Certified Information Systems Security Professional CISSP (CISSP) — Questions 175

529 questions total · 8pages · All types, answers revealed

Page 1 of 8

Page 2
1
MCQhard

During an incident response, the team identifies that the attacker gained access through a compromised service account with domain admin privileges. Which of the following steps should be taken FIRST to contain the incident?

A.Isolate all affected systems from the network.
B.Reset all user passwords.
C.Perform a full forensic analysis before any action.
D.Disable the compromised account and revoke its tokens.
AnswerD

Directly removes the attacker's foothold.

Why this answer

Disabling the compromised account and revoking its tokens (e.g., Kerberos TGTs via `Set-ADAccountControl -Disable` and clearing cached tickets) immediately stops the attacker's current authentication and lateral movement capabilities. This is the fastest containment step because the service account with Domain Admin privileges is the direct vector; isolating systems or resetting all passwords is slower and may not address active token reuse.

Exam trap

ISC2 often tests the principle that containment must be immediate and targeted; candidates mistakenly choose isolation or forensic analysis first, forgetting that the compromised account is the root cause and that tokens can outlive password resets.

How to eliminate wrong answers

Option A is wrong because isolating all affected systems can disrupt business operations and may not stop the attacker if they have already established persistence via the compromised account or tokens on other systems. Option B is wrong because resetting all user passwords is a broad, time-consuming step that does not immediately revoke the attacker's active Kerberos tickets or NTLM hashes for the compromised service account, leaving a window for continued access. Option C is wrong because performing a full forensic analysis before any action violates the incident response priority of containment over evidence preservation; the attacker could cause further damage or destroy evidence during the delay.

2
MCQeasy

An organization wants to ensure that only devices that meet security policies can connect to the network. Which technology should be deployed?

A.Firewall
B.SIEM
C.IDS
D.NAC
AnswerD

NAC controls network access based on device compliance.

Why this answer

Network Access Control (NAC) is the correct technology because it enforces security policies by assessing the compliance of devices (e.g., patch level, antivirus status, OS version) before granting network access. NAC can quarantine non-compliant devices, redirect them to a remediation network, or block them entirely, ensuring only authorized and policy-compliant endpoints connect.

Exam trap

The trap here is confusing NAC with a firewall or IDS, as candidates often think a firewall's access control lists (ACLs) are sufficient for device compliance, but NAC specifically performs pre-admission posture checking that firewalls cannot do.

How to eliminate wrong answers

Option A is wrong because a firewall controls traffic between network segments based on IP addresses, ports, and protocols, but it does not assess the security posture of individual devices before allowing them onto the network. Option B is wrong because a Security Information and Event Management (SIEM) system collects and analyzes logs from various sources for threat detection and incident response, but it does not enforce pre-connection device compliance. Option C is wrong because an Intrusion Detection System (IDS) monitors network traffic for malicious activity and alerts administrators, but it cannot block or conditionally allow devices based on security policy checks at the point of connection.

3
Matchingmedium

Match each security control to its category (preventive, detective, corrective).

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Preventive

Detective

Corrective

Preventive

Detective

Why these pairings

Controls are classified by their function in security management.

4
MCQmedium

A SOC analyst receives an alert for a high number of outbound connections to a known malicious IP. Which action should be taken first?

A.Notify management
B.Block the IP at the firewall
C.Run an antivirus scan
D.Isolate the affected host
AnswerD

Prevents further data exfiltration and contains the threat.

Why this answer

Option A is correct because isolating the host prevents further data exfiltration and allows for safe investigation. Blocking the IP may stop the traffic but the host remains compromised. Antivirus and notification are secondary steps.

5
MCQmedium

A financial institution is implementing a data loss prevention (DLP) solution to protect customer financial information. The DLP system must detect and block the transmission of credit card numbers via email. Which of the following is the BEST approach to ensure accurate detection while minimizing false positives?

A.Apply a regular expression that validates the Luhn algorithm in addition to pattern matching
B.Hash all outbound emails and compare against a database of known credit card hashes
C.Use a simple regular expression matching patterns like '\d{4}-\d{4}-\d{4}-\d{4}'
D.Rely on machine learning classifiers trained on past credit card data
AnswerA

Combining regex with Luhn check reduces false positives by verifying the mathematical validity of the number.

Why this answer

Option A is correct because combining a regular expression for credit card number patterns with Luhn algorithm validation significantly reduces false positives. The Luhn algorithm checks the mathematical validity of the number (e.g., checksum), ensuring that random digit sequences matching the pattern are not flagged as credit card numbers. This dual-layer approach is a standard DLP best practice for accurately detecting sensitive data like credit card numbers.

Exam trap

The trap here is that candidates may choose option C, thinking simple pattern matching is sufficient, but they overlook the need for Luhn validation to avoid false positives from non-credit-card digit sequences.

How to eliminate wrong answers

Option B is wrong because hashing outbound emails and comparing against a database of known credit card hashes is impractical; credit card numbers are unique per transaction and not pre-known, and hashing prevents detection of previously unseen numbers. Option C is wrong because using a simple regular expression like '\d{4}-\d{4}-\d{4}-\d{4}' will generate many false positives by matching any 16-digit sequence (e.g., phone numbers, order IDs) without validating the number's structure or checksum. Option D is wrong because machine learning classifiers trained on past credit card data require extensive labeled datasets and may still produce high false positive rates or miss novel patterns, and they lack the deterministic validation that Luhn provides.

6
MCQmedium

A multinational corporation is evaluating risk treatment options for a identified high-impact, low-probability risk. The risk is below the organization's risk appetite threshold. Which is the most appropriate action?

A.Mitigate the risk
B.Transfer the risk via insurance
C.Avoid the risk by discontinuing the activity
D.Accept the risk
AnswerD

Risk that falls below the risk appetite can be accepted without further action.

Why this answer

Since the risk is within the risk appetite, acceptance is the most efficient and appropriate response. Transferring, mitigating, or avoiding would consume resources unnecessarily for a risk that is already tolerated.

7
Matchingmedium

Match each cryptographic algorithm to its type.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Symmetric block cipher

Asymmetric (public-key) cipher

Hash function

Keyed-hash message authentication code

Elliptic curve digital signature algorithm

Why these pairings

These algorithms are used for encryption, hashing, and authentication.

8
MCQmedium

Refer to the exhibit. Which access control model is described?

A.Mandatory Access Control (MAC)
B.Discretionary Access Control (DAC)
C.Role-Based Access Control (RBAC)
D.Attribute-Based Access Control (ABAC)
AnswerA

MAC enforces clearance and need-to-know, as described.

Why this answer

The exhibit describes a system where access decisions are based on security labels (e.g., classification levels like Top Secret, Secret, Confidential) and clearances assigned to subjects, with the system enforcing the policy. This is the defining characteristic of Mandatory Access Control (MAC), where the operating system or security kernel centrally controls access based on predefined rules, and users cannot override these controls. The reference to labels and clearances without user discretion confirms MAC as the correct model.

Exam trap

The trap here is that candidates often confuse MAC with RBAC because both involve centralized policy, but MAC is uniquely defined by the use of security labels and clearances, not roles, and the exhibit's mention of 'labels' is the key differentiator that eliminates RBAC.

How to eliminate wrong answers

Option B (DAC) is wrong because DAC allows the owner of a resource to set permissions at their discretion (e.g., using file ownership and ACLs in Windows or Unix), whereas the exhibit shows a system-enforced label-based policy with no user override. Option C (RBAC) is wrong because RBAC assigns permissions based on job roles (e.g., 'admin', 'auditor'), not on security labels or clearances; the exhibit does not mention roles but rather classification levels. Option D (ABAC) is wrong because ABAC uses attributes (e.g., time, location, resource type) evaluated against policies, often via XACML, but the exhibit specifically describes a label-based system with hierarchical classifications, which is the hallmark of MAC, not ABAC's flexible attribute evaluation.

9
MCQmedium

During a security incident, the incident response team identifies that an attacker exfiltrated data via a compromised service account. Which of the following is the BEST immediate step to contain the incident?

A.Notify law enforcement
B.Enable detailed auditing on the account
C.Revoke the service account's privileges
D.Change the password of the service account
AnswerC

Revoking privileges immediately stops unauthorized access.

Why this answer

Option C is correct because revoking the compromised account's privileges stops further access. Option A is wrong because changing the password may not be effective if the attacker has established persistence. Option B is wrong while important, auditing alone doesn't stop ongoing exfiltration.

Option D is wrong because notifying law enforcement is a later step, not immediate containment.

10
MCQhard

A data classification policy is shown. A database contains a field labeled 'SSN' that matches the pattern for 'employee_id'. What action should be applied to the SSN field?

A.None
B.Mask
C.Encrypt
D.Block
AnswerB

Correct - The rule for employee_id pattern specifies mask.

Why this answer

The SSN field matches the pattern for 'employee_id', indicating it contains sensitive personally identifiable information (PII). Masking is the appropriate action because it preserves the data format for operational use (e.g., testing, analytics) while irreversibly obscuring the actual values, reducing exposure risk without breaking referential integrity. Encryption would still allow authorized decryption, which is unnecessary for fields that only need pattern matching, and blocking would prevent legitimate access to the field entirely.

Exam trap

The trap here is that candidates often confuse 'encrypt' with 'mask', assuming encryption is always the best protection for sensitive data, but masking is specifically designed for fields that need to retain their format for operational use while preventing actual value disclosure.

How to eliminate wrong answers

Option A is wrong because 'None' would leave the SSN field exposed as plaintext, violating the data classification policy that requires protection for sensitive PII. Option C is wrong because encryption is reversible and adds unnecessary complexity for a field that only needs to be obfuscated for non-production use; masking is a one-way transformation that better suits the requirement to hide the actual value while maintaining format. Option D is wrong because blocking the field would prevent any access, including legitimate business needs like pattern matching or reporting, which is too restrictive for a field that still requires some level of usability.

11
MCQeasy

A company is deploying a wireless network for guests. The security requirement is to provide internet access only, with no access to the internal corporate network. Which technology should be used?

A.WPA3-SAE
B.MAC address filtering
C.A separate guest VLAN with ACLs restricting access to internal networks
D.WPA2-Enterprise with 802.1X
AnswerC

A guest VLAN combined with ACLs that block access to internal subnets ensures guests can only reach the internet.

Why this answer

A separate guest VLAN with ACLs restricting access to internal networks is the correct choice because it provides network segmentation at Layer 2 (VLAN) and Layer 3/4 (ACLs), ensuring guest traffic is isolated from the corporate network while allowing internet access. This approach aligns with the principle of least privilege and is a standard best practice for guest wireless deployments, as it does not rely on authentication or encryption alone to enforce access control.

Exam trap

The trap here is that candidates often confuse strong authentication (WPA2-Enterprise or WPA3) with network segmentation, failing to realize that authentication alone does not enforce access boundaries between guest and corporate networks.

