CCNA Security Operations Questions

75 of 128 questions · Page 1/2 · Security Operations topic · Answers revealed

1
MCQeasy

A security analyst is reviewing an alert from the IDS that shows a large number of TCP SYN packets sent to a single port on multiple internal hosts from a single external IP address. The analyst suspects a reconnaissance attack. Which type of attack is this most likely?

A.SYN flood
B.Ping sweep
C.Smurf attack
D.SYN scan
AnswerD

A SYN scan sends TCP SYN packets to determine which ports are open, characteristic of reconnaissance.

Why this answer

This is most likely a SYN scan (option D), a reconnaissance technique where an attacker sends TCP SYN packets to a specific port on multiple hosts to determine if the port is open. A SYN scan is stealthier than a full TCP connect scan because it never completes the three-way handshake, leaving fewer logs. The IDS alert describes the hallmark behavior of a SYN scan: a single external IP targeting the same port across many internal hosts.

Exam trap

ISC2 often tests the distinction between a SYN flood (DoS) and a SYN scan (reconnaissance), and the trap here is that candidates confuse the use of SYN packets in a volumetric attack versus a probing technique.

How to eliminate wrong answers

Option A is wrong because a SYN flood is a denial-of-service (DoS) attack that aims to overwhelm a single target with SYN packets, exhausting its connection table, not a reconnaissance scan across multiple hosts. Option B is wrong because a ping sweep uses ICMP Echo Request packets (ping) to discover live hosts, not TCP SYN packets to a specific port. Option C is wrong because a Smurf attack is a distributed DoS attack that sends ICMP Echo Requests with a spoofed source IP to a broadcast address, causing amplification, and does not involve TCP SYN packets or port scanning.

2
MCQmedium

During a security incident, the incident response team needs to preserve evidence. Which of the following actions should be performed first?

A.Notify law enforcement
B.Capture a memory dump
C.Power off the system
D.Run antivirus scan
AnswerB

Memory dump captures volatile data crucial for forensic analysis.

Why this answer

Capturing a memory dump (volatile data) is the first priority because it contains critical evidence such as running processes, network connections, and encryption keys that will be lost when the system is powered off. The order of volatility dictates that volatile data must be collected before any non-volatile data, and before any actions that could alter system state.

Exam trap

ISC2 often tests the principle of order of volatility, and the trap here is that candidates mistakenly think powering off the system preserves evidence, when in fact it destroys the most volatile and valuable forensic data.

How to eliminate wrong answers

Option A is wrong because notifying law enforcement is a procedural step that should occur after evidence has been secured, not before, and it does not directly preserve volatile evidence. Option C is wrong because powering off the system destroys volatile memory (RAM) and may cause loss of critical forensic data, such as active network connections and malware in memory. Option D is wrong because running an antivirus scan modifies the system state (e.g., quarantining files, altering timestamps) and can destroy or contaminate evidence, violating forensic integrity.

3
MCQhard

Which of the following is the best practice for managing cryptographic keys in a large organization?

A.Embed keys in application code to ensure availability.
B.Distribute keys to administrators via email for convenience.
C.Use a single key for all encryption to simplify management.
D.Store keys in a centralized hardware security module (HSM) with strict access controls.
AnswerD

HSM provides tamper-resistant key storage and management.

Why this answer

Option D is correct because a centralized Hardware Security Module (HSM) provides tamper-resistant, dedicated hardware for secure key generation, storage, and cryptographic operations. Strict access controls (e.g., role-based access, multi-factor authentication) ensure that only authorized personnel can manage keys, while the HSM prevents key extraction even if the host system is compromised. This aligns with NIST SP 800-57 guidelines for key management in large organizations.

Exam trap

ISC2 often tests the misconception that convenience (e.g., embedding keys in code or using a single key) is acceptable for key management, when in fact security and compartmentalization are paramount in enterprise environments.

How to eliminate wrong answers

Option A is wrong because embedding keys in application code exposes them to static analysis, reverse engineering, and version control leaks, violating the principle of key separation and making key rotation nearly impossible. Option B is wrong because distributing keys via email transmits them in cleartext over potentially insecure channels, exposing them to interception and violating confidentiality requirements (e.g., PCI DSS, GDPR). Option C is wrong because using a single key for all encryption violates key separation and compartmentalization; if that key is compromised, all encrypted data is exposed, and it prevents granular access control and rotation without massive re-encryption.

4
MCQmedium

During a routine security audit, an analyst finds that several critical servers have misconfigured firewall rules allowing inbound SSH access from the entire internet. Which immediate action should the analyst take?

A.Disable SSH on all servers
B.Notify the server owners and wait for their response
C.Document the finding and include it in the audit report
D.Modify the firewall rules to allow SSH only from specific management IPs
AnswerD

This directly mitigates the vulnerability by restricting access.

Why this answer

Option D is correct because the immediate priority is to eliminate the critical vulnerability by restricting inbound SSH access to only authorized management IPs. This aligns with the principle of least privilege and the immediate remediation steps in security incident response, as leaving the misconfiguration active even briefly exposes the servers to potential compromise.

Exam trap

ISC2 often tests the distinction between 'documenting' a finding and taking immediate remediation for a critical vulnerability, where candidates mistakenly choose documentation over action because they confuse audit procedures with incident response priorities.

How to eliminate wrong answers

Option A is wrong because disabling SSH entirely would disrupt legitimate administrative access and is an overly drastic measure that could cause operational outages; the correct approach is to restrict access rather than remove the service. Option B is wrong because waiting for server owners introduces an unacceptable delay in mitigating an active, critical vulnerability that exposes the servers to internet-wide brute-force attacks. Option C is wrong because merely documenting the finding without taking immediate corrective action violates the security analyst's duty to remediate critical risks promptly, as per standard incident response procedures.

5
MCQmedium

A security analyst is configuring an intrusion detection system (IDS) to detect SQL injection attacks. Which method is most effective?

A.Analyze DNS query patterns
B.Detect port scans from external IPs
C.Examine HTTP request parameters for SQL commands
D.Monitor bandwidth usage for spikes
AnswerC

This directly identifies SQL injection payloads in web requests.

Why this answer

Option D is correct because examining HTTP request parameters for SQL commands directly detects SQL injection attempts. The other options are unrelated or less effective.

6
MCQhard

A security operations center (SOC) analyst is investigating an alert about a user downloading a suspicious file. The analyst opens the file on a sandboxed virtual machine and observes that it attempts to modify registry keys and establish persistence. This type of analysis is known as:

A.Dynamic analysis
B.Static analysis
C.Reverse engineering
D.Threat hunting
AnswerA

Running the sample in a sandbox to observe behavior is dynamic analysis.

Why this answer

Dynamic analysis involves executing a suspicious file in a controlled environment, such as a sandboxed virtual machine, to observe its runtime behavior. In this scenario, the analyst runs the file and directly observes registry modifications and persistence mechanisms, which are characteristic of dynamic analysis. This approach captures actual system interactions that static analysis cannot reveal.

Exam trap

ISC2 often tests the distinction between dynamic and static analysis, and the trap here is that candidates may confuse 'reverse engineering' (which includes both static and dynamic methods) with the specific act of executing a file to observe behavior, leading them to select reverse engineering instead of the more precise dynamic analysis.

How to eliminate wrong answers

Option B is wrong because static analysis examines the file without executing it, typically by inspecting its binary structure, strings, or metadata, not by observing runtime behavior like registry changes. Option C is wrong because reverse engineering is a broader process that often includes static and dynamic techniques to understand a program's logic, but the specific act of running the file in a sandbox to observe behavior is dynamic analysis, not reverse engineering itself. Option D is wrong because threat hunting is a proactive search for indicators of compromise across an environment, not the analysis of a single file in a sandbox.

7
MCQhard

An analyst is reviewing a series of failed login attempts from multiple IP addresses targeting a single user account. This pattern is indicative of what type of attack?

A.Password spraying
B.Keylogging
C.Brute force
D.Credential stuffing
AnswerA

Password spraying uses multiple sources and common passwords to avoid detection.

Why this answer

Password spraying involves an attacker attempting a small number of common passwords (e.g., 'Password123', 'Welcome1') against many user accounts, or in this case, multiple IP addresses targeting a single user account. This pattern avoids account lockout thresholds by keeping attempts per IP low, making it distinct from brute force attacks that hammer a single account with many passwords from one source.

Exam trap

ISC2 often tests the distinction between password spraying and brute force by describing the number of IPs versus the number of passwords tried, so the trap here is confusing a distributed low-rate attack (password spraying) with a high-rate single-source attack (brute force).

How to eliminate wrong answers

Option B is wrong because keylogging requires malware to capture keystrokes on the user's device, not failed login attempts from multiple IP addresses. Option C is wrong because a brute force attack typically targets a single account with many password attempts from one or few IPs, not a low number of attempts from many IPs. Option D is wrong because credential stuffing uses previously leaked username/password pairs from other breaches, not a small set of common passwords tried across many IPs.

8
MCQmedium

You are a SOC analyst for a financial institution. At 2:00 AM, your SIEM generates a critical alert from the email security gateway indicating that an internal user received a phishing email with a malicious attachment. The email was delivered to the user's inbox, and the user's account activity logs show that the attachment was opened 10 minutes ago. The user is a junior accountant who works in the accounts payable department. You have access to endpoint detection tools, email logs, and network traffic data. The organization's incident response policy requires containment within 30 minutes of detection. Which action should you take FIRST?

A.Isolate the user's workstation from the network to prevent lateral movement.
B.Scan the user's workstation with antivirus software.
C.Block the sender's email address at the email gateway.
D.Send an email to the user instructing them to delete the email.
AnswerA

Isolation contains the incident quickly, as per policy.

Why this answer

The incident response policy requires containment within 30 minutes. Isolating the workstation (e.g., via network access control or disabling the switch port) immediately stops any ongoing malicious activity, such as command-and-control communication or lateral movement, which is the highest priority after detection. This aligns with the NIST SP 800-61 containment strategy and the SANS PICERL model, where containment precedes eradication and recovery.

Exam trap

ISC2 often tests the principle that containment must happen before any eradication or recovery steps, so candidates mistakenly choose scanning or blocking the sender because they focus on the email vector rather than the active compromise on the endpoint.

How to eliminate wrong answers

Option B is wrong because scanning with antivirus is an eradication step that should only occur after containment; the malware may already be executing, and scanning could trigger further malicious actions or alert the attacker. Option C is wrong because blocking the sender's email address is a preventive measure that does not address the already-opened attachment and active compromise on the user's workstation. Option D is wrong because instructing the user to delete the email is ineffective and dangerous—the attachment has already been opened, and the user may be compromised, so relying on user action wastes critical containment time.

9
Drag & Dropmedium

Drag and drop the steps to create a new VLAN on a managed switch into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

VLAN creation involves creating the VLAN, naming it, and assigning ports.

10
MCQmedium

Refer to the exhibit. Given the ACL shown, which traffic is allowed to reach 10.0.0.1?

