ISC2 Certified in Cybersecurity CC (CC) — Questions 451500

500 questions total · 7pages · All types, answers revealed

Page 6

Page 7 of 7

451
MCQmedium

The exhibit shows an AWS S3 bucket policy. What is the net effect for a user with IP 10.1.1.1 trying to read the object 'executive/salary.xlsx'?

A.Allowed because the IP matches the Allow condition
B.Denied because the Deny statement explicitly blocks access to the executive prefix
C.Allowed only if the user is authenticated with MFA
D.Denied only if the request originates from outside 10.0.0.0/8
AnswerB

The Deny statement explicitly denies all actions on the executive prefix, overriding the Allow.

Why this answer

The policy has an Allow for GetObject from IP range 10.0.0.0/8 (including 10.1.1.1) but also a Deny for all actions on the 'executive/' prefix. Deny overrides Allow (explicit deny). So the read is denied.

Option B is correct. Option A is wrong because the Deny applies. Option C and D are wrong.

452
MCQmedium

Refer to the exhibit. An administrator configures the above ACLs on a router. The goal is to allow internal users (192.168.1.0/24) to browse the web, and to allow SSH management from the internet to a server at 10.0.0.10. However, users report that they cannot browse external websites. What is the most likely reason?

A.ACL 100 is applied outbound on the internal interface, so it does not filter outbound traffic from internal users
B.ACL 100 does not permit DNS traffic, so users cannot resolve domain names
C.ACL 110 blocks the return traffic from the internet
D.The implicit deny at the end of ACL 100 blocks established connections
AnswerA

The access-group is applied outbound on Gi0/1; traffic from internal users to the internet exits Gi0/1 inbound, so ACL 100 is not checked.

Why this answer

ACL 100 is applied outbound on the internal interface (e.g., GigabitEthernet0/0). Outbound ACLs filter traffic leaving the interface, but internal users' web traffic originates from the internal network and must be allowed inbound on the internal interface (or outbound on the external interface). Since ACL 100 is applied outbound on the internal interface, it only filters traffic that has already been routed out of that interface, which is not the path for internal users' outbound web requests.

The correct approach is to apply the ACL inbound on the internal interface or outbound on the external interface.

Exam trap

ISC2 often tests the concept that ACL direction is relative to the interface, not the traffic source; the trap here is that candidates assume an outbound ACL on the internal interface will filter traffic leaving the internal network, but it actually filters traffic leaving the router through that interface, which is the opposite direction for internal users' outbound traffic.

How to eliminate wrong answers

Option B is wrong because DNS traffic (UDP/TCP port 53) is not explicitly required for web browsing if users use IP addresses or if a separate DNS resolver is configured; the issue is about ACL placement, not missing DNS permit statements. Option C is wrong because ACL 110 is likely applied inbound on the external interface to permit SSH from the internet to 10.0.0.10, and it does not block return traffic for web sessions because return traffic is matched by established connections or stateful inspection, not by ACL 110. Option D is wrong because the implicit deny at the end of ACL 100 would only affect traffic that is evaluated by that ACL; since ACL 100 is applied outbound on the internal interface, it does not evaluate the outbound web traffic from internal users at all, so the implicit deny is irrelevant to the problem.

453
MCQmedium

An analyst reviews the firewall log exhibit. The source IP 10.0.1.100 is an internal web server. The destination IP 203.0.113.50 is an external host. What does this log pattern MOST likely indicate?

A.A denial-of-service (DoS) attack from the internal server to the external host
B.A port scan from the internal server to the external host
C.Normal web traffic from the server to the external host
D.An attempted SQL injection attack from the external host to the internal server
AnswerA

Multiple SYN packets without completion indicate a SYN flood, a type of DoS attack.

Why this answer

The log pattern shows the internal web server (10.0.1.100) sending traffic to an external host (203.0.113.50). In a typical network, internal web servers serve content to internal users, not initiate outbound connections to external hosts. This anomalous outbound traffic pattern, especially if it involves a high volume of packets or connections, is characteristic of a denial-of-service (DoS) attack where the internal server is used as a source to flood the external target, potentially due to compromise or misconfiguration.

Exam trap

ISC2 often tests the candidate's ability to interpret traffic direction and normal vs. anomalous behavior, and the trap here is assuming that any traffic from a web server is legitimate, ignoring that internal servers should not typically initiate outbound connections to external hosts.

How to eliminate wrong answers

Option B is wrong because a port scan typically involves a single source sending packets to multiple ports on a target to discover open services, but the question does not mention multiple ports or a scanning pattern; it describes a general log pattern that is more indicative of a flood. Option C is wrong because normal web traffic from a server to an external host would be unusual for an internal web server, which is designed to serve internal clients; outbound connections from a server to an external host are not standard and suggest malicious activity. Option D is wrong because an SQL injection attack originates from an external host targeting an internal database or web server, not from the internal server to an external host; the direction of traffic in the log is reversed.

454
MCQhard

During a security audit, a penetration tester captures network traffic and finds that some packets have the IP ID field set to 0 and the DF (Don't Fragment) flag set. What is this technique attempting to do?

A.Spoof the source IP address of the attacker's machine
B.Launch a denial-of-service attack against the target
C.Perform a stealth scan using a zombie host to hide the attacker's identity
D.Evade a firewall by fragmenting packets
AnswerC

Idle scan uses IP ID to map a zombie's activity and infer port states.

Why this answer

Setting the IP ID field to 0 and the DF flag in packets is characteristic of an idle scan (also known as a stealth scan). This technique uses a zombie host (with an incremental IP ID) to probe a target; by sending packets with DF set and IP ID 0 to the zombie, the attacker can observe changes in the zombie's IP ID to infer open ports on the target, thereby hiding the attacker's true IP address.

Exam trap

ISC2 often tests the idle scan by focusing on the combination of IP ID 0 and DF flag, leading candidates to mistakenly think it is about fragmentation evasion or simple spoofing, rather than the stealthy reconnaissance technique using a zombie host.

How to eliminate wrong answers

Option A is wrong because spoofing the source IP address does not require setting the IP ID to 0 or the DF flag; spoofing simply falsifies the source address field in the IP header. Option B is wrong because a denial-of-service attack aims to overwhelm a target with traffic, not to stealthily probe ports using a zombie's IP ID behavior. Option D is wrong because evading a firewall by fragmenting packets would involve setting the MF (More Fragments) flag or using small fragment sizes, not setting DF (which prevents fragmentation) and IP ID 0.

455
MCQhard

An organization wants to implement a system that enforces access decisions based on a user's attributes (e.g., department, clearance, time) and environmental conditions. Which model is best?

A.Role-based access control (RBAC)
B.Attribute-based access control (ABAC)
C.Discretionary access control (DAC)
D.Mandatory access control (MAC)
AnswerB

ABAC uses attributes and policies for fine-grained, context-aware decisions.

Why this answer

Attribute-based access control (ABAC) is the correct model because it evaluates access decisions based on a combination of user attributes (e.g., department, clearance), resource attributes, and environmental conditions (e.g., time of day, location). Unlike RBAC, which relies solely on predefined roles, ABAC uses policies that can incorporate dynamic factors like current time or threat level, making it ideal for fine-grained, context-aware enforcement.

