CCNA Cc Security Operations Questions

45 questions · Cc Security Operations topic · All types, answers revealed

1
MCQ · hard

An organization has a legacy system that cannot be patched due to vendor end-of-life. The system is critical for operations. Which compensating control is most appropriate to reduce the risk of exploitation?

A. Isolate the system on a separate network segment with strict access controls
B. Increase logging and monitoring without any network changes
C. Apply a virtual patch using a web application firewall
D. Remove the system from the network entirely
Answer: A

Network isolation limits attack surface and is a common compensating control.

Why this answer

Network isolation (segmentation) limits the system's exposure to potential attackers. A WAF can protect web-facing systems, but isolation is broader.

2
MCQ · hard

A configuration management tool detects that a critical server's security settings have changed from the approved baseline. What is the first action the security team should take?

A. Investigate the root cause of the configuration change
B. Isolate the server from the network
C. Automatically revert the settings to the baseline
D. Update the baseline to match the current configuration
Answer: A

Correct. Understanding why the change occurred is crucial.

Why this answer

The first step is to investigate the cause of the drift, as it may indicate a misconfiguration or compromise.

3
MCQ · hard

A SOC analyst reviews a SIEM alert indicating a high volume of outbound traffic from a server to an external IP address known for command-and-control activity. The analyst has confirmed the alert is not a false positive. What is the most appropriate next step?

A. Escalate the alert to Tier 3 for advanced analysis.
B. Conduct a deeper investigation to identify affected systems and data.
C. Block the external IP address at the firewall immediately.
D. Reboot the server to terminate any malicious processes.
Answer: B

Tier 2 investigates to understand the incident's scope and impact.

Why this answer

Tier 2 analysts conduct deeper investigation to determine the scope and impact of a confirmed incident before initiating response actions.

4
MCQ · medium

An employee receives an email from the CEO asking for an urgent wire transfer to a new vendor. The email address is slightly misspelled. What type of attack is this?

A. Shoulder surfing
B. USB drop attack
C. Tailgating
D. Phishing
Answer: D

Correct. Phishing uses deceptive emails to elicit actions.

Why this answer

This is a social engineering attack, specifically phishing (or business email compromise), aiming to trick the employee into transferring money.

5
MCQ · easy

A security analyst at a Security Operations Centre (SOC) receives an alert from the SIEM indicating multiple failed login attempts for a user account followed by a successful login from an unusual geographic location. According to SOC tier responsibilities, which tier should perform the initial triage of this alert?

A. Tier 1 analyst
B. IT support team
C. Tier 2 analyst
D. Tier 3 analyst
Answer: A

Tier 1 analysts monitor alerts and perform initial triage.

Why this answer

Tier 1 analysts are responsible for monitoring alerts and performing initial triage to determine if further investigation is needed.

6
MCQ · medium

An organization must retain authentication logs for compliance with PCI DSS. What is the minimum retention period and the requirement for immediate availability?

A. 6 months retention with 1 month immediately available
B. 24 months retention with 12 months immediately available
C. 18 months retention with 6 months immediately available
D. 12 months retention with 3 months immediately available
Answer: D

This matches PCI DSS requirements.

Why this answer

PCI DSS requires a minimum of 12 months retention with at least 3 months immediately available for analysis.

7
MCQ · easy

To protect the integrity of log files, which of the following is a best practice?

A. Use write-once storage or a separate log server
B. Store logs on the same server as the application
C. Allow administrators to edit logs for accuracy
D. Encrypt logs but store them locally
Answer: A

This prevents modification or deletion of logs.

Why this answer

Using write-once storage (e.g., WORM) or a separate log server prevents tampering with log data.

8
MCQ · easy

Which of the following is an indicator of a phishing email?

A. The email has a professional signature with contact information
B. The email includes a link that directs to a website with a domain similar to, but not exactly, the company's official domain
C. The email comes from a known colleague and contains a file attachment they mentioned earlier
D. The email is sent during regular business hours
Answer: B

Correct. Phishing often uses look-alike domains to trick users.

Why this answer

Phishing emails often contain suspicious links that lead to malicious websites. Unexpected senders and urgency are also common indicators.

9
MCQ · medium

An employee receives an email that appears to be from the CEO requesting an urgent wire transfer to a new vendor. The email contains several grammatical errors and the sender's address is slightly misspelled. What type of security incident is this?

A. USB drop attack
B. Tailgating incident
C. Password attack
D. Phishing attack
Answer: D

The email is fraudulent and attempts to deceive the employee.

Why this answer

This is a social engineering attack, specifically phishing (or CEO fraud), where the attacker impersonates a trusted figure to trick the employee.