How to eliminate wrong answers

Option A is wrong because WPA3-SAE is an authentication and encryption protocol for securing wireless connections, but it does not inherently restrict which networks or resources a connected device can access; it only secures the wireless link. Option B is wrong because MAC address filtering is a weak, easily spoofed access control method that only controls which devices can associate with the access point, not what those devices can reach after association; it provides no network-level segmentation. Option D is wrong because WPA2-Enterprise with 802.1X provides strong per-user authentication and encryption, but it does not by itself prevent authenticated users from accessing internal corporate resources; it lacks the VLAN and ACL enforcement needed for network isolation.

12
MCQeasy

A company wants to ensure that data is properly classified before storage. Which control should be implemented?

A.Data Classification Policy
B.Encryption
C.Data Loss Prevention (DLP)
D.Access Control Lists (ACLs)
AnswerA

A Data Classification Policy defines how data should be classified, ensuring proper handling.

Why this answer

A Data Classification Policy is the foundational control that defines the categories (e.g., public, internal, confidential) and handling requirements for data before it is stored. Without a policy, technical controls like encryption or DLP lack the classification labels needed to apply the correct rules. The policy ensures that data owners and custodians consistently label data at creation or ingestion, enabling downstream security controls to function correctly.

Exam trap

The trap here is that candidates confuse a technical control (like encryption or DLP) with the administrative control (the policy) that governs classification, leading them to pick a tool instead of the foundational directive.

How to eliminate wrong answers

Option B (Encryption) is wrong because encryption protects data confidentiality after classification but does not determine or enforce the classification itself; it is a technical safeguard applied based on policy. Option C (Data Loss Prevention) is wrong because DLP monitors and prevents unauthorized data transfers using classification labels but cannot classify data on its own—it relies on a policy to define what is sensitive. Option D (Access Control Lists) is wrong because ACLs enforce permissions on objects based on classification but do not classify the data; they are an implementation of the policy, not the policy itself.

13
MCQmedium

An organization is implementing IPsec VPN tunnels between multiple branch offices and the main office. The security team notices that the VPN tunnels are established successfully but no traffic passes through. Which of the following is the most likely cause?

A.Certificates expired
B.Mismatched encryption algorithm
C.Incorrect routing entries in the VPN routing table
D.Mismatched IKE version
AnswerC

If routes are missing or misconfigured, traffic will not be forwarded into the tunnel even though the tunnel is operational.

Why this answer

When IPsec VPN tunnels are established (IKE Phase 1 and Phase 2 complete) but no traffic passes, the most common cause is incorrect routing entries in the VPN routing table. The tunnel may be up, but if the branch office does not have a route pointing the destination subnet to the tunnel interface (e.g., a static route or policy-based route), packets will be sent out the physical interface unencrypted or dropped. This is distinct from authentication or encryption mismatches, which would prevent tunnel establishment entirely.

Exam trap

The trap here is that candidates assume a successful tunnel establishment (Phase 1 and Phase 2 UP) guarantees traffic flow, but ISC2 often tests the subtle distinction between control plane success and data plane forwarding, where routing misconfigurations silently drop traffic.

How to eliminate wrong answers

Option A is wrong because expired certificates would cause IKE authentication to fail during Phase 1, preventing the VPN tunnel from being established at all. Option B is wrong because a mismatched encryption algorithm would cause IKE Phase 2 negotiation to fail, so the tunnel would not reach an established state. Option D is wrong because a mismatched IKE version (e.g., IKEv1 vs IKEv2) would prevent the initial IKE SA from forming, again blocking tunnel establishment.

14
MCQmedium

A multinational corporation must comply with GDPR and CCPA. Which data protection strategy should they prioritize?

A.Data masking
B.Data retention
C.Data encryption
D.Data minimization
AnswerD

Core principle under GDPR and CCPA, reducing data collection and storage.

Why this answer

Data minimization reduces the amount of personal data collected and stored, thereby limiting exposure and compliance burden. Encryption protects data but does not reduce collection. Data retention policies are secondary.

Data masking is useful for specific use cases but not a primary strategy.

15
MCQhard

Refer to the exhibit. A security analyst detects unusual process creation. Which attack technique is most likely being observed?

A.Privilege escalation via SeDebugPrivilege
B.Pass-the-Hash attack
C.Kerberos Golden Ticket attack
D.LSASS credential dumping using Mimikatz
AnswerD

Mimikatz can inject into lsass.exe to dump credentials; spawning cmd.exe from lsass is a common post-exploitation step.

Why this answer

The exhibit shows that a cmd.exe process was spawned by lsass.exe, which is abnormal. lsass.exe is the Local Security Authority Subsystem Service. The parent process being lsass.exe indicates that an attacker may have injected code into lsass.exe to execute commands. The privileges assigned to the logon session include SeDebugPrivilege and SeTcbPrivilege, which are high privileges.

This is indicative of a Pass-the-Hash or credential dumping attack where the attacker uses LSASS to extract credentials or execute commands with SYSTEM privileges.

16
MCQeasy

Refer to the exhibit. A security analyst reviews this syslog entry from a firewall. The firewall's ACL is configured to deny all traffic by default except what is explicitly permitted. This is an example of which security principle?

A.Least privilege
B.Separation of duties
C.Need to know
D.Defense in depth
AnswerA

Least privilege ensures only necessary access is granted; default-deny enforces this.

Why this answer

The principle of least privilege grants only necessary access; default-deny (deny all by default) is an implementation of this principle.

17
MCQhard

Refer to the exhibit. A network administrator sees that IPsec IKE negotiations fail between site A and site B. Site B's firewall has the above ACL applied inbound on the external interface. What is the most likely cause?

A.The ACL permits only TCP and UDP but not ESP packets.
B.The ACL permits only TCP and UDP but not IKE and IPsec traffic.
C.The ACL permits only TCP and UDP but not L2TP.
D.The ACL permits only TCP and UDP but not AH packets.
AnswerA

ESP uses IP protocol 50, not TCP or UDP.

Why this answer

The ACL permits TCP and UDP only. IPsec ESP uses IP protocol 50 (not TCP/UDP), so ESP packets are denied by the implicit deny rule. While IKE (UDP 500/4500) is permitted, the actual data traffic after IKE negotiation fails because ESP is blocked.

18
Multi-Selecteasy

Which TWO of the following are common techniques used in dynamic application security testing (DAST)?

Select 2 answers
A.Fuzzing
B.Static analysis
C.Spidering
D.String search
E.Code review
AnswersA, C

Fuzzing is a dynamic testing technique that inputs malformed data to trigger faults.

Why this answer

Fuzzing is a DAST technique that involves sending malformed or unexpected input to an application to trigger unhandled exceptions, crashes, or security vulnerabilities. It tests the runtime behavior of the application, making it a dynamic testing method.

Exam trap

ISC2 often tests the distinction between static and dynamic testing techniques, and candidates may mistakenly associate code review or string search with dynamic testing because they are security assessment activities, but they are not performed against a running application.

19
MCQmedium

During a vulnerability scan, a security analyst discovers that a web server is running an outdated version of Apache with known remote code execution vulnerabilities. The server is in production and cannot be patched immediately due to dependency conflicts. What is the best compensating control to reduce risk while a permanent fix is developed?

A.Disable all unnecessary modules and services on the server
B.Implement a web application firewall (WAF) to block known attack patterns
C.Enable detailed logging and alerting for the server
D.Isolate the server in a separate VLAN with strict ACLs
AnswerB

A WAF can detect and block exploit attempts, providing virtual patching until the software is updated.

Why this answer

A Web Application Firewall (WAF) is the best compensating control because it can inspect HTTP/HTTPS traffic at the application layer (Layer 7) and block known attack patterns targeting the outdated Apache version, such as specific payloads for CVE-2017-9798 or CVE-2021-41773. Unlike other options, a WAF provides virtual patching without modifying the vulnerable server, directly mitigating the remote code execution risk while a permanent fix is developed.

Exam trap

ISC2 often tests the distinction between detective controls (logging/alerting) and preventive controls (WAF), leading candidates to choose logging because it seems proactive, but it fails to reduce risk in real time.

How to eliminate wrong answers

Option A is wrong because disabling unnecessary modules and services reduces the attack surface but does not block the specific remote code execution exploits that target the vulnerable Apache core or remaining enabled modules. Option C is wrong because enabling detailed logging and alerting only improves detection and incident response, not prevention; it does not reduce the likelihood of exploitation. Option D is wrong because isolating the server in a separate VLAN with strict ACLs limits network-level exposure but does not prevent application-layer attacks (e.g., HTTP requests carrying exploit payloads) from reaching the vulnerable Apache service.

20
Multi-Selecteasy

Which TWO principles are essential for implementing least privilege in identity and access management?

Select 2 answers
A.Minimum necessary permissions
B.Need-to-know
C.Segregation of duties
D.User awareness training
E.Password complexity requirements
AnswersA, B

Minimum necessary permissions are the core of least privilege.

Why this answer

A is correct because 'minimum necessary permissions' is the core principle of least privilege, ensuring users and processes are granted only the permissions required to perform their authorized tasks. This directly limits the attack surface by preventing access to resources beyond what is strictly needed for a specific role or function.

Exam trap

The trap here is that candidates often confuse 'need-to-know' (which applies to data confidentiality and information disclosure) with 'minimum necessary permissions' (which applies to system access and authorization), or mistakenly think segregation of duties is a subset of least privilege rather than a distinct control.

21
Multi-Selectmedium

Which THREE of the following are common security design principles? (Select THREE.)

Select 3 answers
A.Open design
B.Least privilege
C.Single point of failure
D.Security through obscurity
E.Economy of mechanism
AnswersA, B, E

Correct. Security should not depend on secrecy of design.

Why this answer

Open design (A) is a fundamental security principle stating that the security of a system should not depend on the secrecy of its implementation; instead, it relies on the strength of its cryptographic keys and algorithms. This principle is embodied in Kerckhoffs's principle, which asserts that a cryptosystem should remain secure even if everything about the system, except the key, is public knowledge. Open design allows for public scrutiny and peer review, which helps identify vulnerabilities and build trust in the system's security.

Exam trap

The trap here is that candidates may confuse 'single point of failure' as a design principle (it is a risk to be mitigated, not a principle) or mistakenly think 'security through obscurity' is a valid principle, when in fact the CISSP explicitly teaches that it is not a reliable security measure.

22
Multi-Selectmedium

A security analyst is evaluating a web application firewall (WAF). Which TWO features are most critical for preventing common web attacks?

Select 2 answers
A.Virtual patching.
B.Signature-based detection.
C.SSL inspection.
D.Rate limiting.
E.Behavioral analysis.
AnswersB, E

Detects known attack signatures like SQL injection patterns.

Why this answer

Signature-based detection catches known attack patterns; behavioral analysis identifies anomalies and unknown attacks. SSL inspection is for decryption, not prevention. Rate limiting is for availability.

Virtual patching is a specific technique that is less critical than core detection engines.

23
MCQmedium

During a web application security test, a tester attempts to inject JavaScript into a search field and observes that the script executes when the page is loaded. This indicates a vulnerability to:

A.SQL injection
B.Cross-site scripting (XSS)
C.Command injection
D.Cross-site request forgery (CSRF)
AnswerB

XSS allows injection of client-side scripts into web pages.