A.No traffic is allowed.
B.HTTP and HTTPS only.
C.Only traffic from the internal network.
D.All TCP traffic from any source.
AnswerB

Permit statements for ports 80 and 443 allow HTTP and HTTPS.

Why this answer

The ACL permits TCP traffic to destination 10.0.0.1 with destination port numbers 80 (HTTP) and 443 (HTTPS). Since the ACL ends with an implicit deny any, only HTTP and HTTPS traffic is allowed to reach 10.0.0.1. Option B is correct because the ACL explicitly permits these two services.

Exam trap

ISC2 often tests the implicit deny any at the end of ACLs, leading candidates to forget that only explicitly permitted traffic is allowed, and that the ACL does not block traffic based on source network unless specified.

How to eliminate wrong answers

Option A is wrong because the ACL does permit some traffic (HTTP and HTTPS), so it is not true that no traffic is allowed. Option C is wrong because the ACL does not filter based on source network; it permits traffic from any source as long as the destination and port match. Option D is wrong because the ACL only permits TCP traffic to ports 80 and 443, not all TCP traffic.

11
MCQeasy

Which of the following is a primary goal of security operations?

A.Minimize user complaints
B.Increase network speed
C.Reduce attack surface
D.Ensure compliance with marketing standards
AnswerC

Security operations aim to reduce vulnerabilities and exposure.

Why this answer

Reducing the attack surface is a primary goal of security operations because it minimizes the number of potential entry points an attacker can exploit. By disabling unnecessary services, applying strict access controls, and segmenting networks, the organization lowers its risk of compromise. This directly supports the core security operations objective of protecting assets and maintaining confidentiality, integrity, and availability.

Exam trap

ISC2 often tests the misconception that security operations is about user satisfaction or performance optimization, when in fact its primary goal is risk reduction through attack surface minimization.

How to eliminate wrong answers

Option A is wrong because minimizing user complaints is a usability or helpdesk goal, not a primary security operations objective; security operations may even increase user friction (e.g., requiring MFA) to enforce security. Option B is wrong because increasing network speed is a performance goal typically handled by network engineering, not security operations; security controls like deep packet inspection can actually reduce speed. Option D is wrong because ensuring compliance with marketing standards is unrelated to security operations; compliance with security standards (e.g., PCI DSS, HIPAA) is relevant, but marketing standards are not a security concern.

12
MCQmedium

Refer to the exhibit. An analyst sees many alerts from this IDS rule. What is a likely cause?

A.A web application is vulnerable to SQL injection
B.An attacker is scanning for SQL injection
C.The rule is missing the "flow" keyword
D.The rule is poorly written generating false positives
AnswerD

The rule matches common SQL keywords in normal traffic, causing false positives.

Why this answer

Option D is correct because the IDS rule is likely generating excessive alerts due to poor signature design, such as using overly broad content matches or lacking proper contextual filters. Without the 'flow' keyword to establish session state (e.g., 'to_server, established'), the rule may trigger on any packet containing the SQL pattern, including non-exploit traffic like error messages or benign queries, resulting in false positives.

Exam trap

ISC2 often tests the distinction between a rule triggering due to actual malicious activity versus poor rule design, and the trap here is assuming that many alerts always indicate a real attack (like SQL injection scanning) rather than considering signature quality issues.

How to eliminate wrong answers

Option A is wrong because the alerts are from the IDS rule itself, not from confirmed exploitation; SQL injection vulnerability would require evidence of successful data extraction or error-based responses, not just rule hits. Option B is wrong because scanning for SQL injection typically involves sending multiple crafted payloads to probe endpoints, which would generate fewer, more targeted alerts rather than a high volume of false positives. Option C is wrong because while missing the 'flow' keyword can contribute to false positives, the question asks for the 'likely cause' of many alerts, and a poorly written rule (Option D) is the broader, more direct reason—missing 'flow' is just one specific example of poor rule writing.

13
MCQeasy

Which security control is most effective in preventing unauthorized physical access to a data center?

A.Mantraps.
B.Video surveillance.
C.Biometric door locks.
D.Security guards.
AnswerA

Physically restricts entry to one person at a time.

Why this answer

Mantraps create a double-door system that prevents tailgating, making them highly effective. Other controls like video surveillance and guards are deterrents but less direct at preventing unauthorized entry.

14
MCQeasy

Refer to the exhibit. A security analyst sees this log entry from a firewall. What is the most likely reason for this denial?

A.The destination port is not allowed
B.The source IP is blacklisted
C.The access-group is misconfigured
D.The packet is malformed
AnswerA

The access-group denies traffic to the destination port 33456.

Why this answer

The firewall log entry indicates a packet was denied due to a policy violation, and the most common reason for such a denial in a stateful firewall is that the destination port is not permitted by the configured access control list (ACL) or security policy. Firewalls evaluate traffic against rules that specify allowed source/destination IPs, ports, and protocols; if the destination port is not explicitly allowed, the packet is dropped. This is a standard security practice to restrict unauthorized services.

Exam trap

ISC2 often tests the concept that a firewall's default implicit deny will drop traffic if no explicit permit exists for the destination port, leading candidates to incorrectly assume the source IP is blacklisted or the packet is malformed.

How to eliminate wrong answers

Option B is wrong because a blacklisted source IP would typically generate a log with a specific reason such as 'blacklist' or 'reputation', not a generic denial, and the log entry does not indicate a blacklist match. Option C is wrong because a misconfigured access-group would likely cause broader connectivity issues or permit unintended traffic, not a single specific denial; the log entry shows a targeted drop, not a configuration error. Option D is wrong because a malformed packet would usually be dropped by the firewall's stateful inspection or TCP/IP stack with a different log message (e.g., 'invalid packet' or 'TCP flags violation'), not a standard policy denial.

15
MCQeasy

Which of the following is an example of a detective control in a security operations context?

A.Installing a security patch to fix a vulnerability.
B.Reviewing audit logs for suspicious activity.
C.Requiring multi-factor authentication for remote access.
D.Firewall rules blocking unauthorized traffic.
AnswerB

Audit log review detects incidents that have already happened.

Why this answer

Detective controls are designed to identify and alert on security incidents after they have occurred. Reviewing audit logs for suspicious activity is a classic detective control because it involves examining historical records to detect unauthorized access or anomalies. In contrast, preventive controls like patching, MFA, and firewall rules aim to stop incidents before they happen.

Exam trap

ISC2 often tests the distinction between preventive and detective controls, and the trap here is that candidates confuse 'blocking' or 'preventing' actions (like patching or firewalls) with detective controls that only monitor and alert after the fact.

How to eliminate wrong answers

Option A is wrong because installing a security patch is a corrective control that fixes a known vulnerability, not a detective control that identifies ongoing or past threats. Option C is wrong because requiring multi-factor authentication is a preventive control that verifies identity before granting access, not a detective measure. Option D is wrong because firewall rules blocking unauthorized traffic is a preventive control that enforces access policies at the network layer, not a detective control that reviews events after the fact.

16
MCQhard

After a security incident, the incident response team closes the case. What is the MOST important final step to improve future security posture?

A.Revoke all compromised credentials
B.Patch all systems
C.Restore all systems from backup
D.Conduct a post-incident review and update policies
AnswerD

Ensures continuous improvement.

Why this answer

Option D is correct because the post-incident review (often called a lessons-learned meeting) is the final step that analyzes root causes, identifies gaps in detection or response, and drives updates to policies, playbooks, and security controls. Without this review, the same vulnerability or misconfiguration could be exploited again, even if immediate containment steps like credential revocation or patching were performed. The goal is to close the incident with a feedback loop that improves the overall security posture, not just restore operations.

Exam trap

ISC2 often tests the distinction between immediate remediation steps (like patching or credential revocation) and the final continuous improvement step (post-incident review), trapping candidates who confuse containment/recovery with the ultimate goal of preventing future incidents.

How to eliminate wrong answers

Option A is wrong because revoking compromised credentials is a containment step performed during the early stages of incident response, not the final step; it does not address underlying vulnerabilities or process improvements. Option B is wrong because patching all systems is a remediation action that may be necessary but is not the final step—it focuses on technical fixes without analyzing why the incident occurred or updating policies to prevent recurrence. Option C is wrong because restoring systems from backup is a recovery step that returns operations to normal but does not provide any insight into the incident's root cause or lead to long-term security improvements.

17
MCQeasy

A help desk technician receives a report that a user cannot access a shared network drive. The technician checks the file server and sees that the disk is full. What is the most immediate action the technician should take?

A.Reboot the file server
B.Free up space by deleting unnecessary files or moving data
C.Run antivirus scan
D.Increase disk quota
AnswerB

This directly addresses the root cause (disk full) and can quickly restore access.

Why this answer

Option B is correct because freeing up space restores access. The other options are either not immediate or do not directly address the disk full issue.

18
MCQmedium

A SOC analyst is reviewing logs from a web server and sees the following entry: GET /../../../../etc/passwd HTTP/1.1 Which type of attack is being attempted?

A.Cross-site scripting
B.SQL injection
C.Directory traversal
D.Cross-site request forgery
AnswerC

The '..' sequence indicates an attempt to navigate directories.

Why this answer

The log entry shows a GET request with '../' sequences attempting to navigate outside the web root to access the '/etc/passwd' file. This is the classic signature of a directory traversal attack, which exploits insufficient path sanitization to read arbitrary files on the server. The correct answer is C because the attack targets the file system, not the application's data layer or client-side scripts.

Exam trap

ISC2 often tests directory traversal by including a file path like '/etc/passwd' in the URL, which candidates may mistakenly associate with SQL injection or XSS due to the presence of 'passwd' or the GET method, but the key indicator is the '../' sequence indicating file system navigation.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting malicious scripts into web pages viewed by other users, not manipulating file paths in HTTP requests. Option B is wrong because SQL injection targets database queries by inserting SQL commands into input fields, whereas this request is a simple GET with path traversal sequences and no SQL syntax. Option D is wrong because cross-site request forgery (CSRF) tricks a user's browser into making unintended requests on their behalf, but the log shows a direct attacker-controlled request, not a forged one.

19
MCQmedium

A company deploys a new intrusion detection system (IDS) on the internal network. Which of the following best describes the primary purpose of this system?

A.Block malicious traffic in real time.
B.Detect and alert on potential security incidents.
C.Encrypt sensitive data at rest.
D.Prevent unauthorized access to the network.
AnswerB

The core function of an IDS is detection and alerting.

Why this answer

An intrusion detection system (IDS) is a passive monitoring technology that analyzes network traffic or system activity for signs of malicious behavior or policy violations. Unlike an intrusion prevention system (IPS), an IDS does not take inline action to block traffic; its primary purpose is to detect suspicious activity and generate alerts for security personnel to investigate and respond.

Exam trap

ISC2 often tests the distinction between IDS and IPS, where candidates mistakenly assume an IDS can block traffic because they conflate detection with prevention.

How to eliminate wrong answers

Option A is wrong because blocking malicious traffic in real time is the function of an intrusion prevention system (IPS), not an IDS; an IDS operates out-of-band and cannot actively block traffic. Option C is wrong because encrypting sensitive data at rest is a data protection mechanism typically handled by encryption tools, file-level encryption, or full-disk encryption, not by an IDS. Option D is wrong because preventing unauthorized access to the network is the role of firewalls, access control lists (ACLs), or authentication systems, whereas an IDS only monitors and alerts on potential threats without enforcing access controls.

