analyze the macro code in a sandbox.
D. Block the malicious domain at the email gateway.
E. Delete the phishing email from all mailboxes.
Answers: B, D

Isolation contains the threat and prevents spread.

Why this answer

Option B is correct because isolating the workstation from the network is a critical containment step in incident response. It immediately stops the compromised system from communicating with the attacker's command-and-control server, preventing further data exfiltration or lateral movement. This aligns with the NIST SP 800-61 containment strategy, which prioritizes stopping the spread of an incident before deeper analysis.

Exam trap

ISC2 often tests the distinction between immediate containment actions (isolate, block at gateway) and later forensic or administrative steps (analyze macro, contact law enforcement, delete emails) to see if candidates understand the priority of stopping the threat first.

229
MCQ · hard

A cloud security engineer reviews the following S3 bucket policy. What is the primary security risk?

A. The bucket does not have encryption enabled
B. The bucket policy permits deletion of objects by anyone
C. The bucket allows unauthorized users to write objects
D. The bucket is publicly readable, allowing anyone to access its contents
Answer: D

Principal: * allows anonymous access, and GetObject permits reading.

Why this answer

Option D is correct because the policy allows any anonymous user to read any object in the bucket (Principal: * without a condition). Option C is wrong because write access is not granted. Option B is wrong because the risk is unauthorized read, not deletion. Option A is wrong because encryption is not addressed by the policy shown.

230
MCQ · hard

You are a security analyst investigating a potential insider threat incident. An employee from the finance department has been behaving suspiciously: printing large volumes of sensitive financial reports, accessing files outside their normal work hours, and attempting to bypass the company's data loss prevention (DLP) controls by renaming files before emailing them. The employee has been with the company for 10 years and has a clean record. The company's policy requires that any investigation be conducted discreetly to avoid alerting the employee. You need to gather evidence to confirm or refute the suspicion. Which of the following actions should you take FIRST?

A. Confront the employee directly to ask for an explanation.
B. Review the employee's system logs and DLP alerts in detail to establish a pattern.
C. Disable the employee's network access immediately to prevent data exfiltration.
D. Notify the employee's manager about the suspicion.
Answer: B

Logs provide objective data; this step is non-intrusive and evidence-gathering.

Why this answer

Option B is correct because the first step in any insider threat investigation is to gather and analyze available evidence discreetly, as required by policy. Reviewing system logs (e.g., Windows Event Logs, file server audit logs) and DLP alerts allows you to establish a behavioral pattern—such as anomalous access times, file rename operations, and email attachments—without alerting the employee. This evidence-based approach ensures you can confirm or refute the suspicion before taking any disruptive or confrontational actions.

Exam trap

ISC2 often tests the principle that investigative actions must be non-disruptive and evidence-driven first, tempting candidates to jump to containment (Option C) or escalation (Option D) before analysis.

How to eliminate wrong answers

Option A is wrong because confronting the employee directly violates the policy of conducting the investigation discreetly, may tip off a potential insider, and could lead to evidence tampering or escalation. Option C is wrong because immediately disabling network access is a reactive containment step that should only be taken after sufficient evidence is gathered; it also alerts the employee and may be premature if the behavior is benign. Option D is wrong because notifying the employee's manager without first establishing a pattern of suspicious activity could breach confidentiality, cause unnecessary alarm, and potentially compromise the investigation if the manager inadvertently alerts the employee.

231
MCQ · medium

A security engineer is configuring a firewall to allow web traffic but block all other inbound connections. The firewall is set to deny all traffic by default and only allow specific ports. Which security principle is being applied?

A. Default deny
B. Defense in depth
C. Fail-safe
D. Least privilege
Answer: A

Correct. The firewall denies everything by default.

Why this answer

The correct answer is A, Default deny. The scenario describes a firewall configured to deny all traffic by default and then explicitly allow only specific ports (e.g., TCP 80/443 for web traffic). This directly implements the default deny security principle, where any traffic not explicitly permitted is blocked.

This contrasts with a default allow posture, which would permit all traffic unless explicitly denied.

Exam trap

ISC2 often tests the distinction between 'default deny' (a firewall ACL posture) and 'least privilege' (a user/process access control model), causing candidates to confuse network-level traffic filtering with user-level permissions.

How to eliminate wrong answers

Option B is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewall, IDS, antivirus), not a single rule about default traffic handling. Option C is wrong because fail-safe ensures a system defaults to a secure state upon failure (e.g., a firewall blocking all traffic if it crashes), not the initial configuration of allowing only specific ports. Option D is wrong because least privilege grants users or processes only the minimum access needed to function, which applies to user permissions, not to firewall rule sets that control network traffic.

232
MCQ · easy

An organization is developing a security policy that defines the rules for acceptable use of company resources. Which principle should guide the creation of this policy to ensure it is enforceable and effective?

A. Non-repudiation
B. Defense in depth
C. Least privilege
D. Separation of duties
Answer: C

Least privilege ensures users have only necessary access, making policy enforceable.

Why this answer

Least privilege minimizes risk by granting only necessary access. Other principles are less relevant for policy enforcement.

233
MCQ · easy

A security analyst notices that an internal web server is receiving a high volume of TCP SYN packets from a single external IP address, but the server is not sending SYN-ACK replies. The server's CPU and memory usage are normal. What is the most likely cause?

A. A firewall rule is blocking inbound SYN-ACK packets
B. The server is under a SYN flood attack, filling the connection queue
C. The server's TCP/IP stack has crashed
D. The server is experiencing a distributed denial-of-service (DDoS) attack
Answer: B

SYN flood attacks fill the server's half-open connection queue, preventing it from sending SYN-ACKs.

Why this answer

The correct answer is B because a SYN flood attack works by sending a high volume of TCP SYN packets to a server, filling its half-open connection queue (the backlog) and preventing it from completing the three-way handshake. Since the server's CPU and memory are normal, the issue is not resource exhaustion but rather the queue being saturated, causing the server to stop sending SYN-ACK replies to new connection requests.

Exam trap

ISC2 often tests the distinction between a SYN flood (which fills the connection queue) and a DDoS (which involves multiple sources), so candidates mistakenly choose D when the key detail is the single external IP address.

How to eliminate wrong answers

Option A is wrong because a firewall rule blocking inbound SYN-ACK packets would not prevent the server from sending SYN-ACK replies; it would only block those replies from reaching the client, and the server would still generate them. Option C is wrong because if the server's TCP/IP stack had crashed, the server would likely stop all network communication, not just SYN-ACK replies, and CPU/memory usage would typically be abnormal. Option D is wrong because a DDoS attack involves multiple sources, but the question specifies a single external IP address, making it a simple SYN flood rather than a distributed attack.

234
MCQ · medium

A company implements two-factor authentication (2FA) for all remote access. Which primary security goal is this enhancing?

A. Availability
B. Integrity
C. Confidentiality
D. Non-repudiation
Answer: C

2FA ensures only authorized users access data, protecting confidentiality.

Why this answer

2FA strengthens authentication, ensuring only authorized users access data, thereby protecting confidentiality. Option A (Availability) is about uptime. Option B (Integrity) is about data accuracy. Option D (Non-repudiation) is about proof of actions.

235
MCQ · easy

A security analyst receives an alert indicating multiple failed login attempts from a single IP address targeting a user account. Which action should the analyst take FIRST?

A. Disable the user account immediately
B. Verify the alert and check if the account is compromised
C. Escalate the alert to law enforcement
D. Block the IP address at the firewall
Answer: B

Verification ensures the alert is not a false positive.

Why this answer

Option B is correct because the first step in incident response is to validate the alert. The analyst must verify that the failed login attempts are not a false positive (e.g., a user mistyping their password) and then check if the account has been compromised by reviewing logs for successful logins from the same IP or anomalous behavior. Prematurely disabling the account or blocking the IP could disrupt legitimate access or alert an attacker, while escalation to law enforcement is premature without confirmation of a breach.

Exam trap

ISC2 often tests the principle that verification and analysis must precede any containment or eradication action, tempting candidates to jump to blocking the IP or disabling the account as a quick fix without confirming the alert's validity.

How to eliminate wrong answers

Option A is wrong because disabling the user account immediately without verifying the alert could lock out a legitimate user and does not address the root cause; the account may not be compromised. Option C is wrong because escalating to law enforcement is a drastic step that should only occur after confirming a security incident and following organizational policy, not as a first action. Option D is wrong because blocking the IP address at the firewall may be a reactive measure, but it could block a legitimate user (e.g., a shared IP) and does not confirm whether the account is compromised; verification must come first.

236
MCQ · medium

An organization uses a SIEM to correlate logs from multiple sources. A rule triggers when a user logs in from two geographically distant locations within a short time. What type of attack does this rule primarily detect?

A. Denial of service attack
B. Brute-force attack
C. Credential theft or session hijacking
D. Man-in-the-middle attack
Answer: C

Logins from impossible travel locations indicate that credentials may be used by an attacker.