Exam trap

ISC2 often tests the misconception that RBAC can handle dynamic conditions like time or location, but RBAC only maps users to roles with static permissions, whereas ABAC explicitly evaluates environmental attributes as part of the access decision.

How to eliminate wrong answers

Option A is wrong because RBAC assigns permissions based on static roles, not on user attributes or environmental conditions, so it cannot enforce time-based or clearance-level decisions dynamically. Option C is wrong because DAC allows resource owners to set permissions at their discretion, lacking centralized policy control and the ability to incorporate environmental attributes like time. Option D is wrong because MAC enforces access based on fixed security labels (e.g., classification levels) and system-wide rules, not on user-specific attributes or environmental conditions, making it inflexible for attribute-driven policies.

456
MCQeasy

Refer to the exhibit. A security analyst observes that users from the 192.168.1.0/24 network cannot access HTTPS websites, but HTTP access works fine. What is the most likely cause?

A.The ACL is applied to the wrong interface or direction.
B.The implicit deny at the end of the ACL blocks HTTPS traffic.
C.The ACL is missing a permit statement for TCP port 443 return traffic.
D.The ACL explicitly denies TCP port 443.
AnswerA

If the ACL is applied inbound on the internal interface, it should work; if applied outbound on the external interface, it may block return traffic. The most likely issue is misapplication.

Why this answer

The exhibit shows an ACL that permits HTTP (TCP 80) but does not explicitly permit HTTPS (TCP 443). However, the question states that HTTP works and HTTPS does not, which suggests the ACL is correctly filtering inbound traffic on the outside interface. The most likely cause is that the ACL is applied to the wrong interface or direction, because if it were applied inbound on the inside interface, it would block outbound HTTPS traffic from the 192.168.1.0/24 network.

The implicit deny at the end of the ACL would block any traffic not explicitly permitted, but since HTTP works, the issue is not the implicit deny itself but rather the placement of the ACL.

Exam trap

ISC2 often tests the concept that an ACL applied to the wrong interface or direction can cause selective service failures, leading candidates to mistakenly focus on missing permit statements or the implicit deny rather than the ACL placement.

How to eliminate wrong answers

Option B is wrong because the implicit deny at the end of the ACL blocks all traffic not explicitly permitted, but that alone would also block HTTP if the ACL were correctly placed; the fact that HTTP works indicates the ACL is not blocking outbound traffic from the inside, so the implicit deny is not the root cause. Option C is wrong because HTTPS uses TCP port 443 for the initial outbound connection, and return traffic is statefully allowed by the Cisco IOS firewall or router if the ACL is applied correctly; the issue is not missing return traffic rules but the ACL's application direction. Option D is wrong because the exhibit does not show an explicit deny for TCP port 443; the ACL only permits HTTP, so HTTPS is implicitly denied, not explicitly denied.

457
MCQhard

A security analyst is reviewing logs and finds that a user accessed files outside of their department. The user claims it was necessary for a project. Which principle should the analyst use to assess whether this was appropriate?

A.Need to know
B.Accountability
C.Separation of duties
D.Least privilege
AnswerA

Correct. Access should be based on necessity for the task.

Why this answer

The 'need to know' principle restricts access to information based on the specific requirements of a user's role or project. In this scenario, the analyst must verify if the user's project actually required access to those specific files, not just if the user had the technical ability to access them. This principle is a subset of least privilege, focusing on data access rather than system permissions.

Exam trap

ISC2 often tests the distinction between 'least privilege' (permissions assigned to a role) and 'need to know' (justification for accessing specific data at a specific time), causing candidates to pick 'least privilege' when the scenario involves a user who already has the permission but needs to justify the access.

How to eliminate wrong answers

Option B (Accountability) is wrong because accountability refers to the ability to trace actions back to an individual (e.g., via audit logs), not to determine if the access was justified. Option C (Separation of duties) is wrong because it prevents a single individual from performing conflicting tasks (e.g., initiating and approving a payment) to reduce fraud risk, which is unrelated to cross-departmental file access. Option D (Least privilege) is wrong because while it grants the minimum permissions needed for a role, the user already had access; the question is about whether that access was appropriate for a specific task, which is the definition of 'need to know'.

458
Matchingmedium

Match each type of malware to its primary behavior.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Attaches to files and spreads

Self-replicates without a host file

Disguised as legitimate software

Encrypts data for payment

Secretly monitors user activity

Why these pairings

These are common malware types defined in cybersecurity.

459
MCQmedium

A security manager is designing a policy to prevent one person from both approving and disbursing payments. Which principle is being applied?

A.Separation of duties
B.Need to know
C.Least privilege
D.Defense in depth
AnswerA

Separation of duties ensures that no single individual has control over multiple critical tasks, reducing fraud risk.

Why this answer

Separation of duties ensures that no single individual has control over two or more phases of a critical transaction, such as both approving and disbursing payments. By splitting these responsibilities, the organization reduces the risk of fraud or error because collusion between two or more people would be required to bypass controls. In payment systems, this is often enforced through dual-authorization workflows in ERP or financial management software.

Exam trap

ISC2 often tests separation of duties by pairing it with 'least privilege' in the same question, and the trap is that candidates confuse the two because both limit access, but separation of duties specifically prevents conflicting task combinations, not just reducing permissions.

How to eliminate wrong answers

Option B (Need to know) is wrong because it restricts access to information only to those who require it for their job, not to prevent a single person from completing conflicting tasks. Option C (Least privilege) is wrong because it limits users to the minimum permissions necessary to perform their role, but does not inherently separate conflicting duties like approval and disbursement. Option D (Defense in depth) is wrong because it describes a layered security approach using multiple controls, not the specific segregation of incompatible functions.

460
MCQhard

A medium-sized company uses a network with three VLANs: VLAN 10 (Users, 192.168.10.0/24), VLAN 20 (Servers, 192.168.20.0/24), and VLAN 30 (DMZ, 192.168.30.0/24). A Layer 3 switch with an ACL is used for inter-VLAN routing. The company has a web server in the DMZ that must be accessible from the internet (via a public IP mapped to 192.168.30.10). Users in VLAN 10 need to access the web server on its private IP (192.168.30.10) for internal testing. The ACL is applied inbound on the VLAN 10 SVI. The ACL currently has the following entries: permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255; deny ip any 192.168.20.0 0.0.0.255; permit ip any any. Recently, the security team noticed that users can access the web server on its private IP, but they cannot access the web server via the public IP (which goes through the firewall and then to the DMZ). The firewall logs show that traffic from the users to the public IP is allowed and reaches the DMZ web server, but the return traffic is blocked. The web server's default gateway is the Layer 3 switch (192.168.30.1). Which of the following is the most likely cause of the problem?

A.The web server's default gateway should be set to the firewall, not the Layer 3 switch
B.The ACL on the DMZ SVI (VLAN 30) is blocking the return traffic from the web server to the firewall
C.The ACL on the VLAN 10 SVI is blocking the traffic to the public IP because it only allows private IP ranges
D.The firewall is blocking the return traffic due to a stateful inspection rule
AnswerB

The return traffic from the web server to the firewall must traverse the DMZ SVI. If the ACL on that SVI does not permit the firewall's IP or the traffic, it will be blocked.