Why this answer

The observed behavior—JavaScript injected into a search field executing when the page loads—is the hallmark of stored (persistent) cross-site scripting (XSS). In this attack, the tester's input is stored on the server (e.g., in a database or log) and later served to other users without proper output encoding, causing the browser to interpret the injected script as part of the page's HTML DOM. This directly violates the same-origin policy and allows arbitrary script execution in the context of the victim's session.

Exam trap

ISC2 often tests the distinction between XSS and CSRF by presenting a scenario where script execution occurs, leading candidates to confuse the client-side injection (XSS) with a cross-site request forgery (CSRF) that relies on forged requests, not injected scripts.

How to eliminate wrong answers

Option A is wrong because SQL injection targets the database layer by manipulating SQL queries (e.g., via ' OR 1=1 --), not by executing JavaScript in the browser. Option C is wrong because command injection exploits the operating system shell by injecting system commands (e.g., ; ls -la) into server-side functions, not client-side script execution. Option D is wrong because cross-site request forgery (CSRF) forces an authenticated user to perform unintended actions (e.g., state-changing requests) via crafted links or forms, but it does not involve injecting and executing JavaScript in the page itself.

24
MCQmedium

A healthcare organization recently experienced a data breach. The incident response team traced the breach to a compromised third-party vendor that had remote access to the organization's network. The vendor's credentials were stolen via a phishing attack. The organization's security policy requires that all third-party remote access be monitored and logged. During the investigation, it was discovered that the vendor's session traffic was not logged because the logging system was misconfigured. The security team needs to prevent similar incidents in the future. Which of the following is the MOST effective remediation?

A.Require multi-factor authentication for all third-party access.
B.Conduct regular phishing simulations for third-party vendors.
C.Implement a privileged access management (PAM) solution with session recording.
D.Disable all third-party remote access until a new vendor vetting process is established.
AnswerC

PAM with session recording enforces least privilege and captures all activity for logs.

Why this answer

Option C is correct because a Privileged Access Management (PAM) solution with session recording directly addresses the root cause: the logging system was misconfigured and failed to capture third-party remote access traffic. PAM enforces centralized control, vaulting credentials, and recording all sessions (e.g., via RDP, SSH) in a tamper-proof audit trail, ensuring that even if credentials are stolen, every keystroke and screen activity is logged and monitored. This provides the forensic evidence needed to detect and investigate unauthorized actions, closing the gap left by the misconfigured logging system.

Exam trap

The trap here is that candidates confuse authentication controls (MFA) with monitoring/logging controls, overlooking that the specific failure was a logging misconfiguration, not a lack of authentication strength.

How to eliminate wrong answers

Option A is wrong because multi-factor authentication (MFA) prevents credential theft from being used for authentication, but it does not ensure session traffic is logged or monitored; the logging system misconfiguration would remain unaddressed. Option B is wrong because phishing simulations train vendors to recognize phishing attacks, but they do not enforce logging of remote access sessions or fix the misconfigured logging system; the breach vector (stolen credentials) could still succeed if MFA is absent. Option D is wrong because disabling all third-party remote access until a new vetting process is established is an extreme operational disruption that does not remediate the logging misconfiguration; it also fails to address the need for continuous monitoring and session recording for future access.

25
Drag & Dropmedium

Drag and drop the steps for setting up a VPN using IPsec in tunnel mode in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

IPsec VPN setup involves IKE phase 1, phase 2, defining traffic, applying crypto map, and verification.

26
MCQhard

A security analyst discovers that an employee shared confidential customer data with an unauthorized third party. The analyst reports this to the CISO, who decides to terminate the employee. Which ethical principle from the (ISC)² Code of Ethics is most directly violated by the employee?

A.Provide diligent and competent service to principals
B.Protect society, the common good, necessary public trust and confidence, and the infrastructure
C.Advance and protect the profession
D.Act honorably, honestly, justly, responsibly, and legally
AnswerB

Sharing confidential data violates trust and public confidence.

Why this answer

The (ISC)² Code of Ethics Canon 1: Protect society, the common good, necessary public trust and confidence, and the infrastructure. Disclosing confidential data undermines trust and harms society.

27
MCQeasy

Which of the following is the primary purpose of a security assessment?

A.To fix all vulnerabilities immediately
B.To ensure compliance with regulations
C.To punish non-compliant employees
D.To identify weaknesses and measure control effectiveness
AnswerD

This is the core objective of security assessments.

Why this answer

The primary purpose of a security assessment is to systematically identify vulnerabilities, threats, and weaknesses in an organization's information systems, and to evaluate the effectiveness of existing security controls. This aligns with the CISSP domain of Security Assessment and Testing, where the goal is to measure control performance against a baseline, not to immediately remediate or enforce compliance.

Exam trap

The trap here is that candidates often confuse the purpose of a security assessment with remediation or compliance, but the CISSP emphasizes that assessment is about measuring and identifying, not fixing or enforcing.

How to eliminate wrong answers

Option A is wrong because fixing all vulnerabilities immediately is the goal of remediation, not assessment; assessment identifies weaknesses but does not prescribe or execute fixes. Option B is wrong because ensuring compliance with regulations is a possible outcome or driver of an assessment, but not its primary purpose; the core function is to evaluate control effectiveness, not merely to check regulatory boxes. Option C is wrong because punishing non-compliant employees is a disciplinary action, which is outside the scope of a security assessment; assessments focus on systems and controls, not personnel punishment.

28
Multi-Selecthard

A security analyst is reviewing log data from various sources. Which of the following are essential for effective security logging in accordance with best practices? (Select THREE.)

Select 3 answers
A.Storage of logs in plaintext format only
B.Secure transmission of logs to a central repository
C.Time synchronization across all log sources
D.Log retention of at least one year
E.Inclusion of user identifiers in log entries
AnswersB, C, E

Ensuring logs are sent securely prevents tampering and interception.

Why this answer

Option B is correct because logs must be transmitted securely to a central repository to prevent tampering, interception, or unauthorized disclosure during transit. Best practices require the use of encrypted channels such as TLS (e.g., syslog over TLS per RFC 5425) or IPsec to ensure confidentiality and integrity of log data while in motion.

Exam trap

The trap here is that candidates may mistakenly believe that log retention must always be at least one year, but the CISSP emphasizes that retention periods are policy-driven and vary by compliance requirements, not a fixed universal standard.

29
MCQmedium

Refer to the exhibit. A user reports they cannot authenticate to a web application after receiving a new token. The error log shows the above entries. Which of the following is the MOST likely cause?

A.The token uses a different signing algorithm than expected
B.The token has expired
C.The token's issuer claim does not match the expected issuer
D.The token was signed with a different secret key than the one used by the verifier
AnswerD

Signature mismatch indicates key mismatch.

Why this answer

The error log entries indicate a signature validation failure, which occurs when the token was signed with a secret key that differs from the one the verifier uses. In JSON Web Token (JWT) authentication, the verifier must possess the exact same secret (for HMAC) or the corresponding public key (for RSA/ECDSA) to validate the signature; a mismatch causes authentication to fail. This is the most likely cause because the user received a new token, suggesting a key rotation or misconfiguration where the signing key was changed without updating the verifier.

Exam trap

ISC2 often tests the distinction between signature validation failures (key mismatch) and claim validation failures (exp, iss, aud), and the trap here is that candidates confuse a token being 'invalid' with it being 'expired' or having a wrong issuer, when the error log specifically points to cryptographic signature failure.

How to eliminate wrong answers

Option A is wrong because a signing algorithm mismatch would typically produce an 'algorithm not allowed' or 'unexpected algorithm' error, not a generic signature validation failure; the error log does not mention algorithm issues. Option B is wrong because token expiration errors are explicitly logged as 'token expired' or 'exp' claim validation failure, not as a signature validation error. Option C is wrong because an issuer claim mismatch would generate an 'issuer not valid' or 'unexpected issuer' error, not a signature validation failure; the verifier checks the 'iss' claim separately from signature verification.

30
MCQeasy

A password policy requires passwords to be at least 12 characters, with uppercase, lowercase, digits, and special characters. Which of the following is an example of a password that meets the policy?

A.Abcdefghijkl
B.Pa$$w0rd
C.MyP@ssw0rd1
D.SecureP@ss1
E.Password123!
AnswerE

This is 12 characters, includes uppercase, lowercase, digits, and special character.

Why this answer

Option E (Password123!) meets the policy because it is 12 characters long and includes uppercase (P), lowercase (assword), digits (123), and a special character (!). The policy requires all four character types, and this password satisfies each requirement without any ambiguity.

Exam trap

The trap here is that candidates often overlook the exact length requirement and focus only on character variety, leading them to select options like C or D that contain all character types but are shorter than 12 characters.

How to eliminate wrong answers

Option A is wrong because it contains only uppercase and lowercase letters (no digits or special characters), failing the policy's requirement for all four character types. Option B is wrong because it is only 8 characters long (Pa$$w0rd), falling short of the 12-character minimum. Option C is wrong because it is 11 characters long (MyP@ssw0rd1), one character short of the 12-character minimum.

Option D is wrong because it is 10 characters long (SecureP@ss1), also failing the length requirement.

31
MCQeasy

A security assessor is conducting a penetration test and needs to identify live hosts on a network without causing disruption. Which of the following techniques should the assessor use FIRST?

A.ARP scan to discover hosts on the local subnet.
B.Ping sweep using ICMP echo requests.
C.Vulnerability scan of all IP addresses in the target range.
D.Full TCP port scan on common ports.
AnswerB

Ping sweep is a standard, non-disruptive host discovery technique.

Why this answer

A ping sweep using ICMP echo requests (ICMP Type 8) is the most appropriate first step for identifying live hosts on a network because it is a standard, low-disruption method that quickly determines host availability. ICMP echo requests are typically allowed by default on many networks and do not initiate full protocol handshakes or service interactions, minimizing the risk of triggering alarms or causing instability. This aligns with the penetration testing methodology of starting with passive or low-impact reconnaissance before escalating to more intrusive techniques.

Exam trap

The trap here is that candidates often choose 'ARP scan' (Option A) thinking it is the least disruptive, but they forget that ARP is limited to the local broadcast domain and cannot discover hosts across routers, making it ineffective for a penetration test that typically spans multiple subnets.

How to eliminate wrong answers

Option A is wrong because an ARP scan is limited to the local subnet and cannot discover hosts across routed networks, making it unsuitable as a first step for a general penetration test that may involve multiple subnets. Option C is wrong because a vulnerability scan is an intrusive, high-impact activity that should only be performed after live hosts have been identified and authorized; running it on all IP addresses in the target range would waste resources and potentially disrupt non-existent or sensitive systems. Option D is wrong because a full TCP port scan on common ports is more intrusive than a ping sweep, as it involves completing TCP three-way handshakes (or sending SYN packets) to many ports, which can trigger intrusion detection systems and cause performance issues on target hosts.

32
Multi-Selecteasy

Which TWO of the following are principles of the zero trust security model? (Select TWO.)

Select 2 answers
A.Trust but verify
B.Never trust, always verify
C.Users are inherently trustworthy
D.Assume all networks are hostile
E.Perimeter defenses are sufficient
AnswersB, D

Correct. This is a core zero trust principle.