Why this answer

The SIEM rule detects impossible travel — a user authenticating from two geographically distant locations within a time window too short for physical travel. This behavior strongly indicates that an attacker has stolen the user's credentials (credential theft) or taken over an active session (session hijacking) and is using them from a different location. The SIEM correlates authentication logs (e.g., from Active Directory, VPN, or web apps) with geolocation data (IP-to-location mapping) to flag this anomaly.

Exam trap

ISC2 often tests the concept of 'impossible travel' as a specific indicator of credential theft or session hijacking, and candidates mistakenly associate any unusual login pattern with brute-force attacks, failing to recognize that brute-force focuses on failed attempts, not successful logins from distant locations.

How to eliminate wrong answers

Option A is wrong because a denial of service attack aims to overwhelm a system with traffic or requests, not to generate geographically disparate login events; the rule focuses on authentication patterns, not resource exhaustion. Option B is wrong because a brute-force attack involves repeated login attempts from a single or few IPs, not two successful logins from distant locations; the rule triggers on successful authentications, not failed attempts. Option D is wrong because a man-in-the-middle attack intercepts communications between two parties without necessarily producing distinct login events from two far-apart IPs; the rule detects post-compromise lateral movement or credential misuse, not active interception.

237
MCQ · hard

An organization is designing a security architecture for a cloud-based application. They implement firewalls, intrusion detection systems, and encryption, and also conduct regular security awareness training. This approach demonstrates which security principle?

A. Defense in depth
B. Security through obscurity
C. Least privilege
D. Separation of duties
Answer: A

Defense in depth uses multiple layers of security controls, both technical and administrative.

Why this answer

Defense in depth uses multiple layered controls. The combination of technical and administrative controls is key.

238
MCQ · medium

A security operations center (SOC) analyst notices unusual outbound network traffic from a server that typically only receives connections. The traffic is encrypted and goes to an unknown external IP. Which step should the analyst perform FIRST?

A. Check the server's running processes and connections
B. Power off the server
C. Block the outbound traffic at the firewall
D. Notify the system owner
Answer: A

Local investigation helps confirm compromise.

Why this answer

Option A is correct because the analyst needs to gather more information before containing. Option B is too aggressive without confirmation. Option C is reactive but less critical than investigation. Option D is premature.

239
Multi-Select · medium

Which THREE are commonly defined in a disaster recovery plan? (Select exactly 3.)

Select 3 answers
A. Recovery point objective
B. Business impact analysis
C. Recovery time objective
D. Cost-benefit analysis
E. Annual loss expectancy
Answers: A, B, C

RPO defines the maximum acceptable data loss.

Why this answer

Recovery point objective (RPO) is a core metric defined in a disaster recovery plan because it specifies the maximum acceptable amount of data loss measured in time. For example, an RPO of 1 hour means backups must be taken at least every hour to ensure no more than 60 minutes of data is lost. This directly drives backup frequency and replication technology choices, such as synchronous vs. asynchronous replication.

Exam trap

ISC2 often tests the distinction between the DR plan components (RPO, RTO, BIA) and risk management calculations (ALE, cost-benefit analysis), trapping candidates who confuse the outputs of a BIA with separate financial analysis tools.

240
MCQ · hard

An organization's backup strategy includes daily full backups and hourly incremental backups. During a restoration, they discover that a critical file was corrupted 6 hours ago. Which backup set is required for the restoration?

A. The most recent incremental backup only.
B. The most recent full backup only.
C. The most recent full backup plus the incremental backups from the last 6 hours.
D. The most recent full backup plus all incremental backups since.
Answer: C

Restores the state just before corruption.

Why this answer

The correct answer is C because restoring a file that was corrupted 6 hours ago requires the most recent full backup as the base, plus all incremental backups taken in the last 6 hours. Incremental backups only store changes since the last backup (full or incremental), so to reconstruct the file as it existed 6 hours ago, you need the full backup and every incremental backup from that point forward until the corruption time. Without all those increments, the file state cannot be fully reconstructed.

Exam trap

ISC2 often tests the misconception that only the most recent incremental backup is needed, or that all increments since the full backup are required, when in fact the correct set is determined by the specific point in time to which you are restoring.

How to eliminate wrong answers

Option A is wrong because an incremental backup alone contains only changes since the last backup, not the complete file data; without the full backup as a base, the file cannot be restored. Option B is wrong because the most recent full backup alone does not include changes made in the last 6 hours, so the file would be restored to its state at the time of the full backup, not 6 hours ago. Option D is wrong because it includes incremental backups taken after the corruption occurred (i.e., the last 6 hours plus later increments), which would overwrite the corrupted state with even newer changes, failing to restore the file to the exact point 6 hours ago.

241
MCQ · hard

Which statement best describes a warm site in disaster recovery?

A. It has replicated data but no active systems
B. It is fully operational with real-time data synchronization
C. It has hardware and network equipment but requires data restoration from backups
D. It has no hardware or infrastructure installed
Answer: C

A warm site has equipment but not live data, so a restore is needed.

Why this answer

A warm site is a middle-ground disaster recovery option that has hardware and network infrastructure pre-installed but does not have live, synchronized data. Instead, data must be restored from backups (e.g., tape or disk snapshots) before operations can resume. This contrasts with a hot site, which maintains real-time data replication and fully active systems.

Exam trap

ISC2 often tests the distinction between warm and hot sites by making candidates confuse 'pre-installed hardware' (warm) with 'real-time data synchronization' (hot), so the trap is assuming that any site with hardware must also have live data.

How to eliminate wrong answers

Option A is wrong because a site with replicated data but no active systems describes a cold site with data replication, not a warm site; warm sites have hardware but require data restoration. Option B is wrong because a fully operational site with real-time data synchronization defines a hot site, which has zero recovery time objective (RTO) and continuous replication (e.g., synchronous SAN replication). Option D is wrong because a site with no hardware or infrastructure installed is a cold site, which requires full setup before recovery can begin.

242
MCQ · medium

An organization deploys firewalls at the network perimeter, antivirus on endpoints, and encryption for data at rest. This approach best exemplifies which security principle?

A. Separation of duties
B. Diversity of defense
C. Least privilege
D. Defense in depth
Answer: D

Defense in depth uses multiple, overlapping controls.

Why this answer

Correct: D - Defense in depth. Defense in depth uses multiple, overlapping security controls. Option C is wrong because least privilege limits access. Option A is wrong because separation of duties divides responsibilities. Option B is wrong because diversity of defense is not a standard principle.

243
MCQ · medium

Refer to the exhibit. A security analyst sees these logs from a Linux server. Which security control should the analyst recommend to address this pattern?

A. Enable account lockout after 5 failed attempts.
B. Disable root login via SSH.
C. Block the IP address 192.168.1.100 via firewall.
D. Implement two-factor authentication for SSH access.
Answer: D

2FA prevents unauthorized access even if passwords are compromised.

Why this answer

The logs show repeated failed SSH login attempts from a single IP (192.168.1.100) targeting the root account, which is a classic brute-force attack pattern. Two-factor authentication (2FA) for SSH access is the most effective control because it adds a second authentication factor (e.g., TOTP or hardware token) that an attacker cannot bypass even if they guess the password, thus neutralizing the brute-force attack regardless of the number of attempts or the account targeted.

Exam trap

ISC2 often tests the distinction between reactive controls (like blocking an IP or locking an account) and proactive controls (like 2FA) that address the root cause of authentication attacks, leading candidates to pick a quick fix like IP blocking instead of the more robust security measure.

How to eliminate wrong answers

Option A is wrong because account lockout after 5 failed attempts would only lock the root account, but root is a privileged account that should never be locked out for administrative access; also, an attacker could simply switch to another username or wait for the lockout timer to expire. Option B is wrong because disabling root login via SSH does not prevent the attacker from trying other usernames (e.g., admin, user) or from continuing the brute-force attack against non-root accounts; the logs show the attack is against root, but the underlying brute-force pattern remains. Option C is wrong because blocking the IP address 192.168.1.100 via firewall is a reactive, static measure that only stops that specific IP; attackers often rotate IPs or use botnets, so this does not address the broader brute-force pattern and can be easily bypassed.

244
MCQ · hard

During a forensic investigation, an analyst acquires a live system memory dump. Which tool is most appropriate for capturing the contents of volatile memory on a Windows system?

A. DumpIt
B. Wireshark
C. FTK Imager
D. dd
Answer: A

DumpIt is designed specifically for capturing volatile memory on Windows systems.

Why this answer

DumpIt is a lightweight, standalone tool designed specifically for capturing the full contents of volatile memory (RAM) on a Windows system. It creates a raw memory dump file without requiring installation or complex configuration, making it ideal for forensic acquisition of live system memory.

Exam trap

ISC2 often tests the distinction between tools for capturing volatile memory versus non-volatile storage, and candidates may mistakenly choose FTK Imager because it is a well-known forensic suite, but it is not the primary tool for live memory acquisition on Windows.

