Certified Information Systems Security Professional CISSP (CISSP) — Questions 676750

990 questions total · 14pages · All types, answers revealed

Page 9

Page 10 of 14

Page 11
676
Multi-Selectmedium

A security team is planning to conduct a social engineering test as part of an organization's security assessment. Which THREE of the following should be included in the test plan to ensure ethical and legal compliance?

Select 3 answers
A.Obtain explicit written consent from management
B.Use real personal information of targets
C.Have a stop word or abort mechanism
D.Define clear scope and boundaries
E.Include all employees without exceptions
AnswersA, C, D

Written consent provides legal authorization and clarifies expectations.

Why this answer

Option A is correct because explicit written consent from management is a foundational ethical and legal requirement for social engineering tests. Without documented authorization, the test could be construed as unauthorized access or harassment, violating laws such as the Computer Fraud and Abuse Act (CFAA) or GDPR. This consent ensures the test is conducted under the organization's official risk management framework and provides legal protection for the testers.

Exam trap

The trap here is that candidates may think 'obtain consent' is optional if the test is internal, or they may confuse 'informed consent' with 'blanket approval' and fail to recognize that explicit written consent from management is mandatory to avoid legal and ethical violations.

677
MCQmedium

Refer to the exhibit. What type of attack is indicated by the logs?

A.Malware infection
B.Privilege escalation
C.Denial of service
D.Brute force attack on root
AnswerD

Multiple failed root logins from same IP.

Why this answer

The logs show repeated SSH authentication attempts with the username 'root' from the same source IP, incrementing the failed password count until success is recorded. This pattern of sequential login attempts against a single privileged account is the hallmark of a brute force attack targeting the root user.

Exam trap

The trap here is that candidates may confuse a brute force attack with a denial of service because repeated failed logins can appear to 'overwhelm' the authentication system, but the key differentiator is the intent and pattern—guessing credentials versus exhausting resources.

How to eliminate wrong answers

Option A is wrong because malware infection would typically show indicators like file downloads, unusual process execution, or outbound connections to command-and-control servers, not repeated authentication attempts. Option B is wrong because privilege escalation involves an authenticated user gaining higher privileges than authorized, whereas these logs show failed logins before any successful authentication occurs. Option C is wrong because a denial of service attack would aim to overwhelm the service or system, not systematically attempt to guess credentials; the logs show normal SSH session establishment and teardown, not resource exhaustion.

678
MCQmedium

What is the primary purpose of a Change Advisory Board (CAB) in change management?

A.To conduct vulnerability assessments
B.To approve and oversee changes to IT systems
C.To implement changes in the IT environment
D.To respond to security incidents
AnswerB

The CAB evaluates change requests and authorizes them.

Why this answer

The CAB reviews and approves changes to ensure they are properly assessed and minimize risk.

679
MCQmedium

A security engineer is troubleshooting an issue where users are unable to access a web application after being authenticated via OAuth 2.0. The users receive a 403 Forbidden error. The application logs show that the access token is valid but does not contain the required scope. What is the most likely cause?

A.The resource server is configured to expect a different token type.
B.The client application is not using HTTPS to transmit the token.
C.The access token expired before being presented to the resource server.
D.The authorization server did not grant the requested scope due to user consent settings.
AnswerD

The token lacks the required scope, so the resource server denies access.

Why this answer

The 403 Forbidden error indicates the resource server received a valid access token but denied access because the token lacks the necessary scope. In OAuth 2.0, the authorization server issues tokens based on the scope granted by the user during consent. If the user did not consent to the required scope (e.g., 'write' instead of 'read'), the token will not include it, causing the resource server to reject the request despite the token being valid.

Exam trap

The trap here is confusing token validity (which is about signature, expiration, and issuer) with token authorization (which is about scope); candidates often assume a valid token guarantees access, but OAuth 2.0 separates authentication from authorization, and scope is the key authorization attribute.

How to eliminate wrong answers

Option A is wrong because the resource server validates the token type (e.g., Bearer) via the token's 'typ' header or introspection endpoint; a mismatch would cause a different error (e.g., 401 Unauthorized), not a scope-related 403. Option B is wrong because HTTPS is a transport-layer security requirement; transmitting the token over HTTP could lead to interception but does not affect the token's scope content, and the error is specifically about missing scope, not token theft. Option C is wrong because an expired token would result in a 401 Unauthorized error (or a token refresh request), not a 403 Forbidden; the logs explicitly state the token is valid, ruling out expiration.

680
Multi-Selectmedium

A multinational corporation is implementing a data classification policy for commercial data. Which TWO labels are commonly used in commercial classification schemes? (Select TWO.)

Select 2 answers
A.Public
B.Secret
C.Unclassified
D.Private
E.Top Secret
AnswersA, D

Correct. Public is a commercial label for data that can be freely distributed.

Why this answer

Commercial classification often includes 'Public' for non-sensitive data and 'Private' for internal data. 'Top Secret' and 'Unclassified' are government labels.

681
Drag & Dropmedium

Drag and drop the steps for implementing a digital signature using asymmetric cryptography in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Digital signatures involve hashing the message, encrypting the hash with the private key, attaching, then verifying with the public key.

682
MCQhard

An organization uses Active Directory and needs to enforce password complexity settings for all users in a specific department. What is the most efficient way to achieve this?

A.Configure password settings in the user's individual properties
B.Use a script to set passwords for each user
C.Apply a Group Policy Object (GPO) to the OU containing the department's users
D.Create a password policy in the Default Domain Policy
AnswerC

GPOs linked to OUs allow targeted policy application.

Why this answer

Group Policy Objects (GPOs) can be linked to an Organizational Unit (OU) containing the department's user accounts to enforce password settings.

683
Multi-Selecthard

Which THREE of the following are valid countermeasures to prevent SQL injection vulnerabilities? (Select exactly 3.)

Select 3 answers
A.Using parameterized queries or prepared statements
B.Implementing strict input validation on user-supplied data
C.Encoding output to the user
D.Hashing the input before insertion into the database
E.Using stored procedures with explicit parameter definitions
AnswersA, B, E

Parameterized queries prevent malicious input from altering SQL structure.

Why this answer

Parameterized queries (also known as prepared statements) separate SQL logic from data by using placeholders (e.g., '?' in ODBC or ':param' in Oracle). The database engine treats the placeholder as a literal value, never as executable code, which inherently prevents an attacker from injecting malicious SQL syntax even if the input contains single quotes or semicolons.

Exam trap

The trap here is that candidates often confuse input validation (option B) as a primary SQL injection defense, but while it is a useful defense-in-depth layer, it is not a guaranteed countermeasure because blacklists can be bypassed and whitelists may not cover all edge cases; the CISSP exam expects parameterized queries or stored procedures with explicit parameters as the definitive technical control.

684
MCQmedium

A security architect is designing a system that must prevent conflicts of interest when a consultant works for two competing clients. Which security model ensures that the consultant cannot access data from one client if they have already accessed data from the other?

A.Clark-Wilson
B.Biba
C.Brewer-Nash
D.Bell-LaPadula
AnswerC

Correct. Brewer-Nash enforces Chinese Wall to prevent conflicts of interest.

Why this answer

Brewer-Nash (Chinese Wall) model prevents conflict of interest by dynamically adjusting access based on previously accessed datasets.

685
MCQmedium

During a threat modeling session for a new online banking application, the team uses the STRIDE methodology. Which threat category addresses the risk of an attacker modifying transaction data in transit?

A.Information Disclosure
B.Tampering
C.Elevation of Privilege
D.Spoofing
AnswerB

Tampering involves unauthorized alteration of data.

Why this answer

Tampering refers to the malicious modification of data. STRIDE's 'T' stands for Tampering.

686
MCQmedium

An organization's security operations center (SOC) uses a SIEM to correlate logs. The SOC manager wants to automate response actions for low-severity alerts. Which technology would best support this goal?

A.Network firewall
B.Threat intelligence platform
C.SOAR platform
D.Vulnerability scanner
AnswerC

SOAR automates response actions based on playbooks.

Why this answer

SOAR (Security Orchestration, Automation and Response) enables automated playbooks for incident response.

687
Multi-Selectmedium

Which TWO are common techniques to defend against VLAN hopping attacks? (Choose two.)

Select 2 answers
A.Disable DTP
B.Enable BPDU Guard
C.Use Private VLANs
D.Enable Port Security
E.Set access ports as static VLAN
AnswersA, E

DTP can be exploited to negotiate a trunk, enabling hopping.

Why this answer

Disabling Dynamic Trunking Protocol (DTP) on all switch ports prevents interfaces from automatically negotiating trunk links, which is the primary vector for VLAN hopping attacks. By setting ports to 'switchport mode access' and disabling DTP with 'switchport nonegotiate', an attacker cannot trick the switch into forming a trunk and gain access to traffic from multiple VLANs.

Exam trap

ISC2 often tests the distinction between DTP-related defenses (disabling DTP, setting static access) and other Layer 2 security features like BPDU Guard or Port Security, leading candidates to confuse STP or MAC-based protections with VLAN hopping countermeasures.

688
MCQhard

Refer to the exhibit. A security administrator is reviewing CloudTrail logs for unusual activity. Which aspect of this event is potentially concerning from a key management perspective?

A.The event is read-only and thus not a security concern.
B.The message type is DIGEST, which is unusual for signing.
C.The user agent indicates the request came from AWS Signer using a customer-managed key, which may violate key usage policies.
D.The signing algorithm used is outdated.
AnswerC

AWS Signer typically uses AWS managed keys; using a CMK could be unauthorized.

