ISC2 Certified in Cybersecurity (CC) — Questions 601–675

984 questions total · 14 pages · All types, answers revealed

Page 9 of 14
601
MCQ · hard

A company implements a new firewall and intrusion detection system to reduce the risk of network breaches. This is an example of:

A. Risk avoidance
B. Risk acceptance
C. Risk transfer
D. Risk mitigation
Answer: D

Correct. Controls are put in place to mitigate risk.

Why this answer

Risk mitigation involves implementing controls to reduce the likelihood or impact of a risk.

602
MCQ · medium

Refer to the exhibit. A network administrator configured the following firewall rules. After implementation, users from the internal network cannot browse the internet. Which element is causing the issue?

A. Rule id=30
B. Rule id=10
C. Rule id=20
D. The rule order
Answer: D

The deny rule should be after the allow rule to permit internal traffic first.

Why this answer

Firewall rules are processed sequentially from top to bottom, and the implicit deny-all rule at the end blocks any traffic that does not match an explicit permit rule. Rule id=10 permits HTTP/HTTPS from internal to external, but rule id=20 denies all traffic from the internal network; because the deny rule (id=20) is evaluated before any later permit rule (id=30), it blocks all internet-bound traffic. D is correct because the rule order lets the deny override the intended permit.

Exam trap

ISC2 often tests the concept that ACL rule order is critical — candidates mistakenly think that a permit rule later in the list can override an earlier deny, but the first-match principle means the deny is evaluated first and blocks the traffic permanently.

How to eliminate wrong answers

Option A is wrong because rule id=30 (permit from internal to DMZ) is irrelevant to internet browsing and would not cause the block. Option B is wrong because rule id=10 (permit HTTP/HTTPS from internal to external) is actually the intended permit rule, but it is placed before the problematic deny rule; however, the deny rule (id=20) still overrides it due to order. Option C is wrong because rule id=20 (deny all from internal) is the direct cause of the block, but the root issue is its placement before the permit rule (id=30) — the rule itself is not inherently wrong, but its position in the sequence is.

603
Multi-Select · medium

Which THREE are recommended practices for password policies according to current guidelines?

Select 3 answers
A. Check passwords against lists of known breached passwords
B. Require passwords at least 8 characters long
C. Require at least one uppercase letter, one number, and one special character
D. Allow passwords up to 64 characters
E. Force password changes every 30 days
Answers: A, B, D

Prevents use of compromised passwords.

Why this answer

Current guidelines recommend long passwords, breach checking, and avoiding frequent changes.

604
MCQ · medium

During an incident, an organization needs to preserve volatile data. Which of the following should be collected FIRST?

A. Backup tapes
B. Memory contents
C. Hard drive contents
D. Network logs
Answer: B

Memory is volatile and disappears when the system is turned off.

Why this answer

Volatile data is lost when the system loses power. Memory content is the most volatile.

605
MCQ · medium

A company's security policy requires that all data at rest be encrypted. Which of the following is the BEST approach to ensure compliance while maintaining performance?

A. Deploy full disk encryption on all endpoints and servers.
B. Use database encryption to protect sensitive data.
C. Apply network encryption using TLS for all data transfers.
D. Implement file-level encryption for sensitive files only.
Answer: A

Full disk encryption encrypts the entire drive, ensuring all data at rest is protected with minimal performance overhead when using hardware-based encryption.

Why this answer

Full disk encryption (FDE) encrypts the entire storage volume, including the operating system, applications, and all data at rest, ensuring compliance with a policy requiring all data at rest to be encrypted. FDE operates at the block level, typically using AES-256, with minimal performance overhead because encryption and decryption are handled by the disk controller or CPU with hardware acceleration (e.g., AES-NI), making it the best approach for maintaining performance while meeting the broad requirement.

Exam trap

ISC2 often tests the distinction between 'data at rest' and 'data in transit' encryption, and the trap here is that candidates may choose database or file-level encryption because they think it is more targeted, but they overlook the policy's explicit 'all data at rest' requirement, which only full disk encryption satisfies comprehensively.

How to eliminate wrong answers

Option B is wrong because database encryption only protects data within the database, leaving other data at rest (e.g., OS files, logs, temp files) unencrypted, failing the 'all data at rest' requirement. Option C is wrong because network encryption (TLS) protects data in transit, not data at rest, so it does not address the policy requirement at all. Option D is wrong because file-level encryption only encrypts specific files, leaving other data at rest (e.g., system files, swap space, unencrypted directories) exposed, and it often introduces higher performance overhead due to per-file cryptographic operations and key management.

606
MCQ · medium

A company's primary data center experiences a complete power failure, and operations are shifted to a secondary site. The failover process takes 4 hours, but the recovery point objective (RPO) is set to 1 hour. Which of the following is the most likely consequence of this incident?

A. Data loss of up to 3 hours occurred.
B. The failover process was unsuccessful.
C. No data loss occurred because the secondary site was available.
D. The recovery time objective (RTO) was not met.
Answer: A

The RPO is 1 hour but failover took 4 hours, causing up to 3 hours of data loss.

Why this answer

The RPO of 1 hour means the company can tolerate losing up to 1 hour of data. Since the failover took 4 hours, any data written in the 3 hours before the power failure that had not yet been replicated to the secondary site would be lost. This results in a data loss window of up to 3 hours, exceeding the RPO.

Exam trap

ISC2 often tests the distinction between RPO (data loss tolerance) and RTO (downtime tolerance), and candidates mistakenly assume that a successful failover means no data loss, ignoring the replication lag.

How to eliminate wrong answers

Option B is wrong because the failover process completed successfully in 4 hours, as stated; the question does not indicate any failure in the failover itself. Option C is wrong because data loss can occur even if the secondary site is available, if the replication lag exceeds the RPO. Option D is wrong because the RTO is the maximum acceptable downtime, and the failover took 4 hours; without knowing the RTO value, we cannot conclude it was not met — the question only provides the RPO.

607
MCQ · hard

A security analyst discovers that a vendor's software contains a known vulnerability that could lead to data exposure. The analyst reports this to management. According to risk management principles, which action represents risk transfer?

A. Discontinuing use of the vendor's software
B. Purchasing cyber insurance to cover potential losses
C. Installing a patch to fix the vulnerability
D. Accepting the risk and documenting the decision
Answer: B

Correct. This transfers the financial risk to the insurer.

Why this answer

Risk transfer shifts the financial impact to another party, such as through cyber insurance.

608
MCQ · easy

Which of the following ports is commonly used for secure web traffic (HTTPS)?

A. 53
B. 80
C. 22
D. 443
Answer: D

Port 443 is for HTTPS.

Why this answer

HTTPS uses port 443 by default. HTTP uses port 80, and SSH uses port 22.

609
Multi-Select · hard

Which THREE of the following are best practices for securing a remote access VPN?

Select 3 answers
A. Enable multi-factor authentication.
B. Keep VPN client software up to date.
C. Use pre-shared keys for authentication.
D. Enforce strong password policies.
E. Implement split tunneling by default.
Answers: A, B, D

Adds an extra layer of security beyond passwords.

Why this answer

Multi-factor authentication (MFA) adds an additional layer of security beyond just a password, requiring a second factor such as a one-time code from a token or biometric. For a remote access VPN, this mitigates the risk of credential theft or brute-force attacks against the VPN gateway. Even if an attacker obtains a user's password, they cannot authenticate without the second factor, significantly reducing the likelihood of unauthorized access.

Exam trap

ISC2 often tests the misconception that pre-shared keys are acceptable for remote access VPNs because they are simple to configure, but the exam expects you to recognize that PSKs are a weak, shared secret that should be replaced with certificate-based or EAP authentication for secure remote access.

610
MCQ · easy

A system administrator must grant a help desk technician the ability to reset user passwords but not change user roles. Which security principle does this scenario enforce?

A. Accountability
B. Principle of least privilege
C. Need-to-know
D. Non-repudiation
Answer: B

The technician has only the necessary permissions (password reset) and no extra privileges (role changes).