Why this answer

The correct answer is B. The web server's default gateway is the Layer 3 switch (192.168.30.1). When users access the web server via the public IP, traffic enters the DMZ through the firewall, but the web server sends return traffic to its default gateway (the Layer 3 switch) instead of back to the firewall.

The ACL applied inbound on the VLAN 30 SVI (the DMZ SVI) blocks this return traffic because the source is the web server (192.168.30.10) and the destination is the user's IP (192.168.10.x), which is not explicitly permitted by the ACL (the ACL only permits traffic from VLAN 10 to DMZ, not the reverse).

Exam trap

ISC2 often tests the concept of asymmetric routing and the importance of ACL directionality, where candidates mistakenly focus on the inbound ACL on the user VLAN (VLAN 10) instead of realizing that the return traffic is blocked by the ACL on the DMZ SVI (VLAN 30) due to the web server's default gateway pointing to the Layer 3 switch.

How to eliminate wrong answers

Option A is wrong because the web server's default gateway should remain the Layer 3 switch for internal routing; changing it to the firewall would break internal access from VLAN 10 to the web server's private IP, which is currently working. Option C is wrong because the ACL on the VLAN 10 SVI permits traffic from 192.168.10.0/24 to 192.168.30.0/24, which includes the public IP traffic that is NATed to the private IP; the issue is not with the inbound ACL on VLAN 10 but with the return path. Option D is wrong because the firewall logs show that traffic from users to the public IP is allowed and reaches the DMZ web server, and the firewall is stateful, so it would expect return traffic; the blockage is occurring after the traffic leaves the firewall, specifically on the Layer 3 switch's DMZ SVI ACL.

461
Multi-Selecteasy

Which THREE are essential elements of a disaster recovery plan? (Select THREE.)

Select 3 answers
A.Recovery time objectives (RTOs)
B.Communication plan for employees
C.Business impact analysis results
D.Alternate processing site details
E.Backup procedures and schedules
AnswersA, D, E

Define target restoration times.

Why this answer

Recovery time objectives (RTOs) define the maximum acceptable downtime for a system or application after a disaster. They are essential because they directly drive the design of the recovery strategy, including resource allocation and technology choices, ensuring that critical services are restored within the business's tolerance for interruption.

Exam trap

ISC2 often tests the distinction between a disaster recovery plan (which focuses on IT systems and data recovery) and a business continuity plan (which includes broader organizational elements like employee communication and crisis management), causing candidates to mistakenly select the communication plan as a DRP essential.

462
MCQmedium

A company deploys a web application that stores user passwords using a salted hash. During a security review, an auditor recommends switching from SHA-1 to SHA-256. What is the primary security benefit of this change?

A.It improves system availability
B.It provides encryption of the passwords at rest
C.It increases collision resistance
D.It enhances non-repudiation
AnswerC

SHA-256 offers stronger collision resistance than SHA-1, reducing the risk of two different inputs producing the same hash.

Why this answer

SHA-1 is considered weak due to collision vulnerabilities, while SHA-256 is more resistant. The change improves integrity protection for stored passwords. Option B (collision resistance) is correct.

Option A (encryption) is wrong because hashing is not encryption. Option C (availability) is not directly related. Option D (non-repudiation) requires digital signatures, not just hashing.

463
MCQhard

In a cloud environment, the security team discovers that a misconfigured S3 bucket has made customer data publicly accessible. After securing the bucket, what is the most important next step?

A.Delete the data
B.Review logs to determine access
C.Notify affected customers
D.Change the bucket policy
AnswerC

Breach notification is legally required in many jurisdictions and prioritizes customer protection.

Why this answer

Option C is correct because after securing a misconfigured S3 bucket that exposed customer data, the most important next step is to notify affected customers. This aligns with incident response best practices and regulatory requirements (e.g., GDPR, HIPAA) that mandate timely disclosure of data breaches to impacted individuals. Without notification, the organization may face legal penalties and loss of trust, even if the data is now secure.

Exam trap

ISC2 often tests the misconception that technical remediation (e.g., changing policies or deleting data) is the most important step, when in fact incident response frameworks prioritize communication and legal/regulatory obligations over purely technical actions.

How to eliminate wrong answers

Option A is wrong because deleting the data would destroy evidence needed for forensic analysis and could violate data retention policies; the data should be preserved for investigation. Option B is wrong because while reviewing logs is important, it is not the most critical next step—notification takes precedence to comply with breach notification laws and ethical obligations. Option D is wrong because changing the bucket policy is already part of securing the bucket, which was completed before this step; the question states the bucket has already been secured, so repeating this action is unnecessary and does not address the exposure.

464
MCQhard

Refer to the exhibit. A user from IP 10.0.1.5 attempts to download an object from example-bucket. What will happen?

A.Denied because the deny statement overrides
B.Access denied due to implicit deny
C.Allowed because the allow statement matches
D.Allowed because the deny statement is invalid
AnswerA

Correct. Explicit deny takes precedence over allow.

Why this answer

The policy includes both an allow for the 10.0.0.0/16 range and a more specific deny for the 10.0.1.0/24 subnet. Since 10.0.1.5 falls within the deny condition, the explicit deny overrides the allow, resulting in denied access.

465
Multi-Selecthard

Which THREE of the following are acceptable risk treatment options according to NIST risk management framework?

Select 3 answers
A.Risk mitigation
B.Risk duplication
C.Risk transfer
D.Risk identification
E.Risk acceptance
AnswersA, C, E

Risk mitigation involves implementing controls to reduce risk.

Why this answer

Risk avoidance, mitigation, transfer, and acceptance are standard. Risk identification is a step, not treatment. Risk duplication is not a term.

466
Multi-Selecteasy

Which TWO of the following are core components of the CIA triad?

Select 2 answers
A.Authentication
B.Non-repudiation
C.Confidentiality
D.Authorization
E.Availability
AnswersC, E

Confidentiality is one of the three CIA triad components.

Why this answer

Confidentiality, Integrity, and Availability are the three core principles. Authentication and Non-repudiation are additional security goals.

467
Drag & Dropmedium

Drag and drop the steps to implement a firewall rule allowing inbound HTTPS traffic into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

HTTPS uses TCP port 443; rules must specify zones and be saved.

468
MCQmedium

Refer to the exhibit. An analyst sees these logs. What type of attack is occurring?

A.Phishing
B.SQL injection
C.Brute-force attack
D.Port scan
AnswerC

Multiple failed password attempts from a single source characterize a brute-force attack.

Why this answer

Option A is correct because repeated failed login attempts from the same IP indicate a brute-force attack. The other options do not match the pattern.

469
MCQhard

Refer to the exhibit. A DBA is investigating a replication issue. What should be the FIRST action?

A.Restore table from backup
B.Verify data integrity on primary
C.Reseed replication
D.Fail over to standby
AnswerB

Check primary data to ensure it is not corrupted before taking further action.

Why this answer

Checksum mismatch indicates data corruption on one side. The first step is to verify data integrity on the primary to determine which copy is correct.