Why this answer

The event shows a KMS Sign operation using a CMK. The user agent is 'signer.amazonaws.com', which is the AWS Signer service. AWS Signer typically uses its own managed keys.

The use of a customer-managed key (CMK) by Signer could indicate that the key is being used outside of its intended purpose or policy, potentially violating key usage restrictions. Also, the source IP is from outside AWS (public IP) which might be unusual if the key is restricted to VPC endpoints.

689
Multi-Selectmedium

Which TWO of the following are secure coding practices to prevent buffer overflow vulnerabilities? (Select TWO.)

Select 2 answers
A.Perform bounds checking on array indices and pointers
B.Use dynamic memory allocation for all buffers
C.Enable Address Space Layout Randomization (ASLR)
D.Use bounded string functions (e.g., strncpy instead of strcpy)
E.Deallocate memory after use
AnswersA, D

Bounds checking ensures memory accesses are within allocated space.

Why this answer

Bounds checking ensures that array indices and pointers do not reference memory outside the allocated buffer, directly preventing the overwrite of adjacent memory that leads to buffer overflows. This is a fundamental defensive coding practice that validates all input and index values before use.

Exam trap

The trap here is that candidates confuse system-level mitigations (like ASLR) or memory management practices (like deallocation) with actual secure coding practices that prevent the vulnerability from being written into the code.

690
MCQhard

During a penetration test, the tester successfully performs a VLAN hopping attack by sending packets with a specific tag. Which mitigation technique is most effective at preventing double-tagging VLAN hopping?

A.Use VLAN access control lists (VACLs) only
B.Implement port security with sticky MAC
C.Disable the native VLAN and explicitly tag all VLANs
D.Enable Dynamic Trunking Protocol (DTP) on all ports
AnswerC

By not using a native VLAN (i.e., tagging all traffic including the default), double-tagging attacks fail because the switch strips the outer tag and expects no tag for native VLAN.

Why this answer

Option C is correct because double-tagging VLAN hopping exploits the native VLAN (typically VLAN 1) on a trunk link. By disabling the native VLAN and explicitly tagging all VLANs, including the native VLAN, the switch will not forward untagged frames or frames with a single 802.1Q tag that can be misinterpreted by the next switch, thus preventing the attacker from injecting frames into a different VLAN.

Exam trap

The trap here is that candidates often confuse VLAN hopping with MAC flooding or ARP spoofing, or they assume that VACLs or port security can stop Layer 2 tagging attacks, when in fact the root cause is the untagged native VLAN behavior on trunk ports.

How to eliminate wrong answers

Option A is wrong because VLAN access control lists (VACLs) filter traffic based on Layer 3/4 criteria within a VLAN but do not prevent the underlying frame-tagging manipulation used in double-tagging attacks. Option B is wrong because port security with sticky MAC addresses limits the number of MAC addresses on an access port and prevents MAC flooding, but it has no effect on 802.1Q tag manipulation across trunk links. Option D is wrong because enabling Dynamic Trunking Protocol (DTP) on all ports actually increases the attack surface by allowing an attacker to negotiate a trunk link, which is a prerequisite for launching a VLAN hopping attack; DTP should be disabled on all ports that are not intended to trunk.

691
Multi-Selecteasy

A security analyst is evaluating secure email protocols. Which TWO of the following provide both encryption and digital signing of email messages?

Select 2 answers
A.S/MIME
B.SSL/TLS
C.PGP/GPG
D.SSH
E.IPsec
AnswersA, C

S/MIME uses certificates to encrypt and sign emails.

Why this answer

S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and digital signing of MIME data. It uses X.509 certificates for key exchange and provides both confidentiality (encryption) and non-repudiation (digital signing) for email messages, making it a correct choice.

Exam trap

The trap here is confusing transport-layer security (SSL/TLS) with end-to-end message security; candidates often select SSL/TLS because it encrypts email in transit, but it does not provide digital signing or protect the message after delivery.

692
MCQmedium

An organization's risk assessment identified a vulnerability in a legacy system that cannot be patched because the vendor no longer supports it. The system processes sensitive customer data and is critical for daily operations. The risk is rated as high likelihood and high impact. The organization has a moderate risk appetite. Which risk treatment is most appropriate?

A.Transfer the risk through cyber insurance
B.Avoid the risk by decommissioning the system
C.Accept the risk
D.Mitigate by implementing compensating controls
AnswerD

Compensating controls reduce risk to an acceptable level while allowing business operations to continue.

Why this answer

Since the system cannot be replaced immediately, implementing compensating controls (e.g., network segmentation, strict access controls, monitoring) reduces the risk to an acceptable level. Accepting a high risk is not advisable when it exceeds appetite. Cyber insurance does not protect against data breach consequences adequately.

Decommissioning would disrupt critical operations.

693
MCQmedium

An organization implements Single Sign-On (SSO) using SAML 2.0. A user attempts to access a cloud application (Service Provider) but is not authenticated. The Service Provider redirects the user to the Identity Provider (IdP) for authentication. Which type of SAML flow is this?

A.AuthN-initiated SSO
B.SP-initiated SSO
C.Assertion-initiated SSO
D.IdP-initiated SSO
AnswerB

The SP redirects the user to the IdP.

Why this answer

In SP-initiated SSO, the user first tries to access the SP, which then redirects to the IdP.

694
MCQhard

After a penetration test, the tester provides a report that includes vulnerabilities found, exploitation details, and recommended fixes. Which step of the penetration testing process does this represent?

A.Reporting
B.Post-exploitation
C.Planning and scoping
D.Reconnaissance
AnswerA

Reporting is the final phase, presenting findings and recommendations.

Why this answer

The reporting phase is the final step in the penetration testing process, where the tester documents all findings, including vulnerabilities discovered, exploitation details, and recommended remediation steps. This report is delivered to the client to provide a clear understanding of the security posture and actionable fixes. Without this step, the test results would have no value for improving security.

Exam trap

The trap here is that candidates may confuse 'post-exploitation' with the final reporting step, because post-exploitation involves documenting actions taken after access, but the formal report is a separate, distinct phase that synthesizes all findings from the entire test.

How to eliminate wrong answers

Option B (Post-exploitation) is wrong because post-exploitation occurs after gaining access and involves activities like maintaining persistence, escalating privileges, or exfiltrating data, not compiling and delivering the final report. Option C (Planning and scoping) is wrong because this initial phase defines the test's boundaries, rules of engagement, and objectives, not the documentation of results. Option D (Reconnaissance) is wrong because reconnaissance is the information-gathering phase (e.g., using tools like Nmap or Shodan) to identify targets, not the reporting of exploitation outcomes.

695
Multi-Selectmedium

Which TWO of the following are key principles for designing an effective Security Operations Center (SOC)?

Select 2 answers
A.Applying least privilege to all user accounts
B.Ensuring separation of duties among analysts
C.Using defense-in-depth strategies across layers
D.Automating routine investigation tasks
E.Implementing centralized logging for all devices
AnswersB, C

Separation of duties prevents conflict of interest and reduces collusion risk.

Why this answer

Option B (Separation of duties) and Option D (Defense in depth) are correct because they reduce risk of single points of failure and provide layered security. Option A (Centralized logging) is important but not a principle per se; Option C (Least privilege) is a separate concept; Option E (Automation) is a tactic, not a core principle.

696
MCQhard

A company is merging with another and must integrate security policies. What is the first step?

A.Conduct a gap analysis
B.Train all employees
C.Create a new policy
D.Adopt the stricter policy
AnswerA

Essential first step to understand current state.

Why this answer

The first step in integrating security policies during a merger is to conduct a gap analysis. This systematically compares the existing policies, controls, and compliance requirements of both organizations against each other and against relevant standards (e.g., ISO 27001, NIST SP 800-53). Without understanding the current state and discrepancies, any subsequent policy creation, training, or adoption of a stricter policy would be uninformed and likely ineffective.

Exam trap

The trap here is that candidates often assume the immediate goal is to enforce the highest security level (Option D), but CISSP emphasizes that effective security management requires a structured, risk-based approach starting with assessment, not unilateral adoption.

How to eliminate wrong answers

Option B is wrong because training all employees is an implementation step that should occur only after the new integrated policy is defined and approved; premature training risks confusion and rework. Option C is wrong because creating a new policy without first understanding the existing policies and gaps could result in a policy that conflicts with legal, regulatory, or operational requirements of either organization. Option D is wrong because simply adopting the stricter policy ignores the need to assess compatibility, enforceability, and business impact; a policy that is stricter but not aligned with the merged entity's risk appetite or operational reality may be impractical or non-compliant.

697
MCQeasy

A financial services company is migrating its customer relationship management (CRM) system to a public cloud provider. The CRM contains personally identifiable information (PII) and financial transaction records. The security architect must design a solution that ensures data confidentiality and integrity both at rest and in transit, while complying with PCI DSS requirements. The cloud provider offers a key management service (KMS) that can generate and store encryption keys, a hardware security module (HSM) in the cloud, and a certificate authority for TLS certificates. The architect needs to select the appropriate encryption methods and access controls. The company's security policy requires encryption keys to be rotated every 90 days and stored separately from the data. The cloud provider's KMS supports automatic key rotation, but the HSM requires manual intervention. The CRM application uses a database that supports transparent data encryption (TDE) with keys stored in the KMS, and the application also requires TLS for all network connections. Which course of action best meets all requirements?