Why this answer

The zero trust security model is founded on the principle of 'never trust, always verify,' meaning no entity—inside or outside the network—is trusted by default. This requires continuous authentication and authorization for every access request, regardless of the user's location or network. Option B correctly captures this core tenet.

Exam trap

The trap here is that candidates confuse 'trust but verify' (a legacy perimeter model) with zero trust, or assume that zero trust still allows some inherent trust for authenticated users, when in fact it requires verification for every single access request regardless of prior authentication.

33
MCQhard

A financial services company uses a custom web application for online banking. The application is developed in-house using Java and deployed on Apache Tomcat servers. Recently, the security team discovered that the application is vulnerable to a critical remote code execution (RCE) vulnerability due to insecure deserialization of untrusted data. The vulnerability exists in a module that processes session objects. The development team has been assigned to fix this issue. They propose the following options: A. Implement a custom deserialization filter using ObjectInputFilter to whitelist only expected classes. B. Replace Java serialization with JSON serialization using a library like Jackson, and configure it to disallow polymorphic deserialization by default. C. Encrypt all serialized objects using AES-256 before sending them to the client. D. Use a Web Application Firewall (WAF) to block requests containing known deserialization payloads. The application must maintain high availability and minimal latency. Which option provides the MOST effective and sustainable remediation?

A.Replace Java serialization with JSON serialization using a library like Jackson, and configure it to disallow polymorphic deserialization by default.
B.Use a Web Application Firewall (WAF) to block requests containing known deserialization payloads.
C.Implement a custom deserialization filter using ObjectInputFilter to whitelist only expected classes.
D.Encrypt all serialized objects using AES-256 before sending them to the client.
AnswerA

This eliminates the insecure deserialization vector by using a safer serialization format and disabling dangerous features.

Why this answer

Option A is correct because replacing Java serialization with JSON serialization (e.g., Jackson) and disabling polymorphic deserialization eliminates the root cause of insecure deserialization—Java's native serialization mechanism that automatically executes arbitrary code when deserializing untrusted data. JSON serialization with strict type handling prevents the attacker from injecting malicious objects, providing a sustainable fix without relying on fragile blacklists or encryption that doesn't address the vulnerability.

Exam trap

The trap here is that candidates often choose encryption (Option D) thinking it secures the data in transit, but encryption does not address the deserialization logic flaw—the vulnerability remains after decryption, and the attacker can still trigger RCE if they control the serialized stream.

How to eliminate wrong answers

Option B is wrong because a WAF can only block known payload patterns, but deserialization attacks can be obfuscated or use novel gadgets, making it an incomplete and unsustainable defense that fails against zero-day exploits. Option C is wrong because while ObjectInputFilter can whitelist classes, it is a Java-specific filter that can be bypassed if not perfectly configured (e.g., via nested objects or reflection), and it still relies on the insecure Java serialization protocol, which is inherently risky. Option D is wrong because encrypting serialized objects does not prevent the deserialization vulnerability; if the attacker obtains the decryption key or the encrypted data is decrypted server-side, the malicious payload will still be executed upon deserialization.

34
MCQmedium

In a zero trust architecture, which component is responsible for continuously verifying the trustworthiness of a device before granting access to resources?

A.Policy Decision Point (PDP)
B.Policy Enforcement Point (PEP)
C.Identity Provider (IdP)
D.Policy Administrator (PA)
AnswerA

Correct. PDP evaluates policies and verifies trust continuously.

Why this answer

In a zero trust architecture, the Policy Decision Point (PDP) is the component that evaluates all available telemetry and contextual data—such as device posture, user identity, and behavioral analytics—to make a real-time trust decision. It continuously verifies device trustworthiness by applying dynamic policies (e.g., checking for up-to-date patches, compliance with security baselines, or absence of malware) before granting or denying access to resources. This aligns with the NIST SP 800-207 zero trust model, where the PDP is the logical brain that computes trust levels and issues authorization decisions.

Exam trap

The trap here is that candidates often confuse the Policy Decision Point (PDP) with the Policy Enforcement Point (PEP), mistakenly thinking the PEP makes the trust decision when it only enforces the decision made by the PDP.

How to eliminate wrong answers

Option B (Policy Enforcement Point) is wrong because the PEP is responsible for executing the access decision—either allowing, blocking, or restricting traffic—but it does not perform the continuous trust evaluation itself; it relies on the PDP for that decision. Option C (Identity Provider) is wrong because the IdP authenticates users and issues identity tokens (e.g., SAML assertions or OIDC claims), but it does not continuously verify device posture or trustworthiness; device trust is a separate attribute evaluated by the PDP. Option D (Policy Administrator) is wrong because the PA generates the session token and communicates the PDP's decision to the PEP, but it does not perform the actual trust evaluation; it is an intermediary that manages the lifecycle of the authorization session.

35
Multi-Selecthard

Which THREE of the following are examples of asymmetric cryptographic algorithms? (Select THREE.)

Select 3 answers
A.Elliptic Curve Cryptography (ECC)
B.Diffie-Hellman
C.AES
D.RSA
E.Blowfish
AnswersA, B, D

Correct. ECC is asymmetric.

Why this answer

Elliptic Curve Cryptography (ECC) is an asymmetric cryptographic algorithm that uses the algebraic structure of elliptic curves over finite fields to provide security with smaller key sizes compared to RSA. It relies on the Elliptic Curve Discrete Logarithm Problem (ECDLP) for its security, making it computationally infeasible to derive the private key from the public key. ECC is widely used in modern protocols such as TLS, SSH, and Bitcoin for key exchange and digital signatures.

Exam trap

The trap here is that candidates often confuse symmetric ciphers like AES and Blowfish with asymmetric algorithms because they are both used for encryption, but the key management difference is the defining characteristic tested in CISSP.

36
MCQmedium

An organization is implementing a security awareness program. Which topic should be emphasized most?

A.Social media usage
B.Phishing recognition
C.Password policy
D.Clean desk policy
AnswerB

Directly addresses a leading cause of breaches.

Why this answer

Phishing is one of the most common attack vectors and requires user vigilance. Password policies are important but phishing directly exploits human error. Clean desk and social media are relevant but less critical.

37
MCQhard

A global manufacturing company with headquarters in Europe and factories in Asia and North America has recently experienced a data breach. The breach involved the theft of intellectual property (IP) containing product designs stored on a file server located in the Asian factory. The investigation revealed that the attacker gained access using a compromised administrator account from a contractor's laptop that was connected to the corporate VPN. The company has implemented network segmentation, but the file server resides in the same VLAN as other factory equipment. The company uses Active Directory for identity management, and all employees and contractors use the same domain. The company is now reviewing its data governance policies to prevent future incidents. The security team must recommend a set of controls that address the root cause while maintaining operational efficiency. Which of the following is the BEST course of action?

A.Create a separate Active Directory forest for contractors and establish a one-way trust to allow access only to necessary resources
B.Implement a privileged access management (PAM) solution with just-in-time (JIT) elevation and conditional access policies that require managed, compliant devices for VPN access
C.Require multi-factor authentication (MFA) for all users accessing the VPN, regardless of role
D.Isolate the file server into its own VLAN and implement strict firewall rules to limit access to only necessary personnel
AnswerB

PAM/JIT limits the time window of privileged access, and device compliance checks help ensure that only secure devices can connect, reducing the risk of compromised credentials.

Why this answer

Option C is correct because implementing privileged access management (PAM) with just-in-time (JIT) access and conditional access policies (e.g., requiring compliant devices for VPN) directly addresses the use of compromised credentials and contractor access. Option A is wrong because adding more VLANs complicates management but does not prevent credential misuse. Option B is wrong because MFA for all users would help but still allows compromised devices to log in.

Option D is wrong because a separate domain for contractors requires significant administrative overhead and may not be feasible.

38
Multi-Selecteasy

Which TWO of the following are examples of administrative controls? (Select exactly 2)

Select 2 answers
A.Firewall rules
B.Security awareness training
C.Security guards at entrances
D.Encryption of data at rest
E.Background checks for employees
AnswersB, E

Correct - Administrative control addressing people.

Why this answer

Security awareness training (B) is an administrative control because it involves policies, procedures, and human behavior management to reduce risk. Background checks (E) are also administrative controls, as they are part of personnel security policies that vet employees before granting access. Both are documented in the organization's security policy framework and are not technical or physical mechanisms.

Exam trap

ISC2 often tests the distinction between administrative, technical, and physical controls, and the trap here is that candidates confuse security guards (physical) or firewall rules (technical) with administrative controls because they involve 'security' or 'rules,' but they are not policy-based or procedural in nature.

39
MCQhard

A company is implementing a continuous monitoring program for its cloud infrastructure. Which of the following metrics would be MOST useful for detecting unauthorized changes to production systems?

A.Network throughput between application tiers.
B.Average CPU load across all systems.
C.Number of failed login attempts per hour.
D.Configuration drift from a known good baseline.
AnswerD

Configuration drift detection directly identifies unauthorized changes to system settings.

Why this answer

Configuration drift from a known good baseline is the most effective metric for detecting unauthorized changes because it directly compares the current state of production systems against a secure, approved baseline (e.g., using tools like AWS Config, Azure Policy, or Chef InSpec). Any deviation—such as altered file permissions, unexpected services, or modified registry keys—triggers an alert, enabling rapid detection of unauthorized modifications. This aligns with continuous monitoring principles in cloud security, focusing on integrity rather than performance or access patterns.

Exam trap

The trap here is that candidates often choose 'Number of failed login attempts per hour' (Option C) because they associate monitoring with authentication events, but the question specifically targets unauthorized changes to production systems, which require integrity-focused metrics like configuration drift, not access attempts.

How to eliminate wrong answers

Option A is wrong because network throughput between application tiers measures performance and capacity, not the integrity of system configurations; unauthorized changes may not affect throughput. Option B is wrong because average CPU load indicates resource utilization, not configuration changes; an attacker could modify systems without impacting CPU load. Option C is wrong because failed login attempts per hour detect brute-force or credential-based attacks, not unauthorized changes to production systems after authentication is bypassed or compromised.

40
MCQhard

An organization implements a data masking policy for production databases. Which of the following best describes the primary goal?

A.Reduce the risk of data exposure during testing
B.Ensure data availability
C.Encrypt data at rest
D.Simplify access controls
AnswerA

Masking protects sensitive data when used in development, testing, or training.

Why this answer

Data masking irreversibly replaces sensitive data with realistic but fictitious values, ensuring that production data is not exposed in non-production environments like testing or development. This directly reduces the risk of data exposure during testing, which is the primary goal of a data masking policy. Unlike encryption, masking does not preserve the ability to reverse the transformation, making it ideal for scenarios where the original data is not needed.

Exam trap

The trap here is confusing data masking with encryption, as both protect data but serve fundamentally different purposes—encryption is reversible and protects data in transit/at rest, while masking is irreversible and protects data in non-production environments.

How to eliminate wrong answers

Option B is wrong because data masking does not ensure data availability; in fact, it may reduce availability for certain use cases by obscuring the original values. Option C is wrong because data masking is not encryption; encryption is reversible with a key, while masking is typically irreversible and does not protect data at rest in the same cryptographic sense. Option D is wrong because data masking does not simplify access controls; it is a separate data obfuscation technique that may require additional access management for masked versus unmasked data.