Why this answer

Least privilege ensures users have only the permissions needed. Granting password reset but not role changes limits permissions to the job function. Option B is correct.

Option C (need-to-know) limits data access. Option A (accountability) tracks actions. Option D (non-repudiation) ensures actions can't be denied.

611
MCQ · easy

An organization wants to segment its network so that public-facing servers are isolated from internal users. Which network design component should be used?

A. Honeypot
B. Subnet
C. DMZ
D. VLAN
Answer: C

A DMZ isolates public-facing servers from the internal network.

Why this answer

A DMZ (demilitarized zone) is a separate network segment that hosts public-facing services, isolated from the internal LAN.

612
MCQ · hard

A security engineer is designing a physical security plan. Which combination of controls best represents defense in depth for a data center?

A. Visitor sign-in and escort policy only
B. A single high-tech lock on the server room door
C. A strong password policy for all employees
D. Perimeter fencing, access badges at building entrance, biometric reader on server room, and cable locks on servers
Answer: D

Correct. This layered approach exemplifies defense in depth.

Why this answer

Defense in depth uses multiple, overlapping controls. Perimeter fencing, access badges, biometric readers, and cable locks each address different layers, providing redundancy.

613
MCQ · easy

After a ransomware attack, which team is primarily responsible for coordinating the response?

A. Executive Management
B. Incident Response Team
C. IT Support
D. Legal Department
Answer: B

The IRT is responsible for coordinating the response to security incidents.

Why this answer

The Incident Response Team (IRT) is primarily responsible for coordinating the response to a ransomware attack because it follows a predefined incident response plan (IRP) that includes containment, eradication, and recovery procedures. The IRT typically includes security analysts, forensic experts, and system administrators who execute technical steps such as isolating affected systems, analyzing the ransomware strain, and restoring from backups. This team operates under the NIST SP 800-61 framework, ensuring a structured and rapid response to minimize damage.

Exam trap

ISC2 often tests the misconception that Executive Management or Legal should lead the response due to their authority or compliance role, but the exam emphasizes that technical coordination belongs to the Incident Response Team as defined in the CC curriculum's incident response process.

How to eliminate wrong answers

Option A is wrong because Executive Management provides strategic oversight and approves budget/resource allocation, but they lack the technical expertise to coordinate hands-on incident response activities like network isolation or forensic analysis. Option C is wrong because IT Support focuses on routine user troubleshooting and system maintenance, not on executing the specialized containment and eradication steps required during a ransomware incident, such as analyzing malware indicators of compromise (IOCs) or applying firewall rules. Option D is wrong because the Legal Department handles regulatory compliance, breach notification, and liability issues, but they do not perform the technical coordination of response actions like system restoration or evidence preservation.

614
MCQ · medium

An organization stores backup data on a tape drive (onsite) and also replicates critical data to a cloud storage service. This practice best exemplifies which backup rule?

A. Incremental backup strategy
B. Differential backup strategy
C. Full backup strategy
D. 3-2-1 backup rule
Answer: D

The scenario describes 2 copies (tape and cloud), 2 media types (tape and cloud storage), and 1 offsite (cloud), meeting the 3-2-1 rule.

Why this answer

The 3-2-1 rule states: have at least 3 copies of data, on 2 different media types, with 1 copy offsite. Here, tape (onsite) and cloud (offsite) provide two media types and an offsite copy.

615
MCQ · hard

In risk management, which term describes the probability that a threat will exploit a vulnerability and cause harm to an asset?

A. Vulnerability
B. Control
C. Risk
D. Threat
Answer: C

Correct. Risk is the combination of threat, vulnerability, and impact.

Why this answer

Risk is defined as the likelihood of a threat exploiting a vulnerability, resulting in harm to an asset.

616
Multi-Select · hard

Which THREE of the following are best practices for securing a wireless network?

Select 3 answers
A. Disable SSID broadcast
B. Use WPA2 encryption
C. Enable MAC address filtering
D. Use a strong passphrase
E. Implement a captive portal
Answers: A, B, D

Disabling SSID broadcast hides the network from casual scanning, though it is not a strong security measure.

Why this answer

WPA2 encryption, disabling SSID broadcast (though not strong, often considered best practice in older materials), and using a strong passphrase are commonly recommended. MAC filtering and captive portals are not primary security controls.

617
MCQ · medium

An organization implements a policy requiring employees to use a smart card and a PIN to access the data center. This is an example of which type of authentication?

A. Multi-factor authentication
B. Type 3 authentication
C. Single-factor authentication
D. Type 2 authentication only
Answer: A

Correct. This combines Type 2 (possession) and Type 1 (knowledge).

Why this answer

Multi-factor authentication combines two or more types: smart card (possession) and PIN (knowledge).

618
MCQ · easy

An AWS bucket policy is shown. What is the security implication?

A. The bucket allows anonymous write access
B. The bucket allows read access to anyone from a specific IP range
C. The policy contains a syntax error
D. The bucket is fully public
Answer: B

Principal '*' means anyone, but access is restricted by source IP.

Why this answer

The bucket policy grants the `s3:GetObject` action (read access) to all principals (`"Principal": "*"`) but only if the request originates from the specified IP range (`"IpAddress": {"aws:SourceIp": "10.0.0.0/24"}`). This means anyone on the internet can read objects, but only if their source IP falls within that CIDR block. This is a common pattern for allowing read access to a trusted network without requiring AWS credentials.

Exam trap

ISC2 often tests the distinction between a bucket being 'public' (anyone can access) versus having a condition that restricts access to a specific IP range, causing candidates to mistakenly think any policy with `Principal: "*"` makes the bucket fully public.

How to eliminate wrong answers

Option A is wrong because the policy only grants `s3:GetObject` (read) access, not `s3:PutObject` or `s3:DeleteObject` (write) access; anonymous write access would require an explicit `Effect: Allow` for write actions. Option C is wrong because the policy syntax is valid — it uses the correct `Condition` block with `IpAddress` and `aws:SourceIp`, which is a standard AWS IAM policy element. Option D is wrong because the bucket is not fully public; access is restricted by the IP address condition, so only requests from the `10.0.0.0/24` range are allowed, not the entire internet.

619
MCQ · easy

An administrator reviews the exhibit. Which security principle is being violated?

A. Non-repudiation
B. Separation of duties
C. Least privilege
D. Accountability
Answer: C

Correct. Write access may be excessive.

Why this answer

The user has write access to HR documents, which may not be necessary for their role, violating least privilege.

620
MCQ · hard

According to the (ISC)² Code of Ethics, if a conflict arises between protecting society and providing diligent service to your employer, which should take precedence?

A. Advance the profession
B. Act honorably
C. Protect society
D. Provide diligent service
Answer: C

The first canon is to protect society, the common good, and the infrastructure.

Why this answer

The (ISC)² Code of Ethics has a priority order: protect society first, then act honorably, provide diligent service, and advance the profession.

621
MCQ · hard

A security analyst reviews this firewall log entry. What type of activity is most likely being attempted?

A. A legitimate SMB file sharing connection from an internal client.
B. A potential SMB exploitation attempt from an external host.
C. A port scan attempt on port 445.
D. An outbound connection to an SMB server.
Answer: B

The SYN packet to port 445 from an external source is typical of SMB exploits such as EternalBlue.

Why this answer

The log shows a TCP SYN packet from a high source port to destination port 445 (SMB), a port commonly targeted by exploits such as EternalBlue that have been used in ransomware attacks.

622
MCQ · medium

An organization wants to allow external users to securely access internal web applications. Which network security device is specifically designed to inspect HTTP/HTTPS traffic and block malicious requests?

A. Stateful firewall
B. Web Application Firewall (WAF)
C. Intrusion Detection System (IDS)
D. Packet filtering firewall
Answer: B

A WAF inspects HTTP/HTTPS traffic and filters malicious payloads such as SQL injection.

Why this answer

A Web Application Firewall (WAF) is specialized for filtering HTTP/HTTPS traffic and protecting web applications.

623
MCQ · medium

A system administrator notices that a user has been granted read and write permissions to a folder but should only have read access. Which type of access control issue does this represent?

