Certified Information Systems Security Professional CISSP (CISSP) — Questions 751–825

990 questions total · 14 pages · All types, answers revealed


Page 11 of 14

751
MCQ (hard)

A security analyst observes repeated failed logon attempts from a single IP address against a domain controller. The account lockout policy is set to 5 attempts within 30 minutes. However, after the account is locked, the attack switches to a different username. Which type of attack is most likely occurring?

A. Password spraying attack
B. Brute-force attack
C. Dictionary attack
D. Rainbow table attack
Answer: A

Password spraying tries common passwords across many accounts.

Why this answer

This is a password spraying attack because the attacker attempts a small set of common passwords against many usernames, avoiding account lockout by not exceeding the threshold for any single account. The observed behavior—repeated failed attempts from one IP, then switching usernames after lockout—matches the pattern of password spraying, where the attacker tries one or a few passwords across many accounts rather than many passwords against one account.

Exam trap

The trap here is that candidates confuse password spraying with brute-force or dictionary attacks, failing to recognize that the key differentiator is the attacker's strategy of targeting multiple usernames with a few passwords to evade account lockout thresholds.

How to eliminate wrong answers

Option B (Brute-force attack) is wrong because a brute-force attack tries many passwords against a single username, which would quickly trigger the account lockout policy and not involve switching usernames. Option C (Dictionary attack) is wrong because a dictionary attack uses a list of likely passwords against a single account, again focusing on one username and leading to lockout, not switching targets. Option D (Rainbow table attack) is wrong because rainbow tables are used to crack password hashes offline, not for online authentication attempts against a live domain controller.

752
MCQ (medium)

A security architect is designing a zero trust network. Which principle is fundamental to a zero trust architecture?

A. Trust but verify
B. Rely on perimeter defenses
C. Never trust, always verify
D. Trust internal traffic implicitly
Answer: C

This is the core principle of zero trust.

Why this answer

Zero trust architecture (ZTA) fundamentally rejects implicit trust based on network location. The principle 'never trust, always verify' mandates continuous authentication and authorization for every access request, regardless of whether it originates from inside or outside the network perimeter. This is enforced through micro-segmentation, least-privilege access, and per-session verification, often using technologies like identity-aware proxies and software-defined perimeters (SDP).

Exam trap

The trap here is that candidates may confuse 'trust but verify' (Option A) with zero trust, but zero trust explicitly removes the initial trust assumption, making 'never trust, always verify' the correct principle.

How to eliminate wrong answers

Option A is wrong because 'trust but verify' is the traditional perimeter-based model that assumes trust once a user or device is inside the network, which is the opposite of zero trust's assumption of breach. Option B is wrong because relying on perimeter defenses is a castle-and-moat approach that fails once an attacker breaches the boundary; zero trust eliminates the concept of a trusted internal network. Option D is wrong because trusting internal traffic implicitly is the exact vulnerability zero trust aims to remove; internal traffic must be subject to the same verification as external traffic.

753
MCQ (easy)

Which vulnerability scoring system is commonly used to assess the severity of vulnerabilities?

A. CVSS
B. NVD
C. CVE
D. OWASP
Answer: A

CVSS provides severity scores (0-10).

Why this answer

The Common Vulnerability Scoring System (CVSS) is the industry-standard framework for assigning a numerical severity score (0–10) to a vulnerability based on metrics like attack vector, complexity, privileges required, and impact. It is maintained by the Forum of Incident Response and Security Teams (FIRST) and is widely adopted by organizations for prioritization in vulnerability management. CVSS provides a consistent, quantitative measure that allows security teams to compare and triage vulnerabilities across different systems and vendors.

Exam trap

Cisco often tests the distinction between a vulnerability database (NVD), a naming standard (CVE), and a scoring system (CVSS), so the trap here is confusing the repository or identifier with the actual scoring methodology.

How to eliminate wrong answers

Option B (NVD) is wrong because the National Vulnerability Database (NVD) is a repository of vulnerability data that uses CVSS scores, but it is not itself a scoring system; it is a database that references CVSS. Option C (CVE) is wrong because the Common Vulnerabilities and Exposures (CVE) system is a dictionary of unique identifiers for publicly known vulnerabilities, not a scoring or severity assessment system. Option D (OWASP) is wrong because the Open Web Application Security Project (OWASP) provides guidelines, tools, and frameworks for web application security (e.g., the OWASP Top 10), but it does not define a standardized vulnerability scoring system like CVSS.

754
Multi-Select (hard)

A network administrator is reviewing the security of the company's VPN solution. They discover that the current VPN uses PPTP. Which TWO of the following are significant security weaknesses associated with PPTP?

Select 2 answers
A. It uses MS-CHAPv2 authentication, which is susceptible to brute-force attacks
B. It relies on IKE for key exchange
C. It uses MPPE encryption, which is considered weak
D. It supports strong authentication with digital certificates
E. It provides perfect forward secrecy
Answers: A, C

MS-CHAPv2 has known vulnerabilities and can be cracked.

Why this answer

PPTP uses Microsoft Point-to-Point Encryption (MPPE), which relies on the RC4 stream cipher. RC4 has known weaknesses, including statistical biases and the ability to recover plaintext after a large volume of traffic has been encrypted, so it is considered weak for modern security requirements. Additionally, PPTP's default authentication protocol is MS-CHAPv2, which is vulnerable to offline brute-force attacks because its challenge-response mechanism uses a weak DES-based hash that can be cracked with tools like Asleap or ChapCrack.

Exam trap

The trap here is that candidates may confuse PPTP's use of MPPE with stronger encryption protocols like IPsec, or mistakenly think that MS-CHAPv2 is secure because it uses a challenge-response mechanism, overlooking its fundamental reliance on weak DES encryption and the NT hash.

755
MCQ (medium)

An organization requires users to authenticate with a password and a one-time code sent to their mobile phone. This is an example of which authentication method?

A. Two-step verification
B. Single-factor authentication
C. Step-up authentication
D. Multi-factor authentication
Answer: D

MFA requires two or more different factor types.

Why this answer

Using two different types of factors (a password, a Type 1 "something you know" factor, and a one-time code delivered to a phone, a Type 2 "something you have" factor) constitutes multi-factor authentication.

756
MCQ (easy)

A small company with 50 employees operates a flat network where all workstations, servers, and printers are on a single subnet without segmentation. The company recently suffered a ransomware outbreak that spread rapidly from an infected workstation to the file server and multiple other machines, causing significant downtime. The IT manager wants to redesign the network to contain future outbreaks and limit lateral movement. The budget is limited, and the environment uses a mixture of managed and unmanaged switches. Which course of action would BEST mitigate the risk of lateral spread while minimizing cost and complexity?

A. Implement VLANs with ACLs to separate departments and restrict traffic between them.
B. Enable full-disk encryption on all endpoints and servers.
C. Upgrade all endpoint antivirus to the latest version and enable real-time scanning.
D. Deploy a network-based intrusion detection system (IDS) to alert on suspicious traffic.
Answer: A

VLANs create logical segmentation; ACLs enforce policies to allow only necessary traffic, containing outbreaks to one segment.

Why this answer

Implementing VLANs with ACLs segments the flat network into separate broadcast domains, preventing lateral movement by restricting traffic between departments at Layer 2. This directly contains ransomware propagation without requiring new hardware, as VLANs can be configured on existing managed switches, making it cost-effective. ACLs further enforce least-privilege access between VLANs, blocking unauthorized inter-VLAN communication.

Exam trap

The trap here is that candidates often choose endpoint-focused solutions (like antivirus or encryption) because they seem directly related to malware, but the question specifically targets lateral movement containment, which requires network segmentation, not just endpoint protection.

How to eliminate wrong answers

Option B is wrong because full-disk encryption protects data at rest but does not prevent lateral movement or contain ransomware spread across the network. Option C is wrong because upgrading antivirus only improves endpoint detection but does not segment the network, so ransomware can still propagate laterally via SMB or other protocols. Option D is wrong because a network-based IDS only alerts on suspicious traffic after it occurs, lacking proactive containment to stop lateral movement in real time.

757
MCQ (hard)

A security analyst discovers that an attacker has gained domain admin privileges by forging a Kerberos TGT using the KRBTGT account hash. Which attack has occurred?

A. Golden ticket attack
B. Pass-the-ticket attack
C. Silver ticket attack
D. Kerberos brute force attack
Answer: A

Forging TGT with KRBTGT hash is a Golden Ticket attack.

Why this answer

A Golden Ticket attack involves forging a TGT with the KRBTGT hash, granting unrestricted access.

758
MCQ (hard)

Refer to the exhibit. A VPN tunnel between two routers is not establishing. Which of the following is the most likely cause?

A. The pre-shared key is configured for any peer, which is a security risk but not the cause of failure.
B. The crypto map is applied to the physical interface, but a tunnel interface is also configured for the same peer, causing a conflict.
C. The ISAKMP policy uses AES 256 encryption, but the transform set also uses AES 256, causing a mismatch.
D. The access list 100 does not match the traffic correctly; it should be a permit statement for the VPN traffic.
Answer: B

Having both a crypto map on the physical interface and a tunnel interface to the same peer creates a conflict and prevents the tunnel from establishing.

Why this answer

The crypto map is applied to the physical interface GigabitEthernet0/0, but the tunnel interface Tunnel0 is also configured with the same tunnel destination. The crypto map and the tunnel interface are both trying to establish a tunnel to the same peer, which causes a conflict. Typically, you would use either a crypto map or a tunnel interface, not both.

The crypto map is applied to the physical interface, but the tunnel interface is also configured. This can prevent the tunnel from establishing.

759
MCQ (easy)

Which security model focuses on preventing unauthorized access by enforcing a 'no read up, no write down' rule?

A. Clark-Wilson
B. Bell-LaPadula
C. Biba
D. Brewer-Nash
Answer: B

Correct. Bell-LaPadula is the confidentiality model with no read up and no write down.

Why this answer

The Bell-LaPadula model is a formal state machine model for enforcing access control in government and military systems. Its core rule, 'no read up' (simple security property) and 'no write down' (star property), prevents subjects from reading objects at a higher classification level and from writing to objects at a lower classification level, thereby preventing unauthorized disclosure of sensitive information.

Exam trap

The trap here is that candidates often confuse the Biba model's 'no read down, no write up' integrity rules with Bell-LaPadula's confidentiality rules, leading them to select Biba when the question specifically describes 'no read up, no write down'.

How to eliminate wrong answers

Option A is wrong because the Clark-Wilson model focuses on integrity through well-formed transactions and separation of duty, not on confidentiality or the 'no read up, no write down' rule. Option C is wrong because the Biba model enforces integrity with 'no read down, no write up' rules, which is the inverse of Bell-LaPadula's confidentiality rules. Option D is wrong because the Brewer-Nash (Chinese Wall) model prevents conflicts of interest by dynamically controlling access based on previously accessed datasets, not by enforcing a static 'no read up, no write down' policy.

760
MCQ (easy)

An organization is migrating from a waterfall to an Agile development methodology. Which of the following is a key security advantage of Agile?

A. Security testing is performed only at the end of the project
B. Security issues can be addressed incrementally throughout development
C. Security requirements are finalized upfront
D. Security documentation is minimized to reduce overhead
Answer: B

Agile's short cycles allow for prompt remediation of security findings.

Why this answer

In Agile development, security testing and remediation are integrated into each iteration (sprint), allowing teams to identify and fix vulnerabilities incrementally rather than waiting until the end. This continuous feedback loop reduces the risk of late-stage security surprises and aligns with the principle of 'shifting left' on security.

Exam trap

The trap here is conflating 'Agile' with 'no documentation' or 'no upfront planning,' when in reality Agile requires disciplined, just-in-time security activities and maintains necessary documentation for compliance and risk management.

How to eliminate wrong answers

Option A is wrong because performing security testing only at the end of the project is a characteristic of the waterfall model, not Agile, and it increases the cost and effort to remediate issues found late. Option C is wrong because Agile embraces changing requirements; security requirements are refined iteratively through backlog grooming and user stories, not finalized upfront. Option D is wrong because while Agile may reduce unnecessary documentation, security documentation (e.g., threat models, security acceptance criteria) is still essential and should not be minimized to the point of compromising auditability or compliance.

761
MCQ (hard)

A multinational corporation is developing a new cloud-based collaboration platform that handles sensitive intellectual property. The platform must ensure end-to-end encryption (E2EE) so that even the cloud provider cannot access the data. Users communicate via chat and file sharing. The architect proposes using a hybrid encryption scheme where each user has a public/private key pair, and for each message, a random symmetric key is used to encrypt the message, which is then encrypted with the recipient's public key. However, there is a requirement for the company to be able to lawfully intercept communications in case of a court order. This conflicts with E2EE. Which design can satisfy both confidentiality and lawful interception?

A. Implement key escrow where the company holds a copy of all users' private keys.
B. Implement a transparent encryption proxy on the user's device that logs all keys and sends them to the company.
C. Use client-side encryption where the encryption key is derived from the user's password and stored with a backup that can be recovered by the company using a master key.
D. Implement a split-key design where the encryption keys are generated and held by the users, but a separate escrow agent splits the key into two parts: one held by the user and one held by the company. Alternatively, use a 'drop box' approach where communications are recorded in an encrypted format and the company can decrypt only after a court order by using a secondary key that is released upon authorization.
Answer: D

This preserves E2EE for routine communications while allowing lawful interception through a separate mechanism.

Why this answer

Option D is correct because it uses a split-key or drop-box design that preserves end-to-end encryption for regular communications while enabling lawful interception under strict authorization. In this scheme, the user holds one part of the key and the company holds another, or communications are recorded encrypted and a secondary key is released only after a court order, ensuring that neither the cloud provider nor the company can decrypt data without proper legal process. This satisfies both the E2EE requirement and the lawful interception mandate without compromising the core security principle of least privilege.

Exam trap

The trap here is that candidates often assume key escrow (Option A) is the only way to achieve lawful interception, failing to recognize that escrow breaks E2EE and that split-key or drop-box designs can satisfy both requirements without compromising the confidentiality of all communications.

How to eliminate wrong answers

Option A is wrong because key escrow where the company holds a copy of all users' private keys completely breaks end-to-end encryption, as the company (and potentially the cloud provider) can decrypt any past or future communication at any time, violating the confidentiality requirement. Option B is wrong because a transparent encryption proxy on the user's device that logs all keys and sends them to the company effectively creates a backdoor that bypasses E2EE, allowing the company to access all communications without user consent or court order, and it introduces a single point of compromise. Option C is wrong because deriving encryption keys from user passwords and storing a backup recoverable by a master key means the company can decrypt all data without a court order, and password-derived keys are often weak and vulnerable to offline brute-force attacks, undermining both confidentiality and the lawful interception control.

762
MCQ (medium)

A company uses WPA2-Enterprise with EAP-TLS for wireless access. An employee reports that a new laptop cannot connect to the wireless network, while older laptops work fine. The employee has installed the correct client certificate. What is the most likely cause?

A. The wireless network uses WPA2-PSK instead of WPA2-Enterprise.
B. The RADIUS server's certificate is not trusted by the new laptop.
C. The client certificate is not correctly associated with the user account.
D. The laptop does not support MSCHAPv2.
Answer: B

EAP-TLS mutual authentication requires the client to trust the server's certificate.

Why this answer

In WPA2-Enterprise with EAP-TLS, mutual authentication requires the client to validate the RADIUS server's certificate. If the new laptop does not trust the RADIUS server's certificate (e.g., its CA root certificate is missing or expired), the EAP-TLS handshake will fail, preventing connection. Older laptops likely have the necessary root CA installed, while the new laptop does not.

Exam trap

The trap here is that candidates may confuse EAP-TLS with EAP-PEAP or EAP-TTLS, which use MSCHAPv2 for inner authentication, and incorrectly assume the issue is MSCHAPv2 support, when in fact EAP-TLS relies solely on certificate trust.

How to eliminate wrong answers

Option A is wrong because the question explicitly states the network uses WPA2-Enterprise with EAP-TLS, not WPA2-PSK; a PSK mismatch would affect all clients, not just the new laptop. Option C is wrong because the employee has installed the correct client certificate, and EAP-TLS authenticates the client based on the certificate itself, not a user account association; the RADIUS server validates the client certificate against its trust store, not a user account. Option D is wrong because EAP-TLS does not use MSCHAPv2; it uses TLS-based certificate authentication, so MSCHAPv2 support is irrelevant.

763
MCQ (hard)

A multinational corporation deploys a single sign-on (SSO) solution using SAML 2.0 across all subsidiaries. Recently, users in one subsidiary report being unable to access an internal application. The identity provider (IdP) logs show successful authentication, but the service provider (SP) logs indicate assertion validation failures. Which of the following is the MOST likely cause?

A. The system clocks on the IdP and SP are significantly out of sync
B. The SP is configured to require a specific SAML attribute not present in the assertion
C. The IdP server for the subsidiary is temporarily unreachable
D. The SAML certificate used by the SP has expired
Answer: A

SAML assertions include timestamps; clock skew leads to validation failure.

Why this answer

SAML 2.0 relies on timestamps (NotBefore and NotOnOrAfter) within the assertion for validity. If the system clocks on the identity provider (IdP) and service provider (SP) are significantly out of sync, the SP will reject the assertion as expired or not yet valid, even though the IdP logs show successful authentication. This is the most common cause of assertion validation failures in cross-domain SSO deployments.

Exam trap

The trap here is that candidates confuse assertion validation failures (which involve timestamps, signatures, or conditions) with authentication failures (which involve credentials or IdP reachability), leading them to incorrectly select options like IdP unreachability or certificate expiration.

How to eliminate wrong answers

Option B is wrong because a missing required SAML attribute would cause an authorization failure or attribute mismatch error, not an assertion validation failure; the SP would still validate the assertion's signature and timestamps first. Option C is wrong because if the IdP server were unreachable, the user would not be able to authenticate at all, and the IdP logs would not show successful authentication. Option D is wrong because an expired SAML certificate would cause a signature validation failure, not a generic assertion validation failure; the SP would log a certificate-related error, not a timestamp or validity period issue.

764
MCQ (hard)

You are the CISO of a medium-sized healthcare organization that recently migrated patient records to a cloud-based EHR system. The system stores Protected Health Information (PHI) and is subject to HIPAA regulations. Three months after migration, the compliance team reports that the EHR vendor experienced a data breach exposing 5,000 patient records due to a misconfigured database. Your organization's contract with the vendor includes a clause that holds the vendor liable for breaches caused by their negligence. However, the vendor is refusing to pay the full cost of breach notification and credit monitoring, citing a limitation of liability clause that caps damages at $100,000. The actual costs are estimated at $500,000. Your organization's cyber insurance policy has a $250,000 deductible and covers losses up to $1 million, but excludes losses due to vendor negligence. You need to manage this risk effectively. Which of the following is the BEST course of action?

A. File a claim under your cyber insurance policy and pay the deductible to cover the costs.
B. Negotiate with the vendor to split the costs and update the contract to remove the liability cap.
C. Accept the loss and implement additional vendor oversight to prevent future incidents.
D. Initiate legal proceedings against the vendor to enforce the liability clause and recover costs.
Answer: D

Correct. Legal action may force the vendor to pay, and the limitation of liability may be deemed invalid.

Why this answer

Option D is the best course of action because the vendor's negligence caused the breach, and the contract explicitly holds the vendor liable for such incidents. Initiating legal proceedings to enforce the liability clause is the most direct way to recover the full $500,000 in costs, as the vendor's limitation of liability clause ($100,000 cap) may be challenged in court, especially given HIPAA's requirement for covered entities to ensure business associates safeguard PHI. This approach aligns with risk management principles by transferring the financial risk back to the responsible party, rather than accepting the loss or relying on insurance that explicitly excludes vendor negligence.

Exam trap

The trap here is that candidates may assume insurance is the primary risk transfer tool, but the exclusion for vendor negligence and the existence of a contractual liability clause make legal enforcement the superior option, as insurance cannot cover risks explicitly excluded in the policy.

How to eliminate wrong answers

Option A is wrong because the cyber insurance policy excludes losses due to vendor negligence, so filing a claim would likely be denied, leaving the organization to pay the $250,000 deductible and the remaining costs out-of-pocket. Option B is wrong because negotiating a split without legal leverage would likely result in the vendor paying only up to the $100,000 cap, leaving the organization with $400,000 in uncovered costs, and contract updates cannot retroactively apply to the current breach. Option C is wrong because accepting the loss ignores the contractual liability clause and the vendor's negligence, failing to enforce legal rights and setting a precedent that could encourage future vendor non-compliance.

765
MCQ (medium)

An organization is migrating from WPA2 to WPA3 for its wireless network. Which improvement does WPA3 provide over WPA2?

A. Use of TKIP for backward compatibility
B. Mandatory use of WPS for easy setup
C. Simultaneous Authentication of Equals (SAE) providing forward secrecy
D. Support for 802.1X only, no personal mode
Answer: C

SAE protects against offline dictionary attacks and provides forward secrecy, a major improvement over WPA2 PSK.

Why this answer

WPA3 replaces WPA2's Pre-Shared Key (PSK) handshake with Simultaneous Authentication of Equals (SAE), defined in IEEE 802.11-2016 and RFC 7664. SAE uses a Dragonfly key exchange based on discrete logarithm cryptography, which provides forward secrecy: even if an attacker captures the handshake and later obtains the pre-shared key, they cannot decrypt past session traffic. This eliminates the vulnerability to offline dictionary attacks that plagued WPA2-PSK.

Exam trap

The trap here is that candidates confuse WPA3's mandatory use of SAE with the older WPA2-PSK handshake, and mistakenly think WPA3 still supports TKIP or WPS, or that it only works in Enterprise mode, when in fact SAE is the core personal mode enhancement.

How to eliminate wrong answers

Option A is wrong because TKIP (Temporal Key Integrity Protocol) is deprecated and not used in WPA3; WPA3 mandates CCMP (AES) and removes TKIP for security reasons. Option B is wrong because WPS (Wi-Fi Protected Setup) is not mandatory in WPA3; in fact, WPS is often disabled due to its known PIN brute-force vulnerability, and WPA3 does not require it. Option D is wrong because WPA3 supports both Personal mode (SAE) and Enterprise mode (with 802.1X and EAP), not only 802.1X; the personal mode is a key improvement over WPA2.

766
MCQ (easy)

A DevOps team implements a CI/CD pipeline that runs security scans automatically. The pipeline fails often due to false positives, causing delays. Which approach balances security and efficiency?

A. Tune scan rules to reduce false positives while retaining critical checks.
B. Turn off all security scans.
C. Manually review every false positive.
D. Only run scans on code that is deployed to production.
Answer: A

Reduces noise while keeping essential security.

Why this answer

Tuning scan rules reduces false positives by adjusting thresholds or disabling low-severity checks while preserving critical security controls (e.g., SAST rules for OWASP Top 10). This maintains automated security validation in the CI/CD pipeline without blocking development velocity, aligning with the principle of 'secure enough' rather than 'perfect security'.

Exam trap

Cisco often tests the misconception that 'security must never be compromised,' leading candidates to choose manual review (C) or full scans (D), but the CISSP emphasizes risk-based decisions where tuning is the pragmatic balance between security and efficiency.

How to eliminate wrong answers

Option B is wrong because disabling all security scans eliminates detection of vulnerabilities, violating the 'secure development' requirement in the Software Development Security domain. Option C is wrong because manually reviewing every false positive is unscalable and defeats the purpose of automation, causing unacceptable delays in a CI/CD pipeline. Option D is wrong because running scans only on production code misses vulnerabilities introduced earlier in the development lifecycle, violating the 'shift left' security principle and allowing defects to reach production.

767
Multi-Select (medium)

A security architect is designing a secure communication channel between two remote sites over the internet. Which TWO of the following protocols should be used to ensure confidentiality, integrity, and authentication?

Select 2 answers
A. PPTP
B. SSL/TLS
C. IPsec with ESP in tunnel mode
D. MPLS
E. L2TP over IPsec
Answers: C, E

IPsec ESP provides encryption and authentication.

Why this answer

Options C (IPsec with ESP in tunnel mode) and E (L2TP over IPsec) provide encryption and authentication for site-to-site VPNs. PPTP is outdated and insecure. SSL/TLS is primarily used for client-to-site VPNs.

MPLS does not provide encryption.

768
MCQ (hard)

A security analyst is evaluating the impact of upgrading web servers from TLS 1.2 to TLS 1.3. Which advantage does TLS 1.3 offer in terms of handshake efficiency?

A. It supports the same cipher suites as TLS 1.2
B. Fewer round trips during handshake
C. More round trips during handshake
D. It eliminates the need for asymmetric encryption
Answer: B

TLS 1.3 handshake takes 1 RTT, down from 2 in TLS 1.2.

Why this answer

TLS 1.3 reduces the handshake from two round trips (2-RTT) in TLS 1.2 to one round trip (1-RTT) for a full handshake, and offers 0-RTT for resumed sessions. This is achieved by combining the ClientHello and ServerHello with key exchange parameters, eliminating the separate round trip for the ServerHello and Certificate exchange. The result is lower latency and faster connection establishment, which is critical for performance-sensitive applications.

Exam trap

The trap here is that candidates may confuse 'fewer round trips' with 'eliminating asymmetric encryption,' but TLS 1.3 still relies on asymmetric key exchange (e.g., ECDHE) for forward secrecy, just in a more streamlined handshake.

How to eliminate wrong answers

Option A is wrong because TLS 1.3 does not support the same cipher suites as TLS 1.2; it removes weak or obsolete ciphers (e.g., CBC-mode ciphers, RC4, 3DES) and mandates only AEAD ciphers like AES-GCM and ChaCha20-Poly1305. Option C is wrong because TLS 1.3 actually reduces the number of round trips compared to TLS 1.2, not increases them. Option D is wrong because TLS 1.3 still requires asymmetric encryption for the initial key exchange (e.g., ECDHE or DHE) to establish a shared secret; it does not eliminate asymmetric cryptography entirely.

769
Multi-Select (hard)

Which TWO of the following are essential components of a successful security awareness program?

Select 2 answers
A. Metrics to measure the program's effectiveness
B. Implementation of technical controls like antivirus
C. Annual one-time training sessions
D. Punitive measures for security violations
E. Regular, engaging, and role-specific training
Answers: A, E

Measuring outcomes (e.g., phishing test results) allows refinement of the program.

Why this answer

Metrics to measure the program's effectiveness (Option A) are essential because they provide quantifiable data—such as phishing click rates, incident reporting trends, and policy violation statistics—that allow the organization to evaluate whether the awareness program is changing behavior and reducing risk. Without metrics, the program cannot be improved or justified to stakeholders, making it a core component of a successful security awareness initiative.

Exam trap

ISC2 often tests the misconception that technical controls or punitive measures are part of a security awareness program, when in fact the program is purely about human-focused education and behavior change, not technology enforcement or punishment.

770
MCQ · medium

During a security assessment, a penetration tester sends TCP SYN packets to various ports on a target server. Based on the responses, the tester determines which ports are open. This technique is commonly used at which OSI layer?

A. Layer 7 – Application
B. Layer 3 – Network
C. Layer 4 – Transport
D. Layer 2 – Data Link
Answer: C

Port scanning uses TCP or UDP at Layer 4 to probe ports.

Why this answer

The TCP SYN scan operates at Layer 4 (Transport) of the OSI model because it manipulates TCP segment headers, specifically the SYN flag, to probe port states. The tester sends SYN packets and interprets the response (SYN-ACK for open, RST for closed) to infer port availability, which is a transport-layer function defined by RFC 793.

Exam trap

The trap here is that candidates confuse the OSI layer of the scanning technique with the layer of the protocol being scanned (e.g., thinking a web server scan is Layer 7), but the SYN scan itself operates at Layer 4 regardless of the application running on the target port.

How to eliminate wrong answers

Option A is wrong because Layer 7 (Application) deals with application-specific protocols like HTTP or FTP, not raw TCP segment manipulation; SYN scanning does not involve application-layer payloads. Option B is wrong because Layer 3 (Network) handles IP addressing and routing, not the TCP flags or port numbers used in SYN scanning; the scan relies on transport-layer port numbers, not IP addresses. Option D is wrong because Layer 2 (Data Link) manages framing and MAC addresses on a local network segment; SYN scanning operates above this layer and does not interact with Ethernet frames or switches.

771
MCQ · hard

A company is deploying a new application that processes personally identifiable information (PII) in a hybrid cloud environment. The security architect needs to ensure that encryption keys are never exposed to the cloud provider. Which solution should be recommended?

A. Envelope encryption with a key management service
B. Server-side encryption with cloud provider managed keys
C. Client-side encryption with keys stored on-premises
D. Server-side encryption with customer-provided keys
Answer: C

Correct. Keys are never sent to the cloud provider.

Why this answer

Client-side encryption ensures that encryption keys are generated and managed on-premises, never transmitted to the cloud provider. This directly meets the requirement that keys are never exposed to the cloud provider, as all cryptographic operations occur before data leaves the customer's controlled environment.

Exam trap

The trap here is confusing 'customer-provided keys' (SSE-C) with 'client-side encryption' — SSE-C still sends the key to the cloud provider for each operation, while client-side encryption keeps the key entirely on-premises.

How to eliminate wrong answers

Option A is wrong because envelope encryption with a key management service still involves the cloud provider's KMS handling the key encryption key (KEK), which could be exposed to the provider. Option B is wrong because server-side encryption with cloud provider managed keys gives the provider full control over the keys, violating the requirement. Option D is wrong because server-side encryption with customer-provided keys (SSE-C) still transmits the key to the cloud provider for each encryption/decryption operation, exposing it to the provider's infrastructure.

772
MCQ · hard

A security engineer is evaluating a system that uses a Trusted Platform Module (TPM) for secure boot. The TPM measures the boot components and stores the measurements in Platform Configuration Registers (PCRs). Which of the following is a primary security goal achieved by this process?

A. Ensures the boot process has not been tampered with
B. Provides full disk encryption
C. Prevents all malware from executing
D. Authenticates the user during boot
Answer: A

Correct. The TPM measures and attests boot components to detect tampering.

Why this answer

Measured boot ensures that each boot component's hash is extended into PCRs. The TPM can attest these measurements to a remote verifier, proving the boot integrity.
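To make the PCR mechanism concrete, here is an added Python simulation (not from the original page or any TPM vendor) of the extend operation on a SHA-256 PCR bank: a verifier holding a golden value detects a changed boot component, and because extend is order-sensitive it also detects a reordered chain. The component blobs and their digests are constructed for the example.

```python
import hashlib
import hmac

PCR_INIT = bytes(32)  # a SHA-256 PCR bank starts at all zeros after reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend for a SHA-256 bank: new_value = H(old_value || measurement).
    The old value is never overwritten, only folded into the next hash, so a
    component measured earlier cannot be hidden by a later one."""
    if len(pcr) != 32 or len(measurement) != 32:
        raise ValueError("PCR value and measurement must both be 32-byte SHA-256 digests")
    return hashlib.sha256(pcr + measurement).digest()


def measure(component: bytes) -> bytes:
    """The digest firmware or the bootloader records for the next boot component."""
    return hashlib.sha256(component).digest()


def measured_boot(components: list[bytes], pcr: bytes = PCR_INIT) -> bytes:
    """Extend one PCR with every component in boot order and return the final value."""
    for blob in components:
        pcr = pcr_extend(pcr, measure(blob))
    return pcr


def attest(reported_pcr: bytes, golden_pcr: bytes) -> bool:
    """Remote-verifier check: the quoted PCR must equal the provisioned golden value."""
    return hmac.compare_digest(reported_pcr, golden_pcr)


# Constructed stand-ins for the firmware, bootloader and kernel images.
GOOD_CHAIN = [b"firmware v1.0", b"bootloader v2.3", b"kernel 6.1 (signed)"]
TAMPERED_CHAIN = [b"firmware v1.0", b"bootloader v2.3 + rootkit", b"kernel 6.1 (signed)"]
REORDERED_CHAIN = [b"bootloader v2.3", b"firmware v1.0", b"kernel 6.1 (signed)"]

GOLDEN_PCR = measured_boot(GOOD_CHAIN)  # value the verifier was provisioned with


def main() -> None:
    for name, chain in [("good", GOOD_CHAIN), ("tampered", TAMPERED_CHAIN), ("reordered", REORDERED_CHAIN)]:
        reported = measured_boot(chain)
        print(f"{name:9s} PCR={reported.hex()[:16]}... attest={attest(reported, GOLDEN_PCR)}")


if __name__ == "__main__":
    main()
```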

773
MCQ · hard

An organization implements Privileged Access Management (PAM) and wants to reduce the risk of standing privileges. Which approach grants temporary elevated access only when needed?

A. Session recording
B. Password vaulting
C. Break-glass accounts
D. Just-in-time access
Answer: D

JIT access provides temporary privileges as needed.

Why this answer

Just-in-time (JIT) access provides time-limited privileges that are granted on demand, reducing the attack surface.

774
MCQ · medium

Refer to the exhibit. The network administrator applies this access control list to the inbound interface of a router connecting to the internet. Which type of access control model is being implemented?

A. Discretionary Access Control (DAC)
B. Mandatory Access Control (MAC)
C. Rule-Based Access Control
D. Role-Based Access Control (RBAC)
Answer: C

The ACL is a set of rules that match on packet characteristics and are enforced by a system.

Why this answer

The access control list (ACL) applied to the inbound interface of a router connecting to the internet enforces traffic filtering based on a set of predefined rules (e.g., permit or deny statements based on source IP, destination IP, port numbers). This is the essence of Rule-Based Access Control, where access decisions are governed by a global set of rules applied uniformly to all subjects, independent of user identity or roles. The ACL does not allow individual users to change permissions (eliminating DAC), does not use security labels or clearances (eliminating MAC), and does not map permissions to job roles (eliminating Role-Based Access Control).

Exam trap

ISC2 often tests the distinction between Rule-Based and Role-Based access control by presenting an ACL scenario and hoping candidates confuse the term 'rule' with 'role', but ACLs are purely rule-based and do not incorporate user roles or identity.

How to eliminate wrong answers

Option A is wrong because Discretionary Access Control (DAC) allows the resource owner to set permissions at their discretion (e.g., file permissions in Windows or Linux), whereas an ACL on a router is centrally managed by the network administrator and cannot be modified by end users. Option B is wrong because Mandatory Access Control (MAC) requires security labels (e.g., classification levels like Top Secret) and a central authority to enforce access based on those labels; a standard ACL does not use labels or a lattice-based model. Option D is wrong because Role-Based Access Control (RBAC) grants permissions based on job functions or roles (e.g., 'admin' or 'guest'), but a router ACL matches on packet attributes like IP addresses and ports, not on user roles or group memberships.

775
MCQ · easy

A security manager is tasked with classifying data based on its sensitivity. Which of the following is the PRIMARY reason for data classification?

A. To ensure appropriate protection measures are applied to data based on its value and sensitivity.
B. To satisfy regulatory requirements for data retention.
C. To facilitate data sharing across departments without restrictions.
D. To simplify the process of granting access to users.
Answer: A

Correct - classification drives the level of protection needed.

Why this answer

Data classification is the foundational process of assigning a sensitivity label (e.g., Public, Internal, Confidential, Restricted) to information assets. The primary reason is to ensure that appropriate security controls—such as encryption, access control lists (ACLs), and data loss prevention (DLP) policies—are applied proportionally to the data's value and sensitivity, aligning with the principle of defense in depth and risk management.

Exam trap

The trap here is that candidates often confuse the primary purpose of classification (protection) with secondary outcomes like compliance or access management, leading them to select options B or D instead of the correct risk-based reasoning in A.

How to eliminate wrong answers

Option B is wrong because satisfying regulatory requirements for data retention is a separate process governed by legal and compliance policies (e.g., GDPR, HIPAA), not the primary driver for classification; classification informs retention but retention is a downstream action. Option C is wrong because unrestricted data sharing across departments would violate the principle of least privilege and confidentiality; classification actually restricts sharing based on sensitivity levels. Option D is wrong because simplifying access granting is a secondary benefit of classification (via role-based access control), but the primary reason is to apply appropriate protection measures, not to simplify administration.

776
MCQ · medium

A security team is implementing a zero trust architecture. Which component is essential to enforce access decisions based on user identity, device posture, and context before granting access to resources?

A. Virtual private network (VPN)
B. Network Access Control (NAC)
C. Next-generation firewall (NGFW)
D. Software-defined perimeter (SDP)
Answer: D

SDP creates a dynamically provisioned perimeter that authenticates users and devices before granting access to specific resources.

Why this answer

A software-defined perimeter (SDP) is the essential component for enforcing access decisions based on user identity, device posture, and context in a zero trust architecture. SDP creates a dynamic, encrypted micro-perimeter around each resource, requiring authentication and authorization before any connection is established, effectively hiding the resource from unauthorized users. This aligns with the zero trust principle of 'never trust, always verify' by evaluating identity, device health, and contextual factors (e.g., location, time) before granting access.

Exam trap

The trap here is that candidates often confuse Network Access Control (NAC) with zero trust because both involve device posture checks, but NAC is a pre-admission network-level control, whereas SDP provides per-session, application-level access control that is fundamental to zero trust architecture.

How to eliminate wrong answers

Option A is wrong because a VPN provides encrypted tunnels for remote access but typically grants broad network-level access after authentication, lacking granular, per-request context-based authorization and device posture checks required for zero trust. Option B is wrong because Network Access Control (NAC) focuses on pre-admission authentication and endpoint compliance at the network edge (e.g., 802.1X), but does not enforce per-session, application-level access decisions based on continuous context after initial admission. Option C is wrong because a next-generation firewall (NGFW) performs deep packet inspection and application-level filtering, but it operates at the network perimeter and does not inherently integrate identity- and device-posture-based access control for each resource request in a zero trust model.

777
MCQ · hard

A network administrator is configuring DNSSEC to protect against DNS spoofing. Which record type is used to provide cryptographic verification of DNS data origins?

A. RRSIG
B. DS
C. DNSKEY
D. NSEC
Answer: A

RRSIG contains the digital signature for a set of records, allowing verification of origin.

Why this answer

RRSIG (Resource Record Signature) is the DNSSEC record type that contains the cryptographic signature for a DNS record set. It provides data origin authentication and integrity verification by allowing resolvers to validate that the DNS data came from the authoritative source and was not modified in transit.

Exam trap

The trap here is that candidates confuse the role of DNSKEY (the key) with RRSIG (the signature), mistakenly thinking the public key itself provides verification, when in fact the signature record (RRSIG) is what cryptographically binds the data to the zone.

How to eliminate wrong answers

Option B (DS) is wrong because DS (Delegation Signer) records are used to create a chain of trust between DNS zones, not to directly sign or verify individual DNS data origins. Option C (DNSKEY) is wrong because DNSKEY records hold the public signing key used to verify RRSIG signatures, but they do not themselves provide cryptographic verification of data origins. Option D (NSEC) is wrong because NSEC (Next Secure) records are used for authenticated denial of existence, proving that a DNS name does not exist, and have no role in verifying data origin signatures.

778
MCQ · medium

Which of the following is a key difference between a policy and a guideline in information security governance?

A. Policies are created by IT, while guidelines are created by executives
B. Policies are technical, while guidelines are managerial
C. Policies are mandatory, while guidelines are recommended
D. Policies are static, while guidelines are updated frequently
Answer: C

Policies must be followed; guidelines are advisory.

Why this answer

Policies are high-level, mandatory statements that define the organization's security posture. Guidelines are recommendations that suggest best practices but are not mandatory.

779
MCQ · medium

A company uses SSH for remote administration. To enhance security, they want to implement public-key authentication. Which statement about SSH public-key authentication is true?

A. The private key must be kept secret by the user
B. The public key is used to decrypt the session
C. Public-key authentication does not require a passphrase
D. The private key is stored on the server
Answer: A

The private key should never be shared or stored on the server.

Why this answer

In SSH public-key authentication, the private key is the secret half of the asymmetric key pair and must be kept confidential by the user. The server stores only the public key, and authentication is proven by the client signing a challenge with the private key, which the server verifies using the stored public key. This ensures that even if the server is compromised, the private key remains safe on the client side.

Exam trap

The trap here is that candidates often confuse the roles of public and private keys, mistakenly thinking the public key is used for decryption or that the private key is stored on the server, when in fact the private key is kept secret by the user and used only for signing.

How to eliminate wrong answers

Option B is wrong because the public key is used to verify a signature from the client, not to decrypt the session; session encryption is established via a symmetric key negotiated during the key exchange (e.g., Diffie-Hellman). Option C is wrong because while a passphrase is not strictly required, it is strongly recommended to protect the private key at rest; without a passphrase, the private key file is stored in plaintext and can be used by anyone who gains access to it. Option D is wrong because the private key is never stored on the server; only the public key is placed in the user's authorized_keys file on the server.

780
Multi-Select · medium

Which TWO of the following are essential components of a disaster recovery plan? (Choose two.)

Select 2 answers
A. Recovery Point Objective (RPO)
B. Business continuity plan
C. Recovery Time Objective (RTO)
D. Service Level Agreement (SLA)
E. Cold site configuration
Answers: A, C

Defines acceptable data loss in terms of time.

Why this answer

Options A and C are correct. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are key metrics. Business continuity plan is a separate but related plan; cold sites and SLAs are not components of a DRP itself.

781
MCQ · hard

A security engineer is evaluating VPN protocols for a remote access solution. The requirements are: strong encryption with perfect forward secrecy, support for mutual authentication, and no reliance on pre-shared keys that could be brute-forced. Which protocol best meets these requirements?

A. L2TP/IPsec with pre-shared keys
B. PPTP with MS-CHAPv2
C. WireGuard
D. IPsec with IKEv2 using pre-shared keys
Answer: C

WireGuard meets all requirements: ECC key exchange provides perfect forward secrecy, public-key authentication is mutual, and no PSK is needed.

Why this answer

WireGuard is the correct choice because it uses modern cryptographic primitives (Curve25519, ChaCha20, Poly1305, BLAKE2s) that inherently provide perfect forward secrecy via ephemeral Diffie-Hellman key exchanges, supports mutual authentication through public-key-based handshakes, and eliminates pre-shared keys as the sole authentication factor—though an optional PSK can be added for post-quantum resistance, it is not required and does not weaken security if omitted.

Exam trap

Cisco often tests the misconception that IPsec with IKEv2 is always secure regardless of authentication method, but the trap here is that pre-shared keys (even with IKEv2) violate the 'no reliance on pre-shared keys' requirement and can be brute-forced if weak, whereas WireGuard's public-key-based mutual authentication avoids this vulnerability entirely.

How to eliminate wrong answers

Option A is wrong because L2TP/IPsec with pre-shared keys relies on a static PSK that can be brute-forced if weak, and does not inherently enforce perfect forward secrecy unless IKEv2 with ephemeral Diffie-Hellman is explicitly configured, which is not guaranteed by the option. Option B is wrong because PPTP with MS-CHAPv2 uses the RC4 cipher and MS-CHAPv2 authentication, both of which are cryptographically broken and lack perfect forward secrecy; additionally, PPTP does not support mutual authentication in a strong sense and relies on passwords that can be brute-forced. Option D is wrong because IPsec with IKEv2 using pre-shared keys still depends on a static PSK that can be brute-forced, and while IKEv2 can support perfect forward secrecy, the use of a PSK as the primary authentication method contradicts the requirement of no reliance on pre-shared keys.

782
MCQ · hard

A financial services company with 5000 employees uses a hybrid identity model with on-premises Active Directory (AD) synchronized to Azure AD via Azure AD Connect. The company has recently deployed Microsoft 365 and uses it for email and file sharing. Users authenticate to Azure AD using password hash synchronization (PHS) with Seamless Single Sign-On (SSO). The security team has implemented Conditional Access policies to require multi-factor authentication (MFA) for all external access and for access to sensitive financial applications. Recently, the help desk has received numerous complaints from users working remotely that they are frequently prompted for MFA, even multiple times during a single work session, causing frustration and productivity loss. Additionally, some users report that they are unable to access certain financial applications despite being in the correct group membership. An investigation reveals that Azure AD Connect synchronization is occurring successfully and that MFA configurations appear correct. The security team suspects that the issue may be related to the Conditional Access session settings or token lifetimes. What is the BEST course of action to diagnose and resolve the primary issue of excessive MFA prompts while maintaining security?

A. Implement a privileged identity management (PIM) solution to manage access to the financial applications.
B. Increase the sign-in frequency and session timeout values in the Conditional Access policies for all users to 24 hours.
C. Review the Conditional Access policy for the financial applications to ensure that the 'Session' controls are configured to 'Use app enforced restrictions' and adjust MFA trust settings.
D. Disable Seamless SSO and require users to enter passwords each time to ensure token freshness.
Answer: C

Session controls can configure MFA reauthentication frequency and improve user experience.

Why this answer

Option C is correct because the issue of excessive MFA prompts while maintaining security is best resolved by reviewing the Conditional Access session controls. Specifically, the 'Sign-in frequency' and 'Persistent browser session' settings in the session controls determine how often users are re-prompted for MFA. By adjusting these settings (e.g., setting sign-in frequency to a longer duration like 24 hours) and ensuring MFA trust settings are configured to allow trusted devices or locations, the security team can reduce unnecessary prompts without weakening security.

This directly addresses the user complaints while keeping Conditional Access policies intact.

Exam trap

The trap here is that candidates may confuse session controls with authentication methods or assume that increasing token lifetimes globally (Option B) is the solution, when in fact the issue is about Conditional Access session settings that control MFA re-prompt behavior, not about overall token expiration.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged access management, not for controlling MFA prompt frequency for general users accessing financial applications. Option B is wrong because blindly increasing sign-in frequency and session timeout values to 24 hours for all users could weaken security by allowing prolonged access without re-authentication, and it does not address the specific session control misconfiguration that causes excessive prompts. Option D is wrong because disabling Seamless SSO would force users to re-enter passwords frequently, increasing friction and not resolving the MFA prompt issue; token freshness is already managed by token lifetimes and session settings, not by disabling SSO.

783
MCQ · medium

Refer to the exhibit. Based on the exhibit, what does the sequence of requests indicate?

A. A session hijacking attempt
B. A successful brute-force attack
C. A privilege escalation attempt
D. A directory traversal attack
Answer: C

After being denied access to /admin/dashboard, the user immediately obtains access, suggesting elevation of privileges.

Why this answer

The sequence of requests shows a user accessing a low-privilege resource (e.g., /user/profile) and then immediately requesting a high-privilege resource (e.g., /admin/config) without proper authentication or authorization checks. This pattern indicates an attempt to escalate privileges by exploiting missing access controls, which is a classic privilege escalation attempt.

Exam trap

The trap here is confusing a privilege escalation attempt with a session hijacking attempt, as both involve unauthorized access, but privilege escalation focuses on vertical movement within the same session, while session hijacking steals an existing session from another user.

How to eliminate wrong answers

Option A is wrong because session hijacking involves stealing or predicting a valid session token (e.g., via XSS or packet sniffing), not a sequence of requests from low to high privilege resources. Option B is wrong because a brute-force attack would show repeated login attempts with different credentials (e.g., multiple POST requests to /login), not a single pair of requests. Option D is wrong because a directory traversal attack uses path manipulation (e.g., ../) to access files outside the web root, not a change in resource privilege levels.

784
MCQ · medium

Refer to the exhibit. A RADIUS server log shows multiple successful authentications for the same user followed by failures. What is the most likely cause?

A. The user's account is locked due to multiple failed attempts
B. The user's password has expired
C. The RADIUS server is misconfigured with a wrong secret
D. The user is a victim of credential stuffing
Answer: A

After several failed attempts, the account lockout policy triggers, causing subsequent failures. The earlier successes may be from another session or before lockout.

Why this answer

The RADIUS log shows successful authentications followed by failures for the same user. This pattern indicates that the user's password was correct initially, but subsequent failures triggered an account lockout policy. Account lockout is a common security control that disables an account after a threshold of failed attempts, preventing further authentication even with the correct password.

Exam trap

The trap here is that candidates may confuse account lockout with password expiry or credential stuffing, but the specific sequence of successes followed by failures uniquely points to lockout, not a global authentication failure.

How to eliminate wrong answers

Option B is wrong because a password expiry would cause failures for all attempts after expiry, not a mix of successes and failures. Option C is wrong because a misconfigured RADIUS secret would cause all authentication attempts to fail, not just some. Option D is wrong because credential stuffing typically results in a burst of failures from different IP addresses or user agents, not a pattern of successes followed by failures for the same user.

785
MCQ · easy

A security analyst is conducting a review of aggregated logs from firewalls, IDS, and servers to detect anomalous behavior. This activity is best described as:

A. Security log analysis
B. Risk assessment
C. Vulnerability scanning
D. Penetration testing
Answer: A

Log analysis is the process of reviewing logs to detect incidents and anomalies.

Why this answer

Security log analysis involves the systematic review of logs from firewalls, IDS, and servers to identify patterns, anomalies, or indicators of compromise. This activity directly matches the scenario of detecting anomalous behavior through aggregated log review, which is a core practice in security monitoring and incident detection.

Exam trap

The trap here is confusing security log analysis (a passive, detective control) with vulnerability scanning or penetration testing (active, preventive controls), leading candidates to choose a more 'technical-sounding' option like vulnerability scanning.

How to eliminate wrong answers

Option B is wrong because risk assessment is a broader process of identifying, evaluating, and prioritizing risks, not the specific act of reviewing aggregated logs for anomalies. Option C is wrong because vulnerability scanning uses automated tools to probe systems for known weaknesses (e.g., missing patches, misconfigurations), not to analyze historical log data for anomalous behavior. Option D is wrong because penetration testing is an active, simulated attack to exploit vulnerabilities, not a passive review of log data.

786
MCQ · easy

Which of the following is a primary purpose of conducting a tabletop exercise for incident response?

A. Measure the effectiveness of backup restoration.
B. Validate communication and decision-making processes.
C. Test technical capabilities of security tools.
D. Identify unpatched vulnerabilities in systems.
Answer: B

Focuses on team coordination and escalation paths.

Why this answer

A tabletop exercise is a discussion-based session where participants walk through a simulated incident scenario to evaluate the effectiveness of communication channels, decision-making hierarchies, and coordination among stakeholders. It does not involve live systems or technical testing, so its primary purpose is to validate the procedural and human elements of the incident response plan, such as who notifies whom and how escalation decisions are made.

Exam trap

The trap here is that candidates confuse a tabletop exercise with a technical drill or live-fire exercise, mistakenly thinking it tests tool capabilities or system-level actions, when in fact it strictly evaluates human processes and communication workflows.

How to eliminate wrong answers

Option A is wrong because measuring backup restoration effectiveness requires a hands-on technical test (e.g., a recovery drill or restore validation), not a discussion-based tabletop exercise. Option C is wrong because testing technical capabilities of security tools (e.g., SIEM rule tuning or firewall ACLs) demands live execution or simulation in a lab environment, not a walkthrough. Option D is wrong because identifying unpatched vulnerabilities is the domain of vulnerability scanning (e.g., using Nessus or OpenVAS) or penetration testing, not a tabletop exercise which focuses on process and communication.

787
MCQ · easy

Which of the following is a lightweight directory access protocol used for accessing and maintaining distributed directory information?

A. OAuth
B. LDAP
C. Kerberos
D. SAML
Answer: B

LDAP is the correct protocol for directory access.

Why this answer

LDAP (Lightweight Directory Access Protocol) is used for directory services.

788
Multi-Select · hard

Which THREE of the following are essential components of a software supply chain security program? (Select exactly three.)

Select 3 answers
A. Using signed and verified software artifacts
B. Maintaining a software bill of materials (SBOM) for all dependencies
C. Running penetration tests on the production environment
D. Conducting static analysis on all in-house code
E. Performing security assessments on third-party vendors
Answers: A, B, E

Signing ensures integrity and authenticity of artifacts.

Why this answer

Using signed and verified software artifacts ensures integrity and authenticity throughout the software supply chain. By applying cryptographic signatures (e.g., GPG or Sigstore) to artifacts and verifying them before use, organizations can detect tampering and confirm the artifact originated from a trusted source. This is a foundational control to prevent malicious code injection during transit or storage.

Exam trap

Cisco often tests the distinction between general security practices (like penetration testing or static analysis) and the specific, unique controls required for software supply chain security, such as artifact signing and vendor assessments.

789
MCQ · easy

Which of the following is the PRIMARY purpose of the confidentiality principle in the CIA triad?

A. Preventing unauthorized access to information
B. Ensuring data is accurate and complete
C. Ensuring that users are who they claim to be
D. Guaranteeing that systems are available when needed
Answer: A

Confidentiality is about protecting information from unauthorized disclosure.

Why this answer

Confidentiality ensures that information is not disclosed to unauthorized individuals, entities, or processes.

790
Multi-Select · easy

An organization plans to allow employees to access third-party SaaS applications using their corporate credentials. Which THREE are necessary components for implementing SAML-based identity federation?

Select 3 answers
A. Service Provider (SP)
B. Bcrypt password hashing
C. Identity Provider (IdP)
D. RADIUS server
E. XML digital signatures
Answers: A, C, E

The SP consumes SAML assertions to grant access to the application.

Why this answer

Option A is correct because the Service Provider (SP) is the entity that hosts the SaaS application and relies on the Identity Provider (IdP) to authenticate users. In SAML-based identity federation, the SP receives a SAML assertion from the IdP and uses it to grant access, making it a necessary component of the trust relationship.

Exam trap

The trap here is that candidates confuse authentication protocols (like RADIUS or password hashing) with federation components, forgetting that SAML is an XML-based assertion framework that requires an IdP, SP, and digital signatures, not network-level or storage mechanisms.

791
MCQ · hard

A financial institution has developed a trading application that sends orders via an internal API. The application processes high-frequency trades and must ensure non-repudiation of orders. The development team implemented digital signatures using RSA with SHA-256. However, testers found that occasionally two different orders produce the same signature. The team suspects a collision resistance issue. After reviewing the implementation, they notice that the private key is generated using a deterministic key generation algorithm that uses a fixed seed derived from the current timestamp. The signatures are generated by signing the order hash directly. What is the most likely root cause of the signature collision?

A. The hash function SHA-256 provides insufficient collision resistance for the order volume.
B. The use of a fixed seed for key generation leads to weak keys, making it possible for an attacker to forge signatures.
C. The private key is reused across multiple instances, causing storage conflicts.
D. The signature algorithm does not use a random salt or padding, causing deterministic signatures that can collide when the same order is processed twice.
Answer: D

Deterministic signatures produce the same output for the same input; if two orders have identical hashes (e.g., due to data equality or collision), they yield identical signatures.

Why this answer

Option D is correct because the deterministic nature of RSA digital signatures without a random salt or padding (like PSS) means that signing the same hash twice produces identical signatures. In this scenario, if two different orders produce the same hash (due to a collision in SHA-256, which is extremely unlikely), or if the same order is processed twice, the deterministic signature will collide. The core issue is that the implementation signs the hash directly without using probabilistic padding (e.g., RSA-PSS), which would introduce randomness and prevent identical signatures for identical hashes.

Exam trap

Cisco often tests the distinction between deterministic and probabilistic signature schemes, and the trap here is that candidates incorrectly attribute the collision to a hash function weakness (Option A) rather than recognizing that the deterministic nature of the signature algorithm (without random padding) is the root cause.

How to eliminate wrong answers

Option A is wrong because SHA-256 provides 128 bits of collision resistance, which is more than sufficient for any realistic order volume; a collision in SHA-256 is astronomically improbable and not the cause of occasional signature collisions. Option B is wrong because while a fixed seed for key generation can produce weak keys if predictable, the question describes signature collisions, not key compromise or forgery; weak keys would not cause two different orders to produce the same signature. Option C is wrong because private key reuse across instances does not cause signature collisions; it could lead to security issues like key compromise, but not to identical signatures from different orders.
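The deterministic versus probabilistic distinction this explanation relies on, shown in an added Python example that is not part of the question bank: PKCS#1 v1.5 signs the prehashed SHA-256 order digest and repeats its output byte for byte when the same order is signed again, while RSA-PSS draws a fresh salt each time, and under neither scheme do two distinct digests share a signature. It assumes the `cryptography` package is installed; the orders and the test key are constructed here.

```python
"""Deterministic (PKCS#1 v1.5) versus randomized (RSA-PSS) signatures
over an order digest. Added illustration, not code from the question bank.
Assumes the `cryptography` package; the order records and the 2048-bit
test key are constructed here and belong to no real system.
"""
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils

# RSA-PSS with a maximal random salt: a fresh salt is drawn on every call,
# so two signatures over the same digest differ yet both verify.
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)
# The trading app signs the SHA-256 digest directly, so tell the library
# that the input is already a digest rather than the raw order.
PREHASHED = utils.Prehashed(hashes.SHA256())


def order_digest(order: bytes) -> bytes:
    """SHA-256 of the serialized order; this is what gets signed."""
    return hashlib.sha256(order).digest()


def sign_deterministic(key: rsa.RSAPrivateKey, digest: bytes) -> bytes:
    """PKCS#1 v1.5: no randomness, so equal digests give identical signatures."""
    return key.sign(digest, padding.PKCS1v15(), PREHASHED)


def sign_randomized(key: rsa.RSAPrivateKey, digest: bytes) -> bytes:
    """PSS: the random salt makes each signature over the same digest unique."""
    return key.sign(digest, PSS, PREHASHED)


def verify(pub: rsa.RSAPublicKey, sig: bytes, digest: bytes,
           randomized: bool) -> bool:
    """True when sig is a valid signature of digest under the chosen scheme."""
    try:
        pub.verify(sig, digest, PSS if randomized else padding.PKCS1v15(),
                   PREHASHED)
        return True
    except InvalidSignature:
        return False


def compare_schemes() -> dict:
    """Sign one order twice (the 'same order processed twice' case) and a
    second order differing by one byte; report what each scheme does."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub = key.public_key()
    # Constructed sample orders; order_b differs from order_a only in its id.
    order_a = b'{"id":1001,"symbol":"ACME","side":"BUY","qty":500}'
    order_b = b'{"id":1002,"symbol":"ACME","side":"BUY","qty":500}'
    dig_a, dig_b = order_digest(order_a), order_digest(order_b)

    det_a1 = sign_deterministic(key, dig_a)
    det_a2 = sign_deterministic(key, dig_a)   # same order, signed again
    det_b = sign_deterministic(key, dig_b)
    pss_a1 = sign_randomized(key, dig_a)
    pss_a2 = sign_randomized(key, dig_a)

    return {
        # Option D's point: deterministic padding repeats the signature.
        "deterministic_repeats_for_same_order": det_a1 == det_a2,
        # Distinct digests never share a signature under either scheme.
        "deterministic_collides_across_orders": det_a1 == det_b,
        "randomized_repeats_for_same_order": pss_a1 == pss_a2,
        "all_signatures_verify": (
            verify(pub, det_a1, dig_a, False)
            and verify(pub, pss_a1, dig_a, True)
            and verify(pub, pss_a2, dig_a, True)
        ),
        # A signature does not transfer to another order's digest.
        "signature_rejected_for_other_order": not verify(pub, det_a1, dig_b, False),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```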

792
MCQ · medium

A multinational corporation has experienced several security incidents where terminated employees retained access to internal systems for weeks after their departure. The HR department manually terminates accounts by sending notifications to IT, but the process is often delayed or missed. The company uses an identity management system (IDM) that supports automated provisioning and deprovisioning. The security team is tasked with reducing the risk of unauthorized access by former employees. Which of the following is the most effective course of action?

A. Integrate the HR system with the identity management system for automated deprovisioning
B. Require terminated employees to change their passwords upon exit
C. Increase frequency of access reviews and audits to identify stale accounts
D. Implement a user self-service portal for managers to disable accounts
Answer: A

Automated deprovisioning ensures accounts are disabled immediately when an employee is terminated.

Why this answer

Integrating the HR system with the identity management (IDM) system enables automated deprovisioning, ensuring that when an employee is terminated in HR records, the IDM immediately triggers account disablement across all connected systems. This eliminates the manual delay and human error inherent in the current notification-based process, directly addressing the root cause of the risk.

Exam trap

The trap here is that candidates often choose 'increase access reviews' (Option C) because it sounds like a thorough security measure, but they fail to recognize that it is a detective control that does not prevent the immediate risk of unauthorized access by former employees.

How to eliminate wrong answers

Option B is wrong because requiring terminated employees to change their passwords upon exit is impractical and insecure; former employees cannot be relied upon to perform this action, and it does not prevent access if they refuse or forget. Option C is wrong because increasing the frequency of access reviews and audits only identifies stale accounts after the fact, not preventing access in the critical window between termination and review; it is a detective control, not a preventive one. Option D is wrong because a user self-service portal for managers to disable accounts still relies on manual action by managers, which can be delayed, forgotten, or misused, and does not provide the automated, policy-driven deprovisioning that an integrated HR-IDM system offers.

793
Multi-Select · medium

Which TWO of the following are essential components of a data classification policy? (Select two.)

Select 2 answers
A. Data retention periods for each classification level
B. Roles and responsibilities for data classification
C. Definition of classification levels (e.g., public, confidential, secret)
D. Methods for secure data destruction
E. Encryption standards for each classification level
Answers: B, C

Defining who is responsible for classifying data is essential.

Why this answer

Roles and responsibilities are essential because a data classification policy must clearly define who is accountable for classifying data, who can assign classification levels, and who is responsible for maintaining the labels. Without this, classification efforts become inconsistent and unenforceable, leading to security gaps. The CISSP emphasizes that governance requires clear assignment of ownership and decision-making authority for data assets.

Exam trap

ISC2 often tests the distinction between a data classification policy (which defines levels and roles) and supporting policies (retention, encryption, destruction) that operationalize the classification but are not core components of the classification policy itself.

794
MCQ · hard

Refer to the exhibit. A cloud security architect is designing access control for an S3 bucket. This policy is attached to an IAM role. Which access control model does this policy primarily implement?

A. Discretionary Access Control (DAC)
B. Role-Based Access Control (RBAC)
C. Mandatory Access Control (MAC)
D. Attribute-Based Access Control (ABAC)
Answer: D

ABAC evaluates attributes (tags) to grant access.

Why this answer

The policy uses condition keys like `s3:prefix`, `s3:versionid`, and `s3:locationconstraint` to control access based on resource attributes, not on user identity or role alone. This is the defining characteristic of Attribute-Based Access Control (ABAC), where access decisions are made dynamically by evaluating attributes of the user, resource, or environment. AWS S3 bucket policies with condition blocks that reference resource tags or S3-specific keys are a classic implementation of ABAC.

Exam trap

The trap here is that candidates see 'IAM role' and immediately think RBAC, but the policy's reliance on condition keys (attributes) rather than role names or static permissions is the hallmark of ABAC, not RBAC.

How to eliminate wrong answers

Option A is wrong because Discretionary Access Control (DAC) allows the resource owner to set permissions at their discretion (e.g., using ACLs), but this policy is attached to an IAM role and uses condition-based logic, not owner-granted permissions. Option B is wrong because Role-Based Access Control (RBAC) assigns permissions based on a user's role, but this policy does not reference any role-specific identifiers; it evaluates attributes like prefix and version ID. Option C is wrong because Mandatory Access Control (MAC) enforces system-wide labels and clearance levels (e.g., Bell-LaPadula), which are not present in this policy; AWS IAM does not natively implement MAC.

795
MCQ · hard

Refer to the exhibit. The ACL is applied inbound on the DMZ interface. What is the effect of this configuration?

A. The ACL permits all HTTP traffic to the web server and blocks all other traffic.
B. The ACL allows HTTP requests to the web server and allows the web server to respond, but blocks it from initiating new connections to the inside.
C. The ACL permits the web server to respond to HTTP requests but blocks all other outbound traffic.
D. The ACL allows the web server to initiate connections to the internal network.
Answer: B

Correct as explained.

Why this answer

The ACL is applied inbound on the DMZ interface, meaning it filters traffic entering the DMZ from the outside. The specific permit statement allows HTTP (TCP port 80) traffic from any source to the web server's IP address. Because the ACL is inbound, it only controls traffic arriving at the DMZ interface; return traffic from the web server to the inside is not subject to this ACL (it is evaluated by the outbound ACL on the inside interface or by stateful inspection).

Thus, the web server can respond to HTTP requests (which are part of the same session), but it cannot initiate new connections to the inside because those would be outbound from the DMZ and not permitted by the inbound ACL on the DMZ interface.

Exam trap

ISC2 often tests the distinction between inbound and outbound ACL application, tricking candidates into thinking an inbound ACL on the DMZ interface controls outbound traffic from the DMZ, when in fact it only controls traffic entering the DMZ.

How to eliminate wrong answers

Option A is wrong because the ACL does not explicitly block all other traffic; it permits only HTTP traffic inbound to the web server, and other traffic (e.g., ICMP, SSH) is dropped by the implicit deny all at the end of the ACL rather than by an explicit block. Option C is wrong because the ACL is applied inbound on the DMZ interface, so it controls traffic entering the DMZ, not outbound traffic from the web server; the web server's responses are part of the established session and are not blocked by this inbound ACL. Option D is wrong because the ACL does not permit the web server to initiate connections to the internal network; it only permits inbound HTTP traffic to the web server, and any new connection from the web server to the inside would be outbound from the DMZ and would be denied by the implicit deny unless a separate permit statement exists.

796
MCQ · easy

Which of the following BEST describes the difference between a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP)?

A. BCP deals with natural disasters, DRP deals with cyberattacks
B. BCP is for IT systems, DRP is for business processes
C. BCP is a subset of DRP
D. BCP ensures business functions continue, DRP restores IT operations
Answer: D

This is the correct distinction.

Why this answer

D is correct because the Business Continuity Plan (BCP) focuses on maintaining critical business functions during and after a disruption, ensuring minimal impact on operations, while the Disaster Recovery Plan (DRP) is a subset of BCP that specifically addresses the restoration of IT infrastructure, systems, and data after a disaster. The BCP encompasses broader organizational resilience, including manual workarounds and alternate sites, whereas the DRP targets technical recovery procedures such as system rebuilds, data restoration from backups, and failover to redundant systems.

Exam trap

The trap here is that candidates often confuse the scope of BCP and DRP, mistakenly thinking BCP is only for business processes and DRP only for IT, when in fact BCP is the overarching plan that includes DRP as a component for IT recovery.

How to eliminate wrong answers

Option A is wrong because BCP and DRP are not distinguished by the type of disaster; both plans address a wide range of incidents including natural disasters, cyberattacks, and human errors. Option B is wrong because it reverses the roles: BCP covers business processes and continuity strategies, while DRP is specifically for IT systems and technical recovery. Option C is wrong because it incorrectly states that BCP is a subset of DRP; in reality, the DRP is a subset of the BCP, as the BCP includes the DRP along with other continuity elements like crisis communication and alternate site activation.

797
MCQ · medium

A financial application requires two employees to authorize a wire transfer. Which principle does this implement?

A. Least privilege
B. Separation of duties
C. Need-to-know
D. Zero standing privileges
Answer: B

Requiring two people to authorize a transfer is SoD.

Why this answer

Separation of duties (SoD) is the principle that requires two or more individuals to complete a sensitive transaction, such as a wire transfer, to prevent fraud or error. By mandating two employees to authorize the transfer, the application ensures no single person has unchecked control over the entire process, enforcing a dual-control mechanism. This directly implements the SoD principle, which is a core access control concept in identity and access management.

Exam trap

The trap here is that candidates confuse separation of duties with least privilege, thinking that limiting permissions alone achieves the same goal, but least privilege does not prevent a single user from performing all steps of a critical process.

How to eliminate wrong answers

Option A is wrong because least privilege grants users only the minimum permissions needed to perform their job, but it does not require multiple people to authorize a single action; that is a separate control. Option C is wrong because need-to-know restricts access to information based on necessity for a specific task, not the collaborative authorization of a transaction. Option D is wrong because zero standing privileges (ZSP) removes persistent access rights and grants them just-in-time, but it does not inherently enforce dual authorization for a single operation.

798
Matching · medium

Match each access control type to its description.


Owner controls access permissions

System-enforced based on labels

Access based on job roles

Access based on rules and policies

Why these pairings

These are the main access control models.

799
MCQ · medium

A company recently suffered a data breach where an attacker was able to intercept network traffic and read sensitive data. Which network security control should be implemented to prevent this type of attack?

A. Encryption at the network layer (e.g., IPsec)
B. Network segmentation
C. Intrusion prevention system (IPS)
D. Strong password policies
Answer: A

IPsec encrypts IP packets, making intercepted data unreadable without decryption keys.

Why this answer

IPsec operates at the network layer (Layer 3) and provides encryption of the entire IP packet, including the payload, ensuring that even if an attacker intercepts the traffic, the data remains unreadable. This directly addresses the scenario where an attacker reads sensitive data from intercepted network traffic, as IPsec can be configured in transport mode for end-to-end encryption or tunnel mode for VPNs.

Exam trap

ISC2 often tests the misconception that network segmentation (Option B) prevents data interception, but segmentation only limits lateral movement, not the ability to read traffic within the same segment.

How to eliminate wrong answers

Option B is wrong because network segmentation (e.g., VLANs, subnets) limits the scope of traffic an attacker can reach but does not encrypt data; an attacker who intercepts traffic within a segment can still read it in plaintext. Option C is wrong because an intrusion prevention system (IPS) detects and blocks malicious patterns in traffic but does not encrypt data; it cannot prevent an attacker from reading already intercepted plaintext traffic. Option D is wrong because strong password policies control authentication and access but do not protect data in transit; an attacker who intercepts network traffic can bypass password controls entirely.

800
Multi-Select · hard

A company needs to protect data at rest in a cloud storage system. Which THREE encryption methods are appropriate for this purpose?

Select 3 answers
A. Stream cipher without authentication (e.g., RC4)
B. Client-side encryption with key management
C. MD5 hashing
D. AES-256 in GCM mode
E. Envelope encryption
Answers: B, D, E

Client-side encryption ensures data is encrypted before reaching the cloud, and keys are controlled by the client.

Why this answer

Client-side encryption with key management (B) ensures data is encrypted before it leaves the client device, so the cloud provider never has access to plaintext or the encryption keys. This is a fundamental control for protecting data at rest in untrusted environments, as it decouples key management from the storage provider.

Exam trap

The trap here is that candidates may confuse hashing (MD5) with encryption, or assume that any cipher (like RC4) is acceptable for data at rest, ignoring the critical need for authentication and integrity in storage systems.
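An added Python example, not the question bank's code, that combines the three correct options: each stored object gets its own data key, the data is encrypted client-side with AES-256-GCM, the data key is wrapped under a separate key-encryption key that stands in for a KMS-held master key, and the GCM tag rejects tampered ciphertext, a renamed object, or the wrong master key. It assumes the `cryptography` package; every key and record is constructed here.

```python
"""Envelope encryption for an object at rest: AES-256-GCM for the data,
a key-encryption key (KEK) to wrap the per-object data key (DEK).
Added illustration, not code from the question bank. Assumes the
`cryptography` package; the KEK stands in for a KMS/HSM master key and
all sample data is constructed here.
"""
import os
from dataclasses import dataclass, replace
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the recommended size for GCM


@dataclass(frozen=True)
class EnvelopeObject:
    """What is written to cloud storage: ciphertext, both nonces, and the
    wrapped DEK. The object name is bound to both as authenticated data."""
    name: str
    ciphertext: bytes      # AES-GCM output: data || 16-byte tag
    data_nonce: bytes
    wrapped_dek: bytes     # DEK encrypted under the KEK, with its own tag
    wrap_nonce: bytes


def new_kek() -> bytes:
    """Master key. In production this never leaves the KMS/HSM; here it is
    generated locally so the example runs offline."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_object(kek: bytes, name: str, plaintext: bytes) -> EnvelopeObject:
    """Client-side envelope encryption: fresh DEK per object, DEK wrapped by KEK."""
    dek = AESGCM.generate_key(bit_length=256)
    data_nonce = os.urandom(NONCE_LEN)
    # The object name is AAD, so a ciphertext cannot be moved to another name.
    ciphertext = AESGCM(dek).encrypt(data_nonce, plaintext, name.encode())
    wrap_nonce = os.urandom(NONCE_LEN)
    wrapped = AESGCM(kek).encrypt(wrap_nonce, dek, name.encode())
    return EnvelopeObject(name, ciphertext, data_nonce, wrapped, wrap_nonce)


def decrypt_object(kek: bytes, obj: EnvelopeObject) -> Optional[bytes]:
    """Unwrap the DEK, then decrypt. Returns None when either GCM tag fails,
    which is how tampering with the stored object or its key shows up."""
    aad = obj.name.encode()
    try:
        dek = AESGCM(kek).decrypt(obj.wrap_nonce, obj.wrapped_dek, aad)
        return AESGCM(dek).decrypt(obj.data_nonce, obj.ciphertext, aad)
    except InvalidTag:
        return None


def flip_bit(obj: EnvelopeObject) -> EnvelopeObject:
    """Simulate storage-side corruption or tampering: one bit of ciphertext."""
    ct = bytearray(obj.ciphertext)
    ct[0] ^= 0x01
    return replace(obj, ciphertext=bytes(ct))


def demo() -> dict:
    kek = new_kek()
    record = b"account=12345;balance=1000.00"   # constructed sample record
    obj = encrypt_object(kek, "ledger/2024-01.json", record)
    return {
        "round_trip_ok": decrypt_object(kek, obj) == record,
        "plaintext_absent_from_storage": record not in obj.ciphertext,
        "tampered_rejected": decrypt_object(kek, flip_bit(obj)) is None,
        "renamed_rejected": decrypt_object(kek, replace(obj, name="other")) is None,
        "wrong_kek_rejected": decrypt_object(new_kek(), obj) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```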

801
MCQ · hard

An organization wants to ensure that its web application is secure by analyzing the source code for vulnerabilities without executing the code. Which type of testing is most appropriate?

A. Interactive Application Security Testing (IAST)
B. Dynamic Application Security Testing (DAST)
C. Runtime Application Self-Protection (RASP)
D. Static Application Security Testing (SAST)
Answer: D

SAST analyzes source code without execution, identifying vulnerabilities in the code itself.

Why this answer

SAST (Static Application Security Testing) analyzes source code at rest, without executing it, making it ideal for finding vulnerabilities early in the development lifecycle.

802
MCQ · hard

Under the PCI DSS, which of the following best describes a 'cardholder data environment' (CDE)?

A. A physical room where payment cards are stored
B. Any system that connects to the internet
C. Systems that store, process, or transmit cardholder data
D. A network segment that contains only point-of-sale devices
Answer: C

This is the PCI DSS definition of CDE.

Why this answer

The CDE includes people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. Segmentation is used to isolate the CDE from other networks.

803
MCQ · medium

An organization wants to verify that its security policies are being followed by employees. Which testing method is most appropriate?

A. Compliance audit
B. Vulnerability scan
C. Risk assessment
D. Penetration test
Answer: A

A compliance audit verifies adherence to policies and standards.

Why this answer

A compliance audit is the most appropriate method to verify that security policies are being followed because it systematically compares actual practices, configurations, and controls against documented policy requirements. Unlike technical scans that identify vulnerabilities, a compliance audit focuses on adherence to rules, standards, and procedures, often using checklists derived from frameworks like ISO 27001 or NIST SP 800-53.

Exam trap

The trap here is that candidates confuse 'compliance audit' with 'vulnerability scan' because both involve checking systems, but the audit is specifically about policy adherence by people and processes, not technical flaws.

How to eliminate wrong answers

Option B (Vulnerability scan) is wrong because it identifies technical weaknesses in systems (e.g., missing patches, open ports) but does not assess whether employees are following security policies such as password handling or data classification procedures. Option C (Risk assessment) is wrong because it evaluates the likelihood and impact of threats to assets, not the degree of policy compliance by personnel. Option D (Penetration test) is wrong because it simulates attacks to exploit vulnerabilities and gain unauthorized access, focusing on technical defenses rather than verifying employee adherence to policies.

804
Multi-Select · medium

A security architect is designing a Single Sign-On (SSO) solution for a web application that needs to support authentication and authorization. Which TWO of the following protocols are best suited for this purpose? (Select TWO)

Select 2 answers
A. Kerberos
B. LDAP
C. OpenID Connect (OIDC)
D. SAML 2.0
E. OAuth 2.0
Answers: C, D

OIDC adds authentication to OAuth 2.0.

Why this answer

SAML 2.0 and OpenID Connect (OIDC) are both SSO protocols that provide authentication and authorization. OAuth 2.0 alone provides only authorization.

805
MCQ · easy

A company experiences a data breach. Which step should be taken first according to best practices?

A. Inform affected parties
B. Contain the breach
C. Notify law enforcement
D. Assess the damage
Answer: B

Containment stops the incident from spreading and limits its impact.

Why this answer

According to incident response best practices (NIST SP 800-61), the first priority after confirming a breach is to contain it. This prevents further data exfiltration, limits lateral movement by an attacker, and preserves forensic evidence. Containment actions may include isolating affected systems, blocking malicious IPs at the firewall, or revoking compromised credentials.

Exam trap

The trap here is that candidates confuse the urgency of notification (A) or assessment (D) with the immediate need to stop the attack, forgetting that containment is the foundational step that enables all subsequent actions.

How to eliminate wrong answers

Option A is wrong because informing affected parties prematurely can alert the attacker, destroy evidence, and violate legal hold requirements; notification should occur after containment and forensic analysis. Option C is wrong because notifying law enforcement is a secondary step that typically occurs after containment and initial assessment, and may not be required in all jurisdictions. Option D is wrong because assessing the damage before containment allows the breach to continue spreading, increasing data loss and making recovery more difficult.

806
MCQ · hard

A security engineer is analyzing a vulnerability where an attacker can cause a buffer overflow on the stack. Which mitigation technique randomizes memory addresses to make it harder for the attacker to predict the location of shellcode or return addresses?

A. ASLR
B. SafeSEH
C. Stack canaries
D. DEP/NX bit
Answer: A

Correct. ASLR randomizes memory addresses.

Why this answer

ASLR (Address Space Layout Randomization) randomizes the base addresses of stack, heap, and libraries, making it difficult for an attacker to guess memory addresses.

807
Multi-Select · hard

An organization is acquiring a third-party software product. Which THREE of the following should be included in the security assessment of the vendor?

Select 3 answers
A. Vulnerability scanning of dependencies
B. Reviewing the Software Bill of Materials (SBOM)
C. Verifying software license compliance
D. Performing a vendor security assessment
E. Ensuring code signing is used in the vendor's development process
Answers: A, B, D

Scanning identifies known vulnerabilities in libraries.

Why this answer

Reviewing the SBOM, vulnerability scanning of dependencies, and vendor security assessments are key elements of third-party security evaluation. Code signing is a deployment control, not assessment; license compliance is legal but not security-specific.

808
MCQ · hard

During a risk assessment, a critical asset has a vulnerability with a CVSS score of 9.0. Which risk treatment strategy is most appropriate if the cost to mitigate exceeds the asset's value?

A. Transfer
B. Acceptance
C. Avoidance
D. Mitigation
Answer: A

Transfers financial impact to a third party, such as cyber insurance.

Why this answer

A CVSS score of 9.0 indicates a critical vulnerability that could severely impact the asset's confidentiality, integrity, or availability. When the cost to mitigate (e.g., implementing patches, compensating controls, or redesign) exceeds the asset's financial value, the most cost-effective risk treatment is to transfer the risk, typically through cyber insurance or outsourcing to a managed security service provider (MSSP). This shifts the financial burden of a potential exploit to a third party without incurring prohibitive remediation costs.

Exam trap

The trap here is that candidates mistakenly choose 'Mitigation' because they assume any high-severity vulnerability must be fixed, ignoring the economic principle that risk treatment should be cost-justified relative to the asset's value.

How to eliminate wrong answers

Option B (Acceptance) is wrong because acceptance is only appropriate when the residual risk is within the organization's risk appetite and the cost of mitigation is not justified; however, a CVSS 9.0 vulnerability represents a high-severity risk that, if exploited, could cause disproportionate damage, making passive acceptance imprudent without explicit senior management approval and a formal risk acceptance process. Option C (Avoidance) is wrong because avoidance means eliminating the risk by discontinuing the activity or decommissioning the asset, which is often too drastic and may not be feasible if the asset is critical to business operations; the question does not indicate that the asset can be removed. Option D (Mitigation) is wrong because mitigation involves reducing the vulnerability's likelihood or impact through controls, but the prompt explicitly states that the cost to mitigate exceeds the asset's value, making mitigation economically unjustifiable and a poor use of resources.

809
Matching · medium

Match each threat type to its description.


Fraudulent emails to obtain sensitive info

Targeted phishing at specific individuals

Phishing targeting senior executives

Voice phishing over phone

Phishing via SMS

Why these pairings

These are common social engineering attacks.

810
MCQ · medium

During the requirements gathering phase of a secure SDLC, the team uses a threat modeling approach that focuses on identifying threats such as spoofing, tampering, and denial of service. Which threat modeling methodology is being employed?

A. PASTA
B. Trike
C. STRIDE
D. OCTAVE
Answer: C

STRIDE directly maps to the threats mentioned.

Why this answer

STRIDE is a threat modeling framework developed by Microsoft that categorizes threats into six categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

811
Multi-Select · medium

A security auditor is reviewing an organization's governance framework. Which TWO of the following are commonly used frameworks for IT governance and security management?

Select 2 answers
A. ISO/IEC 27001
B. PMBOK
C. TOGAF
D. COBIT 2019
E. Six Sigma
Answers: A, D

ISO/IEC 27001 is an information security management standard.

Why this answer

COBIT 2019 is a framework for IT governance and management. ISO/IEC 27001 is an international standard for information security management systems.

812
MCQ · hard

An organization is designing a multicast network for live video streaming. They need to ensure that only authorized receivers can access the multicast group. Which technique should be implemented?

A. IGMP filtering
B. Multicast VLAN registration
C. Static IGMP entries
D. IGMP snooping with port security
Answer: A

IGMP filtering restricts which hosts can join multicast groups via IGMP messages.

Why this answer

IGMP filtering allows the network to control which hosts are permitted to join a multicast group by filtering IGMP membership reports at the access layer. This ensures that only authorized receivers can become members of the multicast group, providing access control for live video streaming. It is the most direct technique for enforcing authorization at the receiver level.

Exam trap

The trap here is that candidates confuse IGMP snooping (which optimizes multicast traffic delivery) with IGMP filtering (which enforces access control), leading them to pick IGMP snooping with port security as a security measure when it only controls traffic flooding, not authorization.

How to eliminate wrong answers

Option B is wrong because Multicast VLAN Registration (MVR) is designed to efficiently deliver multicast traffic across VLANs, not to enforce receiver authorization. Option C is wrong because static IGMP entries manually assign a host to a multicast group without any dynamic authorization check, which does not scale or enforce per-receiver access control. Option D is wrong because IGMP snooping with port security only monitors and restricts traffic based on MAC addresses or port-level security, not IGMP group membership authorization; it does not prevent an unauthorized host from sending a valid IGMP join.

813
Multi-Select · easy

Which TWO features are true of IPsec tunnel mode compared to transport mode? (Select two.)

Select 2 answers
A. It provides better performance than transport mode
B. A new IP header is added to the packet
C. The entire original IP packet is encapsulated and encrypted
D. It is used for end-to-end communication between hosts
E. Only the payload of the packet is encrypted
Answers: B, C

Tunnel mode adds a new outer IP header; transport mode does not.

Why this answer

In IPsec tunnel mode, the entire original IP packet (including the original IP header) is encapsulated within a new IP packet. A new outer IP header is added, and the entire inner packet is encrypted and optionally authenticated. This is why option B is correct: a new IP header is added to the packet.

Exam trap

Cisco often tests the misconception that tunnel mode is faster because it 'tunnels' traffic, but the added encapsulation and encryption overhead actually makes it slower than transport mode; the trap is confusing the purpose (hiding internal addresses) with performance characteristics.

814
MCQ · medium

A business is evaluating risk treatment options for a high-likelihood, low-impact risk. The cost of mitigation exceeds the potential loss. Which risk treatment strategy is most appropriate?

A. Risk transfer by purchasing insurance
B. Risk acceptance with documented decision
C. Risk mitigation by implementing additional controls
D. Risk avoidance by discontinuing the activity
Answer: B

Accepting the risk is justified when cost exceeds benefit.

Why this answer

When the cost of mitigation exceeds the potential loss, risk acceptance is the most cost-effective strategy. The business formally acknowledges the risk and documents the decision to accept it, often because the residual risk is within the organization's risk appetite. This aligns with the principle that not all risks must be mitigated or transferred if the economic justification is absent.

Exam trap

The trap here is that candidates often assume insurance (transfer) is always the best option for any risk, but the CISSP exam emphasizes cost-benefit analysis, making acceptance the correct choice when mitigation costs exceed the potential loss.

How to eliminate wrong answers

Option A is wrong because risk transfer via insurance typically involves paying a premium that may exceed the potential loss, and insurance is more suitable for low-likelihood, high-impact risks, not high-likelihood, low-impact ones. Option C is wrong because risk mitigation by implementing additional controls would cost more than the potential loss, violating the cost-benefit analysis that underpins risk treatment decisions. Option D is wrong because risk avoidance by discontinuing the activity would eliminate the risk but also forfeit any business benefit, which is disproportionate for a low-impact risk that can be accepted at lower cost.

815
MCQ · hard

During a penetration test, the tester gains access to a server and finds sensitive customer data. What should the tester do next?

A. Exfiltrate the data to demonstrate the risk
B. Delete the data to prevent exposure
C. Continue testing to find more vulnerabilities
D. Report the finding immediately and secure the data
Answer: D

This follows responsible disclosure and protects the organization's data.

Why this answer

Option D is correct because the tester's primary responsibility is to protect sensitive data and minimize risk. Upon discovering PII or other regulated data, the tester must immediately report the finding to the client and secure the data (e.g., by isolating the server or encrypting the data in place) to prevent unauthorized access or exposure. This aligns with the ethical hacking code of conduct and the CISSP principle of 'do no harm'.

Exam trap

The trap here is that candidates confuse the goal of demonstrating risk (which is valid in a controlled lab) with the ethical obligation to protect live data; the CISSP exam emphasizes that a tester must never exfiltrate or alter production data, even to prove a point.

How to eliminate wrong answers

Option A is wrong because exfiltrating data, even to demonstrate risk, violates confidentiality and legal agreements (e.g., GDPR, HIPAA) and could cause real harm; penetration testers must never copy or remove sensitive data without explicit written authorization. Option B is wrong because deleting data destroys evidence and could disrupt business operations or violate chain-of-custody requirements; the tester should not alter production data. Option C is wrong because continuing to test without first securing the exposed data increases the risk of further compromise and violates the responsible disclosure process; the tester must halt and report the finding immediately.

816
Multi-Select · hard

A company is recovering from a ransomware attack. Which THREE of the following are key considerations when restoring data from backups to ensure integrity and minimal downtime?

Select 3 answers
A. Ensure encryption keys for backups are available
B. Isolate the restored data from the production network until verified
C. Perform a test restoration to a separate environment
D. Validate the integrity of the backup data before restoration
E. Restore data directly to production servers to save time
Answers: B, C, D

Prevents spread of malware.

Why this answer

Isolating the restored data from production prevents reinfection. Validating backup integrity ensures clean data. Testing the restoration process ensures the backups work.

Encrypted backups also require that the decryption keys be available (option A), but that is a prerequisite for any restoration rather than one of the three integrity and downtime considerations the question asks for. Option E is wrong because restoring directly to production skips verification and risks reintroducing the malware.

817
MCQ · hard

A company is deploying a hypervisor to run multiple virtual servers. To minimize the risk of VM escape attacks, which type of hypervisor should they choose and what hardening measure is most effective?

A. Type 1 hypervisor with minimal services and regular patching
B. Type 2 hypervisor with regular patching
C. Type 2 hypervisor with host-based firewall
D. Type 1 hypervisor with no additional hardening
Answer: A

Correct. Type 1 runs directly on hardware, reducing attack surface; patching mitigates escape vulnerabilities.

Why this answer

Type 1 (bare-metal) hypervisors have a smaller attack surface than Type 2 hypervisors, which run on top of a general-purpose host operating system whose own vulnerabilities add to the exposure. Regular patching and a minimal, securely configured hypervisor are essential because VM escape vulnerabilities are typically addressed through vendor patches.

818
MCQ · medium

Which of the following is a key objective of a business impact analysis (BIA)?

A. Implement security controls
B. Identify vulnerabilities in the network
C. Test the disaster recovery plan
D. Determine the maximum tolerable downtime for critical processes
Answer: D

BIA focuses on determining recovery objectives.

Why this answer

BIA identifies critical business processes and their recovery requirements such as RTO, RPO, and maximum tolerable downtime.

819
MCQ · easy

Which security control is most effective for preventing unauthorized access to a data center?

A. Biometric authentication
B. Mantrap
C. Access logs
D. Video surveillance
Answer: B

Prevents unauthorized physical access through a controlled entry.

Why this answer

A mantrap provides a physical barrier that prevents tailgating and ensures only one person enters at a time. Biometric authentication and video surveillance are also controls, but they prevent unauthorized entry less directly. Access logs are a detective control, not a preventive one.

820
MCQ · medium

A security analyst notices that the SIEM is generating an overwhelming number of low-priority alerts from a single application server. The server is critical to operations. What is the BEST approach to reduce noise without compromising security?

A. Increase the severity threshold for that server's alerts.
B. Disable all alerts from that server.
C. Create a suppression rule for known benign patterns.
D. Exclude the server from SIEM monitoring.
Answer: C

Suppresses known benign events while keeping alerting for unusual activity.

Why this answer

Option C is correct because suppression rules allow the SIEM to filter out known benign patterns (e.g., routine service checks or scheduled scans) while still capturing genuine threats. This reduces alert fatigue without disabling monitoring for the critical server, preserving visibility into anomalous or malicious activity.

Exam trap

The trap here is that candidates confuse 'reducing noise' with 'reducing monitoring,' leading them to choose threshold increases or outright exclusion, when the correct approach is to surgically filter known benign events while maintaining full detection coverage.

How to eliminate wrong answers

Option A is wrong because increasing the severity threshold would cause the SIEM to ignore all low-severity alerts, potentially missing early indicators of compromise (e.g., reconnaissance or privilege escalation attempts) that often start as low-priority events. Option B is wrong because disabling all alerts from a critical server creates a complete blind spot, violating the principle of defense in depth and allowing attacks to go undetected. Option D is wrong because excluding the server from SIEM monitoring removes all visibility into its security posture, which is unacceptable for a critical asset and contradicts the core purpose of a SIEM.

821
MCQ · hard

An organization is implementing privacy by design for a new application that processes PII. Which practice BEST aligns with the data minimization principle?

A. Collecting only the PII required for the stated function.
B. Anonymizing data after collection.
C. Obtaining explicit consent from users.
D. Collecting all possible PII in case it is needed later.
Answer: A

This directly implements data minimization.

Why this answer

Data minimization means collecting only the personal data that is directly necessary for the specified purpose.

822
MCQ · easy

An organization wants to implement a data classification scheme for internal use. Which of the following is an example of a commercial data classification label?

A. Unclassified
B. Top Secret
C. Confidential
D. Private
Answer: D

Correct. 'Private' is a common label in commercial classification schemes for internal data.

Why this answer

Commercial classification labels often include 'Internal' or 'Confidential/Restricted' for internal business data, as opposed to government labels like 'Top Secret'.

823
MCQ · medium

A company is designing a network segmentation strategy to isolate a public-facing web server from the internal corporate network. Which of the following is the most appropriate architecture?

A. Micro-segmentation using SDN
B. VLAN with no firewall
C. Direct connection to internet without segmentation
D. DMZ (screened subnet)
Answer: D

The DMZ is specifically designed to host externally accessible services while protecting the internal network.

Why this answer

A DMZ (screened subnet) is the most appropriate architecture because it places the public-facing web server in a separate, isolated network segment that sits between the internal corporate network and the untrusted internet. Traffic from the internet is allowed only to the DMZ (typically via stateful firewall rules permitting HTTP/HTTPS on TCP ports 80/443), and traffic from the DMZ to the internal network is strictly controlled or proxied, preventing direct lateral movement. This aligns with the principle of defense in depth and is a standard CISSP-recommended design for securing publicly accessible services.

Exam trap

The trap here is that candidates often confuse VLANs with security boundaries, assuming a VLAN alone provides sufficient isolation, when in fact VLANs lack access control and are vulnerable to Layer 2 attacks, making a DMZ with firewalls the correct answer for network segmentation of public-facing services.

How to eliminate wrong answers

Option A is wrong because micro-segmentation using SDN is an advanced, granular isolation technique typically used within data centers or east-west traffic control, but it is not the standard or most appropriate architecture for isolating a single public-facing web server from the internal network; a DMZ is simpler, more established, and directly addresses the requirement. Option B is wrong because a VLAN without a firewall provides only Layer 2 separation and no access control or traffic filtering, leaving the web server and internal network vulnerable to attacks that bypass VLAN segmentation (e.g., VLAN hopping via DTP or double-tagging). Option C is wrong because a direct connection to the internet without segmentation exposes the web server and the entire internal network to unrestricted inbound and outbound traffic, violating the fundamental security principle of least privilege and offering no isolation.

824
Multi-Select · hard

An organization is implementing OpenID Connect (OIDC) for authentication. Which THREE of the following are components of OIDC? (Choose three.)

Select 3 answers
A. Authorization code flow
B. Kerberos ticket granting ticket
C. UserInfo endpoint
D. SAML assertion
E. ID token
Answers: A, C, E

OIDC uses OAuth 2.0 flows, including authorization code.

Why this answer

OIDC is an identity layer built on the OAuth 2.0 authorization framework: it reuses OAuth 2.0 flows such as the authorization code flow, adds the ID token that carries the authenticated user's identity claims, and defines the UserInfo endpoint for retrieving further claims about that user. Kerberos ticket granting tickets and SAML assertions belong to other authentication protocols, not to OIDC.

825
MCQ · medium

A government agency requires a security model that prevents users from reading documents classified above their clearance level and from writing classified information to lower-level systems. Which model enforces these constraints?

A. Bell-LaPadula
B. Biba
C. Brewer-Nash
D. Clark-Wilson
Answer: A

Correct. Bell-LaPadula enforces no read up and no write down to protect confidentiality.

Why this answer

The Bell-LaPadula model is a state machine model that enforces confidentiality via the *no read up* (simple security property) and *no write down* (*-property) rules.

Certified Information Systems Security Professional CISSP CISSP Questions 751–825 | Page 11/14 | Courseiva