470
MCQmedium

A primary data center is destroyed. The disaster recovery plan calls for activation of a hot standby site. If the RTO is 2 hours, what is the expected recovery time?

A.Exactly 2 hours
B.More than 2 hours
C.Unknown, depends on the disaster
D.Less than 2 hours
AnswerD

Hot sites are designed to achieve RTOs; recovery is expected within the target.

Why this answer

The RTO (Recovery Time Objective) defines the maximum acceptable downtime, not the guaranteed recovery time. A hot standby site is fully operational and synchronized, so recovery can be completed in less than the RTO if the disaster does not cause additional complications. Option D is correct because the expected recovery time should be less than the 2-hour RTO, assuming the hot site functions as designed.

Exam trap

ISC2 often tests the misconception that RTO is a guaranteed recovery time rather than a maximum allowable downtime, leading candidates to incorrectly choose 'Exactly 2 hours' or 'More than 2 hours' when the correct answer is that recovery should be faster than the RTO.

How to eliminate wrong answers

Option A is wrong because the RTO is a target, not a precise prediction; actual recovery time depends on factors like data synchronization lag and failover automation, so it is not guaranteed to be exactly 2 hours. Option B is wrong because a properly configured hot standby site should recover in less than the RTO, not more; exceeding the RTO would mean the DR plan fails its objective. Option C is wrong because while the disaster type can affect recovery, the question asks for the expected recovery time under the assumption the hot standby site is activated per the DR plan, and the RTO defines the maximum allowable time, so the expectation is that recovery completes within that window.

471
Multi-Selecthard

Which TWO actions are appropriate during the identification phase of incident response?

Select 2 answers
A.Conduct a post-mortem analysis.
B.Correlate alerts from multiple sources.
C.Review system logs for anomalies.
D.Restore data from backups.
E.Disconnect affected systems from the network.
AnswersB, C

Alert correlation aids in identifying incidents.

Why this answer

During the identification phase of incident response, the goal is to detect and confirm that an incident is occurring. Correlating alerts from multiple sources (e.g., IDS/IPS logs, firewall logs, and endpoint detection) helps reduce false positives and provides a clearer picture of the attack chain. Reviewing system logs for anomalies is a core detection technique that can reveal indicators of compromise (IoCs) such as unusual process execution or failed login bursts.

Exam trap

ISC2 often tests the distinction between identification and containment, so the trap here is that candidates mistake disconnecting systems (a containment step) for an identification action, when in fact identification must occur first to confirm the incident.

472
MCQhard

An organization is implementing a new identity management system. They want to ensure that users can only access resources necessary for their job roles. Which principle should guide the access control design?

A.Separation of duties
B.Least privilege
C.Need to know
D.Defense in depth
AnswerB

Least privilege grants only necessary access for job roles.

Why this answer

The principle of least privilege dictates that users should be granted only the permissions necessary to perform their job functions and nothing more. In an identity management system, this is implemented by assigning minimal access rights to resources, reducing the attack surface and limiting potential damage from compromised accounts. This directly aligns with the scenario of ensuring users can only access resources essential for their roles.

Exam trap

ISC2 often tests least privilege versus need to know, where candidates mistakenly choose need to know because it sounds more specific, but least privilege is the broader, correct principle for general access control design in identity management.

How to eliminate wrong answers

Option A is wrong because separation of duty is a principle that prevents fraud by requiring multiple users to complete a sensitive task (e.g., one user creates a purchase order, another approves it), not about limiting individual access to job-necessary resources. Option C is wrong because need to know is a subset of least privilege focused specifically on access to classified or sensitive information on a per-case basis, not the broader principle of limiting all resource access to job-role requirements. Option D is wrong because defense in depth is a layered security strategy using multiple controls (firewalls, IDS, encryption) to protect assets, not a principle for designing user access rights.

473
Multi-Selectmedium

A company is developing a business continuity plan (BCP). Which TWO of the following are essential components that must be included in a BCP?

Select 2 answers
A.Asset inventory
B.Vulnerability assessment
C.Business Impact Analysis (BIA)
D.Recovery Time Objective (RTO)
E.Network diagram
AnswersC, D

BIA is essential as it identifies critical processes, dependencies, and resource requirements for recovery.

Why this answer

A Business Impact Analysis (BIA) is essential in a BCP because it identifies critical business functions, their dependencies, and the impact of disruptions. It quantifies the financial and operational consequences of downtime, directly informing the selection of recovery strategies and resource allocation. Without a BIA, the BCP lacks a data-driven foundation for prioritizing recovery efforts.

Exam trap

ISC2 often tests the distinction between components that are 'essential' to the BCP itself versus supporting documents or risk management activities, causing candidates to select asset inventory or vulnerability assessment as core BCP elements.

474
MCQmedium

Refer to the exhibit. A security engineer applies this S3 bucket policy to restrict access. Users outside the 10.0.0.0/16 network report being denied access, which is expected. However, users inside that network also report access denied. What is the likely issue?

A.The condition syntax is incorrect and causes all requests to be evaluated incorrectly.
B.The Deny statement overrides the Allow statement for all requests.
C.The policy only allows GetObject; users likely need ListBucket or other actions.
D.The resource ARN includes a wildcard, causing a mismatch with the bucket name.
AnswerC

Only GetObject is allowed; any other action is implicitly denied.

Why this answer

Option C is correct because the S3 bucket policy only grants the s3:GetObject action, but users inside the 10.0.0.0/16 network are likely performing other actions such as s3:ListBucket (e.g., listing objects) or s3:PutObject. Even though the source IP condition allows access from the trusted network, the explicit Allow statement is scoped solely to GetObject. Any request for a different action (like listing the bucket) will be implicitly denied by default, as IAM and S3 policies are deny-by-default unless an explicit Allow exists for that specific action.

Exam trap

ISC2 often tests the misconception that a single Allow statement for one action (like GetObject) implicitly permits all other actions for users who satisfy the condition, when in reality each action requires its own explicit Allow.

How to eliminate wrong answers

Option A is wrong because the condition syntax (IpAddress with aws:SourceIp) is valid and correctly structured; an incorrect syntax would cause a policy parsing error, not a selective denial for both inside and outside users. Option B is wrong because the Deny statement only applies to requests originating outside the 10.0.0.0/16 network (due to the NotIpAddress condition), so it does not override the Allow for internal users; the Deny is scoped correctly and does not affect internal traffic. Option D is wrong because the resource ARN 'arn:aws:s3:::example-bucket/*' with a wildcard is standard for matching all objects in the bucket; it does not cause a mismatch with the bucket name, and the bucket name itself is explicitly stated.

475
MCQhard

Refer to the exhibit. The IDS alert indicates a possible SpyEye botnet check-in from an internal host. What immediate action should the analyst take?

A.Isolate the internal host from the network
B.Ignore the alert as it is a false positive
C.Block the destination IP at the firewall
D.Run a full antivirus scan on the internal host
AnswerA

Isolating the host stops the C2 traffic and prevents lateral movement.

Why this answer

Isolating the internal host immediately stops the potential command-and-control (C2) communication with the SpyEye botnet, preventing data exfiltration or further compromise. This is the first step in incident response (containment) before any forensic analysis or remediation, as per NIST SP 800-61 guidelines. Delaying containment could allow the botnet to receive new instructions or spread laterally.