A. Excessive permissions
B. Segregation of duties conflict
C. Authorization creep
D. Incomplete revocation
Answer: A

Excessive permissions directly describe having more rights than required.

Why this answer

Excessive permissions occur when a user or group is granted more privileges than necessary for their role. In this scenario, the user has read and write access to a folder but should only have read access, meaning the write permission is unnecessary and violates the principle of least privilege. This is a classic example of excessive permissions, as the user has been over-provisioned beyond their job requirements.

Exam trap

ISC2 often tests the distinction between authorization creep (gradual accumulation over time) and excessive permissions (a one-time over-provisioning), so candidates may confuse the two when the scenario describes a single incorrect assignment.

How to eliminate wrong answers

Option B is wrong because segregation of duties conflicts involve splitting critical tasks among multiple users to prevent fraud or error, not a single user having extra permissions. Option C is wrong because authorization creep refers to the gradual accumulation of permissions over time due to role changes or transfers, not a one-time misassignment of write access. Option D is wrong because incomplete revocation occurs when permissions are not fully removed after a user no longer needs them, whereas here the user was never supposed to have write access in the first place.

624
MCQ · easy

A company's security policy requires that employees must change their passwords every 90 days and passwords must be at least 12 characters. Which security principle is being enforced?

A. Integrity
B. Availability
C. Non-repudiation
D. Confidentiality
Answer: A

Regularly changing and strengthening passwords ensures that credentials remain valid and are not compromised, which upholds integrity.

Why this answer

Option A is correct because password complexity and expiration directly support the integrity of authentication by making it harder for attackers to guess or reuse credentials. Confidentiality (D) is about secrecy, but the primary goal here is ensuring that only authorized users can access systems (integrity of access control). Availability (B) and non-repudiation (C) are not the main focus.

625
MCQ · medium

An organization uses Active Directory to manage user accounts. Which protocol does Active Directory primarily use to query and modify directory services?

A. HTTP
B. FTP
C. SNMP
D. LDAP
Answer: D

LDAP is the protocol used by Active Directory for directory access.

Why this answer

Active Directory uses LDAP (Lightweight Directory Access Protocol) as the underlying protocol for directory queries and modifications.

626
MCQ · hard

During an incident response, a forensics analyst captures a memory dump from a compromised server. The analyst needs to ensure the dump is not altered during analysis. Which practice best maintains integrity?

A. Encrypt the memory dump file
B. Maintain a chain of custody log
C. Restrict access to the dump to authorized personnel only
D. Generate a cryptographic hash of the dump before analysis
Answer: D

A hash allows subsequent verification that the data has not been altered.

Why this answer

Creating a cryptographic hash (e.g., SHA-256) of the original dump and verifying it before and after analysis ensures integrity. Option D is correct. Option A (encryption) protects confidentiality, not integrity.

Option C (restricting access) is about access control. Option B (chain of custody) documents handling but doesn't prevent alteration by itself.

627
MCQ · hard

Refer to the exhibit. Which security principle is being supported by the logging of these events?

A. Availability
B. Authentication
C. Non-repudiation
D. Accountability
Answer: D

Logs allow tracing failures to an IP address and time, supporting accountability.

Why this answer

Correct: D - Accountability. Logging provides a record of events that can be traced to specific sources, enabling accountability. Non-repudiation involves proof of actions by a user, but these logs do not prove user identity.

Authentication and availability are not directly supported.

628
MCQ · medium

According to the (ISC)² Code of Ethics, which obligation has the highest priority?

A. Provide diligent and competent service to principals
B. Advance and protect the profession
C. Act honorably, honestly, justly, responsibly, and legally
D. Protect society, the common good, and the public trust
Answer: D

This is the first and highest priority.

Why this answer

The Code of Ethics states the highest priority is to protect society, the common good, and the public trust.

629
MCQ · easy

A network technician is setting up a remote access VPN for employees using IPsec. The company's firewall is configured to allow IPsec traffic. Employees report that they can successfully establish the VPN connection (tunnel appears up), but they cannot ping or access any internal resources (e.g., file servers). The firewall logs show that packets from the VPN client IP addresses are being dropped at the firewall interface. Which of the following is the MOST likely cause of this issue?

A. The VPN client is not assigned a correct IP address from the pool.
B. The firewall's access control list does not permit traffic from the VPN subnet to the internal network.
C. The firewall's intrusion prevention system is blocking the traffic.
D. The IPsec encryption algorithm is incompatible between client and firewall.
Answer: B

The tunnel being up indicates IPsec negotiation succeeded, but the firewall still needs an ACL entry to allow the forwarded traffic.

Why this answer

The VPN tunnel is established, meaning Phase 1 and Phase 2 of IPsec are complete and the client has a valid IP from the pool. However, packets from the VPN subnet are being dropped at the firewall interface, which indicates that the firewall's access control list (ACL) does not include a permit statement for traffic sourced from the VPN client subnet destined to the internal network. Without this ACL entry, the firewall will drop the traffic even though the tunnel is up.

Exam trap

ISC2 often tests the distinction between tunnel establishment (IPsec Phase 1 and Phase 2) and traffic forwarding (ACL/permit rules), leading candidates to mistakenly blame encryption mismatches or client IP assignment when the real issue is a missing firewall rule.

How to eliminate wrong answers

Option A is wrong because if the VPN client were not assigned a correct IP address from the pool, the tunnel would not establish successfully (the client would fail Phase 2 or not receive a usable IP), and the logs would show authentication or address assignment failures, not dropped packets at the firewall interface. Option C is wrong because an intrusion prevention system (IPS) typically blocks traffic based on signatures or anomalies, not by default for all traffic from a VPN subnet; the logs would show IPS alerts, not simple drops at the interface. Option D is wrong because if the IPsec encryption algorithm were incompatible, the tunnel would fail to establish (Phase 2 would fail), and the VPN connection would not appear up.

630
MCQ · easy

A small manufacturing company's IT infrastructure consists of a single server running ERP and file services, with a nightly backup to an external hard drive. The server fails due to hardware failure. The company's BCP states that the ERP system must be restored within 8 hours. The backup is 12 hours old. The IT administrator has a spare server of similar configuration. What is the BEST course of action?

A. Use cloud-based ERP temporarily.
B. Perform a bare-metal restore using the backup.
C. Install the backup onto the spare server and restore the data from the external hard drive.
D. Order a new server from the vendor (lead time 3 days).
Answer: C

This uses the available spare server and meets the RTO.

Why this answer

Option C is correct because the spare server has a similar configuration, allowing the IT administrator to install the backup software and restore the ERP system and file data from the external hard drive. This approach meets the 8-hour RTO by leveraging the existing backup, even though it is 12 hours old, as the restore process is straightforward and does not require ordering new hardware or migrating to a cloud platform.

Exam trap

The trap here is that candidates may confuse 'bare-metal restore' with a simple file restore, assuming the backup contains a full system image, when in fact the backup is to an external hard drive and likely file-level, making a bare-metal restore impossible without a compatible system image.

How to eliminate wrong answers

Option A is wrong because using a cloud-based ERP temporarily would require significant setup time, data migration, and potential licensing changes, which likely exceeds the 8-hour RTO and introduces complexity not aligned with the existing BCP. Option B is wrong because a bare-metal restore requires the backup to be in a specific format (e.g., system image) and the spare server to have identical hardware; the backup is to an external hard drive, likely file-level, not a full system image, making a bare-metal restore impractical. Option D is wrong because ordering a new server with a 3-day lead time far exceeds the 8-hour RTO, and the spare server is already available, making this the slowest and least effective course of action.

631
Multi-Select · hard

An organization is planning to implement a security operations center (SOC) and is considering different monitoring strategies. Which THREE of the following are essential components of a tiered SOC model? (Choose three.)

Select 3 answers
A. A SOC manager who oversees daily operations and reporting
B. A dedicated threat intelligence team that provides context on indicators
C. Tier 2 analysts who conduct in-depth analysis and incident response
D. Tier 1 analysts who monitor alerts and perform initial triage
E. Tier 3 analysts who focus on threat hunting and advanced forensics
Answers: C, D, E

Tier 2 handles escalated incidents and performs root cause analysis.