10
Multi-Select · medium

An organization is implementing a patch management policy. Which THREE steps are part of the standard patch lifecycle?

Select 3 answers
A. Emergency patching without testing
B. Verifying backups before deployment
C. Deploying the patch to production systems
D. Vulnerability disclosure by the vendor
E. Testing the patch in a staging environment
Answers: C, D, E

Deployment is the final step in the standard lifecycle.

Why this answer

The standard patch lifecycle includes vulnerability disclosure, testing in staging, and deployment to production. Emergency patching is a separate process, and verifying backups is not a standard step in patching.

11
MCQ · medium

An organization wants to ensure that all workstations are configured according to a hardened baseline. Which process detects when a workstation deviates from this baseline?

A. Patch management
B. Change control
C. Security awareness training
D. Automated configuration scanning
Answer: D

Automated scanning compares current state to baseline and identifies deviations.

Why this answer

Configuration drift detection involves automated scanning that compares current configurations to the approved baseline and reports discrepancies.

12
MCQ · medium

An organization needs to retain authentication logs for compliance with PCI DSS. What is the minimum retention period required, and how long must the logs be immediately available?

A. 18 months retention, 6 months immediately available
B. 12 months retention, 3 months immediately available
C. 6 months retention, 1 month immediately available
D. 24 months retention, 12 months immediately available
Answer: B

This matches PCI DSS requirements.

Why this answer

PCI DSS requires logs to be retained for at least 12 months, with the most recent 3 months immediately accessible for analysis.

13
Multi-Select · medium

An organization is planning to implement a security awareness program. Which TWO topics should be included to address common social engineering attacks?

Select 2 answers
A. Recognizing phishing emails
B. Awareness of tailgating and piggybacking
C. Understanding encryption algorithms
D. Configuring firewall rules
E. Proper password management using a password manager
Answers: A, B

Phishing is a primary social engineering vector.

Why this answer

Phishing awareness and tailgating awareness are both critical social engineering topics. USB drop attacks are also social engineering, but the question asks for TWO; phishing and tailgating are the most common.

14
MCQ · medium

An organization must comply with PCI DSS log retention requirements. What is the minimum retention period for logs, and how long must they be immediately available for analysis?

A. 24 months retention, 12 months immediately available
B. 6 months retention, 1 month immediately available
C. 12 months retention, 3 months immediately available
D. 12 months retention, 6 months immediately available
Answer: C

Correct. This matches PCI DSS requirements.

Why this answer

PCI DSS requires logs to be retained for at least 12 months, with the most recent 3 months immediately available for review.

15
MCQ · hard

A legacy system cannot be patched due to vendor unavailability. Which compensating control would be most effective in reducing the risk of exploitation?

A. Increase logging and monitoring of the system.
B. Perform weekly vulnerability scans on the system.
C. Apply a virtual patch using an intrusion prevention system (IPS).
D. Deploy a web application firewall (WAF) in front of the system.
Answer: D

WAF can filter malicious traffic targeting known vulnerabilities.

Why this answer

Network isolation prevents attackers from reaching the vulnerable system, while a WAF adds an additional layer of defense for web-based vulnerabilities.

16
MCQ · medium

A company discovers a critical vulnerability in a widely used software application. The vendor has released a patch, but the company's patch management policy requires testing before deployment. What is the best course of action?

A. Apply the patch using emergency change control to critical systems first, then test and deploy to others
B. Wait for the next scheduled maintenance window to apply the patch
C. Deploy the patch immediately without testing to all systems
D. Test the patch in a staging environment and then deploy to production
Answer: A

Correct. Emergency patching prioritizes critical systems with expedited testing.

Why this answer

For critical vulnerabilities being actively exploited, emergency patching should bypass normal testing cycles to reduce risk quickly.

17
Multi-Select · hard

An organization is implementing a security baseline for new servers. Which THREE components are typically included in a hardened baseline configuration? (Choose three.)

Select 3 answers
A. Allowing remote desktop access from any IP address.
B. Disabling unnecessary services and ports.
C. Enabling automatic login for administrators.
D. Enforcing strong password policies.
E. Installing all available security patches.
Answers: B, D, E

Reduces attack surface.

Why this answer

Hardened baselines include disabling unnecessary services to reduce attack surface, enforcing strong password policies, and applying security updates to fix known vulnerabilities.

18
MCQ · medium

A SOC analyst detects a pattern of outbound traffic from an internal server to a known malicious IP address. Which SOC tier should this alert be escalated to for a deeper investigation?

A. Tier 3
B. Tier 2
C. Tier 1
D. Incident Response Team
Answer: B

Correct. Tier 2 conducts in-depth investigation.