A.Use the cloud provider's KMS to generate and store the database encryption key, disable automatic rotation, and manually rotate it every 90 days. Use a self-signed certificate for TLS to save costs.
B.Use the cloud provider's KMS to generate and store the database encryption key with automatic rotation, and use a certificate from a third-party CA for TLS. Store the KMS key in a separate account and region from the database.
C.Use the cloud HSM to generate and store the database encryption key, manually rotate it every 90 days, and use a certificate from the cloud provider's CA for TLS. Store the HSM key in a different region from the database.
D.Use the cloud provider's KMS to generate and store the database encryption key, enable automatic key rotation, and use a separate KMS-managed key for TLS certificates. Store all keys in the same KMS region as the database.
AnswerB

Automatic rotation meets the 90-day policy, separate account and region ensure key separation, and third-party CA provides proper trust for TLS.

Why this answer

Option D is correct because it uses the KMS with automatic key rotation (meeting the 90-day rotation requirement), stores the key in a separate account and region from the data (satisfying the separation requirement), and uses a third-party CA for TLS (providing strong trust and compliance). Option A stores the key in the same region, violating separation. Option B uses manual rotation, which is error-prone and may not meet the automation expectation.

Option C uses self-signed certificates, which do not provide the trust required for external connections and disables automatic rotation, adding manual overhead.

698
MCQmedium

A SOC has three tiers: Tier 1 triages alerts, Tier 2 investigates, and Tier 3 performs advanced analysis. An alert about a potential data exfiltration using DNS tunneling is escalated from Tier 1. Which tier is BEST suited to perform deep packet inspection and memory forensics to confirm the exfiltration?

A.Incident manager
B.Tier 2
C.Tier 1
D.Tier 3
AnswerD

Tier 3 has advanced forensic capabilities.

Why this answer

Tier 3 handles advanced analysis including memory forensics.

699
Multi-Selecthard

An organization is reviewing its use of SSH for remote administration. Which TWO features of SSH should be disabled or carefully managed to reduce security risks? (Select two.)

Select 2 answers
A.Port forwarding
B.Using SSH protocol version 1
C.X11 forwarding
D.Public-key authentication
E.Using SSH protocol version 2
AnswersA, C

Port forwarding can create tunnels that bypass network security controls; it should be restricted to authorized users.

Why this answer

Port forwarding (option A) allows SSH to tunnel arbitrary TCP connections, which can bypass network firewalls and expose internal services to external attackers if misconfigured or left enabled for non-administrative users. Disabling or restricting port forwarding reduces the risk of unauthorized tunneling and lateral movement within the network.

Exam trap

Cisco often tests the distinction between features that are inherently insecure (like SSHv1) versus features that are secure by default but introduce risk when misused (like port forwarding and X11 forwarding), leading candidates to incorrectly select SSHv1 as a feature to 'carefully manage' rather than outright disable.

700
MCQeasy

Which cryptographic algorithm is a symmetric block cipher widely used for encrypting sensitive data, with key sizes of 128, 192, or 256 bits?

A.RSA
B.RC4
C.AES
D.ECC
AnswerC

AES is a symmetric block cipher.

Why this answer

AES is a symmetric block cipher with standard key sizes of 128, 192, and 256 bits.

701
MCQhard

A company is designing secure boot for IoT devices to ensure only trusted firmware runs. The devices have limited resources. Which mechanism provides the highest assurance of boot integrity?

A.Use a software-based integrity check that runs after boot.
B.Set a BIOS password to prevent unauthorized changes.
C.Use a TPM to measure boot components and compare to stored hashes.
D.Implement full disk encryption (FDE).
AnswerC

TPM provides hardware-based integrity measurement and storage.

Why this answer

Option C is correct because a Trusted Platform Module (TPM) provides hardware-rooted trust by measuring each boot component (e.g., BIOS, bootloader, OS kernel) and storing the measurements in Platform Configuration Registers (PCRs). These measurements are compared against known-good hashes stored in the TPM, ensuring that any tampering with firmware is detected before execution. This offers the highest assurance for resource-constrained IoT devices as it relies on immutable hardware rather than software-based checks.

Exam trap

The trap here is that candidates often confuse integrity verification (ensuring code hasn't been tampered with) with confidentiality protections (like encryption) or access controls (like passwords), leading them to pick full disk encryption or BIOS passwords instead of the hardware-based attestation provided by a TPM.

How to eliminate wrong answers

Option A is wrong because a software-based integrity check that runs after boot cannot prevent malicious code from already executing; it is a post-boot verification that assumes the system is already compromised, violating the chain of trust. Option B is wrong because a BIOS password only controls access to BIOS settings, not the integrity of the firmware itself; it can be bypassed by resetting CMOS or using default passwords, and does not verify that the firmware has not been modified. Option D is wrong because full disk encryption (FDE) protects data at rest but does not verify the integrity of the boot process or firmware; an attacker could replace the bootloader with a malicious one that still decrypts the disk, leaving the system vulnerable.

702
MCQhard

An organization wants to implement single sign-on across multiple web applications using an XML-based protocol that supports identity provider (IdP) and service provider (SP) initiated flows. Which technology should they choose?

A.OpenID Connect
B.OAuth 2.0
C.SAML 2.0
D.Kerberos
AnswerC

SAML 2.0 is XML-based and supports IdP and SP initiated SSO.

Why this answer

SAML 2.0 is an XML-based protocol for SSO that supports both IdP and SP initiated flows and uses assertions.

703
MCQhard

Refer to the exhibit. The PAM configuration shows pam_tally2.so with deny=5 and unlock_time=300. What is the effect of this configuration?

A.The account is disabled after 5 successful logins
B.Passwords must be changed every 5 days
C.Users are locked out after 5 failed login attempts, and automatically unlocked after 5 minutes
D.Users are locked out after 5 failed attempts until manually unlocked
AnswerC

deny=5 means lock after 5 failures; unlock_time=300 means 300 seconds (5 minutes).

Why this answer

Option C is correct because pam_tally2.so with deny=5 locks the user account after 5 failed authentication attempts, and unlock_time=300 sets the automatic unlock period to 300 seconds (5 minutes). This is a standard PAM (Pluggable Authentication Modules) configuration for account lockout policies, commonly used on Linux systems to mitigate brute-force attacks.

Exam trap

The trap here is that candidates confuse pam_tally2.so with password aging or account disablement features, or assume that unlock_time=300 means manual unlock is required, when in fact it specifies automatic unlock after 300 seconds.

How to eliminate wrong answers

Option A is wrong because pam_tally2.so tracks failed logins, not successful logins; disabling after successful logins would be a different mechanism (e.g., account expiration). Option B is wrong because password aging (e.g., 5-day change interval) is configured via pam_unix.so or pam_cracklib.so, not pam_tally2.so. Option D is wrong because unlock_time=300 specifies automatic unlocking after 300 seconds, not manual intervention; manual unlock would require a separate configuration (e.g., pam_tally2.so without unlock_time or with a very high value).

704
MCQmedium

An organization is designing a disaster recovery site. The primary data center is located in a region prone to earthquakes. The recovery site must be far enough away to avoid the same seismic zone but close enough to minimize latency. Which site selection criteria is most important?

A.Access to diverse power grids
B.Geographical diversity to avoid the same seismic zone
C.High-speed network connectivity between sites
D.Availability of skilled personnel near the recovery site
AnswerB

Prevents a single earthquake from disabling both sites.

Why this answer

Geographical diversity (Option B) is the most important criterion because the primary data center is in an earthquake-prone region, and the recovery site must be located outside the same seismic zone to ensure that a single seismic event does not destroy both sites. This directly addresses the core requirement of disaster recovery: maintaining availability during a regional catastrophe. While latency and connectivity are important, they are secondary to ensuring the recovery site survives the same disaster.

Exam trap

The trap here is that candidates often prioritize network connectivity (Option C) or power diversity (Option A) because they are common in high-availability design, but the question explicitly states the primary risk is a regional earthquake, making geographic diversity the non-negotiable requirement.

How to eliminate wrong answers

Option A is wrong because access to diverse power grids, while beneficial for power redundancy, does not protect against the physical destruction caused by an earthquake; the site could still be in the same seismic zone and be destroyed. Option C is wrong because high-speed network connectivity between sites, though important for data replication and low latency, is irrelevant if both sites are rendered inoperable by the same earthquake. Option D is wrong because availability of skilled personnel near the recovery site is a staffing consideration, not a site selection criterion that mitigates the risk of a single seismic event destroying both locations.

705
MCQmedium

A company wants to test the effectiveness of its security controls without causing disruption. Which type of assessment is most appropriate?

A.Penetration test
B.Security audit
C.Vulnerability scan
D.Red team exercise
AnswerC

Vulnerability scanning assesses systems passively without exploitation, minimizing disruption.

Why this answer

A vulnerability scan is the most appropriate assessment because it passively identifies known vulnerabilities (e.g., missing patches, misconfigurations) without exploiting them, ensuring no disruption to production systems. Unlike active exploitation tests, vulnerability scanners use non-intrusive probes (e.g., banner grabbing, version fingerprinting) that do not trigger denial-of-service or system crashes. This aligns with the requirement to test control effectiveness while maintaining operational stability.

Exam trap

ISC2 often tests the distinction between passive identification (vulnerability scan) and active exploitation (penetration test), where candidates mistakenly choose penetration test because they think it provides a more thorough assessment, ignoring the explicit 'without causing disruption' constraint.