20
MCQeasy

An employee reports receiving a suspicious email with an attachment from an unknown sender. What is the first action the employee should take?

A.Open the attachment to check its content.
B.Report the email to the security team.
C.Forward the email to all employees as a warning.
D.Delete the email immediately.
AnswerB

Ensures proper handling of the potential security incident.

Why this answer

Reporting the email to the security team allows professionals to analyze and respond appropriately. Deleting the email or opening the attachment can be dangerous; forwarding may spread the threat.

21
MCQeasy

A SOC analyst reviews an alert indicating a high number of failed login attempts from a single external IP address targeting multiple user accounts. Which security control is most effective at preventing this type of attack?

A.Deploying a web application firewall
B.Enabling verbose logging for authentication events
C.Increasing password complexity requirements
D.Implementing account lockout policies
AnswerD

Account lockout policies limit the number of failed attempts, preventing continued brute-force attacks.

Why this answer

Option D is correct because account lockout policies directly mitigate brute-force attacks by temporarily disabling an account after a defined number of failed login attempts (e.g., 5 failures within 15 minutes). This prevents the attacker from continuing to guess passwords for multiple user accounts from a single external IP, without affecting legitimate users who can be unlocked after a lockout duration or via an administrative reset.

Exam trap

ISC2 often tests the misconception that a WAF (Option A) can stop brute-force attacks, but the trap is that WAFs operate at Layer 7 for web traffic and do not control authentication attempts against native OS or directory service logins.

How to eliminate wrong answers

Option A is wrong because a web application firewall (WAF) inspects HTTP/HTTPS traffic for application-layer attacks (e.g., SQL injection, XSS), not authentication brute-force attempts against a directory service or operating system login. Option B is wrong because enabling verbose logging for authentication events only improves visibility and forensic analysis; it does not prevent the attack from succeeding. Option C is wrong because increasing password complexity requirements makes passwords harder to guess but does not stop an attacker from making unlimited login attempts; brute-force tools can still try millions of complex passwords over time.

22
MCQhard

A company's security policy requires that all incident response activities be logged and that evidence be preserved for potential legal action. During an incident, a responder mistakenly uses a personal USB drive to copy log files. Which principle of forensic evidence handling has been violated?

A.Integrity
B.Chain of custody
C.Availability
D.Confidentiality
AnswerB

Using unapproved media and not documenting the transfer violates chain of custody.

Why this answer

The chain of custody is a documented record that tracks the seizure, control, transfer, analysis, and disposition of evidence. By using a personal USB drive to copy log files, the responder introduces an unverified and uncontrolled storage medium, breaking the documented chain and making it impossible to prove that the evidence was not tampered with or contaminated. This directly violates the requirement to preserve evidence for potential legal action.

Exam trap

ISC2 often tests the distinction between chain of custody and integrity by presenting a scenario where evidence is copied to an unauthorized device, leading candidates to mistakenly choose 'Integrity' because they focus on potential data alteration rather than the lack of documented control over the evidence.

How to eliminate wrong answers

Option A is wrong because integrity refers to the assurance that data has not been altered or destroyed in an unauthorized manner; while using a personal USB drive could potentially affect integrity, the core violation here is the lack of documented control over the evidence, not the alteration of the data itself. Option C is wrong because availability concerns ensuring that data and systems are accessible when needed; the responder was able to copy the log files, so availability was not compromised. Option D is wrong because confidentiality involves preventing unauthorized disclosure of information; although using a personal USB drive might raise confidentiality concerns, the primary forensic principle violated is the broken chain of custody, not the exposure of the data.

23
MCQeasy

A security operations center (SOC) analyst receives an alert for a potential malware infection on a workstation. Which of the following is the first action the analyst should take?

A.Reimage the workstation
B.Run a full antivirus scan
C.Isolate the workstation from the network to prevent spread
D.Notify law enforcement
AnswerC

Immediate containment limits damage and buys time for analysis.

Why this answer

When a potential malware infection is detected, the immediate priority is containment to prevent lateral movement and further compromise. Isolating the workstation from the network (e.g., disabling the network interface or disconnecting the cable) stops the malware from communicating with command-and-control servers or spreading to other hosts. This aligns with the NIST incident response framework's containment phase, which precedes eradication and recovery actions.

Exam trap

ISC2 often tests the principle that containment (isolation) must come before eradication (scanning or reimaging), and candidates mistakenly choose a remediation step like running a scan or reimaging as the first action.

How to eliminate wrong answers

Option A is wrong because reimaging the workstation destroys forensic evidence and is a recovery step that should only occur after containment and investigation. Option B is wrong because running a full antivirus scan while the system is still connected to the network may alert the malware, trigger destructive behavior, or allow continued data exfiltration during the scan. Option D is wrong because notifying law enforcement is a post-containment, post-investigation step that is not the first action; it is typically reserved for incidents involving sensitive data or legal requirements, not initial triage.

24
Multi-Selecthard

A security operations center (SOC) analyst is investigating a potential data exfiltration. Which two indicators are most likely signs of data exfiltration?

Select 2 answers
A.Large number of failed login attempts
B.Frequent DNS queries to known malicious domains
C.Unexpected large file transfers via FTP
D.Multiple antivirus alerts
E.Unusual outbound traffic to a foreign IP
AnswersC, E

Large file transfers out of the network are a classic exfiltration sign.

Why this answer

Unexpected large file transfers via FTP are a classic indicator of data exfiltration because FTP is a clear-text protocol often used to move bulk data out of a network. A sudden spike in outbound FTP traffic, especially to an unfamiliar external IP, suggests an attacker is compressing and uploading stolen files. This behavior directly matches the exfiltration phase of the Cyber Kill Chain.

Exam trap

ISC2 often tests the distinction between indicators of compromise (IOCs) for different attack phases—candidates confuse C2 beaconing (DNS queries) with data exfiltration (large file transfers), or mistake authentication failures for exfiltration activity.

25
MCQmedium

A company is implementing a security information and event management (SIEM) system. Which data source is most critical for detecting an ongoing brute-force attack?

A.DNS logs.
B.Authentication logs.
C.Firewall logs.
D.Application logs.
AnswerB

Directly contain login attempt records.

Why this answer

Authentication logs record successful and failed login attempts, which are directly indicative of brute-force attacks. Other logs may provide supporting information but are not as directly tied to the attack.

26
Multi-Selecteasy

Which TWO of the following are types of security controls used in defense in depth? (Select TWO.)

Select 2 answers
A.Detective controls
B.Corrective controls
C.Compensating controls
D.Administrative controls
E.Preventive controls
AnswersA, E

Detective controls identify attacks, e.g., IDS.

Why this answer

Detective controls are a core type of security control in a defense-in-depth strategy, designed to identify and alert on ongoing or past security incidents. Examples include intrusion detection systems (IDS) like Snort or Suricata, which analyze network traffic for malicious patterns, and security information and event management (SIEM) systems that correlate logs to detect anomalies. These controls provide visibility into the security posture, enabling timely response to threats that bypass preventive measures.

Exam trap

ISC2 often tests the distinction between control categories by including 'Administrative controls' as a distractor, leading candidates to confuse governance-level controls (policies, awareness training) with the operational control types (preventive, detective, corrective) that form the core of defense in depth.

27
MCQmedium

A security operations center (SOC) analyst receives an alert for a high volume of outbound traffic from an internal server to a known malicious IP address. Which step should the analyst take next?

A.Shut down the server.
B.Disregard the alert as a false positive.
C.Block all outbound traffic from the server.
D.Isolate the server from the network.
AnswerD

Immediately contains the potential compromise.

Why this answer

Isolating the server stops the suspicious traffic and prevents further data exfiltration or lateral movement while the incident is investigated. Other actions are either too broad or premature.

28
MCQmedium

An organization is implementing a new logging policy. Which type of data should be excluded from logs to comply with privacy regulations?

A.System performance metrics
B.User authentication attempts
C.Personal identifiable information (PII)
D.Network traffic patterns
AnswerC

Logging PII violates privacy regulations and should be avoided.

Why this answer

Option C is correct because Personal Identifiable Information (PII) should be excluded from logs to comply with privacy regulations like GDPR. Options A, B, and D are typically safe to log and important for security monitoring.

29
MCQhard

A large organization has implemented a Security Operations Center (SOC) with a tiered incident response model. Tier 1 analysts triage alerts and escalate confirmed incidents to Tier 2 for deeper analysis. Recently, the SOC has been overwhelmed by a high volume of low-severity alerts from endpoint detection and response (EDR) tools, causing delays in handling true positive incidents. The SOC manager wants to reduce alert fatigue without missing critical threats. Which of the following strategies would be MOST effective?

A.Require Tier 2 analysts to review all alerts before Tier 1.
B.Increase the number of Tier 1 analysts to handle the volume.
C.Implement automated playbooks for low-severity alerts to perform initial investigation and closure if benign.
D.Disable all low-severity alert rules in the EDR.
AnswerC

Reduces manual triage and allows analysts to focus on critical threats.

Why this answer

Option B is correct because automating playbooks for low-severity alerts reduces the workload on analysts and allows them to focus on high-severity alerts. Option A is expensive and does not address the root cause. Option C could miss important indicators that might escalate.

Option D would overload Tier 2 and worsen the bottleneck.

30
MCQeasy

A user reports that they received a suspicious email with an attachment claiming to be an invoice. What should the user do?

A.Report the email to the security team without opening the attachment
B.Reply to the email and ask for confirmation
C.Delete the email immediately
D.Open the attachment to check what it contains
AnswerA

This allows security to investigate safely.

Why this answer

Option A is correct because the user should immediately report the suspicious email to the security team without opening the attachment. Opening the attachment could trigger a malicious payload, such as a macro-enabled document or executable, that exploits vulnerabilities in the email client or operating system. The security team can analyze the email headers, attachment hash, and sender domain using tools like sandboxing or threat intelligence feeds to determine if it is a phishing attempt or malware delivery.

Exam trap

ISC2 often tests the misconception that deleting a suspicious email is sufficient, but the correct incident response procedure requires preserving evidence and reporting to the security team for analysis and containment.

How to eliminate wrong answers

Option B is wrong because replying to the email confirms the user's email address as active to the attacker, potentially leading to targeted follow-up attacks or social engineering. Option C is wrong because deleting the email immediately removes forensic evidence (e.g., email headers, attachment metadata) that the security team needs to investigate and block the threat across the organization. Option D is wrong because opening the attachment risks executing malware, such as ransomware or a trojan, that could compromise the user's endpoint and spread laterally within the network.

31
MCQhard

A security analyst reviews firewall logs and sees a series of outbound connections from an internal server to a known command-and-control (C2) IP address at regular intervals. Which step should the analyst take first according to incident response best practices?