Why this answer

Tier 2 analysts conduct deeper investigation to confirm if the activity is malicious and determine the scope.

19
MCQ · easy

What is the primary purpose of a Security Information and Event Management (SIEM) system?

A. Encrypt sensitive data at rest
B. Manage user passwords and access controls
C. Aggregate and correlate logs to generate alerts
D. Block malicious network traffic in real time
Answer: C

This is the core function of a SIEM.

Why this answer

A SIEM aggregates and correlates logs from various sources, generates alerts, and stores historical data for analysis and forensics.

20
MCQ · hard

A critical vulnerability is discovered in a widely used VPN appliance that is actively being exploited in the wild. The vendor has released an emergency patch. However, the organization's patch management policy requires testing in a staging environment before production deployment. What should the security team do?

A. Apply a workaround from the vendor and skip patching
B. Deploy the patch immediately without testing to all devices
C. Wait for the scheduled patch cycle to test thoroughly
D. Disconnect the VPN appliance until the next patch cycle
Answer: B

Emergency patching is justified to mitigate active exploitation risk.

Why this answer

For critical vulnerabilities under active exploitation, emergency patching should bypass normal testing to reduce risk, but compensating controls can be applied if immediate patching is not possible.

21
Multi-Select · medium

A SOC analyst is investigating a potential data exfiltration incident. Which TWO log sources would be most useful for identifying outbound data transfers? (Select TWO)

Select 2 answers
A. Firewall logs
B. Patch management logs
C. Proxy logs
D. System logs
E. Authentication logs
Answers: A, C

Correct. Firewall logs record outbound connections.

Why this answer

Firewall logs show allowed outbound connections, and proxy logs can reveal web traffic and file uploads, both critical for detecting exfiltration.

22
MCQ · easy

A Security Operations Center (SOC) Tier 1 analyst notices an alert for a failed login attempt from an unusual geographic location. What is the primary responsibility of a Tier 1 analyst in this scenario?

A. Escalate the alert to Tier 2 for further investigation.
B. Perform advanced forensic analysis on the affected system.
C. Conduct threat hunting to identify similar patterns.
D. Implement a firewall rule to block all traffic from that location.
Answer: A

Tier 1 triages and escalates suspicious alerts.

Why this answer

Tier 1 analysts monitor alerts, triage them, and escalate potential incidents to higher tiers for deeper investigation.

23
Multi-Select · medium

An organization is implementing a security awareness program. Which THREE topics should be included to address common social engineering attacks? (Select THREE)

Select 3 answers
A. Tailgating awareness
B. Secure coding practices
C. USB drop attack risks
D. Recognizing phishing emails
E. Password complexity requirements
Answers: A, C, D

Correct. Tailgating exploits human courtesy to gain physical access.

Why this answer

Phishing, tailgating, and USB drop attacks are common social engineering vectors. Password security, while important, is more about authentication hygiene.

24
MCQ · medium

A company's SIEM solution aggregates logs from various sources and generates an alert when multiple failed logins occur within a short timeframe. Which log source is most likely to provide the data for this alert?

A. System logs
B. Firewall logs
C. Application logs
D. Authentication logs
Answer: D

Authentication logs capture login successes and failures.

Why this answer

Authentication logs record login attempts, including failures, and are the primary source for detecting brute-force attacks.

25
MCQ · medium

A SOC analyst notices a large spike in outbound traffic from a workstation that is not scheduled for any data transfers. Upon checking the SIEM, the analyst sees that the workstation's antivirus was disabled 30 minutes ago. What type of logs should the analyst examine first to understand the sequence of events?

A. Application logs
B. Firewall logs
C. System logs
D. Authentication logs
Answer: C

System logs record service starts and stops, such as antivirus disabling.

Why this answer

System logs record service start/stop events, including antivirus disabling. Authentication logs may show who logged in, but system logs are more direct for service changes.

26
MCQ · easy

Which of the following is an indicator of a phishing email?

A. The email contains a sense of urgency and a suspicious link.
B. The email includes an attachment from a trusted source.
C. The email has a professional signature with contact details.
D. The email is from a known colleague.
Answer: A

Urgency and suspicious links are common phishing indicators.

Why this answer

Phishing emails often create a sense of urgency to pressure recipients into acting without thinking, such as claiming an account will be closed.

27
MCQ · easy

During a patch management cycle, a new vulnerability is disclosed in a widely used web server software. What is the first step an organization should take in the patch lifecycle?

A. Apply compensating controls if the patch cannot be installed.
B. Deploy the patch immediately to all production servers.
C. Test the patch in a staging environment.
D. Wait for the vendor to release a patch.
Answer: D

Vendor release is a prerequisite for testing and deployment.

