
Scenario-based practice

Hard Difficulty Questions

Practise ISC2 Certified in Cybersecurity CC practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions
Exam code: CC
Vendor: ISC2

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply a concept in context, not just recognise its definition. Each scenario exercises:

How the topic appears in realistic exam-style scenarios.
Which detail in the question changes the correct answer.
How to eliminate plausible but wrong options.
How to connect the question back to the wider exam objective.

Practice scenarios

Question 1 (hard, multiple choice)

A security auditor discovers that a user has been granted read and write access to a sensitive file, but the user's job only requires read access. Which access control principle has been violated?

Question 2 (hard, multiple choice)

A company's network uses 802.1X authentication with PEAP-MSCHAPv2 on wired ports. Users report that after a recent switch firmware update, some workstations fail to authenticate intermittently, while others work fine. The authentication server logs show 'Authentication failed: Unknown CA certificate' for affected workstations. What is the most likely cause?

Question 3 (hard, multiple choice)

During a security audit, a penetration tester captures network traffic and finds that some packets have the IP ID field set to 0 and the DF (Don't Fragment) flag set. What is this technique attempting to do?

Question 4 (hard, multiple choice)

A SOC analyst is investigating a potential data exfiltration incident. The logs show that an internal user transferred a large volume of data to a cloud storage service using HTTPS. The analyst finds that the user's workstation has BitLocker Drive Encryption enabled, and the user has administrative privileges. Which of the following best describes the PRIMARY challenge in investigating this incident?

Question 5 (hard, multi select)

A security administrator is reviewing the principles of access control. Which TWO of the following are core components of the AAA framework? (Select TWO.)

Question 6 (hard, multi select)

Which TWO of the following are primary objectives of an incident response plan? (Choose two.)

Question 7 (hard, multi select)

A SOC analyst is investigating an incident where an employee's workstation was compromised via a phishing email. The analyst has captured the following indicators: the email originated from a known malicious domain, the attachment was a macro-enabled document, and the macro executed a PowerShell command that downloaded a payload from a remote server. Which TWO actions should the analyst take immediately as part of the incident response process? (Choose two.)

Question 8 (hard, multiple choice)

An organization is implementing a new identity management system. They want to ensure that users can only access resources necessary for their job roles. Which principle should guide the access control design?

Question 9 (hard, multiple choice)

A company is designing a new application that processes credit card payments. They want to ensure that no single administrator can bypass security controls to approve a fraudulent transaction. Which principle should be implemented?

Question 10 (hard, multi select)

Which THREE of the following are recognized security control types according to ISC2? (Choose three.)

Question 11 (hard, multiple choice)

Refer to the exhibit. An IDS generates this alert for traffic from an internal server (10.1.1.50) to an external IP on port 443. The security team investigates and finds that the server is a web application that normally uses TLS 1.2. What does this alert most likely indicate?

Exhibit:

```
[IDS Alert Log]
Timestamp: 2024-03-15 10:23:45
Signature: ET POLICY Outgoing SSLv3 Handshake (Possible SSL Stripping)
Source IP: 10.1.1.50
Destination IP: 203.0.113.10
Protocol: TCP
Port: 443
Payload: [Hex dump of ClientHello with version 3.0]
```

Question 12 (hard, multi select)

Which THREE are valid methods for authenticating a user in an access control system?

Question 13 (hard, multi select)

Which THREE of the following are characteristics of a stateful firewall? (Select exactly three.)

Question 14 (hard, multiple choice)

An organization uses Active Directory and wants to grant a group of temporary interns access to a shared folder for exactly 30 days. Which access control approach is most efficient?

Question 15 (hard, multiple choice)

During a security audit, it is found that a database administrator can access payroll data. The company policy states that administrators should not have access to sensitive HR data. Which security principle is being violated?

Question 16 (hard, multiple choice)

An organization is implementing a new system that processes financial transactions. To reduce the risk of fraud, they ensure that no single individual can both initiate and approve a transaction. Which security principle is this?

Question 17 (hard, multiple choice)

An analyst reviews the exhibit. What security principle is best demonstrated by this policy?

Exhibit:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket1/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "10.0.0.0/24"}
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucket2/*"
    }
  ]
}
```

Question 18 (hard, multiple choice)

A SOC analyst receives an alert indicating a user executed a PowerShell script that initiated outbound connections to an external IP. The script was delivered via email attachment. Which incident response phase is MOST appropriate for containing this threat?

Question 19 (hard, multi select)

Which TWO actions are appropriate during the identification phase of incident response?

Question 20 (hard, multiple choice)

A company's security policy requires that all incident response activities be logged and that evidence be preserved for potential legal action. During an incident, a responder mistakenly uses a personal USB drive to copy log files. Which principle of forensic evidence handling has been violated?

These CC practice questions are part of Courseiva's free ISC2 certification practice question bank. Courseiva provides original exam-style CC questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.