Why this answer

Option C is correct because Tier 2 analysts in a tiered SOC model are responsible for in-depth analysis of escalated incidents, performing incident response actions, and determining the scope and impact of security events. This tier bridges the gap between initial triage and advanced threat hunting, ensuring that confirmed incidents are properly contained and remediated.

Exam trap

ISC2 often tests the distinction between SOC tiers and supporting roles; the trap here is that candidates mistake management or intelligence functions as part of the tiered analyst hierarchy, when only Tier 1, Tier 2, and Tier 3 analysts constitute the core escalation model.

632
MCQ · hard

An organization uses a warm site for disaster recovery. Which of the following is the MOST significant risk of this approach?

A. Data may not be synchronized with the primary site
B. The site may be too far away
C. The site may not have recent data
D. High cost of maintaining duplicate hardware
Answer: A

Lack of real-time replication means data loss of everything written since the last backup.

Why this answer

A warm site has infrastructure and connectivity ready but does not maintain real-time data synchronization with the primary site. The most significant risk is that data may not be synchronized, meaning the Recovery Point Objective (RPO) could be hours or days old, leading to potential data loss during failover. Unlike a hot site with synchronous replication, a warm site typically uses periodic backups or asynchronous replication, creating a gap in data currency.

Exam trap

ISC2 often tests the distinction between hot, warm, and cold sites by focusing on data synchronization versus infrastructure readiness — the trap here is that candidates confuse 'data may not be recent' (Option C) with the more precise technical risk of 'data may not be synchronized,' which is the defining vulnerability of a warm site.

How to eliminate wrong answers

Option B is wrong because distance is a consideration for any DR site (hot, warm, or cold) and is not specific to the warm site model; latency can be mitigated with WAN optimization or replication tuning. Option C is wrong because it is essentially a restatement of the data synchronization issue but less precise — the core risk is lack of synchronization, not merely that data 'may not have recent data,' which is a symptom of the synchronization gap. Option D is wrong because high cost of maintaining duplicate hardware is a characteristic of a hot site, not a warm site; a warm site typically has lower hardware costs as it may not run full production-equivalent systems until activation.

633
MCQ · easy

Which of the following is a control that can reduce the risk of a DDoS attack?

A. Access control lists
B. Load balancing
C. Encryption
D. Digital signatures
Answer: B

Load balancing helps distribute traffic and can mitigate the impact of DDoS attacks.

Why this answer

Load balancers can distribute traffic and absorb some DDoS attacks; DDoS protection services are also common controls.

634
MCQmedium

An organization experiences a ransomware attack that encrypts critical file servers. The backups are stored on a separate network segment but are also encrypted. The incident response team suspects the attacker compromised the backup system using stored credentials. Which best practice should have been implemented to prevent this?

A.Implement air-gapped backups stored offline
B.Enable multi-factor authentication (MFA) on backup system access
C.Encrypt backup data at rest and in transit
D.Use a separate VLAN for backup traffic
AnswerB

MFA mitigates the risk of credential theft, as the attacker would need an additional factor to authenticate.

Why this answer

Option B is correct because enabling multi-factor authentication (MFA) on backup system access would have prevented the attacker from using stored credentials to compromise the backup system. MFA requires an additional authentication factor beyond just a password or stored token, making credential theft or reuse insufficient for access. This directly addresses the attack vector described—stolen credentials—rather than relying solely on network segmentation or encryption.

Exam trap

ISC2 often tests the distinction between preventive controls that stop the attack vector (MFA on access) versus controls that mitigate damage after compromise (air gaps, encryption, VLANs), leading candidates to choose network segmentation or encryption instead of addressing the credential theft directly.

How to eliminate wrong answers

Option A is wrong because air-gapped backups stored offline would prevent encryption of the backup data during the attack, but the question specifically states the backups were on a separate network segment and were encrypted using stored credentials; an air gap does not address the root cause of credential compromise and reuse. Option C is wrong because encrypting backup data at rest and in transit protects the confidentiality of the data but does not prevent an attacker from accessing or encrypting the backup system itself using valid credentials. Option D is wrong because using a separate VLAN for backup traffic provides network segmentation but does not prevent an attacker who has compromised credentials from authenticating to the backup system from within that VLAN or from another compromised host.

635
MCQmedium

A company implements role-based access control (RBAC) to ensure users have only the permissions necessary for their job roles. This is an example of:

A.Least privilege
B.Defense in depth
C.Separation of duties
D.Need-to-know
AnswerA

RBAC enforces least privilege by granting only required permissions.

Why this answer

RBAC enforces least privilege by granting permissions based on roles. Option C (Separation of duties) divides tasks. Option D (Need-to-know) restricts data access. Option B (Defense in depth) is layering controls.

636
MCQhard

Refer to the exhibit. A user from the Auditors group is unable to access the folder. What is the most likely cause?

A.The user is not a member of the Auditors group
B.A deny entry for Auditors overrides the allow
C.The Auditors group has only read permission, which is insufficient
D.The folder is encrypted
AnswerB

The deny entry explicitly blocks read access, causing the failure despite the allow.

Why this answer

In NTFS permissions, a Deny entry explicitly blocks access and takes precedence over any Allow entries, regardless of the order in which they are applied. Since the user is a member of the Auditors group, the Deny entry for that group overrides any Allow permissions the user might have individually or through other group memberships. This is the most likely cause of the access failure.

Exam trap

ISC2 often tests the principle that Deny entries override Allow entries in NTFS permissions, and the trap here is that candidates mistakenly think the order of permission entries or the most specific permission wins, rather than recognizing that Deny always takes precedence.

How to eliminate wrong answers

Option A is wrong because the user is explicitly stated to be from the Auditors group, so they are a member. Option C is wrong because even if the Auditors group has only Read permission, that would still allow the user to access the folder (read contents), but the user cannot access it at all, indicating a Deny is in effect. Option D is wrong because encryption (e.g., EFS) would not prevent access if the user has the proper decryption key; the scenario points to a permission conflict, not encryption.

637
MCQhard

During a security assessment, a penetration tester captures network traffic and notices that the source IP address in packets appears to be from a different network. Which technique is the attacker likely using?

A.DNS spoofing
B.ARP spoofing
C.MAC spoofing
D.IP spoofing
AnswerD

IP spoofing forges the source IP address.

Why this answer

IP spoofing involves forging the source IP address in packets to impersonate another system or hide the true origin. This can be used in various attacks like DDoS or session hijacking.

638
MCQeasy

Which account type is considered highest risk and should be protected with strict controls, including separate daily use accounts?

A.Standard user account
B.Service account
C.Admin/root account
D.Guest account
AnswerC

Admin accounts have full system access and are high risk.

Why this answer

Admin/root accounts have elevated privileges and are high-risk targets.

639
MCQhard

An organization implements a security baseline using CIS Benchmarks for all new servers. After a routine scan, a server is found to have a configuration that deviates from the baseline. The deviation was introduced by a system administrator to resolve a performance issue. What is the best course of action?

A.Ignore the deviation since it was done for a valid reason
B.Revert the change immediately without discussion
C.Update the baseline to match the new configuration
D.Document the change and submit it through the change control process
AnswerD

Change control ensures changes are reviewed, approved, and documented.

Why this answer

Any change to a security baseline should go through the change control process to ensure it is reviewed and approved, preventing unauthorized changes that could introduce vulnerabilities.

640
MCQmedium

A company's remote access VPN uses IPsec with pre-shared keys. Employees report that they cannot connect from home. The VPN server logs show 'IKE authentication failed.' The help desk confirms the pre-shared keys are correct. Which of the following is the most likely cause?

A.The client is behind a NAT device that blocks IPsec traffic
B.The VPN server is not responding to IKE requests
C.The client's certificate has expired
D.The IKE phase 1 parameters (encryption, hash, DH group) do not match
AnswerD

Mismatched parameters cause authentication failure despite correct keys.