How to eliminate wrong answers

Option B is wrong because Wireshark is a network protocol analyzer used for capturing and inspecting network traffic, not for acquiring system memory dumps. Option C is wrong because FTK Imager is primarily a disk imaging and forensic analysis tool; while it can capture a memory dump via a separate plugin (e.g., FTK Imager Lite), it is not the most appropriate or direct tool for live memory acquisition. Option D is wrong because dd is a Unix/Linux command-line utility for bit-for-bit disk cloning; it is not natively available on Windows and does not interface with Windows memory structures without additional drivers or wrappers.

245
MCQ · hard

A company is designing a new application that processes credit card payments. They want to ensure that no single administrator can bypass security controls to approve a fraudulent transaction. Which principle should be implemented?

A. Separation of duties
B. Defense in depth
C. Least privilege
D. Need to know
Answer: A

Separation of duties ensures that no single individual has control over all parts of a critical transaction, reducing fraud risk.

Why this answer

Separation of duties ensures that no single administrator has the authority to both initiate and approve a credit card transaction. By dividing critical functions among multiple individuals, the company prevents a single compromised account from authorizing fraudulent payments. This principle directly addresses the risk of insider threats or credential misuse in payment processing systems.

Exam trap

ISC2 often tests separation of duties by presenting a scenario about preventing fraud or abuse, and the trap is that candidates confuse it with least privilege, thinking limiting permissions alone solves the problem, when in fact the core issue is splitting conflicting tasks across different people.

How to eliminate wrong answers

Option B (Defense in depth) is wrong because it refers to multiple layers of security controls (e.g., firewalls, IDS, encryption) rather than dividing administrative responsibilities. Option C (Least privilege) is wrong because it limits access rights to the minimum necessary for a role, but does not prevent a single administrator from having both the ability to create and approve a transaction. Option D (Need to know) is wrong because it restricts access to information based on job function, not the separation of conflicting duties in a transaction workflow.

246
MCQ · medium

After a security audit, a company discovers that several employees have access to financial systems that are not required for their job roles. Which access control model would best prevent this issue in the future?

A. Mandatory access control (MAC)
B. Discretionary access control (DAC)
C. Role-based access control (RBAC)
D. Attribute-based access control (ABAC)
Answer: C

RBAC aligns permissions with job roles, preventing unnecessary access.

Why this answer

Role-based access control (RBAC) assigns permissions based on job roles, ensuring users have only the access needed for their role. DAC allows owners to give access arbitrarily, which could lead to over-provisioning. MAC is rigid and label-based, not ideal for dynamic business needs.

ABAC is flexible but more complex to implement than RBAC for this scenario.

247
MCQ · hard

In a Bell-LaPadula MAC model, which of the following operations is prohibited?

A. A Top Secret subject reads a Confidential object
B. A Top Secret subject reads a Top Secret object
C. A Top Secret subject writes to a Top Secret object
D. A Top Secret subject writes to an Unclassified object
Answer: D

Writing down is prohibited.

Why this answer

In the Bell-LaPadula model, the *-property (star property) prohibits a subject from writing to an object at a lower classification level. A Top Secret subject writing to an Unclassified object would cause a downgrade of sensitive information, violating this property. Therefore, option D is the prohibited operation.

Exam trap

ISC2 often tests the misconception that the *-property (no write down) applies to writing to higher-level objects, when in fact it only restricts writing to lower-level objects, and candidates may confuse it with the simple security property (no read up).

How to eliminate wrong answers

Option A is wrong because the simple security property (no read up) allows a Top Secret subject to read a Confidential object, as it reads down. Option B is wrong because reading an object at the same classification level (Top Secret) is permitted under both the simple security property and the *-property. Option C is wrong because writing to an object at the same classification level (Top Secret) is allowed by the *-property, as it does not involve a downgrade.

248
MCQ · hard

A financial institution requires that no single employee can both initiate and approve a wire transfer. This policy enforces which security principle?

A. Separation of duties
B. Defense in depth
C. Least privilege
D. Need to know
Answer: A

Separation of duties ensures no single person has control over all parts of a transaction.

Why this answer

Separation of duties prevents fraud by dividing critical tasks. Least privilege limits access, but here it's about task division.

249
Multi-Selecteasy

Which TWO of the following are fundamental principles of information security that form the CIA triad?

Select 2 answers
A.Confidentiality
B.Integrity
C.Privacy
D.Non-repudiation
E.Accountability
AnswersA, B

Confidentiality ensures data is accessible only to authorized parties.

Why this answer

Correct: Confidentiality (A) and Integrity (B) are part of the CIA triad. Option C (Privacy) is related but not a core CIA principle; Option D (Non-repudiation) is not part of CIA; Option E (Accountability) is not either.

250
MCQmedium

An organization's recovery time objective (RTO) for its customer database is 4 hours. During a disaster, the backup restore process takes 2 hours, but reconfigure and test tasks add another 3 hours. Which action best addresses this gap?

A.Conduct the restore test only during annual disaster recovery drills.
B.Reduce the recovery point objective (RPO) to minimize data loss.
C.Increase the RTO to 6 hours.
D.Automate the configuration and validation steps after restore.
AnswerD

Automation reduces manual time, helping meet the 4-hour RTO.

Why this answer

The RTO is 4 hours, but the actual recovery time is 2 hours (restore) + 3 hours (reconfigure and test) = 5 hours, exceeding the RTO by 1 hour. Automating the configuration and validation steps (option D) reduces the post-restore manual effort, bringing the total recovery time closer to or within the 4-hour RTO. This directly addresses the gap without altering the RTO or neglecting testing.

Exam trap

ISC2 often tests the distinction between RTO and RPO, and the trap here is that candidates confuse reducing RPO (data loss) with fixing a time-based gap, or they incorrectly assume that simply increasing the RTO is an acceptable solution without considering process improvement.

How to eliminate wrong answers

Option A is wrong because conducting the restore test only during annual drills does not fix the daily operational gap; it merely postpones validation, leaving the recovery process untested and potentially non-compliant with the RTO. Option B is wrong because reducing the RPO (recovery point objective) addresses data loss tolerance, not recovery time; it does not reduce the 5-hour total recovery duration. Option C is wrong because increasing the RTO to 6 hours accepts the inefficiency rather than fixing it; best practice is to improve the process to meet the original RTO, not relax the requirement.

251
Multi-Selecteasy

Which TWO of the following are best practices for password management in a corporate environment?

Select 2 answers
A.Store passwords in plaintext in a shared document.
B.Enforce password complexity requirements.
C.Prohibit password changes more than once per year.
D.Share passwords among team members for shared accounts.
E.Implement multi-factor authentication.
AnswersB, E

Complex passwords are harder to guess or crack.

Why this answer

Option B is correct because enforcing password complexity requirements (e.g., minimum length, character types) reduces the risk of brute-force and dictionary attacks by increasing the effective keyspace. Option E is correct because multi-factor authentication (MFA) adds an additional layer of security beyond the password, mitigating credential theft or reuse. Together, they form a defense-in-depth approach to authentication security.

Exam trap

ISC2 often tests the misconception that frequent password changes improve security, but the CC exam expects candidates to know that NIST now recommends against mandatory periodic changes unless there is evidence of compromise, and that sharing passwords is never a best practice.

252
Multi-Selecteasy

Which TWO of the following are examples of physical access controls?

Select 2 answers
A.Encryption
B.Biometric scanners
C.Smart cards
D.Intrusion Prevention Systems (IPS)
E.Firewalls
AnswersB, C

Biometrics are physical attributes used for authentication.

Why this answer

Biometric scanners (Option B) are physical access controls because they authenticate individuals based on unique biological traits (e.g., fingerprints, iris patterns) to grant or deny entry to a physical space, such as a server room or data center. This is a tangible, hardware-based mechanism that directly controls physical access, aligning with the definition of physical access controls in the CC exam.

Exam trap

ISC2 often tests the distinction between physical controls (tangible, hardware-based mechanisms that restrict physical access) and logical/technical controls (software or network-based protections), causing candidates to mistakenly classify encryption or firewalls as physical controls.

253
MCQhard

A security professional is evaluating a system that uses a trust model where every component authenticates to each other before communicating. Which security principle does this model exemplify?

A.Least privilege
B.Separation of duties
C.Non-repudiation
D.Defense in depth
AnswerD

Mutual authentication adds a layer of security, exemplifying defense in depth.

Why this answer

Correct: D - Defense in depth. While zero trust is a model, defense in depth is the principle of multiple layers; mutual authentication is one such layer. Option A is wrong because least privilege is about access rights. Option B is wrong because separation of duties divides roles. Option C is wrong because non-repudiation prevents a party from denying an action.

254
Multi-Selecthard

Which THREE are common indicators of a compromised system? (Select THREE.)

