ISC2 Certified in Cybersecurity CC (CC) — Questions 526–600

984 questions total · 14 pages · All types, answers revealed

Page 8 of 14
526 · MCQ · hard

A financial institution requires that no single employee can both initiate and approve a wire transfer. This policy enforces which security principle?

A. Separation of duties
B. Defense in depth
C. Least privilege
D. Need to know

Answer: A

Separation of duties ensures no single person has control over all parts of a transaction.

Why this answer

Separation of duties prevents fraud by dividing critical tasks. Least privilege limits access, but here it's about task division.

527 · MCQ · easy

Which of the following is a key component of the 3-2-1 backup rule?

A. Two copies on different media, one off-site
B. One copy on two different media, two off-site
C. Three copies on different media, two off-site
D. Three copies, two different media types, one off-site

Answer: D

This is the exact description of the 3-2-1 rule.

Why this answer

The 3-2-1 rule states: have 3 copies of data, on 2 different media types, with 1 copy off-site.

528 · Multi-Select · easy

Which TWO of the following are fundamental principles of information security that form the CIA triad?

Select 2 answers
A. Confidentiality
B. Integrity
C. Privacy
D. Non-repudiation
E. Accountability

Answers: A, B

Confidentiality ensures data is accessible only to authorized parties.

Why this answer

Correct: Confidentiality and Integrity are part of the CIA triad. Option C (Privacy) is related but is not a core CIA principle; Option D (Non-repudiation) and Option E (Accountability) are supporting security services, not part of the CIA triad.

529 · MCQ · easy

Which of the following ensures that data has not been tampered with during transmission?

A. Redundancy
B. Encryption
C. Hashing
D. Authentication

Answer: C

Correct. Hashing verifies integrity.

Why this answer

Integrity ensures data accuracy and completeness; hashing detects changes.

530 · MCQ · hard

A company has a reciprocal agreement with another organization for disaster recovery. During a major outage, the company attempts to activate the agreement but finds that the partner's facility is also impacted by the same disaster. This scenario highlights a primary disadvantage of which recovery strategy?

A. Cold site
B. Warm site
C. Reciprocal agreement
D. Hot site

Answer: C

Reciprocal agreements rely on the partner's availability, which may be compromised in a widespread disaster.

Why this answer

Reciprocal agreements depend on the partner not being affected by the same disaster. If both are impacted, the agreement fails.

531 · MCQ · medium

An organization's recovery time objective (RTO) for its customer database is 4 hours. During a disaster, the backup restore process takes 2 hours, but reconfigure and test tasks add another 3 hours. Which action best addresses this gap?

A. Conduct the restore test only during annual disaster recovery drills.
B. Reduce the recovery point objective (RPO) to minimize data loss.
C. Increase the RTO to 6 hours.
D. Automate the configuration and validation steps after restore.

Answer: D

Automation reduces manual time, helping meet the 4-hour RTO.

Why this answer

The RTO is 4 hours, but the actual recovery time is 2 hours (restore) + 3 hours (reconfigure and test) = 5 hours, exceeding the RTO by 1 hour. Automating the configuration and validation steps (option D) reduces the post-restore manual effort, bringing the total recovery time closer to or within the 4-hour RTO. This directly addresses the gap without altering the RTO or neglecting testing.

Exam trap

ISC2 often tests the distinction between RTO and RPO, and the trap here is that candidates confuse reducing RPO (data loss) with fixing a time-based gap, or they incorrectly assume that simply increasing the RTO is an acceptable solution without considering process improvement.

How to eliminate wrong answers

Option A is wrong because conducting the restore test only during annual drills does not fix the daily operational gap; it merely postpones validation, leaving the recovery process untested and potentially non-compliant with the RTO. Option B is wrong because reducing the RPO (recovery point objective) addresses data loss tolerance, not recovery time; it does not reduce the 5-hour total recovery duration. Option C is wrong because increasing the RTO to 6 hours accepts the inefficiency rather than fixing it; best practice is to improve the process to meet the original RTO, not relax the requirement.

532 · MCQ · medium

An attacker intercepts communication between two parties by sending forged ARP messages. This is an example of which type of attack?

A. Sniffing
B. Spoofing
C. DoS
D. Man-in-the-middle

Answer: D

ARP poisoning enables interception of communications.

Why this answer

ARP poisoning enables man-in-the-middle attacks by associating the attacker's MAC address with the victim's IP address in other hosts' ARP caches.

533 · MCQ · medium

A critical zero-day vulnerability is actively being exploited in the wild, affecting an organization's internet-facing application. Which patching approach should be taken?

A. Isolate the application from the network and wait for a vendor patch.
B. Deploy an emergency patch without testing.
C. Implement a web application firewall (WAF) as a permanent solution.
D. Follow the standard patch lifecycle with testing.

Answer: B

Emergency patching prioritizes speed over testing to mitigate an immediate threat.

Why this answer

Emergency patching is used for vulnerabilities that are actively exploited or have high severity, bypassing normal testing cycles to reduce risk quickly.

534 · Multi-Select · easy

Which TWO of the following are best practices for password management in a corporate environment?

Select 2 answers
A. Store passwords in plaintext in a shared document.
B. Enforce password complexity requirements.
C. Prohibit password changes more than once per year.
D. Share passwords among team members for shared accounts.
E. Implement multi-factor authentication.

Answers: B, E

Complex passwords are harder to guess or crack.

Why this answer

Option B is correct because enforcing password complexity requirements (e.g., minimum length, character types) reduces the risk of brute-force and dictionary attacks by increasing the effective keyspace. Option E is correct because multi-factor authentication (MFA) adds an additional layer of security beyond the password, mitigating credential theft or reuse. Together, they form a defense-in-depth approach to authentication security.

Exam trap

ISC2 often tests the misconception that frequent password changes improve security, but the CC exam expects candidates to know that NIST now recommends against mandatory periodic changes unless there is evidence of compromise, and that sharing passwords is never a best practice.

535 · MCQ · medium

According to the (ISC)² Code of Ethics, which of the following obligations takes the highest priority?

A. Advance the profession
B. Act honourably
C. Provide diligent service
D. Protect society

Answer: D

Protect society is the highest priority.

Why this answer

The Code of Ethics prioritizes protecting society, the common good, and the public trust.

536 · Multi-Select · easy

Which TWO of the following are examples of physical access controls?

Select 2 answers
A. Encryption
B. Biometric scanners
C. Smart cards
D. Intrusion Prevention Systems (IPS)
E. Firewalls

Answers: B, C

Biometrics are physical attributes used for authentication.

Why this answer

Biometric scanners (Option B) are physical access controls because they authenticate individuals based on unique biological traits (e.g., fingerprints, iris patterns) to grant or deny entry to a physical space, such as a server room or data center. This is a tangible, hardware-based mechanism that directly controls physical access, aligning with the definition of physical access controls in the CC exam.

Exam trap

ISC2 often tests the distinction between physical controls (tangible, hardware-based mechanisms that restrict physical access) and logical/technical controls (software or network-based protections), causing candidates to mistakenly classify encryption or firewalls as physical controls.

537 · MCQ · easy

A company is creating a business continuity plan. Which analysis should be performed first to identify critical business functions and their dependencies?

A. Vulnerability assessment
B. Business Impact Analysis (BIA)
C. Risk assessment
D. Gap analysis

Answer: B

BIA identifies critical business functions, dependencies, and recovery priorities.

Why this answer

A Business Impact Analysis (BIA) is the first step in BCP to identify critical functions, dependencies, and recovery requirements.

538 · MCQ · hard

An attacker sends a forged ARP response to a switch, associating the attacker's MAC address with the IP address of the default gateway. The switch updates its ARP cache accordingly. This is an example of which attack?

A. MAC flooding
B. DNS spoofing
C. IP spoofing
D. ARP spoofing

Answer: D

Forged ARP replies redirect traffic to the attacker.

Why this answer

ARP spoofing (or ARP poisoning) involves sending fake ARP messages to associate the attacker's MAC with a legitimate IP, enabling man-in-the-middle attacks.

539 · MCQ · hard

A security professional is evaluating a system that uses a trust model where every component authenticates to each other before communicating. Which security principle does this model exemplify?

A. Least privilege
B. Separation of duties
C. Non-repudiation
D. Defense in depth

Answer: D

Mutual authentication adds a layer of security, exemplifying defense in depth.

Why this answer

Correct: D, Defense in depth. While zero trust is a model, defense in depth is the principle of multiple layers, and mutual authentication is one such layer. Option A is wrong because least privilege is about access rights. Option B is wrong because separation of duties divides roles. Option C is wrong because non-repudiation prevents denial of an action.

540 · MCQ · medium

An organization needs to prioritize recovery of systems after a disaster. Which metric directly indicates the maximum acceptable outage time for a business function?

A. Recovery Time Objective (RTO)
B. Maximum Tolerable Downtime (MTD)
C. Recovery Point Objective (RPO)
D. Work Recovery Time (WRT)

Answer: B

MTD is the maximum acceptable outage time.

Why this answer

Maximum Tolerable Downtime (MTD) is the maximum time a business function can be unavailable before causing unacceptable harm.

541 · MCQ · medium

During a BIA, the maximum tolerable downtime for a critical application is determined to be 4 hours. The IT team estimates system recovery will take 2 hours, but additional manual work to reconcile data will take 1 hour. What is the Recovery Time Objective (RTO)?

A. 1 hour
B. 2 hours
C. 4 hours
D. 3 hours

Answer: B

The RTO is the time to restore the system, which is 2 hours.

Why this answer

RTO is the time within which systems must be recovered to avoid unacceptable consequences. Here, the system must be back within 2 hours to meet the 4-hour MTD, but recovery includes both system restoration and work recovery. The RTO is typically the time to restore systems to a functional state, which is 2 hours.

542 · Multi-Select · hard

Which THREE are common indicators of a compromised system? (Select THREE.)

Select 3 answers
A. Unexpected software installations
B. Unusual outbound network connections
C. High CPU usage during business hours
D. System uptime greater than 30 days
E. Multiple failed login attempts leading to account lockout

Answers: A, B, E

Malware often installs without user consent.

Why this answer

Unexpected software installations are a common indicator of compromise because attackers often deploy malware, backdoors, or remote access tools (RATs) without user consent. In a CC context, this aligns with the principle that unauthorized software changes signal a breach, as legitimate installations typically follow change management processes. The presence of unknown executables or services in the system's process list or startup entries is a red flag.

Exam trap

ISC2 often tests the distinction between symptoms of normal operations (e.g., high CPU usage during business hours) and true indicators of compromise, tricking candidates into selecting benign metrics as signs of a breach.

543 · MCQ · medium

Refer to the exhibit. Based on the exhibit, which traffic will be permitted?

A. All traffic from 192.168.1.100
B. All traffic from 10.0.1.0/24
C. SSH traffic from any source to 192.168.1.100
D. HTTP traffic from any source to 192.168.1.100

Answer: D

The permit statement allows TCP port 80 (HTTP) traffic to host 192.168.1.100 from any source.

Why this answer

The exhibit shows an access control list (ACL) that permits TCP traffic from any source to destination host 192.168.1.100 on port 80 (HTTP). The ACL entry is `permit tcp any host 192.168.1.100 eq 80`, which matches only HTTP traffic. Therefore, only HTTP traffic from any source to 192.168.1.100 is permitted.

Exam trap

ISC2 often tests the distinction between source and destination in ACL statements, and the trap here is that candidates misread the ACL as permitting traffic from 192.168.1.100 (source) rather than to it (destination), or confuse the port number (80 for HTTP vs. 22 for SSH).

How to eliminate wrong answers

Option A is wrong because the ACL does not permit all traffic from 192.168.1.100; it only permits inbound HTTP traffic to that host, and the source is 'any', not a specific source. Option B is wrong because the ACL does not reference the 10.0.1.0/24 network at all; the source is 'any', and the destination is a single host, not a subnet. Option C is wrong because SSH uses TCP port 22, not port 80; the ACL explicitly matches port 80 (HTTP), so SSH traffic would be denied.

544 · MCQ · easy

Which of the following is considered Sensitive PII?

A. Email address
B. Social Security Number
C. Phone number
D. Name

Answer: B

Correct. SSN is sensitive because it can lead to identity theft.

Why this answer

Sensitive PII includes information that could cause harm if disclosed, such as medical records, financial account numbers, and biometric data.

545 · Multi-Select · medium

A security analyst is reviewing physical security controls. Which TWO are considered layered physical security measures for external perimeter protection?

Select 2 answers
A. Fencing around the property
B. Lighting in parking lots
C. Biometric reader on server room door
D. Cable locks on laptops
E. Chassis locks on servers

Answers: A, B

Fencing is a perimeter barrier.

Why this answer

Fencing and lighting are external perimeter controls.

546 · MCQ · medium

A security analyst is implementing a solution to ensure that data transmitted between two servers cannot be read by unauthorized parties. Which security principle is the analyst primarily addressing?

A. Integrity
B. Confidentiality
C. Availability
D. Authentication

Answer: B

Correct. Encryption protects confidentiality by preventing unauthorized disclosure.

Why this answer

Confidentiality ensures that data is not disclosed to unauthorized individuals or systems. Encryption is a key mechanism to protect confidentiality of data in transit.

547 · MCQ · easy

Refer to the exhibit. An AWS IAM policy is shown. Which action is permitted by this policy?

A. Upload objects to the bucket.
B. List all objects in the bucket.
C. Delete objects from the bucket.
D. Read objects from the bucket.

Answer: D

s3:GetObject allows reading (downloading) objects.

Why this answer

The IAM policy grants the `s3:GetObject` action, which allows reading objects from the specified S3 bucket. This action corresponds to downloading or retrieving the content of an object, making option D correct.

Exam trap

ISC2 often tests the distinction between read actions (`s3:GetObject`) and list actions (`s3:ListBucket`), trapping candidates who assume that reading objects also allows listing them.

How to eliminate wrong answers

Option A is wrong because uploading objects requires the `s3:PutObject` action, which is not listed in the policy. Option B is wrong because listing objects requires the `s3:ListBucket` action, which is not included in the policy. Option C is wrong because deleting objects requires the `s3:DeleteObject` action, which is absent from the policy.

548 · MCQ · medium

A user reports that they are unable to access a shared network drive that they previously could access. The administrator checks permissions and finds the user's account is still a member of the correct group. What should the administrator check next?

A. Group membership inheritance
B. User account lockout status
C. Check for explicit deny permissions on the folder
D. Effective permissions

Answer: C

Deny entries override allows and can cause access issues even with correct group membership.

Why this answer

Even if group membership is correct, explicit deny permissions can override allow permissions. Checking for deny entries on the folder is a logical next step. User lockout would affect all accesses.

Effective permissions would show the combined result but checking for denies is more direct. Password expiration is a login issue, not a permissions issue.

549 · MCQ · hard

An administrator configures a Group Policy Object (GPO) in Active Directory to enforce account lockout after 5 failed attempts within 15 minutes. Which type of control is this?

A. Administrative access control
B. Logical access control
C. Compensating control
D. Physical access control

Answer: B

Correct. Lockout is enforced by the operating system or application, a logical control.

Why this answer

Logical access controls are software-based mechanisms that govern access to systems. Account lockout policies are logical controls.

550 · MCQ · medium

Refer to the exhibit. Based on the report, which improvement is most appropriate?

A. Increase backup frequency
B. Reduce network failover time
C. Implement load balancing
D. Switch to synchronous replication

Answer: D

Synchronous replication guarantees transaction consistency across sites.

Why this answer

Asynchronous replication can lead to data inconsistency during failover. Switching to synchronous replication ensures data consistency at the cost of some latency.

551 · Multi-Select · medium

A network engineer is designing a DMZ. Which three servers should typically be placed in the DMZ? (Choose THREE.)

Select 3 answers
A. Web server
B. DHCP server
C. Mail server
D. Database server
E. DNS server

Answers: A, C, E

Correct. Web servers are public-facing.

Why this answer

Public-facing servers like web, mail, and DNS servers are typically placed in a DMZ to isolate them from the internal network. DHCP servers are usually internal, and database servers are kept internal for security.

552 · Multi-Select · medium

Which TWO are best practices for managing backup media?

Select 2 answers
A. Encrypt backup data
B. Keep backups on the same server for easy access
C. Store backups in a separate physical location
D. Use only tape media
E. Test backups annually

Answers: A, C

Encryption protects sensitive data from unauthorized access.

Why this answer

Encrypting backup data ensures confidentiality and integrity during transit and at rest, protecting against unauthorized access if media is lost or stolen. This is a critical best practice for compliance with standards like GDPR or HIPAA, and aligns with the principle of defense in depth. Without encryption, backup media becomes a significant security vulnerability.

Exam trap

ISC2 often tests the 3-2-1 backup rule (three copies, two different media, one offsite) to trick candidates into thinking that keeping backups on the same server is acceptable for convenience, when it actually violates the core principle of redundancy.

553 · MCQ · easy

A security team configures a system to record all user activities for audit purposes. Which principle is being applied?

A. Accountability
B. Integrity
C. Authentication
D. Confidentiality

Answer: A

Accountability ensures actions can be traced via logs.

Why this answer

Correct: A, Accountability. Accountability ensures actions can be traced to an individual through logging. Option B is wrong because integrity ensures data accuracy. Option C is wrong because authentication verifies identity. Option D is wrong because confidentiality prevents unauthorized disclosure.

554 · Multi-Select · hard

Which THREE are primary phases of the incident response lifecycle?

Select 3 answers
A. Containment
B. Forensic Analysis
C. Preparation
D. Data Archiving
E. Detection

Answers: A, C, E

Containment phase limits damage and prevents spread.

Why this answer

Containment is a primary phase of the incident response lifecycle because it focuses on stopping the spread of an incident and preventing further damage. In the NIST SP 800-61 framework, containment is explicitly listed as a core phase, following detection and analysis. This phase includes actions such as isolating affected systems, blocking malicious IPs via ACLs, or disabling compromised accounts to limit the blast radius.

Exam trap

ISC2 often tests the distinction between primary phases and supporting activities, so candidates mistakenly select 'Forensic Analysis' or 'Data Archiving' as primary phases when they are actually tasks performed within the Containment or Post-Incident phases.

555 · Multi-Select · medium

A security auditor is reviewing access controls at a financial institution. The auditor identifies a scenario where one employee can initiate a payment transaction, and the same employee can also approve it. Which access control principle is being violated, and what is the primary risk?

Select 1 answer
A. Separation of duties; risk of fraud
B. Defense in depth; risk of single point of failure
C. Need-to-know; risk of data exposure
D. Least privilege; risk of excessive permissions
E. Privileged access management; risk of account compromise

Answer: A

Correct. Separation of duties prevents a single person from performing conflicting tasks, reducing fraud risk.

Why this answer

Separation of duties requires that no single person has the ability to complete a high-risk action without another person's involvement. The scenario describes a violation of this principle, which increases the risk of fraud because an individual could both initiate and approve a fraudulent payment without oversight.

556 · Multi-Select · medium

A security analyst is reviewing access control mechanisms. Which TWO of the following are examples of logical access controls? (Select two.)

Select 2 answers
A. Security guard at entrance
B. Smart card authentication for system access
C. Bollards at parking lot
D. Password policy enforcing complexity
E. Perimeter fence

Answers: B, D

Smart cards are logical controls for authentication.

Why this answer

Logical access controls are technology-based mechanisms. Passwords and smart cards are logical; fences and guards are physical.

557 · MCQ · easy

Which of the following is an example of a detective control?

A. Security awareness training
B. Firewall
C. Encryption
D. Intrusion Detection System (IDS)

Answer: D

IDS monitors and detects potential security breaches.

Why this answer

Option D is correct because an Intrusion Detection System (IDS) detects and alerts on suspicious activity. Option A (security awareness training) is a directive control. Option B (firewall) is a preventive control. Option C (encryption) is a preventive control.

558 · MCQ · medium

An organization wants to implement defense in depth for its web application. Which combination of controls best illustrates this principle?

A. A strict perimeter firewall without internal controls.
B. Encryption at rest only.
C. A firewall, intrusion detection system, and regular security awareness training.
D. A single strong password policy.

Answer: C

This combines technical, physical, and administrative controls at multiple layers, which is defense in depth.

559 · MCQ · hard

A security incident report indicates that an employee used their access to view confidential records unrelated to their job. Which security principle was most likely violated?

A. Separation of duties
B. Availability
C. Least privilege
D. Non-repudiation

Answer: C

Least privilege requires limiting access to only what is necessary for job functions; the employee had excessive access.

560 · MCQ · easy

Which of the following is an example of a physical control that supports the availability principle of the CIA triad?

A. Data encryption
B. Biometric authentication
C. Digital signatures
D. Redundant servers

Answer: D

Correct. Redundancy ensures availability if one server fails.

Why this answer

Availability ensures systems are accessible when needed. Redundant servers provide failover capability, minimizing downtime.

561 · MCQ · hard

An organization uses a Privileged Access Management (PAM) solution. Which of the following is a primary benefit of PAM?

A. Controls and monitors privileged access
B. Provides a single sign-on for all users
C. Eliminates the need for passwords
D. Automates user provisioning for all accounts

Answer: A

PAM provides oversight and control over admin accounts.

Why this answer

PAM solutions monitor, control, and audit privileged account usage, reducing risk of misuse.

562 · MCQ · medium

A medium-sized company uses a SIEM solution to collect logs from firewalls, servers, and endpoints. The security team receives an alert indicating a possible data exfiltration: an employee's workstation is sending large amounts of data to an external IP address outside business hours. The employee works in the finance department and has access to sensitive financial records. The SIEM shows the connection is ongoing. The security team must respond immediately to contain the incident while preserving evidence. The company's incident response plan designates the security team as first responders. Which of the following is the BEST first action?

A. Block the external IP address at the firewall and disconnect the workstation from the network.
B. Notify the employee's manager and wait for further instructions.
C. Call the employee to ask if they are transferring files for a legitimate business purpose.
D. Take a forensic image of the workstation's hard drive before anything else.

Answer: A

Stops data exfiltration and isolates the system, following incident response best practices.

Why this answer

Option A is correct because it stops the data flow and isolates the system, containing the incident. Option C could tip off the employee if the activity is malicious and delays containment. Option D is important but should be performed after containment, which itself preserves evidence by stopping further changes. Option B delays the response and may allow further damage.

563 · MCQ · medium

Which of the following is the most effective way to prevent tailgating in a secured facility?

A. Training employees to not hold doors open for unknown individuals.
B. Installing security cameras at all entrances.
C. Using keycard access for all doors.
D. Hiring security guards to monitor entrances.

Answer: A

Awareness training directly addresses the human behavior that enables tailgating.

Why this answer

Tailgating occurs when an unauthorized person follows an authorized person through a door. Employee awareness training teaches staff not to hold doors open for strangers.

564 · MCQ · medium

Refer to the exhibit. A security analyst observes repeated outbound connection attempts from an internal server to external IP addresses on a non-standard port. What is the MOST likely interpretation?

A. The server is being used for remote desktop access
B. The server is performing a port scan
C. The server is a legitimate mail server
D. The server is infected with malware

Answer: D

Beaconing to multiple external IPs on a non-standard port is a common malware behavior.

Why this answer

Repeated outbound connection attempts from an internal server to external IP addresses on a non-standard port are a classic indicator of malware command-and-control (C2) activity. Malware often uses non-standard ports to evade detection and establish outbound communication with an external attacker. This behavior is not typical of legitimate services, which use well-known ports and protocols.

Exam trap

ISC2 often tests the distinction between outbound connection attempts (indicative of malware C2) and inbound connection attempts (indicative of remote access or scanning), leading candidates to mistakenly choose remote desktop or port scanning.

How to eliminate wrong answers

Option A is wrong because remote desktop access (e.g., RDP) uses TCP port 3389 by default, not a non-standard port, and would typically involve inbound connections, not repeated outbound attempts. Option B is wrong because a port scan involves sending packets to multiple ports on a target to discover open services, not repeated outbound connection attempts from a single server to external IPs on a single non-standard port. Option C is wrong because a legitimate mail server uses standard ports such as TCP 25 (SMTP), 587 (submission), or 993 (IMAPS), and would not repeatedly connect to arbitrary external IPs on a non-standard port.

565 · MCQ · easy

Which OSI layer is responsible for routing packets based on IP addresses?

A. Layer 3 – Network
B. Layer 1 – Physical
C. Layer 4 – Transport
D. Layer 2 – Data Link

Answer: A

Network layer routes packets using IP addresses.

Why this answer

Layer 3 (Network) handles packet forwarding and routing using IP addresses.

566 · Multi-Select · medium

Which TWO of the following are core principles of information security?

Select 2 answers
A. Authentication
B. Integrity
C. Confidentiality
D. Non-repudiation
E. Availability

Answers: B, C

Integrity ensures data is accurate and not modified improperly.

Why this answer

The core principles of information security are the CIA triad: Confidentiality, Integrity, and Availability. Integrity (B) ensures data has not been altered or tampered with, typically verified through hashing algorithms like SHA-256 or HMAC. Confidentiality (C) protects data from unauthorized access, often enforced via encryption (e.g., AES-256).

These three form the foundational security model, while other options are supporting mechanisms.

Exam trap

ISC2 often tests whether candidates can distinguish between core principles (CIA triad) and supporting security services (authentication, non-repudiation), leading many to incorrectly select authentication or non-repudiation as core principles instead of availability.

567 · Multi-Select · easy

Which two of the following are common types of security controls?

Select 2 answers
A. Corrective
B. Preventative
C. Detective
D. Predictive
E. Reactive

Answers: B, C

Preventative controls block attacks before they occur.

Why this answer

Detective and Preventative controls are foundational security control categories. Corrective is also a category but not listed as one of the two most common; Reactive and Predictive are not standard categories.

568 · MCQ · easy

A small business wants to protect its customer data by ensuring that only employees who need access to perform their jobs can view it. Which security principle is being applied?

A. Separation of duties
B. Defense in depth
C. Least privilege
D. Need-to-know

Answer: C

Least privilege ensures users have only necessary permissions.

Why this answer

Least privilege grants users only the permissions necessary to perform their job functions. Option A (Separation of duties) divides critical tasks among multiple people. Option B (Defense in depth) uses multiple layers of security. Option D (Need-to-know) restricts access to the specific data required for a role, but least privilege is the overarching principle.

569 · MCQ · medium

A healthcare organization uses a legacy application that stores patient records in plain text. The IT team is planning to upgrade the system but needs to ensure compliance with HIPAA. The new system will be hosted on-premises and accessed by doctors and nurses via a web portal. The security team proposes implementing a VPN for remote access, but the CEO wants to allow access from any device without VPN for convenience. Which principle should guide the decision?

A. Defense in depth
B. Least privilege
C. Security is an enabler
D. Risk acceptance

Answer: A

Defense in depth emphasizes multiple layers; a VPN alone is insufficient.

Why this answer

Defense in depth emphasizes multiple layers of security; a VPN alone is insufficient to protect sensitive health records. The CEO's request sacrifices security for convenience, and risk acceptance is not the best approach when stronger controls are feasible.

570
MCQmedium

A security analyst detects a large number of incomplete TCP connection requests (SYN segments) directed at a server. This is indicative of which type of attack?

A.ICMP flood
B.UDP flood
C.Smurf attack
D.SYN flood
AnswerD

A SYN flood abuses the TCP three-way handshake by sending many SYN segments and never completing the handshake, leaving the server holding half-open connections.

Why this answer

SYN flood is a DoS attack that exhausts server resources by initiating many half-open connections.

571
MCQeasy

Which process involves verifying the identity of a user who claims to be a specific person?

A.Authorization
B.Authentication
C.Identification
D.Accounting
AnswerB

Correct. Authentication verifies the claimed identity.

Why this answer

Authentication is the process of proving a claimed identity, typically with passwords, biometrics, or tokens.

572
MCQhard

Refer to the exhibit. A security analyst notices that a user with the Finance role is able to write to /finance/data from a macOS device at 10:00 AM. The policy shown is the only policy affecting this resource. What is the most likely reason for this behavior?

A.The condition is evaluated as OR instead of AND.
B.The time condition is evaluated as BETWEEN 09:00 and 17:00 exclusive.
C.The policy is misconfigured with effect Deny.
D.The user's device attribute is incorrectly set to Windows.
AnswerD

If the device OS attribute is recorded wrongly, the Deny rule's device condition is never satisfied and the rule never fires.

Why this answer

Option D is correct because the Deny rule almost certainly carries a device condition alongside its role, resource and time conditions (for example, denying writes unless the device is Windows). If the device attribute for this macOS endpoint is recorded as Windows, that condition is not met, the Deny rule never matches, and evaluation falls through to the default Allow (or a broader Allow rule), which permits the write. Wrong or stale device attributes are a common cause of unintended access in attribute-based policies.

Exam trap

ISC2 often tests the nuance that a Deny rule with unmet conditions does not block access—candidates mistakenly assume a Deny rule always denies, but in policy engines, a rule only applies if all its conditions are true; otherwise, the engine falls through to the next rule or default action.

How to eliminate wrong answers

Option A is wrong because the exhibit shows a single condition block; when a rule has several conditions, policy engines require all of them to hold (AND), and OR evaluation would, if anything, make the Deny match more often, not less. Option B is wrong because 10:00 lies well inside 09:00 to 17:00 whether or not the endpoints are inclusive, so the time condition is satisfied and cannot explain why the write was allowed. Option C is wrong because the rule's effect is Deny, as intended; the problem is that the Deny is never triggered because one of its conditions fails to match.

573
MCQeasy

Which principle ensures that a user is granted only the permissions necessary to perform their job functions, thereby reducing the potential impact of a compromised account?

A.Least privilege
B.Need-to-know
C.Separation of duties
D.Defense in depth
AnswerA

Correct. Least privilege grants only the minimum permissions needed.

Why this answer

Least privilege limits permissions to the minimum required, reducing the blast radius if an account is compromised.

574
MCQeasy

Refer to the exhibit. An SOC analyst pulled this log snippet. Which type of attack is most likely in progress?

A.Phishing
B.DDoS attack
C.Man-in-the-middle
D.Insider threat
AnswerB

Coordinated traffic from many sources to a single target is characteristic of DDoS.

Why this answer

The log snippet shows a massive volume of incoming traffic from multiple source IPs targeting a single destination, which is characteristic of a distributed denial-of-service (DDoS) attack. The high packet rate and diverse source addresses indicate an attempt to overwhelm the target's resources, such as bandwidth or server capacity, making services unavailable to legitimate users.

Exam trap

ISC2 often tests the distinction between DDoS and DoS by including logs with multiple source IPs, where candidates might mistakenly focus on the high traffic volume alone and overlook the distributed nature, leading them to choose a generic 'DoS' or another attack type.

How to eliminate wrong answers

Option A is wrong because phishing involves deceptive messages (e.g., emails) to trick users into revealing credentials or installing malware, not a flood of network traffic from many sources. Option C is wrong because a man-in-the-middle attack intercepts and potentially alters communications between two parties, which would show unusual traffic patterns or certificate anomalies, not a high-volume flood from multiple IPs. Option D is wrong because an insider threat originates from within the organization, typically involving unauthorized access or data exfiltration, not a distributed traffic flood from external sources.
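As an added example (Python; not from the question bank), here is the detection logic behind the two situations in questions 570 and 574: a pile-up of half-open TCP connections, and attack traffic spread across many sources. The packet-summary log lines are constructed for this illustration, and the thresholds are placeholders to tune per environment; a real deployment would parse Zeek conn.log, firewall syslog or NetFlow instead.

```python
# Added example (Python, not from the ISC2 question bank): classify flood traffic
# of the kind described in questions 570 and 574. The packet-summary log format
# below is constructed for this illustration; a real deployment would parse
# Zeek conn.log, firewall syslog or NetFlow instead.
from collections import defaultdict

# Constructed packet summaries: "<time> <src_ip>:<port> -> <dst_ip>:<port> <TCP flags>"
SAMPLE_LOG = [
    # one legitimate handshake to 192.0.2.5:443 (client SYN, server SYN-ACK, client ACK)
    "10:00:01.001 203.0.113.10:40001 -> 192.0.2.5:443 S",
    "10:00:01.002 192.0.2.5:443 -> 203.0.113.10:40001 SA",
    "10:00:01.003 203.0.113.10:40001 -> 192.0.2.5:443 A",
    # one legitimate handshake to 192.0.2.7:22
    "10:00:01.010 203.0.113.11:40002 -> 192.0.2.7:22 S",
    "10:00:01.011 192.0.2.7:22 -> 203.0.113.11:40002 SA",
    "10:00:01.012 203.0.113.11:40002 -> 192.0.2.7:22 A",
]
# 40 SYNs from 40 different sources against 192.0.2.5:443, never completed (distributed)
SAMPLE_LOG += [f"10:00:02.{i:03d} 198.51.100.{i}:5{i:04d} -> 192.0.2.5:443 S" for i in range(1, 41)]
# 40 SYNs from one source against 192.0.2.6:80, never completed (single source)
SAMPLE_LOG += [f"10:00:03.{i:03d} 198.51.100.99:6{i:04d} -> 192.0.2.6:80 S" for i in range(1, 41)]

SYN_THRESHOLD = 20        # SYNs per target before we look closer (tune to the environment)
HALF_OPEN_RATIO = 0.8     # fraction of SYNs that never became full connections
DISTRIBUTED_SOURCES = 10  # distinct sources above which the flood counts as distributed


def parse(line):
    ts, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, int(src_port), dst_ip, int(dst_port), flags


def summarize(lines):
    """Per (dst_ip, dst_port): SYNs seen, handshakes completed, distinct sources."""
    pending = set()  # client 4-tuples that sent SYN and have not yet sent the final ACK
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "sources": set()})
    for line in lines:
        _, sip, sport, dip, dport, flags = parse(line)
        key = (sip, sport, dip, dport)
        if flags == "S":                       # client opens: half-open until its ACK arrives
            pending.add(key)
            stats[(dip, dport)]["syn"] += 1
            stats[(dip, dport)]["sources"].add(sip)
        elif flags == "A" and key in pending:  # third step of the handshake: connection established
            pending.discard(key)
            stats[(dip, dport)]["completed"] += 1
    return stats


def classify(stats):
    """Label each target: normal, single-source SYN flood (DoS) or distributed SYN flood (DDoS)."""
    verdicts = {}
    for (dip, dport), d in stats.items():
        half_open = d["syn"] - d["completed"]
        ratio = half_open / d["syn"] if d["syn"] else 0.0
        if d["syn"] >= SYN_THRESHOLD and ratio >= HALF_OPEN_RATIO:
            if len(d["sources"]) >= DISTRIBUTED_SOURCES:
                verdict = "distributed SYN flood (DDoS)"
            else:
                verdict = "single-source SYN flood (DoS)"
        else:
            verdict = "normal"
        verdicts[f"{dip}:{dport}"] = verdict
    return verdicts


if __name__ == "__main__":
    for target, verdict in sorted(classify(summarize(SAMPLE_LOG)).items()):
        print(f"{target:18} {verdict}")
```

The half-open ratio is what separates a SYN flood from a busy but healthy service (many SYNs, almost all completed), and the distinct-source count is what separates DoS from DDoS, which is exactly the distinction the exam trap in 574 turns on. Spoofed source addresses make the source count unreliable for attribution, but not for deciding that the traffic is distributed.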

575
MCQeasy

An employee receives an email from an unknown sender claiming to be from the IT department, asking for their password to perform an urgent system update. What type of social engineering attack is this?

A.Phishing
B.Tailgating
C.USB drop attack
D.Piggybacking
AnswerA

Phishing uses deceptive emails to obtain sensitive information.

Why this answer

Phishing is a social engineering attack where attackers impersonate legitimate entities to trick victims into revealing sensitive information.

576
MCQhard

You are the lead SOC analyst for a medium-sized financial services company. The company uses a hybrid infrastructure with on-premises servers and cloud services (AWS). The SIEM is Splunk Enterprise, collecting logs from firewalls, IDS/IPS, endpoints (Windows and Linux), and AWS CloudTrail. Recently, the company experienced a ransomware attack that encrypted critical file servers. The initial infection vector was a phishing email that led to the download of a malicious macro-enabled document. The document was executed on a Windows workstation, which then established a C2 connection to an external IP. The C2 traffic was over HTTPS, and the workstation was part of the domain. After the attack, the forensic team found that the workstation had Windows Event Logs cleared, and the local admin account had been used to disable the antivirus. The C2 IP was later blocked, but the ransomware had already spread to file servers via SMB. As part of the lessons learned, you need to recommend improvements to prevent and detect such attacks in the future. Which of the following is the BEST course of action to address the specific weaknesses exploited in this incident?

A.Increase the frequency of vulnerability scans and patch all systems within 24 hours of patch release.
B.Implement application whitelisting, disable macros by default, enforce strong local administrator passwords, and segment the network to restrict SMB traffic between workstations and servers.
C.Deploy additional IDS/IPS sensors and tune the SIEM to detect C2 traffic patterns.
D.Require multi-factor authentication (MFA) for all remote access and privileged account use.
AnswerB

These controls directly address the attack vectors: macro execution, local admin abuse, and lateral movement via SMB.

Why this answer

Option B directly addresses the attack chain: disabling macros by default prevents the initial infection vector, application whitelisting blocks unauthorized executables (including the ransomware), strong local admin passwords hinder credential abuse, and network segmentation restricts SMB lateral movement. This combination targets the specific weaknesses exploited (macro execution, antivirus disablement via local admin, and SMB propagation) rather than just detecting or patching after the fact.

Exam trap

ISC2 often tests that preventive controls aimed at the exploited weaknesses (macro control, whitelisting, segmentation) beat generic detection (IDS/IPS tuning) or controls that never touch the attack chain (patch cadence, MFA for remote access) when the chain exploits user behavior and local credentials rather than unpatched vulnerabilities.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning and patching do not prevent phishing-based macro execution or local admin abuse; the attack exploited user behavior and weak local credentials, not unpatched vulnerabilities. Option C is wrong because additional IDS/IPS and SIEM tuning for C2 traffic only improves detection, not prevention; the C2 traffic was over HTTPS (encrypted), making pattern detection difficult, and the ransomware had already spread before the C2 IP was blocked. Option D is wrong because MFA for remote access and privileged accounts does not address the local admin account used to disable antivirus on the workstation, nor does it prevent macro execution or SMB lateral movement within the internal network.

577
MCQmedium

Which protocol is considered insecure because it transmits data, including credentials, in cleartext?

A.SFTP
B.SSH
C.Telnet
D.HTTPS
AnswerC

Correct. Telnet transmits data in cleartext.

Why this answer

Telnet (port 23) sends all data in cleartext, making it vulnerable to eavesdropping. SSH is the secure alternative.

578
MCQhard

An organization classifies data as 'Confidential' and requires encryption both at rest and in transit. Which data classification level best fits this requirement?

A.Confidential
B.Restricted/Top Secret
C.Internal/Private
D.Public
AnswerA

Confidential data typically requires encryption to protect against unauthorized disclosure.

Why this answer

Confidential data typically requires strong protection like encryption; restricted/top secret may require even higher controls.

579
Matchingmedium

Match each phase of the incident response process to its description.

Concepts and matches (phases per NIST SP 800-61)

Preparation: Train and equip the team

Detection and Analysis: Identify and scope the incident

Containment, Eradication, and Recovery: Stop the spread and restore systems

Post-Incident Activity: Lessons learned and reporting

Why these pairings

These phases are from NIST SP 800-61 and ISC2 CC.

580
MCQmedium

Refer to the exhibit. What action did the firewall take on the traffic from 10.0.1.15 to 10.0.2.10?

A.Logged and permitted
B.Denied the traffic
C.Permitted the traffic
D.Translated the source address
AnswerB

The syslog message explicitly states 'denied'.

Why this answer

The firewall denied the traffic from 10.0.1.15 to 10.0.2.10: the rule that matched is an explicit deny for that source, and the syslog entry in the exhibit records the drop. Rules are processed top down and the first match wins, so once the deny matched, no later permit entry was considered.

Exam trap

ISC2 often tests the sequential processing of ACLs, where candidates mistakenly think a later permit rule overrides an earlier deny rule, but the first match always wins.

How to eliminate wrong answers

Option A is wrong because the traffic was not permitted; the event was logged (that is how the analyst sees it), but logging a deny does not turn it into a permit. Option C is wrong because the first matching rule is a deny, so the packet is dropped before any later permit rule is evaluated. Option D is wrong because the message records a deny, not a translation; a dropped packet is never forwarded, so no source translation takes effect.
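As an added example (Python; not part of the question bank or of any vendor's policy engine), the first-match evaluation that questions 572 and 580 both turn on: a rule applies only when every one of its conditions holds, otherwise the engine falls through, and the first rule that matches decides the outcome. The rules, attribute names, default actions and the condition the Deny in 572 is assumed to carry (device OS not Windows, between 09:00 and 17:00) are assumptions, since neither exhibit is reproduced on the page.

```python
# Added example (Python, not from the ISC2 question bank): a minimal first-match
# policy engine. Rules, attribute names and defaults are assumptions chosen to
# mirror questions 572 and 580; the exhibits themselves are not on the page.
from dataclasses import dataclass, field


def eq(value):
    return lambda v: v == value


def ne(value):
    return lambda v: v != value


def between(lo, hi):
    # inclusive range; zero-padded "HH:MM" strings compare correctly as text
    return lambda v: v is not None and lo <= v <= hi


def prefix(p):
    return lambda v: isinstance(v, str) and v.startswith(p)


@dataclass
class Rule:
    name: str
    effect: str                                     # "allow" or "deny"
    conditions: dict = field(default_factory=dict)  # attribute -> predicate; ALL must hold
    log: bool = False


def matches(rule, request):
    """A rule matches only when every condition holds; one mismatch and it does not apply."""
    return all(pred(request.get(attr)) for attr, pred in rule.conditions.items())


def evaluate(rules, request, default="allow"):
    """Return (effect, rule_name, logged). First matching rule wins; otherwise the default."""
    for rule in rules:
        if matches(rule, request):
            return rule.effect, rule.name, rule.log
    return default, "default", False


# Question 572 (assumed policy): Finance may write /finance/data during business
# hours only from Windows devices; anything else is denied. Default is allow.
FINANCE_POLICY = [
    Rule("deny-nonwindows-write", "deny", {
        "role": eq("Finance"),
        "action": eq("write"),
        "resource": eq("/finance/data"),
        "time": between("09:00", "17:00"),
        "device_os": ne("Windows"),
    }),
]


def finance_write(device_os_attribute):
    """Finance user writing /finance/data at 10:00 with the given device attribute."""
    req = {"role": "Finance", "action": "write", "resource": "/finance/data",
           "time": "10:00", "device_os": device_os_attribute}
    return evaluate(FINANCE_POLICY, req)


# Question 580 (assumed ACL): an explicit, logged deny for one host sits above a
# permit for its whole subnet. Implicit deny at the end.
ACL = [
    Rule("deny-10.0.1.15", "deny", {"src": eq("10.0.1.15")}, log=True),
    Rule("permit-10.0.1.0/24", "allow", {"src": prefix("10.0.1.")}),
]


def acl_check(src, dst):
    return evaluate(ACL, {"src": src, "dst": dst}, default="deny")


if __name__ == "__main__":
    print(finance_write("Windows"))  # attribute misreported: deny never matches, default allow
    print(finance_write("macOS"))    # correct attribute: deny
    print(acl_check("10.0.1.15", "10.0.2.10"))  # first match is the deny, the later permit is never reached
    print(acl_check("10.0.1.20", "10.0.2.10"))
```

The two scenarios are the same mechanism seen from opposite sides: in 572 a Deny whose conditions are not all true falls through to a permissive default, in 580 a Deny that matches first wins regardless of what follows it. Checking the attributes the engine actually receives, rather than what the endpoint really is, resolves the first; reading the rule list in order resolves the second.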

581
Multi-Selecthard

A company wants to mitigate the risk of a man-in-the-middle (MITM) attack. Which three measures are effective? (Choose THREE.)

Select 3 answers
A.Deploy a VPN for remote connections
B.Implement mutual authentication
C.Enable ARP spoofing protection
D.Use HTTPS with proper certificate validation
E.Use WPA2 encryption on the Wi-Fi network
AnswersA, B, D

Correct. VPNs encrypt all traffic between endpoints.

Why this answer

HTTPS with certificate validation gives an encrypted, server-authenticated session, a VPN puts all traffic in an encrypted and authenticated tunnel, and mutual authentication lets each party verify the other, defeating impersonation in both directions. Option C, ARP spoofing protection (for example dynamic ARP inspection on switches), does counter one local-segment MITM technique but is scoped to layer 2 on that segment; option E, WPA2, only protects the wireless hop and does nothing against an attacker beyond the access point or one already on the Wi-Fi. The key therefore selects the three end-to-end measures.

582
Multi-Selecthard

In incident response, which TWO are considered volatile data that should be collected first? (Select exactly 2.)

Select 2 answers
A.Hard drive contents
B.Network connections
C.Backup tapes
D.System logs
E.Memory contents
AnswersB, E

Active network connections are ephemeral and lost after reboot.

Why this answer

Network connections (option B) are volatile because they represent active communication channels that disappear when the system is powered off or disconnected. In incident response, collecting network connection data (e.g., using netstat -an) early preserves evidence of ongoing malicious activity, such as command-and-control (C2) traffic or lateral movement, before it is lost. Memory contents (option E) sit even higher on the order of volatility: running processes, injected code, decrypted keys and unsaved data exist only in RAM and vanish on power-off, so a memory image is normally taken before or alongside the network-state capture.

Exam trap

ISC2 often tests the distinction between volatile and non-volatile data, and the trap here is that candidates mistakenly classify system logs as volatile because they change frequently, but logs are stored on disk and are not lost on power-off, whereas network connections and memory are lost immediately.

583
MCQmedium

An account lockout policy is designed to mitigate which type of attack?

A.SQL injection
B.Man-in-the-middle
C.Phishing
D.Brute force
AnswerD

Lockout stops repeated password guessing.

Why this answer

Account lockout prevents brute force attacks by disabling the account after several failed attempts.

584
MCQeasy

A government agency stores classified documents on a secure server. The server is connected to the internet, but access is restricted using a firewall and requires two-factor authentication. An auditor discovers that the server's operating system has not been patched for over a year, making it vulnerable to remote code execution attacks. Which security principle is most directly compromised by this missing patch, and what is the best corrective action?

A.Confidentiality; test the patch in a dev environment first before applying to production
B.Non-repudiation; disconnect the server from the internet
C.Integrity; apply the security patch immediately
D.Availability; use a load balancer to distribute traffic
AnswerC

Prompt patching restores the integrity of the system and closes the vulnerability.

Why this answer

Correct: an unpatched remote code execution flaw lets an attacker alter the system and the data it holds, so integrity is the principle most directly at risk, and the right corrective action is to apply the security patch immediately (C). Option A names a plausible principle, but its action delays the fix on a server that is already internet-facing and exposed. Option B is wrong on both counts: non-repudiation has nothing to do with patch status, and disconnecting the server cuts off legitimate access rather than fixing the flaw. Option D is wrong because a load balancer addresses capacity, not a vulnerability.

585
MCQmedium

Based on the backup schedule, what is the maximum potential data loss?

A.9 hours (since Tuesday 01:00)
B.2 days (data since Monday)
C.33 hours (data since Tuesday 01:00)
D.1 day (data since last full backup)
AnswerC

Last successful backup was Tuesday 01:00; failure at Wednesday 10:00 = 33 hours.

Why this answer

The maximum potential data loss is the interval between the last backup that completed successfully and the point of failure, because that backup sets the recovery point. The schedule has a full backup on Monday at 01:00 and differential backups every 12 hours, and the last one that completed successfully is the Tuesday 01:00 differential; any differential scheduled after it did not complete, so it cannot be used for restoration. Recovery is therefore the Monday full plus the Tuesday 01:00 differential, and with the failure at Wednesday 10:00 everything written in the 33 hours since Tuesday 01:00 is lost.

A differential captures every change since the last full backup, so only the most recent successful differential is applied; failed later jobs do not break the chain, they simply widen the loss window back to the last good differential.

Exam trap

ISC2 often tests the distinction between full, differential, and incremental backups, and the trap here is confusing the last full backup as the recovery point when differential backups actually allow restoration to a much more recent point, causing candidates to overestimate data loss.

How to eliminate wrong answers

Option A is wrong because 9 hours would place the recovery point at Wednesday 01:00, and no backup completed then; the interval from Tuesday 01:00 to Wednesday 10:00 is 33 hours. Option B is wrong because 2 days (since Monday) assumes only the full backup is usable and ignores the successful Tuesday 01:00 differential. Option D is wrong on both counts: the last full backup was Monday 01:00, more than a day before the failure, and the differential moves the recovery point forward to Tuesday 01:00.

586
Multi-Selecthard

Which of the following are effective defenses against man-in-the-middle attacks? (Choose THREE)

Select 3 answers
A.Using HTTP instead of HTTPS
B.Educating users to verify certificates
C.Disabling ARP
D.Implementing HTTPS with proper certificate validation
E.Using a VPN to encrypt all traffic
AnswersB, D, E

Users can detect invalid certificates.

Why this answer

HTTPS with proper certificate validation encrypts and authenticates the session, a VPN carries all traffic through an encrypted and authenticated tunnel, and users who recognise certificate warnings will not click through a forged certificate. Option A is the opposite of a defense, and option C would break IPv4 address resolution on Ethernet rather than protect it; the layer-2 mitigation is dynamic ARP inspection, not disabling ARP.

587
Multi-Selectmedium

Which TWO of the following are components of the identification and authentication process? (Select TWO.)

Select 2 answers
A.Password
B.Username
C.Group policy
D.Access control list (ACL)
E.Role-based access control (RBAC)
AnswersA, B

Password is an authentication factor.

Why this answer

Identification claims an identity; authentication proves it.

588
Multi-Selecteasy

Which THREE of the following are considered fundamental security principles? (Select three).

Select 3 answers
A.Separation of duties
B.Single sign-on
C.Hashing
D.Least privilege
E.Defense in depth
AnswersA, D, E

Correct. Separation of duties is a key principle to prevent fraud and error.

Why this answer

Separation of duties is a fundamental security principle that prevents any single individual from having excessive control over critical processes by dividing responsibilities among multiple people. This reduces the risk of fraud, error, or abuse, as collusion would be required to bypass controls. It is a core concept in access control models and compliance frameworks like SOX and PCI DSS.

Exam trap

ISC2 often tests the distinction between a security principle (a high-level design guideline) and a security mechanism (a specific tool or technology), so candidates mistakenly select SSO or hashing because they are security-related, but they are not fundamental principles.

589
Multi-Selectmedium

A security team is designing a visitor management policy. Which TWO of the following are essential components? (Select TWO.)

Select 2 answers
A.Requiring visitors to provide a biometric scan
B.Performing background checks on all visitors
C.Issuing temporary visitor badges
D.Requiring an escort for visitors
E.Requiring visitors to sign in and out
AnswersD, E

Correct. Escort policy ensures visitors are supervised.

Why this answer

Visitor sign-in and escort policy are core to visitor management.

590
MCQmedium

An IT administrator wants to inspect HTTP traffic for malicious payloads such as SQL injection. Which network security device is most appropriate?

A.IDS
B.WAF
C.Honeypot
D.IPS
AnswerB

WAF is designed for application-layer HTTP inspection.

Why this answer

A Web Application Firewall (WAF) specializes in filtering and monitoring HTTP/HTTPS traffic at the application layer, commonly using rule sets such as the OWASP ModSecurity Core Rule Set to detect attacks like SQL injection. An IDS or IPS works on network traffic generally and lacks the HTTP parsing a WAF performs; a honeypot is a decoy, not an inspection device.

591
MCQeasy

During a ransomware incident, the incident response team isolates affected systems. Which of the following is the NEXT best step?

A.Preserve forensic evidence from the isolated systems.
B.Wipe and rebuild all affected systems.
C.Notify law enforcement immediately.
D.Pay the ransom to restore operations quickly.
AnswerA

Preserving evidence supports investigation and potential legal action.

Why this answer

After isolating affected systems during a ransomware incident, the next best step is to preserve forensic evidence from those systems. This ensures that data such as memory dumps, logs, and encrypted files are captured intact for analysis, which is critical for understanding the attack vector, identifying the ransomware variant, and potentially recovering data without paying the ransom. Forensic preservation must occur before any remediation steps like wiping or rebuilding, as those actions would destroy the evidence needed for investigation and legal proceedings.

Exam trap

ISC2 often tests the misconception that containment (isolation) is the final step, but the trap here is that candidates skip forensic preservation and jump to remediation (wipe/rebuild) or external actions (law enforcement/payment), failing to recognize that evidence must be secured first to support both investigation and potential recovery.

How to eliminate wrong answers

Option B is wrong because wiping and rebuilding all affected systems destroys forensic evidence and prevents analysis of the ransomware's behavior, encryption keys, or entry point, which is essential for preventing future incidents and potentially recovering data. Option C is wrong because notifying law enforcement immediately is not the next operational step; while it may be required later, the immediate priority is preserving evidence to support any law enforcement investigation, and premature notification without evidence could hinder the response. Option D is wrong because paying the ransom does not guarantee data recovery, encourages further attacks, and violates many organizational policies and legal guidelines; the incident response team should never recommend payment as a first step.

592
MCQmedium

What is the primary purpose of using security baselines derived from CIS Benchmarks?

A.To ensure all systems have the same software versions
B.To monitor network traffic for anomalies
C.To automate patch deployment
D.To establish a secure starting point for system configuration
AnswerD

Correct. Baselines define secure configurations.

Why this answer

CIS Benchmarks provide hardened configuration standards to reduce vulnerabilities and improve security posture.

593
Multi-Selecthard

Which THREE of the following are essential components of a security baseline configuration for a server?

Select 3 answers
A.Disable unnecessary services.
B.Enable auditing and logging.
C.Apply the latest security patches.
D.Install all optional software for functionality.
E.Grant administrative rights to all users.
AnswersA, B, C

Reduces the number of potential entry points.

Why this answer

Disabling unnecessary services reduces the attack surface by removing potential entry points; services such as Telnet, FTP or an unused web server should be disabled through the service manager (systemctl on systemd-based Linux) to prevent unauthorized access or privilege escalation. Enabling auditing and logging provides the records needed to detect and investigate misuse, and applying current security patches closes known vulnerabilities. Options D and E do the opposite: extra software widens the attack surface, and administrative rights for everyone violate least privilege.

Exam trap

ISC2 often tests the principle of least functionality by making candidates think that installing all optional software ensures compatibility, when in reality it violates the core security baseline goal of reducing the attack surface.

594
MCQhard

During a disaster recovery exercise, the team discovers that the backup site does not have the latest security patches applied. Which of the following steps should be taken FIRST?

A.Patch the backup site immediately
B.Shut down the backup site
C.Document the finding and assess risk
D.Continue the exercise and note the issue
AnswerC

Proper incident response documentation and risk assessment are critical first steps.

Why this answer

The first step in any incident or exercise finding is to document the issue and assess the risk it poses. Patching the backup site immediately (Option A) could introduce instability or conflicts with the current exercise, while shutting it down (Option B) would disrupt the DR test. By documenting and assessing risk first, the team can determine the appropriate remediation priority based on the backup site's role and the criticality of the missing patches.

Exam trap

ISC2 often tests the principle that 'document and assess' must precede any corrective action, even in an exercise, to avoid impulsive changes that could invalidate the test results or introduce new risks.

How to eliminate wrong answers

Option A is wrong because applying patches without first assessing the risk could break the backup site's configuration or introduce new vulnerabilities during the exercise, and it may not be the highest priority action. Option B is wrong because shutting down the backup site would halt the disaster recovery exercise and potentially leave the organization without any failover capability, which is counterproductive. Option D is wrong because simply continuing the exercise without documenting or assessing the issue ignores the security gap and could lead to a false sense of readiness, violating standard incident response procedures (NIST SP 800-61).

595
MCQeasy

A security analyst notices unusual traffic on the network. Using Wireshark, they capture packets and see that an attacker is reading all unencrypted data from the network segment. Which type of attack is most likely being performed?

A.Spoofing
B.DoS
C.Sniffing / Eavesdropping
D.Man-in-the-middle
AnswerC

Correct. Sniffing captures unencrypted traffic, as seen in the scenario.

Why this answer

Sniffing or eavesdropping involves capturing network traffic to read data. In this scenario, unencrypted data is being read, which is characteristic of sniffing.

596
MCQmedium

A system administrator has a regular user account for daily work and a separate account with elevated privileges. Which principle is being applied?

A.Separation of duties
B.Need-to-know
C.Defense in depth
D.Least privilege
AnswerD

Correct. Using a limited account for daily work follows least privilege.

Why this answer

Least privilege for admins means using a separate account with only necessary privileges, reducing risk.

597
MCQeasy

Which of the following ports is used by HTTPS?

A.80
B.21
C.25
D.443
AnswerD

HTTPS uses TCP port 443.

Why this answer

HTTPS uses port 443 by default for encrypted web traffic.

598
MCQeasy

A security analyst discovers that an employee's workstation has been infected with ransomware. Which security principle has been directly violated?

A.Availability
B.Least privilege
C.Separation of duties
D.Defense in depth
AnswerA

Correct. Ransomware denies authorized users access to their own data and systems.

Why this answer

Ransomware directly violates the availability principle because it encrypts files and systems, rendering them inaccessible to authorized users. The infection may also touch confidentiality (data stolen before encryption) or integrity (altered files), but the immediate and primary effect is denial of access to data and services, which is a breach of availability.

Exam trap

ISC2 often tests the distinction between the CIA triad principles, and the trap here is that candidates confuse the cause of the incident with the principle it violates: a user with too many rights may explain how far the ransomware spread, but the direct violation is availability, not least privilege.

How to eliminate wrong answers

Option B is wrong because least privilege is an access-control principle about the permissions an account holds; excessive permissions may have let the ransomware reach more files, but the infection itself is not a violation of the principle, and the question asks which principle the attack directly violates. Option C is wrong because separation of duties divides responsibilities among people to prevent fraud or error; ransomware is a technical attack on access to data, not on task division. Option D is wrong because defense in depth is a design strategy of layered controls rather than one of the CIA principles; the infection may show the layers were insufficient, but the effect of the ransomware is loss of availability.

599
MCQmedium

A healthcare organization experiences a ransomware attack that encrypts all files on file servers and workstations. The incident response team has isolated the infected systems. The backup policy includes daily incremental backups and weekly full backups stored on a separate network segment. The most recent full backup is 5 days old. The incremental backups from the past 4 days are available but are stored on the same backup server that might be compromised. To restore data with minimal loss, what should the team do?

A.Use the most recent incremental backup to restore files directly.
B.Assume all backups are compromised and rebuild systems from scratch.
C.First verify the integrity of the backups by scanning them on an isolated system, then restore the full backup and apply the most recent clean incremental backups.
D.Restore the weekly full backup and then apply all incremental backups from the past 5 days.
AnswerC

Ensures clean backups and minimal data loss.

Why this answer

Option C is correct. First verify backup integrity on an isolated system, because the backup server itself may be compromised and could hand over tampered or infected copies. Then restore the weekly full backup and apply, in order, the incremental backups that checked out clean.

Option A uses only the most recent incremental, which holds just that day's changes and cannot be restored without the full backup and the earlier incrementals. Option B discards backups that may be perfectly usable. Option D applies the incrementals without checking them, risking reintroduction of the ransomware, and there are only 4 days of incrementals, not 5.
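As an added example (Python; not from the question bank), the recovery-point arithmetic behind question 585 and the restore-chain logic behind question 599, written as one function that handles both backup styles: a differential schedule needs the full plus the latest good differential, an incremental schedule needs the full plus every incremental in order, and a bad incremental breaks the chain at that point. The job histories and timestamps are constructed, since neither exhibit is reproduced on the page; the status value "quarantined" stands for an incremental that failed the integrity scan 599 calls for.

```python
# Added example (Python, not from the ISC2 question bank): compute the recovery
# point and the restore set from a backup job history, for the differential
# schedule in question 585 and the incremental schedule in question 599. The job
# histories and timestamps are constructed; neither exhibit is reproduced on the page.
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Question 585 (assumed history): full Monday 01:00, differentials every 12 hours,
# of which only the Tuesday 01:00 job completed; the system fails Wednesday 10:00.
DIFFERENTIAL_JOBS = [
    ("full",         "2024-06-03 01:00", "ok"),      # Monday
    ("differential", "2024-06-04 01:00", "ok"),      # Tuesday 01:00, last successful
    ("differential", "2024-06-04 13:00", "failed"),
    ("differential", "2024-06-05 01:00", "failed"),
]
FAILURE_585 = datetime(2024, 6, 5, 10, 0)            # Wednesday 10:00

# Question 599 (assumed history): weekly full 5 days before the incident, daily
# incrementals for the next 4 days, ransomware strikes Saturday 10:00.
INCREMENTAL_JOBS = [
    ("full",        "2024-06-10 02:00", "ok"),       # Monday
    ("incremental", "2024-06-11 02:00", "ok"),
    ("incremental", "2024-06-12 02:00", "ok"),
    ("incremental", "2024-06-13 02:00", "ok"),
    ("incremental", "2024-06-14 02:00", "ok"),
]
FAILURE_599 = datetime(2024, 6, 15, 10, 0)           # Saturday 10:00


def mark(jobs, when, status):
    """Copy of jobs with the job taken at `when` relabelled, e.g. 'quarantined'
    after an integrity scan on an isolated host flagged it."""
    return [(t, ts, status if ts == when else st) for t, ts, st in jobs]


def restore_chain(jobs, failure_at):
    """Return (recovery_point, [jobs to restore, in order]) using only jobs that
    completed with status 'ok' before the failure."""
    parsed = sorted(((t, datetime.strptime(ts, FMT), st) for t, ts, st in jobs),
                    key=lambda j: j[1])
    parsed = [j for j in parsed if j[1] <= failure_at]
    fulls = [j for j in parsed if j[0] == "full" and j[2] == "ok"]
    if not fulls:
        raise ValueError("no usable full backup before the failure")
    full = fulls[-1]
    later = [j for j in parsed if j[1] > full[1]]
    chain = [full]
    good_diffs = [j for j in later if j[0] == "differential" and j[2] == "ok"]
    if good_diffs:
        # Each differential holds every change since the full, so only the
        # latest good one is applied; failed later ones just widen the loss window.
        chain.append(good_diffs[-1])
    else:
        # Each incremental holds changes since the previous backup, so the whole
        # sequence is applied and a bad one breaks the chain at that point.
        for j in (j for j in later if j[0] == "incremental"):
            if j[2] != "ok":
                break
            chain.append(j)
    return chain[-1][1], chain


def data_loss_hours(jobs, failure_at):
    """Maximum data loss: hours between the recovery point and the failure."""
    recovery_point, _ = restore_chain(jobs, failure_at)
    return (failure_at - recovery_point).total_seconds() / 3600


if __name__ == "__main__":
    print("585:", data_loss_hours(DIFFERENTIAL_JOBS, FAILURE_585), "hours")
    print("599 clean:", data_loss_hours(INCREMENTAL_JOBS, FAILURE_599), "hours")
    suspect = mark(INCREMENTAL_JOBS, "2024-06-13 02:00", "quarantined")
    print("599 one bad incremental:", data_loss_hours(suspect, FAILURE_599), "hours")
```

With the constructed histories the 585 case yields 33 hours (Tuesday 01:00 to Wednesday 10:00), the clean 599 case 32 hours, and the 599 case with Thursday's incremental quarantined 80 hours, because the chain can only be applied up to the last incremental before the bad one. That jump is the practical reason question 599 insists on verifying the backups before choosing what to restore.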

600
Multi-Selecthard

An organization wants to implement network segmentation to improve security. Which three methods are commonly used for network segmentation? (Select THREE.)

Select 3 answers
A.Subnetting
B.DMZs
C.Firewalls
D.VLANs
E.Intrusion Detection Systems
AnswersA, B, D

Subnetting divides IP address space.

Why this answer

VLANs, subnets, and DMZs are common segmentation methods. Firewalls enforce rules but are not segmentation methods themselves; IDS is a monitoring tool.