A.Isolate the server from the network immediately.
B.Check if the IP address is associated with known malware or threats.
C.Quarantine the server and begin forensic analysis.
D.Terminate the outbound connections by blocking the IP.
AnswerB

First, validate the alert; then take containment actions.

Why this answer

First, verify the alert is not a false positive by checking threat intelligence. Immediately isolating the server (B) might be too aggressive if it's a false positive. Terminating (C) or quarantining (D) without confirmation can cause unnecessary disruption.

32
MCQeasy

Refer to the exhibit. Based on the log entries, what type of attack is most likely occurring?

A.Brute-force attack.
B.Dictionary attack.
C.Privilege escalation.
D.Denial of service.
AnswerB

Multiple usernames tried suggests a dictionary of common names.

Why this answer

The log entries show repeated failed login attempts using different usernames and passwords, which is characteristic of a dictionary attack where an attacker uses a list of common usernames and passwords to gain unauthorized access. Unlike a brute-force attack that tries all possible combinations, a dictionary attack uses a predefined list of likely credentials, making it more efficient and matching the pattern in the logs.

Exam trap

ISC2 often tests the distinction between a dictionary attack and a brute-force attack, where candidates mistakenly choose 'brute-force' because they see many failed logins, but the key is whether the attempts use a predefined list (dictionary) versus exhaustive character combinations (brute-force).

How to eliminate wrong answers

Option A is wrong because a brute-force attack systematically tries every possible combination of characters (e.g., aaa, aab, aac), which would generate a much higher volume of attempts and not be limited to a list of common words or names as seen in the logs. Option C is wrong because privilege escalation involves an attacker gaining higher-level permissions after initial access, not repeated login attempts from the start. Option D is wrong because a denial of service attack aims to overwhelm a system with traffic or requests to disrupt service, not to authenticate via repeated login attempts.

33
Multi-Selectmedium

Which TWO of the following are commonly used techniques to detect phishing emails? (Choose two.)

Select 2 answers
A.Scanning for specific file extensions.
B.Disabling automatic image loading.
C.Sandboxing email attachments in a secure environment.
D.Analyzing sender reputation and email headers.
E.Implementing DKIM and DMARC records.
AnswersC, D

Sandboxing can detect malicious attachments by executing them safely.

Why this answer

Sandboxing email attachments in a secure environment (Option C) is a common technique to detect phishing emails because it allows suspicious attachments to be executed and analyzed in an isolated virtual machine. This process observes the attachment's behavior for malicious activities, such as attempting to connect to a command-and-control server or dropping malware, without risking the actual endpoint. It is a core technology used in advanced email security gateways and threat intelligence platforms.

Exam trap

ISC2 often tests the distinction between email authentication protocols (DKIM/DMARC) and detection techniques, causing candidates to mistakenly select Option E as a detection method when it is actually a preventive authentication standard.

34
MCQmedium

During a phishing investigation, a security analyst identifies that an employee clicked a malicious link. The analyst isolates the workstation. What is the NEXT best step?

A.Capture a memory image of the workstation for analysis
B.Update the company's acceptable use policy
C.Notify all employees about phishing risks
D.Reimage the workstation
AnswerA

Memory forensics can reveal running malware.

Why this answer

After isolating the workstation, the next best step is to capture a memory image (RAM) to preserve volatile evidence such as running processes, network connections, and malware artifacts that would be lost on shutdown. This follows the order of volatility (RFC 3227) and is critical for forensic analysis to determine the scope of the compromise.

Exam trap

ISC2 often tests the order of volatility (RFC 3227) and the principle that volatile data (memory) must be captured before non-volatile data (disk), so the trap here is that candidates may choose to reimage the workstation immediately to 'clean' it, not realizing that destroys forensic evidence needed for attribution and prevention.

How to eliminate wrong answers

Option B is wrong because updating the acceptable use policy is a long-term administrative control, not an immediate incident response step; it does not preserve evidence or contain the threat. Option C is wrong because notifying all employees about phishing risks is a general awareness activity that should occur after the investigation, not before evidence is collected, and it could cause unnecessary panic or tip off an attacker. Option D is wrong because reimaging the workstation destroys all volatile and non-volatile evidence, making it impossible to perform a root-cause analysis or identify indicators of compromise (IOCs) that could prevent future incidents.

35
MCQeasy

A security operations team is implementing a new SIEM solution. They want to ensure that logs from all critical systems are collected and analyzed in real time. Which of the following is the MOST important consideration when designing the log collection architecture?

A.Ensure sufficient network bandwidth and storage capacity
B.Use a standardized log format for all systems
C.Encrypt all log transmissions in transit
D.Define a log retention policy of at least one year
AnswerA

Insufficient bandwidth can cause log loss, and inadequate storage can lead to data being overwritten before analysis.

Why this answer

The most critical factor in real-time log collection is ensuring that the network can handle the volume of log data without congestion and that storage can ingest and retain the data without dropping events. Without sufficient bandwidth, logs will be delayed or lost, defeating the purpose of real-time analysis. Storage capacity directly impacts the ability to retain and query logs for immediate and historical investigation.

Exam trap

ISC2 often tests the distinction between operational feasibility (bandwidth/storage) and security or compliance features, leading candidates to over-prioritize encryption or retention policies when the core requirement is real-time ingestion.

How to eliminate wrong answers

Option B is wrong because while a standardized log format (e.g., syslog, CEF, JSON) simplifies parsing, it is not the most important consideration for real-time collection; the SIEM can normalize diverse formats after ingestion. Option C is wrong because encrypting log transmissions in transit (e.g., TLS) is a security best practice but does not directly affect the feasibility of real-time collection; it adds overhead but is not the primary bottleneck. Option D is wrong because a log retention policy defines how long logs are kept, not how they are collected in real time; retention is a compliance and storage planning concern, not an architectural design priority for ingestion.

36
Multi-Selecteasy

A security analyst is reviewing event logs and notices multiple failed login attempts from a single IP address followed by a successful login. Which TWO actions should the analyst take next?

Select 2 answers
A.Disable the user account immediately.
B.Escalate to the incident response team.
C.Investigate the source IP address for malicious activity.
D.Block the IP address at the firewall.
E.Reset the password for the affected account.
AnswersB, C

Escalation ensures proper handling and coordination, especially if the incident indicates a broader attack.

Why this answer

Options B and E are correct. Investigating the source IP and escalating to the incident response team are appropriate first steps. Disabling the account or resetting the password may be necessary later but should be done after investigation.

Blocking the IP may be done but escalation is more critical.

37
MCQhard

A security analyst investigates a possible data exfiltration. The analyst sees a large amount of data being sent to an external IP address at regular intervals. Which of the following is the most likely technique being used?

A.DNS tunneling
B.SQL injection
C.Phishing
D.Man-in-the-middle
AnswerA

DNS tunneling encodes data in DNS requests, allowing stealthy exfiltration.

Why this answer

DNS tunneling encodes data within DNS queries and responses, allowing attackers to bypass network security controls by exfiltrating data through UDP port 53, which is often allowed through firewalls. The regular intervals of large data transfers to an external IP address are characteristic of a DNS tunnel, as the attacker segments data into multiple DNS queries to avoid detection.

Exam trap

ISC2 often tests DNS tunneling as a data exfiltration technique because candidates may overlook that DNS traffic is commonly allowed through firewalls, making it a stealthy channel compared to other attack methods.

How to eliminate wrong answers

Option B is wrong because SQL injection is an attack against a database via web application input fields, not a method for exfiltrating data over the network at regular intervals. Option C is wrong because phishing is a social engineering technique used to steal credentials or deliver malware, not a direct data exfiltration technique that sends large amounts of data to an external IP. Option D is wrong because a man-in-the-middle attack intercepts communications between two parties to eavesdrop or modify traffic, but it does not inherently involve sending large volumes of data to an external IP at regular intervals.

38
MCQeasy

A security operations center receives an alert that a workstation has been infected with ransomware. The infection is isolated to one machine. What is the first step in the containment phase of incident response?

A.Restore the workstation from a recent backup
B.Disconnect the workstation from the network
C.Reboot the workstation in safe mode
D.Run a full antivirus scan
AnswerB

Network isolation is the primary containment step to halt lateral movement.

Why this answer

The first step in the containment phase is to disconnect the workstation from the network. This immediately stops the ransomware from spreading laterally to other systems via SMB, RDP, or other network protocols. Containment prioritizes preventing further damage over remediation or analysis.

Exam trap

ISC2 often tests the distinction between containment and eradication/recovery phases, and the trap here is that candidates mistake a recovery action (restore from backup) or a detection action (antivirus scan) for the first containment step.

How to eliminate wrong answers

Option A is wrong because restoring from backup is a recovery-phase action, not a containment step; attempting recovery before containment risks re-infection if the ransomware is still active on the network. Option C is wrong because rebooting in safe mode may allow the ransomware to execute its payload during startup or trigger persistence mechanisms, and it does not stop network-based propagation. Option D is wrong because running a full antivirus scan is a detection/eradication step that can take significant time, during which the ransomware could encrypt additional shares or spread to other hosts.

39
MCQmedium

An organization is implementing a patch management program. Which of the following is the BEST approach to minimize risk while maintaining operational stability?

A.Skip patches that are not related to security.
B.Apply patches to all systems simultaneously.
C.Only patch systems that are internet-facing.
D.Deploy patches to a test environment before production.
AnswerD

Testing identifies compatibility issues before production deployment.

Why this answer

Option A is correct because testing patches in a staging environment reduces the chance of adverse impacts. Option B is risky without testing. Option C leaves many systems vulnerable.

Option D ignores important security patches.

40
MCQhard

You are a security analyst at a medium-sized company with 500 employees. The company uses a centralized log management system that collects logs from all servers and network devices. For the past week, you have noticed a pattern: every night at 2:00 AM, a series of failed login attempts occurs on the domain controller from an internal IP address (10.10.50.100). The attempts use the username "Administrator" and are always from the same workstation in the accounting department. The accounting department operates 9 AM to 6 PM, so no one is in the office at 2 AM. You have checked the workstation's physical security; it is in a locked office with access only by authorized accounting staff. The workstation is running Windows 10 with up-to-date antivirus and has no signs of compromise. You also checked the network switch logs and see that the workstation is connected to a specific port. You suspect the workstation might be compromised or being used remotely. What is the most appropriate next step?

A.Reimage the workstation with a clean OS image and reset all passwords.
B.Perform a forensic analysis of the workstation to identify any malware or remote access tools.
C.Increase the password complexity requirements for the domain.
D.Immediately block the IP address at the firewall and disable the administrator account.
AnswerB

Forensic analysis can uncover the source of the logins and determine if the workstation is truly compromised.

Why this answer

Option B is correct because the pattern of failed logins at 2 AM from a locked workstation with no signs of compromise strongly suggests a remote access tool (RAT) or hidden malware that is not detected by standard antivirus. Forensic analysis of the workstation is the most appropriate next step to identify the specific malware or remote access tool, its persistence mechanism, and the attacker's entry point, which is essential before taking any remediation actions. This aligns with the incident response process of identification and analysis before containment or eradication.