Select 3 answers
A.Unexpected software installations
B.Unusual outbound network connections
C.High CPU usage during business hours
D.System uptime greater than 30 days
E.Multiple failed login attempts leading to account lockout
AnswersA, B, E

Malware often installs without user consent.

Why this answer

Unexpected software installations are a common indicator of compromise because attackers often deploy malware, backdoors, or remote access tools (RATs) without user consent. In a CC context, this aligns with the principle that unauthorized software changes signal a breach, as legitimate installations typically follow change management processes. The presence of unknown executables or services in the system's process list or startup entries is a red flag.

Exam trap

ISC2 often tests the distinction between symptoms of normal operations (e.g., high CPU usage during business hours) and true indicators of compromise, tricking candidates into selecting benign metrics as signs of a breach.

255
MCQmedium

Refer to the exhibit. Based on the exhibit, which traffic will be permitted?

A.All traffic from 192.168.1.100
B.All traffic from 10.0.1.0/24
C.SSH traffic from any source to 192.168.1.100
D.HTTP traffic from any source to 192.168.1.100
AnswerD

The permit statement allows TCP port 80 (HTTP) traffic to host 192.168.1.100 from any source.

Why this answer

The exhibit shows an access control list (ACL) that permits TCP traffic from any source to destination host 192.168.1.100 on port 80 (HTTP). The ACL entry is `permit tcp any host 192.168.1.100 eq 80`, which matches only HTTP traffic. Therefore, only HTTP traffic from any source to 192.168.1.100 is permitted.

Exam trap

ISC2 often tests the distinction between source and destination in ACL statements, and the trap here is that candidates misread the ACL as permitting traffic from 192.168.1.100 (source) rather than to it (destination), or confuse the port number (80 for HTTP vs. 22 for SSH).

How to eliminate wrong answers

Option A is wrong because the ACL does not permit all traffic from 192.168.1.100; it only permits inbound HTTP traffic to that host, and the source is 'any', not a specific source. Option B is wrong because the ACL does not reference the 10.0.1.0/24 network at all; the source is 'any', and the destination is a single host, not a subnet. Option C is wrong because SSH uses TCP port 22, not port 80; the ACL explicitly matches port 80 (HTTP), so SSH traffic would be denied.

256
MCQeasy

Refer to the exhibit. An AWS IAM policy is shown. Which action is permitted by this policy?

A.Upload objects to the bucket.
B.List all objects in the bucket.
C.Delete objects from the bucket.
D.Read objects from the bucket.
AnswerD

s3:GetObject allows reading (downloading) objects.

Why this answer

The IAM policy grants the `s3:GetObject` action, which allows reading objects from the specified S3 bucket. This action corresponds to downloading or retrieving the content of an object, making option D correct.

Exam trap

ISC2 often tests the distinction between read actions (`s3:GetObject`) and list actions (`s3:ListBucket`), trapping candidates who assume that reading objects also allows listing them.

How to eliminate wrong answers

Option A is wrong because uploading objects requires the `s3:PutObject` action, which is not listed in the policy. Option B is wrong because listing objects requires the `s3:ListBucket` action, which is not included in the policy. Option C is wrong because deleting objects requires the `s3:DeleteObject` action, which is absent from the policy.

257
MCQmedium

A user reports that they are unable to access a shared network drive that they previously could access. The administrator checks permissions and finds the user's account is still a member of the correct group. What should the administrator check next?

A.Group membership inheritance
B.User account lockout status
C.Check for explicit deny permissions on the folder
D.Effective permissions
AnswerC

Deny entries override allows and can cause access issues even with correct group membership.

Why this answer

Even if group membership is correct, explicit deny permissions can override allow permissions. Checking for deny entries on the folder is a logical next step. User lockout would affect all accesses.

Effective permissions would show the combined result but checking for denies is more direct. Password expiration is a login issue, not a permissions issue.

258
MCQmedium

Refer to the exhibit. Based on the report, which improvement is most appropriate?

A.Increase backup frequency
B.Reduce network failover time
C.Implement load balancing
D.Switch to synchronous replication
AnswerD

Synchronous replication guarantees transaction consistency across sites.

Why this answer

Asynchronous replication can lead to data inconsistency during failover. Switching to synchronous replication ensures data consistency at the cost of some latency.

259
Multi-Selectmedium

Which TWO are best practices for managing backup media?

Select 2 answers
A.Encrypt backup data
B.Keep backups on the same server for easy access
C.Store backups in a separate physical location
D.Use only tape media
E.Test backups annually
AnswersA, C

Encryption protects sensitive data from unauthorized access.

Why this answer

Encrypting backup data ensures confidentiality and integrity during transit and at rest, protecting against unauthorized access if media is lost or stolen. This is a critical best practice for compliance with standards like GDPR or HIPAA, and aligns with the principle of defense in depth. Without encryption, backup media becomes a significant security vulnerability.

Exam trap

ISC2 often tests the 3-2-1 backup rule (three copies, two different media, one offsite) to trick candidates into thinking that keeping backups on the same server is acceptable for convenience, when it actually violates the core principle of redundancy.

260
MCQeasy

A security team configures a system to record all user activities for audit purposes. Which principle is being applied?

A.Accountability
B.Integrity
C.Authentication
D.Confidentiality
AnswerA

Accountability ensures actions can be traced via logs.

Why this answer

Correct: A - Accountability. Accountability ensures actions can be traced to an individual through logging. Option B is wrong because integrity ensures data accuracy. Option C is wrong because authentication verifies identity. Option D is wrong because confidentiality prevents unauthorized disclosure.

261
Multi-Selecthard

Which THREE are primary phases of the incident response lifecycle?

Select 3 answers
A.Containment
B.Forensic Analysis
C.Preparation
D.Data Archiving
E.Detection
AnswersA, C, E

Containment phase limits damage and prevents spread.

Why this answer

Containment is a primary phase of the incident response lifecycle because it focuses on stopping the spread of an incident and preventing further damage. In the NIST SP 800-61 framework, containment is explicitly listed as a core phase, following detection and analysis. This phase includes actions such as isolating affected systems, blocking malicious IPs via ACLs, or disabling compromised accounts to limit the blast radius.

Exam trap

ISC2 often tests the distinction between primary phases and supporting activities, so candidates mistakenly select 'Forensic Analysis' or 'Data Archiving' as primary phases when they are actually tasks performed within the Containment or Post-Incident phases.

262
MCQeasy

Which of the following is an example of a detective control?

A.Security awareness training
B.Firewall
C.Encryption
D.Intrusion Detection System (IDS)
AnswerD

IDS monitors and detects potential security breaches.

Why this answer

Option D is correct because an Intrusion Detection System (IDS) detects and alerts on suspicious activity. Option B (firewall) and Option C (encryption) are preventive controls. Option A (security awareness training) is a directive control.

263
MCQmedium

An organization wants to implement defense in depth for its web application. Which combination of controls best illustrates this principle?

A.A strict perimeter firewall without internal controls.
B.Encryption at rest only.
C.A firewall, intrusion detection system, and regular security awareness training.
D.A single strong password policy.
AnswerC

This combines technical, physical, and administrative controls at multiple layers, which is defense in depth.

264
MCQhard

A security incident report indicates that an employee used their access to view confidential records unrelated to their job. Which security principle was most likely violated?

A.Separation of duties
B.Availability
C.Least privilege
D.Non-repudiation
AnswerC

Least privilege requires limiting access to only what is necessary for job functions; the employee had excessive access.

265
MCQmedium

A medium-sized company uses a SIEM solution to collect logs from firewalls, servers, and endpoints. The security team receives an alert indicating a possible data exfiltration: an employee's workstation is sending large amounts of data to an external IP address outside business hours. The employee works in the finance department and has access to sensitive financial records. The SIEM shows the connection is ongoing. The security team must respond immediately to contain the incident while preserving evidence. The company's incident response plan designates the security team as first responders. Which of the following is the BEST first action?

A.Block the external IP address at the firewall and disconnect the workstation from the network.
B.Notify the employee's manager and wait for further instructions.
C.Call the employee to ask if they are transferring files for a legitimate business purpose.
D.Take a forensic image of the workstation's hard drive before anything else.
AnswerA

Stops data exfiltration and isolates the system, following incident response best practices.

Why this answer

Option A is correct because it stops the data flow and isolates the system, containing the incident. Option C could tip off the employee if the activity is malicious and delays containment. Option D (forensic imaging) is important but should be performed after containment to preserve evidence without allowing the exfiltration to continue. Option B delays the response and may allow further damage.

266
MCQmedium

Refer to the exhibit. A security analyst observes repeated outbound connection attempts from an internal server to external IP addresses on a non-standard port. What is the MOST likely interpretation?

A.The server is being used for remote desktop access
B.The server is performing a port scan
C.The server is a legitimate mail server
D.The server is infected with malware
AnswerD

Beaconing to multiple external IPs on a non-standard port is a common malware behavior.