How to eliminate wrong answers

Option A is wrong because a penetration test involves active exploitation of vulnerabilities, which can cause service disruptions (e.g., buffer overflows, resource exhaustion) and is not suitable when the primary goal is to avoid disruption. Option B is wrong because a security audit focuses on verifying compliance with policies, standards, or regulations (e.g., ISO 27001) through document review and interviews, not on actively testing technical control effectiveness against real-world threats. Option D is wrong because a red team exercise is a full-scope adversarial simulation that includes social engineering, physical breaches, and aggressive exploitation, often causing significant operational disruption and alerting defenders, contradicting the 'without causing disruption' requirement.

706
MCQeasy

During a code review, a developer notices that an application directly concatenates user input into SQL queries. Which type of vulnerability does this represent?

A.Cross-site scripting (XSS)
B.Cross-site request forgery (CSRF)
C.Buffer overflow
D.SQL injection
AnswerD

Concatenating user input into SQL queries allows an attacker to modify the query structure.

Why this answer

Directly concatenating user input into SQL queries allows an attacker to inject arbitrary SQL commands, altering the query's intended behavior. This is the classic definition of SQL injection, which can lead to unauthorized data access, modification, or deletion. The vulnerability arises because the input is treated as executable code rather than data, bypassing parameterized query protections.

Exam trap

The trap here is that candidates may confuse SQL injection with cross-site scripting (XSS) because both involve injection of untrusted data, but XSS targets the browser's DOM, not the database query layer.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) involves injecting client-side scripts into web pages viewed by other users, not into SQL queries. Option B is wrong because cross-site request forgery (CSRF) tricks a user's browser into making unintended requests to a trusted site, exploiting authentication, not directly manipulating database queries. Option C is wrong because buffer overflow occurs when data exceeds a buffer's memory boundary, corrupting adjacent memory, which is unrelated to SQL query construction.

707
MCQeasy

During a penetration test, the tester successfully exploits a vulnerability in a web server and gains initial access. The next step in the penetration testing process is to:

A.Disconnect from the network
B.Report the findings immediately
C.Conduct post-exploitation and lateral movement
D.Perform reconnaissance
AnswerC

Post-exploitation and lateral movement are standard steps after initial exploitation to assess the full impact.

Why this answer

After gaining initial access during a penetration test, the standard methodology (e.g., PTES, OWASP) requires conducting post-exploitation and lateral movement to assess the full impact of the compromise. This involves enumerating the compromised host, escalating privileges, and pivoting to other systems using techniques like pass-the-hash or SSH tunneling. Reporting findings immediately or disconnecting would violate the test scope and fail to demonstrate the real risk of the vulnerability.

Exam trap

The trap here is that candidates confuse the linear 'reconnaissance → exploitation → reporting' model with the iterative nature of penetration testing, where post-exploitation and lateral movement are essential steps after initial access to fully assess risk.

How to eliminate wrong answers

Option A is wrong because disconnecting from the network aborts the test prematurely, preventing the tester from identifying the full attack path and potential data exposure, which is the core objective of a penetration test. Option B is wrong because reporting findings immediately after initial access is not part of the penetration testing process; findings are typically documented and reported after the test concludes, not during active exploitation. Option D is wrong because reconnaissance is performed before exploitation, not after gaining initial access; it involves passive and active information gathering (e.g., DNS enumeration, port scanning) to identify targets and vulnerabilities.

708
MCQmedium

Refer to the exhibit. A user in the 10.1.0.0/16 range attempts to retrieve the object s3://example-bucket/secret/top_secret.pdf. What will be the result?

A.The request is denied because the first statement allows but the second denies.
B.The request is allowed because the Deny statement only applies to the secret prefix, and the IP condition is satisfied for the user in 10.1.0.0/16.
C.The request is allowed because the first statement matches and allows.
D.The request is denied because the condition in the first statement does not match the IP range.
AnswerD

The Allow is not triggered, and the Deny applies.

Why this answer

Option D is correct because the first statement in the policy has a condition that restricts access to requests originating from the IP range 10.2.0.0/16. Since the user is in the 10.1.0.0/16 range, the condition is not satisfied, so the first statement does not apply. Without an explicit Allow that matches the request, the default implicit Deny takes effect, resulting in the request being denied.

Exam trap

The trap here is that candidates assume the first statement's Allow applies globally without checking the IP condition, leading them to think the Deny in the second statement is the deciding factor, when in fact the Allow never matched due to the condition failure.

How to eliminate wrong answers

Option A is wrong because it misinterprets the policy evaluation logic: the first statement does not apply due to the IP condition mismatch, so there is no Allow to override; the Deny in the second statement is irrelevant because the request is already denied by default. Option B is wrong because it incorrectly assumes the Deny statement applies only to the secret prefix, but the Deny is unconditional for s3://example-bucket/secret/*; however, the request is denied earlier due to the lack of a matching Allow. Option C is wrong because the first statement does not match the request since the IP condition requires the source to be in 10.2.0.0/16, not 10.1.0.0/16.

709
Multi-Selectmedium

Which THREE of the following are valid methods for securely disposing of magnetic hard drives?

Select 3 answers
A.Deleting files and emptying recycle bin
B.Physical shredding
C.Overwriting with random data (multiple passes)
D.Degaussing
E.Quick formatting
AnswersB, C, D

Destroys platters.

Why this answer

Physical shredding (B) destroys the platters, making data recovery impossible regardless of the magnetic state. This is a valid method for secure disposal because it physically prevents any read/write head from accessing the data.

Exam trap

The trap here is that candidates often confuse logical deletion (A, E) with secure erasure, or assume that multiple overwrites are always required, when in fact degaussing and physical destruction are the only methods that guarantee data is irrecoverable from magnetic media.

710
MCQhard

A company is designing a disaster recovery plan. They need to recover critical systems within 4 hours and lose no more than 15 minutes of data. Which combination of RTO and RPO should be specified?

A.RTO = 15 minutes, RPO = 4 hours
B.RTO = 4 hours, RPO = 4 hours
C.RTO = 4 hours, RPO = 15 minutes
D.RTO = 15 minutes, RPO = 15 minutes
AnswerC

Correct - RTO for downtime, RPO for data loss.

Why this answer

RTO (Recovery Time Objective) is the maximum acceptable downtime, here 4 hours. RPO (Recovery Point Objective) is the maximum acceptable data loss, here 15 minutes.

711
MCQhard

In a microservices architecture with a service mesh, what is the most effective approach to secure inter-service communication?

A.Segment services into separate VLANs without encryption
B.Use TLS only for all communication
C.Implement mutual TLS (mTLS) and identity-based access policies
D.Rely on API keys in the request headers
AnswerC

mTLS provides strong authentication and encryption per request.

Why this answer

In a service mesh, mutual TLS (mTLS) provides both encryption and identity verification for every inter-service call, ensuring that only authenticated services with the correct identity can communicate. Identity-based access policies (e.g., using SPIFFE IDs) then enforce fine-grained authorization, which is essential in dynamic microservices environments where IP addresses are ephemeral. This combination directly addresses the core security requirements of confidentiality, integrity, and authentication in zero-trust architectures.

Exam trap

The trap here is that candidates often choose 'TLS only' (Option B) thinking encryption alone is sufficient, but the CISSP exam emphasizes that in a zero-trust microservices environment, mutual authentication and identity-based authorization are critical to prevent impersonation and lateral movement.

How to eliminate wrong answers

Option A is wrong because segmenting services into separate VLANs without encryption fails to protect data in transit; VLANs provide network segmentation but no encryption, leaving traffic vulnerable to sniffing or man-in-the-middle attacks within the same physical network. Option B is wrong because using TLS only for all communication provides encryption but does not authenticate the identity of the calling service; without mutual authentication, a compromised or rogue service can impersonate a legitimate one. Option D is wrong because relying on API keys in request headers is a weak form of authentication that can be easily intercepted, replayed, or leaked, and it does not provide encryption or identity-based authorization at the transport layer.

712
MCQhard

An organization deploys a hypervisor to host multiple virtual machines. To mitigate the risk of VM escape attacks, which of the following is the most effective security measure?

A.Disabling all unnecessary hypervisor services and applying security patches
B.Using Type 2 hypervisor only
C.Using VLANs to isolate VM traffic
D.Enabling VM snapshots for quick recovery
AnswerA

Minimizing and patching reduces vulnerabilities.

Why this answer

Keeping the hypervisor patched and minimized reduces attack surface and addresses known vulnerabilities that could be exploited for VM escape.

713
Multi-Selectmedium

A security officer is developing a risk management plan. Which TWO of the following are valid risk response strategies? (Select TWO.)

Select 2 answers
A.Transfer
B.Avoid
C.Accept
D.Ignore
E.Eliminate
AnswersA, B

Transfer is a valid risk response (e.g., insurance).

Why this answer

Common risk response strategies include: avoid, transfer, mitigate, and accept. 'Ignore' is not a valid strategy, and 'eliminate' is similar to avoid but not standard terminology.

714
MCQhard

A company develops a web application using microservices architecture deployed on Kubernetes. The security team identifies that the application is vulnerable to injection attacks because user input is concatenated into SQL queries. The development team wants to implement a fix quickly. They propose using parameterized queries, but the database access layer currently uses stored procedures. The team considers modifying the stored procedures to accept parameters and using prepared statements in the code. However, the operations team is concerned about performance impact. Which of the following is the BEST course of action?

A.Use parameterized queries immediately without modifying stored procedures.
B.Implement both parameterized queries and modify stored procedures to use parameters, and then monitor performance.
C.Modify stored procedures to use dynamic SQL with input validation.
D.Use input validation only, as stored procedures inherently prevent injection.
AnswerB

This provides defense in depth and allows performance assessment before full rollout.