Exam trap

ISC2 often tests the candidate's ability to prioritize the incident response process; the trap here is that many candidates jump to containment (reimaging, blocking IP) or prevention (password complexity) without first performing forensic analysis to understand the scope and method of the compromise.

How to eliminate wrong answers

Option A is wrong because reimaging the workstation without first performing forensic analysis would destroy critical evidence needed to understand the attack vector, the malware's behavior, and the attacker's methods, potentially allowing the attacker to regain access through another compromised system. Option C is wrong because increasing password complexity does not address the root cause; the attacker is already using a valid username ('Administrator') and the failed logins are from a specific workstation, indicating a targeted attack rather than a brute-force password guessing issue. Option D is wrong because immediately blocking the IP address and disabling the administrator account is premature; the internal IP (10.10.50.100) belongs to a legitimate workstation, and disabling the account could disrupt business operations, while the attacker may have other access methods or accounts that would remain undetected.

41
Multi-Selectmedium

According to the NIST incident response lifecycle, which three phases are considered the core phases?

Select 3 answers
A.Root cause analysis
B.Containment, Eradication, and Recovery
C.Incident declaration
D.Detection and Analysis
E.Preparation
AnswersB, D, E

This phase focuses on stopping the incident and restoring operations.

Why this answer

The NIST incident response lifecycle (SP 800-61) defines four phases: Preparation, Detection and Analysis, Containment Eradication and Recovery, and Post-Incident Activity. The core phases that form the active response cycle are Preparation, Detection and Analysis, and Containment Eradication and Recovery. Option B correctly lists these three as the essential operational phases, while Post-Incident Activity is a follow-up phase.

Exam trap

ISC2 often tests the distinction between the core phases and sub-activities within them, so candidates mistakenly select root cause analysis or incident declaration as separate phases instead of recognizing they are tasks within the Post-Incident Activity or Detection and Analysis phases.

42
MCQeasy

A small business has a single server that hosts critical applications. The server's hard drive fails, and the most recent backup is 3 days old. The backup is stored on an external drive that is kept in the same room as the server. The server is also the domain controller and file server. After replacing the drive and restoring from backup, the IT administrator discovers that some user files are missing because they were created after the backup. The administrator needs to minimize data loss in the future. Which of the following should be implemented?

A.Use a cloud-based backup solution.
B.Perform daily backups and store them offsite.
C.Implement RAID 1 for disk redundancy.
D.Enable versioning on the file server.
AnswerA

Provides automated offsite backups with flexible scheduling, reducing data loss risk.

Why this answer

A cloud-based backup solution automatically stores backups offsite, ensuring that even if the local site is compromised or the backup drive fails, recent data is recoverable. This minimizes data loss by enabling more frequent backups (e.g., hourly or continuous) without relying on manual intervention or physical media rotation, directly addressing the 3-day gap in the scenario.

Exam trap

ISC2 often tests the distinction between high availability (RAID, redundancy) and backup/disaster recovery, leading candidates to mistakenly choose RAID 1 as a solution for data loss when it only protects against hardware failure, not data corruption or user error.

How to eliminate wrong answers

Option B is wrong because performing daily backups and storing them offsite still leaves a potential 24-hour data loss window, and the backup frequency (daily) does not address the need for more granular recovery of files created after the last backup. Option C is wrong because RAID 1 provides disk redundancy against a single drive failure but does not protect against data loss from accidental deletion, corruption, or the need to recover files created after a backup; it is not a backup solution. Option D is wrong because enabling versioning on the file server (e.g., Windows Previous Versions or Volume Shadow Copy) only protects against accidental modification or deletion of files that exist on the server, not against the loss of files that were created after the last backup and never existed in a previous version.

43
MCQmedium

During a security incident, the incident response team needs to preserve evidence for potential legal action. Which of the following is the most important action to take when collecting volatile data from a compromised server?

A.Capture the contents of RAM.
B.Make a bit-for-bit copy of all storage.
C.Create a forensic image of the hard drive.
D.Review system logs.
AnswerA

RAM is the most volatile data; it must be collected before power is removed.

Why this answer

Volatile data in RAM is lost when power is removed. Capturing RAM preserves evidence that might contain running processes, network connections, and encryption keys. Disk images are non-volatile and can be collected later.

44
Multi-Selectmedium

A SOC analyst is reviewing a security alert about a potential brute-force attack on the company's VPN server. The analyst sees multiple failed login attempts from different IP addresses within a short time frame. Which TWO actions should the analyst take to verify and respond to this incident? (Choose two.)

Select 2 answers
A.Implement an account lockout policy after a certain number of failed attempts
B.Review the VPN server logs for any successful logins following the failed attempts
C.Notify all users to change their passwords immediately
D.Block all source IP addresses that appeared in the failed attempts
E.Disable VPN access until the attack source is identified
AnswersA, B

Lockout policies mitigate brute-force attacks by limiting attempts.

Why this answer

Options B and C are correct. Checking the VPN server logs for successful logins after the attempts helps determine if the attack succeeded. Implementing account lockout policies is a preventive measure to slow down brute-force attacks.

Option A is wrong because blocking all IPs may include legitimate users. Option D is wrong because notifying all users is premature and may cause unnecessary alarm. Option E is wrong because disabling the VPN service would disrupt all remote access.

45
MCQmedium

A company's security operations center (SOC) receives an alert about suspicious outbound traffic from a server in the DMZ to an external IP address known for command-and-control activity. The SOC analyst reviews the logs and sees that the source port is 443 and the destination port is 8080. Which of the following actions should the analyst take FIRST?

A.Notify the incident response team and management immediately
B.Isolate the server from the network and investigate further
C.Block the external IP address at the firewall
D.Modify the firewall rule to deny all outbound traffic from the DMZ
AnswerB

Isolation contains the threat and allows forensic analysis without risk of further damage.

Why this answer

The SOC analyst should first isolate the server from the network because the outbound traffic from a DMZ server to a known C2 IP address, using source port 443 (HTTPS) to destination port 8080 (HTTP alternate), indicates a potential compromise. Isolating the server stops the data exfiltration and prevents further C2 communication, allowing for a controlled forensic investigation without alerting the attacker. This aligns with the NIST SP 800-61 incident response process, where containment is prioritized before eradication or recovery.

Exam trap

ISC2 often tests the candidate's ability to prioritize containment over notification or broad blocking, trapping those who confuse 'first action' with 'escalation' or who apply overly aggressive firewall changes without considering service impact.

How to eliminate wrong answers

Option A is wrong because notifying the incident response team and management immediately is premature; the analyst must first contain the threat by isolating the server to prevent further damage, as notification can occur after initial containment. Option C is wrong because blocking the external IP address at the firewall is a reactive measure that does not stop the compromised server from communicating with other C2 IPs or using different ports, and it may alert the attacker to change tactics. Option D is wrong because modifying the firewall rule to deny all outbound traffic from the DMZ would disrupt legitimate services hosted in the DMZ (e.g., web servers, mail relays) and is an overly broad, non-surgical response that violates the principle of least disruption.

46
MCQeasy

Which of the following is the primary purpose of a security information and event management (SIEM) system?

A.Enforce access control policies.
B.Replace the need for manual log review.
C.Prevent malware infections.
D.Correlate and analyze log data to detect incidents.
AnswerD

SIEMs collect and correlate logs for threat detection.

Why this answer

The primary purpose of a SIEM system is to aggregate, correlate, and analyze log data from multiple sources (e.g., firewalls, servers, IDS/IPS) in real time to detect security incidents. By applying correlation rules and analytics, SIEM identifies patterns or anomalies that indicate malicious activity, enabling security teams to respond promptly.

Exam trap

ISC2 often tests the distinction between a SIEM's core function (correlation and detection) and other security tools' roles (prevention, enforcement, or replacement of manual tasks), leading candidates to mistakenly choose 'replace manual log review' because they overlook the primary purpose of incident detection.

How to eliminate wrong answers

Option A is wrong because enforcing access control policies is the function of dedicated systems like firewalls, identity and access management (IAM) solutions, or directory services (e.g., Active Directory), not a SIEM, which focuses on log analysis and monitoring. Option B is wrong because while SIEM automates log analysis and reduces manual effort, its primary purpose is not simply to replace manual log review but to provide correlation and incident detection; manual review is still needed for validation and complex investigations. Option C is wrong because preventing malware infections is the role of endpoint protection platforms (EPP), antivirus software, or intrusion prevention systems (IPS); a SIEM detects signs of infection through log correlation but does not actively block malware.

47
MCQhard

A security analyst receives an alert from the SIEM indicating a potential data exfiltration event. The alert shows a large volume of data being transferred to an external IP address during non-business hours. What is the MOST appropriate immediate action?

A.Verify whether the transfer is authorized.
B.Call the employee who owns the server.
C.Disconnect the affected server from the network.
D.Run an antivirus scan on the server.
AnswerA

Verification ensures that action is based on confirmed facts.

Why this answer

Option D is correct because verifying the transfer's authorization prevents unnecessary disruption. Option A is too drastic without confirmation. Option B is not efficient and may tip off the user.

Option C does not address exfiltration.

48
Multi-Selecteasy

Which THREE of the following are common components of a disaster recovery plan?

Select 3 answers
A.Backup procedures
B.Restoration of operations in a secondary site
C.Password policy
D.Employee background checks
E.Business impact analysis
AnswersA, B, E

Backups are essential for restoring data after a disaster.

Why this answer

Backup procedures are a core component of a disaster recovery plan (DRP) because they ensure that critical data can be restored after a disruptive event. This includes defining backup frequency, storage locations (e.g., off-site or cloud), and the specific data to be backed up. Without documented backup procedures, recovery of systems and data would be uncoordinated and unreliable.

Exam trap

ISC2 often tests the distinction between disaster recovery components (backup, BIA, alternate sites) and general security controls (password policies, background checks), so candidates mistakenly include the latter because they are also part of overall security operations.

49
MCQhard

During a forensic investigation, the analyst needs to acquire a memory image from a live Windows system without altering evidence. Which tool is MOST appropriate?

A.Volatility
B.EnCase
C.dd
D.FTK Imager
AnswerD

FTK Imager can acquire memory live with low footprint.

Why this answer

Option C is correct because FTK Imager can acquire memory with minimal impact. Option A is for disk imaging. Option B is a GUI tool but may alter memory.

Option D is a volatility framework, not acquisition.

50
MCQhard

A SOC analyst is investigating a potential data exfiltration incident. The logs show that an internal user transferred a large volume of data to a cloud storage service using HTTPS. The analyst finds that the user's workstation has BitLocker Drive Encryption enabled, and the user has administrative privileges. Which of the following best describes the PRIMARY challenge in investigating this incident?

A.The user has administrative privileges, which could allow them to cover their tracks
B.The volume of data transferred makes it difficult to determine what was exfiltrated
C.The data was transferred over HTTPS, which cannot be decrypted by the SOC
D.BitLocker encryption prevents access to the hard drive for forensic analysis
AnswerA

Administrative access allows modification of logs, deletion of evidence, and use of tools to hide malicious activity.