Why this answer

Repeated outbound connection attempts from an internal server to external IP addresses on a non-standard port are a classic indicator of malware command-and-control (C2) activity. Malware often uses non-standard ports to evade detection and establish outbound communication with an external attacker. This behavior is not typical of legitimate services, which use well-known ports and protocols.

Exam trap

ISC2 often tests the distinction between outbound connection attempts (indicative of malware C2) and inbound connection attempts (indicative of remote access or scanning), leading candidates to mistakenly choose remote desktop or port scanning.

How to eliminate wrong answers

Option A is wrong because remote desktop access (e.g., RDP) uses TCP port 3389 by default, not a non-standard port, and would typically involve inbound connections, not repeated outbound attempts. Option B is wrong because a port scan involves sending packets to multiple ports on a target to discover open services, not repeated outbound connection attempts from a single server to external IPs on a single non-standard port. Option C is wrong because a legitimate mail server uses standard ports such as TCP 25 (SMTP), 587 (submission), or 993 (IMAPS), and would not repeatedly connect to arbitrary external IPs on a non-standard port.

267
Multi-Selectmedium

Which TWO of the following are core principles of information security?

Select 2 answers
A.Authentication
B.Integrity
C.Confidentiality
D.Non-repudiation
E.Availability
AnswersB, C

Integrity ensures data is accurate and not modified improperly.

Why this answer

The core principles of information security are the CIA triad: Confidentiality, Integrity, and Availability. Integrity (B) ensures data has not been altered or tampered with, typically verified through hashing algorithms like SHA-256 or HMAC. Confidentiality (C) protects data from unauthorized access, often enforced via encryption (e.g., AES-256).

These three form the foundational security model, while other options are supporting mechanisms.

Exam trap

ISC2 often tests whether candidates can distinguish between core principles (CIA triad) and supporting security services (authentication, non-repudiation), leading many to incorrectly select authentication or non-repudiation as core principles instead of availability.

268
Multi-Selecteasy

Which two of the following are common types of security controls?

Select 2 answers
A.Corrective
B.Preventative
C.Detective
D.Predictive
E.Reactive
AnswersB, C

Preventative controls block attacks before they occur.

Why this answer

Detective and Preventative controls are foundational security control categories. Corrective is also a category but not listed as one of the two most common; Reactive and Predictive are not standard categories.

269
MCQeasy

A small business wants to protect its customer data by ensuring that only employees who need access to perform their jobs can view it. Which security principle is being applied?

A.Separation of duties
B.Defense in depth
C.Least privilege
D.Need-to-know
AnswerC

Least privilege ensures users have only necessary permissions.

Why this answer

Least privilege grants users only the permissions necessary to perform their job functions. Option A (Separation of duties) divides critical tasks among multiple people. Option B (Defense in depth) uses multiple layers of security. Option D (Need-to-know) restricts access to specific data required for a role, but least privilege is the overarching principle.

270
MCQmedium

A healthcare organization uses a legacy application that stores patient records in plain text. The IT team is planning to upgrade the system but needs to ensure compliance with HIPAA. The new system will be hosted on-premises and accessed by doctors and nurses via a web portal. The security team proposes implementing a VPN for remote access, but the CEO wants to allow access from any device without VPN for convenience. Which principle should guide the decision?

A.Defense in depth
B.Least privilege
C.Security is an enabler
D.Risk acceptance
AnswerA

Defense in depth emphasizes multiple layers; a VPN alone is insufficient.

Why this answer

Defense in depth emphasizes multiple layers of security; a VPN alone is insufficient to protect sensitive health records. The CEO's request sacrifices security for convenience, and risk acceptance is not the best approach when stronger controls are feasible.

271
MCQhard

Refer to the exhibit. A security analyst notices that a user with the Finance role is able to write to /finance/data from a macOS device at 10:00 AM. The policy shown is the only policy affecting this resource. What is the most likely reason for this behavior?

A.The condition is evaluated as OR instead of AND.
B.The time condition is evaluated as BETWEEN 09:00 and 17:00 exclusive.
C.The policy is misconfigured with effect Deny.
D.The user's device attribute is incorrectly set to Windows.
AnswerD

If the device OS attribute is wrong, the condition might be satisfied.

Why this answer

Option D is correct because the policy likely includes a device attribute condition (e.g., device.os == 'Windows') that must be satisfied for the Deny effect to apply. Since the user is on a macOS device, the condition evaluates to false, so the Deny is not enforced, and the default Allow (or a broader Allow rule) permits write access. This is a common misconfiguration where the device attribute is set incorrectly, causing unintended access.

Exam trap

ISC2 often tests the nuance that a Deny rule with unmet conditions does not block access—candidates mistakenly assume a Deny rule always denies, but in policy engines, a rule only applies if all its conditions are true; otherwise, the engine falls through to the next rule or default action.

How to eliminate wrong answers

Option A is wrong because the exhibit shows a single condition block; if multiple conditions were present, they would be ANDed by default in Cisco ISE or similar policy engines, not ORed, so this does not explain the behavior. Option B is wrong because the time condition 'BETWEEN 09:00 and 17:00' in Cisco policy engines is inclusive of both endpoints (09:00 and 17:00), not exclusive; 10:00 AM falls within the inclusive range, so the Deny would apply if time were the only factor. Option C is wrong because the policy is configured with effect Deny, but the issue is that the Deny is not being triggered due to a condition mismatch; the policy itself is not misconfigured in terms of effect—it is the condition that fails to match.

272
MCQeasy

Refer to the exhibit. An SOC analyst pulled this log snippet. Which type of attack is most likely in progress?

A.Phishing
B.DDoS attack
C.Man-in-the-middle
D.Insider threat
AnswerB

Coordinated traffic from many sources to a single target is characteristic of DDoS.

Why this answer

The log snippet shows a massive volume of incoming traffic from multiple source IPs targeting a single destination, which is characteristic of a distributed denial-of-service (DDoS) attack. The high packet rate and diverse source addresses indicate an attempt to overwhelm the target's resources, such as bandwidth or server capacity, making services unavailable to legitimate users.

Exam trap

ISC2 often tests the distinction between DDoS and DoS by including logs with multiple source IPs, where candidates might mistakenly focus on the high traffic volume alone and overlook the distributed nature, leading them to choose a generic 'DoS' or another attack type.

How to eliminate wrong answers

Option A is wrong because phishing involves deceptive messages (e.g., emails) to trick users into revealing credentials or installing malware, not a flood of network traffic from many sources. Option C is wrong because a man-in-the-middle attack intercepts and potentially alters communications between two parties, which would show unusual traffic patterns or certificate anomalies, not a high-volume flood from multiple IPs. Option D is wrong because an insider threat originates from within the organization, typically involving unauthorized access or data exfiltration, not a distributed traffic flood from external sources.

273
MCQhard

You are the lead SOC analyst for a medium-sized financial services company. The company uses a hybrid infrastructure with on-premises servers and cloud services (AWS). The SIEM is Splunk Enterprise, collecting logs from firewalls, IDS/IPS, endpoints (Windows and Linux), and AWS CloudTrail. Recently, the company experienced a ransomware attack that encrypted critical file servers. The initial infection vector was a phishing email that led to the download of a malicious macro-enabled document. The document was executed on a Windows workstation, which then established a C2 connection to an external IP. The C2 traffic was over HTTPS, and the workstation was part of the domain. After the attack, the forensic team found that the workstation had Windows Event Logs cleared, and the local admin account had been used to disable the antivirus. The C2 IP was later blocked, but the ransomware had already spread to file servers via SMB. As part of the lessons learned, you need to recommend improvements to prevent and detect such attacks in the future. Which of the following is the BEST course of action to address the specific weaknesses exploited in this incident?

A.Increase the frequency of vulnerability scans and patch all systems within 24 hours of patch release.
B.Implement application whitelisting, disable macros by default, enforce strong local administrator passwords, and segment the network to restrict SMB traffic between workstations and servers.
C.Deploy additional IDS/IPS sensors and tune the SIEM to detect C2 traffic patterns.
D.Require multi-factor authentication (MFA) for all remote access and privileged account use.
AnswerB

These controls directly address the attack vectors: macro execution, local admin abuse, and lateral movement via SMB.

Why this answer

Option B directly addresses the attack chain: disabling macros by default prevents the initial infection vector, application whitelisting blocks unauthorized executables (including the ransomware), strong local admin passwords hinder credential abuse, and network segmentation restricts SMB lateral movement. This combination targets the specific weaknesses exploited (macro execution, antivirus disablement via local admin, and SMB propagation) rather than just detecting or patching after the fact.

Exam trap

ISC2 often tests the concept that prevention (whitelisting, macro control, segmentation) is more effective than detection (IDS/IPS tuning) or reactive measures (patching, MFA) when the attack chain exploits user behavior and local credentials, not external vulnerabilities.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning and patching do not prevent phishing-based macro execution or local admin abuse; the attack exploited user behavior and weak local credentials, not unpatched vulnerabilities. Option C is wrong because additional IDS/IPS and SIEM tuning for C2 traffic only improves detection, not prevention; the C2 traffic was over HTTPS (encrypted), making pattern detection difficult, and the ransomware had already spread before the C2 IP was blocked. Option D is wrong because MFA for remote access and privileged accounts does not address the local admin account used to disable antivirus on the workstation, nor does it prevent macro execution or SMB lateral movement within the internal network.