Why this answer

Option D is correct because 'IKE authentication failed' specifically indicates a failure during IKE phase 1, where the peers negotiate security parameters. Even if the pre-shared key is correct, mismatched encryption (e.g., AES vs. 3DES), hash (e.g., SHA-1 vs. SHA-256), or Diffie-Hellman group (e.g., group 2 vs. group 14) will cause the IKE SA to fail, preventing phase 1 authentication from completing.

Exam trap

ISC2 often tests the distinction between 'IKE authentication failed' (which points to phase 1 parameter mismatch or PSK error) and 'no response' (which points to firewall/NAT blocking), trapping candidates who assume NAT is always the culprit without reading the log message carefully.

How to eliminate wrong answers

Option A is wrong because NAT devices typically block ESP/AH traffic, which would cause 'no response' or 'timeout' errors, not 'IKE authentication failed' — IKE itself uses UDP port 500/4500 and can often traverse NAT with NAT-T. Option B is wrong because if the VPN server were not responding, the client would see 'no response' or 'timeout' messages, not a specific 'IKE authentication failed' log entry, which requires the server to have received and processed the IKE request. Option C is wrong because certificates are not used with pre-shared keys; the error message explicitly references IKE authentication, which for PSK uses the pre-shared key, not a certificate — certificate expiration would cause a different error like 'certificate validation failed'.

641
MCQmedium

An organization implements a bring-your-own-device (BYOD) policy. Which security control is most important to enforce in the BYOD policy?

A.Require complex passwords
B.Install a firewall on each device
C.Enable full disk encryption
D.Implement mobile device management (MDM) for remote wipe and policy enforcement
AnswerD

MDM allows IT to enforce security policies and remotely wipe devices if lost or stolen.

Why this answer

Mobile device management (MDM) is the most important control for a BYOD policy because it provides centralized policy enforcement, remote wipe capabilities, and device compliance monitoring. Unlike isolated controls like passwords or encryption, MDM allows the organization to enforce security policies dynamically and revoke access or wipe corporate data if a device is lost, stolen, or non-compliant.

Exam trap

ISC2 often tests the misconception that a single technical control (like encryption or passwords) is sufficient for BYOD security, when the real exam focus is on centralized management and the ability to enforce and revoke policies remotely via MDM.

How to eliminate wrong answers

Option A is wrong because requiring complex passwords alone does not protect data if the device is lost or stolen; passwords can be bypassed or guessed, and they do not provide remote wipe or policy enforcement. Option B is wrong because installing a firewall on each device is impractical in BYOD scenarios (users may disable it, and it does not protect against data leakage or device loss), and it does not address the core need for centralized control and data separation. Option C is wrong because full disk encryption protects data at rest but does not enable remote wipe, policy enforcement, or the ability to selectively wipe corporate data without affecting personal data, which is critical in BYOD environments.

642
MCQeasy

A company's primary data center is destroyed by a natural disaster. The backup site has been fully synchronized but needs to be activated. Which process addresses the activation of the backup site?

A.Risk Management Plan
B.Incident Response Plan (IRP)
C.Disaster Recovery Plan (DRP)
D.Business Continuity Plan (BCP)
AnswerC

DRP specifically addresses IT infrastructure recovery and activation of backup sites.

Why this answer

The Disaster Recovery Plan (DRP) specifically outlines the procedures for activating a backup site after a primary data center failure. In this scenario, the backup site is fully synchronized but requires activation, which involves steps like DNS changes, storage array failover (e.g., using synchronous replication with a quorum witness), and network reconfiguration. The DRP is the document that contains these technical recovery steps, distinguishing it from broader continuity or incident response plans.

Exam trap

ISC2 often tests the distinction between BCP and DRP by presenting a scenario where the backup site is already synchronized but needs activation, leading candidates to incorrectly choose BCP because they confuse business continuity with technical disaster recovery.

How to eliminate wrong answers

Option A is wrong because a Risk Management Plan identifies, assesses, and mitigates risks before an incident occurs; it does not contain the step-by-step activation procedures for a backup site. Option B is wrong because an Incident Response Plan (IRP) focuses on immediate containment, eradication, and recovery from security incidents (e.g., malware, data breaches), not on activating a backup data center after a natural disaster. Option D is wrong because a Business Continuity Plan (BCP) addresses maintaining critical business functions during a disruption, often through alternative work arrangements or manual processes, but it does not provide the technical failover steps for activating a backup data center.

643
MCQmedium

A company has implemented a security information and event management (SIEM) system. The SOC team notices that the SIEM is generating a high volume of false positive alerts from a specific web application firewall (WAF). The WAF logs show many requests with SQL injection patterns, but the application is not vulnerable. Which of the following actions would BEST reduce false positives without compromising security?

A.Create a SIEM rule to suppress alerts from that WAF
B.Increase the alert threshold in the WAF to reduce sensitivity
C.Tune the WAF's detection rules based on the application's normal traffic profile
D.Disable SQL injection detection in the WAF for that application
AnswerC

Tuning reduces false positives by filtering out benign patterns that resemble attacks.

Why this answer

Option C is correct because tuning the WAF's detection rules to match the application's normal traffic profile reduces false positives by filtering out benign requests that resemble SQL injection patterns. This approach maintains security by still detecting actual attacks, unlike simply suppressing alerts or disabling detection. The SIEM should correlate WAF alerts with application context, but the root cause is the WAF's overly broad rules, which need refinement.

Exam trap

ISC2 often tests the misconception that suppressing alerts or disabling detection is acceptable, but the correct approach is to tune detection rules to balance security and operational efficiency.

How to eliminate wrong answers

Option A is wrong because suppressing alerts from the WAF in the SIEM ignores the underlying issue, potentially missing real attacks and creating a blind spot in monitoring. Option B is wrong because increasing the alert threshold in the WAF reduces sensitivity globally, which could cause true SQL injection attacks to be missed, compromising security. Option D is wrong because disabling SQL injection detection entirely removes a critical defense layer, leaving the application exposed to actual SQL injection attempts.

644
MCQmedium

An attacker sends a flood of SYN packets to a server, never completing the three-way handshake, exhausting the server's resources and causing it to become unresponsive. What type of attack is this?

A.ICMP flood
B.SYN flood
C.UDP flood
D.ARP spoofing
AnswerB

Correct. SYN flood targets TCP handshake.

Why this answer

A SYN flood is a type of DoS attack that exploits the TCP three-way handshake by sending many SYN packets and not completing the handshake.

645
Multi-Selectmedium

A security analyst is evaluating controls to protect the confidentiality of customer data. Which TWO of the following are effective controls? (Select TWO).

Select 2 answers
A.Hashing of passwords
B.Redundant network links
C.Encryption of data at rest
D.Regular data backups
E.Role-based access controls
AnswersC, E

Encryption prevents unauthorized disclosure.

Why this answer

Encryption protects data at rest and in transit; access controls restrict unauthorized access.

646
MCQmedium

Which of the following is a recommended practice for password security according to NIST SP 800-63?

A.Require frequent password changes every 30 days
B.Use a minimum of 8 characters and check against breached password lists
C.Set maximum password age to 90 days
D.Enforce complex passwords with special characters
AnswerB

Correct. Length is favored, and passwords should be checked against known breaches.

Why this answer

NIST SP 800-63 recommends favoring password length over complexity and checking passwords against breached lists.

647
Multi-Selectmedium

A company wants to protect its internal web server from common web application attacks. Which two security measures are most appropriate? (Choose TWO.)

Select 2 answers
A.Deploy a Web Application Firewall (WAF)
B.Implement HTTPS with a valid certificate
C.Deploy an IDS in promiscuous mode
D.Use a stateful firewall only
E.Enable SNMP on the server
AnswersA, B

Correct. A WAF inspects HTTP/HTTPS traffic and blocks attacks.

Why this answer

A WAF specifically filters HTTP/HTTPS traffic, and HTTPS encryption protects data in transit. A firewall alone is not application-aware, and IDS/IPS are not specific to web applications.