41
MCQeasy

In asset security, which of the following is a primary responsibility of a data owner?

A.Monitoring access logs
B.Classifying data
C.Implementing security controls
D.Backing up data
AnswerB

Data owners classify the data they are responsible for.

Why this answer

The data owner is the senior-level manager who is ultimately accountable for a specific set of data. Their primary responsibility is to determine the data's sensitivity and business value, which directly drives the classification level (e.g., public, internal, confidential, restricted). Classification is the foundational step that dictates all subsequent protection requirements, making it a core duty of the data owner, not a technical implementer.

Exam trap

The trap here is that candidates confuse the data owner's strategic, accountability-based role (classification) with the data custodian's operational, hands-on tasks (monitoring, implementing controls, backups), leading them to pick a technical option like 'implementing security controls' instead of the correct classification duty.

How to eliminate wrong answers

Option A is wrong because monitoring access logs is an operational, detective control typically performed by data custodians or security administrators, not the data owner. Option C is wrong because implementing security controls (e.g., encryption, ACLs) is the responsibility of the data custodian or system administrator, who executes the technical measures based on the owner's classification and policy. Option D is wrong because backing up data is a routine operational task assigned to data custodians or backup administrators to ensure availability and recoverability, not a strategic ownership duty.

42
MCQmedium

A vulnerability scan report shows that a web server has a critical vulnerability with a CVSS score of 9.8. However, the server is behind a WAF that blocks the attack vector, and the vulnerability is in a deprecated feature that cannot be removed until the next major release. What should the security manager do first?

A.Remove the server from production
B.Ignore the finding because the WAF blocks it
C.Document the compensating control and accept the residual risk
D.Immediately patch the vulnerability
AnswerC

Proper risk treatment includes acknowledging existing controls and formal acceptance.

Why this answer

Option C is correct because the WAF serves as a compensating control that effectively mitigates the attack vector for this vulnerability, and the residual risk has been formally documented and accepted by management. In the absence of an immediate patch or removal of the deprecated feature, documenting the compensating control and accepting the residual risk is the appropriate risk management decision per the organization's risk appetite and the NIST SP 800-30 risk assessment framework.

Exam trap

The trap here is that candidates mistakenly think a high CVSS score always demands immediate patching or removal, ignoring the role of compensating controls and formal risk acceptance in the risk management process.

How to eliminate wrong answers

Option A is wrong because removing the server from production would cause unnecessary service disruption when a compensating control (WAF) already blocks the attack vector, and the vulnerability is in a deprecated feature that cannot be removed until the next major release. Option B is wrong because ignoring the finding violates due care and security governance principles; the finding must be documented, risk-assessed, and formally accepted, not simply ignored. Option D is wrong because patching is not immediately possible as the vulnerability is in a deprecated feature that cannot be removed until the next major release, and attempting to patch a deprecated feature could introduce instability or break functionality.

43
MCQmedium

An organization uses OAuth 2.0 for delegated access to APIs. A developer creates a public client application that runs on mobile devices. Which OAuth 2.0 grant type is MOST appropriate for this scenario?

A.Client Credentials Grant
B.Implicit Grant
C.Resource Owner Password Credentials Grant
D.Authorization Code Grant with PKCE
AnswerD

Provides secure token exchange for public clients.

Why this answer

The Authorization Code Grant with PKCE (Proof Key for Code Exchange) is the most appropriate for a public client on a mobile device because it prevents authorization code interception attacks. PKCE replaces the client secret with a dynamically generated code verifier and challenge, ensuring that even if the authorization code is intercepted, it cannot be exchanged for tokens without the original verifier. This is the OAuth 2.0 Security Best Current Practice (BCP) recommendation for native and mobile apps.

Exam trap

The trap here is that candidates often choose the Implicit Grant (Option B) because they mistakenly believe it is simpler for mobile apps, but the CISSP exam tests the current OAuth 2.0 Security BCP which deprecates Implicit and mandates PKCE for public clients.

How to eliminate wrong answers

Option A is wrong because the Client Credentials Grant is designed for server-to-server (confidential client) authentication without user involvement, not for a public client on a mobile device that requires delegated user access. Option B is wrong because the Implicit Grant is deprecated by OAuth 2.0 Security BCP (RFC 8252) due to security risks like access token leakage in the URL fragment and lack of client authentication, making it unsuitable for mobile apps. Option C is wrong because the Resource Owner Password Credentials Grant requires the client to directly handle the user's password, which violates security best practices for mobile apps and is only recommended when the client is highly trusted (e.g., first-party apps) and other grants are not viable.

44
MCQmedium

You are a security analyst at a financial institution. The company has a hybrid infrastructure with on-premises servers and AWS cloud. The on-premises network uses a SIEM that aggregates logs from all sources. Recently, the SIEM has been generating a high volume of alerts for failed SSH login attempts from an internal IP (10.10.50.100) to multiple Linux servers. The IP belongs to a jump box used by system administrators. Upon investigation, you find that the jump box is running a hardened OS, and only authorized admins can access it via SSH key authentication. However, the failed login attempts show usernames like 'root', 'admin', 'test', which are not valid accounts on the target servers. The attempts occur every 5 seconds around the clock. There are no successful logins from that IP. The jump box has the latest patches and antivirus. What should you do FIRST?

A.Add the usernames 'root', 'admin', 'test' to the target servers' password blacklist
B.Isolate the jump box from the network immediately and conduct a forensic analysis
C.Ignore the alerts because the usernames are invalid and the jump box is hardened
D.Run a full antivirus scan on the jump box and check for malware
AnswerB

The jump box is likely compromised; isolating it stops the attack and allows for investigation.

Why this answer

The jump box is exhibiting automated, high-frequency failed login attempts with non-existent usernames, which is a classic indicator of a compromised host being used as an attack launch point—even if the OS appears hardened and AV shows clean. The first priority in incident response is containment; isolating the jump box prevents further potential lateral movement or data exfiltration while preserving forensic evidence. A forensic analysis is then required to determine the root cause (e.g., a hidden backdoor, credential theft, or kernel-level rootkit) before any remediation steps.

Exam trap

The trap here is that candidates focus on the 'hardened OS' and 'no successful logins' as signs of safety, but CISSP expects you to recognize that anomalous outbound attack traffic from an internal asset is a containment trigger, not a false positive.

How to eliminate wrong answers

Option A is wrong because adding usernames to a password blacklist does not address the source of the attack—the jump box itself is likely compromised, and blacklisting usernames on target servers is a reactive, non-containment measure that ignores the real threat. Option C is wrong because ignoring alerts based on invalid usernames and a hardened OS is a dangerous assumption; automated brute-force or credential-stuffing attempts from an internal jump box indicate a breach of trust, and the absence of successful logins does not rule out other malicious activities (e.g., lateral movement via other protocols). Option D is wrong because running an antivirus scan is insufficient—modern attackers use fileless malware, rootkits, or living-off-the-land binaries that AV may miss, and scanning should only occur after containment and forensic imaging to avoid altering evidence.

45
MCQeasy

During a risk communication session, the security team needs to present risk analysis results to executive management. Which approach is most effective for this audience?

A.A high-level summary highlighting top risks and recommended actions
B.Raw data from the risk assessment without interpretation
C.A comprehensive report with all risk register entries
D.Detailed technical explanations of each vulnerability
AnswerA

Executives need a concise overview to make strategic decisions.

Why this answer

Option D is correct because executive management prefers high-level summaries that focus on business impact, strategic risk, and resource needs. Option A is incorrect because technical details may overwhelm executives. Option B is incorrect because showing only raw data without analysis requires more effort from the audience.

Option C is incorrect because it is too detailed for a high-level audience.

46
MCQmedium

A multinational corporation with a hybrid cloud infrastructure has recently experienced a series of security incidents involving unauthorized access to sensitive customer data. The incidents were traced to compromised credentials of privileged users. The company has implemented multi-factor authentication (MFA) for all privileged accounts, but the attacks persisted. A security assessment team is brought in to evaluate the environment. During the assessment, they discover that some privileged accounts do not require MFA when accessing systems via API calls, and that session tokens for these APIs have a long expiration time of 24 hours. Additionally, the team finds that the logging and monitoring system does not capture API calls from privileged accounts, making it difficult to detect anomalous behavior. The company wants to remediate these issues effectively. Which of the following is the BEST course of action to address the root cause of the incidents?

A.Implement a SIEM system to analyze logs from all sources and create alerts for anomalous API activity.
B.Conduct a full audit of privileged account usage and revoke access for any accounts with suspicious activity.
C.Require MFA for all privileged access methods, including APIs, and reduce session token expiration to 15 minutes.
D.Replace API tokens with certificate-based authentication for all privileged accounts.
AnswerC

This addresses both the lack of MFA and the long token expiration, the root causes.

Why this answer

Option C is correct because the root cause is that privileged accounts can bypass MFA when accessing systems via API calls, and long-lived session tokens (24 hours) provide a wide window for attackers to reuse stolen tokens. Requiring MFA for all privileged access methods, including APIs, closes the authentication gap, and reducing session token expiration to 15 minutes minimizes the impact of token theft by limiting the reuse window. This directly addresses the two key vulnerabilities identified in the assessment.

Exam trap

The trap here is that candidates often choose a detective control (like SIEM) or a reactive measure (like auditing) instead of a preventive control that directly closes the authentication gap, because they overlook that the root cause is the MFA bypass on API calls and long-lived tokens, not a lack of monitoring or account hygiene.

How to eliminate wrong answers

Option A is wrong because implementing a SIEM system to analyze logs and create alerts is a detective control, not a preventive one; it does not address the root cause of missing MFA on API calls and long-lived tokens, and without capturing API calls from privileged accounts, the SIEM would have no data to analyze. Option B is wrong because conducting a full audit and revoking access for suspicious accounts is a reactive, one-time cleanup that does not prevent future credential compromise or token reuse; it ignores the systemic gaps in authentication and session management. Option D is wrong because replacing API tokens with certificate-based authentication, while more secure, does not inherently enforce MFA for every API call and does not address the long session token expiration issue; it also introduces complexity without directly solving the MFA bypass problem.

47
MCQhard

A security engineer is troubleshooting a site-to-site IPsec VPN between two firewalls. The tunnel status shows Phase 1 is up but Phase 2 is not. Which of the following is the most likely cause?

A.Incorrect pre-shared key
B.Mismatched authentication algorithm
C.Firewall rule blocking IKE traffic
D.Mismatched proxy IDs (traffic selectors)
AnswerD

Proxy IDs define which traffic should be encrypted; if they don't match, Phase 2 fails.

Why this answer

Phase 1 (IKE SA) establishes a secure channel for key exchange, while Phase 2 (IPsec SA) negotiates the specific traffic to be encrypted. If Phase 1 is up but Phase 2 fails, the most common cause is a mismatch in proxy IDs (traffic selectors), such as local/remote subnets or ports, which prevents the two peers from agreeing on which traffic to protect. This is distinct from authentication or encryption mismatches, which would typically cause Phase 1 to fail.