Exam trap

ISC2 often tests the principle that containment (isolation) must precede remediation (scanning or blocking) in incident response, tricking candidates into choosing a reactive firewall block or a delayed scan instead of immediate host isolation.

How to eliminate wrong answers

Option B is wrong because ignoring the alert assumes a false positive without verification; SpyEye check-ins are rarely benign and require investigation. Option C is wrong because blocking the destination IP at the firewall only disrupts communication to that specific IP, but botnets often use domain flux or multiple fallback IPs, and the internal host remains compromised and could beacon to other C2 servers. Option D is wrong because running a full antivirus scan is a remediation step that should occur after containment; the immediate priority is to stop the active C2 traffic, not to scan while the host is still communicating with the botnet.

476
MCQmedium

During a vulnerability scan, the security team discovers a critical vulnerability on a public-facing server. According to best practices, what should the team do next?

A.Disable the server
B.Remediate immediately during business hours
C.Inform all users
D.Schedule a maintenance window
AnswerD

Scheduling a maintenance window allows for planned and tested remediation.

Why this answer

Option D is correct because, according to vulnerability management best practices, the first step after discovering a critical vulnerability is to schedule a maintenance window to apply a patch or mitigation in a controlled manner. This minimizes service disruption and allows for testing, ensuring the fix does not introduce new issues. Immediate remediation during business hours (Option B) could cause downtime or impact users, while disabling the server (Option A) is an extreme measure reserved for active exploitation with no available patch.

Exam trap

ISC2 often tests the misconception that 'critical' means 'act immediately without planning,' leading candidates to choose Option B, but the correct approach is to balance urgency with change control to avoid operational disruption.

How to eliminate wrong answers

Option A is wrong because disabling the server is a last-resort action typically taken only when the vulnerability is actively exploited and no patch or workaround exists; it unnecessarily disrupts services without following a structured response process. Option B is wrong because remediating immediately during business hours violates change management best practices, as it risks causing unplanned downtime and may bypass testing, which could lead to service outages or incomplete fixes. Option C is wrong because informing all users is premature and not a standard first step; disclosure should be controlled and communicated to relevant stakeholders (e.g., system owners, management) after a patch is ready or a mitigation plan is in place, to avoid unnecessary panic or security leaks.

477
Multi-Selectmedium

Which TWO are true about a differential backup? (Select two.)

Select 2 answers
A.It copies files changed since the last backup of any type
B.It requires a full backup to be restored first
C.It copies files changed since the last full backup
D.It resets the archive bit on backed-up files
E.It is faster to restore than a full backup
AnswersB, C

The full backup must be restored before applying the differential.

Why this answer

A differential backup copies all files that have changed since the last full backup. Because it does not contain the complete data set, you must first restore the most recent full backup and then apply the differential backup on top of it to recover the system. This makes option B correct.

Exam trap

ISC2 often tests the distinction between differential and incremental backups by making candidates confuse 'changed since last full' (differential) with 'changed since last backup of any type' (incremental), and by implying that differential backups reset the archive bit when they do not.

478
MCQeasy

A helpdesk technician receives a report that a user in the finance department cannot access a shared folder on the server. The same server is accessible from other departments. What is the most likely cause?

A.The server is down
B.A firewall rule is blocking traffic from the finance VLAN to the server
C.The network cable is unplugged
D.The user's account is disabled
AnswerB

This explains why only the finance department is affected.

Why this answer

The scenario describes a user in the finance department unable to access a shared folder on a server that is reachable from other departments. This points to a segmentation or access control issue specific to the finance VLAN. A firewall rule blocking traffic from the finance VLAN to the server is the most likely cause because it would selectively prevent access for that subnet while allowing other VLANs to reach the server, matching the symptom of partial connectivity.

Exam trap

ISC2 often tests the concept of VLAN segmentation and firewall rules by presenting a symptom of partial connectivity, leading candidates to mistakenly focus on client-side issues (like a disabled account or cable problem) rather than network-layer access controls.

How to eliminate wrong answers

Option A is wrong because if the server were down, no users from any department would be able to access it, but the report states other departments can access the server. Option C is wrong because an unplugged network cable would cause a complete loss of network connectivity for the user, not just an inability to access a specific shared folder while other services might still work. Option D is wrong because a disabled user account would prevent authentication to the server entirely, affecting access from any location, not just the finance department, and the user can still reach the server (as implied by the scenario).

479
MCQmedium

A network administrator is configuring a DMZ for a company's web and email servers. Which firewall rule is most appropriate for traffic from the internet to the DMZ?

A.Deny all inbound traffic to DMZ but allow outbound
B.Allow inbound HTTP, HTTPS, SMTP, and DNS to DMZ
C.Allow inbound only to the web server on ports 80 and 443
D.Allow all inbound traffic to DMZ
AnswerB

These are the required services for web and email servers.

Why this answer

Option B is correct because a DMZ must selectively permit essential services from the internet to the public-facing servers while blocking all other inbound traffic. HTTP (80), HTTPS (443), SMTP (25), and DNS (53) are the standard protocols required for web and email servers to function. This rule implements the principle of least privilege by allowing only the necessary traffic to the DMZ.

Exam trap

ISC2 often tests the misconception that a DMZ should allow only web traffic (HTTP/HTTPS) and forget that email servers require SMTP and DNS, leading candidates to choose option C instead of the more complete option B.

How to eliminate wrong answers

Option A is wrong because denying all inbound traffic to the DMZ would prevent external users from accessing the web and email servers, defeating the purpose of a DMZ. Option C is wrong because it omits SMTP and DNS, which are required for email delivery and name resolution; a real-world DMZ hosting both web and email servers must allow SMTP (port 25) for inbound email and DNS (port 53) for queries. Option D is wrong because allowing all inbound traffic to the DMZ violates security best practices and would expose internal servers to attacks such as port scanning and exploitation of non-essential services.

480
MCQhard

A company is implementing a data loss prevention (DLP) solution. Which strategy BEST balances security and productivity when monitoring outgoing email?

A.Log all emails without any alerts
B.Block all emails containing keywords like 'confidential'
C.Encrypt all outgoing emails automatically
D.Alert on policy violations and allow user to override with manager approval
AnswerD

Balances security with business needs.

Why this answer

Option D is correct because it balances security and productivity by alerting on policy violations while allowing users to override the block with manager approval. This approach ensures that legitimate business communications are not disrupted, while still enforcing DLP policies through a secondary review process. In a DLP solution, this is often implemented via a 'justify and override' workflow, where the user must provide a reason and receive approval from a manager before the email is sent.

Exam trap

ISC2 often tests the concept that DLP is not just about blocking or encrypting data, but about applying policy with context and user feedback to balance security and productivity, leading candidates to mistakenly choose overly restrictive options like B.