Why this answer

Option C is correct because it addresses the vulnerability through both parameterized queries and parameterized stored procedures, then monitors performance to address the operations team's concern. Option A is wrong because parameterized queries alone may not protect if the stored procedures still concatenate input. Option B is wrong because dynamic SQL within stored procedures can still be vulnerable to injection.

Option D is wrong because input validation alone is not sufficient to prevent injection; stored procedures without parameterization can still be vulnerable.

715
Multi-Selectmedium

A security analyst is evaluating access control models for a healthcare organization that needs to enforce both confidentiality and integrity. Which TWO models should be considered? Select two.

Select 2 answers
A.Take-Grant
B.Bell-LaPadula
C.Biba
D.Clark-Wilson
E.Brewer-Nash
AnswersB, C

Confidentiality model.

Why this answer

Bell-LaPadula enforces confidentiality; Biba enforces integrity. Together they address both requirements.

716
MCQmedium

A security analyst is tasked with identifying vulnerabilities in a network without exploiting them. Which type of assessment is most appropriate?

A.Vulnerability assessment
B.Security audit
C.Penetration test
D.Security review
AnswerA

Correct: Vulnerability assessment identifies vulnerabilities without exploitation.

Why this answer

A vulnerability assessment identifies and reports vulnerabilities without exploitation, unlike penetration testing which exploits to demonstrate impact.

717
MCQmedium

An organization uses a data loss prevention (DLP) system to monitor outbound emails. Which data classification type would the DLP most likely use to detect sensitive information leaving the network?

A.Context-based classification
B.Content-based classification
C.User-based classification
D.Role-based classification
AnswerB

Content-based DLP scans for patterns and data content to detect sensitive information.

Why this answer

Content-based classification inspects the actual data within outbound emails—such as credit card numbers, social security numbers, or other regex-defined patterns—to detect sensitive information. DLP systems rely on content analysis (e.g., regular expressions, exact data matching, or fingerprinting) to identify and block policy violations, making this the correct classification type for detecting sensitive data leaving the network.

Exam trap

ISC2 often tests the distinction between context-based and content-based classification, where candidates mistakenly choose context-based because they confuse 'monitoring outbound emails' with analyzing sender/recipient metadata rather than the actual data content.

How to eliminate wrong answers

Option A is wrong because context-based classification examines metadata like sender, recipient, or time of transmission, not the actual data payload, so it cannot detect sensitive content within the email body or attachments. Option C is wrong because user-based classification assigns sensitivity based on the user's identity or group membership, but it does not inspect the content of the email itself, making it insufficient for DLP detection of specific data patterns. Option D is wrong because role-based classification uses job roles to determine data access rights, but it does not analyze the content of outbound messages, so it cannot identify sensitive information in transit.

718
MCQhard

Refer to the exhibit. An organization has a lawsuit requiring preservation of all records related to a customer dispute from 2018. Which data set must be preserved beyond its scheduled retention?

A.Email logs from 2018
B.Payment card data from 2018 transactions
C.All of the above
D.Customer records from 2018 accounts that are still open
AnswerC

Legal hold applies to all relevant data, overriding retention schedules.

Why this answer

Option C is correct because a legal hold overrides any scheduled retention policy. The lawsuit requires preservation of all records related to the 2018 customer dispute, which includes email logs (for communication evidence), payment card data (for transaction records), and customer records (for account details). Under eDiscovery rules (FRCP Rule 26), any data set that may contain relevant information must be preserved, even if its normal retention period has expired.

Exam trap

The trap here is that candidates often assume only the most obvious data set (e.g., customer records) needs preservation, but the legal hold applies to all data sets that could contain relevant information, including logs and payment data, regardless of their normal retention schedules.

How to eliminate wrong answers

Option A is wrong because email logs from 2018 are directly relevant to the dispute (e.g., communications with the customer) and must be preserved under the legal hold, so they are not exempt. Option B is wrong because payment card data from 2018 transactions is relevant to the financial aspect of the dispute and must be preserved, even if PCI DSS retention schedules would normally allow deletion. Option D is wrong because customer records from 2018 accounts that are still open are also subject to the legal hold; the fact that the account is still open does not exclude it from preservation—the hold applies to all records related to the dispute, regardless of account status.

719
MCQmedium

A network engineer is configuring 802.1X authentication for wired network access. The authentication server supports EAP-TLS. What must be deployed to clients to support this authentication method?

A.Client certificate
B.Server certificate
C.RADIUS server
D.Shared secret
AnswerA

EAP-TLS requires both client and server certificates for mutual authentication.

Why this answer

EAP-TLS requires mutual authentication using digital certificates on both the client and the server. The client must present a certificate to prove its identity to the authentication server, which is validated against a trusted root CA. Without a client certificate, EAP-TLS cannot establish the TLS tunnel, as it relies on certificate-based client authentication per RFC 5216.

Exam trap

ISC2 often tests the distinction between what is deployed to clients versus the infrastructure; candidates mistakenly choose 'server certificate' because they know TLS requires certificates, but forget that EAP-TLS mandates client certificates for mutual authentication.

How to eliminate wrong answers

Option B is wrong because a server certificate is already required by the authentication server (RADIUS) for EAP-TLS, but the question asks what must be deployed to clients, not the server. Option C is wrong because a RADIUS server is the authentication server itself, not something deployed to clients; clients communicate with the RADIUS server via the authenticator (switch). Option D is wrong because a shared secret is used between the authenticator (switch) and the RADIUS server for secure communication, not between the client and the authentication server in EAP-TLS.

720
MCQmedium

A financial institution must retain customer transaction records for 7 years. After that, what is the most appropriate action?

A.Degauss and physically destroy
B.Securely delete using overwriting
C.Transfer to a third-party storage vendor
D.Archive to tape for additional redundancy
AnswerB

Overwriting renders data unrecoverable, meeting disposal requirements.

Why this answer

After the 7-year retention period, the most appropriate action is to securely delete the records using overwriting. This ensures that the data is irrecoverable while maintaining compliance with data disposal policies. Overwriting with multiple passes (e.g., using the Gutmann method or DoD 5220.22-M standard) prevents data remanence, which is critical for financial records.

Exam trap

The trap here is that candidates often confuse 'secure deletion' with 'physical destruction' or 'archiving,' failing to recognize that after the retention period, the primary goal is to eliminate the data securely, not to preserve or transfer it.

How to eliminate wrong answers

Option A is wrong because degaussing and physical destruction are excessive for digital records that only need secure deletion; degaussing destroys the magnetic media entirely, which is unnecessary and may not be feasible for all storage types (e.g., SSDs). Option C is wrong because transferring to a third-party storage vendor does not address the requirement to dispose of the data after retention; it merely shifts custody, which could lead to compliance violations. Option D is wrong because archiving to tape for additional redundancy retains the data beyond the required period, violating the retention policy and increasing legal and security risks.

721
Multi-Selecthard

In the context of the Clark-Wilson integrity model, which of the following are key elements? (Choose TWO)

Select 2 answers
A.Simple Security Property
B.Lattice-based access control
C.Constrained Data Items (CDIs)
D.No Write Up property
E.Transformation Procedures (TPs)
AnswersC, E

Correct. CDIs are data items that must be protected.

Why this answer

Clark-Wilson uses well-formed transactions (constrained data items) and separation of duties (transformation procedures and integrity verification procedures).

722
MCQhard

During a merger, the security teams of two companies are integrating their networks. The acquiring company has a high-security classification system (e.g., Top Secret, Secret, Confidential), while the acquired company uses a lower classification (e.g., Internal, Public). Which approach best ensures secure data handling during integration?

A.Maintain separate classification systems for each company
B.Create a new classification system for the merged entity
C.Apply the lower classification level to all data to simplify integration
D.Apply the higher of the two classification levels to all data
AnswerB

While this may be ideal long-term, immediate integration requires using the higher classification to avoid data leaks. However, the question asks for 'best ensures secure data handling during integration' – a new system takes time and may not be immediately effective. The correct answer should be applying the higher classification. I will fix the correct answer to A and adjust explanations.

Why this answer

Option B is correct because creating a new, unified classification system for the merged entity allows the security teams to define consistent data handling policies, access controls, and labeling standards that reflect the combined risk posture. This approach avoids the confusion and security gaps that arise from maintaining disparate systems, and it aligns with the principle of governance and policy integration required during mergers. By designing a single taxonomy, the organization can map old labels to new ones and enforce uniform controls (e.g., via data loss prevention rules or mandatory access control) across the integrated network.

Exam trap

The trap here is that candidates assume 'higher security is always better' (Option D) or 'keep things separate to avoid risk' (Option A), failing to recognize that integration requires a single, coherent policy to enforce consistent access controls and avoid administrative chaos.

How to eliminate wrong answers

Option A is wrong because maintaining separate classification systems for each company perpetuates incompatible security policies, leading to inconsistent access control decisions and potential data leakage when data crosses network boundaries. Option C is wrong because applying the lower classification level to all data would downgrade sensitive information, violating the principle of least privilege and exposing high-value assets to unauthorized users. Option D is wrong because applying the higher classification level to all data results in over-classification, causing unnecessary operational overhead, reduced productivity, and potential violation of data utility requirements (e.g., marking public data as Top Secret would block legitimate access).

723
MCQeasy

Refer to the exhibit. What is the effect of this ACL when applied inbound to an interface?

A.All traffic is denied
B.Only traffic from host 10.1.1.2 to port 80 is denied, all other traffic permitted
C.Traffic from host 10.1.1.2 to port 80 is denied, but others allowed
D.All traffic to port 80 is denied
AnswerC

Correct. The first line denies 10.1.1.2 to port 80; the second permits others to port 80.