274
Matchingmedium

Match each phase of the incident response process to its description.


Train and equip the team

Identify and scope the incident

Stop the spread and restore systems

Lessons learned and reporting

Why these pairings

These phases are from NIST SP 800-61 and ISC2 CC.

275
MCQmedium

Refer to the exhibit. What action did the firewall take on the traffic from 10.0.1.15 to 10.0.2.10?

A.Logged and permitted
B.Denied the traffic
C.Permitted the traffic
D.Translated the source address
AnswerB

The syslog message explicitly states 'denied'.

Why this answer

The firewall denied the traffic from 10.0.1.15 to 10.0.2.10 because the access control list (ACL) or security policy explicitly denies the source IP 10.0.1.15, as shown in the exhibit. The firewall processes rules sequentially, and the first matching rule for this traffic is a deny entry, so the packet is dropped without further inspection or logging unless specified.

Exam trap

ISC2 often tests the sequential processing of ACLs, where candidates mistakenly think a later permit rule overrides an earlier deny rule, but the first match always wins.

How to eliminate wrong answers

Option A is wrong because the firewall did not log the traffic; the exhibit shows no log keyword on the matching deny rule, and logging is only triggered by a permit or explicit log action. Option C is wrong because the traffic was not permitted; the first matching rule is a deny, so the packet is dropped before any permit rule is evaluated. Option D is wrong because source NAT (translation) is not applied; NAT rules are typically evaluated after ACLs, and the traffic was denied before any translation could occur.

276
Multi-Selecthard

In incident response, which TWO are considered volatile data that should be collected first? (Select exactly 2.)

Select 2 answers
A.Hard drive contents
B.Network connections
C.Backup tapes
D.System logs
E.Memory contents
AnswersB, E

Active network connections are ephemeral and lost after reboot.

Why this answer

Network connections (option B) are volatile because they represent active communication channels that disappear when the system is powered off or disconnected. In incident response, collecting network connection data (e.g., using netstat -an) first preserves evidence of ongoing malicious activity, such as command-and-control (C2) traffic or lateral movement, before it is lost.

Exam trap

ISC2 often tests the distinction between volatile and non-volatile data, and the trap here is that candidates mistakenly classify system logs as volatile because they change frequently, but logs are stored on disk and are not lost on power-off, whereas network connections and memory are lost immediately.

277
MCQeasy

A government agency stores classified documents on a secure server. The server is connected to the internet, but access is restricted using a firewall and requires two-factor authentication. An auditor discovers that the server's operating system has not been patched for over a year, making it vulnerable to remote code execution attacks. Which security principle is most directly compromised by this missing patch, and what is the best corrective action?

A.Confidentiality; test the patch in a dev environment first before applying to production
B.Non-repudiation; disconnect the server from the internet
C.Integrity; apply the security patch immediately
D.Availability; use a load balancer to distribute traffic
AnswerC

Prompt patching restores the integrity of the system and closes the vulnerability.

Why this answer

Correct: C. Availability and integrity could both be compromised by an unpatched remote code execution vulnerability, and the best action is to apply the security patch immediately. Option A is wrong because, although testing a patch before deployment is good practice, it delays a patch that is urgently needed. Option B is wrong because disconnecting the server from the internet is excessive, and non-repudiation is not the principle at stake. Option D is wrong because a load balancer does not fix the vulnerability.

278
MCQmedium

Based on the backup schedule, what is the maximum potential data loss?

A.9 hours (since Tuesday 01:00)
B.2 days (data since Monday)
C.33 hours (data since Tuesday 01:00)
D.1 day (data since last full backup)
AnswerC

Last successful backup was Tuesday 01:00; failure at Wednesday 10:00 = 33 hours.

Why this answer

The maximum potential data loss is determined by the interval between the last successful backup and the point of failure. With a full backup on Monday at 01:00 and differential backups every 12 hours (Tuesday 01:00 and 13:00), the last backup before a failure at, say, Wednesday 10:00 is Tuesday 13:00. The data loss window spans from Tuesday 13:00 to Wednesday 10:00 (21 hours), but the question's correct answer of 33 hours indicates the failure occurs just before the next differential backup, meaning data since Tuesday 01:00 (the last full backup) is lost if differentials are not applied or the failure destroys the differential chain.

In this scenario, the maximum loss is from the last full backup (Monday 01:00) to the failure point, which is 33 hours if the failure occurs at Wednesday 10:00, but the answer explicitly states 'data since Tuesday 01:00'—this implies the differential backup chain is intact but the last differential was at Tuesday 01:00, and the failure occurs 33 hours later, losing all changes since that differential.

Exam trap

ISC2 often tests the distinction between full, differential, and incremental backups, and the trap here is confusing the last full backup as the recovery point when differential backups actually allow restoration to a much more recent point, causing candidates to overestimate data loss.

How to eliminate wrong answers

Option A is wrong because 9 hours (since Tuesday 01:00) represents only the interval from the last differential backup to a failure shortly after, not the maximum possible loss; the maximum loss must consider the full period since the last successful backup that can be restored. Option B is wrong because 2 days (data since Monday) overestimates the loss; with differential backups, you can restore from the last full backup plus the latest differential, so data loss is limited to the time since that differential, not the full two days. Option D is wrong because 1 day (data since last full backup) ignores that differential backups reduce the recovery point; the maximum loss is not from the full backup but from the last differential backup that was successfully taken before the failure.

279
Matchingmedium

Match each network security concept to its purpose.


Concepts
Matches

Filters traffic based on rules

Segments public-facing servers

Maps private to public IPs

Encrypts data over public networks

Monitors for suspicious activity

Why these pairings

These are fundamental network security components.

280
Multi-Selecteasy

Which THREE of the following are considered fundamental security principles? (Select three).

Select 3 answers
A.Separation of duties
B.Single sign-on
C.Hashing
D.Least privilege
E.Defense in depth
AnswersA, D, E

Correct. Separation of duties is a key principle to prevent fraud and error.

Why this answer

Separation of duties is a fundamental security principle that prevents any single individual from having excessive control over critical processes by dividing responsibilities among multiple people. This reduces the risk of fraud, error, or abuse, as collusion would be required to bypass controls. It is a core concept in access control models and compliance frameworks like SOX and PCI DSS.

Exam trap

ISC2 often tests the distinction between a security principle (a high-level design guideline) and a security mechanism (a specific tool or technology), so candidates mistakenly select SSO or hashing because they are security-related, but they are not fundamental principles.

281
MCQeasy

During a ransomware incident, the incident response team isolates affected systems. Which of the following is the NEXT best step?

A.Preserve forensic evidence from the isolated systems.
B.Wipe and rebuild all affected systems.
C.Notify law enforcement immediately.
D.Pay the ransom to restore operations quickly.
AnswerA

Preserving evidence supports investigation and potential legal action.

Why this answer

After isolating affected systems during a ransomware incident, the next best step is to preserve forensic evidence from those systems. This ensures that data such as memory dumps, logs, and encrypted files are captured intact for analysis, which is critical for understanding the attack vector, identifying the ransomware variant, and potentially recovering data without paying the ransom. Forensic preservation must occur before any remediation steps like wiping or rebuilding, as those actions would destroy the evidence needed for investigation and legal proceedings.

Exam trap

ISC2 often tests the misconception that containment (isolation) is the final step, but the trap here is that candidates skip forensic preservation and jump to remediation (wipe/rebuild) or external actions (law enforcement/payment), failing to recognize that evidence must be secured first to support both investigation and potential recovery.

How to eliminate wrong answers

Option B is wrong because wiping and rebuilding all affected systems destroys forensic evidence and prevents analysis of the ransomware's behavior, encryption keys, or entry point, which is essential for preventing future incidents and potentially recovering data. Option C is wrong because notifying law enforcement immediately is not the next operational step; while it may be required later, the immediate priority is preserving evidence to support any law enforcement investigation, and premature notification without evidence could hinder the response. Option D is wrong because paying the ransom does not guarantee data recovery, encourages further attacks, and violates many organizational policies and legal guidelines; the incident response team should never recommend payment as a first step.

282
Multi-Selecthard

Which THREE of the following are essential components of a security baseline configuration for a server?

Select 3 answers
A.Disable unnecessary services.
B.Enable auditing and logging.
C.Apply the latest security patches.
D.Install all optional software for functionality.
E.Grant administrative rights to all users.
AnswersA, B, C

Reduces the number of potential entry points.

Why this answer

Disabling unnecessary services reduces the attack surface by removing potential entry points for exploitation. Services like Telnet, FTP, or unused web servers should be disabled via systemctl or service managers to prevent unauthorized access or privilege escalation.