Why this answer

The primary challenge is that administrative privileges allow the user to tamper with logs, disable security monitoring, or use tools to cover their tracks, making forensic reconstruction difficult. Even with BitLocker and HTTPS, the SOC can still analyze network logs and endpoint telemetry, but admin rights directly undermine the integrity of evidence on the workstation.

Exam trap

ISC2 often tests the misconception that encryption (BitLocker or HTTPS) is the primary obstacle, when in fact administrative privileges pose a greater threat to evidence integrity and investigation success.

How to eliminate wrong answers

Option B is wrong because the volume of data transferred does not inherently prevent analysis; network logs, file metadata, and cloud storage audit trails can still indicate what was exfiltrated. Option C is wrong because HTTPS traffic can be decrypted if the SOC has a proxy with TLS inspection or access to the client's private keys, and the question does not state that decryption is impossible. Option D is wrong because BitLocker encryption only protects data at rest; if the workstation is powered on and the user is logged in, the drive is accessible for live forensic analysis, and the SOC can also acquire memory dumps or use pre-boot authentication recovery methods.

51
Multi-Selecthard

Which THREE of the following are essential components of an incident response plan? (Select THREE.)

Select 3 answers
A.Preparation
B.Containment, Eradication, and Recovery
C.Business continuity plan activation
D.Detection and Analysis
E.Vulnerability scanning schedule
AnswersA, B, D

Preparation includes training and tools.

Why this answer

Preparation is the foundational phase of the NIST SP 800-61 incident response lifecycle, ensuring policies, tools, and trained personnel are in place before an incident occurs. Without preparation, subsequent phases like detection and containment cannot be executed effectively. The CC exam emphasizes that preparation includes establishing communication plans, acquiring forensic tools, and conducting tabletop exercises.

Exam trap

ISC2 often tests the distinction between incident response phases and adjacent operational processes (like BCP or vulnerability management) to see if candidates confuse proactive security tasks with the reactive incident response lifecycle.

52
MCQmedium

During a security incident, the incident response team isolates a compromised workstation from the network. What is the primary purpose of this action?

A.To prevent further damage.
B.To comply with legal requirements.
C.To preserve forensic evidence.
D.To allow normal operations to continue.
AnswerA

Containment stops the attack from spreading.

Why this answer

Isolating a compromised workstation by disconnecting it from the network (e.g., disabling its switch port or unplugging the Ethernet cable) immediately stops all inbound and outbound traffic. This containment action prevents the attacker from moving laterally to other systems, exfiltrating data, or deploying additional malware, thereby limiting the scope and impact of the incident.

Exam trap

ISC2 often tests the distinction between containment (stopping the spread) and eradication (removing the threat); the trap here is that candidates confuse the secondary benefit of preserving evidence (Option C) with the primary purpose of isolation, which is to prevent further damage.

How to eliminate wrong answers

Option B is wrong because legal compliance (e.g., data breach notification laws) is a procedural requirement that follows containment, not the primary technical goal of isolation. Option C is wrong because while isolation can help preserve evidence by preventing tampering, the primary purpose is containment; forensic preservation is a secondary benefit and is better achieved by creating a forensic image before disconnection. Option D is wrong because isolation actually disrupts normal operations for the affected workstation; the goal is to stop malicious activity, not to allow continued normal operations.

53
MCQeasy

You are an IT administrator for a small business. The company has a backup system that performs nightly full backups of critical servers to an external hard drive. One morning, a user reports that they accidentally deleted an important file from a shared drive. You need to restore the file from last night's backup. However, when you connect the external hard drive to the backup server, the drive is not recognized, and you hear clicking sounds. The backup software shows that the most recent backup job completed successfully with no errors. What is the most likely cause of the problem?

A.The external hard drive has suffered a mechanical failure.
B.The backup software did not actually write the data.
C.The file was not included in the backup job.
D.The backup server has a driver issue.
AnswerA

Clicking sounds are a common symptom of a damaged hard drive read/write head.

Why this answer

The clicking sound from the external hard drive is a classic symptom of a mechanical failure, typically caused by a stuck read/write head or a failing spindle motor. Since the backup software reported a successful completion, the data was likely written to the drive, but the drive's physical components have since failed, preventing the system from recognizing it. This is a hardware-level issue that cannot be resolved by software or driver updates.

Exam trap

ISC2 often tests the distinction between software-reported success and actual hardware integrity, trapping candidates who assume a successful backup log guarantees recoverable data without considering post-backup physical failure.

How to eliminate wrong answers

Option B is wrong because the backup software logged a successful completion with no errors, indicating that the write process finished without issues; if the data had not been written, the software would have reported a failure or incomplete job. Option C is wrong because the user reported the file was on a shared drive, and the backup job was configured to perform full backups of critical servers, which typically includes all files on those drives; there is no evidence that the file was excluded. Option D is wrong because a driver issue would prevent the drive from being recognized but would not cause clicking sounds; clicking is a mechanical noise, not a software or driver symptom.

54
MCQeasy

A security analyst notices repeated failed login attempts from a single IP address targeting multiple user accounts. Which security control should be implemented to mitigate this attack?

A.Implement account lockout after a threshold of failed attempts.
B.Enable single sign-on (SSO).
C.Require complex passwords.
D.Disable the accounts after one failed attempt.
AnswerA

Mitigates brute-force attacks by locking accounts after multiple failures.

Why this answer

Option A is correct because implementing an account lockout policy after a defined threshold of failed attempts (e.g., 5 failed attempts within 15 minutes) directly mitigates brute-force password guessing attacks from a single source. This control prevents an attacker from continuously trying different passwords across multiple accounts, effectively rate-limiting the attack at the authentication layer.

Exam trap

ISC2 often tests the distinction between preventive controls (like account lockout) and deterrent controls (like complex passwords), and the trap here is that candidates choose complex passwords because they think stronger passwords stop brute-force attacks, but they fail to recognize that unlimited attempts still allow eventual guessing regardless of password complexity.

How to eliminate wrong answers

Option B is wrong because single sign-on (SSO) centralizes authentication but does not prevent repeated failed login attempts; it may even increase the blast radius if the SSO provider is compromised. Option C is wrong because requiring complex passwords makes individual passwords harder to guess but does not stop an attacker from making unlimited login attempts; it addresses password strength, not attack frequency. Option D is wrong because disabling an account after a single failed attempt would cause massive denial of service for legitimate users due to typos or forgotten passwords, and it is not a standard security practice; account lockout requires a reasonable threshold to balance security and usability.

55
MCQmedium

Refer to the exhibit. A security analyst is reviewing firewall logs and notices repeated denied TCP packets from 192.0.2.10 to internal hosts. The packets are being denied by the access-group "OUTSIDE_IN". What is the most likely reason for these denials?

A.An external host is performing a port scan against internal systems.
B.The firewall is misconfigured and blocking legitimate traffic.
C.An internal host has been compromised and is exfiltrating data.
D.An external host is launching a denial-of-service (DoS) attack.
AnswerA

The sequential source ports and different destination ports across multiple hosts indicate a scan.

Why this answer

The repeated denied TCP packets from 192.0.2.10 (an external IP) to multiple internal hosts indicate a port scan. The access-group 'OUTSIDE_IN' is applied to the outside interface, and the firewall is denying these packets because they match a deny ACE (access control entry) that blocks unsolicited inbound traffic. This pattern of multiple denied connections from a single external source to different internal destinations is characteristic of a reconnaissance scan, not a DoS attack or data exfiltration.

Exam trap

ISC2 often tests the distinction between a port scan and a DoS attack, where candidates mistakenly choose DoS because they see 'repeated denied packets' without recognizing the pattern of multiple destinations versus a single target flood.

How to eliminate wrong answers

Option B is wrong because the firewall is correctly blocking unsolicited inbound traffic as per the configured access-group; there is no misconfiguration indicated—the denials are expected behavior for a security policy that denies inbound connections by default. Option C is wrong because data exfiltration originates from an internal host sending data outbound, not from an external host sending packets inbound; the source IP 192.0.2.10 is external, so this is not an internal compromise scenario. Option D is wrong because a denial-of-service (DoS) attack typically involves a high volume of traffic aimed at overwhelming a single target, not repeated denied packets to multiple internal hosts; the pattern here is more consistent with a scan (low rate, multiple destinations) rather than a flood.

56
MCQeasy

A security analyst notices repeated failed login attempts to a critical server from a single external IP address. Which immediate action should the analyst take?

B.Disable the server's network interface.
C.Block the IP address at the firewall.
D.Change the server's IP address.
AnswerC

Immediate containment of the attack source.

Why this answer

Blocking the IP address at the firewall is the immediate action because it stops the ongoing brute-force attack at the network perimeter without affecting the server's availability or internal operations. Firewall rules can be applied quickly using access control lists (ACLs) to deny traffic from the specific external IP, which is a standard first response to mitigate a single-source attack.

Exam trap

ISC2 often tests the distinction between immediate containment actions (like blocking an IP at the firewall) and long-term security improvements (like enabling 2FA), trapping candidates who confuse proactive hardening with reactive incident response.

How to eliminate wrong answers

Option A is wrong because enabling two-factor authentication (2FA) is a long-term security improvement that does not stop the current attack in progress; it requires configuration and user enrollment, leaving the server exposed during the delay. Option B is wrong because disabling the server's network interface would deny service to all legitimate users, causing a denial of service (DoS) and violating the principle of maintaining availability. Option D is wrong because changing the server's IP address is a reactive measure that does not prevent the attacker from scanning and finding the new IP, and it disrupts legitimate DNS and client connections without addressing the root cause.

57
MCQmedium

Refer to the exhibit. A security analyst reviews this log entry. What type of attack is most likely occurring?

A.Pass-the-hash attack
B.Brute-force attack
C.Password spraying attack
D.Kerberos ticket attack
AnswerB

Repeated failed attempts on the same account indicate brute-force.

Why this answer

The log entry shows repeated failed authentication attempts from a single source IP (10.10.10.10) against multiple usernames (admin, root, test) in a short time window. This pattern of systematically trying different credentials against a target system is characteristic of a brute-force attack, where an attacker iterates through possible username/password combinations to gain unauthorized access.

Exam trap

ISC2 often tests the distinction between brute-force and password spraying attacks, where the trap is that candidates confuse the target pattern—brute-force focuses on a single user with many passwords, while password spraying uses one password across many users.

How to eliminate wrong answers

Option A is wrong because a pass-the-hash attack involves capturing and reusing NTLM or LM password hashes from a compromised system, not repeated login attempts from a single source. Option C is wrong because a password spraying attack uses a single common password against many usernames across multiple accounts, not multiple passwords against a few usernames as shown in the log. Option D is wrong because a Kerberos ticket attack (e.g., Golden Ticket or Silver Ticket) exploits forged or stolen Kerberos TGTs or service tickets, not repeated authentication failures against local or network logins.

58
MCQeasy

An organization wants to ensure that critical security events are not missed during off-hours. What is the best practice?

A.Rely on automatic responses
B.Assign on-call duties only to senior analysts
C.Schedule nightly scans
D.Configure a central SIEM with 24/7 monitoring
AnswerD

SIEM provides continuous monitoring and alerting for critical events.

