CCNA Security Operations Questions

53 of 128 questions · Page 2/2 · Security Operations

76 · Matching · medium

Match each phase of the incident response process to its description.


Train and equip the team

Identify and scope the incident

Stop the spread and restore systems

Lessons learned and reporting

Why these pairings

These phases are from NIST SP 800-61 and ISC2 CC.

77 · Multi-Select · hard

Which THREE of the following are essential components of a security baseline configuration for a server?

Select 3 answers
A. Disable unnecessary services.
B. Enable auditing and logging.
C. Apply the latest security patches.
D. Install all optional software for functionality.
E. Grant administrative rights to all users.
Answers: A, B, C

Reduces the number of potential entry points.

Why this answer

Disabling unnecessary services reduces the attack surface by removing potential entry points for exploitation. Services like Telnet, FTP, or unused web servers should be disabled via systemctl or service managers to prevent unauthorized access or privilege escalation.

Exam trap

ISC2 often tests the principle of least functionality by making candidates think that installing all optional software ensures compatibility, when in reality it violates the core security baseline goal of reducing the attack surface.

78 · Multi-Select · hard

Which THREE of the following are best practices for securing a remote access VPN?

Select 3 answers
A. Enable multi-factor authentication.
B. Keep VPN client software up to date.
C. Use pre-shared keys for authentication.
D. Enforce strong password policies.
E. Implement split tunneling by default.
Answers: A, B, D

Adds an extra layer of security beyond passwords.

Why this answer

Multi-factor authentication (MFA) adds an additional layer of security beyond just a password, requiring a second factor such as a one-time code from a token or biometric. For a remote access VPN, this mitigates the risk of credential theft or brute-force attacks against the VPN gateway. Even if an attacker obtains a user's password, they cannot authenticate without the second factor, significantly reducing the likelihood of unauthorized access.

Exam trap

ISC2 often tests the misconception that pre-shared keys are acceptable for remote access VPNs because they are simple to configure, but the exam expects you to recognize that PSKs are a weak, shared secret that should be replaced with certificate-based or EAP authentication for secure remote access.

79 · Multi-Select · hard

Which THREE of the following are best practices for securing a wireless network?

Select 3 answers
A. Disable SSID broadcast
B. Use WPA2 encryption
C. Enable MAC address filtering
D. Use a strong passphrase
E. Implement a captive portal
Answers: A, B, D

Disabling SSID broadcast hides the network from casual scanning, though it is not a strong security measure.

Why this answer

WPA2 encryption, disabling SSID broadcast (not a strong control, but often listed as a best practice in older materials), and using a strong passphrase are the commonly recommended measures. MAC filtering and captive portals are not primary security controls.

80 · MCQ · easy

An AWS bucket policy is shown. What is the security implication?

A. The bucket allows anonymous write access
B. The bucket allows read access to anyone from a specific IP range
C. The policy contains a syntax error
D. The bucket is fully public
Answer: B

Principal `"*"` means anyone, but access is restricted by the source IP condition.

Why this answer

The bucket policy grants the `s3:GetObject` action (read access) to all principals (`"Principal": "*"`) but only if the request originates from the specified IP range (`"IpAddress": {"aws:SourceIp": "10.0.0.0/24"}`). This means anyone on the internet can read objects, but only if their source IP falls within that CIDR block. This is a common pattern for allowing read access to a trusted network without requiring AWS credentials.

Exam trap

ISC2 often tests the distinction between a bucket being 'public' (anyone can access) versus having a condition that restricts access to a specific IP range, causing candidates to mistakenly think any policy with `Principal: "*"` makes the bucket fully public.

How to eliminate wrong answers

Option A is wrong because the policy only grants `s3:GetObject` (read) access, not `s3:PutObject` or `s3:DeleteObject` (write) access; anonymous write access would require an explicit `Effect: Allow` for write actions. Option C is wrong because the policy syntax is valid — it uses the correct `Condition` block with `IpAddress` and `aws:SourceIp`, which is a standard AWS IAM policy element. Option D is wrong because the bucket is not fully public; access is restricted by the IP address condition, so only requests from the `10.0.0.0/24` range are allowed, not the entire internet.

81 · Multi-Select · hard

An organization is planning to implement a security operations center (SOC) and is considering different monitoring strategies. Which THREE of the following are essential components of a tiered SOC model? (Choose three.)

Select 3 answers
A. A SOC manager who oversees daily operations and reporting
B. A dedicated threat intelligence team that provides context on indicators
C. Tier 2 analysts who conduct in-depth analysis and incident response
D. Tier 1 analysts who monitor alerts and perform initial triage
E. Tier 3 analysts who focus on threat hunting and advanced forensics
Answers: C, D, E

Tier 2 handles escalated incidents and performs root cause analysis.

Why this answer

Option C is correct because Tier 2 analysts in a tiered SOC model are responsible for in-depth analysis of escalated incidents, performing incident response actions, and determining the scope and impact of security events. This tier bridges the gap between initial triage and advanced threat hunting, ensuring that confirmed incidents are properly contained and remediated.

Exam trap

ISC2 often tests the distinction between SOC tiers and supporting roles; the trap here is that candidates mistake management or intelligence functions as part of the tiered analyst hierarchy, when only Tier 1, Tier 2, and Tier 3 analysts constitute the core escalation model.

82 · MCQ · medium

An organization implements a bring-your-own-device (BYOD) policy. Which security control is most important to enforce in the BYOD policy?

A. Require complex passwords
B. Install a firewall on each device
C. Enable full disk encryption
D. Implement mobile device management (MDM) for remote wipe and policy enforcement
Answer: D

MDM allows IT to enforce security policies and remotely wipe devices if lost or stolen.

Why this answer

Mobile device management (MDM) is the most important control for a BYOD policy because it provides centralized policy enforcement, remote wipe capabilities, and device compliance monitoring. Unlike isolated controls like passwords or encryption, MDM allows the organization to enforce security policies dynamically and revoke access or wipe corporate data if a device is lost, stolen, or non-compliant.

Exam trap

ISC2 often tests the misconception that a single technical control (like encryption or passwords) is sufficient for BYOD security, when the real exam focus is on centralized management and the ability to enforce and revoke policies remotely via MDM.

How to eliminate wrong answers

Option A is wrong because requiring complex passwords alone does not protect data if the device is lost or stolen; passwords can be bypassed or guessed, and they do not provide remote wipe or policy enforcement. Option B is wrong because installing a firewall on each device is impractical in BYOD scenarios (users may disable it, and it does not protect against data leakage or device loss), and it does not address the core need for centralized control and data separation. Option C is wrong because full disk encryption protects data at rest but does not enable remote wipe, policy enforcement, or the ability to selectively wipe corporate data without affecting personal data, which is critical in BYOD environments.

83 · MCQ · medium

A company has implemented a security information and event management (SIEM) system. The SOC team notices that the SIEM is generating a high volume of false positive alerts from a specific web application firewall (WAF). The WAF logs show many requests with SQL injection patterns, but the application is not vulnerable. Which of the following actions would BEST reduce false positives without compromising security?

A. Create a SIEM rule to suppress alerts from that WAF
B. Increase the alert threshold in the WAF to reduce sensitivity
C. Tune the WAF's detection rules based on the application's normal traffic profile
D. Disable SQL injection detection in the WAF for that application
Answer: C

Tuning reduces false positives by filtering out benign patterns that resemble attacks.

Why this answer

Option C is correct because tuning the WAF's detection rules to match the application's normal traffic profile reduces false positives by filtering out benign requests that resemble SQL injection patterns. This approach maintains security by still detecting actual attacks, unlike simply suppressing alerts or disabling detection. The SIEM should correlate WAF alerts with application context, but the root cause is the WAF's overly broad rules, which need refinement.

Exam trap

ISC2 often tests the misconception that suppressing alerts or disabling detection is acceptable, but the correct approach is to tune detection rules to balance security and operational efficiency.

How to eliminate wrong answers

Option A is wrong because suppressing alerts from the WAF in the SIEM ignores the underlying issue, potentially missing real attacks and creating a blind spot in monitoring. Option B is wrong because increasing the alert threshold in the WAF reduces sensitivity globally, which could cause true SQL injection attacks to be missed, compromising security. Option D is wrong because disabling SQL injection detection entirely removes a critical defense layer, leaving the application exposed to actual SQL injection attempts.

84 · MCQ · medium

A SOC analyst detects a series of failed login attempts from a single external IP address targeting multiple user accounts within a short time. Which action should the analyst take FIRST?

A. Block the IP address at the firewall immediately.
B. Verify if any accounts were successfully compromised.
C. Disable all user accounts that were targeted.
D. Notify law enforcement about the attempted breach.
Answer: B

This assesses immediate impact and guides next steps.

Why this answer

The correct first step is to verify if any accounts were successfully compromised (Option B). In security operations, the priority is to assess the impact of an incident before taking containment actions. If an account was breached, immediate password resets and session invalidation are needed; blocking the IP prematurely could destroy forensic evidence and alert the attacker, while disabling all accounts causes unnecessary business disruption.

The analyst must confirm compromise via log review (e.g., checking for successful authentication events after the failed attempts) to guide the appropriate response.

Exam trap

ISC2 often tests the principle that containment (e.g., blocking an IP) should not be performed before verifying impact, because the first priority in incident response is to confirm whether a breach actually occurred, not to assume the worst and disrupt operations.

How to eliminate wrong answers

Option A is wrong because immediately blocking the IP at the firewall may destroy forensic evidence (e.g., attacker's subsequent actions) and could be a false positive if the IP is legitimate (e.g., a misconfigured VPN). Option C is wrong because disabling all targeted user accounts without evidence of compromise causes unnecessary operational disruption and may lock out legitimate users; the analyst should first verify if any account was actually breached. Option D is wrong because notifying law enforcement is premature and not the first action; internal incident response procedures (verification, containment, eradication) must be followed first, and law enforcement is typically contacted only after confirming a breach and consulting legal counsel.

85 · MCQ · hard

A medium-sized e-commerce company operates a web application on three virtual servers behind a load balancer. The application handles credit card payments and stores customer data in a database server. The company has a security operations team that monitors logs from firewalls, IDS, and servers. One morning, the IDS generates a critical alert indicating a SQL injection attempt from an external IP to the web application. The alert shows that the injection string was `' OR '1'='1' --`. The web server logs confirm that the request returned a 200 OK status and a large response size. The database logs show a query that returned multiple rows. The security analyst needs to determine the best immediate course of action. The company has a documented incident response plan that includes containment, eradication, and recovery phases. Which action should the analyst take first?

A. Apply a virtual patch using a web application firewall (WAF) rule to block similar injection attempts
B. Notify the web development team to fix the SQL injection vulnerability in the code
C. Run a full database backup to preserve evidence
D. Take the web server offline and initiate the containment phase of the incident response plan
Answer: D

Taking the server offline stops the attack and preserves evidence.

Why this answer

The correct first action is to take the web server offline and initiate the containment phase. The IDS alert confirms a successful SQL injection (200 OK, large response, multiple rows returned), indicating a data breach is in progress. Containment must precede any other step to stop further data exfiltration, as per the incident response plan's phases.

Exam trap

ISC2 often tests the order of incident response phases, and the trap here is that candidates confuse 'preserve evidence' (Option C) with the first step, when containment must come first to stop the active breach.

How to eliminate wrong answers

Option A is wrong because applying a WAF rule is a remediation step that should occur after containment, and it does not stop the ongoing breach or preserve evidence. Option B is wrong because notifying the development team to fix the code is part of the eradication phase, which comes after containment; immediate action is needed to halt the attack. Option C is wrong because running a full database backup could overwrite or alter volatile evidence (e.g., logs, memory), and the priority is to stop the attack, not preserve evidence first.

86 · MCQ · medium

A company experiences a ransomware attack that encrypts all files on a critical server. The backup strategy includes nightly backups stored on a separate network. What should be the first action during recovery?

A. Restore all files from the most recent backup.
B. Isolate the affected server from the network.
C. Verify the integrity and availability of the backup data.
D. Report the incident to law enforcement.
Answer: C

Ensures the backup is not compromised before restoring.

Why this answer

Option C is correct because before any recovery action, you must verify that the backup data is intact, uncorrupted, and free from the ransomware. If the backup itself is encrypted or compromised, restoring it would re-infect the environment. This step aligns with the 3-2-1 backup rule and ensures the recovery point is clean.

Exam trap

ISC2 often tests the misconception that the first recovery step is to restore data, but the trap is that you must first confirm the backup is clean to avoid restoring the ransomware itself.

How to eliminate wrong answers

Option A is wrong because restoring immediately from the most recent backup risks restoring encrypted files if the backup was taken after the ransomware began encrypting, or if the backup itself is compromised. Option B is wrong because isolating the server is a containment step, not the first action during recovery; containment should have already occurred before recovery begins. Option D is wrong because reporting to law enforcement is a post-recovery or parallel action, not the first step in technical recovery, and does not address data restoration.

87 · Matching · medium

Match each OSI layer to its function.


Data Link: frames and MAC addresses

Network: routing and IP addresses

Transport: end-to-end reliability

Application: user interface and protocols

Why these pairings

OSI model layers are referenced in network security.

88 · Multi-Select · hard

Which TWO of the following are examples of detective security controls? (Choose two.)

Select 2 answers
A. Data backup and restoration procedures.
B. Security logging and monitoring.
C. Intrusion detection system (IDS) alerts.
D. Encryption of sensitive data.
E. Firewall rules that block certain traffic.
Answers: B, C

Log analysis and monitoring detect incidents.

Why this answer

Security logging and monitoring (B) and intrusion detection system alerts (C) are detective controls: they identify and record events after or while they occur. Encryption (D) and firewall rules (E) are preventive controls. Data backup and restoration (A) is a corrective/recovery control.

89 · Multi-Select · hard

Which THREE of the following are best practices for securing a network firewall? (Select THREE.)

Select 3 answers
A. Disable unused services and ports
B. Allow all traffic by default and block specific threats
C. Implement rule change management and review
D. Place the firewall outside the network perimeter
E. Use strong, complex passwords for firewall administration
Answers: A, C, E

Reduces the attack surface.

Why this answer

Disabling unused services and ports reduces the attack surface by eliminating potential entry points for attackers. A firewall should only have necessary ports (e.g., TCP 80/443 for web traffic) open, as each open service represents a vector for exploitation. This aligns with the principle of least privilege and is a fundamental hardening step.

Exam trap

ISC2 often tests the misconception that a firewall should be placed outside the network perimeter for better visibility, but the correct placement is at the perimeter to filter traffic before it enters the internal network.

90 · MCQ · medium

Refer to the exhibit. An administrator notices that external access to the MySQL database (port 3306) is blocked, but internal access should be allowed. What change should be made?

A. Change the DROP rule to ACCEPT for port 3306
B. Allow port 3306 in the FORWARD chain
C. Create a rule to allow traffic from internal IP range to port 3306
D. Remove the DROP rule for port 3306
Answer: C

A specific allow rule for internal IPs overrides the default DROP, enabling internal access.

Why this answer

The correct answer is C because the exhibit shows a DROP rule for port 3306 in the INPUT chain, which blocks all incoming traffic to the MySQL database. To allow internal access while keeping external access blocked, a specific rule must be added to ACCEPT traffic from the internal IP range to port 3306, placed before the DROP rule. This ensures that internal packets are matched first and permitted, while external packets hit the DROP rule and are rejected.

Simply modifying or removing the DROP rule would allow all traffic, violating the requirement to block external access.

Exam trap

ISC2 often tests the distinction between INPUT and FORWARD chains, and the trap here is that candidates mistakenly think adding a rule to the FORWARD chain will fix the issue, not realizing that traffic to the local MySQL service is processed by the INPUT chain.

How to eliminate wrong answers

Option A is wrong because changing the DROP rule to ACCEPT for port 3306 would allow all traffic (both internal and external) to the MySQL database, which violates the requirement to block external access. Option B is wrong because the FORWARD chain is used for traffic passing through the firewall, not for traffic destined to the local system; MySQL traffic arriving at the firewall's own interface is processed by the INPUT chain, not FORWARD. Option D is wrong because removing the DROP rule for port 3306 would remove the block entirely, allowing all traffic (including external) to reach the MySQL database, which does not meet the requirement to block external access.

91 · MCQ · hard

You are a forensic analyst responding to a reported compromise of a Linux web server. The server hosts a public-facing web application and is part of a DMZ. The initial investigation shows that unauthorized outbound connections were made to a known malicious IP address during the previous night. The server is still running and connected to the network, but the web application has been taken offline for maintenance. The incident response team wants to preserve evidence for potential legal action. You have a forensic workstation with tools like dd, netcat, and memory acquisition tools. Which of the following should be your FIRST step in the forensic acquisition process?

A. Create a bit-for-bit copy of the hard drive using dd and a write blocker.
B. Capture network traffic from the server for analysis.
C. Run a full antivirus scan to identify malware.
D. Capture the contents of volatile memory (RAM) using a memory acquisition tool.
Answer: D

Memory is most volatile and contains critical evidence.

Why this answer

Volatile memory (RAM) contains critical evidence such as running processes, network connections, encryption keys, and in-memory malware that would be lost when the system is powered off. In a forensic response, the order of volatility dictates that RAM must be captured first before any non-volatile data. Option D is correct because it follows the established forensic principle of preserving the most volatile data first.

Exam trap

ISC2 often tests the 'order of volatility' principle, and the trap here is that candidates mistakenly prioritize disk imaging (Option A) because it is a familiar step, ignoring that RAM holds the most ephemeral and critical evidence.

How to eliminate wrong answers

Option A is wrong because creating a bit-for-bit copy of the hard drive is important but should be done after volatile memory capture, as hard drive data is non-volatile and will not be lost on shutdown. Option B is wrong because capturing network traffic from the server is a live response step that can be performed after memory acquisition, but it is not the first priority since network traffic is also volatile but less critical than RAM contents. Option C is wrong because running an antivirus scan modifies the system state (e.g., file access times, writes to disk) and can destroy or alter evidence, violating forensic integrity.

92 · MCQ · hard

Refer to the exhibit. A firewall rule set is shown (first match applies). An analyst reviews these rules. Which of the following best describes the traffic outcome for a packet from source IP 10.0.0.1 to destination 192.168.1.1?

A. The packet is permitted because the last rule permits any any.
B. The packet is denied because rule 1 matches and denies it.
C. The packet is permitted because rule 2 explicitly permits the traffic.
D. The packet is denied because there is no explicit permit for 10.0.0.0/8 to 192.168.1.0/24.
Answer: B

First-match logic: rule 1 matches and denies before rule 2 can permit.

Why this answer

Rule 1 matches the source IP 10.0.0.1 (which falls within the 10.0.0.0/8 range) and the destination 192.168.1.1 (within 192.168.1.0/24), and since the action is 'deny', the packet is denied immediately. Firewalls using 'first match applies' logic stop processing as soon as a matching rule is found, so subsequent rules are never evaluated. Therefore, the correct outcome is denial.

Exam trap

ISC2 often tests the 'first match applies' concept by placing a broad deny rule early in the rule set, leading candidates to incorrectly assume that a later permit rule will override it, when in fact the packet is denied immediately upon the first match.

How to eliminate wrong answers

Option A is wrong because the 'permit any any' rule is never reached; the packet is matched and denied by rule 1 before the last rule is evaluated. Option C is wrong because rule 2, even if it explicitly permits the traffic, is not evaluated since rule 1 already matched and denied the packet. Option D is wrong because the absence of an explicit permit for the specific source/destination pair is irrelevant; the packet is denied by an explicit deny rule (rule 1), not by a lack of a permit.

93 · Multi-Select · medium

Which TWO of the following are essential elements of an incident response plan?

Select 2 answers
A. A list of compliance standards.
B. Personal phone numbers of executives.
C. Step-by-step procedures for each incident type.
D. Contact information for all employees.
E. Defined roles and responsibilities.
Answers: C, E

Provides guidance for consistent response.

Why this answer

Option C is correct because an incident response plan must include step-by-step procedures for each incident type to ensure consistent, repeatable actions during a security event. These procedures guide responders through detection, containment, eradication, and recovery phases, reducing errors and response time. Without predefined steps, teams risk ad-hoc actions that can worsen the incident or miss critical containment measures.

Exam trap

ISC2 often tests the distinction between 'essential operational elements' (like procedures and roles) and 'supporting documentation' (like compliance lists or full employee directories), causing candidates to mistake administrative details for core response components.

94 · MCQ · easy

A SOC analyst notices that a large volume of outbound traffic is occurring from a single workstation to an external IP address known to be associated with a command-and-control server. What is the most likely conclusion?

A. The network is experiencing a denial of service attack
B. The user is streaming video from a blocked site
C. The workstation is performing a legitimate software update
D. The workstation is infected with malware that is beaconing to the attacker
Answer: D

C2 communication is a hallmark of malware infection.

Why this answer

The large volume of outbound traffic from a single workstation to a known command-and-control (C2) server is a classic indicator of malware beaconing. Beaconing involves the infected host periodically sending small packets or HTTP/HTTPS requests to the C2 server to receive instructions or exfiltrate data, which matches the observed behavior. This is distinct from legitimate traffic patterns because the destination IP is specifically associated with malicious activity.

Exam trap

ISC2 often tests the distinction between a single workstation's outbound traffic to a known malicious IP versus generic network anomalies like DoS or legitimate updates, trapping candidates who confuse high-volume traffic with beaconing or assume any outbound traffic to an external IP is benign.

How to eliminate wrong answers

Option A is wrong because a denial of service (DoS) attack typically involves a flood of traffic from multiple sources targeting a single victim, not a single workstation sending outbound traffic to a known C2 server. Option B is wrong because streaming video from a blocked site would generate sustained, high-bandwidth traffic to a content delivery network or streaming service, not to a known C2 server, and would not match the beaconing pattern of periodic, low-volume requests. Option C is wrong because a legitimate software update would connect to the vendor's official update servers (e.g., Microsoft, Adobe) over HTTPS, not to an external IP address known to be associated with a C2 server, and would not exhibit the suspicious, periodic beaconing behavior.

95 · MCQ · hard

Refer to the exhibit. Based on the JSON policy, what access does the SecurityAuditor role have?

A. No access to any S3 resources.
B. Read-only access to all objects in the critical-data bucket.
C. Write access to the critical-data bucket.
D. Full access to the S3 bucket critical-data.
Answer: B

GetObject grants read access.

Why this answer

The JSON policy grants the SecurityAuditor role the `s3:GetObject` action on the `arn:aws:s3:::critical-data/*` resource, which provides read-only access to all objects in the critical-data bucket. The `Effect` is set to `Allow`, and no other actions like `s3:PutObject` or `s3:DeleteObject` are included, so the role cannot write or delete objects. This matches the correct answer B.

Exam trap

ISC2 often tests the distinction between bucket-level and object-level permissions, where candidates mistakenly assume that `s3:GetObject` on `/*` implies full access or write capabilities, but it only grants read access to objects.

How to eliminate wrong answers

Option A is wrong because the policy explicitly allows `s3:GetObject` on the critical-data bucket, so the role does have access to S3 resources. Option C is wrong because the policy does not include any write actions such as `s3:PutObject` or `s3:DeleteObject`, so write access is not granted. Option D is wrong because the policy only allows `s3:GetObject`, not full access (which would require actions like `s3:*` or `s3:PutObject`, `s3:DeleteObject`, `s3:ListBucket`, etc.).

96 · MCQ · hard

A security analyst reviews this firewall configuration. Which potential security issue exists?

A. Logging is not enabled at session start
B. Outbound traffic is not inspected for malicious content
C. The source is too restrictive
D. The policy does not specify a destination
Answer: B

SSL traffic is permitted without decryption or inspection.

Why this answer

Option B is correct because the firewall configuration shown only inspects inbound traffic (from the internet to the internal network) but does not apply any inspection to outbound traffic. Without outbound inspection, malicious content such as malware command-and-control traffic or data exfiltration can leave the network undetected. A security analyst should ensure that both inbound and outbound traffic are inspected for malicious content to provide comprehensive threat protection.

Exam trap

ISC2 often tests the misconception that only inbound traffic needs inspection because threats come from the internet, but the trap is that outbound traffic can carry malicious payloads or exfiltrate data, making outbound inspection equally important for a defense-in-depth strategy.

How to eliminate wrong answers

Option A is wrong because logging at session start is not a mandatory security requirement; logging at session end is typically sufficient for auditing and troubleshooting, and the absence of session-start logging does not represent a security issue. Option C is wrong because the source being too restrictive would actually reduce the attack surface, not create a security issue; overly permissive sources are the concern. Option D is wrong because the policy does specify a destination (the internal network), and a missing destination would cause the policy to fail to match traffic, not create a security issue.

97 · MCQ · medium

You are a security engineer responsible for the company's intrusion detection system (IDS). The IDS has been generating an excessive number of false positive alerts related to a legitimate application that uses encrypted traffic. The alerts are based on network signatures that match certain patterns in the encrypted payload. The volume of alerts is overwhelming the SOC team, and they are beginning to ignore IDS alerts altogether. You have the ability to modify IDS signatures and tune the system. Which of the following is the BEST approach to reduce false positives while maintaining security?

A. Create custom exceptions for the specific signatures that are causing false positives for the legitimate application.
B. Add the application's source IP addresses to a whitelist to suppress all alerts from that host.
C. Increase the threshold for alert generation so fewer alerts fire.
D. Disable all signatures that trigger on encrypted traffic.
Answer: A

This targeted approach reduces false positives while retaining overall detection capability.

Why this answer

Option A is correct because creating custom exceptions for the specific signatures that trigger false positives allows you to suppress alerts for the legitimate application without disabling broader detection capabilities. This targeted approach preserves the IDS's ability to detect actual threats in encrypted traffic while reducing noise for the SOC team. It is the most precise tuning method, as it only excludes the known benign traffic pattern rather than broadly disabling signatures or whitelisting entire hosts.

Exam trap

The trap here is that candidates often choose IP whitelisting (Option B) because it seems quick and easy, but Cisco tests the understanding that whitelisting entire hosts is overly broad and can hide malicious activity from the same source, whereas signature-specific exceptions are the correct, surgical tuning method.

How to eliminate wrong answers

Option B is wrong because whitelisting the application's source IP addresses suppresses all alerts from that host, including those for potentially malicious activity that might originate from the same IP (e.g., if the host is compromised or used for lateral movement). This creates a dangerous blind spot. Option C is wrong because increasing the alert threshold reduces the sensitivity of the IDS globally, which can cause true positive alerts for real threats to be missed, especially in low-volume attacks.

Option D is wrong because disabling all signatures that trigger on encrypted traffic eliminates the IDS's ability to detect threats that use encryption (e.g., malware C2 over TLS), which is a common evasion technique and would severely weaken security posture.
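What the "custom exception" in Option A looks like in practice, as an added example that is not part of the original question set: a Snort/Suricata threshold.conf fragment that silences one signature for the one host that legitimately trips it, beside the over-broad form the exam trap warns about. The gen_id/sig_id values and the address 10.20.30.40 are placeholders, not taken from the question.

```conf
# Surgical (Option A): suppress a single signature, and only when the
# source is the known-benign application host. Every other host still
# triggers this sid, and this host still triggers every other sid.
suppress gen_id 1, sig_id 2001234, track by_src, ip 10.20.30.40

# Middle ground when the analysts still want to see that the rule fires:
# keep the alert but rate-limit it to one per host per 10 minutes.
event_filter gen_id 1, sig_id 2001234, type limit, track by_src, count 1, seconds 600

# Over-broad (Option B, the trap): a pass rule that exempts ALL traffic from
# the host from every signature. Left commented out on purpose.
# pass tcp 10.20.30.40 any -> any any (msg:"blanket whitelist - do not use"; sid:9000001; rev:1;)
```

After reloading, confirm the tuning did what you intended: the sid should still fire for a test packet from a different source, and unrelated sids should still fire for 10.20.30.40. If the signature keeps matching encrypted payloads from other legitimate hosts, the right fix is to tighten the rule itself (for example with flow or content constraints) rather than to add more suppressions.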

98
MCQhard

An organization's security policy requires that all network traffic logs be retained for at least one year. The SIEM system is running low on storage, and the administrator must decide which data to archive first. Which data set is the least critical for ongoing security monitoring and can be archived earliest?

A.Intrusion detection system alerts
B.DNS query logs from internal DNS servers
C.Firewall deny logs
D.Authentication logs from domain controllers
AnswerB

DNS logs are less frequently used for real-time security monitoring and can be archived with lower priority.

Why this answer

DNS query logs from internal DNS servers are the least critical for ongoing security monitoring because they primarily contain name resolution requests, which are high-volume and low-signal data. While they can be useful for threat hunting or forensic analysis of malware command-and-control (C2) traffic, they are not essential for real-time alerting or immediate incident response. Archiving them first preserves storage for more actionable logs like IDS alerts, firewall denies, and authentication failures.

Exam trap

ISC2 often tests the misconception that DNS logs are critical for security monitoring because they can reveal C2 traffic, but the trap is that they are high-volume, low-signal data best suited for archival after more immediate security event sources are preserved.

How to eliminate wrong answers

Option A is wrong because intrusion detection system alerts are high-priority, actionable events that directly indicate potential security incidents; archiving them first would blind the SOC to ongoing attacks. Option C is wrong because firewall deny logs are critical for identifying reconnaissance scans, policy violations, and attempted breaches; they are often used in real-time correlation and incident triage. Option D is wrong because authentication logs from domain controllers are essential for detecting brute-force attacks, credential theft, and account compromise; they are a primary source for identity-based threat detection and compliance auditing.

99
MCQhard

A security analyst notices that system logs are being overwritten before the retention period ends. What is the most likely cause?

A.Malware is deleting logs
B.SIEM is consuming logs too quickly
C.Log rotation settings are misconfigured
D.Disk space is insufficient
AnswerC

Improper rotation settings (e.g., small file size) cause early overwriting.

Why this answer

Option C is correct because misconfigured log rotation settings (for example, a small size threshold combined with a low rotate count) discard older logs long before the retention period ends. Option D is wrong because insufficient disk space causes writes to fail or logging to stop, not premature rotation. Option A is possible but less likely than a configuration error, and malware that tampers with logs typically deletes or truncates them rather than overwriting them on a schedule. Option B is wrong because a SIEM collects copies of the logs; its consumption rate does not overwrite the originals on the host.
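The misconfiguration in Option C, shown concretely as an added logrotate example (not from the original page) for an assumed auth.log on a host that writes roughly 50 MB of authentication events a day; the path, volume and ownership are assumptions:

```conf
# Misconfigured: rotate whenever the file reaches 10M and keep only 5 copies.
# At ~50M/day that is about one day of history, not the one year the policy demands.
/var/log/auth.log {
    size 10M
    rotate 5
    missingok
    notifempty
}

# Corrected: rotate once a day, keep 365 dated, compressed copies.
# 'rotate' counts copies, so the retention period is only met if the
# rotation interval times the rotate count covers the policy period.
/var/log/auth.log {
    daily
    rotate 365
    compress
    delaycompress
    dateext
    missingok
    notifempty
    create 0640 root adm
}
```

A quick check for the analyst: list the rotated copies and compare the oldest timestamp against the retention requirement; if the oldest copy is days old rather than months old, rotation settings are the first thing to inspect. Keeping a year of logs locally also means planning disk capacity, so the corrected configuration is usually paired with forwarding to the SIEM or an archive before rotation.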

100
MCQmedium

An organization has a policy that all servers must have security patches applied within 30 days of release. Which of the following is the best practice for patching?

A.Skip patches that have not been widely tested
B.Apply patches to all servers simultaneously
C.Test patches in a non-production environment before deploying to production
D.Only apply critical patches
AnswerC

Testing validates patches without impacting production services.

Why this answer

Option C is correct because testing patches in a non-production environment first allows the organization to identify compatibility issues, performance regressions, or conflicts with existing software before risking production systems. This aligns with the change management principle of validating changes in a controlled setting, ensuring that the 30-day patching deadline can be met without introducing instability. Skipping testing (A) or applying patches simultaneously (B) could lead to widespread outages, while only applying critical patches (D) would leave the organization exposed to non-critical vulnerabilities that could be chained in an attack.

Exam trap

ISC2 often tests the misconception that 'all patches must be applied immediately' or that 'critical patches are the only priority,' but the trap here is that candidates overlook the necessity of a controlled testing phase to prevent production outages, even when a strict 30-day deadline exists.

How to eliminate wrong answers

Option A is wrong because skipping patches that have not been widely tested leaves the organization vulnerable to known exploits, and the policy requires all patches to be applied within 30 days, not just widely tested ones. Option B is wrong because applying patches to all servers simultaneously can cause cascading failures if a patch introduces a bug, and it violates the principle of staggered rollouts to maintain service availability. Option D is wrong because only applying critical patches ignores the policy's requirement for all security patches, and non-critical patches often address vulnerabilities that can be leveraged in multi-stage attacks (e.g., privilege escalation).

101
Multi-Selectmedium

Which TWO of the following are valid types of disaster recovery tests?

Select 2 answers
A.Tabletop exercise.
B.Full-scale simulation without prior notification.
C.Unit testing of individual applications.
D.Vulnerability scan.
E.Parallel test between primary and backup site.
AnswersA, E

Tabletop exercises involve walkthroughs of disaster scenarios.

Why this answer

Options A and E are correct. Tabletop exercises and parallel tests are standard DR test types. Option B describes an unannounced full-scale simulation, which is a scenario rather than one of the standard test categories.

Option C is unit testing of applications, unrelated to DR. Option D is a security assessment, not a DR test.

102
MCQeasy

An organization wants to ensure that a critical database can be restored within 2 hours after a failure. Which metric should the organization define?

A.Maximum Tolerable Downtime (MTD)
B.Service Level Agreement (SLA)
C.Recovery Point Objective (RPO)
D.Recovery Time Objective (RTO)
AnswerD

RTO sets the target restoration time.

Why this answer

Option D is correct because RTO (Recovery Time Objective) defines the maximum acceptable time to restore the database after a failure, which is exactly the 2-hour target. Option A is wrong because MTD is the broader maximum tolerable downtime for the business process, within which the RTO must fit. Option B is wrong because an SLA is a contractual agreement that may reference RTO and RPO targets but is not itself the metric. Option C is wrong because RPO measures acceptable data loss (the point in time to which data is recovered), not restoration time.

103
Multi-Selectmedium

Which TWO are key components of an effective incident response plan? (Select TWO.)

Select 2 answers
A.Business continuity procedures
B.List of forensic tools
C.Backup verification schedule
D.Communication plan for stakeholders
E.Post-incident review process
AnswersD, E

Critical for coordination during an incident.

Why this answer

Option D is correct because an incident response plan must include a communication plan for stakeholders to ensure timely and accurate information sharing during a security incident. This includes predefined escalation paths, contact lists, and communication channels (e.g., email, phone, secure messaging) to coordinate response efforts and manage external notifications (e.g., legal, PR, customers). Without a communication plan, response teams risk confusion, delays, and inconsistent messaging, which can exacerbate the incident's impact. Option E is correct because the post-incident review (lessons learned) feeds findings back into preparation, improving detection and response for the next incident.

Exam trap

ISC2 often tests the distinction between incident response and adjacent processes (like business continuity or disaster recovery) to see if candidates confuse overlapping but distinct security operations concepts.

104
MCQeasy

An organization's security policy requires that all employees change their passwords every 90 days. This is an example of which type of security control?

A.Deterrent control
B.Detective control
C.Preventive control
D.Corrective control
AnswerC

Regular password changes help prevent unauthorized access if credentials are stolen.

Why this answer

Password expiration policies, such as requiring a change every 90 days, are classified as preventive controls because they proactively reduce the risk of credential compromise by limiting the window of opportunity for an attacker to use a stolen or guessed password. This control enforces a security baseline before any unauthorized access can occur, directly preventing prolonged use of compromised credentials.

Exam trap

ISC2 often tests the distinction between preventive and deterrent controls, where candidates mistakenly classify password policies as deterrent because they 'discourage' sharing, but the key is that password expiration actively blocks access, not just discourages behavior.

How to eliminate wrong answers

Option A is wrong because a deterrent control is designed to discourage malicious behavior through the threat of consequences (e.g., warning banners, surveillance cameras), not to enforce a mandatory action like password rotation. Option B is wrong because a detective control identifies and logs security events after they occur (e.g., audit logs, intrusion detection systems), whereas password expiration proactively prevents stale credentials from being used. Option D is wrong because a corrective control remediates damage after an incident (e.g., restoring from backup, patching a vulnerability), not a scheduled administrative action to maintain security posture.

105
Multi-Selecteasy

Which TWO of the following are common indicators of a ransomware attack?

Select 2 answers
A.New user accounts created.
B.Elevated system performance.
C.Sudden decrease in network traffic.
D.Files with .encrypted extension.
E.Ransom note displayed on screen.
AnswersD, E

Encrypted file extensions are a common sign of ransomware.

Why this answer

Option D is correct because ransomware commonly encrypts victim files and appends a new extension such as .encrypted to indicate the files have been locked. This extension change is a direct artifact of the encryption process performed by the ransomware payload, making it a key forensic indicator during incident response.

Exam trap

ISC2 often tests the distinction between ransomware indicators and general malware or intrusion indicators, so candidates mistakenly associate user account creation (Option A) with ransomware when it is actually a lateral movement technique, not a direct ransomware artifact.

106
Multi-Selectmedium

Which TWO of the following are types of security controls?

Select 2 answers
A.Network
B.Corrective
C.All of the above
D.Preventive
E.None of the above
AnswersB, D

Corrective controls remedy damage after an incident.

Why this answer

Preventive and corrective controls are recognized types. The other options are not standard categories or are too broad.

107
MCQhard

During a disaster recovery test, the recovery time objective (RTO) for a critical application is 4 hours, but the actual recovery takes 6 hours. Which of the following best describes the impact?

A.Data loss beyond the recovery point objective (RPO).
B.The recovery point objective (RPO) is not met.
C.The application is unavailable for 2 hours longer than acceptable.
D.No impact because RTO is only a guideline.
AnswerC

Matches the definition of RTO breach.

Why this answer

The recovery time objective (RTO) defines the maximum acceptable downtime for an application. Since the RTO is 4 hours but the actual recovery took 6 hours, the application was unavailable for 2 hours beyond the acceptable threshold, directly impacting business continuity. This is a failure to meet the RTO, not the RPO, which concerns data loss.

Exam trap

ISC2 often tests the distinction between RTO and RPO, and the trap here is confusing the two metrics — candidates may incorrectly associate a recovery time failure with data loss (RPO) instead of availability (RTO).

How to eliminate wrong answers

Option A is wrong because data loss is measured by the recovery point objective (RPO), not the RTO; exceeding the RTO does not imply any data loss. Option B is wrong because the RPO is a separate metric that defines the maximum acceptable age of data in the recovery copy; the scenario does not mention any data loss or failure to meet the RPO. Option D is wrong because RTO is a contractual or policy-driven requirement, not a guideline; exceeding it represents a non-compliance that can have serious operational and financial consequences.

108
MCQhard

During a security incident, a forensic analyst needs to acquire the contents of RAM from a live system. Which tool should be used?

A.Disk cloning tool like dd
B.Network monitoring tool like Wireshark
C.Memory dump tool like DumpIt
D.Antivirus scanner
AnswerC

DumpIt captures volatile memory contents without powering down the system.

Why this answer

Option C is correct because specialized memory dump tools like DumpIt are designed to acquire volatile memory from a running system. dd images disks (Option A), Wireshark captures network traffic (Option B), and an antivirus scanner (Option D) neither preserves nor acquires evidence.

109
MCQeasy

A company's backup strategy requires daily full backups of all servers. The backup window is 4 hours. What is the primary risk if backups consistently take longer than the window?

A.Compliance requirements may be violated
B.Backup media may fill up
C.Backups may interfere with production operations
D.Backups may be corrupted
AnswerC

Overlapping backups can degrade system performance.

Why this answer

When backups consistently exceed the 4-hour window, they overlap with production hours, causing resource contention (CPU, I/O, network bandwidth) that degrades application performance and user experience. This directly risks production operations, as backup jobs compete with live workloads for system resources.

Exam trap

ISC2 often tests the misconception that exceeding a backup window is a compliance or storage issue, when the core risk is operational interference with production workloads.

How to eliminate wrong answers

Option A is wrong because compliance requirements typically mandate that backups exist, not that they complete within a specific window; exceeding the window does not inherently violate compliance unless the backup itself fails or is absent. Option B is wrong because backup media filling up is a capacity planning issue unrelated to the backup window duration; it occurs when retention policies or data growth are mismanaged, not when backups run long. Option D is wrong because backups being corrupted is a data integrity issue caused by hardware faults, software bugs, or network errors, not by the backup taking longer than the window.

110
MCQhard

An organization wants to ensure that its backup strategy can recover data within 2 hours after a system failure. Which metric should be defined in the disaster recovery plan?

A.Mean Time Between Failures (MTBF)
B.Recovery Point Objective (RPO)
C.Service Level Agreement (SLA)
D.Recovery Time Objective (RTO)
AnswerD

Specifies the maximum time to restore services after a disaster.

Why this answer

The Recovery Time Objective (RTO) defines the maximum acceptable time to restore systems and data after a disaster, directly addressing the 2-hour recovery requirement. In the context of backup strategy, RTO drives decisions on failover mechanisms, replication speed, and restoration procedures to meet the specified downtime limit.

Exam trap

ISC2 often tests the distinction between RTO and RPO, where candidates mistakenly choose RPO because they confuse 'recovery of data' with 'time to recover' rather than 'point in time to which data is recovered'.

How to eliminate wrong answers

Option A is wrong because Mean Time Between Failures (MTBF) measures the average time between system failures, not recovery time, and is used for reliability planning rather than disaster recovery timelines. Option B is wrong because Recovery Point Objective (RPO) defines the maximum acceptable data loss measured in time (e.g., 15 minutes of lost transactions), not the time to restore operations. Option C is wrong because a Service Level Agreement (SLA) is a contractual commitment that may include RTO/RPO targets but is not itself a metric; it is an agreement, not a specific recovery time measurement.

111
MCQhard

A company's security policy requires that all sensitive data be encrypted during transfer. A security administrator discovers that an internal web application is using a self-signed TLS certificate. What vulnerability does this introduce?

A.Data corruption
B.Increased latency
C.Replay attacks because TLS is not used
D.Man-in-the-middle attacks because the certificate cannot be verified
AnswerD

Without a trusted CA, clients cannot confirm the server's identity, allowing interception.

Why this answer

A self-signed TLS certificate is not signed by a trusted Certificate Authority (CA), so clients cannot verify the certificate's authenticity. This allows an attacker to intercept the TLS handshake, present their own self-signed certificate, and perform a man-in-the-middle (MITM) attack, decrypting and reading or modifying the data in transit.

Exam trap

ISC2 often tests the misconception that self-signed certificates mean TLS is not used, but the trap here is that TLS is still active; the real issue is the lack of certificate validation, which opens the door to MITM attacks.

How to eliminate wrong answers

Option A is wrong because data corruption refers to accidental bit flips or storage errors, not to the security weakness introduced by an untrusted certificate. Option B is wrong because increased latency is a performance issue, not a security vulnerability; self-signed certificates do not inherently cause more network delay than CA-signed certificates. Option C is wrong because TLS is still used with a self-signed certificate; the vulnerability is not the absence of TLS but the inability to verify the server's identity, which enables MITM attacks, not replay attacks (which TLS already prevents through handshake nonces and per-record sequence numbers).
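The practical consequence of Option D is how clients get "fixed": teams see a certificate error and turn verification off, which is the MITM-enabling setting. The added Python example below (not from the original page) shows that shortcut beside the safe alternative of pinning the server's self-signed certificate so verification stays on. The hostnames, ports and PEM input are assumptions; the PEM would be obtained out of band from the server's administrator.

```python
import socket
import ssl


def insecure_context() -> ssl.SSLContext:
    """The common 'fix' for a self-signed certificate: stop verifying.
    Any certificate is accepted, so an on-path attacker can substitute its own."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before verify_mode is changed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pinned_context(server_cert_pem: str) -> ssl.SSLContext:
    """Keep verification on, but trust exactly one certificate: the server's own
    self-signed cert, distributed out of band. The system CA store is deliberately
    not loaded, so no public CA can vouch for an impostor either."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname=True
    ctx.load_verify_locations(cadata=server_cert_pem)
    return ctx


def verification_status(ctx: ssl.SSLContext) -> str:
    """Classify a context the way a reviewer would when auditing client code."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return "unverified: MITM possible"
    if not ctx.check_hostname:
        return "cert checked but hostname not bound"
    return "verified"


def fetch_peer_cert(host: str, port: int, ctx: ssl.SSLContext) -> dict:
    """Connect and return the peer certificate. With the pinned context this raises
    ssl.SSLCertVerificationError for anything but the pinned cert. Note the gotcha:
    with CERT_NONE, getpeercert() returns {} even though a certificate was sent."""
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

To obtain the PEM to pin, run `openssl s_client -connect internal-app.example:443 -showcerts` from a trusted network position and compare the fingerprint with the administrator before saving it; pinning a certificate fetched over the untrusted path defeats the purpose. The longer-term fix is to issue the application a certificate from an internal CA that clients already trust.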

112
MCQhard

Refer to the exhibit. What type of event is this?

A.Account lockout
B.Successful remote login
C.Failed network login
D.Failed local login
AnswerC

Logon Type 3 confirms a network logon attempt.

Why this answer

Option C is correct because Logon Type 3 indicates a network logon (for example SMB or another remote authentication), and the event recorded is a failure (Event ID 4625). Option B is wrong because the event is a failed logon, not a success. Option D is wrong because a local (interactive) logon is Type 2; Type 10 is RemoteInteractive (RDP), and neither applies here.

Option A is wrong because an account lockout is a separate event (Event ID 4740), not a failed logon entry.

113
MCQmedium

Refer to the exhibit. A security engineer reviews this firewall ACL. Which of the following best describes the security posture?

A.The ACL is misconfigured because the deny for SSH is never reached
B.The ACL is properly ordered with most specific rules first
C.The ACL should have a deny any any at the end to be secure
D.The ACL correctly allows HTTPS and denies SSH, blocking other traffic
AnswerA

A permit for all traffic placed above the SSH deny matches SSH first, so the deny never fires and SSH is allowed.

Why this answer

Option A is correct because an ACL is evaluated top-down and the first matching entry wins. In this ACL a broad permit (permit ip any any) appears before the 'deny tcp any any eq 22' entry, so SSH traffic (TCP/22) matches the permit first and the deny is never evaluated; SSH is allowed despite the intent. The 'permit tcp any any eq 443' entry is not the problem, since it only matches port 443. The fix is ordering: place the specific SSH deny above the broad permit.

Exam trap

ISC2 often tests the implicit deny: candidates assume that because every Cisco ACL ends with an implicit 'deny ip any any', any explicit deny in the list will take effect, when in fact a broader permit placed earlier shadows it. Entry order determines the outcome, not the mere presence of a deny.

How to eliminate wrong answers

Option B is wrong because the ACL is not ordered most-specific first: the specific SSH deny sits below a broad permit that matches the same traffic, which is exactly the ordering error. Option C is wrong because Cisco ACLs already end with an implicit deny; appending an explicit 'deny ip any any' (useful only for logging hit counts) would not change the fact that SSH is permitted earlier in the list. Option D is wrong because SSH is not denied; it matches the earlier permit.
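To make the first-match behaviour concrete, here is an added Python evaluator (not from the original page) for a minimal extended-ACL syntax, with a shadowing check that flags entries that can never fire. The exhibit is not reproduced on this page, so the BROKEN_ACL below is an assumed reconstruction of the situation the answer describes: a broad permit sitting above the SSH deny. The evaluator implements the Cisco rule of an implicit deny at the end and supports only 'any' or CIDR addresses with an optional 'eq port'.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # "any" or a CIDR such as 10.0.0.0/24
    dst: str
    dport: Optional[int]   # None means any destination port


def parse_ace(line: str) -> Ace:
    """Parse an entry such as 'permit tcp any any eq 443' (no 'host'/wildcard forms)."""
    tok = line.split()
    dport = int(tok[5]) if len(tok) >= 6 and tok[4] == "eq" else None
    return Ace(tok[0], tok[1], tok[2], tok[3], dport)


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _ace_matches(e: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    return (e.proto in ("ip", proto)
            and _addr_match(e.src, src) and _addr_match(e.dst, dst)
            and (e.dport is None or e.dport == dport))


def evaluate(acl: List[str], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (decision, index of the matching entry);
    index None means the packet fell through to the implicit 'deny ip any any'."""
    for i, line in enumerate(acl):
        e = parse_ace(line)
        if _ace_matches(e, proto, src, dst, dport):
            return e.action, i
    return "deny", None


def _covers(broad: Ace, narrow: Ace) -> bool:
    """True when every packet matching 'narrow' also matches 'broad' (any/equal fields only)."""
    return (broad.proto in ("ip", narrow.proto)
            and broad.src in ("any", narrow.src)
            and broad.dst in ("any", narrow.dst)
            and (broad.dport is None or broad.dport == narrow.dport))


def shadowed_entries(acl: List[str]) -> List[int]:
    """Indexes of entries that can never fire because an earlier entry covers all their traffic."""
    aces = [parse_ace(line) for line in acl]
    return [j for j in range(len(aces)) if any(_covers(aces[i], aces[j]) for i in range(j))]


# Assumed reconstruction of the exhibit: the broad permit sits above the SSH deny.
BROKEN_ACL = [
    "permit tcp any any eq 443",
    "permit ip any any",
    "deny tcp any any eq 22",
]

# Corrected ordering: the specific deny first, then the permits; the implicit deny handles the rest.
FIXED_ACL = [
    "deny tcp any any eq 22",
    "permit tcp any any eq 443",
    "permit ip any any",
]
```

Running evaluate(BROKEN_ACL, "tcp", "10.0.0.5", "192.0.2.10", 22) returns a permit from entry 1, and shadowed_entries(BROKEN_ACL) reports entry 2, the SSH deny, as unreachable; the same checks against FIXED_ACL deny SSH at entry 0 with nothing shadowed. On a real device the equivalent check is to look at the per-entry hit counters in `show access-lists`: an entry whose counter never moves while the traffic it describes is clearly flowing is shadowed.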

114
MCQmedium

An organization has implemented a SIEM solution. The security team wants to detect when a user attempts to access a file they do not have permission to read. Which log source is most important for this detection?

A.Windows security event logs
B.Web server access logs
C.DNS logs
D.Firewall logs
AnswerA

Security event logs include audit events for file access and can show access denied events.

Why this answer

Windows security event logs are the definitive source. With object-access auditing enabled on the file (a SACL on the object plus the audit policy), a denied open is recorded as Event ID 4656 ('A handle to an object was requested') with the Audit Failure keyword, carrying the account name and SID, the object name, and the requested access mask; Event ID 4663 ('An attempt was made to access an object') records accesses that succeeded. The SIEM can therefore alert directly on 4656 failure events for sensitive paths, rather than having to reconstruct the DACL decision itself.

Exam trap

ISC2 often tests the misconception that network-level logs (firewall, DNS) or application-level logs (web server) can detect OS-level file access, when in fact only the operating system's security audit subsystem can capture such granular user-to-object access attempts.

How to eliminate wrong answers

Option B is wrong because web server access logs record HTTP requests to web resources, not local file system access on a Windows server or workstation; they cannot detect a user attempting to open a file via SMB or local Explorer. Option C is wrong because DNS logs only contain domain name resolution queries and responses, with no information about file paths, user identities, or access control decisions. Option D is wrong because firewall logs track network traffic based on IP addresses and ports, not user-level file access attempts within an operating system.

115
MCQhard

A company's IDS generates an alert for a potential SQL injection attack on a web application. The analyst reviews the log and sees the following: "SELECT * FROM users WHERE username = 'admin' OR 1=1 --'". Which action should the analyst take next?

A.Submit a change request to patch the application
B.Conduct a forensic analysis of the database
C.Verify if the WAF blocked the attack
D.Block the source IP immediately
AnswerC

First verify if the WAF mitigated the attack; IDS alerts often require correlation.

Why this answer

Option C is correct because the analyst's first priority is to determine whether the attack was actually successful or was already mitigated. A Web Application Firewall (WAF) sits in front of the web application and can inspect and block SQL injection payloads before they reach the database. By verifying the WAF logs, the analyst can confirm if the attack was blocked, which dictates the next steps—if blocked, no immediate escalation is needed; if not blocked, further investigation is required.

Exam trap

ISC2 often tests the candidate's ability to follow a proper incident response triage process—specifically, the trap is that candidates jump to a reactive action (like blocking IPs or patching) instead of first verifying whether existing controls (like a WAF) already mitigated the threat.

How to eliminate wrong answers

Option A is wrong because submitting a change request to patch the application is premature without first confirming that the attack was successful; patching is a long-term fix, not an immediate triage step. Option B is wrong because conducting a forensic analysis of the database is an invasive and time-consuming step that should only be taken if there is evidence that the attack actually reached and compromised the database, which is not yet known. Option D is wrong because blocking the source IP immediately could be an overreaction—the IP might be spoofed, part of a legitimate scan, or the attack might have already been blocked by the WAF; blocking without verification can cause unnecessary disruption and is not the standard first response in a security operations workflow.

116
Multi-Selecteasy

Which THREE of the following are important steps in the incident response process as defined by the NIST framework? (Choose three.)

Select 3 answers
A.Detection and Analysis
B.Vulnerability scanning
C.Containment, Eradication, and Recovery
D.Preparation
E.Post-incident auditing
AnswersA, C, D

Detecting and analyzing incidents is a key phase.

Why this answer

Preparation (D), Detection and Analysis (A), and Containment, Eradication, and Recovery (C) are the core NIST SP 800-61 phases. Vulnerability scanning (B) is part of ongoing security management, not incident response. Post-incident auditing (E) as worded is a compliance activity; NIST's fourth phase is Post-Incident Activity (lessons learned), which is not among the options.

117
MCQmedium

A security analyst discovers that a user's account has been used to access sensitive data outside of normal business hours from an unfamiliar IP address. The user claims they were not logged in at that time. Which security operations process should be initiated first?

A.Perform a forensic analysis of the user's workstation
B.Reset the user's password and enforce multi-factor authentication
C.Disable the user account immediately
D.Initiate the incident response process
AnswerD

The incident response process begins with detection and analysis; this scenario meets the criteria for initiating that process.

Why this answer

Option D is correct because the scenario describes a potential security incident—unauthorized access to sensitive data from an unfamiliar IP address outside business hours—which requires immediate activation of the incident response process. The first step in any security operations workflow is to follow the organization's incident response plan (NIST SP 800-61) to contain, analyze, and remediate the threat. Jumping to forensic analysis, password resets, or account disabling without a coordinated incident response can destroy evidence or fail to address the root cause.

Exam trap

ISC2 often tests the misconception that immediate account disabling or password reset is the correct first response, but the CC exam emphasizes that initiating the incident response process is the foundational step to ensure proper handling, evidence preservation, and coordination.

How to eliminate wrong answers

Option A is wrong because performing forensic analysis of the user's workstation is a later step in the incident response process, not the first action; it could also be irrelevant if the compromise originated from a remote attacker without local artifacts. Option B is wrong because resetting the password and enforcing MFA addresses only credential hygiene but does not investigate the extent of the breach, identify the attack vector, or preserve evidence—potentially alerting the attacker prematurely. Option C is wrong because disabling the user account immediately might disrupt legitimate business operations and could tip off an attacker, whereas a coordinated incident response includes controlled containment actions based on investigation.

118
MCQmedium

A security analyst observes these SSH logs. What is the MOST likely attack?

A.Brute force attack on SSH service
B.Session hijacking via SSH
C.Phishing attack targeting root and admin accounts
D.Denial of service attack on port 22
AnswerA

Multiple failed attempts from a single IP.

Why this answer

Option A is correct because many failed login attempts from the same source IP in a short period indicate a brute-force attack against the SSH service. Option C is wrong because phishing tricks users into giving up credentials and would not appear as repeated sshd authentication failures. Option B is wrong because session hijacking targets an already established session, not the authentication step.

Option D is wrong because the log shows authentication failures, not service exhaustion; there is no evidence of a DoS.
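The detection logic behind Option A, as an added Python example that is not part of the original question: parse sshd authentication failures and alert on any source that produces a burst of them inside a sliding window. The exhibit is not reproduced here, so the log lines below are constructed in standard syslog/sshd format; the hostnames, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample sshd log lines (syslog format), not taken from the exhibit.
SAMPLE_LOG = """\
Mar  3 10:15:01 bastion sshd[2201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar  3 10:15:04 bastion sshd[2203]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar  3 10:15:08 bastion sshd[2205]: Failed password for invalid user admin from 198.51.100.23 port 51034 ssh2
Mar  3 10:15:11 bastion sshd[2207]: Failed password for invalid user admin from 198.51.100.23 port 51041 ssh2
Mar  3 10:15:15 bastion sshd[2209]: Failed password for root from 198.51.100.23 port 51045 ssh2
Mar  3 10:15:19 bastion sshd[2211]: Failed password for invalid user oracle from 198.51.100.23 port 51052 ssh2
Mar  3 10:16:02 bastion sshd[2213]: Failed password for bob from 203.0.113.9 port 40011 ssh2
Mar  3 10:16:40 bastion sshd[2215]: Accepted publickey for alice from 10.0.0.8 port 40122 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log: str) -> Dict[str, List[Tuple[datetime, str]]]:
    """Return {source_ip: [(timestamp, username), ...]} for every failed password event.
    Accepted logins and other sshd messages are deliberately not counted."""
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; that is fine for windowing within one log.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        by_src[m.group("src")].append((ts, m.group("user")))
    return by_src


def detect_bruteforce(log: str, threshold: int = 5, window_seconds: int = 60) -> Dict[str, dict]:
    """Alert on any source with at least `threshold` failures inside a sliding window.
    The user list distinguishes a brute force (few users, many tries) from a spray."""
    alerts: Dict[str, dict] = {}
    for src, events in parse_failures(log).items():
        events.sort()
        times = [t for t, _ in events]
        for i in range(len(times) - threshold + 1):
            span = (times[i + threshold - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                alerts[src] = {
                    "attempts": len(events),
                    "users": sorted({u for _, u in events}),
                    "first": times[0].strftime("%H:%M:%S"),
                    "last": times[-1].strftime("%H:%M:%S"),
                }
                break
    return alerts
```

On the sample above only 198.51.100.23 is flagged (six failures in under a minute against root, admin and oracle); the single failure from 203.0.113.9 stays below threshold, which is the point of windowing rather than counting lifetime failures. A real deployment would feed the same logic from the SIEM and raise the severity when a source that was brute-forcing is later seen in an "Accepted password" line.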

119
MCQmedium

A company's security policy requires that all privileged access to critical servers be logged and monitored. The IT team has implemented a jump server (bastion host) for administrators to connect to critical servers. All SSH connections to the jump server are logged, and from there, administrators connect to target servers. The security team notices that some administrators are bypassing the jump server and connecting directly to critical servers from their workstations. The direct connections are not logged. The security team needs to enforce the policy without disrupting operations. Which of the following is the BEST solution?

A.Implement a host-based firewall on each critical server to block direct connections.
B.Send a warning email to all administrators reminding them of the policy.
C.Disable direct SSH access to critical servers at the network firewall level.
D.Revoke local administrator rights on workstations.
AnswerA

Specifically blocks unauthorized direct connections while allowing jump server traffic.

Why this answer

A host-based firewall on each critical server can enforce the security policy by blocking direct SSH connections (TCP port 22) from any source other than the jump server's IP address. This ensures that all administrative access must go through the jump server, where logging is already in place, without disrupting legitimate operations through the authorized path.

Exam trap

ISC2 often tests the distinction between network-based controls (like a perimeter firewall) and host-based controls, where candidates mistakenly choose a network firewall solution without realizing it does not block internal direct connections from the same subnet.

How to eliminate wrong answers

Option B is wrong because a warning email is a non-technical, administrative control that relies on user compliance and does not actually prevent the bypass; it fails to enforce the policy. Option C is wrong because disabling direct SSH access at the network firewall level would block all external SSH traffic to the critical servers, but it would not prevent direct connections from within the same subnet or from workstations on the internal network that are not subject to the firewall rule. Option D is wrong because revoking local administrator rights on workstations does not prevent users from using SSH clients to connect directly to critical servers; it only limits software installation privileges, not network connectivity.
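Option A expressed as an added nftables ruleset for a Linux critical server (example configuration, not from the original page). It assumes the jump server is 10.0.0.10 and that the server itself only needs to expose HTTP/HTTPS; adjust both per host. Besides blocking the bypass, it logs every direct SSH attempt, which is exactly the evidence the security team was missing.

```nftables
# Assumed: jump server at 10.0.0.10; this host serves only 80/443 to others.
table inet admin_access {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # SSH is reachable from the jump server only.
        tcp dport 22 ip saddr 10.0.0.10 accept

        # Any other SSH attempt is a policy bypass: record it, count it, drop it.
        tcp dport 22 counter log prefix "ssh-bypass-attempt: " drop

        # Application ports this server actually serves (adjust per host).
        tcp dport { 80, 443 } accept
    }
}
```

Load it with `nft -f` and verify from an administrator workstation that a direct `ssh` connection times out while the same connection through the jump server succeeds; the kernel log lines prefixed "ssh-bypass-attempt:" can then be shipped to the SIEM to identify who is still bypassing the bastion. Because this is a host-based control it holds even for workstations on the same subnet as the server, which is the gap the network firewall in Option C leaves open.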

120
Drag & Drop · medium

Drag and drop the steps to configure a basic VPN (site-to-site) between two routers into the correct order.

Why this order

Site-to-site VPN configuration involves IPsec, crypto maps, and verification.

121
MCQ · medium

An analyst reviews the firewall log exhibit. The source IP 10.0.1.100 is an internal web server. The destination IP 203.0.113.50 is an external host. What does this log pattern MOST likely indicate?

A. A denial-of-service (DoS) attack from the internal server to the external host
B. A port scan from the internal server to the external host
C. Normal web traffic from the server to the external host
D. An attempted SQL injection attack from the external host to the internal server
Answer: A

Multiple SYN packets without completion indicate a SYN flood, a type of DoS attack.

Why this answer

The log pattern shows the internal web server (10.0.1.100) sending traffic to an external host (203.0.113.50). In a typical network, internal web servers serve content to internal users rather than initiating outbound connections to external hosts. This anomalous outbound traffic pattern, especially when it involves a high volume of packets or connections, is characteristic of a denial-of-service (DoS) attack in which the internal server is used as a source to flood the external target, potentially because it has been compromised or misconfigured.

Exam trap

ISC2 often tests the candidate's ability to interpret traffic direction and normal vs. anomalous behavior, and the trap here is assuming that any traffic from a web server is legitimate, ignoring that internal servers should not typically initiate outbound connections to external hosts.

How to eliminate wrong answers

Option B is wrong because a port scan typically involves a single source sending packets to multiple ports on a target to discover open services, but the question does not mention multiple ports or a scanning pattern; it describes a general log pattern that is more indicative of a flood. Option C is wrong because normal web traffic from a server to an external host would be unusual for an internal web server, which is designed to serve internal clients; outbound connections from a server to an external host are not standard and suggest malicious activity. Option D is wrong because an SQL injection attack originates from an external host targeting an internal database or web server, not from the internal server to an external host; the direction of traffic in the log is reversed.

122
Multi-Select · easy

Which THREE are essential elements of a disaster recovery plan? (Select THREE.)

Select 3 answers
A. Recovery time objectives (RTOs)
B. Communication plan for employees
C. Business impact analysis results
D. Alternate processing site details
E. Backup procedures and schedules
Answers: A, D, E

Define target restoration times.

Why this answer

Recovery time objectives (RTOs) define the maximum acceptable downtime for a system or application after a disaster. They are essential because they directly drive the design of the recovery strategy, including resource allocation and technology choices, ensuring that critical services are restored within the business's tolerance for interruption.

Exam trap

ISC2 often tests the distinction between a disaster recovery plan (which focuses on IT systems and data recovery) and a business continuity plan (which includes broader organizational elements like employee communication and crisis management), causing candidates to mistakenly select the communication plan as a DRP essential.

123
MCQ · medium

Refer to the exhibit. An analyst sees these logs. What type of attack is occurring?

A. Phishing
B. SQL injection
C. Brute-force attack
D. Port scan
Answer: C

Multiple failed password attempts from a single source characterize a brute-force attack.

Why this answer

Option C is correct because repeated failed login attempts from the same IP indicate a brute-force attack. The other options do not match the pattern.

124
MCQ · hard

Refer to the exhibit. The IDS alert indicates a possible SpyEye botnet check-in from an internal host. What immediate action should the analyst take?

A. Isolate the internal host from the network
B. Ignore the alert as it is a false positive
C. Block the destination IP at the firewall
D. Run a full antivirus scan on the internal host
Answer: A

Isolating the host stops the C2 traffic and prevents lateral movement.

Why this answer

Isolating the internal host immediately stops the potential command-and-control (C2) communication with the SpyEye botnet, preventing data exfiltration or further compromise. This is the first step in incident response (containment) before any forensic analysis or remediation, as per NIST SP 800-61 guidelines. Delaying containment could allow the botnet to receive new instructions or spread laterally.

Exam trap

ISC2 often tests the principle that containment (isolation) must precede remediation (scanning or blocking) in incident response, tricking candidates into choosing a reactive firewall block or a delayed scan instead of immediate host isolation.

How to eliminate wrong answers

Option B is wrong because ignoring the alert assumes a false positive without verification; SpyEye check-ins are rarely benign and require investigation. Option C is wrong because blocking the destination IP at the firewall only disrupts communication to that specific IP, but botnets often use domain flux or multiple fallback IPs, and the internal host remains compromised and could beacon to other C2 servers. Option D is wrong because running a full antivirus scan is a remediation step that should occur after containment; the immediate priority is to stop the active C2 traffic, not to scan while the host is still communicating with the botnet.

125
MCQ · medium

During a vulnerability scan, the security team discovers a critical vulnerability on a public-facing server. According to best practices, what should the team do next?

A. Disable the server
B. Remediate immediately during business hours
C. Inform all users
D. Schedule a maintenance window
Answer: D

Scheduling a maintenance window allows for planned and tested remediation.

Why this answer

Option D is correct because, according to vulnerability management best practices, the first step after discovering a critical vulnerability is to schedule a maintenance window to apply a patch or mitigation in a controlled manner. This minimizes service disruption and allows for testing, ensuring the fix does not introduce new issues. Immediate remediation during business hours (Option B) could cause downtime or impact users, while disabling the server (Option A) is an extreme measure reserved for active exploitation with no available patch.

Exam trap

ISC2 often tests the misconception that 'critical' means 'act immediately without planning,' leading candidates to choose Option B, but the correct approach is to balance urgency with change control to avoid operational disruption.

How to eliminate wrong answers

Option A is wrong because disabling the server is a last-resort action typically taken only when the vulnerability is actively exploited and no patch or workaround exists; it unnecessarily disrupts services without following a structured response process. Option B is wrong because remediating immediately during business hours violates change management best practices, as it risks causing unplanned downtime and may bypass testing, which could lead to service outages or incomplete fixes. Option C is wrong because informing all users is premature and not a standard first step; disclosure should be controlled and communicated to relevant stakeholders (e.g., system owners, management) after a patch is ready or a mitigation plan is in place, to avoid unnecessary panic or security leaks.

126
MCQ · hard

A company is implementing a data loss prevention (DLP) solution. Which strategy BEST balances security and productivity when monitoring outgoing email?

A. Log all emails without any alerts
B. Block all emails containing keywords like 'confidential'
C. Encrypt all outgoing emails automatically
D. Alert on policy violations and allow user to override with manager approval
Answer: D

Balances security with business needs.

Why this answer

Option D is correct because it balances security and productivity by alerting on policy violations while allowing users to override the block with manager approval. This approach ensures that legitimate business communications are not disrupted, while still enforcing DLP policies through a secondary review process. In a DLP solution, this is often implemented via a 'justify and override' workflow, where the user must provide a reason and receive approval from a manager before the email is sent.

Exam trap

ISC2 often tests the concept that DLP is not just about blocking or encrypting data, but about applying policy with context and user feedback to balance security and productivity, leading candidates to mistakenly choose overly restrictive options like B.

How to eliminate wrong answers

Option A is wrong because logging all emails without any alerts provides no active enforcement or notification, failing to prevent data loss in real time and offering only passive auditing. Option B is wrong because blocking all emails containing keywords like 'confidential' is overly restrictive and lacks context, leading to high false positive rates that disrupt legitimate business communications and reduce productivity. Option C is wrong because encrypting all outgoing emails automatically does not prevent data loss; encryption protects data in transit but does not stop sensitive data from being sent to unauthorized recipients, which is the core function of DLP.

127
MCQ · easy

Which of the following is a best practice for securing physical access to a data center?

A. Allow employees to use personal badges for entry.
B. Implement mantrap entry with biometric verification.
C. Install CCTV only at the main entrance.
D. Use a single-factor authentication for all doors.
Answer: B

Mantraps prevent tailgating and biometrics provide strong authentication.

Why this answer

Option B is correct because mantrap entry with biometric verification provides strong physical access control: the mantrap prevents tailgating and the biometric factor provides strong authentication. Option A weakens security by allowing personal badges, which are not issued or controlled by the organization. Option C does not cover all areas, since CCTV at only the main entrance leaves other access points unmonitored. Option D is insufficient because single-factor authentication on every door offers no defense if the single credential is lost, stolen, or cloned.

128
Multi-Select · medium

Which TWO of the following are common indicators of a phishing email? (Select TWO.)

Select 2 answers
A. The email contains an attachment with a .txt extension
B. The email contains a sense of urgency, such as 'Your account will be closed.'
C. The email has a high-importance flag set by the sender
D. The email is sent to multiple recipients in the 'To' field
E. The sender's email address is similar but not identical to a legitimate domain
Answers: B, E

Urgency is a common social engineering tactic.

Why this answer

Option B is correct because phishing emails commonly exploit urgency to bypass rational decision-making. Attackers use phrases like 'Your account will be closed' to pressure recipients into clicking malicious links or providing credentials without verifying the source. This social engineering tactic is a hallmark of phishing campaigns.

Exam trap

ISC2 often tests the distinction between technical indicators (e.g., file extensions, headers) and behavioral indicators (e.g., urgency, domain spoofing), and the trap here is that candidates mistake common email features like high-importance flags or bulk addressing as phishing indicators when they are not inherently suspicious.