Exam trap

ISC2 often tests the principle of least functionality by making candidates think that installing all optional software ensures compatibility, when in reality it violates the core security baseline goal of reducing the attack surface.

283
MCQhard

During a disaster recovery exercise, the team discovers that the backup site does not have the latest security patches applied. Which of the following steps should be taken FIRST?

A.Patch the backup site immediately
B.Shut down the backup site
C.Document the finding and assess risk
D.Continue the exercise and note the issue
AnswerC

Proper incident response documentation and risk assessment are critical first steps.

Why this answer

The first step in any incident or exercise finding is to document the issue and assess the risk it poses. Patching the backup site immediately (Option A) could introduce instability or conflicts with the current exercise, while shutting it down (Option B) would disrupt the DR test. By documenting and assessing risk first, the team can determine the appropriate remediation priority based on the backup site's role and the criticality of the missing patches.

Exam trap

ISC2 often tests the principle that 'document and assess' must precede any corrective action, even in an exercise, to avoid impulsive changes that could invalidate the test results or introduce new risks.

How to eliminate wrong answers

Option A is wrong because applying patches without first assessing the risk could break the backup site's configuration or introduce new vulnerabilities during the exercise, and it may not be the highest priority action. Option B is wrong because shutting down the backup site would halt the disaster recovery exercise and potentially leave the organization without any failover capability, which is counterproductive. Option D is wrong because simply continuing the exercise without documenting or assessing the issue ignores the security gap and could lead to a false sense of readiness, violating standard incident response procedures (NIST SP 800-61).

284
MCQeasy

A security analyst discovers that an employee's workstation has been infected with ransomware. Which security principle has been directly violated?

A.Availability
B.Least privilege
C.Separation of duties
D.Defense in depth
AnswerB

Correct. The user likely had excessive permissions.

Why this answer

Ransomware directly violates the availability security principle because it encrypts files and systems, rendering them inaccessible to authorized users. While the infection may also impact confidentiality or integrity, the immediate and primary effect is denial of access to data and services, which is a breach of availability.

Exam trap

ISC2 often tests the distinction between the CIA triad principles, and the trap here is that candidates confuse the cause (ransomware) with the principle violated, mistakenly thinking 'least privilege' is the answer because the infection occurred, but the direct violation is availability, not least privilege.

How to eliminate wrong answers

Option A is wrong because availability is the principle that is violated, not the one that was directly violated by the ransomware; the question asks which principle has been directly violated, and availability is the correct answer, so this option is actually correct but the question expects the principle that was violated, not the one that was not. Option C is wrong because separation of duties is a control to prevent fraud or errors by dividing responsibilities among multiple people; it is not directly violated by ransomware, which is a technical attack on data access. Option D is wrong because defense in depth is a strategy of layering multiple security controls, not a security principle; the question asks for a security principle, and defense in depth is a design approach, not a principle like confidentiality, integrity, or availability.

285
MCQmedium

A healthcare organization experiences a ransomware attack that encrypts all files on file servers and workstations. The incident response team has isolated the infected systems. The backup policy includes daily incremental backups and weekly full backups stored on a separate network segment. The most recent full backup is 5 days old. The incremental backups from the past 4 days are available but are stored on the same backup server that might be compromised. To restore data with minimal loss, what should the team do?

A.Use the most recent incremental backup to restore files directly.
B.Assume all backups are compromised and rebuild systems from scratch.
C.First verify the integrity of the backups by scanning them on an isolated system, then restore the full backup and apply the most recent clean incremental backups.
D.Restore the weekly full backup and then apply all incremental backups from the past 5 days.
AnswerC

Ensures clean backups and minimal data loss.

Why this answer

Option C is correct. First, verify backup integrity on an isolated system to ensure no ransomware remnants. Then restore the full backup and apply the most recent clean incremental backups.

Option D could restore ransomware if backups are compromised. Option A uses only an incremental backup, missing the full backup. Option B is too drastic if backups are clean.

286
MCQmedium

Refer to the exhibit. A network administrator configured the following firewall rules. After implementation, users from the internal network cannot browse the internet. Which element is causing the issue?

A.Rule id=30
B.Rule id=10
C.Rule id=20
D.The rule order
AnswerD

The deny rule should be after the allow rule to permit internal traffic first.

Why this answer

The issue is that firewall rules are processed in sequential order from top to bottom, and the implicit deny-all rule at the end blocks any traffic that does not match an explicit permit rule. Since rule id=10 permits HTTP/HTTPS from internal to external, but rule id=20 blocks all traffic from the internal network, the deny rule (id=20) is evaluated before any later permit rule (id=30) and thus blocks all internet-bound traffic. The correct answer is D because the rule order causes the deny to override the intended permit.

Exam trap

ISC2 often tests the concept that ACL rule order is critical — candidates mistakenly think that a permit rule later in the list can override an earlier deny, but the first-match principle means the deny is evaluated first and blocks the traffic permanently.

How to eliminate wrong answers

Option A is wrong because rule id=30 (permit from internal to DMZ) is irrelevant to internet browsing and would not cause the block. Option B is wrong because rule id=10 (permit HTTP/HTTPS from internal to external) is actually the intended permit rule, but it is placed before the problematic deny rule; however, the deny rule (id=20) still overrides it due to order. Option C is wrong because rule id=20 (deny all from internal) is the direct cause of the block, but the root issue is its placement before the permit rule (id=30) — the rule itself is not inherently wrong, but its position in the sequence is.

287
MCQmedium

During an incident, an organization needs to preserve volatile data. Which of the following should be collected FIRST?

A.Backup tapes
B.Memory contents
C.Hard drive contents
D.Network logs
AnswerB

Memory is volatile and disappears when the system is turned off.

Why this answer

Volatile data is lost when the system loses power. Memory content is the most volatile.

288
MCQmedium

A company's security policy requires that all data at rest be encrypted. Which of the following is the BEST approach to ensure compliance while maintaining performance?

A.Deploy full disk encryption on all endpoints and servers.
B.Use database encryption to protect sensitive data.
C.Apply network encryption using TLS for all data transfers.
D.Implement file-level encryption for sensitive files only.
AnswerA

Full disk encryption encrypts the entire drive, ensuring all data at rest is protected with minimal performance overhead when using hardware-based encryption.

Why this answer

Full disk encryption (FDE) encrypts the entire storage volume, including the operating system, applications, and all data at rest, ensuring compliance with a policy requiring all data at rest to be encrypted. FDE operates at the block level, typically using AES-256, with minimal performance overhead because encryption and decryption are handled by the disk controller or CPU with hardware acceleration (e.g., AES-NI), making it the best approach for maintaining performance while meeting the broad requirement.

Exam trap

ISC2 often tests the distinction between 'data at rest' and 'data in transit' encryption, and the trap here is that candidates may choose database or file-level encryption because they think it is more targeted, but they overlook the policy's explicit 'all data at rest' requirement, which only full disk encryption satisfies comprehensively.

How to eliminate wrong answers

Option B is wrong because database encryption only protects data within the database, leaving other data at rest (e.g., OS files, logs, temp files) unencrypted, failing the 'all data at rest' requirement. Option C is wrong because network encryption (TLS) protects data in transit, not data at rest, so it does not address the policy requirement at all. Option D is wrong because file-level encryption only encrypts specific files, leaving other data at rest (e.g., system files, swap space, unencrypted directories) exposed, and it often introduces higher performance overhead due to per-file cryptographic operations and key management.

289
MCQmedium

A company's primary data center experiences a complete power failure, and operations are shifted to a secondary site. The failover process takes 4 hours, but the recovery point objective (RPO) is set to 1 hour. Which of the following is the most likely consequence of this incident?

A.Data loss of up to 3 hours occurred.
B.The failover process was unsuccessful.
C.No data loss occurred because the secondary site was available.
D.The recovery time objective (RTO) was not met.
AnswerA

The RPO is 1 hour but failover took 4 hours, causing up to 3 hours of data loss.

Why this answer

The RPO of 1 hour means the company can tolerate losing up to 1 hour of data. Since the failover took 4 hours, any data written in the 3 hours before the power failure that had not yet been replicated to the secondary site would be lost. This results in a data loss window of up to 3 hours, exceeding the RPO.

Exam trap

ISC2 often tests the distinction between RPO (data loss tolerance) and RTO (downtime tolerance), and candidates mistakenly assume that a successful failover means no data loss, ignoring the replication lag.

How to eliminate wrong answers

Option B is wrong because the failover process completed successfully in 4 hours, as stated; the question does not indicate any failure in the failover itself. Option C is wrong because data loss can occur even if the secondary site is available, if the replication lag exceeds the RPO. Option D is wrong because the RTO is the maximum acceptable downtime, and the failover took 4 hours; without knowing the RTO value, we cannot conclude it was not met — the question only provides the RPO.