Why this answer

A central SIEM with 24/7 monitoring ensures that security events are continuously analyzed and alerted upon, even during off-hours. This is the best practice because it provides real-time correlation and escalation of critical events, preventing them from being missed. Relying on automatic responses or periodic scans lacks the human oversight needed for complex threat validation.

Exam trap

ISC2 often tests the distinction between proactive security measures (like scheduled scans) and reactive monitoring practices (like 24/7 SIEM analysis), leading candidates to confuse vulnerability management with real-time event detection.

How to eliminate wrong answers

Option A is wrong because automatic responses (e.g., playbooks or auto-blocking) can only handle predefined, low-complexity events and may miss novel or nuanced threats that require human analysis. Option B is wrong because assigning on-call duties only to senior analysts creates a single point of failure and burnout risk; a layered on-call rotation with all qualified staff is more sustainable. Option C is wrong because scheduling nightly scans (e.g., vulnerability scans) is a proactive measure for finding weaknesses, not a reactive practice for detecting and responding to real-time security events during off-hours.

59
MCQhard

A financial institution has a security operations center that monitors network traffic using a SIEM. The SIEM receives logs from all network devices, servers, and endpoints. One analyst notices an anomaly: a user account, 'jsmith', which is normally used during business hours (9 AM to 5 PM), has been logging in from a remote IP address at 2 AM every day for the past week. The logins are successful, and the user is accessing internal file shares. The user jsmith works in the accounting department and has access to sensitive financial reports. The analyst checks the user's workstation logs and finds that the workstation is powered off at the time of the remote logins. The company uses two-factor authentication, but the log entries show that only the password was used. Which of the following is the most likely explanation and the best immediate action?

A.The user is working overtime from home; no action needed
B.The two-factor authentication system is malfunctioning; reconfigure the 2FA server
C.The user's credentials have been stolen and are being used by an attacker; disable the account
D.The user's workstation is infected with a remote access trojan; run antivirus
AnswerC

This matches the indicators: off-hours, remote IP, no 2FA, workstation off.

Why this answer

The anomaly—successful logins at 2 AM from a remote IP while the user's workstation is powered off and only a password (bypassing 2FA) is used—strongly indicates credential theft and account takeover. The SIEM logs show authentication without the second factor, which means the attacker either obtained the password and bypassed 2FA (e.g., through a phishing attack that captured both factors or a session cookie) or the 2FA was not enforced for this specific remote login. Disabling the account immediately stops the unauthorized access to sensitive financial shares.

Exam trap

ISC2 often tests the distinction between a compromised account (where credentials are stolen and used remotely) and a compromised endpoint (where malware is present), and the trap here is that candidates may assume the user's workstation is infected (Option D) because the logins are successful, but the powered-off workstation proves the attacker is authenticating directly from a different device.

How to eliminate wrong answers

Option A is wrong because the workstation is powered off during the logins, so the user cannot be working from home; the remote logins are from an attacker. Option B is wrong because a 2FA malfunction would likely affect all users or generate error logs, not selectively allow only password-based logins for a single account at odd hours; the issue is credential compromise, not a system misconfiguration. Option D is wrong because the workstation is powered off, so a remote access trojan cannot be active on it; the attacker is logging in directly with stolen credentials, not via malware on the user's machine.

60
MCQeasy

An organization wants to ensure that system logs are tamper-proof after generation. Which control should be implemented?

A.Compress logs before archiving.
B.Use a write-once read-many (WORM) storage device.
C.Store logs on the local hard drive of each server.
D.Encrypt logs during transmission.
AnswerB

WORM devices ensure data cannot be overwritten or deleted.

Why this answer

Option C is correct because WORM storage prevents modification or deletion of logs. Option A local storage is not tamper-proof. Option B compression does not prevent tampering.

Option D encryption protects in transit but not at rest on the storage device.

61
Multi-Selecthard

A SOC analyst is investigating an incident where an employee's workstation was compromised via a phishing email. The analyst has captured the following indicators: the email originated from a known malicious domain, the attachment was a macro-enabled document, and the macro executed a PowerShell command that downloaded a payload from a remote server. Which TWO actions should the analyst take immediately as part of the incident response process? (Choose two.)

Select 2 answers
A.Contact law enforcement immediately.
B.Isolate the workstation from the network.
C.Analyze the macro code in a sandbox.
D.Block the malicious domain at the email gateway.
E.Delete the phishing email from all mailboxes.
AnswersB, D

Isolation contains the threat and prevents spread.

Why this answer

Option B is correct because isolating the workstation from the network is a critical containment step in incident response. It immediately stops the compromised system from communicating with the attacker's command-and-control server, preventing further data exfiltration or lateral movement. This aligns with the NIST SP 800-61 containment strategy, which prioritizes stopping the spread of an incident before deeper analysis.

Exam trap

ISC2 often tests the distinction between immediate containment actions (isolate, block at gateway) and later forensic or administrative steps (analyze macro, contact law enforcement, delete emails) to see if candidates understand the priority of stopping the threat first.

62
MCQhard

You are a security analyst investigating a potential insider threat incident. An employee from the finance department has been behaving suspiciously: printing large volumes of sensitive financial reports, accessing files outside their normal work hours, and attempting to bypass the company's data loss prevention (DLP) controls by renaming files before emailing them. The employee has been with the company for 10 years and has a clean record. The company's policy requires that any investigation be conducted discreetly to avoid alerting the employee. You need to gather evidence to confirm or refute the suspicion. Which of the following actions should you take FIRST?

A.Confront the employee directly to ask for an explanation.
B.Review the employee's system logs and DLP alerts in detail to establish a pattern.
C.Disable the employee's network access immediately to prevent data exfiltration.
D.Notify the employee's manager about the suspicion.
AnswerB

Logs provide objective data; this step is non-intrusive and evidence-gathering.

Why this answer

Option B is correct because the first step in any insider threat investigation is to gather and analyze available evidence discreetly, as required by policy. Reviewing system logs (e.g., Windows Event Logs, file server audit logs) and DLP alerts allows you to establish a behavioral pattern—such as anomalous access times, file rename operations, and email attachments—without alerting the employee. This evidence-based approach ensures you can confirm or refute the suspicion before taking any disruptive or confrontational actions.

Exam trap

ISC2 often tests the principle that investigative actions must be non-disruptive and evidence-driven first, tempting candidates to jump to containment (Option C) or escalation (Option D) before analysis.

How to eliminate wrong answers

Option A is wrong because confronting the employee directly violates the policy of conducting the investigation discreetly, may tip off a potential insider, and could lead to evidence tampering or escalation. Option C is wrong because immediately disabling network access is a reactive containment step that should only be taken after sufficient evidence is gathered; it also alerts the employee and may be premature if the behavior is benign. Option D is wrong because notifying the employee's manager without first establishing a pattern of suspicious activity could breach confidentiality, cause unnecessary alarm, and potentially compromise the investigation if the manager inadvertently alerts the employee.

63
MCQeasy

A security analyst receives an alert indicating multiple failed login attempts from a single IP address targeting a user account. Which action should the analyst take FIRST?

A.Disable the user account immediately
B.Verify the alert and check if the account is compromised
C.Escalate the alert to law enforcement
D.Block the IP address at the firewall
AnswerB

Verification ensures the alert is not a false positive.

Why this answer

Option B is correct because the first step in incident response is to validate the alert. The analyst must verify that the failed login attempts are not a false positive (e.g., a user mistyping their password) and then check if the account has been compromised by reviewing logs for successful logins from the same IP or anomalous behavior. Prematurely disabling the account or blocking the IP could disrupt legitimate access or alert an attacker, while escalation to law enforcement is premature without confirmation of a breach.

Exam trap

ISC2 often tests the principle that verification and analysis must precede any containment or eradication action, tempting candidates to jump to blocking the IP or disabling the account as a quick fix without confirming the alert's validity.

How to eliminate wrong answers

Option A is wrong because disabling the user account immediately without verifying the alert could lock out a legitimate user and does not address the root cause; the account may not be compromised. Option C is wrong because escalating to law enforcement is a drastic step that should only occur after confirming a security incident and following organizational policy, not as a first action. Option D is wrong because blocking the IP address at the firewall may be a reactive measure, but it could block a legitimate user (e.g., a shared IP) and does not confirm whether the account is compromised; verification must come first.

64
MCQmedium

An organization uses a SIEM to correlate logs from multiple sources. A rule triggers when a user logs in from two geographically distant locations within a short time. What type of attack does this rule primarily detect?

A.Denial of service attack
B.Brute-force attack
C.Credential theft or session hijacking
D.Man-in-the-middle attack
AnswerC

Logins from impossible travel locations indicate that credentials may be used by an attacker.

Why this answer

The SIEM rule detects impossible travel — a user authenticating from two geographically distant locations within a time window too short for physical travel. This behavior strongly indicates that an attacker has stolen the user's credentials (credential theft) or taken over an active session (session hijacking) and is using them from a different location. The SIEM correlates authentication logs (e.g., from Active Directory, VPN, or web apps) with geolocation data (IP-to-location mapping) to flag this anomaly.

Exam trap

ISC2 often tests the concept of 'impossible travel' as a specific indicator of credential theft or session hijacking, and candidates mistakenly associate any unusual login pattern with brute-force attacks, failing to recognize that brute-force focuses on failed attempts, not successful logins from distant locations.

How to eliminate wrong answers

Option A is wrong because a denial of service attack aims to overwhelm a system with traffic or requests, not to generate geographically disparate login events; the rule focuses on authentication patterns, not resource exhaustion. Option B is wrong because a brute-force attack involves repeated login attempts from a single or few IPs, not two successful logins from distant locations; the rule triggers on successful authentications, not failed attempts. Option D is wrong because a man-in-the-middle attack intercepts communications between two parties without necessarily producing distinct login events from two far-apart IPs; the rule detects post-compromise lateral movement or credential misuse, not active interception.

65
MCQmedium

A security operations center (SOC) analyst notices unusual outbound network traffic from a server that typically only receives connections. The traffic is encrypted and goes to an unknown external IP. Which step should the analyst perform FIRST?

A.Check the server's running processes and connections
B.Power off the server
C.Block the outbound traffic at the firewall
D.Notify the system owner
AnswerA

Local investigation helps confirm compromise.

Why this answer

Option D is correct because the analyst needs to gather more information before containing. Option A is too aggressive without confirmation. Option B is premature.

Option C is reactive but less critical than investigation.

66
MCQhard

An organization's backup strategy includes daily full backups and hourly incremental backups. During a restoration, they discover that a critical file was corrupted 6 hours ago. Which backup set is required for the restoration?

A.The most recent incremental backup only.
B.The most recent full backup only.
C.The most recent full backup plus the incremental backups from the last 6 hours.
D.The most recent full backup plus all incremental backups since.
AnswerC

Restores the state just before corruption.

Why this answer

The correct answer is C because restoring a file that was corrupted 6 hours ago requires the most recent full backup as the base, plus all incremental backups taken in the last 6 hours. Incremental backups only store changes since the last backup (full or incremental), so to reconstruct the file as it existed 6 hours ago, you need the full backup and every incremental backup from that point forward until the corruption time. Without all those increments, the file state cannot be fully reconstructed.