648
Multi-Selectmedium

Which TWO are characteristics of Role-Based Access Control (RBAC)?

Select 2 answers
A.Users are assigned to roles, and inherit permissions from those roles.
B.Object owners can delegate permissions to others.
C.Access decisions are based on security labels.
D.It enforces a centralized policy that cannot be overridden by users.
E.Permissions are assigned to roles, not individual users.
AnswersA, E

Role assignment is fundamental to RBAC.

Why this answer

Option A is correct because RBAC defines roles that group specific permissions, and users are assigned to these roles. When a user is added to a role, they automatically inherit all permissions associated with that role, simplifying administration and ensuring consistent access rights across the organization.

Exam trap

ISC2 often tests the distinction between RBAC and DAC by presenting delegation of permissions (Option B) as a plausible RBAC feature, when in fact it belongs to DAC.

649
MCQhard

When implementing a role-based access control (RBAC) system, what is the primary challenge organizations face?

A.Managing password complexity
B.Ensuring users do not share passwords
C.Role explosion
D.Defining roles that align with job functions
AnswerC

Role explosion leads to administrative overhead and is a frequent pitfall in RBAC.

Why this answer

Role explosion is the primary challenge in RBAC because as organizations grow, the number of distinct roles can proliferate rapidly, leading to administrative overhead, complexity in role management, and potential security gaps. This occurs when roles are defined too granularly or for every unique combination of permissions, making it difficult to maintain least privilege and audit access. Proper RBAC design requires careful role engineering to minimize the number of roles while still mapping to job functions.

Exam trap

ISC2 often tests the misconception that the main difficulty in RBAC is defining roles themselves, when in fact the real operational challenge is controlling role proliferation (role explosion) after initial implementation.

How to eliminate wrong answers

Option A is wrong because managing password complexity is a concern of authentication mechanisms, not RBAC, which focuses on authorization after authentication. Option B is wrong because ensuring users do not share passwords is an authentication policy issue, unrelated to the role-based access control model. Option D is wrong because defining roles that align with job functions is actually a fundamental requirement of RBAC, not a primary challenge; the challenge arises when too many roles are created (role explosion), not from the initial definition itself.

650
Multi-Selecteasy

A company is evaluating backup strategies for its critical database. Which TWO of the following are correct statements about backup types?

Select 3 answers
A.A full backup copies all data regardless of change status.
B.Restoring from a full backup is faster than restoring from a differential backup.
C.A differential backup copies data that has changed since the last full backup.
D.An incremental backup only copies data that has changed since the last full backup.
E.Incremental backups require less storage space than differential backups.
AnswersA, C, E

Correct. A full backup copies all selected data.

Why this answer

Incremental backup only backs up changes since the last backup (any type), and differential backup backs up changes since the last full backup. Full backup does not require a previous backup, and full backup is not faster than incremental; it is slower. Differential backup restore is faster than incremental because only the last full plus one differential are needed.

651
MCQeasy

Which tier in a Security Operations Center (SOC) is primarily responsible for triaging alerts and determining whether to escalate?

A.SOC Manager
B.Tier 3
C.Tier 2
D.Tier 1
AnswerD

Correct. Tier 1 handles initial alert monitoring and triage.

Why this answer

Tier 1 analysts monitor alerts and perform initial triage, escalating potential incidents to Tier 2 for deeper investigation.

652
MCQmedium

You are designing a backup strategy for a critical database. The business requires that in the event of a failure, data loss must not exceed 15 minutes. Which metric primarily addresses this requirement?

A.Service Level Agreement (SLA)
B.Mean Time Between Failures (MTBF)
C.Recovery Point Objective (RPO)
D.Recovery Time Objective (RTO)
AnswerC

RPO specifies the maximum age of data that must be restored, directly limiting data loss.

Why this answer

Option C is correct because Recovery Point Objective (RPO) defines the maximum acceptable data loss in terms of time, so it directly addresses data loss tolerance. Recovery Time Objective (RTO) is about downtime duration. MTBF relates to reliability, and SLA is a service agreement.

653
MCQmedium

A security analyst receives an alert of unusual network traffic from an internal host to an external IP known for command-and-control. After isolating the host, what should be the next step?

A.Wipe the host and reinstall OS
B.Preserve forensic evidence and analyze
C.Reimage the host from backup
D.Notify law enforcement
AnswerB

Preserving and analyzing evidence is critical to understand the compromise and prevent future incidents.

Why this answer

Preserving forensic evidence and analyzing the host is the correct next step because incident response methodology (e.g., NIST SP 800-61) requires containment followed by evidence collection and analysis to determine the scope of compromise, identify indicators of compromise (IOCs), and understand the attack vector. Wiping or reimaging destroys volatile data (e.g., memory, running processes, network connections) and artifacts (e.g., registry keys, prefetch files, event logs) that are critical for attribution and remediation. Analysis may involve memory forensics (using tools like Volatility) and disk forensics to extract malware samples, C2 communication logs, and lateral movement traces.

Exam trap

ISC2 often tests the misconception that immediate containment (like wiping or reimaging) is the priority, but the trap here is that the CC exam emphasizes the incident response process order: isolate, then preserve evidence, then analyze, then remediate — skipping evidence preservation violates standard forensic procedures.

How to eliminate wrong answers

Option A is wrong because wiping the host and reinstalling the OS destroys all forensic evidence, preventing root cause analysis and potentially allowing the attacker to persist if the infection vector is not identified. Option C is wrong because reimaging from backup may reintroduce the same vulnerability or malware if the backup is also compromised, and it skips the critical step of evidence preservation and analysis. Option D is wrong because notifying law enforcement is premature before internal investigation confirms the incident's nature and scope; law enforcement involvement typically occurs after evidence is preserved and a decision is made to pursue legal action, not as an immediate next step.

654
MCQhard

An organization is evaluating a new vendor that will process customer data. The security team performs a thorough assessment of the vendor's security controls and background checks. This process best demonstrates:

A.Risk acceptance
B.Risk transfer
C.Due care
D.Due diligence
AnswerD

Due diligence is the investigation and assessment before engagement.

Why this answer

Due diligence involves investigating and verifying before making a decision, such as vendor risk assessments and background checks.

655
MCQmedium

A company uses WPA2-Enterprise for wireless authentication. What additional security measure should be implemented to protect against rogue access points?

A.Enable MAC filtering
B.Deploy a wireless intrusion prevention system (WIPS)
C.Implement 802.1X with mutual authentication
D.Use WPA3
AnswerB

WIPS detects and prevents rogue access points.

Why this answer

WPA2-Enterprise uses 802.1X for authentication, but it does not inherently detect or block rogue access points (APs) that mimic legitimate SSIDs. A Wireless Intrusion Prevention System (WIPS) continuously monitors the RF spectrum, identifies unauthorized APs by analyzing beacon frames, probe responses, and MAC addresses, and can automatically contain them by sending deauthentication frames or alerting administrators. This is the most direct and effective measure to protect against rogue APs in an enterprise WLAN.

Exam trap

ISC2 often tests the misconception that WPA2-Enterprise or 802.1X alone can prevent rogue APs, but the trap is that these protocols authenticate users and servers, not the physical AP device itself, leaving the network vulnerable to rogue APs that broadcast the same SSID.

How to eliminate wrong answers

Option A is wrong because MAC filtering is a weak, static access control that can be easily bypassed by MAC spoofing and does not detect or prevent rogue APs from operating. Option C is wrong because 802.1X with mutual authentication (EAP-TLS, for example) already authenticates both the client and the RADIUS server, but it does not monitor the airwaves for unauthorized APs; a rogue AP can still broadcast the same SSID and trick clients into connecting before any 802.1X exchange completes. Option D is wrong because WPA3, while more secure than WPA2, still does not include built-in rogue AP detection or containment; it only improves encryption and authentication (e.g., SAE) but does not replace the need for a dedicated WIPS.

656
MCQeasy

A security analyst notices that a user has been granted access to files beyond their job function. Which principle is violated?

A.Least privilege
B.Authentication
C.Non-repudiation
D.Accountability
AnswerA

Correct. Excessive access violates the least privilege principle.

