ISC2 Certified in Cybersecurity CC (CC) — Questions 301–375

500 questions total · 7 pages · All types, answers revealed

Page 5 of 7

301
MCQ · easy

A network technician is setting up a remote access VPN for employees using IPsec. The company's firewall is configured to allow IPsec traffic. Employees report that they can successfully establish the VPN connection (tunnel appears up), but they cannot ping or access any internal resources (e.g., file servers). The firewall logs show that packets from the VPN client IP addresses are being dropped at the firewall interface. Which of the following is the MOST likely cause of this issue?

A. The VPN client is not assigned a correct IP address from the pool.
B. The firewall's access control list does not permit traffic from the VPN subnet to the internal network.
C. The firewall's intrusion prevention system is blocking the traffic.
D. The IPsec encryption algorithm is incompatible between client and firewall.
Answer: B

The tunnel being up indicates that IPsec negotiation succeeded, but the firewall still needs an ACL entry permitting the forwarded traffic.

Why this answer

The VPN tunnel is established, meaning Phase 1 and Phase 2 of IPsec are complete and the client has a valid IP from the pool. However, packets from the VPN subnet are being dropped at the firewall interface, which indicates that the firewall's access control list (ACL) does not include a permit statement for traffic sourced from the VPN client subnet destined to the internal network. Without this ACL entry, the firewall will drop the traffic even though the tunnel is up.

Exam trap

ISC2 often tests the distinction between tunnel establishment (IPsec Phase 1 and Phase 2) and traffic forwarding (ACL/permit rules), leading candidates to mistakenly blame encryption mismatches or client IP assignment when the real issue is a missing firewall rule.

How to eliminate wrong answers

Option A is wrong because if the VPN client were not assigned a correct IP address from the pool, the tunnel would not establish successfully (the client would fail Phase 2 or not receive a usable IP), and the logs would show authentication or address assignment failures, not dropped packets at the firewall interface. Option C is wrong because an intrusion prevention system (IPS) typically blocks traffic based on signatures or anomalies, not by default for all traffic from a VPN subnet; the logs would show IPS alerts, not simple drops at the interface. Option D is wrong because if the IPsec encryption algorithm were incompatible, the tunnel would fail to establish (Phase 2 would fail), and the VPN connection would not appear up.

302
MCQ · easy

A small manufacturing company's IT infrastructure consists of a single server running ERP and file services, with a nightly backup to an external hard drive. The server fails due to hardware failure. The company's BCP states that the ERP system must be restored within 8 hours. The backup is 12 hours old. The IT administrator has a spare server of similar configuration. What is the BEST course of action?

A. Use cloud-based ERP temporarily.
B. Perform a bare-metal restore using the backup.
C. Install the backup onto the spare server and restore the data from the external hard drive.
D. Order a new server from the vendor (lead time 3 days).
Answer: C

Utilizes spare server and meets RTO.

Why this answer

Option C is correct because the spare server has a similar configuration, allowing the IT administrator to install the backup software and restore the ERP system and file data from the external hard drive. This approach meets the 8-hour RTO by leveraging the existing backup, even though it is 12 hours old, as the restore process is straightforward and does not require ordering new hardware or migrating to a cloud platform.

Exam trap

The trap here is that candidates may confuse 'bare-metal restore' with a simple file restore, assuming the backup contains a full system image, when in fact the backup is to an external hard drive and likely file-level, making a bare-metal restore impossible without a compatible system image.

How to eliminate wrong answers

Option A is wrong because using a cloud-based ERP temporarily would require significant setup time, data migration, and potential licensing changes, which likely exceeds the 8-hour RTO and introduces complexity not aligned with the existing BCP. Option B is wrong because a bare-metal restore requires the backup to be in a specific format (e.g., system image) and the spare server to have identical hardware; the backup is to an external hard drive, likely file-level, not a full system image, making a bare-metal restore impractical. Option D is wrong because ordering a new server with a 3-day lead time far exceeds the 8-hour RTO, and the spare server is already available, making this the slowest and least effective course of action.

303
Multi-Select · hard

An organization is planning to implement a security operations center (SOC) and is considering different monitoring strategies. Which THREE of the following are essential components of a tiered SOC model? (Choose three.)

Select 3 answers
A. A SOC manager who oversees daily operations and reporting
B. A dedicated threat intelligence team that provides context on indicators
C. Tier 2 analysts who conduct in-depth analysis and incident response
D. Tier 1 analysts who monitor alerts and perform initial triage
E. Tier 3 analysts who focus on threat hunting and advanced forensics
Answers: C, D, E

Tier 2 handles escalated incidents and performs root cause analysis.

Why this answer

Option C is correct because Tier 2 analysts in a tiered SOC model are responsible for in-depth analysis of escalated incidents, performing incident response actions, and determining the scope and impact of security events. This tier bridges the gap between initial triage and advanced threat hunting, ensuring that confirmed incidents are properly contained and remediated.

Exam trap

ISC2 often tests the distinction between SOC tiers and supporting roles; the trap here is that candidates mistake management or intelligence functions as part of the tiered analyst hierarchy, when only Tier 1, Tier 2, and Tier 3 analysts constitute the core escalation model.

304
MCQ · hard

An organization uses a warm site for disaster recovery. Which of the following is the MOST significant risk of this approach?

A. Data may not be synchronized with the primary site
B. The site may be too far away
C. The site may not have recent data
D. High cost of maintaining duplicate hardware
Answer: A

Lack of real-time replication means data loss up to the last backup.

Why this answer

A warm site has infrastructure and connectivity ready but does not maintain real-time data synchronization with the primary site. The most significant risk is that data may not be synchronized, meaning the Recovery Point Objective (RPO) could be hours or days old, leading to potential data loss during failover. Unlike a hot site with synchronous replication, a warm site typically uses periodic backups or asynchronous replication, creating a gap in data currency.

Exam trap

ISC2 often tests the distinction between hot, warm, and cold sites by focusing on data synchronization versus infrastructure readiness — the trap here is that candidates confuse 'data may not be recent' (Option C) with the more precise technical risk of 'data may not be synchronized,' which is the defining vulnerability of a warm site.

How to eliminate wrong answers

Option B is wrong because distance is a consideration for any DR site (hot, warm, or cold) and is not specific to the warm site model; latency can be mitigated with WAN optimization or replication tuning. Option C is wrong because it is essentially a restatement of the data synchronization issue but less precise — the core risk is lack of synchronization, not merely that data 'may not have recent data,' which is a symptom of the synchronization gap. Option D is wrong because high cost of maintaining duplicate hardware is a characteristic of a hot site, not a warm site; a warm site typically has lower hardware costs as it may not run full production-equivalent systems until activation.

305
MCQ · medium

An organization experiences a ransomware attack that encrypts critical file servers. The backups are stored on a separate network segment but are also encrypted. The incident response team suspects the attacker compromised the backup system using stored credentials. Which best practice should have been implemented to prevent this?

A. Implement air-gapped backups stored offline
B. Enable multi-factor authentication (MFA) on backup system access
C. Encrypt backup data at rest and in transit
D. Use a separate VLAN for backup traffic
Answer: B

MFA mitigates the risk of credential theft, as the attacker would need an additional factor to authenticate.

Why this answer

Option B is correct because enabling multi-factor authentication (MFA) on backup system access would have prevented the attacker from using stored credentials to compromise the backup system. MFA requires an additional authentication factor beyond just a password or stored token, making credential theft or reuse insufficient for access. This directly addresses the attack vector described—stolen credentials—rather than relying solely on network segmentation or encryption.

Exam trap

ISC2 often tests the distinction between preventive controls that stop the attack vector (MFA on access) versus controls that mitigate damage after compromise (air gaps, encryption, VLANs), leading candidates to choose network segmentation or encryption instead of addressing the credential theft directly.

How to eliminate wrong answers

Option A is wrong because air-gapped backups stored offline would prevent encryption of the backup data during the attack, but the question specifically states the backups were on a separate network segment and were encrypted using stored credentials; an air gap does not address the root cause of credential compromise and reuse. Option C is wrong because encrypting backup data at rest and in transit protects the confidentiality of the data but does not prevent an attacker from accessing or encrypting the backup system itself using valid credentials. Option D is wrong because using a separate VLAN for backup traffic provides network segmentation but does not prevent an attacker who has compromised credentials from authenticating to the backup system from within that VLAN or from another compromised host.

306
MCQ · medium

A company implements role-based access control (RBAC) to ensure users have only the permissions necessary for their job roles. This is an example of:

A. Least privilege
B. Defense in depth
C. Separation of duties
D. Need-to-know
Answer: A

RBAC enforces least privilege by granting only required permissions.

Why this answer

RBAC enforces least privilege by granting permissions based on roles. Option C (Separation of duties) divides tasks among different people. Option D (Need-to-know) restricts access to specific data. Option B (Defense in depth) is the layering of controls.

307
MCQ · hard

Refer to the exhibit. A user from the Auditors group is unable to access the folder. What is the most likely cause?

A. The user is not a member of the Auditors group
B. A deny entry for Auditors overrides the allow
C. The Auditors group has only read permission, which is insufficient
D. The folder is encrypted
Answer: B

The deny entry explicitly blocks read access, causing the failure despite the allow.

Why this answer

In NTFS permissions, a Deny entry explicitly blocks access and takes precedence over any Allow entries, regardless of the order in which they are applied. Since the user is a member of the Auditors group, the Deny entry for that group overrides any Allow permissions the user might have individually or through other group memberships. This is the most likely cause of the access failure.

Exam trap

ISC2 often tests the principle that Deny entries override Allow entries in NTFS permissions, and the trap here is that candidates mistakenly think the order of permission entries or the most specific permission wins, rather than recognizing that Deny always takes precedence.

How to eliminate wrong answers

Option A is wrong because the user is explicitly stated to be from the Auditors group, so they are a member. Option C is wrong because even if the Auditors group has only Read permission, that would still allow the user to access the folder (read contents), but the user cannot access it at all, indicating a Deny is in effect. Option D is wrong because encryption (e.g., EFS) would not prevent access if the user has the proper decryption key; the scenario points to a permission conflict, not encryption.

308
MCQ · medium

A company's remote access VPN uses IPsec with pre-shared keys. Employees report that they cannot connect from home. The VPN server logs show 'IKE authentication failed.' The help desk confirms the pre-shared keys are correct. Which of the following is the most likely cause?

A. The client is behind a NAT device that blocks IPsec traffic
B. The VPN server is not responding to IKE requests
C. The client's certificate has expired
D. The IKE phase 1 parameters (encryption, hash, DH group) do not match
Answer: D

Mismatched parameters cause authentication failure despite correct keys.

Why this answer

Option D is correct because 'IKE authentication failed' specifically indicates a failure during IKE phase 1, where the peers negotiate security parameters. Even if the pre-shared key is correct, mismatched encryption (e.g., AES vs. 3DES), hash (e.g., SHA-1 vs. SHA-256), or Diffie-Hellman group (e.g., group 2 vs. group 14) will cause the IKE SA to fail, preventing phase 1 authentication from completing.

Exam trap

ISC2 often tests the distinction between 'IKE authentication failed' (which points to phase 1 parameter mismatch or PSK error) and 'no response' (which points to firewall/NAT blocking), trapping candidates who assume NAT is always the culprit without reading the log message carefully.

How to eliminate wrong answers

Option A is wrong because NAT devices typically block ESP/AH traffic, which would cause 'no response' or 'timeout' errors, not 'IKE authentication failed' — IKE itself uses UDP port 500/4500 and can often traverse NAT with NAT-T. Option B is wrong because if the VPN server were not responding, the client would see 'no response' or 'timeout' messages, not a specific 'IKE authentication failed' log entry, which requires the server to have received and processed the IKE request. Option C is wrong because certificates are not used with pre-shared keys; the error message explicitly references IKE authentication, which for PSK uses the pre-shared key, not a certificate — certificate expiration would cause a different error like 'certificate validation failed'.

309
MCQ · medium

An organization implements a bring-your-own-device (BYOD) policy. Which security control is most important to enforce in the BYOD policy?

A. Require complex passwords
B. Install a firewall on each device
C. Enable full disk encryption
D. Implement mobile device management (MDM) for remote wipe and policy enforcement
Answer: D

MDM allows IT to enforce security policies and remotely wipe devices if lost or stolen.

Why this answer

Mobile device management (MDM) is the most important control for a BYOD policy because it provides centralized policy enforcement, remote wipe capabilities, and device compliance monitoring. Unlike isolated controls like passwords or encryption, MDM allows the organization to enforce security policies dynamically and revoke access or wipe corporate data if a device is lost, stolen, or non-compliant.

Exam trap

ISC2 often tests the misconception that a single technical control (like encryption or passwords) is sufficient for BYOD security, when the real exam focus is on centralized management and the ability to enforce and revoke policies remotely via MDM.

How to eliminate wrong answers

Option A is wrong because requiring complex passwords alone does not protect data if the device is lost or stolen; passwords can be bypassed or guessed, and they do not provide remote wipe or policy enforcement. Option B is wrong because installing a firewall on each device is impractical in BYOD scenarios (users may disable it, and it does not protect against data leakage or device loss), and it does not address the core need for centralized control and data separation. Option C is wrong because full disk encryption protects data at rest but does not enable remote wipe, policy enforcement, or the ability to selectively wipe corporate data without affecting personal data, which is critical in BYOD environments.

310
MCQ · easy

A company's primary data center is destroyed by a natural disaster. The backup site has been fully synchronized but needs to be activated. Which process addresses the activation of the backup site?

A. Risk Management Plan
B. Incident Response Plan (IRP)
C. Disaster Recovery Plan (DRP)
D. Business Continuity Plan (BCP)
Answer: C

DRP specifically addresses IT infrastructure recovery and activation of backup sites.

Why this answer

The Disaster Recovery Plan (DRP) specifically outlines the procedures for activating a backup site after a primary data center failure. In this scenario, the backup site is fully synchronized but requires activation, which involves steps like DNS changes, storage array failover (e.g., using synchronous replication with a quorum witness), and network reconfiguration. The DRP is the document that contains these technical recovery steps, distinguishing it from broader continuity or incident response plans.

Exam trap

ISC2 often tests the distinction between BCP and DRP by presenting a scenario where the backup site is already synchronized but needs activation, leading candidates to incorrectly choose BCP because they confuse business continuity with technical disaster recovery.

How to eliminate wrong answers

Option A is wrong because a Risk Management Plan identifies, assesses, and mitigates risks before an incident occurs; it does not contain the step-by-step activation procedures for a backup site. Option B is wrong because an Incident Response Plan (IRP) focuses on immediate containment, eradication, and recovery from security incidents (e.g., malware, data breaches), not on activating a backup data center after a natural disaster. Option D is wrong because a Business Continuity Plan (BCP) addresses maintaining critical business functions during a disruption, often through alternative work arrangements or manual processes, but it does not provide the technical failover steps for activating a backup data center.

311
MCQ · medium

A company has implemented a security information and event management (SIEM) system. The SOC team notices that the SIEM is generating a high volume of false positive alerts from a specific web application firewall (WAF). The WAF logs show many requests with SQL injection patterns, but the application is not vulnerable. Which of the following actions would BEST reduce false positives without compromising security?

A. Create a SIEM rule to suppress alerts from that WAF
B. Increase the alert threshold in the WAF to reduce sensitivity
C. Tune the WAF's detection rules based on the application's normal traffic profile
D. Disable SQL injection detection in the WAF for that application
Answer: C

Tuning reduces false positives by filtering out benign patterns that resemble attacks.

Why this answer

Option C is correct because tuning the WAF's detection rules to match the application's normal traffic profile reduces false positives by filtering out benign requests that resemble SQL injection patterns. This approach maintains security by still detecting actual attacks, unlike simply suppressing alerts or disabling detection. The SIEM should correlate WAF alerts with application context, but the root cause is the WAF's overly broad rules, which need refinement.

Exam trap

ISC2 often tests the misconception that suppressing alerts or disabling detection is acceptable, but the correct approach is to tune detection rules to balance security and operational efficiency.

How to eliminate wrong answers

Option A is wrong because suppressing alerts from the WAF in the SIEM ignores the underlying issue, potentially missing real attacks and creating a blind spot in monitoring. Option B is wrong because increasing the alert threshold in the WAF reduces sensitivity globally, which could cause true SQL injection attacks to be missed, compromising security. Option D is wrong because disabling SQL injection detection entirely removes a critical defense layer, leaving the application exposed to actual SQL injection attempts.

312
Multi-Select · medium

Which TWO are characteristics of Role-Based Access Control (RBAC)?

Select 2 answers
A. Users are assigned to roles, and inherit permissions from those roles.
B. Object owners can delegate permissions to others.
C. Access decisions are based on security labels.
D. It enforces a centralized policy that cannot be overridden by users.
E. Permissions are assigned to roles, not individual users.
Answers: A, E

Role assignment is fundamental to RBAC.

Why this answer

Option A is correct because RBAC defines roles that group specific permissions, and users are assigned to these roles. When a user is added to a role, they automatically inherit all permissions associated with that role, simplifying administration and ensuring consistent access rights across the organization.

Exam trap

ISC2 often tests the distinction between RBAC and DAC by presenting delegation of permissions (Option B) as a plausible RBAC feature, when in fact it belongs to DAC.

313
MCQ · hard

When implementing a role-based access control (RBAC) system, what is the primary challenge organizations face?

A. Managing password complexity
B. Ensuring users do not share passwords
C. Role explosion
D. Defining roles that align with job functions
Answer: C

Role explosion leads to administrative overhead and is a frequent pitfall in RBAC.

Why this answer

Role explosion is the primary challenge in RBAC because as organizations grow, the number of distinct roles can proliferate rapidly, leading to administrative overhead, complexity in role management, and potential security gaps. This occurs when roles are defined too granularly or for every unique combination of permissions, making it difficult to maintain least privilege and audit access. Proper RBAC design requires careful role engineering to minimize the number of roles while still mapping to job functions.

Exam trap

ISC2 often tests the misconception that the main difficulty in RBAC is defining roles themselves, when in fact the real operational challenge is controlling role proliferation (role explosion) after initial implementation.

How to eliminate wrong answers

Option A is wrong because managing password complexity is a concern of authentication mechanisms, not RBAC, which focuses on authorization after authentication. Option B is wrong because ensuring users do not share passwords is an authentication policy issue, unrelated to the role-based access control model. Option D is wrong because defining roles that align with job functions is actually a fundamental requirement of RBAC, not a primary challenge; the challenge arises when too many roles are created (role explosion), not from the initial definition itself.

314
MCQ · medium

You are designing a backup strategy for a critical database. The business requires that in the event of a failure, data loss must not exceed 15 minutes. Which metric primarily addresses this requirement?

A. Service Level Agreement (SLA)
B. Mean Time Between Failures (MTBF)
C. Recovery Point Objective (RPO)
D. Recovery Time Objective (RTO)
Answer: C

RPO specifies the maximum age of data that must be restored, directly limiting data loss.

Why this answer

Option C is correct because the Recovery Point Objective (RPO) defines the maximum acceptable data loss expressed as a span of time, so it directly addresses the 15-minute data loss tolerance. The Recovery Time Objective (RTO) concerns the duration of downtime, MTBF relates to component reliability, and an SLA is a service agreement.

315
MCQ · medium

A security analyst receives an alert of unusual network traffic from an internal host to an external IP known for command-and-control. After isolating the host, what should be the next step?

A. Wipe the host and reinstall OS
B. Preserve forensic evidence and analyze
C. Reimage the host from backup
D. Notify law enforcement
Answer: B

Preserving and analyzing evidence is critical to understand the compromise and prevent future incidents.

Why this answer

Preserving forensic evidence and analyzing the host is the correct next step because incident response methodology (e.g., NIST SP 800-61) requires containment followed by evidence collection and analysis to determine the scope of compromise, identify indicators of compromise (IOCs), and understand the attack vector. Wiping or reimaging destroys volatile data (e.g., memory, running processes, network connections) and artifacts (e.g., registry keys, prefetch files, event logs) that are critical for attribution and remediation. Analysis may involve memory forensics (using tools like Volatility) and disk forensics to extract malware samples, C2 communication logs, and lateral movement traces.

Exam trap

ISC2 often tests the misconception that immediate containment (like wiping or reimaging) is the priority, but the trap here is that the CC exam emphasizes the incident response process order: isolate, then preserve evidence, then analyze, then remediate — skipping evidence preservation violates standard forensic procedures.

How to eliminate wrong answers

Option A is wrong because wiping the host and reinstalling the OS destroys all forensic evidence, preventing root cause analysis and potentially allowing the attacker to persist if the infection vector is not identified. Option C is wrong because reimaging from backup may reintroduce the same vulnerability or malware if the backup is also compromised, and it skips the critical step of evidence preservation and analysis. Option D is wrong because notifying law enforcement is premature before internal investigation confirms the incident's nature and scope; law enforcement involvement typically occurs after evidence is preserved and a decision is made to pursue legal action, not as an immediate next step.

316
MCQ · medium

A company uses WPA2-Enterprise for wireless authentication. What additional security measure should be implemented to protect against rogue access points?

A. Enable MAC filtering
B. Deploy a wireless intrusion prevention system (WIPS)
C. Implement 802.1X with mutual authentication
D. Use WPA3
Answer: B

WIPS detects and prevents rogue access points.

Why this answer

WPA2-Enterprise uses 802.1X for authentication, but it does not inherently detect or block rogue access points (APs) that mimic legitimate SSIDs. A Wireless Intrusion Prevention System (WIPS) continuously monitors the RF spectrum, identifies unauthorized APs by analyzing beacon frames, probe responses, and MAC addresses, and can automatically contain them by sending deauthentication frames or alerting administrators. This is the most direct and effective measure to protect against rogue APs in an enterprise WLAN.

Exam trap

ISC2 often tests the misconception that WPA2-Enterprise or 802.1X alone can prevent rogue APs, but the trap is that these protocols authenticate users and servers, not the physical AP device itself, leaving the network vulnerable to rogue APs that broadcast the same SSID.

How to eliminate wrong answers

Option A is wrong because MAC filtering is a weak, static access control that can be easily bypassed by MAC spoofing and does not detect or prevent rogue APs from operating. Option C is wrong because 802.1X with mutual authentication (EAP-TLS, for example) already authenticates both the client and the RADIUS server, but it does not monitor the airwaves for unauthorized APs; a rogue AP can still broadcast the same SSID and trick clients into connecting before any 802.1X exchange completes. Option D is wrong because WPA3, while more secure than WPA2, still does not include built-in rogue AP detection or containment; it only improves encryption and authentication (e.g., SAE) but does not replace the need for a dedicated WIPS.

317
MCQ · easy

A security analyst notices that a user has been granted access to files beyond their job function. Which principle is violated?

A. Least privilege
B. Authentication
C. Non-repudiation
D. Accountability
Answer: A

Excessive access violates the least privilege principle.

Why this answer

Least privilege requires that users be granted only the minimum permissions necessary to perform their duties. The scenario shows excessive access, directly violating this principle.

318
Multi-Select · hard

Which THREE of the following are considered methods to ensure accountability in a system?

Select 3 answers
A. Data encryption
B. Audit logs
C. Digital signatures
D. Intrusion prevention system
E. User authentication
Answers: B, C, E

Audit logs record user actions, enabling traceability.

Why this answer

Accountability requires that actions can be traced to an individual. Audit logs (B) record events. User authentication (E) identifies users. Digital signatures (C) provide non-repudiation and link actions to a signer. Option A (encryption) protects data but does not by itself provide accountability. Option D (intrusion prevention system) blocks malicious traffic but does not trace actions to a user.

319
MCQ · hard

A mid-sized financial services company has recently experienced a security incident where an attacker gained access to the internal network through a compromised VPN account. The account belonged to a remote employee who had been granted full network access. The company's security team is now reviewing their security principles to prevent a recurrence. The company has 500 employees, with 50 remote workers. They use a traditional perimeter-based firewall and VPN for remote access. The incident revealed that the compromised account had access to the entire internal network, including sensitive financial databases. The security team is considering implementing a new access control model. They have identified the following requirements: (1) Remote workers should only access specific applications necessary for their roles, (2) Access should be granted based on identity and device posture, (3) Network segmentation should be enforced regardless of location. Which of the following approaches BEST addresses these requirements?

A. Implement multi-factor authentication on the existing VPN and enforce stricter password policies.
B. Adopt a Zero Trust Architecture (ZTA) that uses an identity-aware proxy and micro-segmentation.
C. Create separate VLANs for each department and restrict inter-VLAN routing with ACLs.
D. Apply the principle of least privilege by reducing user permissions on the network and servers.
Answer: B

ZTA provides identity and device verification, least privilege access to specific applications, and network segmentation regardless of location.

Why this answer

Zero Trust Architecture (ZTA) aligns with all three requirements: it verifies identity and device posture, grants least privilege access to specific applications, and enforces micro-segmentation regardless of location. VPN with MFA (A) still grants broad network access. VLAN-based network segmentation (C) alone does not incorporate identity or device posture. Least privilege (D) is a principle, not an architecture; implementing it without ZTA may not provide the granular, identity-aware control needed.

320
MCQ · medium

A SOC analyst detects a series of failed login attempts from a single external IP address targeting multiple user accounts within a short time. Which action should the analyst take FIRST?

A. Block the IP address at the firewall immediately.
B. Verify if any accounts were successfully compromised.
C. Disable all user accounts that were targeted.
D. Notify law enforcement about the attempted breach.
Answer: B

This assesses immediate impact and guides next steps.

Why this answer

The correct first step is to verify if any accounts were successfully compromised (Option B). In security operations, the priority is to assess the impact of an incident before taking containment actions. If an account was breached, immediate password resets and session invalidation are needed; blocking the IP prematurely could destroy forensic evidence and alert the attacker, while disabling all accounts causes unnecessary business disruption.

The analyst must confirm compromise via log review (e.g., checking for successful authentication events after the failed attempts) to guide the appropriate response.

Exam trap

ISC2 often tests the principle that containment (e.g., blocking an IP) should not be performed before verifying impact, because the first priority in incident response is to confirm whether a breach actually occurred, not to assume the worst and disrupt operations.

How to eliminate wrong answers

Option A is wrong because immediately blocking the IP at the firewall may destroy forensic evidence (e.g., attacker's subsequent actions) and could be a false positive if the IP is legitimate (e.g., a misconfigured VPN). Option C is wrong because disabling all targeted user accounts without evidence of compromise causes unnecessary operational disruption and may lock out legitimate users; the analyst should first verify if any account was actually breached. Option D is wrong because notifying law enforcement is premature and not the first action; internal incident response procedures (verification, containment, eradication) must be followed first, and law enforcement is typically contacted only after confirming a breach and consulting legal counsel.

321
MCQeasy

A small business owner wants to ensure that their company's data remains accurate and unaltered during transmission over the internet. They regularly send financial reports to their accountant via email. The owner is concerned that a hacker might intercept and modify the reports before they reach the accountant. Which security principle is most directly threatened in this scenario, and what is the best technical control to implement?

A.Confidentiality; encrypt the email attachments
B.Non-repudiation; require read receipts
C.Integrity; apply a digital signature or hash to the files
D.Availability; use a redundant email server
AnswerC

Digital signatures and hashes detect and prevent unauthorized changes.

Why this answer

Correct: Integrity is threatened; using digital signatures or hashing ensures data integrity. Option A is wrong because confidentiality protects secrecy, not accuracy; Option B is wrong because non-repudiation prevents denial of an action, but the immediate threat is modification; Option D is wrong because availability ensures access, not integrity.

322
MCQeasy

Refer to the exhibit.

```
C:\> netstat -an | find "LISTENING"
  TCP    0.0.0.0:80            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389     0.0.0.0:0              LISTENING
```

A server administrator runs this command and sees the output. Which service is listening on a port that should typically be disabled to reduce the attack surface?

A.HTTP (port 80)
B.Remote Desktop (port 3389)
C.All of the above
D.HTTPS (port 443)
AnswerB

Port 3389 (RDP) is a common attack vector and should be disabled if remote administration is not strictly required.

Why this answer

Remote Desktop Protocol (RDP) on port 3389 is a high-risk service that should typically be disabled on servers unless absolutely necessary, as it provides a direct graphical interface for remote administration and is a common target for brute-force attacks. The output shows RDP listening on a specific internal IP (192.168.1.10), indicating it is bound to a routable interface, which increases exposure. In contrast, HTTP (port 80) and HTTPS (port 443) are standard web services that are often required for a server's function, so they are not typically disabled for attack surface reduction.

Exam trap

ISC2 often tests the misconception that all listening ports are equally risky, but the trap here is that HTTP and HTTPS are expected services on a server, while RDP is a high-risk administrative service that should be disabled unless explicitly required.

How to eliminate wrong answers

Option A is wrong because HTTP (port 80) is a standard web service that is often necessary for serving web content; disabling it would break normal server functionality, and it is not typically disabled solely to reduce attack surface unless the server has no web role. Option C is wrong because not all services listed should be disabled; only Remote Desktop (port 3389) is the one that should typically be disabled, while HTTP and HTTPS are commonly required. Option D is wrong because HTTPS (port 443) is the secure version of HTTP and is essential for encrypted web traffic; it is not a service that should be routinely disabled, as it protects data in transit.

323
MCQhard

A medium-sized e-commerce company operates a web application on three virtual servers behind a load balancer. The application handles credit card payments and stores customer data in a database server. The company has a security operations team that monitors logs from firewalls, IDS, and servers. One morning, the IDS generates a critical alert indicating a SQL injection attempt from an external IP to the web application. The alert shows that the injection string was `' OR '1'='1' --`. The web server logs confirm that the request returned a 200 OK status and a large response size. The database logs show a query that returned multiple rows. The security analyst needs to determine the best immediate course of action. The company has a documented incident response plan that includes containment, eradication, and recovery phases. Which action should the analyst take first?

A.Apply a virtual patch using a web application firewall (WAF) rule to block similar injection attempts
B.Notify the web development team to fix the SQL injection vulnerability in the code
C.Run a full database backup to preserve evidence
D.Take the web server offline and initiate the containment phase of the incident response plan
AnswerD

Taking the server offline stops the attack and preserves evidence.

Why this answer

The correct first action is to take the web server offline and initiate the containment phase. The IDS alert confirms a successful SQL injection (200 OK, large response, multiple rows returned), indicating a data breach is in progress. Containment must precede any other step to stop further data exfiltration, as per the incident response plan's phases.

Exam trap

ISC2 often tests the order of incident response phases, and the trap here is that candidates confuse 'preserve evidence' (Option C) with the first step, when containment must come first to stop the active breach.

How to eliminate wrong answers

Option A is wrong because applying a WAF rule is a remediation step that should occur after containment, and it does not stop the ongoing breach or preserve evidence. Option B is wrong because notifying the development team to fix the code is part of the eradication phase, which comes after containment; immediate action is needed to halt the attack. Option C is wrong because running a full database backup could overwrite or alter volatile evidence (e.g., logs, memory), and the priority is to stop the attack, not preserve evidence first.

324
MCQhard

During a security audit, it is found that a database administrator can access payroll data. The company policy states that administrators should not have access to sensitive HR data. Which security principle is being violated?

A.Accountability
B.Least privilege
C.Separation of duties
D.Privacy
AnswerC

Correct. The DBA should not have access to payroll data.

Why this answer

The scenario describes a single database administrator having both the ability to access and modify payroll data, which combines operational and oversight roles. Separation of duties (SoD) is the principle that requires splitting critical tasks and privileges among multiple individuals to prevent fraud or error. Here, the administrator's access violates SoD because they can both manage the database and view sensitive HR data, which should require separate authorization.

Exam trap

ISC2 often tests the distinction between least privilege and separation of duties, where candidates mistakenly choose least privilege because they focus on the 'should not have access' phrasing, but the real violation is the combination of conflicting roles, not just excessive permissions.

How to eliminate wrong answers

Option A is wrong because accountability refers to the ability to trace actions to a specific user via logging and auditing, not to restricting access based on role. Option B is wrong because least privilege would limit the administrator's access to only what is necessary for their job, but the core issue here is the combination of conflicting duties (admin and data viewer), not just excessive permissions. Option D is wrong because privacy is a broader concept about protecting personal data from unauthorized disclosure, but the specific security principle violated is the lack of separation between operational and oversight functions.

325
MCQmedium

Refer to the exhibit. The file is readable and writable by everyone. A user from the marketing team, user2, needs to be able to read the file but not write to it. Which command should the administrator use to achieve this?

A.chmod 664 project_data.txt
B.chmod 755 project_data.txt
C.chmod 644 project_data.txt
D.chmod 600 project_data.txt
AnswerC

644 sets read/write for owner, read for group and others, so user2 can read but not write.

Why this answer

Option C is correct because `chmod 644` sets the file permissions to `rw-r--r--`, which grants read and write to the owner, read-only to the group, and read-only to others. Since the file is initially readable and writable by everyone (likely `666`), changing to `644` removes write access for the group and others while preserving read access for all, meeting the requirement that user2 (a marketing team member, presumably in the group or others category) can read but not write.

Exam trap

ISC2 often tests the misconception that `chmod 664` is the standard 'read and write for owner and group, read-only for others' when in fact it grants write to the group, which would allow user2 to write if they are in the group, so candidates must carefully consider the user's group membership and the exact requirement of 'read but not write'.

How to eliminate wrong answers

Option A is wrong because `chmod 664` sets permissions to `rw-rw-r--`, which gives read and write to both the owner and the group; if user2 is in the group, they would have write access, which violates the requirement. Option B is wrong because `chmod 755` sets permissions to `rwxr-xr-x`, which does remove write access for the group and others but also grants execute permission to everyone, a broader permission than a data file needs and more than the requirement calls for. Option D is wrong because `chmod 600` sets permissions to `rw-------`, which removes all read and write access for the group and others, preventing user2 from reading the file, which fails the requirement.

326
MCQhard

A company's network uses 802.1X authentication with PEAP-MSCHAPv2 on wired ports. Users report that after a recent switch firmware update, some workstations fail to authenticate intermittently, while others work fine. The authentication server logs show 'Authentication failed: Unknown CA certificate' for affected workstations. What is the most likely cause?

A.The switch is now using a different certificate that is not trusted by the clients
B.The switch is not forwarding EAP packets properly due to a firmware bug
C.The RADIUS shared secret was changed during the firmware update
D.The authentication server (NPS) is overloaded and dropping requests
AnswerA

The firmware update may have changed the certificate presented by the switch, and clients do not trust it.

Why this answer

The error 'Unknown CA certificate' indicates that the client does not trust the certificate presented by the RADIUS server during PEAP-MSCHAPv2 authentication. After a switch firmware update, the switch may have been reconfigured to use a different server certificate (e.g., a self-signed or internally issued certificate) that is not in the trusted root store of the affected workstations. Since PEAP requires the client to validate the server certificate, a mismatch causes intermittent authentication failures.

Exam trap

ISC2 often tests the distinction between authentication failures caused by certificate trust issues versus RADIUS shared secret mismatches, trapping candidates who confuse server-side RADIUS configuration with client-side certificate validation.

How to eliminate wrong answers

Option B is wrong because if the switch were not forwarding EAP packets properly, the authentication would fail consistently for all clients, not intermittently, and the error would likely be a timeout or EAP failure, not a certificate-specific error. Option C is wrong because the RADIUS shared secret is used for encrypting RADIUS traffic between the switch (NAS) and the authentication server; changing it would cause authentication failures for all users, not just some workstations, and the error would be a RADIUS authentication failure, not a certificate error. Option D is wrong because an overloaded NPS would result in timeouts or dropped requests, not a specific 'Unknown CA certificate' error, which is a client-side certificate validation issue.

327
MCQmedium

A company experiences a ransomware attack that encrypts all files on a critical server. The backup strategy includes nightly backups stored on a separate network. What should be the first action during recovery?

A.Restore all files from the most recent backup.
B.Isolate the affected server from the network.
C.Verify the integrity and availability of the backup data.
D.Report the incident to law enforcement.
AnswerC

Ensures the backup is not compromised before restoring.

Why this answer

Option C is correct because before any recovery action, you must verify that the backup data is intact, uncorrupted, and free from the ransomware. If the backup itself is encrypted or compromised, restoring it would re-infect the environment. This step aligns with the 3-2-1 backup rule and ensures the recovery point is clean.

Exam trap

ISC2 often tests the misconception that the first recovery step is to restore data, but the trap is that you must first confirm the backup is clean to avoid restoring the ransomware itself.

How to eliminate wrong answers

Option A is wrong because restoring immediately from the most recent backup risks restoring encrypted files if the backup was taken after the ransomware began encrypting, or if the backup itself is compromised. Option B is wrong because isolating the server is a containment step, not the first action during recovery; containment should have already occurred before recovery begins. Option D is wrong because reporting to law enforcement is a post-recovery or parallel action, not the first step in technical recovery, and does not address data restoration.

328
MCQeasy

Based on the incident log, at which step did the incident response team contain the threat?

A.14:30 - Scanned system, detected Trojan.Downloader
B.14:45 - Removed malware via AV
C.14:25 - Isolated WKS-045 from network
D.14:35 - Escalated to incident handler
AnswerC

Isolation prevents further spread, containing the threat.

Why this answer

Option C is correct because containment is the immediate step to prevent the threat from spreading, and isolating WKS-045 from the network at 14:25 achieves this by cutting off its network connectivity. This aligns with the NIST SP 800-61 incident response lifecycle, where containment is prioritized before eradication or recovery. The log shows isolation occurred before scanning or removal, making it the correct containment action.

Exam trap

ISC2 often tests the distinction between containment and eradication, where candidates mistakenly choose removal (Option B) as containment, but containment must stop the spread before any cleanup occurs.

How to eliminate wrong answers

Option A is wrong because scanning the system and detecting Trojan.Downloader at 14:30 is a detection and analysis step, not containment; containment must happen before or concurrently with analysis to stop lateral movement. Option B is wrong because removing malware via AV at 14:45 is an eradication step, which occurs after containment to eliminate the threat from the isolated system. Option D is wrong because escalating to the incident handler at 14:35 is a communication and coordination step, not a technical containment action; it does not directly stop the threat from spreading.

329
MCQmedium

A security engineer is designing a network for a small business that needs to segregate guest Wi-Fi from the internal corporate network. The guest network should have internet access only, with no access to internal resources. Which of the following is the BEST design approach?

A.Implement MAC address filtering on the access point to allow only known devices.
B.Connect the guest Wi-Fi to the internet through a separate router that does not have routes to the internal network.
C.Use a single VLAN with a DHCP server that assigns different IP ranges to guests and employees.
D.Place the guest Wi-Fi on a separate VLAN with a firewall rule blocking traffic to internal subnets.
AnswerD

This creates logical isolation and allows granular control over traffic between VLANs.

Why this answer

Option D is the best approach because placing the guest Wi-Fi on a separate VLAN and applying a firewall rule to block traffic to internal subnets provides both logical segmentation and access control. This ensures that guest traffic is isolated at Layer 2 (VLAN) and Layer 3/4 (firewall), preventing any unauthorized access to the corporate network while still allowing internet connectivity through a default route.

Exam trap

ISC2 often tests the misconception that simply using different IP subnets on the same VLAN provides security, when in fact true isolation requires separate VLANs or firewall rules to prevent Layer 2 communication.

How to eliminate wrong answers

Option A is wrong because MAC address filtering only controls which devices can associate with the access point; it does not prevent those devices from accessing internal resources once connected, nor does it scale or provide security against MAC spoofing. Option B is wrong because using a separate router for guest Wi-Fi is unnecessarily complex and costly for a small business; it also fails to leverage existing infrastructure and can lead to routing misconfigurations if not carefully managed, whereas a single router with VLANs and firewall rules achieves the same goal more efficiently. Option C is wrong because a single VLAN with different IP ranges does not provide Layer 2 isolation; devices on the same VLAN can communicate directly via ARP and broadcasts, so guests could still reach internal hosts if they are on the same broadcast domain.

330
MCQmedium

A company's security policy requires that all employees use strong passwords and change them every 90 days. An employee writes their password on a sticky note and attaches it to their monitor. Another employee sees it and uses it to log into the first employee's account to send a fake email. The security team is conducting a post-incident review. Which security principle failed, and what is the most effective long-term solution to prevent this type of incident?

A.Integrity; conduct annual security awareness training
B.Accountability; implement multi-factor authentication
C.Availability; prohibit sticky notes in the office
D.Confidentiality; enforce 15-character passwords
AnswerB

MFA ensures that a password alone is not sufficient for access.

Why this answer

Correct: The failure is in enforcement of policy and user behavior (accountability). The most effective solution is to implement multi-factor authentication (MFA) (B), which reduces reliance on passwords alone. Option A is wrong because training alone is often insufficient; Option C is wrong because prohibiting sticky notes is hard to enforce; Option D is wrong because a longer password is still a single factor and offers no protection once it has been written down and exposed.

331
Multi-Selectmedium

Which TWO of the following are examples of administrative security controls? (Choose two.)

Select 2 answers
A.Intrusion detection system
B.Security awareness training
C.Firewall
D.Encryption
E.Background checks for employees
AnswersB, E

Training is an administrative control that educates users on security policies.

332
MCQhard

An organization is implementing a new system that processes financial transactions. To reduce the risk of fraud, they ensure that no single individual can both initiate and approve a transaction. Which security principle is this?

A.Need to know
B.Separation of duties
C.Accountability
D.Least privilege
AnswerB

Correct. Initiation and approval are separate duties.

Why this answer

Separation of duties (SoD) is the security principle that prevents a single individual from having conflicting responsibilities, such as both initiating and approving a financial transaction. By splitting these tasks across different roles, the organization reduces the risk of fraud or error because collusion would be required to bypass controls. This is a core internal control mechanism in financial systems and aligns with the principle of dual control.

Exam trap

ISC2 often tests the distinction between 'separation of duties' and 'least privilege' by presenting a scenario where a user has too many permissions, tempting candidates to choose least privilege, but the core issue is the conflict of having both initiation and approval authority, not the amount of access.

How to eliminate wrong answers

Option A is wrong because 'need to know' restricts access to information based on job requirements, not the division of conflicting tasks. Option C is wrong because 'accountability' ensures actions can be traced to an individual, but does not inherently prevent a single person from performing both initiation and approval. Option D is wrong because 'least privilege' limits permissions to the minimum necessary for a role, but does not address the conflict of having both initiation and approval capabilities within the same role.

333
MCQhard

A security analyst discovers that an organization's firewall rule set allows all inbound traffic on TCP port 443 from any source to a single web server. Additionally, the server has a known critical vulnerability in its TLS implementation. Which principle of security architecture is most directly violated by this configuration?

A.Least privilege
B.Defense in depth
C.Separation of duties
D.Fail-safe defaults
AnswerA

The rule allows any source, which is the broadest possible privilege, violating the principle of least privilege.

Why this answer

Least privilege requires restricting access to only what is necessary. Allowing inbound traffic from any source (0.0.0.0/0) violates least privilege because the rule is broader than necessary. Option A is correct.

Option B (defense in depth) would be violated if no other controls existed, but the question asks for the most direct violation. Option C (separation of duties) is about task division. Option D (fail-safe defaults) is about default deny.

334
MCQeasy

A company uses encryption to protect data at rest and in transit. This primarily addresses which aspect of the CIA triad?

A.Integrity
B.Authentication
C.Confidentiality
D.Availability
AnswerC

Correct. Encryption protects data confidentiality by making it unreadable to unauthorized parties.

Why this answer

Encryption prevents unauthorized access to data, thereby maintaining confidentiality. While encryption can support integrity, its primary role in this context is confidentiality.

335
Matchingmedium

Match each OSI layer to its function.

Data Link: frames and MAC addresses

Network: routing and IP addresses

Transport: end-to-end reliability

Application: user interface and protocols

Why these pairings

OSI model layers are referenced in network security.

336
Multi-Selectmedium

Which TWO actions are most effective in reducing the mean time to detect (MTTD) a security incident?

Select 2 answers
A.Requiring multi-factor authentication for all remote access
B.Implementing a SIEM with centralized logging from critical systems
C.Conducting annual security awareness training for all employees
D.Deploying endpoint detection and response (EDR) agents on all workstations
E.Standardizing firewall rules across all network segments
AnswersB, D

SIEM correlates events and alerts analysts, reducing detection time.

Why this answer

Option B is correct because a SIEM with centralized logging aggregates and correlates logs from critical systems, enabling real-time analysis and automated alerting. This drastically reduces MTTD by surfacing indicators of compromise (IoCs) within minutes rather than hours or days, as manual log review would require.

Exam trap

The trap here is that candidates confuse preventive controls (MFA, training, firewall rules) with detective controls, failing to recognize that only logging and monitoring tools directly reduce the time to detect an incident.

337
MCQeasy

You are the cybersecurity lead for a mid-sized retail company. One morning, employees report that they cannot access files on the shared drive, and a ransom note appears on several screens demanding $50,000 in Bitcoin. The company has a formal incident response plan that was last updated two years ago and has never been tested. Backups are taken nightly to an on-premises tape library and also replicated to a cloud storage service but have not been verified recently. The CEO is insisting on paying the ransom to avoid business disruption. Which of the following is the MOST appropriate first course of action?

A.Delete all infected files and rebuild the file server from scratch without involving backups.
B.Ignore the incident and continue operations, assuming it will resolve on its own.
C.Pay the ransom immediately to minimize downtime and recover data quickly.
D.Isolate the infected systems from the network, then restore data from the most recent verified backup.
AnswerD

Isolation stops the spread, and restoring from verified backups is the standard incident response procedure.

Why this answer

Option D is correct because the first priority in any ransomware incident is containment: isolating infected systems prevents lateral movement and further encryption. Restoring from the most recent verified backup ensures data integrity and avoids paying the ransom, which does not guarantee decryption and funds criminal activity. The incident response plan should then be activated and updated based on lessons learned.

Exam trap

ISC2 often tests the misconception that paying the ransom is the fastest way to recover data, but the correct answer emphasizes containment and verified backups as the primary incident response steps.

How to eliminate wrong answers

Option A is wrong because deleting infected files and rebuilding from scratch without involving backups discards all data, including potentially unencrypted files, and ignores the need for verified clean backups to restore operations. Option B is wrong because ignoring the incident allows ransomware to spread, encrypt more systems, and cause greater business disruption, violating basic incident response containment principles. Option C is wrong because paying the ransom does not guarantee decryption keys will be provided, encourages further attacks, and bypasses proper forensic investigation and recovery procedures.

338
Multi-Selecthard

Which TWO of the following are examples of detective security controls? (Choose two.)

Select 2 answers
A.Data backup and restoration procedures.
B.Security logging and monitoring.
C.Intrusion detection system (IDS) alerts.
D.Encryption of sensitive data.
E.Firewall rules that block certain traffic.
AnswersB, C

Log analysis and monitoring detect incidents.

Why this answer

Security logging and monitoring (B) and intrusion detection system (IDS) alerts (C) are detective controls. Encryption (D) and firewall rules (E) are preventive. Data backup and restoration (A) is corrective/recovery.

339
MCQmedium

A company experiences a ransomware attack that encrypts all files on a server. Which security control would MOST effectively allow recovery without paying the ransom?

A.Firewall
B.Regular backups
C.Intrusion detection system
D.Antivirus software
AnswerB

Correct. Backups are the primary recovery mechanism against ransomware.

Why this answer

Regular backups enable restoration of encrypted data from a clean copy, bypassing the need to pay the ransom. Other controls help prevent or detect but do not directly facilitate recovery.

340
Multi-Selecthard

Which THREE are valid methods for authenticating a user in an access control system?

Select 3 answers
A.User ID
B.Fingerprint scan
C.Password
D.Smart card
E.Access control list
AnswersB, C, D

A fingerprint is an inherence factor.

Why this answer

A fingerprint scan is a valid authentication method because it falls under 'something you are' (biometric authentication). In access control systems, biometrics like fingerprint scans provide a high level of assurance by verifying a unique physical characteristic of the user, making it a strong factor for authentication.

Exam trap

ISC2 often tests the distinction between identification (e.g., User ID) and authentication (e.g., password, biometric, smart card), and the trap here is that candidates mistakenly treat a User ID as an authentication factor rather than just an identifier.

341
MCQeasy

A company's primary data center is located in a region prone to hurricanes. The IT team is designing a disaster recovery plan to ensure critical applications resume within 4 hours of a declared disaster. Which of the following is the MOST appropriate recovery strategy?

A.Hot site with synchronous replication (RTO 1 hour, RPO near zero)
B.Colocation with tape backups shipped offsite (RTO 24 hours, RPO 24 hours)
C.Cold site with weekly full backups (RTO 48 hours, RPO 7 days)
D.Warm site with daily incremental backups (RTO 6 hours, RPO 4 hours)
AnswerA

Meets RTO and RPO requirements.

Why this answer

A hot site with synchronous replication is the most appropriate strategy because it provides an RTO of 1 hour (well within the 4-hour requirement) and an RPO near zero, ensuring critical applications resume quickly with minimal data loss. Synchronous replication writes data to both primary and replica storage simultaneously, so in a hurricane scenario, the hot site is fully operational and ready to take over immediately.

Exam trap

ISC2 often tests the distinction between RTO and RPO, and the trap here is that candidates may choose a warm site (Option D) because its RTO of 6 hours seems close to 4 hours, overlooking that the achievable RTO must be no greater than the requirement; a hot site with synchronous replication is the only option that meets the 4-hour RTO and also delivers near-zero RPO for critical applications.

How to eliminate wrong answers

Option B is wrong because colocation with tape backups shipped offsite has an RTO of 24 hours and RPO of 24 hours, far exceeding the 4-hour RTO requirement, and tape restoration is slow and prone to media errors. Option C is wrong because a cold site with weekly full backups has an RTO of 48 hours and RPO of 7 days, meaning applications would be down for two days and up to a week of data could be lost, completely failing the 4-hour RTO. Option D is wrong because a warm site with daily incremental backups has an RTO of 6 hours, which exceeds the 4-hour requirement, and the RPO of 4 hours still risks losing up to 4 hours of transactions, whereas synchronous replication offers near-zero data loss.

342
Multi-Selecthard

Which THREE of the following are best practices for securing a network firewall? (Select THREE.)

Select 3 answers
A.Disable unused services and ports
B.Allow all traffic by default and block specific threats
C.Implement rule change management and review
D.Place the firewall outside the network perimeter
E.Use strong, complex passwords for firewall administration
AnswersA, C, E

Reduces the attack surface.

Why this answer

Disabling unused services and ports (A) reduces the attack surface by eliminating potential entry points for attackers. A firewall should only have necessary ports (e.g., TCP 80/443 for web traffic) open, as each open service represents a vector for exploitation; this is a fundamental hardening step. Rule change management and periodic review (C) prevent rule sprawl, catch stale or overly permissive entries, and keep the rule base auditable. Strong, complex passwords for firewall administration (E), ideally with MFA and restricted management access, protect the device that enforces all the other controls. The remaining options fail basic principles: allowing all traffic by default (B) is the opposite of default deny, and placing the firewall outside the perimeter (D) is not a meaningful location; it belongs at the perimeter.

Exam trap

ISC2 often tests the misconception that a firewall should be placed outside the network perimeter for better visibility, but the correct placement is at the perimeter to filter traffic before it enters the internal network.

343
MCQhard

After a security breach, investigators find that an attacker exploited a vulnerability in a publicly accessible application to gain access to internal databases. Which security principle would have most effectively limited the impact?

A.Accountability
B.Confidentiality
C.Defense in depth
D.Non-repudiation
AnswerC

Defense in depth would have layered controls (e.g., segmentation, IDS) to limit the attacker's lateral movement.

344
MCQmedium

Refer to the exhibit. An administrator notices that external access to the MySQL database (port 3306) is blocked, but internal access should be allowed. What change should be made?

A.Change the DROP rule to ACCEPT for port 3306
B.Allow port 3306 in the FORWARD chain
C.Create a rule to allow traffic from internal IP range to port 3306
D.Remove the DROP rule for port 3306
AnswerC

A specific ACCEPT rule for the internal IP range, placed before the DROP rule, matches internal traffic first and lets it through while external traffic still hits the DROP.

Why this answer

The correct answer is C because the exhibit shows a DROP rule for port 3306 in the INPUT chain, which blocks all incoming traffic to the MySQL database. To allow internal access while keeping external access blocked, a specific rule must be added to ACCEPT traffic from the internal IP range to port 3306, placed before the DROP rule. This ensures that internal packets are matched first and permitted, while external packets hit the DROP rule and are rejected.

Simply modifying or removing the DROP rule would allow all traffic, violating the requirement to block external access.

Exam trap

ISC2 often tests the distinction between INPUT and FORWARD chains, and the trap here is that candidates mistakenly think adding a rule to the FORWARD chain will fix the issue, not realizing that traffic to the local MySQL service is processed by the INPUT chain.

How to eliminate wrong answers

Option A is wrong because changing the DROP rule to ACCEPT for port 3306 would allow all traffic (both internal and external) to the MySQL database, which violates the requirement to block external access. Option B is wrong because the FORWARD chain is used for traffic passing through the firewall, not for traffic destined to the local system; MySQL traffic arriving at the firewall's own interface is processed by the INPUT chain, not FORWARD. Option D is wrong because removing the DROP rule for port 3306 would remove the block entirely, allowing all traffic (including external) to reach the MySQL database, which does not meet the requirement to block external access.

345
MCQhard

You are a forensic analyst responding to a reported compromise of a Linux web server. The server hosts a public-facing web application and is part of a DMZ. The initial investigation shows that unauthorized outbound connections were made to a known malicious IP address during the previous night. The server is still running and connected to the network, but the web application has been taken offline for maintenance. The incident response team wants to preserve evidence for potential legal action. You have a forensic workstation with tools like dd, netcat, and memory acquisition tools. Which of the following should be your FIRST step in the forensic acquisition process?

A.Create a bit-for-bit copy of the hard drive using dd and a write blocker.
B.Capture network traffic from the server for analysis.
C.Run a full antivirus scan to identify malware.
D.Capture the contents of volatile memory (RAM) using a memory acquisition tool.
AnswerD

Memory is most volatile and contains critical evidence.

Why this answer

Volatile memory (RAM) contains critical evidence such as running processes, network connections, encryption keys, and in-memory malware that would be lost when the system is powered off. In a forensic response, the order of volatility dictates that RAM must be captured first before any non-volatile data. Option D is correct because it follows the established forensic principle of preserving the most volatile data first.

Exam trap

ISC2 often tests the 'order of volatility' principle, and the trap here is that candidates mistakenly prioritize disk imaging (Option A) because it is a familiar step, ignoring that RAM holds the most ephemeral and critical evidence.

How to eliminate wrong answers

Option A is wrong because creating a bit-for-bit copy of the hard drive is important but should be done after volatile memory capture, as hard drive data is non-volatile and will not be lost on shutdown. Option B is wrong because capturing network traffic from the server is a live response step that can be performed after memory acquisition, but it is not the first priority since network traffic is also volatile but less critical than RAM contents. Option C is wrong because running an antivirus scan modifies the system state (e.g., file access times, writes to disk) and can destroy or alter evidence, violating forensic integrity.

346
MCQhard

A security engineer is designing a system that must ensure that any changes to a configuration file are logged with the identity of the person who made the change. Which principle is being implemented?

A.Accountability
B.Non-repudiation
C.Confidentiality
D.Integrity
AnswerB

Non-repudiation ensures that changes cannot be denied by the person who made them.

Why this answer

Non-repudiation provides proof, bound to a specific identity, that a particular person performed an action, so that person cannot later deny having made the change. Option A (Accountability) is about tracing actions back to users, but tracking alone does not give proof that holds up if the user disputes the record. Option D (Integrity) ensures the file contents are unchanged, not who changed them.

Option C (Confidentiality) protects the file from unauthorized disclosure, which is not what the requirement describes.

347
MCQeasy

The exhibit shows the current iptables rules. Which security principle is most clearly enforced by the default policy?

A.Fail-safe defaults
B.Defense in depth
C.Separation of duties
D.Least privilege
AnswerA

The default drop policy ensures that any unapproved traffic is blocked, which is a fail-safe default.

Why this answer

The default policy is DROP on the INPUT chain, meaning any traffic not explicitly allowed is denied. This is the 'fail-safe defaults' (default deny) principle, so Option A is correct.

Option D (least privilege) is about granting minimal permissions to subjects, whereas the default policy is about the action taken when no rule matches. Option C (separation of duties) is not shown in the rule set. Option B (defense in depth) requires multiple layered controls and is not directly demonstrated by a single default policy.

348
MCQhard

A financial institution is implementing a new transaction approval process. The process requires that for any transaction over $10,000, two managers must approve: one from the sales department and one from the finance department. However, due to a system configuration error, a single manager can approve the entire transaction if they are logged in from a specific IP address. This error is discovered during a routine audit. Which security principle has been circumvented, and what is the best remediation?

A.Separation of duties; fix the configuration to require approvals from two different managers
B.Defense in depth; add a third approval for transactions over $50,000
C.Accountability; log all approvals and audit monthly
D.Least privilege; reduce the transaction limit to $5,000
AnswerA

This restores the intended segregation of duties.

Why this answer

Correct: Separation of duties has been circumvented, because a single manager can approve a transaction that was designed to require two approvers from different departments. The best remediation is to correct the configuration so that two distinct managers must approve (A). Option B is wrong because adding a third approval above $50,000 leaves the single-approver bypass in place; Option C is wrong because logging and monthly audits detect misuse after the fact but do not prevent it; Option D is wrong because lowering the limit ignores the requirement for approvals from two different departments and does not fix the bypass.

349
MCQhard

Refer to the exhibit. A firewall rule set is shown (first match applies). An analyst reviews these rules. Which of the following best describes the traffic outcome for a packet from source IP 10.0.0.1 to destination 192.168.1.1?

A.The packet is permitted because the last rule permits any any.
B.The packet is denied because rule 1 matches and denies it.
C.The packet is permitted because rule 2 explicitly permits the traffic.
D.The packet is denied because there is no explicit permit for 10.0.0.0/8 to 192.168.1.0/24.
AnswerB

First-match logic: rule 1 matches and denies before rule 2 can permit.

Why this answer

Rule 1 matches the source IP 10.0.0.1 (which falls within the 10.0.0.0/8 range) and the destination 192.168.1.1 (within 192.168.1.0/24), and since the action is 'deny', the packet is denied immediately. Firewalls using 'first match applies' logic stop processing as soon as a matching rule is found, so subsequent rules are never evaluated. Therefore, the correct outcome is denial.

Exam trap

ISC2 often tests the 'first match applies' concept by placing a broad deny rule early in the rule set, leading candidates to incorrectly assume that a later permit rule will override it, when in fact the packet is denied immediately upon the first match.

How to eliminate wrong answers

Option A is wrong because the 'permit any any' rule is never reached; the packet is matched and denied by rule 1 before the last rule is evaluated. Option C is wrong because rule 2, even if it explicitly permits the traffic, is not evaluated since rule 1 already matched and denied the packet. Option D is wrong because the absence of an explicit permit for the specific source/destination pair is irrelevant; the packet is denied by an explicit deny rule (rule 1), not by a lack of a permit.
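The two firewall questions above (the MySQL INPUT chain and the first-match rule set) both turn on rule ordering. The following is an added example, not part of the exam page and not a reproduction of either exhibit: a small first-match evaluator, plus a shadowing check that flags rules which can never be reached. The rule contents, the internal range 192.168.50.0/24 and the external address 203.0.113.7 are assumptions made for this example.

```python
"""First-match firewall rule evaluation (constructed example, not from the exam page).

Two constructed rule sets run through the same engine:
  * the "first match applies" set from the 10.0.0.1 -> 192.168.1.1 question, where an
    early broad deny shadows a later specific permit, and
  * an iptables-style INPUT chain for a local MySQL service, where a specific ACCEPT for
    the internal range must sit *before* the DROP for tcp/3306.
All addresses and rules are assumptions; the exhibits are not reproduced here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" / "deny" (ACCEPT / DROP in iptables terms)
    src: str                     # CIDR, or "any"
    dst: str                     # CIDR, or "any"
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches any destination port
    name: str = ""


def _net(cidr: str):
    return None if cidr == "any" else ip_network(cidr, strict=False)


def _matches(rule: Rule, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    s, d = _net(rule.src), _net(rule.dst)
    if s is not None and ip_address(src) not in s:
        return False
    if d is not None and ip_address(dst) not in d:
        return False
    return True


def evaluate(rules: List[Rule], src, dst, proto="any", dport=None, default="deny"):
    """Return (action, name of the matching rule). Processing stops at the FIRST match."""
    for rule in rules:
        if _matches(rule, src, dst, proto, dport):
            return rule.action, rule.name
    return default, "default-policy"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match: an earlier rule covers the same service and a
    superset of their source and destination ranges, so first-match consumes the packet."""
    dead = []
    for i, later in enumerate(rules):
        ls, ld = _net(later.src), _net(later.dst)
        for earlier in rules[:i]:
            es, ed = _net(earlier.src), _net(earlier.dst)
            same_svc = earlier.proto in ("any", later.proto) and earlier.dport in (None, later.dport)
            src_cov = es is None or (ls is not None and ls.subnet_of(es))
            dst_cov = ed is None or (ld is not None and ld.subnet_of(ed))
            if same_svc and src_cov and dst_cov:
                dead.append(later.name)
                break
    return dead


# Constructed rule set for the "first match applies" question.
ACL = [
    Rule("deny",   "10.0.0.0/8",  "192.168.1.0/24", name="rule1 broad deny"),
    Rule("permit", "10.0.0.1/32", "192.168.1.1/32", name="rule2 specific permit"),
    Rule("permit", "any",         "any",            name="rule3 permit any any"),
]

# Constructed INPUT chain for the MySQL question. The fix is a specific ACCEPT for the
# internal range placed *before* the DROP; placed after it, the ACCEPT is never reached.
INTERNAL = "192.168.50.0/24"   # assumed internal range
MYSQL_INPUT_WRONG = [
    Rule("deny",   "any",    "any", "tcp", 3306, name="DROP tcp/3306"),
    Rule("permit", INTERNAL, "any", "tcp", 3306, name="ACCEPT internal->3306 (shadowed)"),
]
MYSQL_INPUT_FIXED = [
    Rule("permit", INTERNAL, "any", "tcp", 3306, name="ACCEPT internal->3306"),
    Rule("deny",   "any",    "any", "tcp", 3306, name="DROP tcp/3306"),
]

if __name__ == "__main__":
    print(evaluate(ACL, "10.0.0.1", "192.168.1.1"))
    print("dead rules:", shadowed_rules(ACL))
    print(evaluate(MYSQL_INPUT_WRONG, "192.168.50.10", "192.168.50.5", "tcp", 3306))
    print(evaluate(MYSQL_INPUT_FIXED, "192.168.50.10", "192.168.50.5", "tcp", 3306))
    print(evaluate(MYSQL_INPUT_FIXED, "203.0.113.7", "192.168.50.5", "tcp", 3306))
```

The shadowing check is deliberately coarse (it only recognises exact subnet containment), but that is enough to catch the two cases the questions describe: a later permit fully inside an earlier deny, and an internal ACCEPT appended after a catch-all DROP.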

350
MCQeasy

A company wants to allow remote employees to securely access internal resources over the internet. Which technology is most appropriate?

A.NAT
B.VLAN
C.DMZ
D.VPN
AnswerD

VPN provides secure remote connectivity.

Why this answer

A VPN (Virtual Private Network) creates an encrypted tunnel over the internet, typically using protocols like IPsec or TLS, to securely connect remote users to internal resources. This ensures confidentiality, integrity, and authentication of data in transit, making it the standard solution for remote access security.

Exam trap

ISC2 often tests the misconception that NAT or a DMZ alone can secure remote access, but candidates must recognize that only VPN provides the required encryption and tunneling for secure internet-based connectivity.

How to eliminate wrong answers

Option A (NAT) is wrong because Network Address Translation only modifies IP addresses in packet headers to enable private-to-public address mapping; it does not provide encryption or secure remote access. Option B (VLAN) is wrong because a Virtual LAN segments a local network at Layer 2 to isolate traffic within a switch, but it cannot extend secure connectivity across the internet. Option C (DMZ) is wrong because a Demilitarized Zone is a perimeter network that hosts public-facing services (e.g., web servers) while isolating them from the internal LAN; it does not create encrypted tunnels for remote users.

351
Multi-Selectmedium

Which TWO of the following are essential elements of an incident response plan?

Select 2 answers
A.A list of compliance standards.
B.Personal phone numbers of executives.
C.Step-by-step procedures for each incident type.
D.Contact information for all employees.
E.Defined roles and responsibilities.
AnswersC, E

Provides guidance for consistent response.

Why this answer

Option C is correct because an incident response plan must include step-by-step procedures for each incident type to ensure consistent, repeatable actions during a security event. These procedures guide responders through detection, containment, eradication, and recovery phases, reducing errors and response time. Without predefined steps, teams risk ad-hoc actions that can worsen the incident or miss critical containment measures. Option E is correct because defined roles and responsibilities establish who declares an incident, who leads the response, who communicates with management and external parties, and who has authority to take systems offline; without this, decisions stall or are made by the wrong people under pressure.

Exam trap

ISC2 often tests the distinction between 'essential operational elements' (like procedures and roles) and 'supporting documentation' (like compliance lists or full employee directories), causing candidates to mistake administrative details for core response components.

352
Drag & Dropmedium

Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Static routes require global config mode and must specify the destination network, subnet mask, and next-hop address or exit interface.

353
Multi-Selecthard

Which TWO of the following are best practices for implementing the principle of least privilege?

Select 2 answers
A.Grant all users full administrative rights to reduce support calls
B.Assign permissions based on the minimum necessary to perform job functions
C.Use a single shared administrative account for all IT staff
D.Remove all default accounts from systems
E.Regularly review and revoke unnecessary privileges
AnswersB, E

This is the core of least privilege.

Why this answer

Options B and E are correct: assign the minimum permissions needed for the job, and regularly review and revoke privileges that are no longer required. Granting everyone administrative rights (A) violates least privilege outright. Using a single shared admin account (C) destroys accountability, since actions cannot be attributed to an individual.

Removing default accounts (D) is a good hardening step but is not directly an implementation of least privilege.

354
MCQhard

You are the network security lead for a medium-sized financial firm with 500 employees. The network consists of a core switch, distribution switches, and access switches. There are three main VLANs: VLAN 10 (Management - 192.168.10.0/24), VLAN 20 (Finance - 192.168.20.0/24), and VLAN 30 (Guest Wi-Fi - 192.168.30.0/24). The network uses a single firewall with three interfaces: inside (trusted), outside (untrusted), and DMZ. The firewall is configured with default-deny rules. Recently, the helpdesk reported that employees in the Finance VLAN cannot access a web-based accounting application hosted on a server at 10.0.0.5, which is in the DMZ. The server's default gateway is the firewall's DMZ interface (10.0.0.1). The accounting application runs on HTTPS (TCP 443). Employees in the Management VLAN can access the application without issue. You have verified that the Finance VLAN has connectivity to the firewall's inside interface (192.168.20.1). The firewall's inside interface has an IP of 192.168.20.1. There is no ACL on the inside interface. The firewall's DMZ interface has an ACL permitting TCP/443 from any to 10.0.0.5. The firewall's routing table shows a route to 10.0.0.0/24 via DMZ interface. What is the most likely cause of the issue?

A.The routing table on the firewall does not have a return route to the Finance subnet.
B.The firewall lacks a policy permitting traffic from the inside zone to the DMZ zone.
C.The DMZ ACL is blocking traffic from the Finance subnet because it only permits from Management subnet.
D.An ACL applied inbound on the inside interface is blocking Finance traffic but allowing Management traffic.
AnswerB

Firewall policies are zone-based; the inside-to-DMZ policy is missing, blocking Finance traffic.

Why this answer

The firewall uses a default-deny policy between zones. Even though the inside interface has no ACL and the DMZ ACL permits HTTPS from any source, the firewall still requires an explicit policy rule allowing traffic from the inside (Finance) zone to the DMZ zone. Without this policy, packets from VLAN 20 to the DMZ server are dropped by the firewall's stateful inspection engine, regardless of interface ACLs or routing.

Exam trap

ISC2 often tests the distinction between interface ACLs and zone-based firewall policies, trapping candidates into thinking that permissive ACLs alone allow traffic, when in fact a zone-pair policy is required for inter-zone communication.

How to eliminate wrong answers

Option A is wrong because the firewall's routing table already has a route to 10.0.0.0/24 via the DMZ interface, and the Finance VLAN can reach the inside interface; the issue is not a missing return route but a missing zone-based policy. Option C is wrong because the DMZ ACL permits TCP/443 from any to 10.0.0.5, so it does not restrict based on source subnet; the problem is not an ACL on the DMZ interface. Option D is wrong because the question explicitly states there is no ACL on the inside interface, so no inbound ACL is blocking Finance traffic while allowing Management traffic.

355
MCQmedium

Refer to the exhibit. Based on the backup log, what is the most likely corrective action?

A.Reschedule the backup for a later time
B.Check network connectivity
C.Replace the tape drive
D.Add more storage space to the backup target
AnswerD

The explicit error is 'insufficient storage space', so adding space directly addresses the issue.

Why this answer

The final error indicates insufficient storage space. Adding more storage space to the backup target would resolve the issue. The earlier tape error may be a symptom of full storage.

356
MCQmedium

A system administrator needs to grant a contractor temporary access to a server for patching. The contractor should only have access during the patching window. Which access control implementation method is most appropriate?

A.Time-based ACL (rule-based access control)
B.Group-based permissions with a recurring schedule
C.Discretionary access control (DAC)
D.Mandatory access control (MAC)
AnswerA

Time-based ACLs restrict access to specific time windows, ideal for temporary access.

Why this answer

Time-based ACLs (rule-based access control) allow the administrator to define a specific time range during which the contractor's access is permitted. This directly matches the requirement for temporary access only during the patching window, as the ACL can be configured with a time-range object that automatically enables and disables the permit statement without manual intervention.

Exam trap

ISC2 often tests the distinction between rule-based access control (sometimes abbreviated RuBAC to distinguish it from role-based RBAC) using time-based ACLs and group-based permissions, where candidates mistakenly choose group-based permissions because they think 'recurring schedule' implies time control, but group-based permissions lack the precise time-range enforcement at the network layer.

How to eliminate wrong answers

Option B is wrong because group-based permissions with a recurring schedule typically apply to user group memberships and do not provide the granular, time-bound enforcement at the network or system level that a time-based ACL offers. Option C is wrong because discretionary access control (DAC) allows the resource owner to grant permissions arbitrarily, which does not inherently enforce a time-limited access window. Option D is wrong because mandatory access control (MAC) uses system-wide labels and security clearances, which are static and not designed for temporary, time-based access exceptions.

357
MCQeasy

An organization wants to ensure that data remains unaltered during transmission over the internet. Which security goal is being addressed?

A.Non-repudiation
B.Availability
C.Confidentiality
D.Integrity
AnswerD

Integrity ensures data is not altered during transmission.

Why this answer

Integrity ensures that data is not altered during transmission, typically verified through cryptographic hash functions (e.g., SHA-256) or message authentication codes (MACs) such as HMAC. Protocols like TLS use integrity checks to detect any unauthorized modification of packets in transit, directly addressing the requirement that data remains unaltered.

Exam trap

ISC2 often tests the distinction between confidentiality and integrity by presenting a scenario about data alteration, where candidates mistakenly choose confidentiality because they associate encryption with all security, ignoring that encryption alone does not prevent tampering.

How to eliminate wrong answers

Option A is wrong because non-repudiation prevents a party from denying an action, usually via digital signatures (e.g., RSA or ECDSA), not by ensuring data is unchanged during transit. Option B is wrong because availability ensures systems and data are accessible when needed, often through redundancy or DDoS mitigation, not by protecting against alteration. Option C is wrong because confidentiality protects data from unauthorized disclosure via encryption (e.g., AES), but does not guarantee that data has not been tampered with during transmission.

358
MCQeasy

Which metric defines the maximum acceptable amount of data loss measured in time?

A.Recovery Point Objective (RPO)
B.Mean Time Between Failures (MTBF)
C.Mean Time to Repair (MTTR)
D.Recovery Time Objective (RTO)
AnswerA

RPO defines the maximum data loss in terms of time.

Why this answer

The Recovery Point Objective (RPO) defines the maximum acceptable amount of data loss measured in time, typically expressed in seconds, minutes, or hours. It represents the age of the most recent backup or replicated data that must be available to resume operations after a disaster, directly determining the frequency of backups or replication intervals.

Exam trap

ISC2 often tests the distinction between RPO and RTO, where candidates confuse 'data loss' (RPO) with 'downtime' (RTO); the trap is that both are time-based metrics, but RPO is about how far back in time you can recover data, while RTO is about how long it takes to restore service.

How to eliminate wrong answers

Option B is wrong because Mean Time Between Failures (MTBF) measures the average time between system failures, not data loss; it is a reliability metric used for hardware or component failure prediction. Option C is wrong because Mean Time to Repair (MTTR) measures the average time required to restore a failed system or component, not the acceptable data loss window. Option D is wrong because Recovery Time Objective (RTO) defines the maximum acceptable downtime after a disaster, not the amount of data loss measured in time; RTO focuses on service restoration speed, while RPO focuses on data currency.

359
MCQeasy

A SOC analyst notices that a large volume of outbound traffic is occurring from a single workstation to an external IP address known to be associated with a command-and-control server. What is the most likely conclusion?

A.The network is experiencing a denial of service attack
B.The user is streaming video from a blocked site
C.The workstation is performing a legitimate software update
D.The workstation is infected with malware that is beaconing to the attacker
AnswerD

C2 communication is a hallmark of malware infection.

Why this answer

Outbound traffic from a single workstation to a known command-and-control (C2) server is a classic indicator of malware beaconing. Beaconing involves the infected host periodically checking in with the C2 server to receive instructions; a sustained large volume to the same address suggests the channel is also being used for tasking or data exfiltration. This is distinct from legitimate traffic patterns because the destination IP is specifically associated with malicious activity.

Exam trap

ISC2 often tests the distinction between a single workstation's outbound traffic to a known malicious IP versus generic network anomalies like DoS or legitimate updates, trapping candidates who confuse high-volume traffic with beaconing or assume any outbound traffic to an external IP is benign.

How to eliminate wrong answers

Option A is wrong because a denial of service (DoS) attack typically involves a flood of traffic from multiple sources targeting a single victim, not a single workstation sending outbound traffic to a known C2 server. Option B is wrong because streaming video from a blocked site would generate sustained, high-bandwidth traffic to a content delivery network or streaming service, not to a known C2 server, and would not match the beaconing pattern of periodic, low-volume requests. Option C is wrong because a legitimate software update would connect to the vendor's official update servers (e.g., Microsoft, Adobe) over HTTPS, not to an external IP address known to be associated with a C2 server, and would not exhibit the suspicious, periodic beaconing behavior.

360
MCQhard

Refer to the exhibit. Based on the JSON policy, what access does the SecurityAuditor role have?

A.No access to any S3 resources.
B.Read-only access to all objects in the critical-data bucket.
C.Write access to the critical-data bucket.
D.Full access to the S3 bucket critical-data.
AnswerB

GetObject grants read access.

Why this answer

The JSON policy grants the SecurityAuditor role the `s3:GetObject` action on the `arn:aws:s3:::critical-data/*` resource, which provides read-only access to all objects in the critical-data bucket. The `Effect` is set to `Allow`, and no other actions like `s3:PutObject` or `s3:DeleteObject` are included, so the role cannot write or delete objects. This matches the correct answer B.

Exam trap

ISC2 often tests the distinction between bucket-level and object-level permissions, where candidates mistakenly assume that `s3:GetObject` on `/*` implies full access or write capabilities, but it only grants read access to objects.

How to eliminate wrong answers

Option A is wrong because the policy explicitly allows `s3:GetObject` on the critical-data bucket, so the role does have access to S3 resources. Option C is wrong because the policy does not include any write actions such as `s3:PutObject` or `s3:DeleteObject`, so write access is not granted. Option D is wrong because the policy only allows `s3:GetObject`, not full access (which would require actions like `s3:*` or `s3:PutObject`, `s3:DeleteObject`, `s3:ListBucket`, etc.).
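To make the bucket-level versus object-level distinction concrete, here is an added example (not the exam exhibit and not AWS's own evaluation engine): a minimal evaluator that applies the IAM decision order (explicit Deny wins, then explicit Allow, otherwise implicit deny) to a policy reconstructed from the explanation above. The SecurityAuditor policy, the critical-data bucket name, the object key and the extra Deny statement are assumptions for this example.

```python
"""Minimal IAM-style policy evaluator (constructed example, not the exam exhibit).

Evaluation order: a matching explicit Deny always wins; otherwise a matching Allow is
required; otherwise the request is implicitly denied. Actions and resource ARNs support
the '*' wildcard, with actions matched case-insensitively as IAM does. The policy below is
reconstructed from the explanation text; bucket name and ARNs are illustrative.
"""
import fnmatch
import json
from typing import Dict, List

SECURITY_AUDITOR_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadCriticalDataObjects",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::critical-data/*"
    }
  ]
}
""")

# Constructed variant: an explicit Deny on one prefix. The broad Allow still matches those
# objects, but the Deny takes precedence for that prefix only.
AUDITOR_WITH_DENY = {
    "Version": "2012-10-17",
    "Statement": SECURITY_AUDITOR_POLICY["Statement"] + [{
        "Sid": "NoRestrictedPrefix",
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::critical-data/restricted/*",
    }],
}


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str, casefold: bool) -> bool:
    # '*' matches any run of characters (including '/'), '?' one character.
    if casefold:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _statement_matches(stmt: Dict, action: str, resource: str) -> bool:
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_glob(a, action, casefold=True) for a in actions)
            and any(_glob(r, resource, casefold=False) for r in resources))


def evaluate(policy: Dict, action: str, resource: str) -> str:
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    decision = "implicit-deny"
    for stmt in _as_list(policy["Statement"]):
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"   # a matching Deny always wins
        decision = "allow"
    return decision


def effective_access(policy: Dict, bucket: str) -> Dict[str, str]:
    """What common S3 actions resolve to against a bucket and one object inside it."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/reports/q1.csv"   # constructed object key
    return {
        "s3:GetObject": evaluate(policy, "s3:GetObject", object_arn),
        "s3:PutObject": evaluate(policy, "s3:PutObject", object_arn),
        "s3:DeleteObject": evaluate(policy, "s3:DeleteObject", object_arn),
        # ListBucket is a bucket-level action; 'critical-data/*' does not cover the bucket ARN.
        "s3:ListBucket": evaluate(policy, "s3:ListBucket", bucket_arn),
    }


if __name__ == "__main__":
    for action, result in effective_access(SECURITY_AUDITOR_POLICY, "critical-data").items():
        print(f"{action:16} -> {result}")
    print(evaluate(AUDITOR_WITH_DENY, "s3:GetObject",
                   "arn:aws:s3:::critical-data/restricted/keys.txt"))
```

Note that `s3:ListBucket` comes back as implicitly denied even though the role can read every object: the resource `arn:aws:s3:::critical-data/*` names objects, not the bucket itself, which is exactly the object-level versus bucket-level point the exam trap describes.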

361
MCQhard

A security analyst reviews this firewall configuration. Which potential security issue exists?

A.Logging is not enabled at session start
B.Outbound traffic is not inspected for malicious content
C.The source is too restrictive
D.The policy does not specify a destination
AnswerB

Outbound (including SSL/TLS) traffic is permitted without decryption or content inspection.

Why this answer

Option B is correct because the firewall configuration shown only inspects inbound traffic (from the internet to the internal network) but does not apply any inspection to outbound traffic. Without outbound inspection, malicious content such as malware command-and-control traffic or data exfiltration can leave the network undetected. A security analyst should ensure that both inbound and outbound traffic are inspected for malicious content to provide comprehensive threat protection.

Exam trap

ISC2 often tests the misconception that only inbound traffic needs inspection because threats come from the internet, but the trap is that outbound traffic can carry malicious payloads or exfiltrate data, making outbound inspection equally important for a defense-in-depth strategy.

How to eliminate wrong answers

Option A is wrong because logging at session start is not a mandatory security requirement; logging at session end is typically sufficient for auditing and troubleshooting, and the absence of session-start logging does not represent a security issue. Option C is wrong because the source being too restrictive would actually reduce the attack surface, not create a security issue; overly permissive sources are the concern. Option D is wrong because the policy does specify a destination (the internal network), and a missing destination would cause the policy to fail to match traffic, not create a security issue.

362
MCQmedium

Your organization is implementing a new access control system to protect a highly sensitive research database. The security policy mandates that no single individual should have the ability to both approve and execute changes to the database. This is to prevent fraud and errors. Which security principle does this policy enforce, and which of the following best implements it?

A.Defense in depth; require both parties to authenticate
B.Accountability; log all changes and have an auditor review them
C.Separation of duties; require that one person submits a change request and another person implements it
D.Least privilege; assign the same person as approver and executor but with limited permissions
AnswerC

This ensures no single individual has complete control over the entire process.

Why this answer

Correct: Separation of duties; requiring one person to submit the change request and a different person to implement it (C) ensures no single individual can both approve and execute. Option A is wrong because defense in depth with two people authenticating still allows one of them to hold both roles; Option D is wrong because it explicitly assigns the same person as approver and executor, which is exactly what the policy forbids; Option B is wrong because an auditor reviewing logs detects misuse after the fact but does not prevent one person from approving and executing.

363
MCQmedium

You are a security engineer responsible for the company's intrusion detection system (IDS). The IDS has been generating an excessive number of false positive alerts related to a legitimate application that uses encrypted traffic. The alerts are based on network signatures that match certain patterns in the encrypted payload. The volume of alerts is overwhelming the SOC team, and they are beginning to ignore IDS alerts altogether. You have the ability to modify IDS signatures and tune the system. Which of the following is the BEST approach to reduce false positives while maintaining security?

A.Create custom exceptions for the specific signatures that are causing false positives for the legitimate application.
B.Add the application's source IP addresses to a whitelist to suppress all alerts from that host.
C.Increase the threshold for alert generation so fewer alerts fire.
D.Disable all signatures that trigger on encrypted traffic.
AnswerA

This targeted approach reduces false positives while retaining overall detection capability.

Why this answer

Option A is correct because creating custom exceptions for the specific signatures that trigger false positives allows you to suppress alerts for the legitimate application without disabling broader detection capabilities. This targeted approach preserves the IDS's ability to detect actual threats in encrypted traffic while reducing noise for the SOC team. It is the most precise tuning method, as it only excludes the known benign traffic pattern rather than broadly disabling signatures or whitelisting entire hosts.

Exam trap

The trap here is that candidates often choose IP whitelisting (Option B) because it seems quick and easy, but ISC2 tests the understanding that whitelisting entire hosts is overly broad and can hide malicious activity from the same source, whereas signature-specific exceptions are the correct, surgical tuning method.

How to eliminate wrong answers

Option B is wrong because whitelisting the application's source IP addresses suppresses all alerts from that host, including those for potentially malicious activity that might originate from the same IP (e.g., if the host is compromised or used for lateral movement). This creates a dangerous blind spot. Option C is wrong because increasing the alert threshold reduces the sensitivity of the IDS globally, which can cause true positive alerts for real threats to be missed, especially in low-volume attacks.

Option D is wrong because disabling all signatures that trigger on encrypted traffic eliminates the IDS's ability to detect threats that use encryption (e.g., malware C2 over TLS), which is a common evasion technique and would severely weaken security posture.
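The difference between a signature-specific exception and a host whitelist is easiest to see on a handful of alerts. The following is an added example, not from the exam page and not tied to any particular IDS product: two suppression policies run over constructed alerts, showing that the exception removes only the known-benign noise while the whitelist also silences a genuine detection from the same host. Signature IDs, hosts, ports and alert fields are all assumptions for this example.

```python
"""IDS alert tuning: signature-specific exception versus host whitelist.

Constructed example. A few made-up alerts are run through two suppression policies to show
that a per-signature exception drops only the noise from the legitimate application, while
a source-IP whitelist also hides an unrelated detection from the same host (the blind spot
the explanation warns about). Signature IDs, addresses and ports are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Alert:
    sig_id: int
    sig_name: str
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed alerts: sig 2001 is the noisy signature that misfires on the legitimate app's
# TLS traffic from 10.1.1.20; sig 3009 is a genuine C2-style detection from that same host.
SAMPLE_ALERTS = [
    Alert(2001, "SUSPICIOUS ENCRYPTED PAYLOAD PATTERN", "10.1.1.20", "203.0.113.10", 443),
    Alert(2001, "SUSPICIOUS ENCRYPTED PAYLOAD PATTERN", "10.1.1.20", "203.0.113.10", 443),
    Alert(2001, "SUSPICIOUS ENCRYPTED PAYLOAD PATTERN", "10.1.1.21", "198.51.100.9", 443),
    Alert(3009, "KNOWN C2 BEACON", "10.1.1.20", "192.0.2.44", 8443),
    Alert(3009, "KNOWN C2 BEACON", "10.1.1.30", "192.0.2.44", 8443),
]

# A suppression policy is a predicate: True means "drop this alert".
Suppression = Callable[[Alert], bool]


def signature_exception(sig_id: int, src_ips: Set[str],
                        dst_port: Optional[int] = None) -> Suppression:
    """Suppress ONE signature, and only for the hosts (and port) known to trigger it benignly."""
    def _suppress(a: Alert) -> bool:
        return (a.sig_id == sig_id and a.src_ip in src_ips
                and (dst_port is None or a.dst_port == dst_port))
    return _suppress


def host_whitelist(src_ips: Set[str]) -> Suppression:
    """Suppress EVERYTHING from the listed hosts (the overly broad option)."""
    return lambda a: a.src_ip in src_ips


def apply(alerts: Iterable[Alert], policies: List[Suppression]) -> List[Alert]:
    """Alerts that survive all suppression policies."""
    return [a for a in alerts if not any(p(a) for p in policies)]


def hidden_detections(alerts: List[Alert], policies: List[Suppression],
                      real_threat_sigs: Set[int]) -> List[Alert]:
    """Alerts for genuine-threat signatures that the tuning would have silenced."""
    kept = set(apply(alerts, policies))
    return [a for a in alerts if a.sig_id in real_threat_sigs and a not in kept]


if __name__ == "__main__":
    targeted = [signature_exception(2001, {"10.1.1.20"}, dst_port=443)]
    broad = [host_whitelist({"10.1.1.20"})]
    for label, policy in (("exception", targeted), ("whitelist", broad)):
        kept = apply(SAMPLE_ALERTS, policy)
        hidden = hidden_detections(SAMPLE_ALERTS, policy, {3009})
        print(f"{label}: {len(SAMPLE_ALERTS)} -> {len(kept)} alerts, "
              f"hidden real detections: {[a.src_ip for a in hidden]}")
```

The exception is keyed on signature, source and destination port together, which mirrors how an IDS suppression or pass rule is normally scoped; if the legitimate application later starts talking on a different port, the exception stops applying and the alerts come back rather than silently widening.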

364
MCQhard

A security architect is designing a system that must ensure that a sender cannot later deny having sent a message. Which cryptographic mechanism should be implemented?

A.Symmetric encryption
B.Access control lists
C.Hashing
D.Digital signatures
AnswerD

Correct. Digital signatures ensure non-repudiation of origin.

Why this answer

Digital signatures provide non-repudiation by binding the sender's identity to the message using public key cryptography. The sender cannot later deny having sent the message because only they possess the private key used to sign it.

365
MCQmedium

Which component of the AAA framework determines what resources an authenticated user can access?

A.Auditing
B.Accounting
C.Authorization
D.Authentication
AnswerC

Authorization determines access rights.

Why this answer

Authorization is the component of the AAA (Authentication, Authorization, Accounting) framework that determines what resources an authenticated user can access. After authentication verifies the user's identity, authorization enforces policies—such as those defined in a local database or via RADIUS/TACACS+—to permit or deny access to specific network services, commands, or resources.

Exam trap

ISC2 often tests the distinction between authentication and authorization by presenting a scenario where a user is successfully logged in but cannot access a resource, and candidates mistakenly blame authentication instead of recognizing that authorization is the missing step.

How to eliminate wrong answers

Option A is wrong because auditing is not a separate AAA component; it is often part of accounting or logging, and it reviews past actions rather than controlling real-time access. Option B is wrong because accounting tracks and logs user activities (e.g., session time, data transfer) for billing or auditing, but it does not decide what resources a user can access. Option D is wrong because authentication only verifies identity (e.g., via username/password, certificate, or token) and does not grant or deny access to specific resources.

366
MCQhard

An organization's security policy requires that all network traffic logs be retained for at least one year. The SIEM system is running low on storage, and the administrator must decide which data to archive first. Which data set is the least critical for ongoing security monitoring and can be archived earliest?

A.Intrusion detection system alerts
B.DNS query logs from internal DNS servers
C.Firewall deny logs
D.Authentication logs from domain controllers
AnswerB

DNS logs are less frequently used for real-time security monitoring and can be archived with lower priority.

Why this answer

DNS query logs from internal DNS servers are the least critical for ongoing security monitoring because they primarily contain name resolution requests, which are high-volume and low-signal data. While they can be useful for threat hunting or forensic analysis of malware command-and-control (C2) traffic, they are not essential for real-time alerting or immediate incident response. Archiving them first preserves storage for more actionable logs like IDS alerts, firewall denies, and authentication failures.

Exam trap

ISC2 often tests the misconception that DNS logs are critical for security monitoring because they can reveal C2 traffic, but the trap is that they are high-volume, low-signal data best suited for archival after more immediate security event sources are preserved.

How to eliminate wrong answers

Option A is wrong because intrusion detection system alerts are high-priority, actionable events that directly indicate potential security incidents; archiving them first would blind the SOC to ongoing attacks. Option C is wrong because firewall deny logs are critical for identifying reconnaissance scans, policy violations, and attempted breaches; they are often used in real-time correlation and incident triage. Option D is wrong because authentication logs from domain controllers are essential for detecting brute-force attacks, credential theft, and account compromise; they are a primary source for identity-based threat detection and compliance auditing.

367
MCQmedium

A network administrator needs to allow secure remote access for teleworkers. Which VPN protocol provides the best confidentiality and integrity while using a single UDP port?

A.PPTP
B.SSL/TLS (OpenVPN)
C.L2TP/IPsec
D.IKEv2
AnswerB

OpenVPN uses a single UDP port and provides strong encryption.

Why this answer

SSL/TLS (OpenVPN) is correct because it provides robust confidentiality and integrity through TLS encryption (e.g., AES-256-GCM) and HMAC authentication, while operating over a single UDP port (typically 1194). This makes it ideal for teleworkers as it can traverse NAT and firewalls easily, unlike protocols that require multiple ports or IPsec's complex port/protocol handling.

Exam trap

ISC2 often tests the misconception that L2TP/IPsec is the best for secure remote access because it is commonly used in site-to-site VPNs, but the key constraint here is 'single UDP port,' which eliminates L2TP/IPsec and IKEv2, and PPTP is insecure.

How to eliminate wrong answers

Option A (PPTP) is wrong because it uses MPPE for encryption, which is based on RC4 and is considered weak, and it does not provide strong integrity (no HMAC); it also uses TCP port 1723 and GRE protocol 47, not a single UDP port. Option C (L2TP/IPsec) is wrong because it requires two UDP ports (500 for IKE and 4500 for NAT-T) plus ESP (protocol 50) or AH, and while it offers strong security, it does not use a single UDP port. Option D (IKEv2) is wrong because it uses UDP ports 500 and 4500 for IKE and ESP for data, and although it can be efficient, it does not operate over a single UDP port; it also relies on IPsec for encryption rather than being a standalone VPN protocol on one port.

368
MCQhard

An organization requires that two separate administrators approve and implement changes to firewall rules. This practice enforces which security principle?

A.Least privilege
B.Defense in depth
C.Need to know
D.Separation of duties
AnswerD

Requiring two administrators to approve changes is a classic example of separation of duties.

Why this answer

Requiring two separate administrators to approve and implement firewall rule changes enforces separation of duties. This principle ensures that no single individual has the authority to both authorize and execute a change, reducing the risk of unauthorized modifications or errors. In firewall management, this prevents a single admin from introducing malicious or misconfigured rules without oversight.

Exam trap

ISC2 often tests separation of duties by describing a scenario involving multiple people for a single task, and the trap is confusing it with least privilege, which focuses on limiting permissions rather than splitting responsibilities.

How to eliminate wrong answers

Option A is wrong because least privilege restricts user access rights to the minimum necessary for their role, but it does not require multiple approvals for a single action. Option B is wrong because defense in depth involves multiple layers of security controls (e.g., firewalls, IDS, encryption), not administrative approval workflows. Option C is wrong because need to know limits access to information based on job requirements, not the process of approving changes.

369
MCQeasy

An organization implements a policy where users must swipe their ID card and enter a PIN to access a secure room. This is an example of which access control principle?

A.Biometric authentication
B.Single-factor authentication
C.Multifactor authentication
D.Role-based access control
AnswerC

Two factors: card (possession) and PIN (knowledge).

Why this answer

Option C is correct because the policy requires two distinct factors: something you have (the ID card) and something you know (the PIN). This combination of multiple authentication factors from different categories is the defining characteristic of multifactor authentication (MFA).

Exam trap

ISC2 often tests the distinction between authentication factors and authorization models, so the trap here is confusing multifactor authentication (which is about verifying identity) with role-based access control (which is about granting permissions after identity is verified).

How to eliminate wrong answers

Option A is wrong because biometric authentication relies on unique physical characteristics like fingerprints or iris scans, not on possession of an ID card or knowledge of a PIN. Option B is wrong because single-factor authentication uses only one type of credential, whereas this scenario uses two distinct factors. Option D is wrong because role-based access control (RBAC) governs authorization based on job roles, not the authentication method used to verify identity.

370
MCQeasy

Refer to the exhibit. The security principle demonstrated by the default policy is:

A.Separation of duties
B.Defense in depth
C.Need to know
D.Least privilege
AnswerD

Default deny restricts access to only what is explicitly allowed, embodying least privilege.

Why this answer

Correct: D - Least privilege. The default DROP policy denies all traffic by default, allowing only explicitly permitted services, which follows the principle of least privilege. Options A, B, and C do not describe default deny.

371
MCQmedium

A security policy requires that all changes to a production system go through a formal change management process with approval from a change control board. This is an example of which security principle?

A.Least privilege
B.Governance
C.Defense in depth
D.Separation of duties
AnswerB

Correct. The structured approval board and process exemplify security governance.

Why this answer

Governance involves establishing policies, processes, and oversight to ensure security aligns with business objectives. The formal change management process is a governance mechanism.

372
MCQeasy

Refer to the exhibit. A user with this policy tries to list objects in bucket1 but gets an access denied error. What is the most likely reason?

A.The policy does not grant s3:ListBucket permission
B.The resource ARN should include the bucket itself
C.The effect should be Deny
D.The user lacks encryption keys
AnswerA

Listing objects requires the ListBucket action, which is not included.

Why this answer

The policy shown grants s3:GetObject permission, which allows reading individual objects, but does not include s3:ListBucket permission. Listing objects in a bucket requires the s3:ListBucket action on the bucket resource. Without this permission, the user receives an access denied error when attempting to list objects, even if they can read objects directly.

Exam trap

ISC2 often tests the distinction between bucket-level and object-level S3 permissions, trapping candidates who assume that granting GetObject on objects automatically allows listing the bucket.

How to eliminate wrong answers

Option B is wrong because the resource ARN in the policy already specifies the bucket itself (arn:aws:s3:::bucket1/*), and adding the bucket without the wildcard would not grant ListBucket permission; the missing action is the core issue. Option C is wrong because changing the effect to Deny would explicitly block access, not resolve the denied error; the policy currently has an Allow effect, which is correct for granting permissions. Option D is wrong because encryption keys are unrelated to S3 bucket listing permissions; the error is due to missing IAM policy permissions, not encryption key access.

373
MCQhard

A small e-commerce company hosts its web application on a single server with a public IP address. The server runs a Linux OS with Apache, MySQL, and PHP. The company recently experienced a data breach where an attacker gained access to the customer database. The investigation reveals that the attacker exploited a vulnerability in the PHP application to execute arbitrary commands. The server logs show that the attacker used an unauthenticated HTTP POST request to a legacy script that should have been removed. Additionally, the server had default firewall rules allowing all inbound traffic on ports 80 and 443. The company wants to prevent future breaches without redesigning the entire application. Which course of action is the most effective?

A.Move the database to a separate internal server and require VPN access for administration.
B.Upgrade the PHP version to the latest release and enable SELinux.
C.Remove the legacy script and update the firewall to block all traffic except necessary IPs.
D.Implement a web application firewall (WAF) with virtual patching for the vulnerability.
AnswerD

A WAF can block the exploit and similar attacks without requiring code changes, providing immediate protection.

Why this answer

Option D is the most effective because it provides immediate protection against the exploited vulnerability without requiring application redesign. A WAF with virtual patching can inspect HTTP POST requests to the legacy script and block malicious payloads, even if the underlying code remains vulnerable. This approach addresses the root cause (the unauthenticated exploit) while allowing the company to maintain operations and plan a permanent fix.

Exam trap

ISC2 often tests the misconception that removing the vulnerable component (Option C) is sufficient, but the trap is that the question asks for preventing future breaches without redesigning the entire application, meaning a WAF provides ongoing protection against similar exploits in other parts of the application, whereas simply removing one script leaves other potential vulnerabilities unaddressed.

How to eliminate wrong answers

Option A is wrong because moving the database to a separate server and requiring VPN for administration does not prevent the attacker from exploiting the PHP application vulnerability to execute commands on the web server, which could still lead to database access via the application's credentials. Option B is wrong because upgrading PHP and enabling SELinux may reduce the attack surface but does not directly block the specific unauthenticated POST request to the legacy script; SELinux can restrict process capabilities but does not filter HTTP traffic. Option C is wrong because removing the legacy script and updating the firewall to block all traffic except necessary IPs is reactive and does not protect against future zero-day vulnerabilities or similar exploits in other scripts; the firewall only controls network-level access, not application-layer attacks.

374
MCQmedium

A security analyst observes the log entries on an SSH server as shown. What is the most likely type of attack in progress?

A.Dictionary attack
B.Privilege escalation
C.Brute-force attack
D.Denial-of-service (DoS) attack
AnswerC

Multiple rapid failures from the same IP indicate an automated brute-force attempt to guess the password.

Why this answer

Option C is correct because repeated failed password attempts for the same account (root) from the same IP in rapid succession are characteristic of a brute-force attack. A dictionary attack (A) uses a list of common passwords, but the log does not show which passwords were tried; it could be either, but brute-force is the more general answer. (D) is wrong because this is not a DoS (though it might degrade performance). (B) is wrong because there is no indication of privilege escalation beyond the attempts against root.

375
MCQhard

A security analyst notices that system logs are being overwritten before the retention period ends. What is the most likely cause?

A.Malware is deleting logs
B.SIEM is consuming logs too quickly
C.Log rotation settings are misconfigured
D.Disk space is insufficient
AnswerC

Improper rotation settings (e.g., small file size) cause early overwriting.

Why this answer

Option C is correct because misconfigured log rotation settings can cause logs to be overwritten prematurely. Option D is wrong because insufficient disk space would cause logging to fail, not logs to be overwritten. Option A is wrong because, while malware deleting logs is possible, it is less likely than a configuration error.

Option B is wrong because SIEM consumption does not overwrite local logs.