How to eliminate wrong answers

Option A is wrong because logging all emails without any alerts provides no active enforcement or notification, failing to prevent data loss in real time and offering only passive auditing. Option B is wrong because blocking all emails containing keywords like 'confidential' is overly restrictive and lacks context, leading to high false positive rates that disrupt legitimate business communications and reduce productivity. Option C is wrong because encrypting all outgoing emails automatically does not prevent data loss; encryption protects data in transit but does not stop sensitive data from being sent to unauthorized recipients, which is the core function of DLP.

481
Multi-Selecthard

Which THREE are differences between a hot site and a cold site? (Select three.)

Select 3 answers
A.Hot site is more expensive to maintain
B.Cold site has pre-installed software and applications
C.Hot site has real-time data synchronization
D.Both have the same recovery time objective (RTO)
E.Cold site has no hardware or infrastructure installed
AnswersA, C, E

Hot sites require constant replication and active hardware, increasing costs.

Why this answer

A hot site is a fully operational, mirrored environment with real-time data synchronization, pre-installed hardware, and active network connectivity, making it significantly more expensive to maintain due to ongoing costs for power, cooling, bandwidth, and dedicated staff. In contrast, a cold site is a bare facility with no active infrastructure, requiring manual setup and provisioning before recovery can begin. The higher cost of a hot site is justified by its near-zero Recovery Time Objective (RTO), whereas a cold site's lower cost reflects its much longer RTO.

Exam trap

ISC2 often tests the misconception that a cold site has some pre-installed infrastructure or software, when in fact it is a completely empty facility with only power and cooling, and that RTO is identical across site types, whereas RTO is a key differentiator between hot, warm, and cold sites.

482
MCQmedium

After a security incident has been contained and eradicated, which of the following should be done to improve future incident response?

A.Conduct a post-incident review
B.Reinstall the operating system
C.Disable the affected user accounts
D.Delete all incident-related logs
AnswerA

The review captures lessons learned and updates procedures.

Why this answer

A post-incident review (lessons learned) helps identify improvements to prevent recurrence and enhance response.

483
MCQmedium

You are the IT security officer for a hospital that handles protected health information (PHI). The hospital uses an electronic health record (EHR) system. You receive a report that a nurse accessed the medical records of a celebrity patient without a legitimate medical reason. The access was logged. The hospital policy requires all employees to access only the minimum necessary information for their job duties. The nurse claims they were just curious. This is a violation of which security principle, and what is the best course of action?

A.Confidentiality; encrypt all patient records
B.Accountability; disable access for all nurses to the EHR
C.Least privilege; revoke the nurse's access to the EHR system and initiate disciplinary proceedings
D.Least privilege; send a warning to the nurse
AnswerC

This enforces the principle and addresses the violation appropriately.

Why this answer

Correct: Violation of least privilege; the nurse should have only been granted access to records necessary for their job. The best course is to revoke access and follow disciplinary procedures (B). Option A is wrong because it doesn't address the root cause; Option C is wrong because encryption doesn't prevent unauthorized access; Option D is wrong because disabling access for all nurses is excessive.

484
MCQeasy

A company wants to segment its network into separate broadcast domains to improve performance and security. Which device should be used to achieve this?

A.Switch
B.Hub
C.Repeater
D.Router
AnswerD

Routers segment broadcast domains by forwarding packets based on IP addresses.

Why this answer

A router is the correct device because it operates at Layer 3 (Network layer) of the OSI model and can segment a network into separate broadcast domains by forwarding packets based on IP addresses while blocking broadcast traffic (e.g., ARP requests) from crossing between interfaces. This isolation improves performance by reducing broadcast overhead and enhances security by controlling traffic flow between segments.

Exam trap

ISC2 often tests the misconception that a switch with VLANs can create separate broadcast domains, but the trap is that a switch alone (without a Layer 3 device) cannot route between those VLANs—it still requires a router to forward traffic between broadcast domains.

How to eliminate wrong answers

Option A is wrong because a switch operates at Layer 2 and forwards frames based on MAC addresses, but it does not block broadcast traffic—all ports in the same VLAN belong to the same broadcast domain, so a switch alone cannot create separate broadcast domains without VLANs. Option B is wrong because a hub is a Layer 1 device that simply repeats electrical signals to all ports, creating a single collision domain and a single broadcast domain, offering no segmentation. Option C is wrong because a repeater is also a Layer 1 device that regenerates signals to extend cable distance but does not filter or segment traffic, so it cannot create separate broadcast domains.

485
Multi-Selecthard

A security team is investigating a potential ARP spoofing attack on the local network. Which two measures can effectively detect or prevent such attacks? (Choose two.)

Select 2 answers
A.Disable ICMP redirects on hosts.
B.Enable DHCP snooping with Dynamic ARP Inspection.
C.Use MAC address filtering on switches.
D.Enable STP BPDU guard.
E.Configure static ARP entries on critical servers.
AnswersB, E

DHCP snooping with DAI validates ARP packets against DHCP bindings.

Why this answer

Dynamic ARP Inspection (DAI) uses DHCP snooping binding tables to validate ARP packets, ensuring that only legitimate IP-to-MAC address mappings are accepted. This directly prevents ARP spoofing by dropping malicious ARP replies that do not match the binding table. Configuring static ARP entries on critical servers hardcodes the IP-to-MAC mapping, so the server will ignore any spoofed ARP replies attempting to redirect traffic.

Exam trap

ISC2 often tests the distinction between Layer 2 security features (like DAI and DHCP snooping) and Layer 3 or other mitigation techniques (like ICMP redirects or BPDU guard), leading candidates to confuse unrelated security controls with ARP-specific defenses.

486
Multi-Selecteasy

Which TWO of the following are examples of administrative security controls?

Select 2 answers
A.Firewall rule sets
B.Data encryption
C.Biometric access controls
D.Security policies and procedures
E.Security awareness training
AnswersD, E

Policies are administrative controls that govern behavior.

Why this answer

Options B and D are correct because security policies and security awareness training are administrative controls. Firewalls (A) are technical controls. Biometrics (C) is physical/technical.

Encryption (E) is technical.

487
MCQeasy

A small company has a single flat network with no segmentation. They recently experienced a malware outbreak that spread quickly across all devices. The IT manager wants to implement network segmentation to contain future outbreaks with minimal cost and complexity. The company currently has a single switch and a router/firewall appliance. The network consists of three departments: Sales, HR, and Engineering. After analyzing the requirements, what is the best course of action?

A.Deploy a next-generation firewall between the switch and the router to inspect traffic
B.Replace the single switch with multiple managed switches and create VLANs for each department, then connect them to the firewall
C.Implement 802.1X authentication on the switch to control device access
D.Install host-based firewalls on all endpoints
AnswerB

This provides logical segmentation using VLANs, containing outbreaks.

Why this answer

Option B is correct because VLANs logically segment the flat network into separate broadcast domains for Sales, HR, and Engineering, containing malware spread at Layer 2. Using multiple managed switches with VLANs and trunking to the firewall allows inter-VLAN traffic to be inspected and controlled by the firewall, providing segmentation with minimal cost and complexity. This approach leverages existing hardware (router/firewall) and avoids the expense of additional appliances.

Exam trap

ISC2 often tests the misconception that adding a firewall or security appliance alone provides segmentation, when in fact segmentation requires separating Layer 2 broadcast domains (via VLANs or physical separation) before applying access controls.