Exam trap

ISC2 often tests the distinction between Phase 1 and Phase 2 failures, and the trap here is that candidates mistakenly attribute Phase 2 failures to authentication or encryption mismatches, which actually affect Phase 1, not the traffic selector negotiation in Phase 2.

How to eliminate wrong answers

Option A is wrong because an incorrect pre-shared key would cause Phase 1 authentication to fail, preventing the IKE SA from being established. Option B is wrong because a mismatched authentication algorithm (e.g., SHA-1 vs SHA-256) would also cause Phase 1 negotiation to fail during the IKE proposal exchange. Option C is wrong because a firewall rule blocking IKE traffic (UDP 500/4500) would prevent Phase 1 from completing, not just Phase 2.

48
MCQhard

A red team exercise is planned to simulate a sophisticated adversary. The blue team is aware of the exercise but not the exact methods. The red team is given a budget to acquire attack tools. What is the primary advantage of this approach over a traditional penetration test?

A.It ensures that the blue team is not alerted to the test
B.It provides comprehensive vulnerability coverage
C.It evaluates the organization's detection and response capabilities
D.It is more cost-effective than a penetration test
AnswerC

Red team exercises test the blue team's ability to detect and respond to realistic threats.

Why this answer

Option C is correct because a red team exercise with a known-but-not-detailed blue team specifically tests the organization's detection and response capabilities under realistic adversarial conditions. Unlike a traditional penetration test, which focuses on identifying vulnerabilities, this approach evaluates how well the blue team can detect, analyze, and respond to stealthy, multi-stage attacks that mimic a sophisticated adversary. The red team's budget for attack tools allows them to simulate advanced persistent threats (APTs) that challenge the blue team's security operations center (SOC) processes and incident response procedures.

Exam trap

The trap here is that candidates confuse the purpose of a red team exercise (evaluating detection and response) with a penetration test (finding vulnerabilities), leading them to select Option B, which describes the latter's goal rather than the primary advantage of the former.

How to eliminate wrong answers

Option A is wrong because the blue team is explicitly aware of the exercise, so the test is not covert; the advantage is not about avoiding alerts but about evaluating detection under known-threat conditions. Option B is wrong because comprehensive vulnerability coverage is the goal of a traditional penetration test, not a red team exercise, which focuses on simulating adversary behavior rather than enumerating all possible vulnerabilities. Option D is wrong because red team exercises are typically more expensive than penetration tests due to the specialized skills, custom tools, and extended duration required to simulate sophisticated adversaries.

49
MCQmedium

A security analyst is reviewing network logs and sees repeated failed connection attempts from an external IP to the company's SSH server (port 22). The firewall has a rule allowing SSH from anywhere. What is the best immediate action to reduce risk?

A.Remove the firewall rule allowing SSH.
B.Disable SSH access entirely.
C.Change the SSH port to a high-numbered port and restrict source IPs if possible.
D.Block the offending IP address in the firewall.
AnswerC

Changing the port reduces automated scans, and restricting source IPs adds defense.

Why this answer

Option C is correct because changing the SSH port to a non-standard, high-numbered port reduces automated scanning and brute-force attacks by evading default port 22 scans, while restricting source IPs adds a layer of access control. This balances security with operational continuity, as SSH remains available for legitimate administrative use. The immediate risk reduction comes from making the service less discoverable and limiting the attack surface without fully disabling remote access.

Exam trap

The trap here is that candidates often choose Option D (block the offending IP) because it seems like a quick fix, but they fail to recognize that automated attacks rotate IPs constantly, making this a temporary and ineffective solution compared to changing the port and restricting sources.

How to eliminate wrong answers

Option A is wrong because removing the firewall rule entirely would block all SSH traffic, including legitimate administrative access, causing a denial of service and violating the principle of least disruption. Option B is wrong because disabling SSH access entirely is an extreme measure that would prevent all remote administration, which is often operationally necessary and not a proportional response to failed connection attempts. Option D is wrong because blocking only the offending IP address is a reactive, temporary measure that does not address the root cause—automated scanners will simply use a different source IP, and the SSH service remains exposed on the default port.

50
MCQeasy

A development team is adopting a secure SDLC. Which phase should include threat modeling to identify potential security vulnerabilities early?

A.Implementation
B.Design
C.Testing
D.Requirements gathering
AnswerB

Threat modeling is a design-time activity that helps identify and address security threats before implementation.

Why this answer

Threat modeling is a structured activity that identifies potential threats, vulnerabilities, and attack vectors against a system. It is most effective during the Design phase because architectural decisions, data flow diagrams, trust boundaries, and component interactions are being defined, allowing security controls to be built in rather than bolted on later. Performing threat modeling here aligns with the 'shift left' principle of secure SDLC, reducing cost and effort compared to retrofitting security after implementation.

Exam trap

The trap here is that candidates confuse 'Requirements gathering' (where high-level security goals are set) with 'Design' (where concrete architectural decisions enable actionable threat modeling), leading them to pick D instead of B.

How to eliminate wrong answers

Option A is wrong because Implementation focuses on writing code; threat modeling at this stage is too late to influence architecture and would require costly rework to fix design-level flaws. Option C is wrong because Testing occurs after code is built; while security testing can validate threats, it cannot prevent design flaws from being embedded. Option D is wrong because Requirements gathering captures functional and security objectives but lacks the detailed system architecture and data flow context needed for effective threat modeling (e.g., STRIDE or PASTA analysis).

51
MCQeasy

Refer to the exhibit. A user has obtained a Kerberos ticket. What does the presence of two service principals indicate?

A.The KDC is misconfigured
B.The user has authenticated to two different services
C.The user's credentials have been compromised
D.The user has been issued a Ticket-Granting Ticket and a service ticket
AnswerD

krbtgt is the TGT, and HTTP is a service ticket.

Why this answer

In Kerberos, a Ticket-Granting Ticket (TGT) is issued after initial authentication and is used to request service tickets for specific services. The presence of two service principals in a user's Kerberos ticket cache indicates that the user has both a TGT (identified by the krbtgt service principal) and a service ticket (identified by the target service's principal). This is the normal and expected state after a user has authenticated and then requested access to a service.

Exam trap

The trap here is that candidates often confuse the presence of two service principals with authentication to two services, failing to recognize that one of those principals is always the Ticket-Granting Ticket (krbtgt), not a service ticket for an actual application service.

How to eliminate wrong answers

Option A is wrong because a misconfigured KDC would typically result in authentication failures, missing tickets, or incorrect principal names, not the presence of two distinct service principals in a valid ticket cache. Option B is wrong because the presence of two service principals does not indicate authentication to two different services; one of the principals is always the TGT (krbtgt), and the other is a single service ticket. Option C is wrong because compromised credentials would lead to unauthorized ticket issuance or suspicious activity, not the standard coexistence of a TGT and a service ticket.

52
Multi-Selectmedium

Which TWO of the following are principles of the Bell-LaPadula security model?

Select 2 answers
A.Separation of duty
B.No write up
C.No read down
D.No read up
E.No write down
AnswersD, E

Simple security property prevents reading higher classification.

Why this answer

The Bell-LaPadula model enforces mandatory access control (MAC) to protect confidentiality. Option D (No read up) is correct because a subject cannot read an object at a higher classification level, preventing unauthorized access to sensitive information. Option E (No write down) is correct because a subject cannot write to an object at a lower classification level, preventing the downgrading of classified data.

Exam trap

The trap here is that candidates confuse 'no write up' (which Bell-LaPadula allows) with 'no write down' (which it prohibits), or they misapply the Biba model's integrity rules (no read down, no write up) to Bell-LaPadula's confidentiality rules.

53
MCQhard

During a code review, a developer encounters the following code snippet in a Java web application used to authenticate users: String query = "SELECT * FROM users WHERE username = '" + request.getParameter("user") + "' AND password = '" + request.getParameter("pass") + "'"; Which of the following is the MOST effective remediation?

A.Use regular expressions to validate the username and password inputs
B.Encode the input using HTML entity encoding before inclusion in the query
C.Escape single quotes in the input parameters
D.Replace the concatenated query with a prepared statement and bind parameters
AnswerD

Prepared statements ensure user input is treated as data, not executable SQL.

Why this answer

Option D is correct because prepared statements with parameterized queries separate SQL logic from user input, preventing SQL injection entirely. In Java, using PreparedStatement with bind variables (e.g., `ps.setString(1, user)`) ensures the database treats input as data, not executable code, which is the only reliable defense against SQL injection attacks.

Exam trap

The trap here is that candidates often choose input validation (Option A) or escaping (Option C) because they seem like reasonable security measures, but the CISSP exam emphasizes that parameterized queries/prepared statements are the definitive, defense-in-depth solution for SQL injection, not ad-hoc sanitization.

How to eliminate wrong answers

Option A is wrong because regular expressions alone cannot prevent SQL injection; an attacker can craft input that passes validation but still contains malicious SQL syntax (e.g., using alternate encodings or bypassing regex logic). Option B is wrong because HTML entity encoding is designed to prevent XSS, not SQL injection; it does not neutralize SQL metacharacters like single quotes or dashes in a database context. Option C is wrong because escaping single quotes is insufficient; attackers can exploit other SQL injection vectors such as backslash escapes, second-order injection, or using `UNION` statements without quotes, and escaping is error-prone across different database drivers.

54
MCQhard

During a penetration test, a tester discovers that the target web application responds to HTTP requests with a "200 OK" status for both valid and invalid session tokens on a particular API endpoint. The application uses JSON Web Tokens (JWT) for authentication. Which of the following vulnerabilities is MOST likely present?

A.Weak JWT signing algorithm
B.Session fixation
C.Missing authentication
D.Insecure direct object reference
AnswerA

A weak or missing signature verification allows any JWT to be accepted.

Why this answer

The application returns a 200 OK for both valid and invalid session tokens, which indicates that the server is not validating the JWT signature. This behavior is characteristic of a weak JWT signing algorithm vulnerability, such as when the server accepts 'none' as the algorithm or uses a symmetric key that can be easily guessed. An attacker can forge arbitrary tokens by setting the algorithm to 'none' or by using a known weak secret, gaining unauthorized access.

Exam trap

ISC2 often tests the distinction between 'missing authentication' and 'weak authentication'—the trap here is that candidates see '200 OK for invalid tokens' and incorrectly assume no authentication is required, when in fact authentication is present but the signing mechanism is flawed.

How to eliminate wrong answers

Option B is wrong because session fixation involves an attacker setting a user's session ID before login, but here the issue is with JWT token validation, not session ID fixation. Option C is wrong because missing authentication would mean the endpoint requires no token at all, but the application does check for a token (it returns 200 OK for both valid and invalid tokens, implying token presence is checked but signature is not). Option D is wrong because insecure direct object reference (IDOR) is about exposing internal object references without authorization checks, which is unrelated to JWT signature validation.

55
MCQhard

A company's vulnerability management program requires that all critical vulnerabilities be remediated within 30 days. A critical vulnerability is discovered in a legacy system that cannot be patched because the vendor no longer supports it. Which of the following is the best compensating control?

A.Deploy a host-based intrusion detection system (HIDS)
B.Increase logging and monitoring
C.Segment the system from the rest of the network
D.Encrypt all data at rest on the system
AnswerC

Segmentation limits exposure by restricting network access to the vulnerable system.