Why this answer

Option C is correct because the ACL explicitly denies traffic from host 10.1.1.2 to any destination on TCP port 80, and then permits all other IP traffic. Since the ACL is applied inbound, it filters traffic before routing, and the implicit deny at the end only blocks traffic that does not match any permit statement. Thus, only the specific host-to-port-80 traffic is denied, and all other traffic is permitted.

Exam trap

The trap here is that candidates often forget the implicit deny at the end of an ACL and mistakenly think the deny entry blocks all traffic to port 80, or they misread the order and assume the permit ip any any does not override the deny for other sources.

How to eliminate wrong answers

Option A is wrong because the ACL contains a permit ip any any statement, which explicitly allows all traffic not matching the deny entry, so not all traffic is denied. Option B is wrong because it states 'only traffic from host 10.1.1.2 to port 80 is denied, all other traffic permitted,' which is actually the same as option C; however, the phrasing 'only' is misleading—the ACL denies traffic from host 10.1.1.2 to port 80, but it does not deny traffic from other hosts to port 80, so option B is technically incorrect because it implies exclusivity that is not present in the ACL logic. Option D is wrong because the ACL only denies traffic from host 10.1.1.2 to port 80, not all traffic to port 80 from any source.

724
MCQmedium

A hospital is implementing an access control system for its electronic health record (EHR) application. The system must ensure that only authorized healthcare providers can access patient records based on their role (doctor, nurse, administrator), department (cardiology, oncology, etc.), and patient consent status. The hospital also needs to support break-the-glass access for emergencies. The current solution uses static role-based access control (RBAC) but fails to enforce department-level restrictions and consent checks. What is the most appropriate access control model to address these requirements?

A.Enhance the existing RBAC model with more granular roles for each department
B.Use mandatory access control (MAC) with security labels per patient record
C.Implement an attribute-based access control (ABAC) system
D.Apply discretionary access control (DAC) allowing providers to set access permissions
AnswerC

ABAC can evaluate multiple attributes and support dynamic policies like consent and emergency access.

Why this answer

Attribute-based access control (ABAC) is the correct choice because it can dynamically evaluate multiple attributes—such as user role, department, patient consent status, and emergency context—to grant or deny access. Unlike static RBAC, ABAC supports fine-grained, context-aware policies that can enforce department-level restrictions and consent checks, and it can incorporate break-the-glass rules by evaluating an emergency attribute or time-based condition.

Exam trap

The trap here is that candidates often assume RBAC can be extended with more roles to cover all requirements, but they miss that RBAC cannot dynamically evaluate multi-attribute conditions like consent status or emergency context without becoming unmanageable, whereas ABAC is designed for exactly such fine-grained, attribute-driven policies.

How to eliminate wrong answers

Option A is wrong because simply adding more granular roles to RBAC would still result in a static, role-based model that cannot evaluate dynamic attributes like patient consent status or emergency context; it would require an explosion of roles (e.g., 'Cardiology-Nurse-ConsentYes') that is impractical and does not support break-the-glass. Option B is wrong because MAC uses fixed security labels (e.g., classification levels) assigned by a central authority and cannot dynamically enforce consent status or department-specific rules based on user attributes; it is designed for confidentiality hierarchies, not fine-grained, multi-attribute policies. Option D is wrong because DAC allows data owners (e.g., individual providers) to set permissions, which violates the hospital's need for centralized, policy-driven enforcement of department and consent restrictions and would introduce security inconsistencies and potential unauthorized sharing.

725
MCQhard

A security assessment reveals that a web application uses client-side input validation exclusively. What is the most likely security risk?

A.Attacker can inject malicious scripts that execute on the client side.
B.An attacker can submit malicious data directly to the server without client-side constraints.
C.The application will have poor user experience due to slow responses.
D.The client-side code can be obfuscated but not decrypted.
AnswerB

Client-side validation only works in the browser; server-side validation is necessary to prevent malicious input.

Why this answer

Client-side validation (e.g., JavaScript in the browser) can be bypassed by intercepting and modifying HTTP requests using tools like Burp Suite or cURL. Since the server does not re-validate the input, an attacker can submit crafted payloads (e.g., SQL injection, command injection) directly to the server, leading to data breaches or code execution. This violates the principle of defense in depth, where validation must occur on the server side regardless of client-side checks.

Exam trap

The trap here is that candidates confuse client-side validation with a security control, when in fact it is only a usability feature that provides no real security against a determined attacker.

How to eliminate wrong answers

Option A is wrong because client-side validation does not inherently prevent or enable XSS; XSS is a separate vulnerability caused by improper output encoding, not by the location of input validation. Option C is wrong because client-side validation typically improves user experience by providing instant feedback, not causing slow responses. Option D is wrong because client-side code can be obfuscated to hinder readability, but it can always be decrypted or reversed by the client (e.g., via browser developer tools), making obfuscation a weak security control.

726
MCQhard

A software vulnerability allows an attacker to overwrite a return address on the stack to execute arbitrary code. What mitigation technique randomizes the memory layout to prevent the attacker from predicting target addresses?

A.ASLR (Address Space Layout Randomization)
B.Stack canary
C.Data Execution Prevention (DEP)
D.NX bit (No-Execute)
AnswerA

Correct. ASLR randomizes memory addresses to hinder exploitation.

Why this answer

ASLR (Address Space Layout Randomization) randomizes the base addresses of executable regions, making it harder to exploit buffer overflows.

727
MCQeasy

Which protocol is specifically designed for authorization and not authentication, often using grant types like authorization code and client credentials?

A.SAML 2.0
B.OpenID Connect
C.Kerberos
D.OAuth 2.0
AnswerD

OAuth 2.0 is an authorization framework, not authentication.

Why this answer

OAuth 2.0 is an authorization framework that provides delegated access; it does not authenticate the user.

728
MCQmedium

A security engineer is designing an API that handles sensitive customer data. The engineer wants to ensure that only authorized clients can access the API, and that requests are not tampered with in transit. Which approach best addresses both requirements?

A.Enforcing TLS for all communications
B.Requiring a digital signature using HMAC on each request
C.Implementing OAuth 2.0 with Bearer tokens over HTTPS
D.Using API keys transmitted in the request header
AnswerC

OAuth 2.0 provides delegated authorization, and HTTPS ensures confidentiality and integrity of tokens and data.

Why this answer

OAuth 2.0 with Bearer tokens over HTTPS combines a token-based authorization framework with TLS encryption. HTTPS (TLS) ensures confidentiality and integrity of data in transit, preventing tampering, while OAuth 2.0 provides a standardized mechanism for issuing and validating access tokens, ensuring only authorized clients with valid tokens can access the API. This dual approach directly addresses both authorization and integrity requirements.

Exam trap

The trap here is that candidates often assume TLS alone is sufficient for API security, overlooking that TLS provides transport-layer security but does not enforce application-layer authorization, which is a separate requirement.

How to eliminate wrong answers

Option A is wrong because enforcing TLS for all communications only protects data in transit (confidentiality and integrity) but does not provide any mechanism for authenticating or authorizing individual clients; any client with network access could still call the API. Option B is wrong because requiring a digital signature using HMAC on each request provides integrity and authenticity of the request payload but does not inherently enforce client authorization; HMAC alone does not manage token issuance, revocation, or scoped permissions. Option D is wrong because using API keys transmitted in the request header provides a simple form of client identification but lacks robust authorization scoping, and if transmitted over plain HTTP (or even HTTPS without proper token management), they are vulnerable to interception and replay; API keys are not designed for fine-grained authorization or delegation.

729
MCQmedium

In Kerberos authentication, which component issues a Ticket Granting Ticket (TGT) after verifying the user's credentials?

A.Domain Controller
B.Ticket Granting Server (TGS)
C.Key Distribution Center (KDC)
D.Authentication Server (AS)
AnswerD

The AS authenticates the user and issues a TGT.

Why this answer

The Authentication Server (AS) verifies the user's credentials and issues a TGT, which the user can then use to request service tickets from the TGS.

730
Multi-Selecthard

Which THREE of the following are primary objectives of a risk management program?

Select 3 answers
A.Eliminate all risks
B.Identify assets
C.Protect critical assets
D.Ensure compliance
E.Achieve risk appetite
AnswersB, C, E

Asset identification is foundational to risk management.

Why this answer

Identifying assets (Option B) is a primary objective because a risk management program must first know what assets exist to assess their value, vulnerabilities, and threats. Without asset identification, subsequent risk analysis, prioritization, and control selection are impossible. This aligns with the NIST SP 800-39 risk management framework, which begins with framing risk through asset inventory.

Exam trap

Cisco often tests the distinction between primary objectives (like asset identification, protection, and risk appetite alignment) and secondary or supporting activities (like compliance), leading candidates to mistakenly select compliance as a core objective.

731
MCQeasy

In LDAP, what does the Distinguished Name (DN) uniquely identify?

A.An entry in the directory
B.The root of the directory
C.The schema of the directory
D.A group within the directory
AnswerA

The DN uniquely identifies each entry in the LDAP tree.

Why this answer

The DN is the unique identifier for an entry in the LDAP directory, consisting of a sequence of Relative Distinguished Names (RDNs).

732
MCQhard

An organization's backup strategy includes daily full backups and hourly incremental backups. The system suffers a ransomware attack that encrypts all data. Which backup set is essential to restore the most recent clean state?

A.The last full backup plus all incremental backups after that
B.The last full backup plus the last incremental backup
C.The last full backup only
D.The last incremental backup only
AnswerA

Provides the most recent clean state by applying all increments.