How to eliminate wrong answers

Option A is wrong because deploying a next-generation firewall between the switch and router inspects traffic but does not create network segmentation; the flat network remains, so malware can still spread laterally across all devices at Layer 2. Option C is wrong because 802.1X authentication controls device access to the network port but does not segment traffic between departments; once authenticated, devices are still on the same flat network and vulnerable to lateral movement. Option D is wrong because host-based firewalls on endpoints provide per-device protection but do not segment the network; malware can still propagate via broadcast traffic or direct Layer 2 communication between hosts.

488
Multi-Selecthard

Which TWO of the following are recognized as benefits of network segmentation?

Select 2 answers
A.Reduced attack surface
B.Easier monitoring
C.Increased broadcast domains
D.Simplified IP address management
E.Containment of breaches
AnswersA, E

Segmentation limits access to sensitive resources, reducing the attack surface.

Why this answer

Option A (Reduced attack surface) and Option D (Containment of breaches) are correct. Segmentation limits the scope of attacks and reduces exposure. Option B (Increased broadcast domains) is not a security benefit; it can cause performance issues.

Option C (Simplified IP address management) is not directly related to security. Option E (Easier monitoring) is subjective and not a primary benefit.

489
MCQmedium

Based on the exhibit, what is the most likely result of the client's HTTP request?

A.The HTTP request is permitted because the ACL is applied to the wrong interface.
B.The HTTP request is permitted because the ACL only blocks traffic from the router's own IP.
C.The HTTP request is blocked, and all other traffic from the client is also blocked.
D.The HTTP request is blocked, but other traffic from the client is allowed.
AnswerD

The ACL denies TCP port 80, then permits all other IP traffic.

Why this answer

The exhibit shows an extended ACL applied inbound on the client's interface that permits TCP traffic from the client to the server on port 80 (HTTP) but denies all other IP traffic from the client. Therefore, the HTTP request is permitted, but any other traffic from the client (e.g., DNS, ICMP) is blocked. Option D correctly states that the HTTP request is blocked, but other traffic is allowed, which matches the ACL behavior.

Exam trap

ISC2 often tests the misconception that an ACL blocking all traffic from a client means no traffic is allowed, but here the ACL explicitly permits HTTP while denying other traffic, so candidates may incorrectly choose Option C thinking all traffic is blocked.

How to eliminate wrong answers

Option A is wrong because the ACL is applied to the correct interface (the client's ingress interface) and direction (inbound), so it does affect traffic from the client. Option B is wrong because the ACL does not block traffic from the router's own IP; it filters traffic based on source and destination IP addresses and ports, not the router's IP. Option C is wrong because the ACL specifically permits HTTP traffic (TCP port 80) from the client to the server, so not all traffic is blocked; only non-HTTP traffic is denied.

490
Multi-Selectmedium

Which THREE of the following are recognized security principles according to NIST and ISC2?

Select 3 answers
A.Separation of duties
B.Security through obscurity
C.Least privilege
D.Defense in depth
E.Single point of failure
AnswersA, C, D

Separation of duties prevents fraud and error.

Why this answer

Least privilege, separation of duties, and defense in depth are fundamental. Security through obscurity is not a recognized principle.

491
MCQeasy

Which of the following protocols provides secure remote administration of a network device over an untrusted network?

A.SNMPv1
B.Telnet
C.HTTP
D.SSH
AnswerD

SSH provides encrypted remote access, securing the session.

Why this answer

SSH (Secure Shell) is correct because it encrypts all traffic, including authentication credentials and commands, using strong cryptographic algorithms, making it safe for remote administration over untrusted networks. It operates on TCP port 22 and provides confidentiality, integrity, and authentication, unlike cleartext protocols. SSH is the standard for secure CLI access to network devices such as routers and switches.

Exam trap

ISC2 often tests the distinction between 'secure' and 'insecure' protocols, and the trap here is that candidates may confuse Telnet with SSH because both provide remote CLI access, forgetting that Telnet lacks encryption entirely.

How to eliminate wrong answers

Option A is wrong because SNMPv1 uses community strings in cleartext and lacks encryption or authentication, making it insecure for remote administration over untrusted networks. Option B is wrong because Telnet transmits all data, including usernames and passwords, in plaintext, allowing anyone with packet capture access to intercept credentials and commands. Option C is wrong because HTTP transmits data unencrypted, and while HTTPS exists, the question specifies HTTP, which provides no security for remote administration.

492
MCQmedium

A hospital uses role-based access control (RBAC) for its electronic health records. Nurses can view patient records; doctors can view and edit; administrators can only view administrative data. Recently, a nurse was able to edit a patient's record, which should only be allowed for doctors. The investigation finds that the nurse's role was incorrectly assigned a 'doctor' role due to a misconfiguration. To prevent recurrence, the access control system should be reviewed. Which is the best long-term solution?

A.Implement mandatory access control (MAC) with security labels
B.Remove the nurse's ability to edit records
C.Implement user behavior analytics to detect anomalies
D.Conduct quarterly role reviews and recertification
AnswerD

Regular reviews ensure roles are correctly assigned, preventing misconfigurations over time.

Why this answer

Option D is correct because the root cause is a role misconfiguration, and the best long-term solution is to implement a process of periodic role reviews and recertification. This ensures that role assignments are regularly audited and validated against current job responsibilities, preventing role creep and unauthorized privilege accumulation. In RBAC, the principle of least privilege is maintained through ongoing governance, not through a one-time fix.

Exam trap

ISC2 often tests the distinction between reactive fixes (like removing a single user's permission) and systemic governance processes (like periodic recertification), trapping candidates who choose a quick technical fix instead of a long-term administrative control.

How to eliminate wrong answers

Option A is wrong because mandatory access control (MAC) uses system-enforced security labels (e.g., classification levels) and is not designed to fix a role misconfiguration in an RBAC system; it would require a complete architectural change and does not address the need for periodic role validation. Option B is wrong because removing the nurse's ability to edit records is a reactive, short-term fix that does not prevent future misconfigurations or other role assignment errors; it treats the symptom, not the systemic issue. Option C is wrong because user behavior analytics (UBA) can detect anomalous activity after it occurs, but it does not prevent the underlying misconfiguration or ensure correct role assignments; it is a detective control, not a preventive or corrective control for role management.

493
MCQeasy

Which of the following is a best practice for securing physical access to a data center?

A.Allow employees to use personal badges for entry.
B.Implement mantrap entry with biometric verification.
C.Install CCTV only at the main entrance.
D.Use a single-factor authentication for all doors.
AnswerB

Mantraps prevent tailgating and biometrics provide strong authentication.

Why this answer

Option D is correct because mantrap entry with biometric verification provides strong physical access control. Option A weakens security by allowing personal badges. Option B does not cover all areas.

Option C single-factor is insufficient.

494
MCQmedium

Refer to the exhibit. ``` -rw-r-x--- 1 user1 developers 1024 Apr 12 10:00 config.cfg ``` The security policy states that only the file owner (user1) and members of the developers group should be able to read the file. Which change is necessary to align with the principle of least privilege?