Why this answer

The patch lifecycle begins with disclosure of the vulnerability, which prompts the vendor to develop and release a patch.

28
MCQ · medium

A critical zero-day vulnerability is actively being exploited in the wild, affecting an organization's internet-facing application. Which patching approach should be taken?

A. Isolate the application from the network and wait for a vendor patch.
B. Deploy an emergency patch without testing.
C. Implement a web application firewall (WAF) as a permanent solution.
D. Follow the standard patch lifecycle with testing.
Answer: B

Emergency patching prioritizes speed over testing to mitigate immediate threat.

Why this answer

Emergency patching is used for vulnerabilities that are actively exploited or have high severity, bypassing normal testing cycles to reduce risk quickly.

29
MCQ · medium

Which of the following is the most effective way to prevent tailgating in a secured facility?

A. Training employees to not hold doors open for unknown individuals.
B. Installing security cameras at all entrances.
C. Using keycard access for all doors.
D. Hiring security guards to monitor entrances.
Answer: A

Awareness training directly addresses the human behavior that enables tailgating.

Why this answer

Tailgating occurs when an unauthorized person follows an authorized person through a door. Employee awareness training teaches staff not to hold doors open for strangers.

30
MCQ · easy

An employee receives an email from an unknown sender claiming to be from the IT department, asking for their password to perform an urgent system update. What type of social engineering attack is this?

A. Phishing
B. Tailgating
C. USB drop attack
D. Piggybacking
Answer: A

Phishing uses deceptive emails to obtain sensitive information.

Why this answer

Phishing is a social engineering attack where attackers impersonate legitimate entities to trick victims into revealing sensitive information.

31
MCQ · medium

What is the primary purpose of using security baselines derived from CIS Benchmarks?

A. To ensure all systems have the same software versions
B. To monitor network traffic for anomalies
C. To automate patch deployment
D. To establish a secure starting point for system configuration
Answer: D

Correct. Baselines define secure configurations.

Why this answer

CIS Benchmarks provide hardened configuration standards to reduce vulnerabilities and improve security posture.

32
MCQ · hard

An organization implements a security baseline using CIS Benchmarks for all new servers. After a routine scan, a server is found to have a configuration that deviates from the baseline. The deviation was introduced by a system administrator to resolve a performance issue. What is the best course of action?

A. Ignore the deviation since it was done for a valid reason
B. Revert the change immediately without discussion
C. Update the baseline to match the new configuration
D. Document the change and submit it through the change control process
Answer: D

Change control ensures changes are reviewed, approved, and documented.

Why this answer

Any change to a security baseline should go through the change control process to ensure it is reviewed and approved, preventing unauthorized changes that could introduce vulnerabilities.

33
MCQ · easy

Which tier in a Security Operations Center (SOC) is primarily responsible for triaging alerts and determining whether to escalate?

A. SOC Manager
B. Tier 3
C. Tier 2
D. Tier 1
Answer: D

Correct. Tier 1 handles initial alert monitoring and triage.

Why this answer

Tier 1 analysts monitor alerts and perform initial triage, escalating potential incidents to Tier 2 for deeper investigation.

34
Multi-Select · medium

A SOC team is reviewing security controls for a new critical application. Which THREE of the following are essential components of a security operations capability?

Select 3 answers
A. SIEM for log aggregation and alerting
B. Vulnerability scanning tools
C. Data backup and recovery procedures
D. Configuration management with security baselines
E. Patch management process
Answers: A, D, E

SIEM is central to security monitoring.

Why this answer

SIEM, patch management, and configuration management are all core security operations functions. Backup management, while important, is not typically a SOC function.

35
MCQ · easy

Which of the following is a key function of a Security Information and Event Management (SIEM) system?

A. Blocking malicious network traffic
B. Correlating log data from multiple sources to identify security incidents
C. Enforcing password complexity requirements
D. Patching vulnerabilities in operating systems
Answer: B

Correct. Correlation is a core SIEM function.

Why this answer

SIEM aggregates and correlates logs from various sources to detect patterns and generate alerts.

36
MCQ · hard

An organization has a legacy system that cannot be patched due to vendor end-of-life. Which compensating control is most effective at reducing the risk of exploitation via network-based attacks?

A. Increasing log retention for the system
B. Implementing strict password policies
C. Deploying a Web Application Firewall (WAF) in front of the system
D. Conducting regular security awareness training
Answer: C

Correct. A WAF can filter malicious traffic and mitigate attacks.