Why this answer

To restore the most recent clean state after a ransomware attack, you need the last full backup as the base and all subsequent incremental backups to apply every change made up to the moment before the attack. Incremental backups capture only data changed since the last backup (full or incremental), so skipping any breaks the chain and results in data loss. Option A correctly includes the full backup and every incremental backup after it, ensuring a complete restoration to the latest point before encryption.

Exam trap

The trap here is that candidates confuse incremental backups with differential backups, mistakenly thinking only the last incremental is needed, when in fact incremental backups require the entire chain from the last full backup to restore completely.

How to eliminate wrong answers

Option B is wrong because it omits all intermediate incremental backups between the last full and the last incremental, which would leave the restored data missing changes from those skipped intervals, resulting in an incomplete state. Option C is wrong because a full backup alone restores only the data as of its creation time, losing all changes made by subsequent hourly increments, which is far from the most recent clean state. Option D is wrong because an incremental backup contains only changes since the last backup and cannot be restored without its base full backup and all prior increments in the chain; applying it alone would fail due to missing parent data.

733
MCQhard

A security analyst is evaluating risks using a qualitative matrix. The likelihood is rated as 'high' and the impact as 'medium'. What is the overall risk level typically assigned in a 3x3 matrix?

A.Medium
B.High
C.Critical
D.Low
AnswerB

Commonly, high likelihood combined with medium impact yields a high risk level.

Why this answer

In a 3x3 matrix with ratings of low, medium, high, high likelihood and medium impact often results in a high risk level.

734
MCQhard

During a vulnerability assessment, a security analyst discovers that a web application uses a library known to be vulnerable to Log4Shell (CVE-2021-44228). Which type of vulnerability does this represent?

A.Server-side request forgery (SSRF)
B.Vulnerable components
C.Insecure deserialization
D.Security misconfiguration
AnswerB

Log4Shell is a vulnerability in a third-party component (Log4j).

Why this answer

Log4Shell is a remote code execution vulnerability in the Log4j library, an example of using vulnerable components (third-party libraries with known vulnerabilities).

735
MCQmedium

Which type of firewall can inspect the contents of application-layer traffic, such as HTTP requests, and block malicious payloads?

A.Packet filter firewall
B.Circuit-level gateway
C.Application proxy firewall
D.Stateful inspection firewall
AnswerC

Application proxies terminate and re-establish connections, allowing full inspection.

Why this answer

An application proxy firewall (also known as an application-level gateway) operates at Layer 7 of the OSI model and can fully inspect the content of application-layer protocols such as HTTP, FTP, and SMTP. By terminating the client connection and establishing a separate connection to the server, it can parse and validate the payload—for example, examining HTTP request bodies for SQL injection strings or malicious scripts—and block them before they reach the internal server. This deep inspection capability distinguishes it from lower-layer firewalls that only examine headers or connection states.

Exam trap

The trap here is that candidates often confuse a stateful inspection firewall (which tracks connection state) with an application proxy firewall, mistakenly believing that stateful inspection includes deep payload analysis, when in fact stateful inspection only monitors packet headers and connection state at Layers 3 and 4.

How to eliminate wrong answers

Option A is wrong because a packet filter firewall operates at Layer 3 (and sometimes Layer 4), inspecting only source/destination IP addresses, ports, and protocol types; it cannot examine the application-layer payload of an HTTP request. Option B is wrong because a circuit-level gateway operates at Layer 5 (session layer) and validates TCP handshakes and session establishment (e.g., SOCKS proxy), but it does not inspect the contents of application-layer traffic. Option D is wrong because a stateful inspection firewall tracks the state of network connections (e.g., TCP sequence numbers) at Layers 3 and 4, but it does not perform deep packet inspection of application-layer payloads like HTTP bodies.

736
MCQhard

An organization uses a siem to collect logs from multiple sources. The security team notices that some events are missing during peak traffic hours. Analysis shows that the log sources are sending data via UDP. What is the most likely cause?

A.Clock skew between sources and SIEM
B.Insufficient SIEM storage capacity
C.UDP packet loss
D.Network bandwidth saturation
AnswerC

UDP does not guarantee delivery; packets can be lost.

Why this answer

UDP is a connectionless, best-effort transport protocol that does not guarantee delivery. During peak traffic hours, network congestion can cause UDP datagrams to be dropped without any retransmission mechanism, leading to missing events in the SIEM. This is the most direct and likely cause given the scenario.

Exam trap

The trap here is that candidates may incorrectly attribute missing events to storage or bandwidth issues, but the question specifically highlights UDP as the transport, which directly implies packet loss due to the protocol's lack of reliability.

How to eliminate wrong answers

Option A is wrong because clock skew would cause timestamp misalignment, not event loss; NTP synchronization is the standard remedy. Option B is wrong because insufficient SIEM storage would cause older data to be rotated out or ingestion to stop, not selective loss during peak hours. Option D is wrong because network bandwidth saturation could cause packet loss, but the specific mention of UDP points to the protocol's lack of reliability as the root cause; bandwidth saturation alone would affect TCP and UDP equally, but TCP would retransmit lost segments.

737
Multi-Selectmedium

A security architect is designing a network segmentation strategy for a financial institution. Which TWO techniques are best suited for implementing micro-segmentation in a data center environment? (Select two.)

Select 2 answers
A.VLANs (Virtual Local Area Networks)
B.Software-Defined Networking (SDN)
C.Hypervisor-based firewalls
D.Physical network firewalls
E.DMZ (screened subnet)
AnswersB, C

SDN enables dynamic, granular control over network flows, allowing per-application or per-tenant segmentation.

Why this answer

Software-Defined Networking (SDN) decouples the control plane from the data plane, enabling centralized, programmable network policies. This allows granular, dynamic micro-segmentation at the virtual network level, where traffic flows can be isolated based on application identity or workload attributes, not just IP addresses or VLANs.

Exam trap

The trap here is that candidates often confuse VLANs (a Layer 2 broadcast domain technique) with micro-segmentation, but VLANs lack the granularity and dynamic policy enforcement needed for workload-level isolation in modern data centers.

738
MCQeasy

Which of the following is an example of an Insecure Direct Object Reference (IDOR) vulnerability?

A.An attacker intercepts session cookies to impersonate a user
B.An attacker uses a SQL injection to retrieve data from the database
C.An attacker submits a cross-site request forgery (CSRF) token to perform actions
D.An attacker changes the user ID parameter in a URL to view another user's profile
AnswerD

This is classic IDOR: modifying a direct object reference (user ID) to access unauthorized data.

Why this answer

IDOR occurs when an application exposes a direct reference to an internal object (e.g., database key) and does not verify the user's authorization to access that object.

739
MCQmedium

A security architect is designing a system for a military intelligence agency where data classification labels (Top Secret, Secret, Confidential, Unclassified) are mandatory. Users are cleared to a specific level and must not read data above their clearance. Which security model enforces this type of access control?

A.Bell-LaPadula model
B.Biba model
C.Brewer-Nash model
D.Clark-Wilson model
AnswerA

Correct. Bell-LaPadula enforces confidentiality via no read up and no write down.

Why this answer

Bell-LaPadula focuses on confidentiality and enforces no read up (simple security property) and no write down (*-property), matching the scenario's need to prevent reading higher classified data.

740
MCQhard

An organization uses a federated identity system with SAML. A new service provider (SP) is added, but users cannot authenticate. The identity provider (IdP) logs show that the SAML response is signed correctly, but the SP rejects it. What is the most likely issue?

A.The SP does not support HTTP-POST binding
B.The IdP's clock is skewed
C.The SAML assertion is not encrypted
D.The user's browser cookies are blocked
E.The SP's metadata is missing the IdP's certificate
AnswerE

Without the IdP's certificate, the SP cannot validate the signature, so it rejects.

Why this answer

Option E is correct because the SP must have the IdP's signing certificate in its metadata to validate the SAML response signature. If the SP's metadata is missing the IdP's certificate, the SP cannot verify the signature, causing it to reject the response even though the IdP logs show it was signed correctly.

Exam trap

The trap here is that candidates confuse signature validation with encryption or assume clock skew is the default issue, but the core problem is missing trust material in the SP's metadata, not cryptographic failures or transport issues.

How to eliminate wrong answers

Option A is wrong because HTTP-POST binding is widely supported and the SP would typically reject the initial request, not a signed response, if it lacked support. Option B is wrong because clock skew would cause the SP to reject the SAML response due to invalid timestamps (NotBefore/NotOnOrAfter), not because of a missing certificate. Option C is wrong because SAML assertion encryption is optional and not required for authentication; the SP can reject a response for missing encryption only if it explicitly requires it, but the question states the response is signed correctly, pointing to a trust issue.

Option D is wrong because blocked browser cookies would prevent session management after authentication, not the initial SAML response validation at the SP.

741
MCQmedium

Which of the following is the PRIMARY goal of a Business Impact Analysis (BIA) in business continuity planning?

A.To determine the maximum acceptable outage for each process
B.To test the disaster recovery plan
C.To assign roles and responsibilities during a disaster
D.To select a hot site vendor
AnswerA

BIA identifies MTD and other recovery time objectives.

Why this answer

The BIA identifies critical business processes and their recovery requirements, such as RTO and RPO.

742
MCQmedium

An organization wants to implement a security mechanism that ensures all accesses are mediated and cannot be bypassed, is tamperproof, and is small enough to be verified. This describes which concept?

A.Trusted Computing Base (TCB)
B.Reference Monitor
C.Trusted Platform Module (TPM)
D.Security Kernel
AnswerB

Correct. The reference monitor is an abstract machine that enforces access control and must be tamperproof, always invoked, and verifiable.

