Scenario-based practice

Refer to the Exhibit Practice Questions

Practise ISC2 Certified in Cybersecurity CC practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: CC | Vendor: ISC2

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Practice set

Practice scenarios

Question 1 (medium, multiple choice)

Refer to the exhibit. What action did the firewall take on the traffic from 10.0.1.15 to 10.0.2.10?

Exhibit

Refer to the exhibit.

```
syslog: 2025-03-15T10:23:45Z FW01 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.1.15(54321) -> 10.0.2.10(23), 1 packet
```

Question 2 (medium, multiple choice)

Based on the exhibit, what is the most likely result of the client's HTTP request?

Exhibit

Refer to the exhibit.

```
Router# show running-config | section interface GigabitEthernet0/1
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group BLOCK_HTTP in
!
ip access-list extended BLOCK_HTTP
 deny tcp any any eq 80
 permit ip any any
```

A client at 192.168.1.100 attempts to access a web server at 10.0.0.1. The router's interface IP is 192.168.1.1.

Question 3 (medium, multiple choice)

Refer to the exhibit. A security engineer reviews this firewall ACL. Which of the following best describes the security posture?

Exhibit

Refer to the exhibit.

```
[Firewall Config]
access-list 100 permit tcp any host 10.0.1.10 eq 443
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
```

Question 4 (easy, multiple choice)

Refer to the exhibit. A security analyst observes that users from the 192.168.1.0/24 network cannot access HTTPS websites, but HTTP access works fine. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
! Configuration snippet from router R1
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group 100 in
!
```

Question 5 (medium, multiple choice)

Refer to the exhibit. A security analyst is reviewing firewall logs and notices repeated denied TCP packets from 192.0.2.10 to internal hosts. The packets are being denied by the access-group "OUTSIDE_IN". What is the most likely reason for these denials?

Exhibit

Refer to the exhibit.

```
=== syslog output ===
Jan 15 09:23:45 firewall01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/3456 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 15 09:23:46 firewall01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/3457 dst inside:10.0.0.5/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 15 09:23:47 firewall01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/3458 dst inside:10.0.0.5/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 15 09:23:48 firewall01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/3459 dst inside:10.0.0.6/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
Jan 15 09:23:49 firewall01 %ASA-4-106023: Deny tcp src outside:192.0.2.10/3460 dst inside:10.0.0.6/23 by access-group "OUTSIDE_IN" [0x0, 0x0]
```

Question 6 (medium, multiple choice)

Refer to the exhibit. An administrator configures the above ACLs on a router. The goal is to allow internal users (192.168.1.0/24) to browse the web, and to allow SSH management from the internet to a server at 10.0.0.10. However, users report that they cannot browse external websites. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group OUTBOUND out
!
interface GigabitEthernet0/2
 ip address 10.0.0.1 255.255.255.0
 ip access-group INBOUND in
!
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 100 deny ip any any
!
access-list 110 permit tcp any host 10.0.0.10 eq 22
access-list 110 permit icmp any host 10.0.0.10 echo-reply
access-list 110 deny ip any any
```

Question 7 (hard, multiple choice)

Refer to the exhibit. An IDS generates this alert for traffic from an internal server (10.1.1.50) to an external IP on port 443. The security team investigates and finds that the server is a web application that normally uses TLS 1.2. What does this alert most likely indicate?

Exhibit

Refer to the exhibit.

```
[IDS Alert Log]
Timestamp: 2024-03-15 10:23:45
Signature: ET POLICY Outgoing SSLv3 Handshake (Possible SSL Stripping)
Source IP: 10.1.1.50
Destination IP: 203.0.113.10
Protocol: TCP
Port: 443
Payload: [Hex dump of ClientHello with version 3.0]
```

Question 8 (hard, multiple choice)

An analyst reviews the exhibit. What security principle is best demonstrated by this policy?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket1/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "10.0.0.0/24"}
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucket2/*"
    }
  ]
}
```

Question 9 (medium, multiple choice)

Refer to the exhibit. A security analyst reviews this log entry. What type of attack is most likely occurring?

Exhibit

Refer to the exhibit.

```
[Windows Security Log]
Event ID 4625: An account failed to log on.
Account Name: jdoe
Source Network Address: 192.168.1.100
Failure Reason: Unknown user name or bad password.
Count: 15 occurrences in 5 minutes.
```

Question 10 (hard, multiple choice)

Refer to the exhibit. A security analyst notices that a user with the Finance role is able to write to /finance/data from a macOS device at 10:00 AM. The policy shown is the only policy affecting this resource. What is the most likely reason for this behavior?

Exhibit

Refer to the exhibit.
```
Policy Name: FinanceApp Access
Subject: user role
Resource: /finance/data
Action: read, write
Condition: time between 09:00 and 17:00 AND device.os == "Windows"
Effect: Permit
```

Question 11 (hard, multiple choice)

Refer to the exhibit. The network administrator configured NAT as shown. Internal hosts can access the internet, but no external hosts can access the company's web server (192.168.1.10). What is the issue?

Exhibit

```
ip nat inside source static tcp 192.168.1.10 80 200.100.50.1 80
ip nat pool POOL 200.100.50.1 200.100.50.10 netmask 255.255.255.0
ip nat inside source list 1 pool POOL overload
access-list 1 permit 192.168.1.0 0.0.0.255
interface GigabitEthernet0/0
 ip address 200.100.50.1 255.255.255.0
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

Question 12 (medium, multiple choice)

Refer to the exhibit. An administrator needs to restore a database file from two weeks ago, but the backup log shows success. What is the most likely reason the file cannot be restored?

Exhibit

```
BackupPolicy:
  Source: /srv/db
  Destination: s3://backup-bucket/daily/
  Schedule: 0 2 * * *
  Encryption: AES-256
  Retention: 30 days
  Tests: Quarterly
```

Question 13 (easy, multiple choice)

Refer to the exhibit. A server administrator runs this command and sees the output. Which service is listening on a port that should typically be disabled to reduce the attack surface?

Exhibit

Refer to the exhibit.
```
C:\> netstat -an | find "LISTENING"
  TCP    0.0.0.0:80     0.0.0.0:0    LISTENING
  TCP    0.0.0.0:443    0.0.0.0:0    LISTENING
  TCP    192.168.1.10:3389  0.0.0.0:0    LISTENING
```

Question 14 (hard, multiple choice)

Refer to the exhibit. What is the effect of this ACL?

Exhibit

```
access-list 100 permit tcp host 10.0.1.0 0.0.0.255 host 192.168.2.100 eq 443
access-list 100 deny tcp any any eq 443
access-list 100 permit ip any any
```

Question 15 (medium, multiple choice)

Refer to the exhibit. The file is readable and writable by everyone. A user from the marketing team, user2, needs to be able to read the file but not write to it. Which command should the administrator use to achieve this?

Exhibit

```
-rw-rw-rw- 1 user1 devteam 1024 Mar 10 10:00 project_data.txt
```

These CC practice questions are part of Courseiva's free ISC2 certification practice question bank. Courseiva provides original exam-style CC questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.