Why this answer

Network segmentation isolates the legacy system, reducing the attack surface. HIDS only detects, not prevents. Logging and monitoring are detective controls.

Encryption does not prevent exploitation of the vulnerability.

56
MCQeasy

Which of the following is a key requirement for an effective backup strategy to ensure data can be recovered after a ransomware attack?

A.Incremental backups are performed monthly.
B.Backups use the same credentials as the production environment.
C.Backups are stored on the same network as production.
D.Backups are encrypted and stored offline or air-gapped.
AnswerD

Immutable backups that cannot be modified or encrypted by ransomware.

Why this answer

Option B is correct because backups that are encrypted and stored offline or air-gapped are protected from encryption by ransomware. Other options would leave backups vulnerable.

57
MCQhard

Refer to the exhibit. Which of the following is true regarding the wireless clients?

A.There is only one client on the Corporate WLAN.
B.The client with MAC cc:dd:ee:ff:00:11 is using 802.1X authentication.
C.All clients are using WPA2 encryption.
D.The client with MAC 66:77:88:99:aa:bb is using 802.1X authentication.
AnswerD

Correct. That client is on WLAN 2 which uses 802.1X.

Why this answer

Client with MAC 00:11:22:33:44:55 is associated to WLAN 1 (Guest) which uses Open authentication. Client 66:77:88:99:aa:bb is associated to WLAN 2 (Corporate) which uses 802.1X. Client cc:dd:ee:ff:00:11 is associated to WLAN 1.

Therefore, there are two clients on the Guest WLAN and one on the Corporate WLAN.

58
Matchingmedium

Match each security policy to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Defines allowed use of organizational assets

Categorizes data based on sensitivity

Procedures for handling security incidents

Rules for password creation and management

Why these pairings

Policies guide organizational security behavior.

59
MCQmedium

A company is deploying a containerized application using Kubernetes. Which practice BEST ensures the security of the container images?

A.Scan images for vulnerabilities and use minimal base images
B.Restrict containers from running as root
C.Use the latest version of the base image without scanning
D.Enable container escape protection
AnswerA

Vulnerability scanning and minimal images reduce risk.

Why this answer

Scanning container images for known vulnerabilities (e.g., using Trivy, Clair, or Snyk) and using minimal base images (e.g., Alpine or distroless) directly reduces the attack surface and eliminates unnecessary packages that may contain exploitable flaws. This practice is foundational to secure software supply chain management and aligns with the principle of least functionality in containerized environments.

Exam trap

The trap here is that candidates often confuse runtime security controls (like root restrictions or escape protection) with image-level security, mistakenly thinking they ensure the image itself is free of vulnerabilities, when in fact they only mitigate exploitation after deployment.

How to eliminate wrong answers

Option B is wrong because restricting containers from running as root is a runtime security control (e.g., using `securityContext.runAsNonRoot: true`), not a practice that ensures the security of the container images themselves; it addresses privilege escalation at runtime, not image composition. Option C is wrong because using the latest version of a base image without scanning introduces unknown vulnerabilities and violates the secure development lifecycle; latest tags can be stale or contain unpatched CVEs, and scanning is essential to verify integrity. Option D is wrong because container escape protection (e.g., using seccomp, AppArmor, or gVisor) is a runtime isolation mechanism that prevents a compromised container from breaking out to the host, but it does not address vulnerabilities embedded within the image layers.

60
MCQeasy

A business continuity coordinator is planning a test of the disaster recovery plan. Which type of test involves a walk-through of the plan with key stakeholders without actually invoking the technical recovery?

A.Tabletop exercise
B.Full interruption test
C.Checklist review
D.Parallel test
AnswerA

Tabletop exercises are verbal walk-throughs without technical execution.

Why this answer

A tabletop exercise is a discussion-based session where team members review their roles and actions in a simulated scenario.

61
MCQhard

A company's compliance officer wants to ensure that the organization's security controls meet regulatory requirements for data protection. The officer requests a review of the controls against the regulation's specific clauses. Which type of assessment is most appropriate?

A.Risk assessment
B.Vulnerability assessment
C.Penetration test
D.Compliance audit
AnswerD

Structured review against regulatory clauses.

Why this answer

A compliance audit is the correct assessment type because it systematically evaluates security controls against specific regulatory clauses (e.g., GDPR Article 32, HIPAA Security Rule §164.312). Unlike risk or vulnerability assessments, a compliance audit maps controls directly to legal requirements to verify adherence, often using checklists and evidence collection.

Exam trap

The trap here is confusing a compliance audit with a risk assessment, as both involve reviewing controls, but only the audit measures adherence to specific regulatory clauses rather than prioritizing risks.

How to eliminate wrong answers

Option A is wrong because a risk assessment identifies and prioritizes threats and vulnerabilities based on likelihood and impact, but does not map controls to specific regulatory clauses. Option B is wrong because a vulnerability assessment scans for technical weaknesses (e.g., missing patches, misconfigurations) without evaluating compliance with legal or regulatory text. Option C is wrong because a penetration test simulates attacks to exploit vulnerabilities, focusing on security posture rather than verifying control alignment with regulation clauses.

62
MCQhard

Refer to the exhibit. A security engineer reviews this S3 bucket policy. The Developer role is used by a CI/CD pipeline that uploads build artifacts. What security weakness exists in this policy?

A.The GetObject action does not have a condition, allowing read access to anyone.
B.The principal specifies a role ARN, but it should be a user ARN for granularity.
C.The Developer role has both write and read permissions, enabling data exfiltration if compromised.
D.The condition on PutObject is too restrictive and may cause upload failures.
AnswerC

A pipeline only needs write access; read access allows an attacker to read all objects in the bucket.

Why this answer

Option C is correct because the policy allows the Developer role to both write (PutObject) and read (GetObject) objects. If the pipeline is compromised, an attacker can exfiltrate sensitive data. Option A is wrong because the condition on PutObject is a good practice to ensure the bucket owner retains control.

Option B is wrong because the condition does enforce a requirement, but it's a security feature, not weakness. Option D is wrong because the principal specifies the role ARN exactly.

63
Multi-Selectmedium

Which two methods provide strong encryption and authentication for wireless networks? (Choose TWO.)

Select 2 answers
A.WEP
B.WPA2-PSK
C.WPA2-Enterprise
D.MAC filtering
E.WPA3
AnswersC, E

Uses 802.1X with RADIUS for strong authentication.

Why this answer

WPA2-Enterprise (C) is correct because it uses IEEE 802.1X authentication with a RADIUS server, providing mutual authentication and per-session dynamic encryption keys via the 4-way handshake using AES-CCMP. WPA3 (E) is correct because it introduces Simultaneous Authentication of Equals (SAE) to replace the pre-shared key (PSK) handshake, offering forward secrecy and stronger encryption with GCMP-256, and also supports 802.1X for enterprise deployments.

Exam trap

The trap here is that candidates often confuse WPA2-PSK with WPA2-Enterprise, assuming both provide strong authentication, but the exam tests the distinction that PSK lacks per-user authentication and is vulnerable to dictionary attacks, while Enterprise uses RADIUS for robust identity verification.

64
MCQhard

A financial institution is implementing a zero-trust network architecture (ZTNA) using micro-segmentation. They have a legacy accounting application that runs on a Windows Server and communicates with multiple client workstations using both TCP and UDP dynamic ports (49152-65535) for various features. After deploying strict host-based firewall rules that only allow specific ports, users report that the application frequently loses connection and fails to authenticate. The security team verified that the application's required ports are allowed, but the dynamic port negotiation fails because the application uses a proprietary protocol that includes ephemeral ports outside the allowed range. The application vendor is no longer supporting it. The organization cannot replace the application immediately. What is the MOST effective short-term solution?

A.Configure NAT traversal to translate the dynamic ports to static ones.
B.Create a firewall rule allowing all traffic from the application server to the client subnets.
C.Disable the host-based firewall on the application server to eliminate connectivity issues.
D.Deploy a reverse proxy in front of the application that performs deep packet inspection to negotiate and manage dynamic port allocations.
AnswerD

The proxy can understand the proprietary protocol and adjust firewall rules dynamically or relay traffic securely, maintaining segmentation.

Why this answer

Option D is correct because deploying a reverse proxy with deep packet inspection (DPI) can intercept the proprietary protocol's dynamic port negotiation, map the ephemeral ports (49152-65535) to static, predictable ports, and manage the connections transparently. This allows the legacy application to function without modifying its code or the host firewall rules, providing an immediate workaround while maintaining zero-trust micro-segmentation principles.

Exam trap

The trap here is that candidates may assume disabling the firewall (Option C) or opening broad rules (Option B) is acceptable for legacy compatibility, but the CISSP exam emphasizes that security controls must be preserved even during workarounds, and a reverse proxy with DPI is the correct architectural solution to handle dynamic port protocols.

How to eliminate wrong answers

Option A is wrong because NAT traversal (e.g., STUN, TURN, or UPnP) is designed for peer-to-peer communication across NAT devices, not for translating dynamic ports to static ones within a host firewall; it would not resolve the proprietary protocol's ephemeral port negotiation failure. Option B is wrong because allowing all traffic from the application server to client subnets violates the zero-trust principle of least privilege and would expose the network to unnecessary risk, effectively bypassing micro-segmentation. Option C is wrong because disabling the host-based firewall eliminates the security control entirely, leaving the server vulnerable to attacks and contradicting the zero-trust architecture's requirement for strict per-host enforcement.

65
MCQmedium

Based on the log entry from an authentication server, which immediate action should the security team take to reduce risk?

A.Block the source IP 10.0.0.5 in the firewall.
B.Change the SSH port to a non-standard port.
C.Disable root login via SSH.
D.Increase the logging verbosity for SSH.
AnswerC

Eliminates possibility of direct root brute force.

Why this answer

The log entry shows repeated failed SSH authentication attempts as root from an internal IP (10.0.0.5). Disabling root login via SSH (Option C) directly eliminates the ability to authenticate as the root user over SSH, which is a fundamental security best practice per CISSP and industry standards (e.g., CIS benchmarks). This reduces the risk of brute-force attacks targeting the root account, as an attacker would need to guess both a valid username and password instead of targeting a known privileged account.

Exam trap

ISC2 often tests the distinction between reactive controls (blocking an IP) and preventive controls (disabling root login), leading candidates to choose the immediate but less effective action of blocking the source IP instead of addressing the systemic vulnerability.

How to eliminate wrong answers

Option A is wrong because blocking the source IP 10.0.0.5 in the firewall is a reactive, temporary measure that does not address the root cause; the attacker could easily spoof or change IPs, and the internal IP may belong to a legitimate compromised host that needs remediation, not permanent blocking. Option B is wrong because changing the SSH port to a non-standard port is security by obscurity and does not prevent brute-force attacks; attackers routinely scan all ports, and the root login vulnerability remains exploitable. Option D is wrong because increasing logging verbosity for SSH only improves visibility and forensic capability but does not reduce the immediate risk of unauthorized root access; it is a detective control, not a preventive one.