Why this answer

The reference monitor is an abstract model that enforces access control with the properties: complete mediation, tamperproof, and verifiable.

743
MCQeasy

Which principle ensures that a user is granted only the permissions necessary to perform their job functions?

A.Need-to-know
B.Least privilege
C.Separation of duties
D.Zero standing privileges
AnswerB

Least privilege grants minimum necessary permissions.

Why this answer

The principle of least privilege states that users should have the minimum level of access required.

744
MCQmedium

A healthcare organization uses a custom application to manage patient records. The application uses a database with encrypted columns for sensitive data. The security team discovers that an insider has been copying encrypted data to an external drive. While the data is encrypted, the encryption key is stored in a configuration file accessible to the application. Which additional control would best mitigate this risk?

A.Enable audit logging on the application.
B.Implement role-based access control on the configuration file.
C.Use transparent data encryption (TDE) at the database level.
D.Store the encryption key in a hardware security module (HSM) with access policies.
AnswerD

HSM keeps the key secure and enforces strict access control.

Why this answer

Storing the encryption key in an HSM with access policies ensures the key is never in cleartext accessible to the application or user; it also enforces access controls and auditing. Role-based access on the config file is insufficient because the application still needs to read the key. TDE protects data at rest but does not protect the key.

Auditing is detective, not preventive.

745
MCQmedium

A security analyst notices that an attacker is sending forged ARP messages onto a local area network, linking the attacker's MAC address with the IP address of the default gateway. This allows the attacker to intercept traffic destined for the gateway. Which OSI layer is directly targeted by this attack?

A.Layer 4 – Transport
B.Layer 3 – Network
C.Layer 1 – Physical
D.Layer 2 – Data Link
AnswerD

ARP is a Layer 2 protocol used for MAC address resolution; ARP spoofing directly targets this layer.

Why this answer

ARP spoofing (or ARP poisoning) operates at Layer 2 (Data Link) because ARP messages are encapsulated directly within Ethernet frames and rely on MAC addresses, not IP routing. By forging ARP replies, the attacker corrupts the IP-to-MAC mapping in the victim's ARP cache, causing frames destined for the default gateway to be sent to the attacker's MAC address instead. This attack exploits the lack of authentication in the ARP protocol (RFC 826) and directly targets the Data Link layer's addressing and frame delivery mechanism.

Exam trap

The trap here is that candidates often confuse ARP's role in resolving IP addresses (Layer 3) with the layer at which the attack actually occurs, mistakenly choosing Layer 3 instead of recognizing that ARP operates at Layer 2 and exploits the Data Link layer's addressing scheme.

How to eliminate wrong answers

Option A is wrong because Layer 4 (Transport) handles end-to-end communication, segmentation, and port-based services (TCP/UDP), not MAC-to-IP address resolution or frame forwarding. Option B is wrong because Layer 3 (Network) deals with logical addressing and routing (e.g., IP, ICMP), but ARP itself is a Layer 2 protocol that maps IP addresses to MAC addresses and does not involve routing tables or IP header manipulation. Option C is wrong because Layer 1 (Physical) concerns the electrical, mechanical, and procedural interface to the transmission medium (e.g., cables, signals, hubs), not the addressing or frame-level manipulation used in ARP spoofing.

746
MCQeasy

Which of the following is the primary purpose of a configuration management database (CMDB) in asset management?

A.Store information about hardware and software components and their relationships
B.Track software licenses and compliance
C.Perform vulnerability scanning
D.Monitor network performance
AnswerA

CMDB captures configuration items and relationships.

Why this answer

A CMDB stores information about configuration items (CIs) and their relationships, aiding in change and incident management.

747
MCQhard

An organization with 500 employees operates a hybrid infrastructure with on-premises Active Directory and cloud-based services (Office 365, Azure). The security team receives an alert from the SIEM showing a high number of failed login attempts for a service account named 'svc_backup' from an external IP address. The account has delegated permissions to back up all domain controllers. The attempts are ongoing and fall below the lockout threshold to avoid detection. The team suspects a targeted password spraying attack. The helpdesk reports no recent password changes for this account. The incident response plan requires containment within 15 minutes. The cloud services are integrated with AD via Azure AD Connect. Which of the following actions BEST contains the attack while minimizing operational impact?

A.Block the external IP address at the firewall.
B.Configure Azure AD Conditional Access to require MFA for the account.
C.Disable the svc_backup account in Active Directory and notify the backup team to use an alternate account.
D.Immediately change the password of the svc_backup account.
AnswerC

Directly stops all authentication attempts; least operational impact until a secure replacement is created.

Why this answer

Option C is correct because disabling the compromised service account in Active Directory immediately stops the ongoing password spraying attack, preventing further unauthorized access attempts. This action contains the threat within the 15-minute containment window while minimizing operational impact, as the backup team can switch to an alternate account without disrupting critical backup operations. Disabling the account is faster and more reliable than changing the password, which might not propagate immediately to all domain controllers and cloud services via Azure AD Connect.

Exam trap

The trap here is that candidates may choose to change the password (Option D) thinking it is the fastest containment action, but they overlook the synchronization delay in hybrid environments and the risk of breaking automated processes, whereas disabling the account is the definitive containment step per incident response best practices.

How to eliminate wrong answers

Option A is wrong because blocking the external IP address at the firewall is a temporary measure that does not address the root cause; the attacker can easily switch to a different IP address or proxy, and the compromised account remains active and vulnerable. Option B is wrong because configuring Azure AD Conditional Access to require MFA for the account does not stop the ongoing attack against on-premises Active Directory; the password spraying attempts are targeting the on-premises service account, not cloud authentication, and MFA enforcement would not apply to NTLM or Kerberos authentication used for backup operations. Option D is wrong because immediately changing the password may not propagate quickly enough to all domain controllers and Azure AD via Azure AD Connect (which synchronizes every 30 minutes by default), leaving a window for the attacker to continue; additionally, changing the password could break automated backup scripts that rely on the current password, causing operational disruption.

748
MCQmedium

A security engineer is designing a cryptographic solution to ensure data integrity and non-repudiation. Which combination should be used?

A.HMAC with a shared key
B.Asymmetric encryption with digital signature
C.Digital signature with hashing
D.Symmetric encryption with HMAC
AnswerC

Correct. Digital signatures provide integrity and non-repudiation; hashing ensures integrity.

Why this answer

Digital signature with hashing is the correct combination because hashing ensures data integrity by producing a fixed-size digest, and the digital signature encrypts that hash with the sender's private key, providing non-repudiation by proving the sender's identity and preventing denial of message origin. This satisfies both requirements without relying on a shared secret.

Exam trap

The trap here is that candidates often confuse 'asymmetric encryption' with 'digital signature,' thinking encryption alone provides non-repudiation, but encryption only provides confidentiality, while a digital signature specifically uses the private key for signing (not encryption) to achieve non-repudiation.

How to eliminate wrong answers

Option A is wrong because HMAC with a shared key provides integrity and authentication via a symmetric key, but it does not offer non-repudiation since the shared key could be held by either party, allowing denial of origin. Option B is wrong because asymmetric encryption alone (e.g., RSA encryption) does not inherently provide integrity or non-repudiation; it must be combined with a digital signature, which uses the private key to sign, not encrypt. Option D is wrong because symmetric encryption with HMAC ensures confidentiality and integrity, but non-repudiation is absent because the symmetric key is shared, making it impossible to prove which party created the HMAC.

749
MCQhard

During a security audit, a vulnerability scanner reports a buffer overflow vulnerability in a legacy application. The application runs on a system with Data Execution Prevention (DEP/NX) enabled and Address Space Layout Randomization (ASLR) active. Which of the following is the most likely impact of these mitigations on a typical stack-based buffer overflow exploit?

A.They only protect heap-based overflows, not stack-based
B.They completely prevent any exploitation of buffer overflows
C.They make it harder to execute arbitrary code via injected shellcode
D.They have no effect on buffer overflow exploits
AnswerC

Correct. DEP blocks code execution on stack; ASLR hinders address prediction.

Why this answer

DEP prevents code execution in data segments like the stack. ASLR randomizes memory addresses, making it harder for an attacker to redirect execution to injected code. Combined, they significantly raise the bar.

750
MCQmedium

A vulnerability scanner reports a vulnerability with a CVSS score of 9.8. What does this score indicate?

A.High severity
B.Medium severity
C.Low severity
D.Critical severity
AnswerD

A score of 9.8 falls in the critical range (9.0-10.0).

Why this answer

A CVSS score of 9.8 falls within the range of 9.0–10.0, which is classified as 'Critical' severity according to the CVSS v3.1 specification. This score typically indicates a vulnerability that can be exploited remotely without authentication and with low attack complexity, often leading to complete compromise of confidentiality, integrity, and availability.

Exam trap

The trap here is that candidates may confuse the CVSS v3.1 severity rating scale with the older v2 scale, where scores of 7.0–10.0 were all labeled 'High', but in v3.1, 9.0–10.0 is explicitly 'Critical'.

How to eliminate wrong answers

Option A is wrong because 'High severity' corresponds to CVSS scores of 7.0–8.9, not 9.8. Option B is wrong because 'Medium severity' corresponds to scores of 4.0–6.9, which is far below 9.8. Option C is wrong because 'Low severity' corresponds to scores of 0.1–3.9, and a score of 9.8 is at the top of the scale, not low.

Page 9

Page 10 of 14

Page 11
Certified Information Systems Security Professional CISSP CISSP Questions 676–750 | Page 10/14 | Courseiva