Sample questions
Certified Information Systems Security Professional CISSP practice questions
A company recently suffered a data breach where an attacker was able to intercept network traffic and read sensitive data. Which network security control should be implemented to prevent this type of attack?
Trap 1: Network segmentation
Segmentation limits the blast radius but does not encrypt traffic; an attacker on the same segment could still intercept.
Trap 2: Intrusion prevention system (IPS)
IPS can detect and block certain attacks but does not encrypt traffic; prevention of interception requires encryption.
Trap 3: Strong password policies
Strong passwords authenticate users but do not protect data in transit from sniffing.
- A
Encryption at the network layer (e.g., IPsec)
IPsec encrypts IP packets, making intercepted data unreadable without decryption keys.
- B
Network segmentation
Why wrong: Segmentation limits the blast radius but does not encrypt traffic; an attacker on the same segment could still intercept.
- C
Intrusion prevention system (IPS)
Why wrong: IPS can detect and block certain attacks but does not encrypt traffic; prevention of interception requires encryption.
- D
Strong password policies
Why wrong: Strong passwords authenticate users but do not protect data in transit from sniffing.
Which TWO options are valid methods for providing confidentiality in network communications? (Choose two.)
Trap 1: SSH
SSH provides encryption for remote sessions, but it is a terminal protocol, not a general network security protocol like IPsec or TLS.
Trap 2: HMAC
HMAC provides integrity and authentication, not confidentiality.
Trap 3: AH in tunnel mode
AH does not encrypt; it only provides authentication and integrity.
- A
SSH
Why wrong: SSH provides encryption for remote sessions, but it is a terminal protocol, not a general network security protocol like IPsec or TLS.
- B
ESP in transport mode
ESP provides encryption, thus confidentiality.
- C
HMAC
Why wrong: HMAC provides integrity and authentication, not confidentiality.
- D
AH in tunnel mode
Why wrong: AH does not encrypt; it only provides authentication and integrity.
- E
TLS 1.3
TLS encrypts application data, providing confidentiality.
A network administrator is configuring switches to prevent VLAN hopping attacks. Which TWO of the following measures should be implemented?
Trap 1: Use private VLANs on all trunk ports.
Private VLANs isolate traffic within a VLAN but do not prevent VLAN hopping attacks.
Trap 2: Enable BPDU guard on all access ports.
BPDU guard protects against STP attacks, not VLAN hopping.
Trap 3: Implement port security on all access ports.
Port security limits MAC addresses per port but does not prevent VLAN hopping.
- A
Use private VLANs on all trunk ports.
Why wrong: Private VLANs isolate traffic within a VLAN but do not prevent VLAN hopping attacks.
- B
Set the native VLAN to an unused VLAN.
This prevents double-tagging attacks by ensuring the native VLAN is not used by any user traffic.
- C
Enable BPDU guard on all access ports.
Why wrong: BPDU guard protects against STP attacks, not VLAN hopping.
- D
Disable Dynamic Trunking Protocol (DTP) on trunk ports.
DTP can be exploited to negotiate trunks; disabling it prevents unauthorized trunk establishment.
- E
Implement port security on all access ports.
Why wrong: Port security limits MAC addresses per port but does not prevent VLAN hopping.
Which THREE of the following are common indicators of a privilege escalation attack? (Choose three.)
Trap 1: Higher-than-normal network traffic
More indicative of data exfiltration or C2.
Trap 2: System performance degradation
Too generic; can have many causes.
- A
Creation of new user accounts with administrative privileges
Often used to maintain persistence after escalation.
- B
Higher-than-normal network traffic
Why wrong: More indicative of data exfiltration or C2.
- C
System performance degradation
Why wrong: Too generic; can have many causes.
- D
Modification of system files or registry keys
Common after successful escalation to achieve persistence.
- E
Unusual processes running under elevated privileges
Could indicate exploitation of local privilege escalation.
A company uses a cloud storage service. Which asset security control is most important to prevent unauthorized access to data?
Trap 1: Logging and monitoring
Monitoring detects incidents but does not prevent them.
Trap 2: Periodic access reviews
Reviews ensure proper permissions but do not prevent initial unauthorized access.
Trap 3: Regular vulnerability scanning
Scanning identifies weaknesses but does not prevent access directly.
- A
Logging and monitoring
Why wrong: Monitoring detects incidents but does not prevent them.
- B
Encryption in transit and at rest
Encryption renders data unreadable without keys, preventing unauthorized access.
- C
Periodic access reviews
Why wrong: Reviews ensure proper permissions but do not prevent initial unauthorized access.
- D
Regular vulnerability scanning
Why wrong: Scanning identifies weaknesses but does not prevent access directly.
A multinational corporation is designing a data retention schedule. Which factor is most critical when determining retention periods for personal data subject to the GDPR?
Trap 1: The length of the third-party data processing agreement
The agreement term may affect retention but not the primary driver.
Trap 2: The cost of storage media
Cost is not a compliance factor; data must be retained for legal/regulatory reasons.
Trap 3: The duration of any pending legal holds
Legal holds may extend retention, but the base retention is determined by purpose.
- A
The length of the third-party data processing agreement
Why wrong: The agreement term may affect retention but not the primary driver.
- B
The purpose for which the data was collected
GDPR's storage limitation principle requires retention no longer than necessary for processing purposes.
- C
The cost of storage media
Why wrong: Cost is not a compliance factor; data must be retained for legal/regulatory reasons.
- D
The duration of any pending legal holds
Why wrong: Legal holds may extend retention, but the base retention is determined by purpose.
Refer to the exhibit. An organization uses this ACL on the external interface of a border router to control access to internal services. A security analyst discovered that an attacker from the Internet was able to SSH into the internal server at 192.168.1.100. Which of the following is the MOST likely reason for this security gap?
Exhibit
Access control list (ACL) extract from a Cisco router:
!
access-list 100 permit tcp 10.0.0.0 0.255.255.255 any eq 443
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.1.100 eq 22
access-list 100 deny tcp any host 10.0.0.1 eq 80
access-list 100 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group 100 in
!
Trap 1: The final permit ip any any rule allows all traffic, bypassing the…
The final rule permits all traffic not explicitly denied, but the SSH traffic is permitted earlier, so this is not the gap.
Trap 2: The ACL permits HTTP traffic to host 10.0.0.1 which could be used…
The HTTP rule denies traffic to 10.0.0.1 port 80, so it is not the cause.
Trap 3: The ACL is applied inbound on the external interface, so it should…
Inbound on the external interface, the ACL examines traffic coming into the interface from outside, so the permit rules apply to traffic originating from outside, which is the intended filter point.
- A
The final permit ip any any rule allows all traffic, bypassing the other rules
Why wrong: The final rule permits all traffic not explicitly denied, but the SSH traffic is permitted earlier, so this is not the gap.
- B
The ACL permits HTTP traffic to host 10.0.0.1 which could be used as a pivot
Why wrong: The HTTP rule denies traffic to 10.0.0.1 port 80, so it is not the cause.
- C
The ACL permits SSH from any source in 10.0.0.0/8 to the internal host, allowing an external attacker to spoof an internal IP
An attacker can spoof an IP address in the 10.0.0.0/8 range to bypass the ACL and SSH into the server.
- D
The ACL is applied inbound on the external interface, so it should block all external traffic, but the permit rules override
Why wrong: Inbound on the external interface, the ACL examines traffic coming into the interface from outside, so the permit rules apply to traffic originating from outside, which is the intended filter point.
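To see why the second entry is the gap, it helps to evaluate the exhibit's ACL the way the router does: top to bottom, first match wins, implicit deny at the end. The script below is an added example, not part of the question or of any vendor code; it transcribes the four entries from the exhibit and then tests a constructed packet whose source address is forged to lie in 10.0.0.0/8. The hardened variant, an assumption for this example rather than something shown on the page, prepends a BCP 38-style ingress anti-spoofing entry (`deny ip 10.0.0.0 0.255.255.255 any`) so that packets arriving from the Internet with an internal source are dropped before any permit is reached.

```python
import ipaddress

# The four ACL entries from the exhibit, transcribed as
# (action, protocol, source, destination, destination port).
# A Cisco wildcard of 0.255.255.255 on 10.0.0.0 is the 10.0.0.0/8 block;
# "any" is 0.0.0.0/0; "host X" is X/32; None means "any port".
EXHIBIT_ACL = [
    ("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443),
    ("permit", "tcp", "10.0.0.0/8", "192.168.1.100/32", 22),
    ("deny", "tcp", "0.0.0.0/0", "10.0.0.1/32", 80),
    ("permit", "ip", "0.0.0.0/0", "0.0.0.0/0", None),
]

# Hardened variant (an assumption for this example, not part of the exhibit):
# a BCP 38-style ingress anti-spoofing entry placed first, dropping any packet
# that arrives from the Internet while claiming an internal 10.0.0.0/8 source.
# Cisco equivalent: access-list 100 deny ip 10.0.0.0 0.255.255.255 any
HARDENED_ACL = [("deny", "ip", "10.0.0.0/8", "0.0.0.0/0", None)] + EXHIBIT_ACL


def evaluate(acl, proto, src, dst, dport):
    """Return 'permit' or 'deny' for one packet using first-match semantics.

    Entries are tested top to bottom; the first one whose protocol, source,
    destination and port all match decides. If nothing matches, the implicit
    deny at the end of every Cisco ACL applies.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for action, acl_proto, src_net, dst_net, port in acl:
        if acl_proto != "ip" and acl_proto != proto:
            continue
        if src_ip not in ipaddress.ip_network(src_net):
            continue
        if dst_ip not in ipaddress.ip_network(dst_net):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit deny


def spoofed_ssh_reaches_server(acl):
    """Does a TCP/22 packet with a forged 10.0.0.0/8 source (constructed test
    packet), arriving on the outside interface, get through to 192.168.1.100?"""
    return evaluate(acl, "tcp", "10.20.30.40", "192.168.1.100", 22) == "permit"


if __name__ == "__main__":
    print("exhibit ACL lets spoofed SSH through:", spoofed_ssh_reaches_server(EXHIBIT_ACL))
    print("hardened ACL lets spoofed SSH through:", spoofed_ssh_reaches_server(HARDENED_ACL))
```

The anti-spoofing entry shadows the exhibit's two permits for 10.0.0.0/8 sources, which is the intended effect on an Internet-facing interface: an internal source address should never legitimately arrive from outside, so those permits belong on an internal interface, not here.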
Refer to the exhibit. An IAM policy is attached to a user. What is the effective permission when the user attempts to read the object 'confidential/report.pdf'?
Exhibit
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::examplebucket/*"
},
{
"Effect": "Deny",
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/confidential/*"
}
]
}
Trap 1: Allowed because the resource match is broader in the Allow
The Deny is more specific and explicit; it overrides the Allow.
Trap 2: Allowed because the Allow statement grants GetObject
The Deny statement overrides the Allow for the confidential prefix.
Trap 3: Denied only if the user has no other Allow policies
The Deny is explicit, so it denies regardless of other policies.
- A
Denied because the Deny statement explicitly denies all actions on that path
Explicit Deny always takes precedence over any Allow.
- B
Allowed because the resource match is broader in the Allow
Why wrong: The Deny is more specific and explicit; it overrides the Allow.
- C
Allowed because the Allow statement grants GetObject
Why wrong: The Deny statement overrides the Allow for the confidential prefix.
- D
Denied only if the user has no other Allow policies
Why wrong: The Deny is explicit, so it denies regardless of other policies.
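The evaluation rule behind this answer (default deny, Allow grants, explicit Deny overrides every Allow) is small enough to model directly. The script below is an added example and not AWS code or any official evaluator; it embeds the exhibit's policy, adds a constructed second policy that allows everything, and shows that the confidential prefix stays denied even with that extra Allow in place. It models only Effect, Action and Resource with `*` wildcards; Condition, NotAction/NotResource, resource-based policies and permission boundaries are deliberately left out.

```python
import re

# The policy from the exhibit.
EXHIBIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::examplebucket/*"},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::examplebucket/confidential/*"},
    ],
}

# A second, very broad Allow policy (constructed for this example) to show
# that additional Allows elsewhere do not rescue a request hit by an explicit Deny.
BROAD_ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _wildcard_match(pattern, value):
    """IAM-style matching where '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Simplified IAM evaluation.

    Starts from an implicit deny, lets any matching Allow grant the request,
    and lets any matching explicit Deny override all Allows. Action names are
    compared case-insensitively, ARNs case-sensitively.
    """
    decision = "implicit deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_wildcard_match(a.lower(), action.lower())
                             for a in _as_list(stmt["Action"]))
            resource_hit = any(_wildcard_match(r, resource)
                               for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"  # nothing can override this
            decision = "allow"
    return decision


if __name__ == "__main__":
    bucket = "arn:aws:s3:::examplebucket/"
    for key in ("confidential/report.pdf", "public/report.pdf"):
        print(key, "->", evaluate([EXHIBIT_POLICY, BROAD_ALLOW_POLICY],
                                  "s3:GetObject", bucket + key))
```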
Which TWO of the following are considered the primary access control models in the context of the CISSP? (Select two.)
Trap 1: Role-Based Access Control (RBAC)
RBAC is a widely used model but not considered 'primary' in the same sense.
Trap 2: Attribute-Based Access Control (ABAC)
ABAC is a later model using attributes, not primary.
Trap 3: Risk-Based Access Control
Risk-based is an adaptive approach, not a classic model.
- A
Role-Based Access Control (RBAC)
Why wrong: RBAC is a widely used model but not considered 'primary' in the same sense.
- B
Mandatory Access Control (MAC)
MAC is the other primary model with system-enforced policies.
- C
Attribute-Based Access Control (ABAC)
Why wrong: ABAC is a later model using attributes, not primary.
- D
Discretionary Access Control (DAC)
DAC is one of the primary models where owners control access.
- E
Risk-Based Access Control
Why wrong: Risk-based is an adaptive approach, not a classic model.
A security analyst is reviewing an organization's password policy. Which THREE of the following are considered best practices for password security according to current NIST guidelines? (Select three.)
Trap 1: Require password changes every 30 days
NIST discourages mandatory periodic changes as they lead to weaker passwords.
Trap 2: Allow password hints
Password hints can be exploited and are not recommended.
- A
Enforce password history of 10
Password history prevents reuse of recent passwords.
- B
Require password changes every 30 days
Why wrong: NIST discourages mandatory periodic changes as they lead to weaker passwords.
- C
Allow password hints
Why wrong: Password hints can be exploited and are not recommended.
- D
Implement multi-factor authentication
MFA provides additional security beyond passwords.
- E
Use a minimum password length of 8
Length is a key factor; at least 8 characters is recommended.
A network engineer is configuring 802.1X authentication for wired network access. The authentication server supports EAP-TLS. What must be deployed to clients to support this authentication method?
Trap 1: Server certificate
Server certificate is required for the authentication server, but the client also needs a certificate for EAP-TLS.
Trap 2: RADIUS server
The RADIUS server is the authentication server itself, not a client requirement.
Trap 3: Shared secret
Shared secrets are used in EAP-MD5 or PEAP, not in EAP-TLS which uses certificates.
- A
Client certificate
EAP-TLS requires both client and server certificates for mutual authentication.
- B
Server certificate
Why wrong: Server certificate is required for the authentication server, but the client also needs a certificate for EAP-TLS.
- C
RADIUS server
Why wrong: The RADIUS server is the authentication server itself, not a client requirement.
- D
Shared secret
Why wrong: Shared secrets are used in EAP-MD5 or PEAP, not in EAP-TLS which uses certificates.
Which TWO of the following are common causes of network performance degradation that can be detected by network monitoring tools?
Trap 1: Incorrect default gateway
Incorrect default gateway breaks connectivity to remote networks but does not degrade performance locally.
Trap 2: High CPU utilization on routers
High CPU is a symptom of other issues, not a direct cause of network performance degradation.
Trap 3: DNS misconfiguration
DNS issues cause name resolution failures, not network throughput degradation.
- A
Incorrect default gateway
Why wrong: Incorrect default gateway breaks connectivity to remote networks but does not degrade performance locally.
- B
High CPU utilization on routers
Why wrong: High CPU is a symptom of other issues, not a direct cause of network performance degradation.
- C
Duplex mismatch on a link
Duplex mismatch causes collisions and retransmissions, significantly degrading performance.
- D
Excessive broadcast traffic
Broadcasts consume bandwidth and can cause performance degradation on the network.
- E
DNS misconfiguration
Why wrong: DNS issues cause name resolution failures, not network throughput degradation.
Which TWO are common techniques to defend against VLAN hopping attacks? (Choose two.)
Trap 1: Enable BPDU Guard
BPDU Guard protects against STP attacks, not VLAN hopping.
Trap 2: Use Private VLANs
Private VLANs limit traffic within a broadcast domain but don't prevent trunk attacks.
Trap 3: Enable Port Security
Port security limits MAC addresses but does not prevent VLAN hopping.
- A
Disable DTP
DTP can be exploited to negotiate a trunk, enabling hopping.
- B
Enable BPDU Guard
Why wrong: BPDU Guard protects against STP attacks, not VLAN hopping.
- C
Use Private VLANs
Why wrong: Private VLANs limit traffic within a broadcast domain but don't prevent trunk attacks.
- D
Enable Port Security
Why wrong: Port security limits MAC addresses but does not prevent VLAN hopping.
- E
Set access ports as static VLAN
Static access ports do not negotiate trunks, reducing hopping risk.
An organization is implementing IPsec VPN tunnels between multiple branch offices and the main office. The security team notices that the VPN tunnels are established successfully but no traffic passes through. Which of the following is the most likely cause?
Trap 1: Certificates expired
Expired certificates would cause authentication failure during Phase 1, preventing tunnel establishment.
Trap 2: Mismatched encryption algorithm
Encryption algorithm mismatch would also prevent tunnel establishment, typically causing Phase 2 failure.
Trap 3: Mismatched IKE version
IKE version mismatch would prevent Phase 1 from completing; the tunnel would not be established.
- A
Certificates expired
Why wrong: Expired certificates would cause authentication failure during Phase 1, preventing tunnel establishment.
- B
Mismatched encryption algorithm
Why wrong: Encryption algorithm mismatch would also prevent tunnel establishment, typically causing Phase 2 failure.
- C
Incorrect routing entries in the VPN routing table
If routes are missing or misconfigured, traffic will not be forwarded into the tunnel even though the tunnel is operational.
- D
Mismatched IKE version
Why wrong: IKE version mismatch would prevent Phase 1 from completing; the tunnel would not be established.
Refer to the exhibit. A security team is reviewing switch configurations and notices that the native VLAN is set to VLAN 10. An attacker on an access port in VLAN 10 sends a frame with a VLAN tag of VLAN 20 inside another frame. Which type of attack does this configuration make possible?
Exhibit
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 1-100,110-200
Trap 1: DHCP starvation
DHCP starvation exhausts IP addresses; not related to VLAN hopping.
Trap 2: ARP spoofing
ARP spoofing manipulates ARP tables; not related to VLAN tagging.
Trap 3: MAC flooding
MAC flooding attempts to overflow the CAM table, not related to native VLAN manipulation.
- A
DHCP starvation
Why wrong: DHCP starvation exhausts IP addresses; not related to VLAN hopping.
- B
VLAN hopping via double tagging
Double tagging is possible when the native VLAN is used on trunk ports; the attacker can send frames with two tags to hop VLANs.
- C
ARP spoofing
Why wrong: ARP spoofing manipulates ARP tables; not related to VLAN tagging.
- D
MAC flooding
Why wrong: MAC flooding attempts to overflow the CAM table, not related to native VLAN manipulation.
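The VLAN hopping questions on this page (disabling DTP, static access ports, moving the native VLAN to an unused VLAN) all come down to a handful of lines in the switch configuration, so a configuration audit is the practical way to check them. The script below is an added example, not code from the page or from any vendor; it parses Cisco-style interface stanzas and reports trunks that still negotiate via DTP, trunks whose native VLAN is the default or is also carried as a tagged user VLAN (the exhibit's case), and ports whose mode is left dynamic. The hardened stanza it compares against is an assumption written for this example: `switchport nonegotiate`, native VLAN 999 kept out of the allowed list, and an access port pinned to a static VLAN.

```python
import re

# Trunk interface from the exhibit: native VLAN 10 also sits inside the
# allowed range 1-100, so user traffic on VLAN 10 rides untagged on the trunk.
EXHIBIT_CONFIG = """
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 1-100,110-200
"""

# Hardened configuration (assumed for this example, not from the page): DTP off,
# native VLAN moved to an otherwise unused VLAN that is not in the allowed
# list, and an access port pinned to a static VLAN.
HARDENED_CONFIG = """
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
"""


def parse_vlan_list(spec):
    """Expand a Cisco VLAN list such as '1-100,110-200' into a set of ints."""
    if spec == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Group stripped config lines under their 'interface <name>' header."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit(config):
    """Return (interface, finding) pairs describing VLAN hopping exposure."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode is None or mode.startswith("dynamic"):
            findings.append((name, "port mode not pinned; DTP may negotiate a trunk"))
            continue
        if mode != "trunk":
            continue  # static access port: no trunk to hop onto
        if "switchport nonegotiate" not in lines:
            findings.append((name, "DTP not disabled (missing 'switchport nonegotiate')"))
        native, allowed = 1, set(range(1, 4095))  # Cisco defaults
        for l in lines:
            m = re.match(r"switchport trunk native vlan (\d+)$", l)
            if m:
                native = int(m.group(1))
            m = re.match(r"switchport trunk allowed vlan (\S+)$", l)
            if m:
                allowed = parse_vlan_list(m.group(1))
        if native == 1:
            findings.append((name, "native VLAN left at default 1"))
        if native in allowed:
            findings.append((name, f"native VLAN {native} also carries user traffic; "
                                   "move the native VLAN to an unused VLAN"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(EXHIBIT_CONFIG):
        print(f"{iface}: {finding}")
```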
A security engineer is troubleshooting a site-to-site IPsec VPN between two firewalls. The tunnel status shows Phase 1 is up but Phase 2 is not. Which of the following is the most likely cause?
Trap 1: Incorrect pre-shared key
Incorrect pre-shared key would cause Phase 1 to fail, not Phase 2.
Trap 2: Mismatched authentication algorithm
Mismatched authentication algorithm would also cause Phase 1 to fail.
Trap 3: Firewall rule blocking IKE traffic
If IKE were blocked, Phase 1 would not establish.
- A
Incorrect pre-shared key
Why wrong: Incorrect pre-shared key would cause Phase 1 to fail, not Phase 2.
- B
Mismatched authentication algorithm
Why wrong: Mismatched authentication algorithm would also cause Phase 1 to fail.
- C
Firewall rule blocking IKE traffic
Why wrong: If IKE were blocked, Phase 1 would not establish.
- D
Mismatched proxy IDs (traffic selectors)
Proxy IDs define which traffic should be encrypted; if they don't match, Phase 2 fails.
A switch port is configured with port security that allows only one MAC address. The help desk reports that a user's device cannot connect after a laptop is replaced. What should the network administrator do to resolve the issue?
Trap 1: Disable port security
Disabling port security removes the protection entirely.
Trap 2: Shut down the port and re-enable
This may not clear the learned MAC; it only resets the link.
Trap 3: Change the port security to sticky MAC
Sticky MAC converts dynamically learned addresses to static, not resolving the current issue.
- A
Clear the port security counters
Clearing the counters removes the existing MAC address, allowing the new one to be learned.
- B
Disable port security
Why wrong: Disabling port security removes the protection entirely.
- C
Shut down the port and re-enable
Why wrong: This may not clear the learned MAC; it only resets the link.
- D
Change the port security to sticky MAC
Why wrong: Sticky MAC converts dynamically learned addresses to static, not resolving the current issue.
A company has multiple offices connected via a WAN. They want to ensure that all traffic between offices is encrypted and authenticated. Which technology is most appropriate?
Trap 1: MPLS
MPLS is a label-switching technology that does not provide encryption.
Trap 2: DMVPN
DMVPN is a specific implementation of IPsec VPN but is not the most basic technology.
Trap 3: SSL VPN
SSL VPN is designed for remote user access, not site-to-site.
- A
MPLS
Why wrong: MPLS is a label-switching technology that does not provide encryption.
- B
DMVPN
Why wrong: DMVPN is a specific implementation of IPsec VPN but is not the most basic technology.
- C
SSL VPN
Why wrong: SSL VPN is designed for remote user access, not site-to-site.
- D
IPsec VPN
IPsec VPN is the standard for site-to-site encryption and authentication.
In a software-defined network (SDN) architecture, the control plane is separated from the data plane. A network administrator is troubleshooting packet forwarding delays. Which plane is directly responsible for forwarding packets?
Trap 1: Application plane
Delivers network services, not packet forwarding.
Trap 2: Control plane
Makes forwarding decisions but does not forward packets.
Trap 3: Management plane
Handles monitoring and configuration, not forwarding.
- A
Data plane
Directly responsible for forwarding packets based on flow tables.
- B
Application plane
Why wrong: Delivers network services, not packet forwarding.
- C
Control plane
Why wrong: Makes forwarding decisions but does not forward packets.
- D
Management plane
Why wrong: Handles monitoring and configuration, not forwarding.
A security engineer notices that the IKE phase 1 lifetime is set to 3600 seconds. What is a potential security implication?
Exhibit
Refer to the exhibit. The following output is from a Cisco router:
crypto isakmp policy 10
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
Trap 1: Longer lifetimes reduce rekeying overhead
This is true, but the question asks about a security implication of the short lifetime.
Trap 2: Shorter lifetimes increase performance
Shorter lifetimes increase CPU usage due to frequent rekeying.
Trap 3: The lifetime should be at least 86400 seconds
There is no mandatory minimum; 3600 seconds is acceptable, it simply rekeys more often.
- A
Longer lifetimes reduce rekeying overhead
Why wrong: This is true, but the question asks about a security implication of the short lifetime.
- B
Shorter lifetimes increase performance
Why wrong: Shorter lifetimes increase CPU usage due to frequent rekeying.
- C
Short lifetimes may cause frequent reauthentication and potential disruption
Frequent rekeying increases overhead and risk of disruption if rekey fails.
- D
The lifetime should be at least 86400 seconds
Why wrong: There is no mandatory minimum; 3600 seconds is acceptable, it simply rekeys more often.
A network administrator has configured private VLANs on a switch. The host in this port is part of PVLAN 100, and its associated secondary PVLAN is 200. What is the expected behavior for traffic from this host to other hosts in the same primary VLAN 100?
Exhibit
Refer to the exhibit. The following is a configuration snippet from a network device:
interface GigabitEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
Trap 1: It cannot communicate with any other host
It can communicate with the promiscuous port.
Trap 2: It can communicate only with other hosts in the same secondary VLAN…
Host ports in private VLANs cannot communicate with other host ports, regardless of secondary VLAN.
Trap 3: It can communicate with all hosts in primary VLAN 100
Private VLANs isolate host ports from each other.
- A
It cannot communicate with any other host
Why wrong: It can communicate with the promiscuous port.
- B
It can communicate only with other hosts in the same secondary VLAN 200
Why wrong: Host ports in private VLANs cannot communicate with other host ports, regardless of secondary VLAN.
- C
It can communicate with the promiscuous port only
Private VLAN host ports can only communicate with the promiscuous port in the same primary VLAN.
- D
It can communicate with all hosts in primary VLAN 100
Why wrong: Private VLANs isolate host ports from each other.
Which three BGP security mechanisms help protect against route hijacking? (Choose THREE.)
Trap 1: BGP Flowspec
Used for traffic filtering and DDoS mitigation.
Trap 2: BGP MED attribute
Influences inbound path selection, not security.
- A
Resource Public Key Infrastructure (RPKI)
Validates the origin AS of IP prefixes.
- B
BGP Flowspec
Why wrong: Used for traffic filtering and DDoS mitigation.
- C
Prefix filtering on edge routers
Blocks unauthorized route announcements.
- D
BGP MED attribute
Why wrong: Influences inbound path selection, not security.
- E
MD5 authentication between BGP peers
Ensures secure BGP session between neighbors.
Refer to the exhibit. Which security model does this policy enforce?
Exhibit
The TSF shall enforce the Access Control SFP on all subjects and objects covered by the following rules: (a) Subjects with a security level less than the object's security level are denied read access. (b) Subjects with a security level greater than the object's security level are denied write access.
Trap 1: Biba
Biba enforces no read down and no write up.
Trap 2: Brewer-Nash
Brewer-Nash prevents conflict of interest, not the stated rules.
Trap 3: Clark-Wilson
Clark-Wilson focuses on integrity through transformation procedures and constrained data items.
- A
Biba
Why wrong: Biba enforces no read down and no write up.
- B
Brewer-Nash
Why wrong: Brewer-Nash prevents conflict of interest, not the stated rules.
- C
Bell-LaPadula
Correct. BLP enforces no read up and no write down.
- D
Clark-Wilson
Why wrong: Clark-Wilson focuses on integrity through transformation procedures and constrained data items.
Refer to the exhibit. A security analyst finds these logs on a Linux server. What is the most likely cause of these events?
Exhibit
Feb 10 10:23:45 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Feb 10 10:23:48 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Feb 10 10:23:50 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Trap 1: The root account is disabled
If disabled, attempts would not generate failure logs as shown.
Trap 2: The firewall is blocking port 22
If blocked, the connection would not reach sshd.
Trap 3: The SSH service is not running
If not running, there would be no sshd process to log.
- A
The root account is disabled
Why wrong: If disabled, attempts would not generate failure logs as shown.
- B
The firewall is blocking port 22
Why wrong: If blocked, the connection would not reach sshd.
- C
A brute-force attack is in progress
Correct. Repeated failed passwords from the same IP indicate brute-force.
- D
The SSH service is not running
Why wrong: If not running, there would be no sshd process to log.
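The reasoning in this answer (several failed logins from one source in a short span) is exactly what a detection rule encodes. The script below is an added example, not part of the question and not from any SIEM product; it parses the three sshd lines from the exhibit plus two constructed lines (a successful key login from another host, and an isolated failure for an invalid user) and raises an alert for any source that accumulates `threshold` failures inside a sliding time window. The threshold and 60-second window are illustrative values chosen for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The three sshd lines from the exhibit, followed by two constructed lines so the
# window logic has events it must ignore.
LOG_LINES = [
    "Feb 10 10:23:45 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2",
    "Feb 10 10:23:48 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2",
    "Feb 10 10:23:50 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2",
    # constructed: a normal key-based login from a different host
    "Feb 10 10:24:02 server sshd[1301]: Accepted publickey for deploy from 192.168.1.50 port 52110 ssh2",
    # constructed: a single failure, well outside the window, for a non-existent user
    "Feb 10 10:31:15 server sshd[1377]: Failed password for invalid user admin from 192.168.1.77 port 40022 ssh2",
]

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for every failed-password line."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            # Classic syslog timestamps carry no year; strptime fills in 1900,
            # which is fine for measuring gaps within one log.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")


def detect_bruteforce(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {source_ip: peak failures seen inside one window} for sources
    that reach the threshold; sources that never reach it are absent."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    alerts = {}
    for ts, ip, _user in sorted(parse_failures(lines)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts


if __name__ == "__main__":
    for ip, count in detect_bruteforce(LOG_LINES).items():
        print(f"possible brute force from {ip}: {count} failures within 60s")
```

A production rule would usually key on the username as well (password spraying looks different from a single-account brute force) and would read the year from a structured log source such as journald, but the sliding-window core is the same.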