A.Add world read permission.
B.Change group permissions to rw-r--.
C.Change the file mode to 640.
D.Change the owner to user2.
AnswerC

640 (rw-r-----) removes the execute permission that is not required for read-only access, adhering to least privilege.

495
MCQhard

During an incident, the IR team identifies that the root cause is a zero-day vulnerability. Which of the following is the best immediate action?

A.Report to CERT/CC
B.Rebuild all affected systems
C.Apply a vendor patch
D.Implement compensating controls
AnswerD

Compensating controls reduce risk by blocking or detecting exploitation of the vulnerability.

Why this answer

When a zero-day vulnerability is the root cause, no vendor patch exists yet (option C is impossible). Rebuilding systems (option B) without addressing the vulnerability leaves them re-exposed. The best immediate action is to implement compensating controls—such as firewall rules, IDS/IPS signatures, or application-layer filtering—to mitigate the risk until a permanent fix is available.

This aligns with incident response containment strategies that prioritize reducing impact while preserving forensic evidence.

Exam trap

ISC2 often tests the misconception that 'rebuilding systems' or 'applying a patch' are immediate actions for a zero-day, when in reality the absence of a patch and the need for containment make compensating controls the only viable first step.

How to eliminate wrong answers

Option A is wrong because reporting to CERT/CC is a post-incident coordination step, not an immediate containment action; it does not stop the ongoing attack. Option B is wrong because rebuilding affected systems without first containing the vulnerability will result in immediate re-infection, as the zero-day exploit vector remains active. Option C is wrong because a zero-day vulnerability, by definition, has no vendor patch available at the time of discovery; applying a non-existent patch is impossible.

496
MCQhard

An IAM policy is shown in the exhibit. Which action is permitted for the attached user?

A.Get an object from bucket2
B.Get an object from bucket1
C.List the objects in bucket1
D.Delete an object from bucket2
AnswerB

s3:GetObject on bucket1/* is explicitly allowed.

Why this answer

The IAM policy grants the `s3:GetObject` action on the ARN `arn:aws:s3:::bucket1/*`, which permits retrieving objects from bucket1. The `Deny` effect for `s3:DeleteObject` on bucket2 does not affect the `Allow` for `s3:GetObject` on bucket1. Therefore, the attached user can get an object from bucket1.

Exam trap

ISC2 often tests the distinction between object-level actions (like `s3:GetObject`) and bucket-level actions (like `s3:ListBucket`), trapping candidates who assume that reading an object implies the ability to list the bucket's contents.

How to eliminate wrong answers

Option A is wrong because the policy only allows `s3:GetObject` on bucket1, not bucket2; bucket2 is only referenced in a Deny statement for `s3:DeleteObject`, which does not grant any read access. Option C is wrong because the policy does not include the `s3:ListBucket` action, which is required to list objects in a bucket; `s3:GetObject` only permits reading individual objects, not listing. Option D is wrong because the policy explicitly denies `s3:DeleteObject` on bucket2, and an explicit Deny overrides any Allow.

497
MCQmedium

A small business with limited budget wants to ensure critical business functions can resume within 24 hours of a disaster. Their data changes infrequently. Which recovery solution is MOST cost-effective?

A.Warm site with daily backups
B.Cloud backup with instant restore
C.Cold site with monthly backups
D.Hot site with real-time replication
AnswerB

Cost-effective and can meet RTO if restore time is fast.

Why this answer

Cloud backup with instant restore (Option B) is the most cost-effective solution because the business has a limited budget, data changes infrequently, and the RTO is 24 hours. Cloud backup eliminates the need for maintaining physical infrastructure, and instant restore from cloud snapshots can meet the 24-hour RTO without the high costs of a warm or hot site.

Exam trap

ISC2 often tests the misconception that a warm site is the 'middle ground' for cost and recovery, but they ignore that cloud backup can achieve the same RTO at a fraction of the cost when data changes infrequently.

How to eliminate wrong answers

Option A is wrong because a warm site requires pre-configured hardware and ongoing maintenance costs, which exceed a limited budget, and daily backups are overkill for infrequently changing data. Option C is wrong because a cold site with monthly backups cannot meet the 24-hour RTO, as provisioning hardware and restoring from month-old backups would take significantly longer. Option D is wrong because a hot site with real-time replication is the most expensive solution, designed for near-zero RTO and RPO, which is unnecessary for infrequently changing data and a 24-hour RTO.

498
MCQeasy

An organization requires that two different administrators approve changes to firewall rules. This is an example of which security principle?

A.Least privilege
B.Defense in depth
C.Separation of duties
D.Need-to-know
AnswerC

Requiring two approvals divides the task, preventing a single person from making unauthorized changes.

Why this answer

Separation of duties requires multiple people to complete a sensitive task to reduce fraud and errors. Option B is correct. Option A (least privilege) limits permissions.

Option C (defense in depth) uses layers. Option D (need-to-know) restricts data access.

499
Multi-Selectmedium

Which TWO of the following are common indicators of a phishing email? (Select TWO.)

Select 2 answers
A.The email contains an attachment with a .txt extension
B.The email contains a sense of urgency, such as 'Your account will be closed.'
C.The email has a high-importance flag set by the sender
D.The email is sent to multiple recipients in the 'To' field
E.The sender's email address is similar but not identical to a legitimate domain
AnswersB, E

Urgency is a common social engineering tactic.

Why this answer

Option B is correct because phishing emails commonly exploit urgency to bypass rational decision-making. Attackers use phrases like 'Your account will be closed' to pressure recipients into clicking malicious links or providing credentials without verifying the source. This social engineering tactic is a hallmark of phishing campaigns.

Exam trap

ISC2 often tests the distinction between technical indicators (e.g., file extensions, headers) and behavioral indicators (e.g., urgency, domain spoofing), and the trap here is that candidates mistake common email features like high-importance flags or bulk addressing as phishing indicators when they are not inherently suspicious.

500
MCQeasy

A security team implements a policy that requires all access to sensitive data to be logged and audited. Which principle is being enforced?

A.Accountability
B.Non-repudiation
C.Integrity
D.Least privilege
AnswerA

Correct. Logging creates accountability.

Why this answer

Accountability is enforced because logging and auditing create a traceable record of who accessed sensitive data and what actions they performed. This allows security teams to hold individuals responsible for their actions by correlating log entries with specific user identities, typically via authentication systems like LDAP or SAML. The policy directly supports the principle that users must be answerable for their access to protected resources.

Exam trap

ISC2 often tests the distinction between accountability (tracking and attributing actions) and non-repudiation (cryptographic proof of origin), leading candidates to confuse logging with the stronger assurance provided by digital signatures.

How to eliminate wrong answers

Option B is wrong because non-repudiation ensures that a party cannot deny having performed an action, typically achieved through digital signatures or cryptographic proof (e.g., HMAC, RSA signatures), not through logging and auditing alone. Option C is wrong because integrity focuses on protecting data from unauthorized modification (e.g., via checksums, hashing like SHA-256, or access controls), not on tracking who accessed it. Option D is wrong because least privilege restricts access rights to the minimum necessary for a role, whereas logging and auditing are about monitoring and reviewing access after it has occurred, not about limiting permissions upfront.

Page 6

Page 7 of 7

All pages