290
Multi-Selecthard

Which THREE of the following are best practices for securing a remote access VPN?

Select 3 answers
A.Enable multi-factor authentication.
B.Keep VPN client software up to date.
C.Use pre-shared keys for authentication.
D.Enforce strong password policies.
E.Implement split tunneling by default.
AnswersA, B, D

Adds an extra layer of security beyond passwords.

Why this answer

Multi-factor authentication (MFA) adds an additional layer of security beyond just a password, requiring a second factor such as a one-time code from a token or biometric. For a remote access VPN, this mitigates the risk of credential theft or brute-force attacks against the VPN gateway. Even if an attacker obtains a user's password, they cannot authenticate without the second factor, significantly reducing the likelihood of unauthorized access.

Exam trap

ISC2 often tests the misconception that pre-shared keys are acceptable for remote access VPNs because they are simple to configure, but the exam expects you to recognize that PSKs are a weak, shared secret that should be replaced with certificate-based or EAP authentication for secure remote access.

291
MCQeasy

A system administrator must grant a help desk technician the ability to reset user passwords but not change user roles. Which security principle does this scenario enforce?

A.Accountability
B.Principle of least privilege
C.Need-to-know
D.Non-repudiation
AnswerB

The technician has only the necessary permissions (password reset) and no extra privileges (role changes).

Why this answer

Least privilege ensures users have only the permissions needed. Granting password reset but not role changes limits permissions to the job function. Option B is correct.

Option C (need-to-know) limits data access. Option A (accountability) tracks actions. Option D (non-repudiation) ensures actions can't be denied.

292
MCQeasy

After a ransomware attack, which team is primarily responsible for coordinating the response?

A.Executive Management
B.Incident Response Team
C.IT Support
D.Legal Department
AnswerB

The IRT is responsible for coordinating the response to security incidents.

Why this answer

The Incident Response Team (IRT) is primarily responsible for coordinating the response to a ransomware attack because it follows a predefined incident response plan (IRP) that includes containment, eradication, and recovery procedures. The IRT typically includes security analysts, forensic experts, and system administrators who execute technical steps such as isolating affected systems, analyzing the ransomware strain, and restoring from backups. This team operates under the NIST SP 800-61 framework, ensuring a structured and rapid response to minimize damage.

Exam trap

ISC2 often tests the misconception that Executive Management or Legal should lead the response due to their authority or compliance role, but the exam emphasizes that technical coordination belongs to the Incident Response Team as defined in the CC curriculum's incident response process.

How to eliminate wrong answers

Option A is wrong because Executive Management provides strategic oversight and approves budget/resource allocation, but they lack the technical expertise to coordinate hands-on incident response activities like network isolation or forensic analysis. Option C is wrong because IT Support focuses on routine user troubleshooting and system maintenance, not on executing the specialized containment and eradication steps required during a ransomware incident, such as analyzing malware indicators of compromise (IOCs) or applying firewall rules. Option D is wrong because the Legal Department handles regulatory compliance, breach notification, and liability issues, but they do not perform the technical coordination of response actions like system restoration or evidence preservation.

293
Multi-Selecthard

Which THREE of the following are best practices for securing a wireless network?

Select 3 answers
A.Disable SSID broadcast
B.Use WPA2 encryption
C.Enable MAC address filtering
D.Use a strong passphrase
E.Implement a captive portal
AnswersA, B, D

Disabling SSID broadcast hides the network from casual scanning, though it is not a strong security measure.

Why this answer

WPA2 encryption, disabling SSID broadcast (though not strong, often considered best practice in older materials), and using a strong passphrase are commonly recommended. MAC filtering and captive portals are not primary security controls.

294
MCQeasy

An AWS bucket policy is shown. What is the security implication?

A.The bucket allows anonymous write access
B.The bucket allows read access to anyone from a specific IP range
C.The policy contains a syntax error
D.The bucket is fully public
AnswerB

Principal '*' means anyone, but access is restricted by IP.

Why this answer

The bucket policy grants the `s3:GetObject` action (read access) to all principals (`"Principal": "*"`) but only if the request originates from the specified IP range (`"IpAddress": {"aws:SourceIp": "10.0.0.0/24"}`). This means anyone on the internet can read objects, but only if their source IP falls within that CIDR block. This is a common pattern for allowing read access to a trusted network without requiring AWS credentials.

Exam trap

ISC2 often tests the distinction between a bucket being 'public' (anyone can access) versus having a condition that restricts access to a specific IP range, causing candidates to mistakenly think any policy with `Principal: "*"` makes the bucket fully public.

How to eliminate wrong answers

Option A is wrong because the policy only grants `s3:GetObject` (read) access, not `s3:PutObject` or `s3:DeleteObject` (write) access; anonymous write access would require an explicit `Effect: Allow` for write actions. Option C is wrong because the policy syntax is valid — it uses the correct `Condition` block with `IpAddress` and `aws:SourceIp`, which is a standard AWS IAM policy element. Option D is wrong because the bucket is not fully public; access is restricted by the IP address condition, so only requests from the `10.0.0.0/24` range are allowed, not the entire internet.

295
MCQeasy

An administrator reviews the exhibit. Which security principle is being violated?

A.Non-repudiation
B.Separation of duties
C.Least privilege
D.Accountability
AnswerC

Correct. Write access may be excessive.

Why this answer

The user has write access to HR documents, which may not be necessary for their role, violating least privilege.

296
MCQhard

A security analyst reviews this firewall log entry. What type of activity is most likely being attempted?

A.A legitimate SMB file sharing connection from an internal client.
B.A potential SMB exploitation attempt from an external host.
C.A port scan attempt on port 445.
D.An outbound connection to an SMB server.
AnswerB

The SYN packet to port 445 from an external source is typical of SMB exploits such as EternalBlue.

Why this answer

The log shows a TCP SYN packet from a high source port to destination port 445 (SMB), commonly used in ransomware attacks like EternalBlue.

297
MCQmedium

A system administrator notices that a user has been granted read and write permissions to a folder but should only have read access. Which type of access control issue does this represent?

A.Excessive permissions
B.Segregation of duties conflict
C.Authorization creep
D.Incomplete revocation
AnswerA

Excessive permissions directly describe having more rights than required.

Why this answer

Excessive permissions occur when a user or group is granted more privileges than necessary for their role. In this scenario, the user has read and write access to a folder but should only have read access, meaning the write permission is unnecessary and violates the principle of least privilege. This is a classic example of excessive permissions, as the user has been over-provisioned beyond their job requirements.

Exam trap

ISC2 often tests the distinction between authorization creep (gradual accumulation over time) and excessive permissions (a one-time over-provisioning), so candidates may confuse the two when the scenario describes a single incorrect assignment.

How to eliminate wrong answers

Option B is wrong because segregation of duties conflicts involve splitting critical tasks among multiple users to prevent fraud or error, not a single user having extra permissions. Option C is wrong because authorization creep refers to the gradual accumulation of permissions over time due to role changes or transfers, not a one-time misassignment of write access. Option D is wrong because incomplete revocation occurs when permissions are not fully removed after a user no longer needs them, whereas here the user was never supposed to have write access in the first place.

298
MCQeasy

A company's security policy requires that employees must change their passwords every 90 days and passwords must be at least 12 characters. Which security principle is being enforced?

A.Integrity
B.Availability
C.Non-repudiation
D.Confidentiality
AnswerA

Regularly changing and strengthening passwords ensures that credentials remain valid and are not compromised, which upholds integrity.

Why this answer

Option A is correct because password complexity and expiration directly support the integrity of authentication by making it harder for attackers to guess or reuse credentials. Confidentiality (D) is about secrecy, but the primary goal here is ensuring that only authorized users can access systems (integrity of access control). Availability (B) and non-repudiation (C) are not the main focus.

299
MCQhard

During an incident response, a forensics analyst captures a memory dump from a compromised server. The analyst needs to ensure the dump is not altered during analysis. Which practice best maintains integrity?

A.Encrypt the memory dump file
B.Maintain a chain of custody log
C.Restrict access to the dump to authorized personnel only
D.Generate a cryptographic hash of the dump before analysis
AnswerD

A hash allows subsequent verification that the data has not been altered.

Why this answer

Creating a cryptographic hash (e.g., SHA-256) of the original dump and verifying it before and after analysis ensures integrity. Option D is correct. Option A (encryption) protects confidentiality, not integrity.

Option C (restricting access) is an access control, not an integrity check. Option B (chain of custody) documents handling but doesn't prevent alteration by itself.

300
MCQhard

Refer to the exhibit. Which security principle is being supported by the logging of these events?

A.Availability
B.Authentication
C.Non-repudiation
D.Accountability
AnswerD

Logs allow tracing failures to an IP address and time, supporting accountability.

Why this answer

Correct: D - Accountability. Logging provides a record of events that can be traced to specific sources, enabling accountability. Non-repudiation involves proof of actions by a user, but these logs do not prove user identity.

Authentication and availability are not directly supported.