Why this answer

A Web Application Firewall (WAF) can block malicious traffic targeting known vulnerabilities, providing a layer of defense for unpatched systems.

37
Multi-Select · medium

A security awareness trainer is developing material on USB drop attacks. Which TWO messages should be included in the training? (Choose two.)

Select 2 answers
A. Use the USB drive only on a non-networked computer.
B. Never plug in a USB drive that you found lying around.
C. Always scan a found USB drive with antivirus before using.
D. Report any discovered USB drives to the security team.
E. Format the USB drive before using it.
Answers: B, D

Unknown USB drives can contain malicious software.

Why this answer

Users should not plug in unknown USB drives as they may contain malware, and they should report found drives to security for safe handling.

38
Multi-Select · hard

A security engineer is designing a patch management process. Which TWO steps are part of the standard patch lifecycle? (Select TWO)

Select 2 answers
A. Vulnerability disclosure by researcher
B. Decommissioning the vulnerable system
C. Testing the patch in a staging environment
D. Deploying the patch to production systems after approval
E. Immediately deploying patches to all systems
Answers: C, D

Correct. Testing ensures patches don't break functionality.

Why this answer

The patch lifecycle includes testing in a staging environment and deploying to production after approval.

39
Multi-Select · easy

Which TWO of the following are common indicators of a phishing email?

Select 2 answers
A. Professional formatting with correct grammar
B. Presence of a file attachment
C. Use of the recipient's full name in the greeting
D. Unexpected sender or email address
E. Urgent language requesting immediate action
Answers: D, E

Phishing often uses spoofed or unexpected addresses.

Why this answer

Unexpected sender and urgent language are classic phishing indicators. File attachments can be malicious, but presence alone is not always phishing; legitimate emails have attachments too. The other options are not typical phishing indicators.

40
MCQ · medium

A security analyst notices repeated failed login attempts from an internal IP address to a domain controller, followed by a successful login. Which log type is most likely to provide detailed evidence of this activity?

A. Application logs
B. Firewall logs
C. System logs
D. Authentication logs
Answer: D

Correct. Authentication logs capture login attempts and outcomes.

Why this answer

Authentication logs record login attempts, including failures and successes, making them ideal for detecting brute-force attacks.

41
Multi-Select · medium

A security analyst is reviewing firewall logs and notices an unusually high number of blocked outbound connections to a single external IP address. Which TWO actions should the analyst take to investigate this potential security incident? (Choose two.)

Select 2 answers
A. Check threat intelligence feeds for the external IP address.
B. Increase logging for all traffic to that IP.
C. Disable the firewall rule that is blocking the connections.
D. Block all outbound traffic from the source system.
E. Identify the internal system generating the connections.
Answers: A, E

Threat intelligence can confirm if the IP is associated with malicious activity.

Why this answer

Investigating the source system helps determine if it is compromised; checking threat intelligence can reveal if the IP is known malicious.

42
MCQ · hard

A security administrator is implementing measures to protect log integrity. Which of the following is the most effective method to prevent tampering with logs after they are generated?

A. Rotating logs daily
B. Encrypting logs with a symmetric key
C. Storing logs on the local system drive
D. Using write-once storage
Answer: D

Correct. Write-once media prevents modification after writing.

Why this answer

Write-once storage (e.g., WORM) ensures logs cannot be altered or deleted, preserving integrity.

43
MCQ · hard

A security analyst needs to ensure that log data cannot be altered after it is written. Which of the following is the most effective method to protect log integrity?

A. Storing logs on the same server as the application
B. Using a separate log server with read-only access
C. Implementing write-once storage for log files
D. Encrypting logs with a symmetric key
Answer: C

Write-once media prevents modification of stored data.

Why this answer

Write-once storage (e.g., WORM drives) ensures data cannot be modified, deleted, or overwritten, preserving integrity.

44
MCQ · medium

Which type of log should be monitored to detect a user account that has been granted administrative privileges unexpectedly?

A. Authentication logs
B. Application logs
C. System logs
D. Firewall logs
Answer: A

Authentication logs track login events and privilege escalations.

Why this answer

Authentication logs typically record privilege escalation events, such as when a user is added to an admin group or granted elevated rights.

45
Multi-Select · hard

After a security incident, an investigator needs to analyze logs to determine the timeline of events. Which TWO types of logs are most likely to provide evidence of lateral movement within the network?

Select 2 answers
A. DNS logs
B. Authentication logs
C. Firewall logs
D. System logs
E. Application logs
Answers: B, C

Failed and successful logins can indicate lateral movement.

Why this answer

Authentication logs show user logins to different systems (lateral movement), and firewall logs show connections between internal hosts. System logs may show service creation but are not as direct.
