ISC2 Certified in Cybersecurity (CC) — Questions 376–450

500 questions total · 7 pages · All types, answers revealed


Page 6 of 7

376
Multi-Select · easy

Which TWO are key outputs of a Business Impact Analysis (BIA)?

Select 2 answers
A. List of critical business processes
B. Password policy
C. Network diagram
D. Risk register
E. Recovery Time Objectives
Answers: A, E

BIA identifies and prioritizes critical processes.

Why this answer

BIA identifies critical business processes and determines their recovery requirements, such as Recovery Time Objectives (RTO).

377
MCQ · medium

An organization has a policy that all servers must have security patches applied within 30 days of release. Which of the following is the best practice for patching?

A. Skip patches that have not been widely tested
B. Apply patches to all servers simultaneously
C. Test patches in a non-production environment before deploying to production
D. Only apply critical patches
Answer: C

Testing validates patches without impacting production services.

Why this answer

Option C is correct because testing patches in a non-production environment first allows the organization to identify compatibility issues, performance regressions, or conflicts with existing software before risking production systems. This aligns with the change management principle of validating changes in a controlled setting, ensuring that the 30-day patching deadline can be met without introducing instability. Skipping testing (A) or applying patches simultaneously (B) could lead to widespread outages, while only applying critical patches (D) would leave the organization exposed to non-critical vulnerabilities that could be chained in an attack.

Exam trap

ISC2 often tests the misconception that 'all patches must be applied immediately' or that 'critical patches are the only priority,' but the trap here is that candidates overlook the necessity of a controlled testing phase to prevent production outages, even when a strict 30-day deadline exists.

How to eliminate wrong answers

Option A is wrong because skipping patches that have not been widely tested leaves the organization vulnerable to known exploits, and the policy requires all patches to be applied within 30 days, not just widely tested ones. Option B is wrong because applying patches to all servers simultaneously can cause cascading failures if a patch introduces a bug, and it violates the principle of staggered rollouts to maintain service availability. Option D is wrong because only applying critical patches ignores the policy's requirement for all security patches, and non-critical patches often address vulnerabilities that can be leveraged in multi-stage attacks (e.g., privilege escalation).

378
MCQ · easy

A company has a disaster recovery plan that includes a hot site. Which of the following is the PRIMARY advantage of a hot site over a cold site?

A. Easier maintenance
B. Faster recovery time
C. Greater security
D. Lower cost
Answer: B

Hot sites are fully configured and ready, enabling rapid failover.

Why this answer

A hot site is a fully operational duplicate of the primary data center, complete with live servers, storage, networking, and synchronized data. This eliminates the need to procure and configure hardware after a disaster, enabling recovery in minutes or hours rather than days or weeks. The primary advantage is therefore a significantly faster recovery time objective (RTO) compared to a cold site, which has no pre-installed equipment.

Exam trap

ISC2 often tests the distinction that a hot site's primary benefit is speed of recovery (RTO), not cost or security, and candidates mistakenly choose 'lower cost' because they confuse hot sites with warm sites or assume all DR sites are expensive.

How to eliminate wrong answers

Option A is wrong because hot sites require more complex maintenance, including continuous data replication and live system updates, whereas cold sites have minimal upkeep. Option C is wrong because a hot site does not inherently provide greater security; security depends on the specific controls implemented at each site, and both hot and cold sites can be equally secure. Option D is wrong because a hot site is far more expensive than a cold site due to the cost of maintaining duplicate hardware, software licenses, and ongoing data synchronization.

379
MCQ · medium

A company wants to ensure that if a server fails, it does not cause a security breach. Which principle should guide the design?

A. Defense in depth
B. Fail-safe
C. Default deny
D. Least privilege
Answer: B

Correct. The system should fail securely.

Why this answer

Fail-safe ensures that when a server fails, it defaults to a secure state (e.g., closed ports, denied access) rather than an insecure one. This prevents a security breach by guaranteeing that failure does not inadvertently expose data or allow unauthorized access. In the CC exam, this principle is directly tied to designing systems that remain secure even under fault conditions.

Exam trap

ISC2 often tests fail-safe by contrasting it with 'fail-open' scenarios, where candidates mistakenly think a failed server should continue operating (e.g., allowing traffic) to maintain availability, but the principle prioritizes security over availability in failure states.

How to eliminate wrong answers

Option A is wrong because defense in depth is a layered security strategy (e.g., firewalls, IDS, encryption) that reduces risk but does not specifically address what happens when a server fails. Option C is wrong because default deny is an access control rule that denies all traffic unless explicitly allowed, which is a configuration policy, not a principle for handling server failure scenarios. Option D is wrong because least privilege limits user/process permissions to the minimum necessary, which reduces attack surface but does not dictate the system's behavior upon failure.

380
Drag & Drop · medium

Drag and drop the steps for the proper disposal of a hard drive containing sensitive data into the correct order.

Why this order

Proper disposal includes identification, backup, sanitization, verification, and documentation.

381
MCQ · easy

An organization wants to ensure that no single employee can both request and approve a payment. Which access control principle does this enforce?

A. Separation of duties
B. Least privilege
C. Need to know
D. Defense in depth
Answer: A

Separation of duties divides critical functions among multiple people.

Why this answer

Separation of duties (SoD) is the access control principle that prevents a single individual from having conflicting permissions, such as both requesting and approving a payment. By splitting the payment lifecycle into distinct roles (e.g., requester vs. approver), the organization enforces a dual-control mechanism that reduces the risk of fraud or error. This is commonly implemented in financial systems using role-based access control (RBAC) where the 'payment request' and 'payment approval' roles are mutually exclusive.

Exam trap

ISC2 often tests the confusion between 'separation of duties' and 'least privilege' because both limit user capabilities, but the trap is that least privilege reduces the scope of permissions for a single user while separation of duties divides a critical process across multiple users.

How to eliminate wrong answers

Option B (Least privilege) is wrong because it focuses on granting only the minimum permissions necessary to perform a job function, not on splitting conflicting tasks across multiple people. Option C (Need to know) is wrong because it restricts access to data based on whether it is required for a specific task, not on preventing a single user from holding two conflicting functional roles. Option D (Defense in depth) is wrong because it describes a layered security architecture (e.g., firewalls, IDS, encryption) rather than a principle for segregating duties within a process.

382
MCQ · easy

What is the primary purpose of identification in the context of access control?

A. To grant permissions to resources
B. To verify the identity of the user
C. To record user activities
D. To claim an identity
Answer: D

Identification provides a claimed identity (e.g., username).

Why this answer

In access control, identification is the process by which a user claims an identity (e.g., by providing a username or account name). It is distinct from authentication, which verifies that claim. The primary purpose of identification is to assert who you are, not to prove it.

Exam trap

ISC2 often tests the distinction between identification (claiming an identity) and authentication (proving that identity), so candidates mistakenly select 'To verify the identity of the user' (Option B) because they conflate the two steps.

How to eliminate wrong answers

Option A is wrong because granting permissions to resources is the function of authorization, not identification. Option B is wrong because verifying the identity of the user is the purpose of authentication, which typically follows identification. Option C is wrong because recording user activities is the role of accounting (auditing), not identification.

383
MCQ · hard

During a disaster recovery exercise, the backup systems are not available because the storage array failed. Which of the following should be done FIRST?

A. Activate the disaster recovery plan
B. Contact the vendor
C. Restore from offsite tape
D. Order replacement hardware
Answer: A

The DR plan includes procedures for such failures and guides next steps.

Why this answer

When backup systems are unavailable due to a storage array failure, the first action must be to activate the disaster recovery plan (DRP). The DRP is the predefined, documented set of procedures that guides the organization through the recovery process, including escalation, communication, and alternative recovery methods. Without activating the plan, subsequent steps like contacting vendors or restoring from tape lack coordination and may violate recovery time objectives (RTOs) and recovery point objectives (RPOs).

Exam trap

ISC2 often tests the principle that the disaster recovery plan must be activated before any technical recovery action is taken, trapping candidates who jump to a specific recovery step like restoring from tape or contacting a vendor without first following the documented process.

How to eliminate wrong answers

Option B is wrong because contacting the vendor is a tactical step that should be performed after the DRP is activated, as the plan specifies when and how to engage vendors. Option C is wrong because restoring from offsite tape is a specific recovery action that must be directed by the DRP, which first requires assessing the situation and authorizing the restore process. Option D is wrong because ordering replacement hardware is a procurement action that occurs later in the recovery timeline, after the DRP has been activated and a gap analysis has been performed.

384
Multi-Select · medium

Which TWO of the following are valid types of disaster recovery tests?

Select 2 answers
A. Tabletop exercise.
B. Full-scale simulation without prior notification.
C. Unit testing of individual applications.
D. Vulnerability scan.
E. Parallel test between primary and backup site.
Answers: A, E

Tabletop exercises involve walkthroughs of disaster scenarios.

Why this answer

Options A and E are correct. Tabletop exercises and parallel tests are common DR test types. Option B is a simulation but not typically classified as a test type.

Option C is unit testing unrelated to DR. Option D is a security assessment.

385
MCQ · easy

An organization wants to ensure that a critical database can be restored within 2 hours after a failure. Which metric should the organization define?

A. Maximum Tolerable Downtime (MTD)
B. Service Level Agreement (SLA)
C. Recovery Point Objective (RPO)
D. Recovery Time Objective (RTO)
Answer: D

RTO sets the target restoration time.

Why this answer

Option D is correct because RTO (Recovery Time Objective) defines the maximum acceptable downtime before the service must be restored. Option C (RPO) is about data loss, i.e. the recovery point, not the restoration time.

Options A and B do not define the target restoration time.

386
MCQ · hard

You are the security administrator for a mid-sized e-commerce company. The company uses a Linux-based web server running Apache, with a MySQL database backend. User authentication is handled via LDAP. Recently, the security team discovered that a former employee's account was used to access the customer database two weeks after the employee was terminated. The account had not been disabled. The database contains personally identifiable information (PII). The incident was traced to an internal IP address from the marketing department. The marketing department's network segment is not segregated from the database server. Additionally, the database server's firewall rules allow any internal IP to connect to the MySQL port (3306). The company has a written policy that accounts must be disabled within 24 hours of termination, but the HR department did not notify IT in a timely manner. Which combination of controls would BEST prevent a recurrence of this incident?

A. Deploy a database activity monitoring (DAM) solution that alerts on unusual queries, and require strong passwords for all database accounts.
B. Implement a firewall rule to block all traffic from the marketing network to the database server, and require all database access to go through a bastion host.
C. Integrate HR system with identity management to automatically disable accounts upon termination, and implement network segmentation with a firewall that restricts database access to only authorized application servers.
D. Implement two-factor authentication for all database access, and conduct quarterly access reviews.
Answer: C

Automated account disablement prevents use of terminated accounts; segmentation limits lateral movement.

Why this answer

Option C addresses both the user provisioning issue (automated account disablement) and the network access issue (segmentation and least privilege). Option B only addresses the network aspect. Option A focuses on monitoring but not prevention.

Option D adds unnecessary complexity and does not directly fix the root causes.

387
Multi-Select · medium

Which TWO are key components of an effective incident response plan? (Select TWO.)

Select 2 answers
A. Business continuity procedures
B. List of forensic tools
C. Backup verification schedule
D. Communication plan for stakeholders
E. Post-incident review process
Answers: D, E

Critical for coordination during an incident.

Why this answer

Option D is correct because an incident response plan must include a communication plan for stakeholders to ensure timely and accurate information sharing during a security incident. This includes predefined escalation paths, contact lists, and communication channels (e.g., email, phone, secure messaging) to coordinate response efforts and manage external notifications (e.g., legal, PR, customers). Without a communication plan, response teams risk confusion, delays, and inconsistent messaging, which can exacerbate the incident's impact.

Exam trap

ISC2 often tests the distinction between incident response and adjacent processes (like business continuity or disaster recovery) to see if candidates confuse overlapping but distinct security operations concepts.

388
MCQ · hard

A company's business continuity plan requires a maximum tolerable downtime of 2 hours for the ERP system. The current backup process takes 3 hours to restore. Which of the following is the BEST corrective action?

A. Reduce RTO to 1 hour
B. Increase backup frequency
C. Implement synchronous replication
D. Perform restoration testing quarterly
Answer: C

Synchronous replication ensures data is mirrored in real-time, allowing near-instant failover.

Why this answer

The maximum tolerable downtime (MTD) is 2 hours, but the current restore process takes 3 hours, which exceeds the MTD. Synchronous replication writes data to both primary and secondary storage simultaneously, ensuring that the secondary copy is always current and can be failed over to in seconds or minutes, not hours. This reduces the recovery time objective (RTO) to well under the required 2 hours, directly addressing the gap.

Exam trap

ISC2 often tests the distinction between RTO and RPO, and the trap here is that candidates confuse backup frequency (which affects RPO) with restore speed (which affects RTO), leading them to incorrectly choose Option B.

How to eliminate wrong answers

Option A is wrong because reducing the RTO to 1 hour does not fix the underlying problem—the restore process still takes 3 hours, and simply changing a target number without improving the technology does not achieve compliance. Option B is wrong because increasing backup frequency reduces the recovery point objective (RPO), not the recovery time objective (RTO); the restore time remains 3 hours regardless of how often backups are taken. Option D is wrong because quarterly restoration testing validates that backups work but does not reduce the 3-hour restore time; testing alone cannot bring the RTO below the MTD.

389
MCQ · easy

A company implements a policy that requires two employees to approve any financial transaction over $10,000. Which security principle is being applied?

A. Need to know
B. Defense in depth
C. Least privilege
D. Separation of duties
Answer: D

Correct. The policy requires two individuals, which is a classic example of separation of duties.

Why this answer

Separation of duties ensures that no single individual has control over all critical functions, reducing the risk of fraud or error. In this scenario, requiring two approvals for large transactions institutionalizes the principle.

390
MCQ · easy

A company's backup strategy involves daily full backups only. What is the primary risk associated with this approach?

A. Recovery Point Objective (RPO) may be too long
B. Recovery Time Objective (RTO) may be exceeded due to long restore
C. High cost of backup storage
D. Data corruption could spread across backups
Answer: B

Restoring a full backup takes significant time, which may violate the RTO.

Why this answer

With daily full backups only, the Recovery Point Objective (RPO) is effectively 24 hours, which may be acceptable depending on business requirements. However, the primary risk is that restoring from a single full backup can take a very long time, especially for large datasets, potentially exceeding the Recovery Time Objective (RTO). This is because full backups contain all data and must be restored entirely, unlike incremental or differential backups that allow faster recovery by restoring only changed blocks.

Exam trap

ISC2 often tests the distinction between RPO and RTO, and the trap here is that candidates assume the primary risk is a long RPO (Option A) because they think daily backups mean losing a day of data, but the question specifically asks about the primary risk of this approach, which is the long restore time impacting RTO.

How to eliminate wrong answers

Option A is wrong because the RPO for daily full backups is fixed at 24 hours, which may be acceptable for many organizations; the question asks for the primary risk, and RPO is not inherently too long—it depends on the business requirement. Option C is wrong because daily full backups do not inherently have high storage cost; in fact, they can be more storage-efficient than combining full and incremental backups if retention is short, and cost is not the primary risk. Option D is wrong because data corruption spreading across backups is a risk associated with any backup strategy, not specific to daily full backups; it is not the primary risk highlighted by this approach.

391
MCQ · easy

An organization's security policy requires that all employees change their passwords every 90 days. This is an example of which type of security control?

A. Deterrent control
B. Detective control
C. Preventive control
D. Corrective control
Answer: C

Regular password changes help prevent unauthorized access if credentials are stolen.

Why this answer

Password expiration policies, such as requiring a change every 90 days, are classified as preventive controls because they proactively reduce the risk of credential compromise by limiting the window of opportunity for an attacker to use a stolen or guessed password. This control enforces a security baseline before any unauthorized access can occur, directly preventing prolonged use of compromised credentials.

Exam trap

ISC2 often tests the distinction between preventive and deterrent controls, where candidates mistakenly classify password policies as deterrent because they 'discourage' sharing, but the key is that password expiration actively blocks access, not just discourages behavior.

How to eliminate wrong answers

Option A is wrong because a deterrent control is designed to discourage malicious behavior through the threat of consequences (e.g., warning banners, surveillance cameras), not to enforce a mandatory action like password rotation. Option B is wrong because a detective control identifies and logs security events after they occur (e.g., audit logs, intrusion detection systems), whereas password expiration proactively prevents stale credentials from being used. Option D is wrong because a corrective control remediates damage after an incident (e.g., restoring from backup, patching a vulnerability), not a scheduled administrative action to maintain security posture.

392
MCQ · hard

According to the NIST 800-61 incident response lifecycle, after containment and eradication have been performed, what is the next phase?

A. Recovery
B. Post-incident activity
C. Detection and analysis
D. Preparation
Answer: A

Recovery follows containment and eradication to bring systems back online.

Why this answer

According to the NIST 800-61 incident response lifecycle, the phases are Preparation, Detection & Analysis, Containment/Eradication, and Recovery. After containment (isolating the threat) and eradication (removing malware, patching vulnerabilities), the next phase is Recovery, where systems are carefully restored to normal operations, often using clean backups and verifying system integrity before reconnecting to the network.

Exam trap

ISC2 often tests the exact NIST 800-61 phase order, and the trap here is that candidates confuse 'Post-incident activity' as the immediate next step after eradication, when in fact Recovery must occur first to restore operations before conducting the final review.

How to eliminate wrong answers

Option B is wrong because Post-incident activity is the final phase that occurs after Recovery, involving lessons learned, documentation, and evidence retention. Option C is wrong because Detection and analysis occurs before containment/eradication, not after. Option D is wrong because Preparation is the initial phase that happens before any incident occurs, establishing policies, tools, and training.

393
MCQ · easy

Which document outlines the procedures for maintaining critical business functions during a disruption?

A. Business Continuity Plan
B. Continuity of Operations Plan
C. Incident Response Plan
D. Disaster Recovery Plan
Answer: A

BCP outlines procedures to sustain essential business operations.

Why this answer

The Business Continuity Plan (BCP) is the correct answer because it specifically outlines the procedures and strategies to maintain critical business functions during a disruption. Unlike other plans that focus on IT recovery or incident response, the BCP ensures that essential business operations continue, often by leveraging alternate work sites, manual workarounds, or scaled-down processes, until normal operations can be restored.

Exam trap

ISC2 often tests the distinction between BCP and DRP, where candidates mistakenly choose Disaster Recovery Plan because they focus only on IT recovery, forgetting that BCP covers the broader business continuity including non-IT functions like manual order processing or alternate facilities.

How to eliminate wrong answers

Option B (Continuity of Operations Plan) is wrong because it is a U.S. government-specific framework (COOP) focused on maintaining essential government functions at an alternate facility, not a general business continuity document. Option C (Incident Response Plan) is wrong because it focuses on detecting, containing, and eradicating security incidents (e.g., malware outbreaks or data breaches), not on maintaining ongoing business functions during a disruption. Option D (Disaster Recovery Plan) is wrong because it is a subset of BCP that specifically addresses the recovery of IT infrastructure and systems after a disaster, not the broader maintenance of critical business functions.

394
MCQ · medium

A company is designing a new authentication system for remote employees. They want to ensure that if one authentication factor is compromised, the system remains secure. Which security principle should they apply?

A. Fail-safe
B. Least privilege
C. Need to know
D. Defense in depth
Answer: D

Correct. Multiple authentication factors provide layered security.

Why this answer

Defense in depth is the correct principle because it involves implementing multiple layers of security controls so that if one authentication factor is compromised, other layers still protect the system. In this scenario, requiring multiple authentication factors (e.g., password plus biometric or token) ensures that a single compromised factor does not grant full access, maintaining overall system security.

Exam trap

ISC2 often tests the distinction between defense in depth and fail-safe, where candidates mistakenly choose fail-safe because they think it means 'safe if one factor fails,' but fail-safe is about system failure modes, not layered authentication.

How to eliminate wrong answers

Option A is wrong because fail-safe refers to a system that defaults to a secure state when a failure occurs (e.g., locking all doors on power loss), not to layering multiple authentication factors. Option B is wrong because least privilege limits user access rights to only what is necessary for their role, but does not address the scenario of a compromised authentication factor. Option C is wrong because need to know restricts access to information based on job requirements, which is about data confidentiality, not about ensuring security when one factor is breached.

395
MCQ · easy

A company has implemented a policy where all employees must use a smart card and PIN to access the data center. Which security principle does this practice support?

A. Keep it simple
B. Defense in depth
C. Least privilege
D. Fail-safe
Answer: B

Correct. Multiple factors create depth.

Why this answer

The use of both a smart card (something you have) and a PIN (something you know) creates a multi-factor authentication mechanism. This layered approach ensures that even if one factor is compromised, the other still provides protection, which is the core of the defense-in-depth principle. Defense in depth is about implementing multiple, overlapping security controls rather than relying on a single point of defense.

Exam trap

ISC2 often tests the concept that defense in depth is about multiple layers of security, not just multiple factors of authentication, but here the smart card and PIN specifically represent two distinct authentication factors, which is a clear example of a layered defense.

How to eliminate wrong answers

Option A is wrong because 'Keep it simple' advocates for minimizing complexity to reduce errors and attack surface, whereas adding a smart card and PIN introduces additional complexity for stronger security. Option C is wrong because 'Least privilege' restricts users to only the permissions necessary for their job, which is unrelated to the authentication method used to access the data center. Option D is wrong because 'Fail-safe' ensures that a system defaults to a secure state (e.g., locking access) when a failure occurs, but the question describes a normal operational authentication process, not a failure scenario.

396
Multi-Select · hard

A security administrator is reviewing the principles of access control. Which TWO of the following are core components of the AAA framework? (Select TWO.)

Select 2 answers
A. Authorization
B. Identification
C. Non-repudiation
D. Authentication
E. Auditing
Answers: A, D

Authorization determines access rights; it is a core AAA component.

Why this answer

The AAA framework consists of Authentication, Authorization, and Accounting. Authentication verifies the identity of a user or device (e.g., via RADIUS or TACACS+). Authorization determines what resources or actions the authenticated entity is permitted to access (e.g., via privilege levels or ACLs).

Accounting tracks and logs user activities for auditing and billing purposes. Therefore, Authorization (A) and Authentication (D) are two of the three core components of AAA.

Exam trap

ISC2 often tests that candidates confuse 'Identification' with 'Authentication' or think 'Auditing' is a core AAA component instead of 'Accounting', leading them to select B or E incorrectly.

397
Multi-Select · easy

Which TWO of the following are common indicators of a ransomware attack?

Select 2 answers
A. New user accounts created.
B. Elevated system performance.
C. Sudden decrease in network traffic.
D. Files with .encrypted extension.
E. Ransom note displayed on screen.
Answers: D, E

Encrypted file extensions are a common sign of ransomware.

Why this answer

Option D is correct because ransomware commonly encrypts victim files and appends a new extension such as .encrypted to indicate the files have been locked. This extension change is a direct artifact of the encryption process performed by the ransomware payload, making it a key forensic indicator during incident response.

Exam trap

ISC2 often tests the distinction between ransomware indicators and general malware or intrusion indicators, so candidates mistakenly associate user account creation (Option A) with ransomware when it is actually a lateral movement technique, not a direct ransomware artifact.

398
MCQ · easy

A company's business continuity plan includes an alternate work site with full IT capabilities. Which type of recovery site does this describe?

A. Hot site
B. Mobile site
C. Cold site
D. Warm site
Answer: A

A hot site is fully operational with all necessary hardware, software, and data.

Why this answer

A hot site is a fully equipped alternate work site with all necessary IT infrastructure—servers, networking, telecommunications, and power—ready to take over operations immediately. The question specifies 'full IT capabilities,' which aligns with the hot site's purpose of enabling rapid failover with minimal downtime, typically within hours.

Exam trap

ISC2 often tests the distinction between hot, warm, and cold sites by emphasizing the 'full IT capabilities' phrase—candidates may confuse a warm site (which has some equipment) with a hot site, but the key differentiator is that a hot site is fully operational and ready for immediate use, while a warm site requires additional setup.

How to eliminate wrong answers

Option B (Mobile site) is wrong because a mobile site is a portable, temporary facility (e.g., a trailer) that may not have full IT capabilities pre-installed and is used for short-term emergencies, not as a permanent alternate work site with full IT readiness. Option C (Cold site) is wrong because a cold site provides only basic physical infrastructure (space, power, cooling) but lacks IT equipment, requiring days or weeks to procure and configure systems, which contradicts 'full IT capabilities.' Option D (Warm site) is wrong because a warm site has some pre-installed hardware and connectivity but not full IT capabilities; it typically requires additional configuration and data restoration before operations can resume, making it slower than a hot site.

399
Multi-Selectmedium

Which TWO of the following are types of security controls?

Select 2 answers
A.Network
B.Corrective
C.All of the above
D.Preventive
E.None of the above
AnswersB, D

Corrective controls remedy damage after an incident.

Why this answer

Preventive and corrective are recognized categories of control, classified by what the control does (prevent, detect, correct, deter, compensate). 'Network' (A) names a place where controls are deployed, not a category of control, and 'all of the above' (C) and 'none of the above' (E) are not categories at all.

400
MCQhard

During a disaster recovery test, the recovery time objective (RTO) for a critical application is 4 hours, but the actual recovery takes 6 hours. Which of the following best describes the impact?

A.Data loss beyond the recovery point objective (RPO).
B.The recovery point objective (RPO) is not met.
C.The application is unavailable for 2 hours longer than acceptable.
D.No impact because RTO is only a guideline.
AnswerC

Matches the definition of RTO breach.

Why this answer

The recovery time objective (RTO) defines the maximum acceptable downtime for an application. Since the RTO is 4 hours but the actual recovery took 6 hours, the application was unavailable for 2 hours beyond the acceptable threshold, directly impacting business continuity. This is a failure to meet the RTO, not the RPO, which concerns data loss.

Exam trap

ISC2 often tests the distinction between RTO and RPO, and the trap here is confusing the two metrics — candidates may incorrectly associate a recovery time failure with data loss (RPO) instead of availability (RTO).

How to eliminate wrong answers

Option A is wrong because data loss is measured by the recovery point objective (RPO), not the RTO; exceeding the RTO does not imply any data loss. Option B is wrong because the RPO is a separate metric that defines the maximum acceptable age of data in the recovery copy; the scenario does not mention any data loss or failure to meet the RPO. Option D is wrong because RTO is a contractual or policy-driven requirement, not a guideline; exceeding it represents a non-compliance that can have serious operational and financial consequences.

401
MCQhard

You are the incident response lead for a financial services company. At 09:00, the SOC detects unusual outbound traffic from a server in the DMZ to an external IP known to be a command-and-control (C2) server. The server runs a legacy application that cannot be patched. The server is critical for customer transactions, but an alternate manual process can sustain operations for up to 4 hours. The CTO wants to keep the server online to avoid customer impact. The CEO is concerned about data exfiltration. The compliance officer reminds you of regulatory requirements to report breaches within 72 hours. Which action should you take FIRST?

A.Report the incident to the regulatory authority immediately.
B.Perform a forensic analysis of the server to determine the scope of compromise.
C.Disconnect the server from the network and activate the manual process.
D.Keep the server online under close monitoring to minimize customer disruption.
AnswerC

Immediate containment stops the C2 communication and protects data.

Why this answer

The correct first action is to disconnect the server from the network and activate the manual process. This immediately stops potential data exfiltration to the C2 server and contains the incident, aligning with the NIST incident response lifecycle's containment phase. Since the server runs a legacy application that cannot be patched and the manual process can sustain operations for up to 4 hours, isolation is both feasible and necessary to prevent further compromise while maintaining business continuity.

Exam trap

ISC2 often tests the principle that containment must precede any other action, even when business pressure or regulatory deadlines exist, to prevent candidates from prioritizing reporting or analysis over stopping the active threat.

How to eliminate wrong answers

Option A is wrong because reporting to the regulatory authority immediately (within 72 hours) is a post-containment step; the priority is to stop the active C2 communication and data loss first. Option B is wrong because performing forensic analysis on a live, compromised server connected to a C2 server risks altering evidence and allows continued data exfiltration; containment must precede forensics. Option D is wrong because keeping the server online under close monitoring does not stop the active outbound traffic to the C2 server, allowing ongoing data exfiltration and potential lateral movement, which violates the containment principle.

402
MCQhard

Refer to the exhibit. A security analyst runs the above iptables command on a Linux server. The server is configured with a default policy of DROP on the INPUT chain. Users report they can SSH to the server but cannot ping it. What is the most likely reason?

A.The default policy DROP on the INPUT chain drops echo replies, but they should be matched by the ESTABLISHED,RELATED rule.
B.The ICMP rule is placed after the ESTABLISHED,RELATED rule, so it is never evaluated for new ICMP packets.
C.The ACCEPT rule for ICMP only permits echo request (type 8), but ping requires echo reply (type 0) which is not allowed.
D.The ICMP rule only allows incoming echo requests; outgoing echo replies are not covered by the displayed rules and must be allowed by the OUTPUT chain.
AnswerD

Outgoing echo replies require an OUTPUT chain rule to be allowed.

Why this answer

Option D is correct because the displayed iptables rules govern only the INPUT chain, which filters packets arriving at the server. The rule accepts incoming ICMP echo requests (type 8), but the server's answer, an ICMP echo reply (type 0), is a locally generated packet that traverses the OUTPUT chain and is never seen by INPUT. If the OUTPUT chain has a default policy of DROP and no rule that lets the reply out (either an explicit ICMP ACCEPT or a conntrack ESTABLISHED,RELATED ACCEPT; conntrack does pair echo replies with their requests), the replies are dropped and ping fails. SSH still works because whatever the OUTPUT chain does accept evidently covers the TCP/22 return traffic but not ICMP. The quick check on the box is 'iptables -S OUTPUT', or 'iptables -L OUTPUT -v' to see which counters are moving.

Exam trap

ISC2 often tests the misconception that a single chain (INPUT) controls all traffic to and from the server, leading candidates to overlook the fact that outgoing packets (like ICMP echo replies) are filtered by the OUTPUT chain, not the INPUT chain.

How to eliminate wrong answers

Option A is wrong because the ESTABLISHED,RELATED rule is on the INPUT chain and can only match packets arriving at the server; the echo reply leaves the server, so no INPUT rule is ever consulted for it. (Conntrack does associate an echo reply with its request, so the same ESTABLISHED,RELATED rule placed on the OUTPUT chain would release the reply; the problem is the chain, not the connection state.) Option B is wrong because rule order is not the issue: a new echo request does not match the ESTABLISHED,RELATED rule, so evaluation simply continues to the ICMP rule, which accepts it; the failure occurs later, on the outgoing reply.

Option C is wrong because the ACCEPT rule for ICMP permits echo request (type 8) correctly, but ping requires the server to send echo replies (type 0), which are outgoing and not governed by the INPUT chain; the rule does not need to allow echo replies on INPUT.
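To see why the chain matters more than the connection state, here is a small model of netfilter's per-chain, first-match evaluation with a conntrack stand-in. It is an added example written for this page, not code from the question or from iptables itself: the INPUT rules are a reconstruction of what the exhibit plausibly contains, and the OUTPUT chains and addresses are hypothetical.

```python
"""Model of netfilter chain traversal behind "SSH works but ping does not".

Added example, not from the original page. INPUT is a reconstruction of what
the exhibit plausibly shows; OUTPUT is a hypothetical chain (DROP policy, TCP
only) that reproduces the symptom. As with real nf_conntrack, an ICMP echo
reply counts as ESTABLISHED once its request has been seen.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # TCP destination port
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply


@dataclass
class Rule:
    action: str                          # "ACCEPT" or "DROP"
    proto: Optional[str] = None          # None matches any protocol
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    ctstate: Optional[frozenset] = None  # e.g. {"ESTABLISHED", "RELATED"}

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.icmp_type is None or pkt.icmp_type == self.icmp_type)
                and (self.ctstate is None or state in self.ctstate))


@dataclass
class Chain:
    policy: str
    rules: list = field(default_factory=list)

    def verdict(self, pkt: Packet, state: str) -> str:
        for rule in self.rules:           # first match wins,
            if rule.matches(pkt, state):
                return rule.action
        return self.policy                # otherwise the chain policy applies


class ConnTrack:
    """Stand-in for nf_conntrack: a flow seen once is ESTABLISHED afterwards."""

    def __init__(self):
        self.flows = set()

    @staticmethod
    def key(pkt: Packet):
        if pkt.proto == "icmp":   # request and reply form one flow; the reply is reversed
            return ("icmp", pkt.src, pkt.dst) if pkt.icmp_type == 8 else ("icmp", pkt.dst, pkt.src)
        return ("tcp", frozenset({pkt.src, pkt.dst}))

    def state(self, pkt: Packet) -> str:
        return "ESTABLISHED" if self.key(pkt) in self.flows else "NEW"

    def record(self, pkt: Packet) -> None:
        self.flows.add(self.key(pkt))


def exchange(inbound: Packet, reply: Packet, input_chain: Chain, output_chain: Chain):
    """Run a request through INPUT and, if accepted, the host's reply through OUTPUT."""
    ct = ConnTrack()
    in_verdict = input_chain.verdict(inbound, ct.state(inbound))
    if in_verdict != "ACCEPT":
        return in_verdict, None
    ct.record(inbound)
    return in_verdict, output_chain.verdict(reply, ct.state(reply))


SERVER, CLIENT = "10.0.0.5", "10.0.0.9"   # hypothetical addresses
ECHO_REQ, ECHO_REP = Packet("icmp", CLIENT, SERVER, icmp_type=8), Packet("icmp", SERVER, CLIENT, icmp_type=0)
SSH_SYN, SSH_SYNACK = Packet("tcp", CLIENT, SERVER, dport=22), Packet("tcp", SERVER, CLIENT, dport=50000)

INPUT = Chain("DROP", [                      # reconstructed from the question
    Rule("ACCEPT", ctstate=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("ACCEPT", proto="icmp", icmp_type=8),
])
OUTPUT_BROKEN = Chain("DROP", [Rule("ACCEPT", proto="tcp")])   # hypothetical: TCP leaves, ICMP does not
OUTPUT_FIXED = Chain("DROP", [                                # fix: release replies of accepted flows
    Rule("ACCEPT", ctstate=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", proto="tcp"),
])


def ping(output_chain: Chain):
    return exchange(ECHO_REQ, ECHO_REP, INPUT, output_chain)


def ssh(output_chain: Chain):
    return exchange(SSH_SYN, SSH_SYNACK, INPUT, output_chain)
```

With OUTPUT_BROKEN the SSH handshake passes but the echo reply is dropped on the way out; with OUTPUT_FIXED both pass. On a real host the equivalent fix is one line, for example 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT', or an explicit '-p icmp --icmp-type echo-reply -j ACCEPT' on OUTPUT.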

403
Multi-Selecthard

Which THREE of the following are recognized security control types according to ISC2? (Choose three.)

Select 3 answers
A.Deterrent
B.Technical
C.Physical
D.Operational
E.Administrative
AnswersB, C, E

Technical controls include firewalls, encryption, etc.

Why this answer

Option B (Technical) is correct because ISC2 recognizes technical controls as a primary security control type, encompassing mechanisms like firewalls, encryption, and intrusion detection systems that enforce security policies through technology. These controls operate at the system or network level to protect assets directly. Option C (Physical) and Option E (Administrative) complete the set: physical controls such as locks, guards and cameras protect facilities and equipment, and administrative controls such as policies, procedures and training govern people and processes. Option D (Operational) comes from other frameworks' vocabulary (NIST's management/operational/technical split), not from the three-way split ISC2 uses.

Exam trap

ISC2 often tests the distinction between control types and control functions (like deterrent, detective, preventive), causing candidates to mistakenly select 'deterrent' as a type instead of recognizing it as a function that can be fulfilled by any of the three recognized types.

404
MCQhard

During a security incident, a forensic analyst needs to acquire the contents of RAM from a live system. Which tool should be used?

A.Disk cloning tool like dd
B.Network monitoring tool like Wireshark
C.Memory dump tool like DumpIt
D.Antivirus scanner
AnswerC

DumpIt captures volatile memory contents without powering down the system.

Why this answer

Option C is correct because specialized memory dump tools such as DumpIt are designed to acquire volatile memory from a running system. The other tools serve different purposes: dd images disks rather than RAM, Wireshark captures network traffic, and an antivirus scanner detects malware rather than preserving evidence. In practice the dump is written to external media and hashed immediately, since the acquisition tool itself occupies a small part of memory and the image cannot be reproduced later.

405
MCQeasy

A small financial firm has a single server that hosts a critical database and also runs a web application. The server is located in a closet with a simple lock. An intern accidentally left the closet door open, and an unauthorized person gained physical access, connected a laptop to the server, and copied the database. The company wants to prevent such incidents in the future. Which of the following is the most effective course of action?

A.Require two-factor authentication for database access.
B.Move the database to a separate server and apply encryption.
C.Implement strong access controls on the database files.
D.Install a CCTV camera in the server closet.
AnswerB

Separating the database and encrypting it reduces the risk of data theft from physical access.

Why this answer

Moving the database to a separate server and encrypting it reduces the risk of data theft from physical access. CCTV is detective, 2FA protects remote access, and strong ACLs can be bypassed with physical control of the server.

406
MCQeasy

A security analyst discovers that an employee shared their password with a colleague to complete a task. Which security principle has been violated?

A.Availability
B.Confidentiality
C.Integrity
D.Accountability
AnswerD

Password sharing undermines accountability because actions cannot be tied to a specific individual.

Why this answer

Accountability relies on unique identification. Password sharing breaks this link.

407
MCQeasy

A company wants to implement a security control that ensures users are who they claim to be before granting access to a system. Which type of control should they prioritize?

A.Auditing
B.Authentication
C.Authorization
D.Accounting
AnswerB

Authentication verifies identity, which is the first step in access control.

Why this answer

Authentication verifies identity, authorization determines what an authenticated identity may do, accounting records what it did, and auditing reviews those records.

408
MCQmedium

An organization uses a primary data center and a backup site 500 miles away. The backup site replicates data synchronously. Which risk is MOST likely introduced by this configuration?

A.High recovery point objective (RPO)
B.Data encryption overhead
C.Insufficient bandwidth between sites
D.Increased latency for write operations
AnswerD

Synchronous replication requires acknowledgment from backup, causing latency proportional to distance.

Why this answer

Synchronous replication requires the primary site to wait for an acknowledgment from the backup site before completing each write. Light in fiber travels roughly 200 km per millisecond, so a 500-mile (about 800 km) separation adds at least 4 ms each way, or about 8 ms per round trip, before real fiber routes and equipment delays are counted. Every write carries this delay, which is the risk most directly introduced by the configuration.

Exam trap

ISC2 often tests the distinction between synchronous and asynchronous replication, and the trap here is that candidates confuse 'synchronous' with 'high RPO' or assume bandwidth is the main constraint, when in fact synchronous replication introduces latency as the primary risk due to the distance-dependent acknowledgment delay.

How to eliminate wrong answers

Option A is wrong because synchronous replication ensures that data is written to both sites before acknowledging the write, resulting in an RPO of zero (no data loss), not high RPO. Option B is wrong because data encryption overhead is a general security concern unrelated to the replication method or distance; it applies equally to any encrypted data transfer. Option C is wrong because insufficient bandwidth between sites is a capacity planning issue that can affect replication throughput but is not inherently introduced by synchronous replication or distance; latency is the primary risk, not bandwidth.

409
MCQeasy

Which access control model uses subject and object labels to enforce access based on a security policy?

A.Discretionary Access Control (DAC)
B.Attribute-Based Access Control (ABAC)
C.Mandatory Access Control (MAC)
D.Role-Based Access Control (RBAC)
AnswerC

MAC uses labels and a central policy to control access.

Why this answer

Mandatory Access Control (MAC) enforces access decisions based on security labels assigned to subjects (users/processes) and objects (files/resources). The system, not the user, controls access by comparing these labels against a security policy, such as Bell-LaPadula or Biba. This is why MAC is the correct answer for label-based enforcement.

Exam trap

ISC2 often tests the misconception that ABAC uses labels (since attributes can be labels), but the key distinction is that MAC uses mandatory, system-enforced labels tied to a security policy, whereas ABAC evaluates attribute-based rules dynamically without fixed subject/object labels.

How to eliminate wrong answers

Option A is wrong because Discretionary Access Control (DAC) allows the owner of an object to set permissions at their discretion, using Access Control Lists (ACLs) or owner-based rights, not system-enforced labels. Option B is wrong because Attribute-Based Access Control (ABAC) uses attributes (e.g., user role, time, location) evaluated against policies, but it does not rely on fixed subject/object labels as the primary enforcement mechanism. Option D is wrong because Role-Based Access Control (RBAC) assigns permissions based on predefined roles (e.g., 'admin', 'viewer'), not on security labels that compare subject and object classifications.

410
MCQeasy

Refer to the exhibit. What is the first action the incident responder should take?

A.Disable the web application
B.Block the source IP in firewall
C.Ignore the alert as false positive
D.Investigate the web server at 192.168.1.10
AnswerD

Investigating the target server will confirm whether the attack succeeded and what data may be compromised.

Why this answer

The incident responder must first investigate the web server at 192.168.1.10 to confirm whether the alert is a true positive or a false positive. Jumping to containment actions like disabling the application or blocking the IP without verification could disrupt legitimate services or overlook the root cause. The initial step in any incident response process (as per NIST SP 800-61) is to validate the alert through analysis of logs, processes, and system state.

Exam trap

ISC2 often tests the candidate's understanding that the first step in incident response is always to investigate and validate the alert, not to immediately contain or dismiss it, tempting candidates to jump to a reactive action like blocking the IP or disabling the application.

How to eliminate wrong answers

Option A is wrong because disabling the web application immediately could cause unnecessary business disruption and may destroy volatile evidence (e.g., running processes, memory contents) before the incident is confirmed. Option B is wrong because blocking the source IP in the firewall is a containment action that should only occur after the alert is verified and the scope of the incident is understood; premature blocking could also block legitimate traffic if the IP is spoofed or shared. Option C is wrong because ignoring the alert as a false positive without investigation violates the fundamental incident response principle of 'trust but verify' and could allow an actual breach to go undetected.

411
Multi-Selectmedium

Which TWO are principles of access control?

Select 2 answers
A.Separation of duties
B.Security through obscurity
C.Multifactor authentication
D.Single sign-on (SSO)
E.Least privilege
AnswersA, E

Principle that no single person has excessive control.

Why this answer

Separation of duties is a principle of access control that prevents any single individual from having excessive control over critical processes by dividing tasks and privileges among multiple people. This reduces the risk of fraud or error, as collusion is required to bypass controls. It is a foundational concept in security frameworks like NIST SP 800-53 and is often enforced through role-based access control (RBAC) policies.

Exam trap

ISC2 often tests the distinction between access control principles (like least privilege and separation of duties) and access control mechanisms or technologies (like multifactor authentication and SSO), causing candidates to confuse a method for a principle.

412
MCQeasy

A company's backup strategy requires daily full backups of all servers. The backup window is 4 hours. What is the primary risk if backups consistently take longer than the window?

A.Compliance requirements may be violated
B.Backup media may fill up
C.Backups may interfere with production operations
D.Backups may be corrupted
AnswerC

Overlapping backups can degrade system performance.

Why this answer

When backups consistently exceed the 4-hour window, they overlap with production hours, causing resource contention (CPU, I/O, network bandwidth) that degrades application performance and user experience. This directly risks production operations, as backup jobs compete with live workloads for system resources.

Exam trap

ISC2 often tests the misconception that exceeding a backup window is a compliance or storage issue, when the core risk is operational interference with production workloads.

How to eliminate wrong answers

Option A is wrong because compliance requirements typically mandate that backups exist, not that they complete within a specific window; exceeding the window does not inherently violate compliance unless the backup itself fails or is absent. Option B is wrong because backup media filling up is a capacity planning issue unrelated to the backup window duration; it occurs when retention policies or data growth are mismanaged, not when backups run long. Option D is wrong because backups being corrupted is a data integrity issue caused by hardware faults, software bugs, or network errors, not by the backup taking longer than the window.

413
MCQhard

An organization wants to ensure that its backup strategy can recover data within 2 hours after a system failure. Which metric should be defined in the disaster recovery plan?

A.Mean Time Between Failures (MTBF)
B.Recovery Point Objective (RPO)
C.Service Level Agreement (SLA)
D.Recovery Time Objective (RTO)
AnswerD

Specifies the maximum time to restore services after a disaster.

Why this answer

The Recovery Time Objective (RTO) defines the maximum acceptable time to restore systems and data after a disaster, directly addressing the 2-hour recovery requirement. In the context of backup strategy, RTO drives decisions on failover mechanisms, replication speed, and restoration procedures to meet the specified downtime limit.

Exam trap

ISC2 often tests the distinction between RTO and RPO, where candidates mistakenly choose RPO because they confuse 'recovery of data' with 'time to recover' rather than 'point in time to which data is recovered'.

How to eliminate wrong answers

Option A is wrong because Mean Time Between Failures (MTBF) measures the average time between system failures, not recovery time, and is used for reliability planning rather than disaster recovery timelines. Option B is wrong because Recovery Point Objective (RPO) defines the maximum acceptable data loss measured in time (e.g., 15 minutes of lost transactions), not the time to restore operations. Option C is wrong because a Service Level Agreement (SLA) is a contractual commitment that may include RTO/RPO targets but is not itself a metric; it is an agreement, not a specific recovery time measurement.

414
MCQhard

A security architect is evaluating a biometric authentication system. The system's false positive rate is 0.1%, and the false negative rate is 2%. Which security principle is most compromised if the organization prioritizes user convenience over security?

A.Confidentiality
B.Non-repudiation
C.Availability
D.Integrity
AnswerC

A high false negative rate denies access to legitimate users, reducing availability.

Why this answer

In biometric terms a false positive is a false acceptance (an impostor is admitted) and a false negative is a false rejection (a legitimate user is turned away). With a 0.1% false acceptance rate and a 2% false rejection rate, roughly one legitimate attempt in fifty fails, so the principle affected in day-to-day use is availability: authorized users cannot reach the systems they need. If the organization responds by relaxing the matching threshold for convenience, the false rejection rate falls but the false acceptance rate rises, trading availability for confidentiality and integrity. Option C is correct because the stated error rates already compromise availability.

Option A (confidentiality) is the principle threatened by false acceptances, not by the 2% rejection rate. Option D (integrity) is only indirectly affected. Option B (non-repudiation) concerns being unable to deny an action afterwards, which the error rates do not describe.

415
Matchingmedium

Match each authentication factor to an example.


Concepts and their matches

Password: something you know (knowledge factor)
Smart card: something you have (possession factor)
Fingerprint: something you are (inherence factor)
GPS location: somewhere you are (location factor)

Why these pairings

These are examples of the factor categories used in multi-factor authentication (MFA). Genuine MFA combines factors from at least two different categories; a password plus a PIN is two instances of 'something you know', not two factors.

416
MCQhard

A company's security policy requires that all sensitive data be encrypted during transfer. A security administrator discovers that an internal web application is using a self-signed TLS certificate. What vulnerability does this introduce?

A.Data corruption
B.Increased latency
C.Replay attacks because TLS is not used
D.Man-in-the-middle attacks because the certificate cannot be verified
AnswerD

Without a trusted CA, clients cannot confirm the server's identity, allowing interception.

Why this answer

A self-signed TLS certificate is not signed by a Certificate Authority (CA) that the clients trust, so clients cannot verify that the certificate belongs to the server they intended to reach. An attacker on the path can intercept the TLS handshake, present a different self-signed certificate, and perform a man-in-the-middle (MITM) attack, decrypting and reading or modifying the data in transit. The practical danger is that once users and administrators get used to clicking through warnings or disabling certificate validation for the internal application, nobody notices a substituted certificate. The remedy is to issue the certificate from an internal CA that the clients trust (or, for a fixed set of clients, pin the specific certificate), not to turn validation off.

Exam trap

ISC2 often tests the misconception that self-signed certificates mean TLS is not used, but the trap here is that TLS is still active; the real issue is the lack of certificate validation, which opens the door to MITM attacks.

How to eliminate wrong answers

Option A is wrong because data corruption refers to accidental bit flips or storage errors, not to the security weakness introduced by an untrusted certificate. Option B is wrong because increased latency is a performance issue, not a security vulnerability; self-signed certificates do not add network delay compared with CA-signed ones. Option C is wrong because TLS is still used with a self-signed certificate; the vulnerability is not the absence of TLS but the inability to verify the server's identity, which enables MITM attacks rather than replay attacks (TLS protects against replay with per-record sequence numbers and fresh per-handshake random values).

417
MCQhard

In a MAC environment implementing Bell-LaPadula, a subject with Secret clearance attempts to read an object classified as Confidential and write to an object classified as Top Secret. Which operations are permitted?

A.Read denied, write allowed
B.Both read and write allowed
C.Read allowed, write denied
D.Both read and write denied
AnswerB

Read down (Secret→Confidential) and write up (Secret→Top Secret) are both permitted.

Why this answer

In Bell-LaPadula, the Simple Security Property (no read up) prevents a subject from reading an object at a higher classification, but reading down is allowed. The *-Property (no write down) prevents writing to a lower classification, but writing up is allowed. Since the subject has Secret clearance, reading Confidential (lower) is permitted, and writing to Top Secret (higher) is permitted, so both operations are allowed.

Exam trap

ISC2 often tests the misconception that both read and write must be at the same clearance level, but Bell-LaPadula actually allows reading down and writing up, not the reverse.

How to eliminate wrong answers

Option A is wrong because it claims read is denied, but reading down (Secret reading Confidential) is allowed by the Simple Security Property. Option C is wrong because it claims write is denied, but writing up (Secret writing to Top Secret) is allowed by the *-Property. Option D is wrong because it claims both are denied, but both operations are actually permitted under Bell-LaPadula rules.
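The label comparison behind this question and question 409 is a dominance check on a lattice, not just a comparison of levels: a subject dominates an object only if its level is at least as high and its compartments (need-to-know categories) are a superset. The following added example (not from the page) implements Bell-LaPadula's two properties that way, with Biba's inverted rules for contrast; the level names are the ones used in the question, and the compartment names are invented.

```python
"""Label dominance for mandatory access control (Bell-LaPadula, Biba for contrast).

Added example, not from the original page. A label is a level plus a set of
compartments; compartment names (CRYPTO, NUCLEAR) are made up. Biba reuses the
same labels as integrity levels purely for illustration.
"""
from dataclasses import dataclass

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple Security Property (no read up): subject must dominate object."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-Property (no write down): object must dominate subject."""
    return obj.dominates(subject)


def biba_can_read(subject: Label, obj: Label) -> bool:
    """Biba (no read down): the object's integrity must be at least the subject's."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Biba (no write up): the subject's integrity must be at least the object's."""
    return subject.dominates(obj)


def blp_decide(subject: Label, obj: Label, op: str) -> bool:
    """Reference-monitor style decision: the system, not the object's owner, decides."""
    if op == "read":
        return blp_can_read(subject, obj)
    if op == "write":
        return blp_can_write(subject, obj)
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    secret = Label("Secret")
    print(blp_decide(secret, Label("Confidential"), "read"))    # True: read down
    print(blp_decide(secret, Label("Top Secret"), "write"))     # True: write up
    print(blp_decide(secret, Label("Top Secret"), "read"))      # False: no read up
    # Same level, disjoint compartments: the lattice, not the ladder, decides.
    print(blp_decide(Label("Secret", frozenset({"CRYPTO"})),
                     Label("Secret", frozenset({"NUCLEAR"})), "read"))   # False
```

The last case is the one exam questions leave out: two Secret labels with different compartments are incomparable, so neither may read the other's data even though the levels are equal.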

418
Multi-Selecthard

A network administrator is implementing a defense-in-depth strategy. Which THREE of the following are considered network security controls? (Select THREE)

Select 3 answers
A.Virtual Private Network (VPN)
B.Intrusion Detection System (IDS)
C.Full disk encryption
D.Network firewall
E.Antivirus software
AnswersA, B, D

VPN provides encrypted tunnels for secure communication over untrusted networks, a network security control.

Why this answer

A Virtual Private Network (VPN) is a network security control because it creates an encrypted tunnel (using protocols such as IPsec or TLS) between a remote user and the corporate network, ensuring data confidentiality and integrity over untrusted networks like the internet. This protects data in transit and authenticates endpoints, which is a core network-layer security function.

Exam trap

ISC2 often tests the distinction between network-layer controls (VPN, IDS, firewall) and host/endpoint controls (disk encryption, antivirus), so the trap is that candidates mistakenly classify host-based security measures as network security controls.

419
MCQhard

You are implementing a security control to prevent unauthorized devices from connecting to the corporate wired network. Which network access control method should be used?

A.VLAN segmentation
B.MAC address filtering
C.Network Access Control (NAC) only
D.802.1X authentication
AnswerD

802.1X authenticates devices at the port level, checking credentials before allowing network access.

Why this answer

Option D is correct because 802.1X requires the device (or its user) to authenticate, typically via EAP to a RADIUS server, before the switch port forwards any traffic, which gives port-level admission control. MAC address filtering (B) can be bypassed by spoofing an allowed address. NAC (C) is the broader category that 802.1X usually implements; 'NAC only' is not a specific method. VLAN segmentation (A) separates traffic once a device is on the network but does not authenticate the device.

420
Multi-Selecteasy

Which THREE are phases of the incident response process according to NIST SP 800-61?

Select 3 answers
A.Containment, Eradication, and Recovery
B.Risk Assessment
C.Detection and Analysis
D.Preparation
E.Vendor Management
AnswersA, C, D

Containment, Eradication, and Recovery is the third of the four phases.

Why this answer

Option A is correct because NIST SP 800-61 defines the incident response process as four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The 'Containment, Eradication, and Recovery' phase is explicitly grouped together as a single phase in the standard, making A a correct choice.

Exam trap

ISC2 often tests whether candidates recognize that 'Containment, Eradication, and Recovery' is a single phase in NIST SP 800-61, not three separate phases, and that 'Risk Assessment' and 'Vendor Management' are common distractors because they appear in other security frameworks but are not part of the incident response process.

421
Multi-Selectmedium

A security administrator is reviewing network security controls. Which TWO of the following are examples of network segmentation technologies? (Select TWO)

Select 2 answers
A.Proxy servers
B.Honeypots
C.Subnetting
D.VLANs
E.Firewalls
AnswersC, D

Subnetting divides a network into smaller IP subnetworks, providing Layer 3 segmentation.

Why this answer

Subnetting divides a larger address block into smaller IP networks by adjusting the subnet mask (VLSM or CIDR). Hosts in different subnets can only reach each other through a router, so inter-subnet traffic crosses a Layer 3 hop where ACLs or a firewall can enforce policy. Together with VLANs, which bound Layer 2 broadcast domains, this is how segments are built; the firewall polices the boundary, it does not create it.

Exam trap

ISC2 often tests the distinction between technologies that create segmentation (subnetting, VLANs) and technologies that enforce security policies between segments (firewalls, ACLs), leading candidates to mistakenly select firewalls as a segmentation technology.

422
MCQhard

Refer to the exhibit. What type of event is this?

A.Account lockout
B.Successful remote login
C.Failed network login
D.Failed local login
AnswerC

Logon Type 3 confirms a network logon attempt.

Why this answer

Option C is correct because the event is a failed logon with Logon Type 3, which Windows uses for network logons (an attempt to reach a resource over the network, such as a file share or a service). Option B is wrong because the event records a failure, not a success. Option D is wrong because Logon Type 3 is a network logon, not a local one; an interactive console logon is Type 2, and an RDP session is Type 10 (RemoteInteractive). Option A is wrong because no lockout event is present; on Windows a lockout is logged as a separate event (Event ID 4740) from the failed logon itself (Event ID 4625).
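Since the exhibit is not reproduced here, the following added example (not from the page) applies the same classification programmatically to constructed Windows Security events, then layers on the detection a SIEM would add: a burst of failed network logons from one source address. Event IDs and logon types are Windows' own; the accounts, addresses and timestamps are made up.

```python
"""Classify Windows Security logon events and flag failed-network-logon bursts.

Added example, not from the original page. The events below are constructed
in the "Field: value" layout of the Windows Security log; accounts, IPs and
times are made up. Event ID 4625 is a failed logon, 4624 a successful one,
4740 a lockout; Logon Type 2 is console, 3 network, 10 RDP.
"""
import re
from datetime import datetime, timedelta

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$", re.M)

# Constructed sample events, blank-line separated (not real log data).
SAMPLE_LOG = """EventID: 4625
TimeCreated: 2024-05-01T09:00:01
Account Name: svc-backup
Logon Type: 3
Source Network Address: 10.20.30.40

EventID: 4625
TimeCreated: 2024-05-01T09:00:03
Account Name: administrator
Logon Type: 3
Source Network Address: 10.20.30.40

EventID: 4625
TimeCreated: 2024-05-01T09:00:05
Account Name: jsmith
Logon Type: 3
Source Network Address: 10.20.30.40

EventID: 4625
TimeCreated: 2024-05-01T09:10:00
Account Name: jsmith
Logon Type: 2
Source Network Address: -

EventID: 4624
TimeCreated: 2024-05-01T09:11:00
Account Name: jsmith
Logon Type: 10
Source Network Address: 10.20.30.41"""


def parse_event(text: str) -> dict:
    fields = dict(FIELD.findall(text))
    return {
        "event_id": int(fields["EventID"]),
        "time": datetime.fromisoformat(fields["TimeCreated"]),
        "account": fields.get("Account Name", ""),
        "logon_type": int(fields.get("Logon Type", -1)),
        "source": fields.get("Source Network Address", "-"),
    }


def classify(ev: dict) -> str:
    """Map (event id, logon type) onto the categories the question offers."""
    eid, lt = ev["event_id"], ev["logon_type"]
    if eid == 4740:
        return "Account lockout"
    if eid == 4624:
        return "Successful remote login" if lt in (3, 10) else "Successful local login"
    if eid == 4625:
        if lt == 3:
            return "Failed network login"
        return "Failed remote interactive login" if lt == 10 else "Failed local login"
    return "Other"


def failed_network_bursts(events, window=timedelta(minutes=5), threshold=3) -> dict:
    """Sources with >= threshold failed network logons inside any `window`.

    Counting per source rather than per account also catches password
    spraying, where each account sees only one failure."""
    times_by_src = {}
    for ev in events:
        if classify(ev) == "Failed network login":
            times_by_src.setdefault(ev["source"], []).append(ev["time"])
    hits = {}
    for src, times in times_by_src.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while times[start] < t - window:   # slide the window's left edge
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[src] = best
    return hits


def load_events(log: str) -> list:
    return [parse_event(chunk) for chunk in log.strip().split("\n\n")]


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for ev in evs:
        print(ev["time"].time(), ev["account"], "->", classify(ev))
    print("bursts:", failed_network_bursts(evs))
```

On the sample, the three Type 3 failures from 10.20.30.40 within four seconds trip the burst rule, while the console failure and the successful RDP logon do not; the per-source count is what makes a spray across three different accounts visible.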

423
MCQmedium

Refer to the exhibit. A security engineer reviews this firewall ACL. Which of the following best describes the security posture?

A.The ACL is misconfigured because the deny for SSH is never reached
B.The ACL is properly ordered with most specific rules first
C.The ACL should have a deny any any at the end to be secure
D.The ACL correctly allows HTTPS and denies SSH, blocking other traffic
AnswerA

A 'permit ip any any' placed above the SSH deny matches SSH traffic first, so the deny is never reached.

Why this answer

Option A is correct because an ACL is evaluated top-down and the first matching entry is applied. The 'permit ip any any' entry appears before the 'deny tcp any any eq 22' entry, so SSH traffic (TCP/22) matches the broad permit and the deny is never evaluated: it is shadowed. The 'permit tcp any any eq 443' entry is irrelevant to SSH, since it matches only traffic to port 443. The net effect is that the ACL permits SSH despite containing an entry intended to block it.

Exam trap

ISC2 often tests rule ordering: the trap is assuming a deny entry takes effect wherever it appears, when first-match evaluation means any earlier entry that matches the same traffic shadows it. A related trap is the implicit rule at the end: Cisco ACLs end with an implicit 'deny ip any any', so adding an explicit final deny (Option C) does not rescue an entry that is shadowed higher up.

How to eliminate wrong answers

Option B is wrong because the ACL is not ordered most-specific-first: the specific 'deny tcp any any eq 22' sits below a broad permit that already matches SSH, so it can never be reached; specific denies must precede any general permit. Option C is wrong because Cisco ACLs already end with an implicit deny; appending an explicit 'deny ip any any' is good practice for logging and clarity but does nothing about the shadowed SSH deny, which is the actual defect. Option D is wrong because SSH is not denied: it matches the earlier 'permit ip any any', so the ACL permits it.
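Shadowed entries are easy to miss by eye in a long ACL, so the following added example (not from the page) parses a Cisco-style extended ACL, evaluates it first-match with the implicit deny, and reports entries that an earlier entry makes unreachable. ACL_TEXT is a reconstruction of the exhibit chosen to produce the shadowed SSH deny, since the exhibit itself is not reproduced here; ACL_FIXED is the corrected ordering.

```python
"""Detect shadowed entries in a Cisco-style extended ACL.

Added example, not code from the page. ACL_TEXT is a reconstruction of what
the exhibit plausibly shows, chosen so that the SSH deny is shadowed; the
exact exhibit is not available here. Only the syntax these lines use is
parsed: {permit|deny} {ip|tcp|udp} any any [eq PORT].
"""
from dataclasses import dataclass
from typing import Optional

ACL_TEXT = """
permit tcp any any eq 443
permit ip any any
deny tcp any any eq 22
"""

ACL_FIXED = """
deny tcp any any eq 22
permit tcp any any eq 443
permit ip any any
"""


@dataclass(frozen=True)
class Entry:
    line: int
    action: str
    proto: str               # "ip" matches every protocol
    port: Optional[int]      # None matches any destination port

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("ip", proto) and self.port in (None, port)

    def covers(self, other: "Entry") -> bool:
        """True if every packet `other` could match would already hit self."""
        return self.proto in ("ip", other.proto) and (self.port is None or self.port == other.port)


def parse_acl(text: str) -> list:
    entries = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        tok = raw.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[2:4] != ["any", "any"]:
            raise ValueError(f"unsupported ACL line {n}: {raw!r}")
        port = int(tok[5]) if len(tok) == 6 and tok[4] == "eq" else None
        entries.append(Entry(n, tok[0], tok[1], port))
    return entries


def evaluate(entries: list, proto: str, port: int) -> str:
    """First match wins; a Cisco ACL ends with an implicit deny, not a permit."""
    for e in entries:
        if e.matches(proto, port):
            return e.action
    return "deny (implicit)"


def shadowed(entries: list) -> list:
    """(shadowed line, shadowing line) pairs: entries that can never be reached."""
    found = []
    for i, e in enumerate(entries):
        for earlier in entries[:i]:
            if earlier.covers(e):
                found.append((e.line, earlier.line))
                break
    return found


if __name__ == "__main__":
    for name, text in (("exhibit", ACL_TEXT), ("fixed", ACL_FIXED)):
        acl = parse_acl(text)
        print(name, "ssh ->", evaluate(acl, "tcp", 22), "| shadowed:", shadowed(acl))
```

For ACL_TEXT the evaluator permits SSH and reports line 3 as shadowed by line 2; for ACL_FIXED SSH is denied and nothing is shadowed. The cover test is deliberately conservative (an entry is flagged only if a single earlier entry subsumes it), which is enough for the ordering mistake this question is about.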

424
MCQmedium

During a security audit, you discover that a financial application stores passwords using MD5 hashing without salt. What is the primary security concern with this practice?

A.MD5 is reversible, allowing attackers to recover plaintext passwords
B.MD5 is too slow, causing performance issues during authentication
C.Without salting, the hashes are vulnerable to precomputed rainbow table attacks
D.Storing hashes violates PCI DSS compliance, but does not affect security
AnswerC

Rainbow tables can quickly find matching plaintext for unsalted MD5 hashes.

Why this answer

Option C is correct because an unsalted MD5 hash of a given password is identical for every user and every system, so an attacker can hash a dictionary of common passwords once (a rainbow table, or simply a lookup table) and recover plaintexts from a stolen hash list by lookup rather than by guessing. Reversibility (A) is not the concern: hashing is one-way. Speed (B) is a weakness rather than a strength: MD5 is fast enough that billions of guesses per second are cheap, which is why password storage should use a unique per-user salt with a deliberately slow function such as bcrypt, scrypt, Argon2, or PBKDF2.

Compliance (D) is a secondary issue, and the option is wrong on its own terms because the weakness is a real security exposure, not merely a paperwork one.
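The following is an added example, not code from the question bank, showing the mechanics behind answer C: a lookup table built once from a constructed wordlist cracks an unsalted MD5 hash instantly, a per-user salt defeats that table (but MD5 remains fast, so guessing is still cheap), and PBKDF2 with a random salt is what the application should have used. The wordlist, salt and iteration counts are all assumptions chosen for the demonstration.

```python
import hashlib
import os
from hmac import compare_digest
from typing import Optional

# Constructed wordlist standing in for a leaked dictionary; a real attacker uses
# millions of entries and builds the table once, then reuses it against every dump.
WORDLIST = ["password", "letmein", "Winter2024", "qwerty", "admin123"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute MD5 for every candidate once: hash -> plaintext.
    A rainbow table compresses this with hash chains, but the effect is the same."""
    return {md5_hex(w.encode()): w for w in words}


def crack_unsalted(stored_hash: str, table: dict) -> Optional[str]:
    """Unsalted MD5: the stored value is the same for every user with that
    password, so recovery is a single dictionary lookup."""
    return table.get(stored_hash)


def crack_salted(stored_hash: str, salt: bytes, words) -> Optional[str]:
    """Salted MD5: the precomputed table is useless because the salt changes the
    hash; the attacker is forced back to per-user guessing (still fast for MD5)."""
    for w in words:
        if md5_hex(salt + w.encode()) == stored_hash:
            return w
    return None


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> tuple:
    """What the application should do instead: unique random salt plus a slow KDF.
    PBKDF2-HMAC-SHA256 is used here because it is in the standard library;
    bcrypt, scrypt or Argon2 are equally acceptable choices."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = 600_000) -> bool:
    _, dk = hash_password(password, salt, iterations)
    return compare_digest(dk, expected)   # constant-time comparison
```

The salt only removes the precomputation advantage; the iteration count is what makes each remaining guess expensive, so both are needed.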

425
MCQhard

An analyst reviews the exhibit. What security principle is best demonstrated by this policy?

A.Separation of duties
B.Defense in depth
C.Non-repudiation
D.Least privilege
AnswerD

Correct. The policy grants only necessary access and denies all other actions.

Why this answer

The policy grants users only the permissions necessary to perform their job functions, which is the core definition of least privilege. By restricting access to only required resources, the policy minimizes the attack surface and limits potential damage from compromised accounts.

Exam trap

ISC2 often tests least privilege by describing a policy that restricts access to only what is needed, and the trap is confusing it with separation of duties because both involve limiting actions, but separation of duties focuses on dividing tasks among multiple people to prevent collusion, not on minimizing individual permissions.

How to eliminate wrong answers

Option A is wrong because separation of duties requires splitting critical tasks among multiple people to prevent fraud, not simply limiting individual permissions. Option B is wrong because defense in depth involves multiple layers of security controls (e.g., firewall, IDS, encryption), not a single access restriction policy. Option C is wrong because non-repudiation ensures that an action cannot be denied later, typically via digital signatures or logging, not by limiting permissions.

426
MCQmedium

An organization has implemented a SIEM solution. The security team wants to detect when a user attempts to access a file they do not have permission to read. Which log source is most important for this detection?

A.Windows security event logs
B.Web server access logs
C.DNS logs
D.Firewall logs
AnswerA

Security event logs include audit events for file access and can show access denied events.

Why this answer

Windows security event logs record object access when file system auditing is enabled and a system access control list (SACL) is set on the file: Event ID 4656 ('A handle to an object was requested') is written as an Audit Failure when the request is denied, and Event ID 4663 ('An attempt was made to access an object') is written when a granted handle is actually used. Both carry the subject's account name and SID, the object name and the requested access mask, so the SIEM can alert on 4656 failures against sensitive paths, or on a burst of them from one account, without any further correlation against the file's DACL. Note the prerequisite: without the audit policy (Audit File System under Object Access) and a SACL on the file, no event is produced at all.

Exam trap

ISC2 often tests the misconception that network-level logs (firewall, DNS) or application-level logs (web server) can detect OS-level file access, when in fact only the operating system's security audit subsystem can capture such granular user-to-object access attempts.

How to eliminate wrong answers

Option B is wrong because web server access logs record HTTP requests to web resources, not local file system access on a Windows server or workstation; they cannot detect a user attempting to open a file via SMB or local Explorer. Option C is wrong because DNS logs only contain domain name resolution queries and responses, with no information about file paths, user identities, or access control decisions. Option D is wrong because firewall logs track network traffic based on IP addresses and ports, not user-level file access attempts within an operating system.
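As an added example (not from the question bank), the detection logic described above run over a few constructed security events. The records are flattened to key=value pairs the way a SIEM parser presents them; the Finance path, user names and access-mask values are assumptions, and the rule assumes auditing is enabled with a SACL on the folder, since otherwise Windows writes no 4656 or 4663 at all.

```python
import re
from collections import Counter

# Constructed sample records (not real log output). A denied request appears as
# 4656 with the AuditFailure keyword; 4663 is only written for access that succeeded.
SAMPLE_EVENTS = """\
EventID=4656 Keywords=AuditFailure SubjectUserName=jdoe ObjectName=C:\\Finance\\payroll.xlsx AccessMask=0x1
EventID=4663 Keywords=AuditSuccess SubjectUserName=asmith ObjectName=C:\\Finance\\payroll.xlsx AccessMask=0x1
EventID=4656 Keywords=AuditFailure SubjectUserName=jdoe ObjectName=C:\\Finance\\budget.xlsx AccessMask=0x2
EventID=4656 Keywords=AuditSuccess SubjectUserName=asmith ObjectName=C:\\Finance\\budget.xlsx AccessMask=0x1
EventID=4624 Keywords=AuditSuccess SubjectUserName=jdoe LogonType=2
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Subset of the file access-mask bits Windows reports (FILE_* rights from winnt.h).
ACCESS_BITS = {0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData",
               0x10000: "Delete", 0x40000: "WriteDAC"}


def parse_event(line: str) -> dict:
    return dict(FIELD_RE.findall(line))


def decode_access_mask(mask: int) -> list:
    """Translate the hex mask into the rights that were requested."""
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]


def denied_file_access(log_text: str, path_prefix: str = "C:\\Finance") -> list:
    """Detection rule: 4656 Audit Failure on a monitored path.
    Filtering only on 4663 would miss every denial."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4656" or ev.get("Keywords") != "AuditFailure":
            continue
        if not ev.get("ObjectName", "").startswith(path_prefix):
            continue
        hits.append({"user": ev["SubjectUserName"], "object": ev["ObjectName"],
                     "requested": decode_access_mask(int(ev["AccessMask"], 16))})
    return hits


def users_over_threshold(hits: list, threshold: int) -> dict:
    """Second stage: one denial is noise, several from the same account is an alert."""
    counts = Counter(h["user"] for h in hits)
    return {u: n for u, n in counts.items() if n >= threshold}
```

In production the threshold would be applied per time window and the path list would come from the data classification inventory rather than a hard-coded prefix.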

427
Multi-Selecteasy

Which TWO of the following are core principles of the CIA triad?

Select 2 answers
A.Integrity
B.Non-repudiation
C.Confidentiality
D.Authorization
E.Authentication
AnswersA, C

Integrity is one of the three CIA triad principles.

Why this answer

The CIA triad consists of Confidentiality, Integrity, and Availability, so options A and C are correct. Non-repudiation (B), authorization (D), and authentication (E) are related security services but are not members of the triad.

428
MCQhard

A company's IDS generates an alert for a potential SQL injection attack on a web application. The analyst reviews the log and sees the following: "SELECT * FROM users WHERE username = 'admin' OR 1=1 --'". Which action should the analyst take next?

A.Submit a change request to patch the application
B.Conduct a forensic analysis of the database
C.Verify if the WAF blocked the attack
D.Block the source IP immediately
AnswerC

First verify if the WAF mitigated the attack; IDS alerts often require correlation.

Why this answer

Option C is correct because the analyst's first priority is to determine whether the attack was actually successful or was already mitigated. A Web Application Firewall (WAF) sits in front of the web application and can inspect and block SQL injection payloads before they reach the database. By verifying the WAF logs, the analyst can confirm if the attack was blocked, which dictates the next steps—if blocked, no immediate escalation is needed; if not blocked, further investigation is required.

Exam trap

ISC2 often tests the candidate's ability to follow a proper incident response triage process—specifically, the trap is that candidates jump to a reactive action (like blocking IPs or patching) instead of first verifying whether existing controls (like a WAF) already mitigated the threat.

How to eliminate wrong answers

Option A is wrong because submitting a change request to patch the application is premature without first confirming that the attack was successful; patching is a long-term fix, not an immediate triage step. Option B is wrong because conducting a forensic analysis of the database is an invasive and time-consuming step that should only be taken if there is evidence that the attack actually reached and compromised the database, which is not yet known. Option D is wrong because blocking the source IP immediately could be an overreaction—the IP might be spoofed, part of a legitimate scan, or the attack might have already been blocked by the WAF; blocking without verification can cause unnecessary disruption and is not the standard first response in a security operations workflow.

429
Multi-Selecteasy

Which THREE of the following are important steps in the incident response process as defined by the NIST framework? (Choose three.)

Select 3 answers
A.Detection and Analysis
B.Vulnerability scanning
C.Containment, Eradication, and Recovery
D.Preparation
E.Post-incident auditing
AnswersA, C, D

Detecting and analyzing incidents is a key phase.

Why this answer

Preparation (D), Detection and Analysis (A), and Containment, Eradication and Recovery (C) are three of the four phases defined in NIST SP 800-61. Vulnerability scanning (B) is part of ongoing vulnerability management, not incident response. The fourth phase is Post-Incident Activity (lessons learned); 'post-incident auditing' as worded in option E is a compliance activity, not a named phase.

430
MCQmedium

A security analyst discovers that a user's account has been used to access sensitive data outside of normal business hours from an unfamiliar IP address. The user claims they were not logged in at that time. Which security operations process should be initiated first?

A.Perform a forensic analysis of the user's workstation
B.Reset the user's password and enforce multi-factor authentication
C.Disable the user account immediately
D.Initiate the incident response process
AnswerD

The incident response process begins with detection and analysis; this scenario meets the criteria for initiating that process.

Why this answer

Option D is correct because the scenario describes a potential security incident—unauthorized access to sensitive data from an unfamiliar IP address outside business hours—which requires immediate activation of the incident response process. The first step in any security operations workflow is to follow the organization's incident response plan (NIST SP 800-61) to contain, analyze, and remediate the threat. Jumping to forensic analysis, password resets, or account disabling without a coordinated incident response can destroy evidence or fail to address the root cause.

Exam trap

ISC2 often tests the misconception that immediate account disabling or password reset is the correct first response, but the CC exam emphasizes that initiating the incident response process is the foundational step to ensure proper handling, evidence preservation, and coordination.

How to eliminate wrong answers

Option A is wrong because performing forensic analysis of the user's workstation is a later step in the incident response process, not the first action; it could also be irrelevant if the compromise originated from a remote attacker without local artifacts. Option B is wrong because resetting the password and enforcing MFA addresses only credential hygiene but does not investigate the extent of the breach, identify the attack vector, or preserve evidence—potentially alerting the attacker prematurely. Option C is wrong because disabling the user account immediately might disrupt legitimate business operations and could tip off an attacker, whereas a coordinated incident response includes controlled containment actions based on investigation.

431
MCQmedium

During a security audit, it is discovered that a single employee can approve purchase orders and also receive the goods. Which security principle is being violated?

A.Separation of duties
B.Defense in depth
C.Least privilege
D.Need-to-know
AnswerA

Separation of duties prevents conflicts by dividing critical tasks.

Why this answer

Separation of duties requires that conflicting tasks, such as approving a purchase order and receiving the goods, be divided among different individuals so that fraud requires collusion. Option B (Defense in depth) is about layered controls. Option C (Least privilege) is about the level of access an individual is granted. Option D (Need-to-know) restricts access to the information required for a task.

432
MCQmedium

A company is designing a secure network architecture for its new headquarters. The security team proposes implementing multiple layers of security controls, including firewalls, intrusion detection systems, and access control lists. Which security principle is being primarily applied?

A.Defense in depth
B.Separation of duties
C.Least privilege
D.Need-to-know
AnswerA

Defense in depth employs multiple overlapping security controls to protect assets.

Why this answer

Correct: defense in depth layers multiple controls so that the failure of any single one does not expose the asset. Option B is wrong because separation of duties divides tasks among multiple people; Option C is wrong because least privilege limits access rights; Option D is wrong because need-to-know restricts access to information necessary for job functions.

433
MCQeasy

During an incident, the incident response team discovers that an attacker has exfiltrated sensitive customer data. According to incident response best practices, whose approval is REQUIRED before contacting law enforcement?

A.CISO
B.CEO
C.Legal counsel
D.Public relations
AnswerC

Legal counsel ensures compliance and manages liability.

Why this answer

Legal counsel approval is required before contacting law enforcement because counsel determines whether and how the disclosure complies with data privacy and breach notification laws (e.g., GDPR, CCPA), protects privilege and the chain of custody for evidence, and limits the organization's liability. The incident response team coordinates with legal on the timing and scope of law enforcement involvement, since premature contact can compromise the forensic investigation or breach contractual obligations.

Exam trap

ISC2 often tests the misconception that the CISO or CEO has the final say on law enforcement contact, but the correct answer is always legal counsel because they are the only ones who can navigate the legal and regulatory implications of involving external authorities.

How to eliminate wrong answers

Option A is wrong because the CISO (Chief Information Security Officer) oversees the technical incident response but does not have the authority to approve external law enforcement contact; that decision requires legal review to avoid legal exposure. Option B is wrong because the CEO (Chief Executive Officer) may be informed but is not the required approver for law enforcement contact; legal counsel must assess the legal implications first. Option D is wrong because Public Relations handles external communications and reputation management but has no authority to approve law enforcement involvement; contacting law enforcement without legal approval could violate privacy regulations and damage the organization's legal standing.

434
MCQmedium

A security analyst observes these SSH logs. What is the MOST likely attack?

A.Brute force attack on SSH service
B.Session hijacking via SSH
C.Phishing attack targeting root and admin accounts
D.Denial of service attack on port 22
AnswerA

Multiple failed attempts from a single IP.

Why this answer

Option A is correct because repeated failed login attempts, often against several accounts, from the same IP in a short time are the signature of a brute-force (or password-spraying) attack. Option B (session hijacking) would involve taking over an established session, which failed logins do not show. Option C (phishing) is delivered by e-mail or web, not by SSH login attempts.

Option D (DoS) is not evident: the service is still answering, and the volume shown is an authentication attack, not resource exhaustion.

435
MCQmedium

A company's security policy requires that all privileged access to critical servers be logged and monitored. The IT team has implemented a jump server (bastion host) for administrators to connect to critical servers. All SSH connections to the jump server are logged, and from there, administrators connect to target servers. The security team notices that some administrators are bypassing the jump server and connecting directly to critical servers from their workstations. The direct connections are not logged. The security team needs to enforce the policy without disrupting operations. Which of the following is the BEST solution?

A.Implement a host-based firewall on each critical server to block direct connections.
B.Send a warning email to all administrators reminding them of the policy.
C.Disable direct SSH access to critical servers at the network firewall level.
D.Revoke local administrator rights on workstations.
AnswerA

Specifically blocks unauthorized direct connections while allowing jump server traffic.

Why this answer

A host-based firewall on each critical server can enforce the security policy by blocking direct SSH connections (TCP port 22) from any source other than the jump server's IP address. This ensures that all administrative access must go through the jump server, where logging is already in place, without disrupting legitimate operations through the authorized path.

Exam trap

ISC2 often tests the distinction between network-based controls (like a perimeter firewall) and host-based controls, where candidates mistakenly choose a network firewall solution without realizing it does not block internal direct connections from the same subnet.

How to eliminate wrong answers

Option B is wrong because a warning email is a non-technical, administrative control that relies on user compliance and does not actually prevent the bypass; it fails to enforce the policy. Option C is wrong because disabling direct SSH access at the network firewall level would block all external SSH traffic to the critical servers, but it would not prevent direct connections from within the same subnet or from workstations on the internal network that are not subject to the firewall rule. Option D is wrong because revoking local administrator rights on workstations does not prevent users from using SSH clients to connect directly to critical servers; it only limits software installation privileges, not network connectivity.

436
MCQeasy

Which metric is used to define the maximum amount of data loss an organization can tolerate during a disaster?

A.RTO
B.RPO
C.SLA
D.MTBF
AnswerB

RPO defines the maximum acceptable data loss.

Why this answer

RPO (Recovery Point Objective) defines the maximum acceptable amount of data loss measured in time, such as seconds, minutes, or hours. It determines the age of the backup or replication data that must be restored to resume normal operations after a disaster. For example, an RPO of 1 hour means the organization can tolerate losing up to 1 hour's worth of data.

Exam trap

ISC2 often tests the distinction between RTO and RPO, where candidates mistakenly select RTO because they confuse 'time to recover' with 'time of data loss' — remember RTO is about downtime, RPO is about data loss.

How to eliminate wrong answers

Option A (RTO) is wrong because RTO (Recovery Time Objective) defines the maximum acceptable downtime, not data loss; it measures how quickly systems must be restored after a disaster. Option C (SLA) is wrong because SLA (Service Level Agreement) is a contractual commitment between a provider and customer covering performance metrics like uptime, not a specific measure of tolerable data loss. Option D (MTBF) is wrong because MTBF (Mean Time Between Failures) is a reliability metric that predicts the average time between system failures, not a measure of data loss tolerance.

437
MCQeasy

A small business uses a cloud file storage service that allows sharing links. An employee mistakenly shared a folder containing customer data via a public link. The business wants to prevent such incidents in the future without blocking legitimate sharing. Which access control method should they implement?

A.Disable all external sharing
B.Require authentication for shared links
C.Use watermarking on documents
D.Encrypt all files
AnswerB

Authentication limits access to authorized users only, preventing public exposure.

Why this answer

Requiring authentication for shared links ensures that only intended recipients can access the data, reducing the risk of public exposure. Disabling all sharing is too restrictive. Watermarking and encryption do not prevent sharing to unauthorized users.

438
MCQhard

The exhibit shows a snippet of /var/log/auth.log on a Linux server. Which security principle is most likely violated if the failed attempts continue without action?

A.Non-repudiation
B.Separation of duties
C.Least privilege
D.Defense in depth
AnswerC

Allowing root login over SSH grants full privileges and is a violation of least privilege; it should be disabled.

Why this answer

The logs show repeated failed SSH attempts for root from the same IP, indicating a brute-force attack. If no action is taken, confidentiality and integrity are at risk if a guess succeeds, and availability is at risk if an account lockout policy is in place and the attacker locks the account out. Most directly, however, the principle of least privilege is violated because root, the most privileged account, is permitted to log in over SSH at all; the accepted practice is PermitRootLogin no in sshd_config, with administrators using personal accounts and sudo.

Option C is correct. Option D (defense in depth) would apply if the question asked about the absence of other controls such as rate limiting or key-only authentication, but it asks for the principle most directly violated. Option B (separation of duties) is not relevant to a login attempt.

Option A (non-repudiation) is not directly at issue; the logs themselves support it.
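Questions 434 and 438 both turn on reading a burst of failed SSH logins as a brute-force attack. As an added example (not the exhibit from either question), the detector below runs a sliding-window rule over a constructed /var/log/auth.log excerpt and reports which accounts were targeted, so an analyst sees at once whether root was among them. The host name, PIDs, addresses (documentation ranges) and the assumed year for the syslog timestamps are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt, not from a real host.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar 10 02:14:03 srv sshd[1203]: Failed password for root from 203.0.113.5 port 51023 ssh2
Mar 10 02:14:04 srv sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2
Mar 10 02:14:06 srv sshd[1207]: Failed password for invalid user oracle from 203.0.113.5 port 51025 ssh2
Mar 10 02:14:09 srv sshd[1209]: Failed password for root from 203.0.113.5 port 51026 ssh2
Mar 10 02:20:00 srv sshd[1300]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar 10 08:01:12 srv sshd[1400]: Failed password for alice from 198.51.100.7 port 40120 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_line(line: str, year: int = 2024):
    """Return (timestamp, result, user, ip) or None for lines the rule ignores.
    Syslog omits the year, so the caller supplies it (assumed 2024 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> list:
    """Sliding-window rule: at least `threshold` failures from one source IP within
    `window_s` seconds. One alert per IP, recording every account attempted."""
    recent = defaultdict(deque)     # ip -> timestamps of failures inside the window
    targeted = defaultdict(set)     # ip -> accounts attempted
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "Failed":
            continue
        ts, _, user, ip = parsed
        q = recent[ip]
        q.append(ts)
        targeted[ip].add(user)
        while (ts - q[0]).total_seconds() > window_s:   # drop failures outside window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "count": len(q), "users": sorted(targeted[ip]),
                           "first": q[0], "last": ts,
                           "root_targeted": "root" in targeted[ip]})
    return alerts
```

A real deployment would also whitelist the jump host, tune the threshold per source network, and feed the alert to a firewall or fail2ban-style responder; the rule itself is the same.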

439
MCQmedium

A company implements a policy where a financial transaction must be initiated by one employee and approved by a different employee. This is an example of which access control concept?

A.Need-to-know
B.Separation of duties
C.Least privilege
D.Job rotation
AnswerB

Separation of duties requires multiple people to complete a sensitive task.

Why this answer

Separation of duties (SoD) is an access control concept that requires a critical task, such as a financial transaction, to be split into multiple steps performed by different individuals. This prevents any single employee from having the authority to both initiate and approve a transaction, thereby reducing the risk of fraud or error. In this scenario, the policy directly enforces SoD by ensuring that no one person can complete the entire process alone.

Exam trap

ISC2 often tests candidates by confusing separation of duties with least privilege, as both involve limiting user actions, but the key distinction is that separation of duties requires multiple people to complete a task, while least privilege only limits the permissions of a single user.

How to eliminate wrong answers

Option A is wrong because need-to-know restricts access to information based on an individual's job requirements, not on splitting tasks among multiple people. Option C is wrong because least privilege grants users only the minimum permissions necessary to perform their job, but it does not require a second person to approve an action. Option D is wrong because job rotation moves employees between roles over time to cross-train and reduce boredom, but it does not enforce a dual-authority requirement for a single transaction.

440
Multi-Selectmedium

Which two of the following are common methods to secure a virtual private network (VPN) connection? (Choose two.)

Select 2 answers
A.ICMP
B.LDAP
C.SSL/TLS
D.SNMP
E.IPsec
AnswersC, E

SSL/TLS is used for secure web-based VPNs.

Why this answer

SSL/TLS is a common method to secure VPN connections, typically in SSL VPNs. It runs on top of TCP (above the transport layer, not at it) and provides encryption, authentication, and integrity for data in transit, usually over TCP port 443 so that it passes through firewalls and proxies that already allow HTTPS. This makes it well suited to remote-access VPNs where clients connect through a web browser or a lightweight client. IPsec, the other correct answer, operates at the network layer and is the usual choice for site-to-site tunnels.

Exam trap

ISC2 often tests the distinction between VPN security protocols (IPsec, SSL/TLS) and unrelated network protocols (ICMP, SNMP, LDAP) to see if candidates confuse management or authentication protocols with encryption/tunneling mechanisms.

441
MCQmedium

A company's security policy states that all sensitive data must be encrypted both at rest and in transit. Which threat model does this control primarily address?

A.Data tampering
B.Unauthorized disclosure
C.Denial of service
D.Repudiation
AnswerB

Encryption prevents unauthorized parties from reading the data, thus preventing disclosure.

Why this answer

Encryption at rest and in transit primarily protects confidentiality, so Option B (unauthorized disclosure) is correct. Option A (data tampering) concerns integrity; encryption alone does not detect modification, which requires a MAC or digital signature. Option C (denial of service) concerns availability. Option D (repudiation) concerns proof of origin, which is addressed by digital signatures and logging.

442
MCQeasy

A security engineer is configuring a network intrusion detection system (NIDS) to monitor traffic on a critical subnet. To minimize false positives, which of the following should the engineer baseline first?

A.The results of a recent vulnerability scan
B.The normal traffic patterns during peak business hours
C.The latest attack signatures from the vendor
D.The firewall logs from the past 24 hours
AnswerB

Baseline normal traffic to identify anomalies.

Why this answer

Baselining normal traffic patterns during peak business hours establishes a reference of legitimate network behavior, which is essential for a NIDS to distinguish benign anomalies from actual threats. Without this baseline, the NIDS may generate false positives by flagging legitimate peak-hour traffic spikes as malicious. This aligns with the principle that anomaly-based detection relies on a statistical model of normal activity to reduce noise.

Exam trap

ISC2 often tests the distinction between anomaly-based and signature-based detection, and the trap here is that candidates mistakenly think vulnerability scans or firewall logs provide a sufficient baseline, when in fact only observed normal traffic patterns during representative periods (like peak hours) can minimize false positives in an anomaly-based NIDS.

How to eliminate wrong answers

Option A is wrong because vulnerability scan results identify known weaknesses but do not define normal traffic behavior, so they cannot help the NIDS differentiate benign from malicious traffic patterns. Option C is wrong because attack signatures are used for signature-based detection, not for establishing a baseline to minimize false positives in anomaly-based detection; relying solely on signatures can miss novel attacks and still generate false positives if traffic matches signatures incorrectly. Option D is wrong because firewall logs from the past 24 hours provide only a limited snapshot of traffic and may not capture the full range of normal patterns, especially during peak hours, leading to an incomplete baseline.
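As an added example (not from the question bank), a minimal anomaly-based detector that shows why the baseline must include the peak hours. The training data is constructed, not measured: a week of flows-per-hour counts with a business-hours peak and small day-to-day jitter. A per-hour-of-day baseline built from that week leaves a busy 10:00 alone and still flags a 03:00 spike; a baseline built only from quiet off-hours traffic flags the normal 10:00 hour as an attack.

```python
import statistics


def business_profile(hour: int) -> int:
    """Constructed 'normal' shape: heavy between 09:00 and 17:00, light otherwise."""
    return 900 if 9 <= hour <= 17 else 100


def constructed_week(days: int = 7) -> list:
    """One list of 24 hourly flow counts per day, with deterministic jitter so the
    spread is not zero. Real input would be netflow or IDS counters over weeks."""
    return [[business_profile(h) + (d % 3) * 10 for h in range(24)] for d in range(days)]


def hourly_baseline(week: list) -> dict:
    """Per hour-of-day (mean, std): a representative baseline that has seen the peak."""
    baseline = {}
    for h in range(24):
        samples = [day[h] for day in week]
        baseline[h] = (statistics.fmean(samples), max(statistics.pstdev(samples), 1.0))
    return baseline


def flat_baseline(samples: list) -> tuple:
    """A single (mean, std) over whatever was observed, e.g. only off-hours traffic.
    The std floor of 1.0 avoids division by zero on perfectly flat training data."""
    return statistics.fmean(samples), max(statistics.pstdev(samples), 1.0)


def zscore(value: float, mean: float, std: float) -> float:
    return (value - mean) / std


def anomalies(observations: list, baseline, threshold: float = 3.0) -> list:
    """observations: [(hour, flows)]. baseline is either the per-hour dict or a flat
    (mean, std) tuple. Returns (hour, flows, z) for each point beyond the threshold."""
    flagged = []
    for hour, flows in observations:
        mean, std = baseline[hour] if isinstance(baseline, dict) else baseline
        z = zscore(flows, mean, std)
        if abs(z) > threshold:
            flagged.append((hour, flows, round(z, 1)))
    return flagged
```

The same idea applies to any dimension the NIDS models (bytes per host, new destination ports, DNS query rate): the reference distribution has to be sliced by the factor that legitimately varies, here time of day, or the normal variation itself becomes the alert stream.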

443
Drag & Dropmedium

Drag and drop the steps to configure a basic VPN (site-to-site) between two routers into the correct order.


Why this order

Site-to-site VPN configuration involves IPsec, crypto maps, and verification.

444
MCQhard

A company implements a policy that after an employee leaves, their account must be disabled within 24 hours. Which principle is this policy primarily intended to support?

A.Availability
B.Integrity
C.Confidentiality
D.Accountability
AnswerD

Accountability requires that actions can be traced to individuals; disabling former accounts prevents untraceable actions.

Why this answer

Correct: D, Accountability. Disabling a departed employee's account ensures that any future action can be traced to a current, identifiable individual and that nobody can act under a dormant identity for which no one is answerable. Option A is wrong because availability is about system accessibility.

Option B is wrong because integrity is about data accuracy. Option C is wrong because confidentiality is about data secrecy; disabling the account helps there too, but the primary principle the policy supports is accountability.

445
MCQmedium

A government agency uses a multi-level security system with mandatory access control (MAC). A user with Secret clearance attempts to write data to a file classified as Confidential. Under the Bell-LaPadula model, which rule applies and what is the outcome?

A.The simple security property (no read up) denies the operation
B.The *-property allows the operation because the user is writing down
C.The simple security property allows the operation because the user's clearance is higher
D.The *-property (no write down) denies the operation
AnswerD

The *-property prohibits high clearances from writing to lower classifications.

Why this answer

The Bell-LaPadula model enforces mandatory access control (MAC) with two primary rules: the simple security property (no read up) and the *-property (no write down). In this scenario, a user with Secret clearance attempts to write to a Confidential file, which is a write-down operation. The *-property prohibits writing to a lower classification to prevent the leakage of higher-classified information, so the operation is denied.

Option D correctly identifies this rule and outcome.

Exam trap

ISC2 often tests the confusion between the simple security property (no read up) and the *-property (no write down), leading candidates to mistakenly apply the read rule to a write operation or assume that higher clearance allows writing down.

How to eliminate wrong answers

Option A is wrong because the simple security property (no read up) governs read operations, not write operations, and here the user is writing, not reading. Option B is wrong because the *-property does not allow write-down; it explicitly prohibits writing to a lower classification to maintain confidentiality. Option C is wrong because the simple security property allows read-down, not write-down, and it does not permit writing to a lower classification based on clearance level.
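As an added example (not from the question bank), the two Bell-LaPadula rules implemented as a small reference monitor. It goes slightly beyond the question: labels carry need-to-know categories (compartments) as well as a level, as the standard lattice does, so 'dominates' means higher-or-equal level and a superset of categories. The level names and the example compartment are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A security label: hierarchical level plus a set of need-to-know categories."""
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and self.categories >= other.categories


def simple_security(subject: Label, obj: Label) -> bool:
    """ss-property, 'no read up': read allowed only if the subject dominates the object."""
    return subject.dominates(obj)


def star_property(subject: Label, obj: Label) -> bool:
    """*-property, 'no write down': write allowed only if the object dominates the
    subject. Writing up is permitted (a blind drop box); the strict variant used by
    some systems allows writes only at exactly the subject's own label."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, op: str):
    """Return (allowed, rule applied) for a read or write request."""
    if op == "read":
        return simple_security(subject, obj), "simple security property (no read up)"
    if op == "write":
        return star_property(subject, obj), "*-property (no write down)"
    raise ValueError(f"unknown operation {op!r}")
```

The question's scenario is the first assertion in the test: a Secret subject writing to a Confidential object is refused by the *-property, while the same subject reading that object is allowed.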

446
MCQmedium

A network administrator is designing a DMZ to host a public-facing web server and a database server that should only be accessible from the web server. Which of the following firewall rule sets best achieves this design?

A.Allow inbound HTTP/HTTPS to web server; allow web server to database on port 3306; deny all else
B.Allow web server to initiate outbound connections to internet; allow database to initiate connections to web server; deny all else
C.Allow inbound HTTP/HTTPS to web server; allow all traffic from web server to database; deny all else
D.Allow inbound HTTP/HTTPS to web server; allow inbound SQL from internet to database; deny all else
AnswerA

This permits necessary traffic and restricts database access to only the web server.

Why this answer

Option A is correct because it implements the principle of least privilege for a DMZ: it allows inbound HTTP/HTTPS traffic (ports 80/443) to the public-facing web server, then permits only the web server to initiate outbound connections to the database server on port 3306 (MySQL/MariaDB default), and denies all other traffic. This ensures the database is not directly accessible from the internet, reducing the attack surface while still supporting the required application flow.

Exam trap

ISC2 often tests the principle of least privilege by including options that allow overly broad access (like 'all traffic' from web to database) or reverse the direction of connections, so the trap here is assuming that any traffic between the web server and database is acceptable without specifying the exact protocol and port.

How to eliminate wrong answers

Option B is wrong because it allows the web server to initiate outbound connections to the internet, which is unnecessary and could be used for data exfiltration or command-and-control traffic; it also incorrectly allows the database to initiate connections to the web server, which violates the design requirement that the database should only be accessible from the web server. Option C is wrong because it allows all traffic from the web server to the database, not just the specific SQL port (3306), which could permit other protocols or services to reach the database, increasing the attack surface. Option D is wrong because it allows inbound SQL traffic from the internet directly to the database server, which directly contradicts the requirement that the database should only be accessible from the web server and exposes the database to external attacks.
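Questions 423 and 446 both come down to how a packet filter is evaluated: first match wins, anything unmatched hits the implicit deny, and an entry below a broader one that already matches the same traffic is dead. The following is an added example, not code from the question bank, that models exactly that. The misordered list is a constructed illustration of the ordering failure in general form (question 423's own ACL is not reproduced), and the DMZ list is option A of question 446 with constructed addresses from the documentation ranges. The evaluator models the initiating direction only; a stateful firewall admits the return traffic of permitted connections on its own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", or "ip" (any protocol)
    src: str                      # CIDR
    dst: str                      # CIDR
    dport: Optional[int] = None   # None = any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match, this rule matches too."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules: list, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """First match wins. Anything unmatched hits the implicit deny, as on Cisco ACLs;
    index None in the result marks that case so it is visible in tests and logs."""
    for i, r in enumerate(rules):
        if r.matches(proto, src, dst, dport):
            return r.action, i
    return "deny", None


def shadowed_rules(rules: list) -> list:
    """Indexes of rules that can never be reached because an earlier rule covers them.
    This is the static check a reviewer wants before the ACL is applied."""
    return [i for i in range(len(rules))
            if any(rules[j].covers(rules[i]) for j in range(i))]


# Constructed ordering failure: the broad permit on top makes the SSH deny dead.
MISORDERED = [Rule("permit", "ip", ANY, ANY),
              Rule("deny", "tcp", ANY, ANY, 22),
              Rule("permit", "tcp", ANY, ANY, 443)]
CORRECTED = [Rule("deny", "tcp", ANY, ANY, 22),
             Rule("permit", "tcp", ANY, ANY, 443)]   # implicit deny handles the rest

# DMZ design from question 446, option A (addresses constructed).
WEB, DB = "203.0.113.10/32", "10.0.0.20/32"
DMZ_RULES = [Rule("permit", "tcp", ANY, WEB, 80),
             Rule("permit", "tcp", ANY, WEB, 443),
             Rule("permit", "tcp", WEB, DB, 3306)]
```

The last DMZ assertions in the test are the ones that separate option A from options C and D: the web server cannot reach the database on anything but 3306, and the internet cannot reach it at all.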

447
Multi-Selectmedium

Which THREE of the following are examples of the principle of least privilege? (Select THREE.)

Select 3 answers
A.Granting a user only the permissions needed to perform their job
B.Giving all employees full access to the file server
C.Allowing a contractor access only during their contract period
D.Providing read-only access to a database for a reporting analyst
E.Assigning administrator rights to all employees by default
AnswersA, C, D

Correct. This is the essence of least privilege.

Why this answer

Option A is correct because the principle of least privilege dictates that a user should be granted only the permissions necessary to perform their job functions. This minimizes the attack surface and limits the damage from accidental or malicious actions. In practice, this means assigning specific roles or access control lists (ACLs) rather than broad permissions. Options C and D apply the same principle along two other dimensions: time (access that expires with the contract) and scope (read-only rather than read-write access).

Exam trap

ISC2 often tests the principle of least privilege by including options that sound reasonable but grant excessive access, such as 'full access to the file server' or 'administrator rights to all employees,' to see if candidates recognize that even temporary or role-based access must be strictly limited to the minimum necessary.

448
MCQhard

During a tabletop exercise for a data center outage, the IT manager realizes that the disaster recovery plan does not specify how to failover the database cluster. The primary data center fails completely. The standby site has a replica of the database, but the application team cannot promote it because they lack the necessary privileges. What is the most likely cause of this gap?

A.The standby site's network connectivity was not tested
B.The database replication configuration was incorrect
C.The database failover procedure was not documented
D.The DR plan did not include role-based access for failover operations
AnswerD

Proper DR planning should define who has the authority to perform failover and ensure credentials are available at the standby site.

Why this answer

The correct answer is D because the scenario explicitly states that the application team lacks the necessary privileges to promote the standby database. This indicates that the disaster recovery plan did not define role-based access controls (RBAC) or assign failover permissions to specific personnel or groups. Without documented roles and privileges, even a fully replicated standby database cannot be promoted, causing a failover gap.

Exam trap

ISC2 often tests the distinction between a missing procedure (documentation gap) and missing authorization (access control gap), leading candidates to pick 'procedure not documented' when the real issue is that the team lacks the privileges to execute any procedure.

How to eliminate wrong answers

Option A is wrong because network connectivity, while important for replication and access, is not the root cause here—the standby site has a replica, implying connectivity exists. Option B is wrong because the replication configuration is correct (the standby has a replica), so the issue is not with replication setup but with authorization to promote. Option C is wrong because while the failover procedure may not be documented, the core problem is the lack of privileges to execute any documented procedure—documentation alone does not grant access rights.

449
Multi-Selecteasy

Which TWO of the following are common methods to authenticate users on a wireless network? (Select TWO)

Select 2 answers
A. WEP
B. WPA3-SAE
C. 802.1X with RADIUS
D. WPA2-PSK
E. MAC address filtering
Answers: B, C

WPA3-SAE provides secure password-based authentication for personal mode.

Why this answer

WPA3-SAE (Simultaneous Authentication of Equals) is a common method to authenticate users on a wireless network because it replaces the pre-shared key (PSK) exchange with a secure password-based authentication protocol that is resistant to offline dictionary attacks. It uses a Diffie-Hellman key exchange combined with a shared password to derive a Pairwise Master Key (PMK), ensuring forward secrecy and mutual authentication.

Exam trap

ISC2 often tests the distinction between encryption protocols (like WEP and WPA2-PSK) and actual authentication methods, leading candidates to mistakenly select WPA2-PSK or MAC address filtering as user authentication mechanisms when they are only device-based access controls.

450
Multi-Selectmedium

Which TWO scenarios best illustrate the principle of least privilege?

Select 2 answers
A. Regular employees can install software on their workstations
B. The CEO has root access to all servers
C. An administrator uses a separate standard account for daily work and an admin account only when needed
D. All users have full control over shared folders
E. A user has only the permissions required to perform their job
Answers: C, E

Running with minimal privileges reduces risk.

Why this answer

Option C is correct because it demonstrates the principle of least privilege by using a separate standard user account for daily tasks and elevating to an administrative account only when necessary. This minimizes the attack surface by ensuring that administrative privileges are not active during routine activities, reducing the risk of accidental system changes or malware execution with elevated rights. In Windows environments, this is commonly implemented via User Account Control (UAC) and the use of a standard vs. administrator account.

Exam trap

ISC2 often tests whether candidates understand that 'least privilege' means giving users only the minimum permissions needed to do their job; candidates may confuse it with 'separation of duties,' or assume that granting root access to executives is acceptable because they are trusted, which is a trap.