Why this answer

Least privilege requires that users be granted only the minimum permissions necessary to perform their duties. The scenario shows excessive access, directly violating this principle.

657
MCQeasy

An organization is preparing its Business Continuity Plan (BCP). Which process identifies critical business functions and the impact of disruptions?

A.Incident Response Plan (IRP)
B.Disaster Recovery Plan (DRP)
C.Risk Assessment
D.Business Impact Analysis (BIA)
AnswerD

The BIA identifies critical business functions and the impact of disruptions.

Why this answer

A Business Impact Analysis (BIA) identifies critical business functions, dependencies, and the impact of disruptions, providing metrics like MTD, RTO, and RPO.

658
Multi-Selecthard

Which THREE of the following are considered methods to ensure accountability in a system?

Select 3 answers
A.Data encryption
B.Audit logs
C.Digital signatures
D.Intrusion prevention system
E.User authentication
AnswersB, C, E

Audit logs record user actions, enabling traceability.

Why this answer

Accountability requires that actions can be traced to an individual. Audit logs (B) track events. User authentication (E) identifies users. Digital signatures (C) provide non-repudiation and link actions to a signer. Option A (encryption) protects data but does not directly provide accountability. Option D (intrusion prevention system) filters traffic but does not trace actions.

659
MCQeasy

Which TCP segment is sent to initiate the three-way handshake?

A.ACK
B.SYN-ACK
C.FIN
D.SYN
AnswerD

Correct. Client sends SYN to start the handshake.

Why this answer

The three-way handshake starts with a SYN (synchronize) packet from the client.

660
MCQhard

A mid-sized financial services company has recently experienced a security incident where an attacker gained access to the internal network through a compromised VPN account. The account belonged to a remote employee who had been granted full network access. The company's security team is now reviewing their security principles to prevent a recurrence. The company has 500 employees, with 50 remote workers. They use a traditional perimeter-based firewall and VPN for remote access. The incident revealed that the compromised account had access to the entire internal network, including sensitive financial databases. The security team is considering implementing a new access control model. They have identified the following requirements: (1) Remote workers should only access specific applications necessary for their roles, (2) Access should be granted based on identity and device posture, (3) Network segmentation should be enforced regardless of location. Which of the following approaches BEST addresses these requirements?

A.Implement multi-factor authentication on the existing VPN and enforce stricter password policies.
B.Adopt a Zero Trust Architecture (ZTA) that uses an identity-aware proxy and micro-segmentation.
C.Create separate VLANs for each department and restrict inter-VLAN routing with ACLs.
D.Apply the principle of least privilege by reducing user permissions on the network and servers.
AnswerB

ZTA provides identity and device verification, least privilege access to specific applications, and network segmentation regardless of location.

Why this answer

Zero Trust Architecture (ZTA) aligns with all three requirements: it verifies identity and device posture, grants least privilege access to specific applications, and enforces micro-segmentation regardless of location. VPN with MFA (A) still grants broad network access. Network segmentation with VLANs and ACLs (C) alone does not incorporate identity or device posture. Least privilege (D) is a principle, not an architecture; implementing it without ZTA may not provide the granular control needed.

661
MCQmedium

A security analyst notices that a user is accessing files in a department they do not work in. Which principle is being violated?

A.Need-to-know
B.Least privilege
C.Defense in depth
D.Separation of duties
AnswerA

Accessing files outside job scope violates need-to-know.

Why this answer

Need-to-know restricts access to data necessary for one's job, even if the user has broader permissions.

662
MCQeasy

Which protocol operates at the Transport layer of the OSI model and is connectionless and unreliable?

A.TCP
B.HTTP
C.IP
D.UDP
AnswerD

UDP is connectionless and unreliable.

Why this answer

UDP is connectionless and does not guarantee delivery, making it fast but unreliable.

663
MCQmedium

A SOC analyst detects a series of failed login attempts from a single external IP address targeting multiple user accounts within a short time. Which action should the analyst take FIRST?

A.Block the IP address at the firewall immediately.
B.Verify if any accounts were successfully compromised.
C.Disable all user accounts that were targeted.
D.Notify law enforcement about the attempted breach.
AnswerB

This assesses immediate impact and guides next steps.

Why this answer

The correct first step is to verify if any accounts were successfully compromised (Option B). In security operations, the priority is to assess the impact of an incident before taking containment actions. If an account was breached, immediate password resets and session invalidation are needed; blocking the IP prematurely could destroy forensic evidence and alert the attacker, while disabling all accounts causes unnecessary business disruption.

The analyst must confirm compromise via log review (e.g., checking for successful authentication events after the failed attempts) to guide the appropriate response.

Exam trap

ISC2 often tests the principle that containment (e.g., blocking an IP) should not be performed before verifying impact, because the first priority in incident response is to confirm whether a breach actually occurred, not to assume the worst and disrupt operations.

How to eliminate wrong answers

Option A is wrong because immediately blocking the IP at the firewall may destroy forensic evidence (e.g., attacker's subsequent actions) and could be a false positive if the IP is legitimate (e.g., a misconfigured VPN). Option C is wrong because disabling all targeted user accounts without evidence of compromise causes unnecessary operational disruption and may lock out legitimate users; the analyst should first verify if any account was actually breached. Option D is wrong because notifying law enforcement is premature and not the first action; internal incident response procedures (verification, containment, eradication) must be followed first, and law enforcement is typically contacted only after confirming a breach and consulting legal counsel.

664
MCQeasy

A small business owner wants to ensure that their company's data remains accurate and unaltered during transmission over the internet. They regularly send financial reports to their accountant via email. The owner is concerned that a hacker might intercept and modify the reports before they reach the accountant. Which security principle is most directly threatened in this scenario, and what is the best technical control to implement?

A.Confidentiality; encrypt the email attachments
B.Non-repudiation; require read receipts
C.Integrity; apply a digital signature or hash to the files
D.Availability; use a redundant email server
AnswerC

Digital signatures and hashes detect and prevent unauthorized changes.

Why this answer

Correct: Integrity is threatened; using digital signatures or hashing ensures data integrity. Option A is wrong because confidentiality protects secrecy, not accuracy; Option D is wrong because availability ensures access, not integrity; Option B is wrong because non-repudiation prevents denial of an action, but the immediate threat here is modification.

665
MCQeasy

Refer to the exhibit.

```
C:\> netstat -an | find "LISTENING"
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING
```

A server administrator runs this command and sees the output. Which service is listening on a port that should typically be disabled to reduce the attack surface?

A.HTTP (port 80)
B.Remote Desktop (port 3389)
C.All of the above
D.HTTPS (port 443)
AnswerB

Port 3389 (RDP) is a common attack vector and should be disabled if remote administration is not strictly required.

Why this answer

Remote Desktop Protocol (RDP) on port 3389 is a high-risk service that should typically be disabled on servers unless absolutely necessary, as it provides a direct graphical interface for remote administration and is a common target for brute-force attacks. The output shows RDP listening on a specific internal IP (192.168.1.10), indicating it is bound to a routable interface, which increases exposure. In contrast, HTTP (port 80) and HTTPS (port 443) are standard web services that are often required for a server's function, so they are not typically disabled for attack surface reduction.

Exam trap

ISC2 often tests the misconception that all listening ports are equally risky, but the trap here is that HTTP and HTTPS are expected services on a server, while RDP is a high-risk administrative service that should be disabled unless explicitly required.

How to eliminate wrong answers

Option A is wrong because HTTP (port 80) is a standard web service that is often necessary for serving web content; disabling it would break normal server functionality, and it is not typically disabled solely to reduce attack surface unless the server has no web role. Option C is wrong because not all services listed should be disabled; only Remote Desktop (port 3389) is the one that should typically be disabled, while HTTP and HTTPS are commonly required. Option D is wrong because HTTPS (port 443) is the secure version of HTTP and is essential for encrypted web traffic; it is not a service that should be routinely disabled, as it protects data in transit.