Exam trap

ISC2 often tests the misconception that only the most recent incremental backup is needed, or that all increments since the full backup are required, when in fact the correct set is determined by the specific point in time to which you are restoring.

How to eliminate wrong answers

Option A is wrong because an incremental backup alone contains only changes since the last backup, not the complete file data; without the full backup as a base, the file cannot be restored. Option B is wrong because the most recent full backup alone does not include changes made in the last 6 hours, so the file would be restored to its state at the time of the full backup, not 6 hours ago. Option D is wrong because it includes incremental backups taken after the corruption occurred (i.e., the last 6 hours plus later increments), which would overwrite the corrupted state with even newer changes, failing to restore the file to the exact point 6 hours ago.

67
MCQmedium

Refer to the exhibit. A security analyst sees these logs from a Linux server. Which security control should the analyst recommend to address this pattern?

A.Enable account lockout after 5 failed attempts.
B.Disable root login via SSH.
C.Block the IP address 192.168.1.100 via firewall.
D.Implement two-factor authentication for SSH access.
AnswerD

2FA prevents unauthorized access even if passwords are compromised.

Why this answer

The logs show repeated failed SSH login attempts from a single IP (192.168.1.100) targeting the root account, which is a classic brute-force attack pattern. Two-factor authentication (2FA) for SSH access is the most effective control because it adds a second authentication factor (e.g., TOTP or hardware token) that an attacker cannot bypass even if they guess the password, thus neutralizing the brute-force attack regardless of the number of attempts or the account targeted.

Exam trap

ISC2 often tests the distinction between reactive controls (like blocking an IP or locking an account) and proactive controls (like 2FA) that address the root cause of authentication attacks, leading candidates to pick a quick fix like IP blocking instead of the more robust security measure.

How to eliminate wrong answers

Option A is wrong because account lockout after 5 failed attempts would only lock the root account, but root is a privileged account that should never be locked out for administrative access; also, an attacker could simply switch to another username or wait for the lockout timer to expire. Option B is wrong because disabling root login via SSH does not prevent the attacker from trying other usernames (e.g., admin, user) or from continuing the brute-force attack against non-root accounts; the logs show the attack is against root, but the underlying brute-force pattern remains. Option C is wrong because blocking the IP address 192.168.1.100 via firewall is a reactive, static measure that only stops that specific IP; attackers often rotate IPs or use botnets, so this does not address the broader brute-force pattern and can be easily bypassed.

68
MCQhard

During a forensic investigation, an analyst acquires a live system memory dump. Which tool is most appropriate for capturing the contents of volatile memory on a Windows system?

A.DumpIt
B.Wireshark
C.FTK Imager
D.dd
AnswerA

DumpIt is designed specifically for capturing volatile memory on Windows systems.

Why this answer

DumpIt is a lightweight, standalone tool designed specifically for capturing the full contents of volatile memory (RAM) on a Windows system. It creates a raw memory dump file without requiring installation or complex configuration, making it ideal for forensic acquisition of live system memory.

Exam trap

ISC2 often tests the distinction between tools for capturing volatile memory versus non-volatile storage, and candidates may mistakenly choose FTK Imager because it is a well-known forensic suite, but it is not the primary tool for live memory acquisition on Windows.

How to eliminate wrong answers

Option B is wrong because Wireshark is a network protocol analyzer used for capturing and inspecting network traffic, not for acquiring system memory dumps. Option C is wrong because FTK Imager is primarily a disk imaging and forensic analysis tool; while it can capture a memory dump via a separate plugin (e.g., FTK Imager Lite), it is not the most appropriate or direct tool for live memory acquisition. Option D is wrong because dd is a Unix/Linux command-line utility for bit-for-bit disk cloning; it is not natively available on Windows and does not interface with Windows memory structures without additional drivers or wrappers.

69
Multi-Selecteasy

Which TWO of the following are best practices for password management in a corporate environment?

Select 2 answers
A.Store passwords in plaintext in a shared document.
B.Enforce password complexity requirements.
C.Prohibit password changes more than once per year.
D.Share passwords among team members for shared accounts.
AnswersB, E

Complex passwords are harder to guess or crack.

Why this answer

Option B is correct because enforcing password complexity requirements (e.g., minimum length, character types) reduces the risk of brute-force and dictionary attacks by increasing the effective keyspace. Option E is correct because multi-factor authentication (MFA) adds an additional layer of security beyond the password, mitigating credential theft or reuse. Together, they form a defense-in-depth approach to authentication security.

Exam trap

ISC2 often tests the misconception that frequent password changes improve security, but the CC exam expects candidates to know that NIST now recommends against mandatory periodic changes unless there is evidence of compromise, and that sharing passwords is never a best practice.

70
Multi-Selecthard

Which THREE are common indicators of a compromised system? (Select THREE.)

Select 3 answers
A.Unexpected software installations
B.Unusual outbound network connections
C.High CPU usage during business hours
D.System uptime greater than 30 days
E.Multiple failed login attempts leading to account lockout
AnswersA, B, E

Malware often installs without user consent.

Why this answer

Unexpected software installations are a common indicator of compromise because attackers often deploy malware, backdoors, or remote access tools (RATs) without user consent. In a CC context, this aligns with the principle that unauthorized software changes signal a breach, as legitimate installations typically follow change management processes. The presence of unknown executables or services in the system's process list or startup entries is a red flag.

Exam trap

ISC2 often tests the distinction between symptoms of normal operations (e.g., high CPU usage during business hours) and true indicators of compromise, tricking candidates into selecting benign metrics as signs of a breach.

71
MCQeasy

Refer to the exhibit. An AWS IAM policy is shown. Which action is permitted by this policy?

A.Upload objects to the bucket.
B.List all objects in the bucket.
C.Delete objects from the bucket.
D.Read objects from the bucket.
AnswerD

s3:GetObject allows reading (downloading) objects.

Why this answer

The IAM policy grants the `s3:GetObject` action, which allows reading objects from the specified S3 bucket. This action corresponds to downloading or retrieving the content of an object, making option D correct.

Exam trap

ISC2 often tests the distinction between read actions (`s3:GetObject`) and list actions (`s3:ListBucket`), trapping candidates who assume that reading objects also allows listing them.

How to eliminate wrong answers

Option A is wrong because uploading objects requires the `s3:PutObject` action, which is not listed in the policy. Option B is wrong because listing objects requires the `s3:ListBucket` action, which is not included in the policy. Option C is wrong because deleting objects requires the `s3:DeleteObject` action, which is absent from the policy.

72
MCQeasy

Which of the following is an example of a detective control?

A.Security awareness training
C.Encryption
D.Intrusion Detection System (IDS)
AnswerD

IDS monitors and detects potential security breaches.

Why this answer

Option A is correct because an Intrusion Detection System (IDS) detects and alerts on suspicious activity. Option B is a preventive control. Option C is a preventive control.

Option D is a directive control.

73
MCQmedium

A medium-sized company uses a SIEM solution to collect logs from firewalls, servers, and endpoints. The security team receives an alert indicating a possible data exfiltration: an employee's workstation is sending large amounts of data to an external IP address outside business hours. The employee works in the finance department and has access to sensitive financial records. The SIEM shows the connection is ongoing. The security team must respond immediately to contain the incident while preserving evidence. The company's incident response plan designates the security team as first responders. Which of the following is the BEST first action?

A.Block the external IP address at the firewall and disconnect the workstation from the network.
B.Notify the employee's manager and wait for further instructions.
C.Call the employee to ask if they are transferring files for a legitimate business purpose.
D.Take a forensic image of the workstation's hard drive before anything else.
AnswerA

Stops data exfiltration and isolates the system, following incident response best practices.

Why this answer

Option B is correct because it stops the data flow and isolates the system, containing the incident. Option A could tip off an attacker if malicious and delays containment. Option C is important but should be performed after containment to preserve evidence.

Option D delays response and may allow further damage.

74
Multi-Selecteasy

Which two of the following are common types of security controls?

Select 2 answers
A.Corrective
B.Preventative
C.Detective
D.Predictive
E.Reactive
AnswersB, C

Preventative controls block attacks before they occur.

Why this answer

Detective and Preventative controls are foundational security control categories. Corrective is also a category but not listed as one of the two most common; Reactive and Predictive are not standard categories.

75
MCQhard

You are the lead SOC analyst for a medium-sized financial services company. The company uses a hybrid infrastructure with on-premises servers and cloud services (AWS). The SIEM is Splunk Enterprise, collecting logs from firewalls, IDS/IPS, endpoints (Windows and Linux), and AWS CloudTrail. Recently, the company experienced a ransomware attack that encrypted critical file servers. The initial infection vector was a phishing email that led to the download of a malicious macro-enabled document. The document was executed on a Windows workstation, which then established a C2 connection to an external IP. The C2 traffic was over HTTPS, and the workstation was part of the domain. After the attack, the forensic team found that the workstation had Windows Event Logs cleared, and the local admin account had been used to disable the antivirus. The C2 IP was later blocked, but the ransomware had already spread to file servers via SMB. As part of the lessons learned, you need to recommend improvements to prevent and detect such attacks in the future. Which of the following is the BEST course of action to address the specific weaknesses exploited in this incident?

A.Increase the frequency of vulnerability scans and patch all systems within 24 hours of patch release.
B.Implement application whitelisting, disable macros by default, enforce strong local administrator passwords, and segment the network to restrict SMB traffic between workstations and servers.
C.Deploy additional IDS/IPS sensors and tune the SIEM to detect C2 traffic patterns.
D.Require multi-factor authentication (MFA) for all remote access and privileged account use.
AnswerB

These controls directly address the attack vectors: macro execution, local admin abuse, and lateral movement via SMB.

Why this answer

Option B directly addresses the attack chain: disabling macros by default prevents the initial infection vector, application whitelisting blocks unauthorized executables (including the ransomware), strong local admin passwords hinder credential abuse, and network segmentation restricts SMB lateral movement. This combination targets the specific weaknesses exploited (macro execution, antivirus disablement via local admin, and SMB propagation) rather than just detecting or patching after the fact.

Exam trap

ISC2 often tests the concept that prevention (whitelisting, macro control, segmentation) is more effective than detection (IDS/IPS tuning) or reactive measures (patching, MFA) when the attack chain exploits user behavior and local credentials, not external vulnerabilities.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning and patching do not prevent phishing-based macro execution or local admin abuse; the attack exploited user behavior and weak local credentials, not unpatched vulnerabilities. Option C is wrong because additional IDS/IPS and SIEM tuning for C2 traffic only improves detection, not prevention; the C2 traffic was over HTTPS (encrypted), making pattern detection difficult, and the ransomware had already spread before the C2 IP was blocked. Option D is wrong because MFA for remote access and privileged accounts does not address the local admin account used to disable antivirus on the workstation, nor does it prevent macro execution or SMB lateral movement within the internal network.

Page 1 of 2 · 128 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Security Operations questions.