66
Multi-Selecteasy

Which TWO of the following are secure coding practices to prevent buffer overflow vulnerabilities?

Select 2 answers
A.Code obfuscation.
B.Input validation.
C.Dynamic memory allocation without bounds.
D.Use of unsafe functions like strcpy.
E.Use of compilers with stack protection.
AnswersB, E

Validating input length prevents overflow.

Why this answer

Input validation ensures data fits within buffers; stack protection (e.g., canaries) detects overflow. Unsafe functions like strcpy are a cause, not prevention. Dynamic memory allocation without bounds still risks overflow.

Code obfuscation does not prevent overflow.

67
MCQeasy

Which of the following is a best practice for managing privileged user accounts?

A.All users should be granted admin rights by default.
B.Use separate administrative accounts for non-privileged tasks.
C.Passwords for privileged accounts should never be changed.
D.Shared generic accounts should be used to avoid multiple credentials.
AnswerB

Ensures admin accounts are only used for privileged actions.

Why this answer

Option B is correct because the principle of least privilege dictates that administrative accounts should only be used for privileged tasks, not for routine activities like email or web browsing. Using separate, non-privileged accounts for daily work reduces the risk of credential theft and limits the attack surface if a user's session is compromised. This practice is a core component of privileged access management (PAM) and aligns with NIST SP 800-53 AC-6.

Exam trap

The trap here is that candidates often confuse 'using separate accounts' with 'using separate passwords' or think that shared accounts are acceptable for convenience, but the CISSP exam emphasizes individual accountability and the principle of least privilege as non-negotiable security controls.

How to eliminate wrong answers

Option A is wrong because granting all users admin rights by default violates the principle of least privilege and dramatically increases the risk of malware installation, unauthorized system changes, and lateral movement by attackers. Option C is wrong because passwords for privileged accounts must be changed regularly (or rotated after each use via a PAM solution) to mitigate the risk of credential compromise and limit the window of exposure; never changing them is a direct violation of account management best practices. Option D is wrong because shared generic accounts eliminate individual accountability, make auditing impossible, and violate the requirement for non-repudiation; each administrator should have a unique, named privileged account to enable precise logging and forensic analysis.

68
MCQeasy

A company wants to secure its wireless network. Which approach provides the strongest authentication and encryption?

A.WEP
B.Disabling SSID broadcast
C.WPA2-Enterprise with RADIUS
D.WPA2-PSK with a strong passphrase
AnswerC

Provides per-user authentication and strong encryption.

Why this answer

WPA2-Enterprise with RADIUS provides the strongest authentication and encryption for wireless networks because it uses 802.1X/EAP for per-user authentication against a central RADIUS server, and AES-CCMP for encryption. This eliminates the shared passphrase vulnerability of PSK modes and supports dynamic, unique encryption keys per session, making it resistant to offline dictionary attacks and key reuse.

Exam trap

The trap here is that candidates often choose WPA2-PSK with a strong passphrase (Option D) because they think a long, complex passphrase is sufficient, but they overlook that PSK still lacks per-user authentication and is vulnerable to offline brute-force attacks once the 4-way handshake is captured.

How to eliminate wrong answers

Option A is wrong because WEP uses the flawed RC4 stream cipher with a static 40- or 104-bit key and weak IVs, making it trivially crackable in minutes with tools like aircrack-ng. Option B is wrong because disabling SSID broadcast is a security-by-obscurity measure that does not provide authentication or encryption; the SSID is still leaked in probe requests and management frames, and an attacker can easily discover it. Option D is wrong because WPA2-PSK relies on a single pre-shared key (PMK) derived from the passphrase, which is vulnerable to offline dictionary attacks if the passphrase is weak, and all users share the same key, preventing individual accountability and revocation.

69
MCQmedium

A security analyst runs a vulnerability scan against a web application and receives a report listing several critical vulnerabilities. However, the development team argues that many of these findings are false positives. Which of the following is the BEST next step for the analyst?

A.Re-scan the application with the same settings to confirm the results.
B.Manually verify a sample of the findings to confirm true vs. false positives.
C.Escalate all critical findings to management immediately.
D.Retune the vulnerability scanner to reduce false positives and re-scan.
AnswerB

Manual verification helps identify false positives and prioritize real vulnerabilities.

Why this answer

Option B is correct because manual verification is the definitive method to distinguish true positives from false positives in vulnerability scanning. Automated scanners can produce false positives due to factors like incomplete service fingerprinting or reliance on banner grabbing, which may not reflect actual exploitability. The analyst must validate a representative sample of findings against the actual application behavior and configuration before taking further action.

Exam trap

The trap here is that candidates often choose Option D (retune the scanner) because they assume tuning reduces false positives, but the CISSP emphasizes that validation through manual testing must precede any scanner configuration changes to avoid missing real vulnerabilities.

How to eliminate wrong answers

Option A is wrong because re-scanning with the same settings will produce identical results, as the scanner will repeat the same checks and generate the same false positives without addressing the root cause. Option C is wrong because escalating all critical findings without verification wastes management's time and resources on potentially non-existent threats, undermining the credibility of the security team. Option D is wrong because retuning the scanner without first understanding which findings are false positives may inadvertently suppress true vulnerabilities or fail to eliminate the specific false positives reported.

70
MCQmedium

Refer to the exhibit. A security analyst finds the above in a configuration file stored in a public GitHub repository. What is the most immediate risk?

A.Man-in-the-middle attacks
B.Loss of confidentiality
C.Unauthorized authentication
D.Integrity violation
AnswerC

The private key allows anyone to impersonate the legitimate owner.

Why this answer

The private key can be used to authenticate as the key owner, enabling unauthorized access to systems or data. Man-in-the-middle attacks are a risk if keys are compromised but less immediate. Loss of confidentiality is a broad category.

Integrity violation is not the primary concern.

71
Multi-Selecthard

Which THREE of the following are essential components of an effective incident response plan according to NIST SP 800-61?

Select 3 answers
A.Preparation
B.Notification
C.Detection and Analysis
D.Vulnerability scanning
E.Containment, Eradication, and Recovery
AnswersA, C, E

Foundational phase.

Why this answer

Option A is correct because NIST SP 800-61 defines the incident response lifecycle as having four phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Preparation is the foundational phase that establishes the incident response capability, including creating policies, forming a team, and acquiring necessary tools before any incident occurs.

Exam trap

The trap here is that candidates often confuse Notification as a formal phase because it appears in many incident response frameworks (e.g., SANS PICERL), but NIST SP 800-61 does not list it as a core phase; instead, it is a task within other phases.

72
MCQmedium

An organization is implementing a hardware security module (HSM) to manage cryptographic keys. The security architect requires that keys be backed up securely and that the backup process ensures the same level of protection as the primary key storage. Which backup method best meets this requirement?

A.Export the key in plaintext and store it in a safe
B.Replicate the HSM configuration to another HSM in a different location
C.Use the HSM's key-wrapping function to encrypt the key and store the wrapped key in a secure offsite facility
D.Store an encrypted copy on a local server in the same data center
AnswerC

Key wrapping maintains the same cryptographic boundary and offsite storage provides redundancy.

Why this answer

Option C is correct because key-wrapping (also known as key encryption) uses a dedicated wrapping key within the HSM to encrypt the target key, ensuring the key never leaves the HSM in plaintext. The wrapped key can be safely stored offsite and later unwrapped only by an authorized HSM, preserving the same cryptographic protection as the primary storage. This method aligns with NIST SP 800-57 guidelines for secure key backup and escrow.

Exam trap

The trap here is that candidates may assume replication (Option B) is secure because it uses another HSM, but they overlook that replication often transmits keys in the clear or with weaker protection, failing to meet the 'same level of protection' requirement.

How to eliminate wrong answers

Option A is wrong because exporting a key in plaintext violates the fundamental security principle that cryptographic keys should never exist outside the HSM in an unencrypted form, even if stored in a safe. Option B is wrong because replicating the HSM configuration to another HSM typically duplicates the key material in plaintext across devices, which does not provide the same level of protection as the primary HSM's tamper-resistant storage and may expose keys during transmission. Option D is wrong because storing an encrypted copy on a local server in the same data center does not ensure offsite redundancy and the encryption key used for that copy is often stored on the same server, creating a single point of failure and defeating the purpose of secure backup.

73
MCQeasy

A financial institution is conducting a vulnerability assessment of its internal network. The assessor runs a comprehensive scan and discovers that several Windows servers have missing security patches. The organization has a patch management policy that requires all critical patches to be applied within 30 days. The scan results show that some patches have been pending for 45 days. The assessor also finds that the servers are isolated in a separate VLAN with strict firewall rules limiting inbound traffic to only necessary ports. The business owner argues that because the servers are isolated, the risk is low and the patches can be delayed. As the security assessor, what should be the BEST course of action?

A.Recommend additional compensating controls such as intrusion prevention.
B.Accept the risk and close the finding.
C.Escalate the finding to the risk management team for formal risk acceptance.
D.Immediately apply the patches without further approval.
AnswerC

Formal risk acceptance ensures the decision is documented and approved by appropriate stakeholders.

Why this answer

Option B is correct because the finding should be formally documented and accepted by the risk management team to ensure accountability and alignment with the organization's risk appetite. Option A is wrong because simply accepting risk without formal documentation is not proper risk management. Option C is wrong because patches should not be applied without proper change management due to potential operational impact.

Option D is wrong because while compensating controls may be considered, the best first step is to escalate for formal risk acceptance.

74
Multi-Selectmedium

Which TWO of the following are examples of detective controls?

Select 2 answers
A.Access control list
B.CCTV surveillance
C.Firewall
D.Security awareness training
E.Intrusion detection system (IDS)
AnswersB, E

Detects physical security breaches.

Why this answer

CCTV surveillance is a detective control because it records events for later review, enabling the detection of unauthorized activities after they occur. It does not prevent or deter access in real-time, but instead provides evidence for incident investigation and forensic analysis. This aligns with the detective control category in security operations, which focuses on identifying and logging violations post-facto.

Exam trap

The trap here is confusing preventive controls (like ACLs and firewalls) with detective controls, as candidates often misclassify any technology that 'monitors' as detective, but ACLs and firewalls are inherently preventive because they block or allow access in real-time, not after the fact.

75
Multi-Selectmedium

Which THREE of the following are best practices for securing a data center's physical access?

Select 3 answers
A.Implement multi-factor authentication at entry points
B.Install a mantrap at the main entrance
C.Use only biometric readers for all doors
D.Allow visitors to access the lobby without an escort
E.Use CCTV with retention policies for monitoring
AnswersA, B, E

Combining something you know, have, or are increases security.

Why this answer

Multi-factor authentication (MFA) at entry points combines two or more independent credentials (e.g., smart card and PIN, or biometric and token) to verify identity. This significantly reduces the risk of unauthorized access because compromising a single factor (e.g., a lost card) is insufficient to gain entry. MFA aligns with the defense-in-depth principle and is a core physical security control for sensitive areas.

Exam trap

The trap here is that candidates might think biometric-only access (Option C) is inherently more secure, but CISSP emphasizes layered security and the need for multi-factor authentication to avoid single-factor vulnerabilities.

Page 1 of 8

Page 2

All pages