666
MCQmedium

A security analyst detects a large number of half-open TCP connections targeting a web server. This is most likely indicative of what type of attack?

A.Smurf attack
B.SYN flood
C.ARP spoofing
D.DNS amplification
AnswerB

SYN flood targets TCP handshake to cause resource exhaustion.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending many SYN packets without completing the handshake, exhausting server resources. This is a type of DoS attack.

667
Multi-Selectmedium

A SOC team is reviewing security controls for a new critical application. Which THREE of the following are essential components of a security operations capability?

Select 3 answers
A.SIEM for log aggregation and alerting
B.Vulnerability scanning tools
C.Data backup and recovery procedures
D.Configuration management with security baselines
E.Patch management process
AnswersA, D, E

SIEM is central to security monitoring.

Why this answer

SIEM, patch management, and configuration management are all core security operations functions. Backup management, while important, is not typically a SOC function.

668
MCQhard

A company follows the 3-2-1 backup rule. It has two full backups: one on an external hard drive in the server room and one on tape in a safe on-site. Which step should be taken to fully comply with the rule?

A.No action needed; the rule is satisfied
B.Store the tape copy in a secure offsite location
C.Use cloud storage as an additional copy
D.Add a third copy to the external hard drive
AnswerB

This ensures one copy is offsite.

Why this answer

The 3-2-1 rule requires 3 copies, 2 different media types, and 1 offsite. Currently, there are 2 copies (both on-site) on 2 different media (external HDD and tape). To comply, a third copy must be stored offsite.

669
MCQeasy

An organization uses hashing to ensure that data has not been altered during transmission. Which security principle is being implemented?

A.Availability
B.Authentication
C.Integrity
D.Confidentiality
AnswerC

Hashing ensures data integrity by producing a unique hash that changes if data is modified.

Why this answer

Hashing verifies data integrity by detecting changes to the original data.

670
Multi-Selectmedium

A security team is investigating a potential man-in-the-middle attack. Which TWO of the following are common techniques used in MITM attacks? (Select TWO.)

Select 2 answers
A.ARP poisoning
B.SYN flood
C.DNS amplification
D.Setting up a rogue Wi-Fi access point
E.ICMP flood
AnswersA, D

Poisoned ARP tables redirect traffic to the attacker.

Why this answer

ARP poisoning redirects traffic, and rogue Wi-Fi access points intercept communications.

671
MCQhard

A medium-sized e-commerce company operates a web application on three virtual servers behind a load balancer. The application handles credit card payments and stores customer data in a database server. The company has a security operations team that monitors logs from firewalls, IDS, and servers. One morning, the IDS generates a critical alert indicating a SQL injection attempt from an external IP to the web application. The alert shows that the injection string was `' OR '1'='1' --`. The web server logs confirm that the request returned a 200 OK status and a large response size. The database logs show a query that returned multiple rows. The security analyst needs to determine the best immediate course of action. The company has a documented incident response plan that includes containment, eradication, and recovery phases. Which action should the analyst take first?

A.Apply a virtual patch using a web application firewall (WAF) rule to block similar injection attempts
B.Notify the web development team to fix the SQL injection vulnerability in the code
C.Run a full database backup to preserve evidence
D.Take the web server offline and initiate the containment phase of the incident response plan
AnswerD

Taking the server offline stops the attack and preserves evidence.

Why this answer

The correct first action is to take the web server offline and initiate the containment phase. The IDS alert confirms a successful SQL injection (200 OK, large response, multiple rows returned), indicating a data breach is in progress. Containment must precede any other step to stop further data exfiltration, as per the incident response plan's phases.

Exam trap

ISC2 often tests the order of incident response phases, and the trap here is that candidates confuse 'preserve evidence' (Option C) with the first step, when containment must come first to stop the active breach.

How to eliminate wrong answers

Option A is wrong because applying a WAF rule is a remediation step that should occur after containment, and it does not stop the ongoing breach or preserve evidence. Option B is wrong because notifying the development team to fix the code is part of the eradication phase, which comes after containment; immediate action is needed to halt the attack. Option C is wrong because running a full database backup could overwrite or alter volatile evidence (e.g., logs, memory), and the priority is to stop the attack, not preserve evidence first.

672
MCQhard

An attacker sends forged ARP messages to associate their MAC address with the IP address of a legitimate server. This allows the attacker to intercept traffic intended for that server. What is this attack?

A.DNS poisoning
B.MAC flooding
C.ARP spoofing
D.IP spoofing
AnswerC

ARP spoofing uses forged ARP messages to redirect traffic.

Why this answer

ARP spoofing (or ARP poisoning) involves sending fake ARP replies to associate the attacker's MAC with a victim's IP, enabling man-in-the-middle attacks.

673
MCQhard

During a security audit, it is found that a database administrator can access payroll data. The company policy states that administrators should not have access to sensitive HR data. Which security principle is being violated?

A.Accountability
B.Least privilege
C.Separation of duties
D.Privacy
AnswerC

Correct. The DBA should not have access to payroll data.

Why this answer

The scenario describes a single database administrator having both the ability to access and modify payroll data, which combines operational and oversight roles. Separation of duties (SoD) is the principle that requires splitting critical tasks and privileges among multiple individuals to prevent fraud or error. Here, the administrator's access violates SoD because they can both manage the database and view sensitive HR data, which should require separate authorization.

Exam trap

ISC2 often tests the distinction between least privilege and separation of duties, where candidates mistakenly choose least privilege because they focus on the 'should not have access' phrasing, but the real violation is the combination of conflicting roles, not just excessive permissions.

How to eliminate wrong answers

Option A is wrong because accountability refers to the ability to trace actions to a specific user via logging and auditing, not to restricting access based on role. Option B is wrong because least privilege would limit the administrator's access to only what is necessary for their job, but the core issue here is the combination of conflicting duties (admin and data viewer), not just excessive permissions. Option D is wrong because privacy is a broader concept about protecting personal data from unauthorized disclosure, but the specific security principle violated is the lack of separation between operational and oversight functions.

674
Multi-Selectmedium

A network administrator is planning to segment the network. Which of the following are valid segmentation methods? (Choose TWO)

Select 2 answers
A.Subnetting
B.Firewalls
C.VLANs
D.IDS
E.Honeypots
AnswersA, C

Subnetting divides IP address space.

Why this answer

VLANs and subnetting are common segmentation techniques.

675
MCQmedium

Refer to the exhibit. The file is readable and writable by everyone. A user from the marketing team, user2, needs to be able to read the file but not write to it. Which command should the administrator use to achieve this?

A.chmod 664 project_data.txt
B.chmod 755 project_data.txt
C.chmod 644 project_data.txt
D.chmod 600 project_data.txt
AnswerC

644 sets read/write for owner, read for group and others, so user2 can read but not write.

Why this answer

Option C is correct because `chmod 644` sets the file permissions to `rw-r--r--`, which grants read and write to the owner, read-only to the group, and read-only to others. Since the file is initially readable and writable by everyone (likely `666`), changing to `644` removes write access for the group and others while preserving read access for all, meeting the requirement that user2 (a marketing team member, presumably in the group or others category) can read but not write.

Exam trap

ISC2 often tests the misconception that `chmod 664` is the standard "read and write for owner and group, read-only for others" choice. In fact it grants write access to the group, which would let user2 write to the file if they are a member of that group, so candidates must consider the user's group membership and the exact requirement of "read but not write".

How to eliminate wrong answers

Option A is wrong because `chmod 664` sets permissions to `rw-rw-r--`, which gives read and write to both the owner and the group; if user2 is in the group, they gain write access, which violates the requirement. Option B is wrong because `chmod 755` sets permissions to `rwxr-xr-x`, which grants execute permission to everyone and write to the owner only; it unnecessarily allows execution of a data file and is not the intended way to restrict write access for user2, whether they fall into the group or the others category. Option D is wrong because `chmod 600` sets permissions to `rw-------`, which removes all read and write access for the group and others, preventing user2 from reading the file and so failing the requirement.

ISC2 Certified in Cybersecurity CC CC Questions 601–675 | Page 9/14 | Courseiva