Certified Information Systems Security Professional CISSP (CISSP) — Questions 826–900

990 questions total · 14 pages · All types, answers revealed

Page 12 of 14

826
MCQ · medium

A security analyst runs a vulnerability scan and sees the output shown in the exhibit. The analyst wants to remediate the most critical issue first. Which action should the analyst take to address the SQL injection vulnerability?

A. Deploy a web application firewall (WAF) with SQL injection signatures.
B. Rewrite the database query to use parameterized statements.
C. Implement strict input validation on the 'id' parameter.
D. Encode all output from the 'id' parameter using HTML entity encoding.
Answer: B

Parameterized queries prevent SQL injection by separating code from data.

Why this answer

Option B is correct because the best practice for preventing SQL injection is to use parameterized queries or prepared statements, which separate SQL logic from data. Option C is wrong because input validation alone is insufficient and can be bypassed. Option D is wrong because encoding only helps with XSS, not SQLi.

Option A is wrong because WAF rules are a compensating control but not the primary fix.

827
MCQ · medium

An employee leaves the company, and their user account is not disabled. This creates a security risk known as:

A. Orphaned account
B. Insider threat
C. Privilege creep
D. Separation of duties violation
Answer: A

An account without a valid user is an orphaned account.

Why this answer

An orphaned account is a user account that remains active in the identity management system after the employee has left the organization. This creates a security risk because the account can be exploited by attackers or former employees to gain unauthorized access to systems, data, or network resources, bypassing access controls that rely on account deactivation.

Exam trap

The trap here is that candidates may confuse 'orphaned account' with 'insider threat' because both involve a former employee, but the question specifically asks for the name of the security risk created by the account itself, not the general threat category.

How to eliminate wrong answers

Option B is wrong because an insider threat is a broader category of risk posed by individuals within the organization (current or former) who misuse their access, but the specific risk of an account not being disabled after departure is defined as an orphaned account. Option C is wrong because privilege creep refers to the gradual accumulation of excessive permissions over time for a user who remains employed, not to an account left active after termination. Option D is wrong because a separation of duties violation occurs when a single user is allowed to perform conflicting tasks (e.g., both creating and approving a purchase order), which is unrelated to the failure to disable a departed user's account.

828
MCQ · hard

A company's risk assessment identifies a high likelihood of a data breach due to outdated encryption standards. The cost to upgrade encryption is $50,000, and the estimated loss from a breach is $2,000,000. The risk manager decides to implement the upgrade. Which risk treatment option is being applied?

A. Risk acceptance
B. Risk avoidance
C. Risk enhancement
D. Risk transfer
E. Risk mitigation
Answer: E

Upgrading encryption reduces the likelihood of a breach, which is risk mitigation.

Why this answer

The risk manager is applying risk mitigation by implementing the encryption upgrade to reduce the likelihood or impact of a data breach. This directly addresses the identified risk by deploying a stronger cryptographic control, such as moving from AES-128 to AES-256 or replacing deprecated TLS 1.0/1.1 with TLS 1.3, thereby lowering the residual risk to an acceptable level.

Exam trap

The trap here is confusing risk mitigation with risk avoidance, as candidates may think avoiding outdated encryption means avoiding the risk entirely, but risk avoidance requires ceasing the risky activity, not upgrading the control.

How to eliminate wrong answers

Option A is wrong because risk acceptance would involve acknowledging the risk and taking no action to reduce it, which contradicts the decision to spend $50,000 on an upgrade. Option B is wrong because risk avoidance would mean eliminating the activity that creates the risk (e.g., ceasing all data transmission), not upgrading encryption. Option C is wrong because risk enhancement is not a standard risk treatment option; it would involve deliberately increasing risk, which is the opposite of the manager's action.

Option D is wrong because risk transfer would involve shifting the financial burden of a breach to a third party (e.g., purchasing cyber insurance), not investing in internal controls.

829
MCQ · easy

An organization is implementing a new governance framework to align IT with business goals. Which framework is specifically designed for IT service management?

A. ISO/IEC 27001
B. COBIT 2019
C. ITIL
D. NIST Cybersecurity Framework
Answer: C

ITIL provides a set of detailed practices for IT service management.

Why this answer

ITIL (Information Technology Infrastructure Library) provides best practices for IT service management.

830
Multi-Select · hard

Which THREE of the following are valid types of penetration testing based on the level of knowledge provided to the tester?

Select 3 answers
A. Blue box
B. White box
C. Grey box
D. Black box
E. Red box
Answers: B, C, D

White box: full knowledge.

Why this answer

Penetration tests can be black box (no knowledge), white box (full knowledge), or grey box (partial knowledge).

831
MCQ · medium

Refer to the exhibit. A user named Alice has encrypted files using EFS. What is a potential risk associated with the current configuration?

A. The user's certificate is self-signed, which may not be recoverable if lost.
B. The encryption algorithm is weak; AES-256 is not recommended.
C. The key length is insufficient; 256 bits is too short.
D. The files are encrypted only on the local drive; they are not protected if moved to a network share.
Answer: A

Self-signed certificates are not backed up by the domain, so if the certificate is lost, data cannot be decrypted.

832
MCQ · hard

An organization is designing its incident response team roles. Which role is primarily responsible for collecting and preserving evidence for legal proceedings?

A. Forensic investigator
B. Communications lead
C. Incident manager
D. Security analyst
Answer: A

This role is dedicated to forensic collection and preservation.

Why this answer

The forensic investigator is trained to handle evidence collection and preservation.

833
MCQ · hard

Your organization, a multinational e-commerce company, has suffered a ransomware attack that encrypted critical database servers and file shares. The ransom note demands payment in cryptocurrency within 48 hours or the data will be permanently destroyed. The company has a backup strategy that includes daily full backups and hourly incremental backups, stored both on-site and off-site. However, during the incident response, you discover that the most recent on-site backups are also encrypted because the backup server was connected to the network and affected by the same ransomware. Off-site backups are on tape and were last rotated out 72 hours ago. The CEO is pressuring to pay the ransom to restore operations quickly. Which option should the incident response team prioritize to minimize data loss and reputational damage?

A. Pay the ransom and hope the attackers provide a working decryption key.
B. Restore data from the off-site tape backups taken 72 hours ago.
C. Rebuild servers from scratch using latest known good configurations without restoring data.
D. Attempt to negotiate with the attackers for a lower ransom and more time.
Answer: B

Off-site backups are isolated and not encrypted; 72-hour data loss is acceptable compared to paying ransom.

Why this answer

Option B is correct: restoring from off-site tapes (72 hours old) is the best course because they are not encrypted and provide a viable recovery point. Option A (pay ransom) is risky: there is no guarantee of decryption, and paying encourages attackers. Option D (negotiate) wastes time.

Option C (rebuild without backup) is too slow and likely loses all data.

834
Multi-Select · hard

Which THREE access control models support the principle of least privilege?

Select 3 answers
A. Role-Based Access Control (RBAC)
B. Attribute-Based Access Control (ABAC)
C. Rule-Based Access Control (RuBAC)
D. Discretionary Access Control (DAC)
E. Mandatory Access Control (MAC)
Answers: A, B, E

RBAC assigns permissions to roles, which can be scoped to minimum necessary.

Why this answer

Role-Based Access Control (RBAC) supports least privilege by assigning permissions to roles rather than individuals, and users are granted only the permissions necessary for their job functions. This aligns with the principle because roles can be scoped to the minimum required access, and users cannot exceed the permissions of their assigned roles.

Exam trap

The trap here is that candidates often confuse Rule-Based Access Control (RuBAC) with RBAC, or assume that DAC inherently supports least privilege because owners can limit access, but DAC lacks centralized enforcement and allows users to delegate permissions arbitrarily, leading to privilege escalation.

835
MCQ · easy

A development team heavily uses third-party libraries. What is the most effective way to manage vulnerabilities in these libraries?

A. Only use libraries from sources with no known vulnerabilities
B. Ignore vulnerabilities unless a known exploit exists
C. Manually review each library's source code for flaws
D. Use a Software Composition Analysis (SCA) tool and monitor CVE databases
Answer: D

SCA tools automate vulnerability detection and CVE tracking.

Why this answer

Option D is correct because Software Composition Analysis (SCA) tools automate the identification of third-party libraries and their versions, cross-referencing them against known vulnerability databases such as the National Vulnerability Database (NVD) and Common Vulnerabilities and Exposures (CVE) lists. This provides continuous monitoring and alerting for newly disclosed vulnerabilities, which is the most effective and scalable approach for managing the large number of dependencies in modern development. Manual review or ignoring vulnerabilities is impractical and insecure, while relying on 'no known vulnerabilities' is a false premise.

Exam trap

The trap here is that candidates may choose Option A, mistakenly believing that 'trusted sources' are vulnerability-free, when in fact all libraries can have undiscovered vulnerabilities, and the CISSP exam emphasizes continuous risk management over static trust.

How to eliminate wrong answers

Option A is wrong because no library source can guarantee zero known vulnerabilities; vulnerabilities are discovered over time, and even widely trusted sources like Maven Central or npm have had critical CVEs. Option B is wrong because ignoring vulnerabilities until an exploit exists violates the principle of proactive defense and leaves the system exposed to zero-day attacks or exploits that can be weaponized quickly after disclosure. Option C is wrong because manually reviewing each library's source code is infeasible for large codebases, error-prone, and does not scale; it also fails to account for transitive dependencies and version-specific vulnerabilities that SCA tools can detect automatically.

836
MCQ · medium

A security team is reviewing application security and needs to analyze source code without executing the application. Which technique should they use?

A. Dynamic Application Security Testing (DAST)
B. Interactive Application Security Testing (IAST)
C. Static Application Security Testing (SAST)
D. Runtime Application Self-Protection (RASP)
Answer: C

Correct: SAST analyzes source code without execution.

Why this answer

SAST analyzes source code statically, without running the application.

837
Multi-Select · easy

Which TWO options are valid methods for providing confidentiality in network communications? (Choose two.)

Select 2 answers
A. SSH
B. ESP in transport mode
C. HMAC
D. AH in tunnel mode
E. TLS 1.3
Answers: B, E

ESP provides encryption, thus confidentiality.

Why this answer

ESP (Encapsulating Security Payload) in transport mode provides confidentiality by encrypting the payload of an IP packet while leaving the original IP header intact. This is a core function of IPsec, where ESP can optionally include authentication but its primary role is encryption, making it a valid method for ensuring data confidentiality in network communications.

Exam trap

ISC2 often tests the distinction between protocols that provide confidentiality (encryption) versus those that provide integrity/authentication only, so candidates may mistakenly select AH or HMAC thinking they offer encryption when they do not.

838
MCQ · hard

During a security audit, it is discovered that the database server is also accepting connections from the web server. Which of the following is the most likely misconfiguration?

A. The application server is not properly authenticated
B. The network segmentation is not enforcing strict controls
C. The TLS configuration is incorrect
D. The firewall on the database server allows all traffic from the DMZ
Answer: B

Correct. The web server should not be able to connect to the database server directly.

Why this answer

The database server accepting connections from the web server indicates a lack of proper network segmentation. In a secure architecture, the web server should be in a DMZ and the database server in a private network segment, with strict access controls enforced by a firewall or router ACLs. The misconfiguration is that the network segmentation is not enforcing strict controls, allowing traffic that should be blocked.

Exam trap

The trap here is that candidates may focus on authentication or encryption (options A or C) as the primary issue, but the core problem is the lack of network segmentation, which is a fundamental security architecture control.

How to eliminate wrong answers

Option A is wrong because the application server not being properly authenticated is an identity and access management issue, not the direct cause of the database server accepting connections from the web server; the core problem is network-level access, not authentication. Option C is wrong because an incorrect TLS configuration would affect encryption of data in transit, not the fundamental ability of the web server to establish a TCP connection to the database server. Option D is wrong because while a permissive firewall rule could allow traffic, the question states the database server is 'accepting connections' from the web server, which implies the firewall is allowing it, but the most likely root misconfiguration is the lack of network segmentation (e.g., placing the database server in the same VLAN as the web server or not using a firewall to restrict traffic between zones), not just a single firewall rule.

839
MCQ · hard

Under the Sarbanes-Oxley Act (SOX), which of the following is an example of an IT general control that supports financial reporting?

A. Change management process for the financial system
B. Data encryption for customer PII
C. Firewall rule to block unauthorized traffic
D. Automated calculation of interest on loans
Answer: A

Change management is an IT general control.

Why this answer

IT general controls (ITGC) include access controls, change management, backup and recovery, and computer operations. Change management ensures that changes to financial systems are authorized and tested.

840
MCQ · medium

A company is selecting a disaster recovery site for critical applications that must be restored within 4 hours with minimal data loss. Which site type best meets these requirements?

A. Hot site
B. Cold site
C. Reciprocal agreement
D. Warm site
Answer: A

Hot sites are fully configured and can be operational within minutes to hours, meeting a 4-hour RTO.

Why this answer

A hot site is fully configured with hardware, software, network connectivity, and real-time data replication, enabling recovery within minutes to hours and minimal data loss. This matches the requirement of restoring critical applications within 4 hours with minimal data loss, as hot sites maintain near-synchronous or synchronous replication (e.g., using synchronous replication over Fibre Channel or iSCSI with RPOs in seconds).

Exam trap

The trap here is that candidates confuse 'warm site' with 'hot site' because both have pre-installed hardware, but warm sites lack real-time data replication and automated failover, making them unsuitable for RTOs under 4 hours with minimal data loss.

How to eliminate wrong answers

Option B is wrong because a cold site provides only physical infrastructure (power, cooling, space) with no pre-installed hardware or data, requiring days or weeks to restore, far exceeding the 4-hour RTO. Option C is wrong because a reciprocal agreement relies on another organization's spare capacity, which is not guaranteed, lacks dedicated hardware, and typically has no real-time data replication, leading to RTOs of days and significant data loss. Option D is wrong because a warm site has partially configured hardware and software but lacks real-time data replication, often using periodic backups (e.g., daily tape or disk snapshots), resulting in RTOs of 12-24 hours and RPOs of hours to a day, failing the 4-hour RTO and minimal data loss requirement.

841
MCQ · medium

During a business impact analysis (BIA), the recovery point objective (RPO) for a critical database is determined to be 2 hours. What does this mean?

A. Data can be recovered from any point within the past 2 hours
B. The maximum tolerable downtime is 2 hours
C. Data backups must be taken at least every 2 hours
D. The database must be fully recovered within 2 hours of a disaster
Answer: C

To meet a 2-hour RPO, backups must be at least as frequent as 2 hours.

Why this answer

RPO defines the maximum acceptable data loss measured in time. An RPO of 2 hours means that data can be lost up to the last 2 hours before the disruption.

842
MCQ · hard

An organization is implementing federated identity to allow partners to access its web application. The solution must support single logout and attribute exchange. Which protocol is most appropriate?

A. SAML 2.0
B. OpenID Connect
C. LDAP
D. OAuth 2.0
Answer: A

SAML 2.0 is a mature protocol with built-in single logout and attribute query capabilities.

Why this answer

SAML 2.0 is the most appropriate protocol because it natively supports both single logout (SLO) and attribute exchange as core features. It uses XML-based assertions to transfer identity and attribute data between an identity provider (IdP) and a service provider (SP), and its SLO mechanism ensures that when a user logs out from one application, all sessions across participating services are terminated simultaneously.

Exam trap

The trap here is that candidates often confuse OAuth 2.0 with OpenID Connect or assume that OAuth 2.0 alone can handle authentication and logout, but OAuth 2.0 is strictly an authorization protocol and lacks the session management and attribute exchange features required for federated identity.

How to eliminate wrong answers

Option B (OpenID Connect) is wrong because, while it supports single logout via RP-initiated logout, it does not natively support attribute exchange in the same structured manner as SAML; it relies on scopes and claims, which are less suited for complex enterprise attribute sharing. Option C (LDAP) is wrong because it is a directory access protocol for querying and modifying directory services, not a federated identity protocol; it lacks built-in support for single logout and cross-domain attribute exchange. Option D (OAuth 2.0) is wrong because it is an authorization framework, not an authentication protocol; it does not provide single logout or attribute exchange—those are handled by OpenID Connect when layered on top, but OAuth 2.0 alone is insufficient.

843
MCQ · medium

A security architect is designing a system that must enforce the principle of least privilege at the operating system level. Which mechanism should be implemented to grant processes only the minimal permissions required for their tasks?

A. Mandatory Access Control (MAC) using SELinux policies
B. Role-Based Access Control (RBAC) with fine-grained roles
C. Discretionary Access Control (DAC) with user permissions
D. Mandatory Integrity Control (Biba)
Answer: A

Correct. SELinux allows granular control over process permissions.

Why this answer

SELinux implements Mandatory Access Control (MAC) by enforcing a system-wide security policy that overrides user and process permissions. This allows the security architect to define precise rules (e.g., via Type Enforcement) that grant each process only the minimal set of resources it needs, effectively enforcing least privilege at the OS level regardless of user identity.

Exam trap

The trap here is that candidates often confuse RBAC with process-level least privilege, but RBAC is user-centric and does not constrain process permissions at the OS kernel level like MAC does.

How to eliminate wrong answers

Option B is wrong because Role-Based Access Control (RBAC) manages access based on user roles, not process-level permissions; it does not inherently restrict processes to minimal rights at the OS level. Option C is wrong because Discretionary Access Control (DAC) allows users to control permissions on their own objects, which can lead to privilege escalation and violates the principle of least privilege when users grant excessive rights. Option D is wrong because Mandatory Integrity Control (Biba) focuses on preventing data corruption by controlling information flow based on integrity levels, not on granting minimal permissions to processes.

844
Multi-Select · medium

An organization is planning an external audit for SOC 2 Type II compliance. Which TWO of the following are true about this type of audit?

Select 2 answers
A. It reports on controls over a period of time, typically 6–12 months
B. It is a third-party audit that evaluates controls for security, availability, processing integrity, confidentiality, and privacy
C. It is an internal audit performed by the organization's staff
D. It focuses solely on financial reporting controls
E. It is a public document available to anyone
Answers: A, B

Correct: Type II covers a period; Type I is point-in-time.

Why this answer

SOC 2 Type II is a third-party audit over a period, and it tests controls related to security, availability, etc.

845
MCQ · easy

Which type of covert channel uses the timing of events or operations to transmit information?

A. Emanations channel
B. Side channel
C. Timing channel
D. Storage channel
Answer: C

Timing channels use temporal variations.

Why this answer

Timing channels manipulate the timing of events to encode data, while storage channels use shared resources.

846
MCQ · medium

An organization's data retention policy specifies that customer records must be retained for five years after the end of the business relationship. After that period, what should be done with the data according to best practices?

A. Continue retaining the data indefinitely for future use
B. Securely destroy the data
C. Archive the data to offline storage
D. Anonymize the data and keep it
Answer: B

Correct. Data should be destroyed at the end of its retention period to minimize risk.

Why this answer

Once the retention period expires, data should be securely destroyed to prevent unauthorized access and comply with privacy regulations.

847
MCQ · easy

A security tester needs to test a new application for vulnerabilities but is concerned about contaminating the production database with test data. What is the best practice for conducting such tests?

A. Perform the test on the production environment during off-hours
B. Create a separate test environment with anonymized production data
C. Test only from the network perimeter to avoid data exposure
D. Use synthetic data that mimics production but is not real
Answer: B

Provides realistic testing without risk to production.

Why this answer

Option B is correct because creating a separate test environment with anonymized production data ensures that testing does not affect the integrity or availability of the production database while still using realistic data to uncover vulnerabilities. Anonymization techniques, such as data masking or tokenization, remove personally identifiable information (PII) while preserving referential integrity and data distribution, allowing for accurate security testing without contaminating production systems.

Exam trap

The trap here is that candidates often confuse 'synthetic data' (Option D) with 'anonymized production data' (Option B), not realizing that synthetic data may not accurately reflect real-world data complexity, while anonymized production data preserves the necessary characteristics for thorough vulnerability testing without risking data contamination.

How to eliminate wrong answers

Option A is wrong because performing tests on the production environment during off-hours still risks contaminating the production database with test data, potentially corrupting live data, causing availability issues, or violating compliance requirements (e.g., GDPR, PCI DSS). Option C is wrong because testing only from the network perimeter does not address the core concern of database contamination; it focuses on network-level controls rather than data integrity, and internal application vulnerabilities may remain undetected. Option D is wrong because synthetic data that mimics production but is not real often lacks the complexity, edge cases, and statistical distributions of real data, which can lead to missed vulnerabilities that only manifest with actual production-like data patterns.

848
MCQ · easy

A security architect is designing a system that must continue to function even when a component fails. The architect implements multiple layers of security controls so that if one fails, others still provide protection. Which principle is being applied?

A. Separation of duties
B. Defense in depth
C. Fail-secure
D. Least privilege
Answer: B

Defense in depth uses multiple overlapping controls.

Why this answer

Defense in depth (B) is the correct principle because it involves implementing multiple layers of security controls (e.g., firewalls, intrusion detection systems, encryption, access controls) so that if one layer fails or is bypassed, other layers continue to provide protection, ensuring the system remains functional. This directly matches the scenario where the architect designs for continued operation despite component failure by layering controls.

Exam trap

The trap here is that candidates confuse 'defense in depth' with 'fail-secure' because both involve planning for failure, but fail-secure prioritizes security over availability (e.g., locking down on failure) whereas defense in depth prioritizes continued operation through redundancy of controls.

How to eliminate wrong answers

Option A is wrong because separation of duties is a principle that prevents fraud or error by requiring multiple individuals to complete a sensitive task (e.g., one person authorizes, another executes), not by layering controls for resilience. Option C is wrong because fail-secure means that when a component fails, the system defaults to a secure state (e.g., locking all doors on power loss), which may actually halt functionality rather than ensure continued operation. Option D is wrong because least privilege restricts users or processes to only the minimum permissions needed to perform their tasks, which is an access control principle unrelated to maintaining function during component failures.

849
MCQ · medium

Which OAuth 2.0 grant type is recommended for a public client (e.g., single-page application) that cannot securely store a client secret?

A. Resource owner password credentials grant
B. Authorization code grant with PKCE
C. Implicit grant
D. Client credentials grant
Answer: B

PKCE adds a code verifier/challenge to secure the authorization code exchange.

Why this answer

The authorization code grant with PKCE (Proof Key for Code Exchange) is designed for public clients to prevent interception of the authorization code.

850
MCQ · medium

Which governance framework is specifically designed to help organizations manage and protect their information assets by providing a comprehensive set of controls based on a risk management approach?

A. ISO/IEC 27001
B. NIST Cybersecurity Framework
C. COBIT 2019
D. ITIL
Answer: A

Correct - ISO 27001 is the standard for ISMS.

Why this answer

ISO/IEC 27001 is an international standard for information security management systems (ISMS) that provides a risk-based approach to managing information security.

851
MCQ · hard

A financial institution is required to perform regular penetration tests on its online banking platform. The testing must be as realistic as possible while minimizing risk to production data. Which of the following approaches BEST meets these requirements?

A. Conduct the test on the production environment using anonymized production data.
B. Use an automated vulnerability scanner on the production environment.
C. Perform the test during off-peak hours on the production system with read-only access.
D. Build a replica of the production environment and test against it with realistic attack scenarios.
Answer: D

A replica environment allows full attack simulation without risking production data.

Why this answer

Option D is correct because building a replica (staging) environment allows the penetration test to simulate realistic attack scenarios without any risk to production data or system availability. This approach ensures the test can include destructive or disruptive techniques (e.g., SQL injection, privilege escalation) that would be unsafe on a live system, while still accurately reflecting the production architecture and configurations.

Exam trap

The trap here is that candidates often choose Option A or C because they focus on 'realistic' testing and assume production is the only way to achieve realism, overlooking that a well-constructed replica provides identical attack surfaces without the unacceptable risk to production integrity.

How to eliminate wrong answers

Option A is wrong because using anonymized production data in the production environment still exposes the live system to potential service disruption or data corruption from active exploitation attempts, and anonymization does not eliminate the risk of data leakage or system instability. Option B is wrong because an automated vulnerability scanner only identifies known vulnerabilities and lacks the manual, creative exploitation techniques required for a realistic penetration test; it also cannot safely simulate advanced attack chains. Option C is wrong because read-only access prevents the tester from performing many essential penetration testing activities (e.g., writing files, modifying configurations, escalating privileges), and off-peak hours do not eliminate the risk of production impact from active attacks.

852
Multi-Select · medium

An organization is planning its disaster recovery strategy. Which THREE options are considered recovery site types? (Select THREE.)

Select 3 answers
A. Cloud DR
B. Hot site
C. Cold site
D. Warm site
E. Reciprocal agreement
Answers: B, C, D

Fully operational duplicate site.

Why this answer

Hot, warm, and cold sites are standard DR site types. Reciprocal agreements and cloud DR are strategies but not physical site types.

853
MCQ · hard

During an audit, it is discovered that several users have inherited permissions through nested group memberships that violate least privilege. What is the best approach to correct this?

A. Implement periodic access reviews and attestation
B. Re-certify group memberships quarterly
C. Provide training on least privilege
D. Revoke all group memberships and assign individually
Answer: A

Access reviews allow managers to validate and revoke excessive permissions, including inherited ones.

Why this answer

Periodic access reviews and attestation (Option A) are the best approach because they establish a continuous governance process where data owners or managers formally confirm that inherited permissions from nested group memberships remain appropriate. This directly addresses the root cause—unchecked group nesting—by enforcing regular validation of access rights against the principle of least privilege, rather than relying on a one-time fix or training.

Exam trap

The trap here is that candidates often choose a one-time technical fix (like revoking all memberships) or a generic training option, failing to recognize that the CISSP exam emphasizes governance processes like periodic attestation as the sustainable solution for ongoing compliance with least privilege.

How to eliminate wrong answers

Option B is wrong because re-certifying group memberships quarterly is a narrower activity than a full access review: it confirms who is in a group but does not require the owner to attest that the permissions reached through nested groups are still necessary. Option C is wrong because training on least privilege raises awareness but does not correct existing misconfigurations or remove inherited permissions; it is preventive, not corrective. Option D is wrong because revoking all group memberships and assigning rights individually is disruptive, discards the benefits of group-based administration, and does not scale; it also does not address the cause, which is the nesting itself and calls for re-engineering the group structure rather than a blanket revocation.
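As an added illustration of how an audit produces this kind of finding (example code, not part of the original question set): the script below resolves effective permissions through nested group membership and reports the inheritance path for every permission outside a user's approved set. The directory snapshot, group names and permission strings are constructed for the example; a real audit would load them from the identity provider.

```python
"""Resolve effective permissions through nested groups and report violations.

Added example, not from the original page. GROUP_MEMBERS and
GROUP_PERMISSIONS are a constructed directory snapshot; a real audit
would load them from the identity provider.
"""
from collections import deque

# Constructed: group -> direct members (user names or other group names)
GROUP_MEMBERS = {
    "all-staff": ["alice", "bob", "carol"],
    "finance": ["dave", "all-staff"],          # nesting: all staff become finance
    "finance-admins": ["erin", "finance"],     # nesting again
    "db-operators": ["finance-admins"],        # and again
}

# Constructed: permissions attached to each group
GROUP_PERMISSIONS = {
    "finance": {"ledger:read"},
    "finance-admins": {"ledger:write"},
    "db-operators": {"prod-db:admin"},
}


def _containing_groups(members=GROUP_MEMBERS):
    """Invert the membership map: member -> groups that list it directly."""
    containers = {}
    for group, entries in members.items():
        for entry in entries:
            containers.setdefault(entry, []).append(group)
    return containers


def effective_permissions(user, members=GROUP_MEMBERS, perms=GROUP_PERMISSIONS):
    """Return {permission: [group path]} for every permission `user` inherits.

    Breadth-first search outward from the user through every group that
    contains them, directly or transitively. Visiting each group once keeps
    the search finite even if groups nest into a cycle, and BFS order means
    the recorded path is the shortest chain that grants the permission.
    """
    containers = _containing_groups(members)
    result = {}
    seen = set()
    queue = deque([(user, [])])
    while queue:
        node, path = queue.popleft()
        for group in containers.get(node, []):
            if group in seen:
                continue
            seen.add(group)
            group_path = path + [group]
            for perm in perms.get(group, ()):
                result.setdefault(perm, group_path)
            queue.append((group, group_path))
    return result


def find_violations(user, approved, **kw):
    """Permissions `user` holds beyond the `approved` set, with how they got them."""
    return {p: path for p, path in effective_permissions(user, **kw).items() if p not in approved}


if __name__ == "__main__":
    for user, approved in [("alice", {"ledger:read"}), ("erin", {"ledger:write"})]:
        for perm, path in find_violations(user, approved).items():
            print(f"{user} has {perm} via {' -> '.join(path)}")
```

The inheritance path is the useful output for an access review: it tells the owner which nesting edge to cut (here, `all-staff` being a member of `finance`) rather than which user to strip, which is exactly the structural fix that a blanket revocation would miss.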

854
MCQmedium

A security team is analyzing logs from multiple sources and notices anomalous outbound traffic to a known command-and-control server. What is the most likely conclusion?

A.A misconfigured firewall is causing traffic
B.A host is compromised and is beaconing
C.An employee is streaming video to a personal server
D.The network is under a DDoS attack
AnswerB

Behavior consistent with malware communicating with its C2 server.

Why this answer

Anomalous outbound traffic to a known command-and-control (C2) server is a classic indicator of compromise (IoC). Compromised hosts often beacon outbound to C2 infrastructure using HTTP, HTTPS, or DNS tunnels to receive instructions or exfiltrate data. This pattern is distinct from normal traffic and is a primary focus of network security monitoring and intrusion detection systems (IDS).

Exam trap

The trap here is that candidates may confuse anomalous outbound traffic with a network misconfiguration or a benign user activity, failing to recognize that beaconing to a known malicious destination is a definitive sign of compromise, not a configuration error or a DDoS symptom.

How to eliminate wrong answers

Option A is wrong because a misconfigured firewall can fail to block traffic but does not originate it; the connections are initiated by a process on the internal host, and a rule error would not produce repeated, targeted connections to a single known C2 address. Option C is wrong because streaming video to a personal server would generate high-bandwidth, continuous traffic to a consumer CDN or hosting address, not periodic, low-volume beaconing to a known malicious destination. Option D is wrong because a DDoS attack involves a flood of traffic from many sources toward a target, not anomalous outbound traffic from a single internal host to a specific C2 server.
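The beaconing pattern described above, as an added example that is not part of the original question set: the script parses a constructed outbound connection log and flags (source, destination) pairs either because the destination is on a threat-intel list or because the connections recur at a near-constant interval. The log format, hosts, addresses (RFC 5737 documentation ranges) and the threat-intel list are all constructed for the demonstration.

```python
"""Beacon detection over outbound connection logs.

Added example, not from the original page. The log format, hosts,
addresses (RFC 5737 documentation ranges) and threat-intel list below
are all constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed threat-intel feed: destinations known to be C2 servers
KNOWN_C2 = {"203.0.113.77"}

# Constructed log: "<ISO timestamp> <src> <dst> <bytes_out>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.1.2.15 203.0.113.77 612
2024-03-01T09:00:03 10.1.2.15 198.51.100.20 48210
2024-03-01T09:01:00 10.1.2.15 203.0.113.77 598
2024-03-01T09:02:01 10.1.2.15 203.0.113.77 640
2024-03-01T09:02:40 10.1.2.40 198.51.100.20 910333
2024-03-01T09:03:00 10.1.2.15 203.0.113.77 601
2024-03-01T09:04:00 10.1.2.15 203.0.113.77 615
2024-03-01T09:05:01 10.1.2.15 203.0.113.77 622
2024-03-01T09:07:12 10.1.2.40 198.51.100.20 1200400
2024-03-01T09:30:44 10.1.2.40 198.51.100.20 2000100
2024-03-01T09:31:02 10.1.2.40 198.51.100.20 35000
2024-03-01T09:58:30 10.1.2.40 198.51.100.20 880000
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, src, dst, bytes_out) tuples."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        conns.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return conns


def find_beacons(conns, known_c2=KNOWN_C2, min_conns=5, max_cv=0.2):
    """Return {(src, dst): details} for flows that look like C2 beacons.

    Two independent signals: the destination is on the threat-intel list,
    or the connections recur at a near-constant interval. Regularity is
    measured as the coefficient of variation (stddev / mean) of the gaps
    between consecutive connections; an implant with little jitter scores
    close to 0, bursty human-driven traffic scores far higher.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in conns:
        by_pair[(src, dst)].append((ts, nbytes))

    flagged = {}
    for pair, events in by_pair.items():
        events.sort()
        periodic, cv, interval = False, None, None
        if len(events) >= min_conns:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
            interval = mean(gaps)
            cv = pstdev(gaps) / interval if interval else None
            periodic = cv is not None and cv <= max_cv
        on_list = pair[1] in known_c2
        if periodic or on_list:
            flagged[pair] = {
                "connections": len(events),
                "mean_interval_s": None if interval is None else round(interval, 1),
                "interval_cv": None if cv is None else round(cv, 3),
                "avg_bytes_out": round(mean(b for _, b in events)),
                "periodic": periodic,
                "known_c2": on_list,
            }
    return flagged


if __name__ == "__main__":
    for pair, info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(pair, info)
```

The periodicity check is what catches an implant whose C2 address is not yet on any list; the threat-intel match is what catches one that deliberately randomizes its sleep. Implants that add heavy jitter push the coefficient of variation up, so `max_cv` is a tuning knob, not a constant, and the byte counts (small, similar-sized requests) are a third signal worth adding in production.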

855
Multi-Selectmedium

During a code review, a developer identifies that the application uses a custom encryption algorithm for storing sensitive data. Which THREE of the following are secure cryptographic practices that should be recommended instead?

Select 3 answers
A.Using industry-standard algorithms (e.g., AES-256)
B.Implementing proper key management practices
C.Using authenticated encryption (e.g., AES-GCM)
D.Hashing the data with MD5 for faster performance
E.Using a static IV for simplicity
AnswersA, B, C

Standard algorithms have been vetted by the security community.

Why this answer

Option A is correct because industry-standard algorithms such as AES-256 are publicly specified ciphers that have survived decades of open cryptanalysis. Custom algorithms lack that peer review and routinely contain subtle flaws; AES-256 is a NIST-approved symmetric block cipher with a 256-bit key that provides strong confidentiality for sensitive data. Option B is correct because the strength of any cipher collapses if its keys are hardcoded, shared across environments, or never rotated; keys should be generated from a cryptographically secure random source, stored in an HSM or secrets manager, and rotated under a documented lifecycle. Option C is correct because unauthenticated modes such as CBC or CTR protect confidentiality only: an attacker can flip ciphertext bits without detection, and padding-oracle attacks on CBC turn that into decryption. AES-GCM (or ChaCha20-Poly1305) attaches an authentication tag so tampered ciphertext is rejected before decryption, provided each nonce is used exactly once per key.

Exam trap

The trap here is that candidates may think 'any encryption is better than none' or that 'hashing is a form of encryption,' but the CISSP exam emphasizes that custom algorithms and broken hashes like MD5 are never acceptable for protecting sensitive data, and that proper cryptographic practices require standards, key management, and authenticated modes.
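To make option E concrete, here is an added example (not part of the original question set) showing why a static IV breaks confidentiality. It builds a CTR-style keystream from HMAC-SHA256 purely so that it runs on the standard library; the keystream construction is a stand-in for any stream or counter-mode cipher, including the CTR core of AES-GCM, and the leak shown is a property of reusing a nonce under one key, not of the particular primitive. The patient records are constructed.

```python
"""Why a static IV (option E) is not 'simple', it is fatal.

Added example, not from the original page. The keystream is built from
HMAC-SHA256 in counter mode purely so the snippet runs on the standard
library; it stands in for any CTR-style cipher, including the CTR core
of AES-GCM. The leak shown is a property of reusing a nonce under one
key, not of the particular primitive. Plaintexts are constructed.
"""
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """CTR-style keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, plaintext):
    """Stream encryption; decryption is the same operation."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_other_plaintext(c1, c2, known_p1):
    """Nonce reuse: c1 ^ c2 == p1 ^ p2 because the shared keystream cancels,
    so knowing (or guessing) p1 reveals p2 without ever touching the key."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_p1[:n])


RECORD_A = b"patient_id=1001;dx=common-cold"   # constructed
RECORD_B = b"patient_id=2002;dx=hepatitis-c"   # constructed, same length


def attack_with_static_iv():
    """True when the second record is recovered from ciphertext alone."""
    key = os.urandom(32)
    static_iv = bytes(12)          # the 'simple' fixed IV from option E
    c_a = encrypt(key, static_iv, RECORD_A)
    c_b = encrypt(key, static_iv, RECORD_B)
    return recover_other_plaintext(c_a, c_b, RECORD_A) == RECORD_B


def attack_with_fresh_nonces():
    """Same attack against unique random nonces; fails except with negligible probability."""
    key = os.urandom(32)
    c_a = encrypt(key, os.urandom(12), RECORD_A)
    c_b = encrypt(key, os.urandom(12), RECORD_B)
    return recover_other_plaintext(c_a, c_b, RECORD_A) == RECORD_B


if __name__ == "__main__":
    print("static IV leaks record B:", attack_with_static_iv())
    print("fresh nonces leak record B:", attack_with_fresh_nonces())
```

Two caveats a reviewer should add to the recommendation. First, this toy has no authentication tag, which is the other half of option C: with AES-GCM a modified ciphertext is rejected, whereas here a bit flip in `c_b` silently flips the same bit in the decrypted record. Second, nonce reuse in GCM is worse than shown here, because it also exposes the authentication subkey and lets an attacker forge tags; a random 96-bit nonce per message, or a counter that is guaranteed never to repeat for the key, is mandatory.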

856
MCQhard

A security architect is designing a secure enclave for processing highly sensitive data. The architecture must ensure that even if the operating system is compromised, the enclave's memory contents remain confidential and integrity-protected. Which technology should be used?

A.Full disk encryption (FDE) with a strong passphrase
B.Trusted Platform Module (TPM)
C.Hypervisor-based isolation
D.Intel Software Guard Extensions (SGX)
AnswerD

SGX creates hardware-enforced enclaves that isolate code and data even from the OS.

Why this answer

Intel Software Guard Extensions (SGX) is the correct choice because it provides hardware-enforced isolation of memory regions (enclaves) that remain confidential and integrity-protected even if the operating system or hypervisor is compromised. Enclave pages are encrypted and integrity-checked by the CPU's memory encryption engine whenever they leave the processor package, and are accessible in plaintext only to code executing inside the enclave, so no privileged software can read or tamper with them. Two caveats a practitioner should keep in mind: SGX's threat model explicitly excludes side-channel attacks and denial of service, so enclave code must avoid secret-dependent memory access and timing, and remote attestation is what lets a relying party verify that the enclave it is talking to is the code it expects before provisioning secrets into it.

Exam trap

The trap here is that candidates confuse TPM's boot-time integrity measurement with runtime memory protection, or assume hypervisor isolation is sufficient against a compromised OS, not realizing SGX provides hardware-enforced enclave isolation that persists even when the OS is untrusted.

How to eliminate wrong answers

Option A is wrong because full disk encryption (FDE) protects data at rest on the storage device but does not protect memory contents; once the OS is booted and data is loaded into RAM, FDE offers no confidentiality or integrity protection against a compromised OS. Option B is wrong because the Trusted Platform Module (TPM) is a hardware security chip that provides secure key storage and attestation of boot integrity, but it does not isolate runtime memory or protect enclave contents from a compromised OS. Option C is wrong because hypervisor-based isolation separates virtual machines from each other; the guest operating system still controls its VM's entire address space, so a compromised OS can read the application's memory, the hypervisor itself remains in the trusted computing base, and there is no hardware memory encryption against privileged software.

857
MCQmedium

A security analyst is evaluating the risk of a data breach in a healthcare organization. The asset value of the patient database is $500,000, and the exposure factor is 0.2. The annual rate of occurrence is estimated at 0.1. What is the annualized loss expectancy (ALE)?

A.$10,000
B.$5,000
C.$50,000
D.$100,000
AnswerA

SLE = $500,000 × 0.2 = $100,000; ALE = $100,000 × 0.1 = $10,000.

Why this answer

ALE = ARO × SLE, and SLE = AV × EF = $500,000 × 0.2 = $100,000. Then ALE = 0.1 × $100,000 = $10,000.

858
MCQhard

A forensic investigator arrives at a crime scene involving a compromised server. The server is still running. According to the order of volatility, which of the following should the investigator capture FIRST?

A.RAM contents
B.CPU registers
C.Hard disk contents
D.Network connections
AnswerB

CPU registers are the most volatile and should be captured first.

Why this answer

CPU registers and cache are the most volatile and must be captured first. RFC 3227 gives the order of volatility as: registers and cache; routing table, ARP cache, process table, kernel statistics and RAM; temporary file systems; disk; remote logging and monitoring data; physical configuration and network topology; archival media. Collecting in that order ensures that acquiring the less volatile items does not destroy the more volatile ones. In practice register and cache contents are rarely captured separately from a live memory image, but the exam follows the RFC ordering.

859
MCQhard

An organization develops a SaaS platform that integrates with multiple third-party services via APIs. The platform handles authentication tokens and user data. A security review reveals that the platform uses hardcoded API keys in the source code. What is the most secure way to manage these secrets in a cloud-native environment?

A.Use environment variables in the deployment configuration.
B.Use .gitignore to prevent them from being committed.
C.Encrypt the secrets and store them in the database.
D.Store secrets in a dedicated secrets management service like AWS Secrets Manager or Azure Key Vault.
AnswerD

Provides secure storage, access control, and automatic rotation.

Why this answer

Option D is correct because dedicated secrets management services like AWS Secrets Manager or Azure Key Vault provide secure storage, automatic rotation, and fine-grained access control for API keys and tokens. They eliminate the risk of hardcoded secrets in source code or configuration files, which is critical in a cloud-native SaaS platform that integrates with multiple third-party services.

Exam trap

The trap here is that candidates often choose environment variables (Option A) thinking they are secure enough, but the CISSP exam emphasizes that environment variables are not a secure storage solution because they can be leaked through debugging, logging, or container orchestration tools.

How to eliminate wrong answers

Option A is wrong because environment variables can be exposed through process dumps, logs, or container inspection, and they do not provide encryption at rest or rotation capabilities. Option B is wrong because .gitignore only prevents files from being committed to version control but does not protect secrets already in the environment or prevent them from being exposed through other means. Option C is wrong because storing encrypted secrets in the database still requires managing the encryption key within the application, which reintroduces the same secret management problem and increases the attack surface.

860
MCQhard

An organization is implementing identity management and wants to ensure that when an employee leaves, all access is promptly revoked. Which process is most directly responsible for removing accounts and access rights for a leaver?

A.Privileged access management
B.Access recertification
C.Deprovisioning
D.Separation of duties
AnswerC

Deprovisioning specifically handles removal of accounts and access.

Why this answer

Deprovisioning is the process of removing user accounts and access rights when an employee leaves the organization. It directly addresses the requirement to promptly revoke all access, ensuring that the former employee cannot authenticate or authorize any actions within the system. This process typically involves disabling or deleting the user object in the directory service (e.g., Active Directory) and removing associated permissions from all resources.

Exam trap

The trap here is that candidates may confuse 'Access Recertification' (a periodic review) with the immediate revocation action required for a leaver, or think 'Privileged Access Management' covers all account removal, when it only addresses high-privilege accounts.

How to eliminate wrong answers

Option A is wrong because Privileged Access Management (PAM) focuses on controlling and monitoring access for privileged accounts (e.g., administrators), not on the general removal of all accounts for a leaver. Option B is wrong because Access Recertification is a periodic review process to validate that existing access rights are still appropriate, not an immediate action to remove access upon termination. Option D is wrong because Separation of Duties is a control principle that prevents conflicts of interest by dividing critical tasks among multiple people, not a process for revoking accounts.

861
MCQmedium

Refer to the exhibit. A security analyst finds that external HTTPS connections to the web server at 10.0.0.10 are failing. What is the most likely cause?

A.The access-list permits traffic to the public IP address (203.0.113.10) instead of the real IP address (10.0.0.10) after NAT.
B.The access-list is applied to the inside interface instead of the outside interface.
C.The access-list is missing a permit statement for ICMP.
D.The static NAT command uses the wrong port number.
AnswerA

On Cisco ASA running 8.3 or later, interface access lists are written in terms of real (untranslated) addresses: inbound traffic is matched against the destination as it appears after NAT. The access list must therefore permit HTTPS to the server's real address, 10.0.0.10, not to the mapped public address 203.0.113.10; as written it never matches the translated flow, so the connections are dropped.

Why this answer

The exhibit maps TCP port 443 on the outside interface (203.0.113.10) to 10.0.0.10:443 with a static NAT, and the access list applied inbound on the outside interface permits HTTPS from any source to host 203.0.113.10. The two statements look consistent, which is why the error is easy to miss. On ASA 8.3 and later, however, NAT is applied before the interface access list is evaluated, so the ACL sees the packet with its real destination, 10.0.0.10, and an entry written for 203.0.113.10 never matches. The fix is to change the permit entry to host 10.0.0.10 while keeping the ACL applied inbound on the outside interface.

Version check a practitioner should make before applying that fix: the `static ... interface 443 ...` command form seen in the exhibit belongs to releases before 8.3, and on those releases interface access lists referenced mapped addresses, so permitting 203.0.113.10 was correct there. The answer key assumes 8.3 or later semantics, where the same mapping is expressed as an object NAT and the ACL uses real addresses.

How to eliminate wrong answers

Option B is wrong because an inbound filter for sessions arriving from the Internet belongs on the outside interface; moving it to the inside interface would not filter the inbound session at all. Option C is wrong because HTTPS does not depend on ICMP being permitted. Option D is wrong because the static NAT already maps port 443 to port 443; a port mismatch would be a different fault and is not what the exhibit shows.

862
MCQmedium

A company decides to purchase cyber insurance to cover potential losses from data breaches. Which risk response strategy does this represent?

A.Transfer
B.Accept
C.Avoid
D.Mitigate
AnswerA

Insurance transfers the financial impact to the insurer.

Why this answer

Transfer involves shifting the risk to a third party, such as through insurance.

863
Multi-Selecthard

Which TWO of the following are essential components of a quantitative risk analysis formula? (Choose two.)

Select 2 answers
A.Annual Rate of Occurrence (ARO)
B.Exposure Factor (EF)
C.Residual Risk
D.Single Loss Expectancy (SLE)
E.Control Frequency (CF)
AnswersA, D

ARO is the estimated frequency of the risk occurring per year.

Why this answer

In quantitative risk analysis, the formula for calculating Annualized Loss Expectancy (ALE) is ALE = SLE × ARO. The Single Loss Expectancy (SLE) represents the monetary loss expected from a single occurrence of a risk, calculated as Asset Value × Exposure Factor (EF). The Annual Rate of Occurrence (ARO) is the expected frequency of that risk occurring per year.

Both SLE and ARO are direct, essential multipliers in the core ALE formula, making them fundamental components of the quantitative risk analysis equation.

Exam trap

The trap here is that candidates often confuse Exposure Factor (EF) as a direct component of the final formula, when in fact it is an intermediate input to SLE, not a standalone variable in the ALE equation; similarly, Residual Risk is a post-control metric, not a formula component, and Control Frequency is a fabricated term not found in any standard risk analysis framework.

864
Multi-Selectmedium

An organization is implementing role-based access control (RBAC). Which two components are fundamental to the RBAC model? (Select TWO.)

Select 2 answers
A.Access control lists (ACLs)
B.Subjects, objects, and operations
C.Constraints such as separation of duties
D.Roles, permissions, and user assignments
E.Security labels and clearances
AnswersC, D

Correct. Constraints are integral to RBAC to enforce policies like SoD.

Why this answer

Constraints such as separation of duties are fundamental to RBAC because they enforce organizational policies by preventing conflicts of interest (e.g., a user cannot both create and approve a purchase order). This is a core component of the RBAC model as defined in the NIST RBAC standard (ANSI INCITS 359-2004), which includes core RBAC, hierarchical RBAC, and constrained RBAC. Constraints ensure that role assignments and permissions adhere to security rules beyond simple role-user mapping.

Exam trap

The trap here is that candidates often confuse the generic components of access control (subjects, objects, operations) with the specific fundamental components of the RBAC model, leading them to select Option B instead of recognizing that roles, permissions, user assignments, and constraints are the unique building blocks of RBAC.

865
MCQeasy

An organization needs to ensure that backup tapes containing sensitive data are protected during transportation between sites. What is the most effective control?

A.Applying tamper-evident seals
B.Encrypting the backup tapes
C.Using a chain of custody log
D.Using a bonded courier service
AnswerB

Encryption protects the data on the media itself, wherever the tapes happen to be.

Why this answer

Encrypting the backup tapes ensures that even if the physical media is lost, stolen, or intercepted during transit, the sensitive data remains unreadable without the decryption key. This provides a strong, data-centric security control that protects confidentiality regardless of the physical security measures in place. Encryption is the most effective control because it directly addresses the risk of unauthorized access to the data itself.

Exam trap

The trap here is that candidates often choose a physical security control (like tamper-evident seals or bonded couriers) thinking it is sufficient, but the CISSP exam emphasizes that data-centric controls (encryption) are the most effective for protecting data in transit, as physical controls can be bypassed or fail.

How to eliminate wrong answers

Option A is wrong because tamper-evident seals only indicate whether the tape has been physically opened or tampered with; they do not protect the data from being read if the seal is bypassed or the tape is accessed through other means. Option C is wrong because a chain of custody log provides an audit trail of who handled the tape and when, but it does not prevent unauthorized access to the data if the tape is lost or stolen. Option D is wrong because a bonded courier service reduces the risk of theft or loss during transit, but it does not protect the data if the courier is compromised or the tape is intercepted; encryption is still needed to ensure confidentiality.

866
MCQeasy

Which VPN technology operates at Layer 2 of the OSI model and is often used in combination with IPsec to provide encryption?

A.L2TP
B.WireGuard
C.IPsec
D.PPTP
AnswerA

L2TP is a Layer 2 protocol often used with IPsec for security.

Why this answer

L2TP (Layer 2 Tunneling Protocol) tunnels PPP frames to create a virtual point-to-point link, which is why it is classed as a Layer 2 VPN protocol. It is commonly combined with IPsec (typically ESP in transport mode, as described in RFC 3193) to provide encryption, authentication, and integrity, because L2TP itself offers no confidentiality. This L2TP/IPsec combination is widely used for remote-access VPNs.

Exam trap

The exam often tests the misconception that IPsec itself is a Layer 2 protocol, when in fact it operates at Layer 3, and that L2TP provides encryption, which it does not; candidates must remember that L2TP is unencrypted and relies on IPsec for security.

How to eliminate wrong answers

Option B (WireGuard) is wrong because it operates at Layer 3 (network layer) and uses its own cryptographic protocol (Noise_IK) for encryption, not Layer 2, and is not typically combined with IPsec. Option C (IPsec) is wrong because it operates at Layer 3 and provides encryption natively; it is the security layer added to L2TP, not the Layer 2 tunneling protocol itself. Option D (PPTP) is wrong because, although it operates at Layer 2, it uses MPPE for encryption and is not commonly combined with IPsec; it is considered deprecated due to known security vulnerabilities (e.g., MS-CHAPv2 weaknesses).

867
Multi-Selectmedium

A security manager is planning a penetration test and needs to ensure proper rules of engagement are established. Which TWO of the following are essential components of the rules of engagement?

Select 2 answers
A.Vulnerability scoring methodology
B.Scope definition including in-scope systems
C.Written authorization from management
D.Previous test results
E.List of tools to be used
AnswersB, C

Scope defines what is included and excluded.

Why this answer

Scope definition (B) is essential because it explicitly lists in-scope systems, IP ranges, and exclusions, preventing unauthorized access and legal liability. Written authorization from management (C) provides the legal and contractual basis for the test, ensuring the penetration test is conducted with informed consent and documented approval.

Exam trap

The trap here is that candidates confuse 'rules of engagement' with the broader 'penetration testing methodology' and mistakenly include operational details like tool lists or scoring methods, which are not required for defining the legal and authorization boundaries.

868
MCQmedium

Which of the following is a primary advantage of using a hardware security module (HSM) over software-based key storage?

A.Easier key backup
B.Lower cost
C.Tamper-resistant physical security
D.Faster key generation
AnswerC

Correct. HSMs are designed to protect keys from physical tampering.

Why this answer

A hardware security module (HSM) provides tamper-resistant physical security by storing cryptographic keys in a dedicated, hardened appliance that resists physical tampering, probing, and extraction. Unlike software-based key storage, which relies on the operating system's file system or memory and is vulnerable to malware or direct memory access attacks, an HSM ensures that keys never leave the secure boundary in plaintext, even if the host system is compromised.

Exam trap

The trap here is that candidates confuse 'faster key generation' (a performance benefit) with the primary security advantage of HSMs, or they assume that software-based key backup is inherently more difficult, when in fact HSMs introduce additional complexity for backup to maintain security.

How to eliminate wrong answers

Option A is wrong because key backup from an HSM is typically more complex than software-based storage, often requiring secure key-wrapping or cloning procedures to maintain the same level of protection, whereas software keys can be easily copied as files. Option B is wrong because HSMs are significantly more expensive than software-based storage due to specialized hardware, certifications (e.g., FIPS 140-2 Level 3/4), and lifecycle management costs. Option D is wrong because while HSMs can accelerate key generation using dedicated hardware random number generators, software-based key generation can also be fast using CPU-based RDRAND or similar instructions, and speed is not the primary security advantage of an HSM.

869
Multi-Selectmedium

Which THREE of the following are key practices in the OWASP ASVS (Application Security Verification Standard) for secure software? (Select exactly three.)

Select 3 answers
A.Secure error handling and logging
B.Integration with password managers
C.Authentication and session management
D.Network segmentation between tiers
E.Input validation and sanitization
AnswersA, C, E

ASVS V7 covers error handling.

Why this answer

Secure error handling and logging is a key practice in OWASP ASVS because it ensures that applications do not leak sensitive information through error messages (e.g., stack traces, database dumps) and that logs capture security-relevant events (e.g., authentication failures, input validation errors) without storing sensitive data such as passwords or PII. ASVS 4.0 chapter V7 (Error Handling and Logging) requires that errors are handled uniformly, logs are protected from unauthorized access, and log entries carry enough context for incident response. Authentication and session management (C) map to chapters V2 (Authentication) and V3 (Session Management); input validation and sanitization (E) map to V5 (Validation, Sanitization and Encoding). Note that chapter numbering changes between major ASVS versions; the references here are to ASVS 4.0.

Exam trap

The trap here is that candidates confuse general security best practices (like network segmentation or password manager integration) with the specific, application-focused requirements of OWASP ASVS, which is strictly about software security verification at the code and design level, not infrastructure or external tool integration.

870
MCQmedium

A financial institution is implementing a data retention policy to comply with regulatory requirements. The policy must ensure that transaction records are retained for 7 years and then securely destroyed. Which of the following is the BEST approach to implement this policy?

A.Encrypt all records and destroy the encryption keys after 7 years
B.Automatically purge records using a data management tool that overwrites data after the retention period
C.Move records to a separate archive and delete the directory pointers
D.Manually review and delete records after 7 years
AnswerB

Automated purging ensures consistent and timely destruction, reducing human error and ensuring compliance.

Why this answer

Option B is correct because an automated data management tool purges records at the end of the retention period without depending on anyone remembering to do it, and overwrites the data rather than merely unlinking it, producing a logged, verifiable destruction event for each record. Follow NIST SP 800-88 Rev. 1 for the sanitization method: a single overwrite pass is sufficient for modern magnetic media (the multi-pass DoD 5220.22-M patterns are obsolete), while flash and SSD storage must be sanitized with the device's own sanitize or crypto-erase command, because wear-levelling keeps copies that an overwrite cannot reach.

Exam trap

The trap here is that candidates treat cryptographic erasure (Option A) as equivalent. NIST SP 800-88 does accept destroying the key as a purge method, but only when every copy of the data was encrypted under that key from creation and the key material, including every backup and escrow copy, is provably destroyed. Over a 7-year record lifecycle in a financial institution those conditions are hard to demonstrate, and key destruction leaves no per-record destruction event to show an auditor.

How to eliminate wrong answers

Option A is wrong in this scenario because destroying the key leaves the ciphertext on the media; it counts as sanitization only if the data never existed unencrypted anywhere (backups, replicas, exports) and no copy of the key survives, which is difficult to prove for records kept 7 years under routine key backup and rotation. Option C is wrong because moving records to a separate archive and deleting directory pointers only removes the file system references, leaving the data intact on the storage media where forensic tools can recover it; that is not secure destruction. Option D is wrong because manual review and deletion after 7 years is prone to human error, lacks an audit trail, and does not guarantee that data is securely overwritten or destroyed, so it fails the policy's requirement for reliable and verifiable destruction.

871
MCQmedium

Refer to the exhibit. Which security risk does this policy primarily introduce?

A.Privilege escalation
B.Unauthorized read access
C.Denial of service
D.Unauthorized write access
AnswerD

Any user can upload objects to the bucket.

Why this answer

The exhibit shows a bucket policy whose statement allows write operations (object upload) to any principal, including unauthenticated users, with no restricting condition. This primarily introduces the risk of unauthorized write access: anyone on the Internet can place, overwrite or replace objects, leading to data corruption, hosting of malicious content, or unauthorized changes to what the bucket serves.

Exam trap

The trap here is that candidates often confuse 'unauthorized write access' with 'privilege escalation,' but the policy grants write permission to everyone outright; no elevation step is involved, so unauthorized write access is the primary risk.

How to eliminate wrong answers

Option A is wrong because privilege escalation means gaining permissions beyond those assigned, such as from user to administrator, whereas this policy grants write access directly. Option B is wrong because unauthorized read access concerns viewing data, and the statement in the exhibit grants write actions, not read. Option C is wrong because denial of service concerns availability, whereas this risk is to integrity; a write grant could be abused to fill the bucket, but that is a secondary effect, not the primary risk.
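The distinction between options B and D, as an added example that is not part of the original question set: the script below audits a bucket policy for Allow statements granted to anonymous principals and classifies each as a write or read exposure. The two policies are constructed to resemble the exhibit (any principal may upload) and a corrected version; the bucket name and the 123456789012 account ID are placeholders.

```python
"""Audit an S3 bucket policy for grants to anonymous principals.

Added example, not from the original page. The policies below are
constructed to resemble the exhibit (any principal may upload) and a
corrected version; the bucket name and the 123456789012 account ID are
placeholders.
"""
import json

WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:Restore", "s3:Abort", "s3:Replicate")

PUBLIC_UPLOAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicUpload",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:PutObject", "s3:PutObjectAcl"],
        "Resource": "arn:aws:s3:::example-uploads/*",
    }],
})

RESTRICTED_UPLOAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "UploadServiceOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/upload-service"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-uploads/*",
    }],
})

PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-uploads/*",
    }],
})


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """'*' and {"AWS": "*"} both mean everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False


def is_write_action(action):
    return action in ("*", "s3:*") or action.startswith(WRITE_PREFIXES)


def audit_bucket_policy(policy_json):
    """Return findings for Allow statements granted to anonymous principals.

    Write-capable actions are reported as 'unauthorized write access' and
    everything else as 'unauthorized read access'. Statements carrying a
    Condition block are still reported but marked, because a condition such
    as aws:SourceIp may narrow the grant and needs a human look.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        actions = as_list(stmt.get("Action", []))
        by_risk = {
            "unauthorized write access": [a for a in actions if is_write_action(a)],
            "unauthorized read access": [a for a in actions if not is_write_action(a)],
        }
        for risk, acts in by_risk.items():
            if acts:
                findings.append({
                    "statement": index,
                    "sid": stmt.get("Sid"),
                    "risk": risk,
                    "actions": acts,
                    "resource": stmt.get("Resource"),
                    "conditional": "Condition" in stmt,
                })
    return findings


if __name__ == "__main__":
    for name, policy in [("public upload", PUBLIC_UPLOAD_POLICY),
                         ("restricted upload", RESTRICTED_UPLOAD_POLICY),
                         ("public read", PUBLIC_READ_POLICY)]:
        print(name, audit_bucket_policy(policy))
```

Two things the policy text alone does not tell you: account- or bucket-level Block Public Access settings can neutralize a finding like this without changing the policy, and object ACLs are a separate grant path that this audit does not inspect, so a clean policy is necessary but not sufficient.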

872
Multi-Selectmedium

During a penetration testing engagement, which THREE of the following are essential components of the rules of engagement document?

Select 3 answers
A.Vulnerability severity ratings
B.Emergency stop criteria
C.Detailed exploit code
D.Scope definition including target systems
E.Written authorization from management
AnswersB, D, E

Emergency stop criteria are critical for halting testing if adverse effects occur.

Why this answer

Emergency stop criteria (Option B) are essential in a rules of engagement (ROE) document because they define the specific conditions or signals that require the penetration test to halt immediately, such as causing a production outage, exceeding defined thresholds, or receiving a stop command from the client. This protects both the tester and the client from unintended damage and ensures legal and operational boundaries are respected. Without explicit stop criteria, the engagement could continue past a critical failure, violating the agreed terms and potentially causing liability.

Exam trap

The trap here is that candidates pick vulnerability severity ratings (A) or detailed exploit code (C) because they appear in the final report and in the tester's methodology, but the rules of engagement define the boundaries of the test (what may be touched, when to stop, and under whose authority), not its findings or its tooling.

873
MCQhard

A company is migrating from WPA2 to WPA3 to enhance wireless security. Which of the following cryptographic changes does WPA3 introduce compared to WPA2?

A.WPA3 replaces PSK with SAE and uses GCMP-256 encryption.
B.WPA3 uses TKIP for backward compatibility.
C.WPA3 uses AES-CCMP as the mandatory encryption method.
D.WPA3 eliminates the need for 802.1X authentication.
AnswerA

SAE replaces the WPA2 PSK handshake and provides forward secrecy and resistance to offline dictionary attacks; GCMP-256 is the cipher WPA3 adds, required in WPA3-Enterprise 192-bit mode.

Why this answer

WPA3-Personal replaces the WPA2 Pre-Shared Key (PSK) four-way handshake with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange specified in IEEE 802.11 (originally in 802.11s and folded into 802.11-2016). Each SAE exchange derives a fresh pairwise master key from an ephemeral Diffie-Hellman exchange, so a captured handshake cannot be run through an offline dictionary attack and earlier sessions stay protected even if the passphrase later leaks (forward secrecy). WPA3 also introduces GCMP-256 (Galois/Counter Mode Protocol with a 256-bit key), which is required in the WPA3-Enterprise 192-bit mode; WPA3-Personal itself continues to use AES-CCMP-128, so the SAE handshake is the change every WPA3 deployment sees.

Exam trap

The trap here is that candidates assume WPA3 changed the cipher everywhere. GCMP-256 belongs to the WPA3-Enterprise 192-bit mode; WPA3-Personal keeps AES-CCMP, and TKIP is not permitted in any WPA3 mode. The change that applies to every WPA3 network is the SAE handshake.

How to eliminate wrong answers

Option B is wrong because TKIP, a WPA1-era protocol built around RC4, is not permitted in WPA3 (it was already deprecated in WPA2); WPA3 requires CCMP or GCMP. Option C is wrong because AES-CCMP was already mandatory in WPA2, so it is not a change WPA3 introduces; the new cipher WPA3 adds is GCMP-256 in the 192-bit Enterprise mode. Option D is wrong because WPA3-Enterprise still authenticates with 802.1X/EAP; SAE replaces PSK only in the Personal mode.

874
MCQeasy

You are the lead security analyst at a mid-sized financial services firm. At 2:15 PM, the SIEM alerts on multiple failed login attempts from an external IP address against the VPN gateway. The attempts stopped at 2:20 PM, but at 2:30 PM, a user reports that their account was used to send a phishing email to internal employees. You confirm that the user's account has been compromised. The CEO asks for an immediate update. What should be your FIRST action according to the incident response framework your company follows (based on NIST SP 800-61)?

A.Preserve forensic evidence by creating a disk image of the user's workstation.
B.Validate the incident and assess its scope and impact.
C.Immediately notify the legal and compliance teams.
D.Isolate the compromised workstation from the network.
AnswerB

Validation ensures it is a real incident; assessment prioritizes response.

Why this answer

NIST SP 800-61 describes the incident response life cycle as Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. The SIEM alert and the user report place you in Detection and Analysis: confirm that the account really was misused and establish the scope and impact (which account, what the phishing email asked recipients to do, who received it, whether other accounts were hit) before moving to containment, eradication, or recovery. This keeps resources off false positives, makes the response proportional to the actual threat, and gives you something concrete to tell the CEO.

Exam trap

The trap here is that candidates treat a containment action (such as isolating the workstation) as the first step, but NIST SP 800-61 places validation and scoping in Detection and Analysis, ahead of containment, so that the response fits the incident and does not cause avoidable disruption.

How to eliminate wrong answers

Option A is wrong because preserving forensic evidence (e.g., creating a disk image) is a step that occurs after the incident has been validated and scoped; performing it prematurely could waste resources if the incident is a false positive or if the scope extends beyond that single workstation. Option C is wrong because notifying legal and compliance teams is a communication step that typically follows validation and initial containment, not the first action; immediate notification without confirmed scope could cause unnecessary escalation or legal exposure. Option D is wrong because isolating the compromised workstation is a containment action that should be taken after the incident is validated and its scope assessed; premature isolation could disrupt business operations or alert an attacker before full understanding of the incident.

875
MCQhard

An organization is implementing a patch management process. Which of the following is the most critical step to ensure that patches do not disrupt critical business operations?

A.Integrating patch deployment with change management
B.Applying patches as soon as they are released
C.Scanning for vulnerabilities weekly
D.Using automated patch tools
AnswerA

Change management includes testing, scheduling, and approval to avoid conflicts.

Why this answer

Change management ensures patches are tested and approved before deployment, minimizing operational impact.

876
MCQhard

Under HIPAA, a covered entity must have a Business Associate Agreement (BAA) with which of the following?

A.A cloud service provider hosting ePHI
B.A janitorial service that cleans the office
C.A government regulator conducting an audit
D.A patient requesting their medical records
AnswerA

Correct - A cloud provider that processes or stores PHI is a business associate.

Why this answer

A BAA is required with a business associate, which is a person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of a covered entity. A cloud service provider that stores ePHI is a business associate.

877
MCQeasy

Which of the following is a key difference between a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP)?

A.BCP ensures continuity of business operations; DRP restores IT infrastructure
B.BCP only addresses natural disasters; DRP addresses all disasters
C.BCP is tested annually; DRP is tested monthly
D.BCP focuses on IT restoration; DRP focuses on business processes
AnswerA

This correctly distinguishes the two plans.

Why this answer

BCP focuses on maintaining business functions during/after a disaster, while DRP focuses on restoring IT systems.

878
Multi-Selectmedium

A security engineer is hardening a system against side-channel attacks that exploit variations in execution time or power consumption. Which TWO mitigations are specifically designed to counter such attacks? Select two.

Select 2 answers
A.Data Execution Prevention (DEP)
B.Address Space Layout Randomization (ASLR)
C.Input validation
D.Constant-time algorithms
E.Noise injection in power consumption
AnswersD, E

Prevent timing variations that leak information.

Why this answer

Constant-time programming ensures operations take the same time regardless of inputs, and noise injection obscures power consumption patterns.
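The following is an added example, not part of the question bank, showing why a secret comparison must be constant-time. Instead of measuring wall-clock time, each comparator reports how many byte comparisons it performed; that count is the quantity a timing attacker estimates from many requests. The attacker function recovers a constructed API key (`SECRET`) from the early-exit comparator one byte at a time and fails against the constant-time one. All names are this example's own.

```python
"""Why a secret comparison must be constant-time, shown with a leaky and a fixed comparator."""
import hmac
from typing import Callable, Tuple

Comparator = Callable[[bytes, bytes], Tuple[bool, int]]

SECRET = bytes.fromhex("7a13c4091f")   # constructed 5-byte API key for the demonstration


def naive_equal(expected: bytes, supplied: bytes) -> Tuple[bool, int]:
    """Early-exit comparison: the work done grows with the length of the matching prefix."""
    if len(expected) != len(supplied):
        return False, 0
    steps = 0
    for a, b in zip(expected, supplied):
        steps += 1
        if a != b:
            return False, steps          # returning here leaks how many leading bytes were right
    return True, steps


def constant_time_equal(expected: bytes, supplied: bytes) -> Tuple[bool, int]:
    """OR the XOR of every byte pair together; the loop always runs to the end."""
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    steps = 0
    for a, b in zip(expected, supplied):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps


def stdlib_equal(expected: bytes, supplied: bytes) -> bool:
    """What production code should call; CPython implements it without data-dependent early exits."""
    return hmac.compare_digest(expected, supplied)


def attack_byte_by_byte(secret: bytes, compare: Comparator) -> bytes:
    """Recover `secret` from the comparator's step count, one position at a time.

    For each position all 256 byte values are tried; the guess that makes the
    comparison run one step further (or finally succeed) is the right one.
    Against a constant-time comparator every guess costs the same, so the
    attacker learns nothing and is left with the first candidate tried.
    """
    recovered = bytearray(len(secret))
    for pos in range(len(secret)):
        best_guess, best_rank = 0, (-1, False)
        for guess in range(256):
            recovered[pos] = guess
            ok, steps = compare(secret, bytes(recovered))
            rank = (steps, ok)           # more work, or an actual match, means a better guess
            if rank > best_rank:
                best_guess, best_rank = guess, rank
        recovered[pos] = best_guess
    return bytes(recovered)


if __name__ == "__main__":
    print("leaky comparator recovered:        ", attack_byte_by_byte(SECRET, naive_equal).hex())
    print("constant-time comparator recovered:", attack_byte_by_byte(SECRET, constant_time_equal).hex())
```

The step counter is a model: in an interpreted language the loop in `constant_time_equal` still has data-independent control flow, but real timing guarantees come from `hmac.compare_digest` (or `crypto/subtle` in Go, `CRYPTO_memcmp` in OpenSSL), which is why `stdlib_equal` is the call to ship. Note also that the length check itself leaks the length of the secret; pad or hash both sides first when that matters.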

879
MCQmedium

A security architect is designing controls for a cloud-based file storage service that stores personally identifiable information (PII). Which control best ensures that data remains encrypted at rest without involving the cloud provider's key management?

A.Tokenization of PII fields
B.Transport Layer Security (TLS) for data in transit
C.Client-side encryption
D.Server-side encryption with customer-managed keys
AnswerC

Client-side encryption ensures data is encrypted before leaving the client, provider cannot decrypt.

Why this answer

Client-side encryption ensures data is encrypted before it leaves the client device, so the cloud provider never has access to the plaintext or the encryption keys. This guarantees that the data remains encrypted at rest in the cloud storage without relying on the provider's key management infrastructure, meeting the requirement of keeping the provider out of the key management loop.

Exam trap

The trap here is that candidates often confuse server-side encryption with customer-managed keys (Option D) as being fully independent of the provider, but in reality, the provider's key management service still handles the encryption/decryption operations, which does not satisfy the 'without involving the cloud provider's key management' requirement.

How to eliminate wrong answers

Option A is wrong because tokenization replaces PII with non-sensitive tokens, but the original data is still stored elsewhere (often in a token vault) and does not inherently encrypt the data at rest in the cloud storage; it is a data masking technique, not an encryption control. Option B is wrong because Transport Layer Security (TLS) protects data in transit between the client and server, but it does not address encryption at rest; once data reaches the cloud storage, it is decrypted and stored in plaintext unless another mechanism is applied. Option D is wrong because server-side encryption with customer-managed keys still involves the cloud provider's key management service (e.g., AWS KMS, Azure Key Vault) to encrypt/decrypt data; the provider manages the encryption process, even if the customer supplies the key material, which violates the requirement of not involving the provider's key management.

880
Multi-Selectmedium

Which THREE of the following are valid methods for securing wireless networks against unauthorized access?

Select 3 answers
A.MAC address filtering
B.Implementing a wireless intrusion prevention system (WIPS)
C.WPA3-Enterprise with 802.1X
D.Using WEP with a complex key
E.Disabling SSID broadcast
AnswersA, B, C

MAC filtering can restrict which devices can connect, though it can be bypassed; it is a valid method.

Why this answer

MAC address filtering (A) is a basic access control: the access point is configured to accept only devices whose MAC addresses are on an allow list. It is a weak control on its own because 802.11 frame headers carry MAC addresses in the clear, so an attacker can observe an allowed address with any wireless sniffer and then assign it to their own adapter (for example with `macchanger` or `ip link set dev wlan0 address <mac>` on Linux). It still counts as a valid method on the exam, which is why A is accepted alongside the much stronger WIPS (B) and WPA3-Enterprise with 802.1X (C).

Exam trap

The trap here is that candidates often believe disabling SSID broadcast or using WEP with a complex key provides meaningful security, but the CISSP exam expects you to recognize these as obsolete or easily bypassed controls that do not prevent unauthorized access.

881
MCQhard

A company is implementing a data masking solution for a test database that mirrors production. Which masking technique preserves referential integrity while obfuscating sensitive values?

A.Hash-based masking
B.Static data masking
C.Deterministic encryption
D.Dynamic data masking
AnswerC

Deterministic encryption preserves referential integrity because same plaintext maps to same ciphertext.

Why this answer

Deterministic encryption (C) is correct because it uses a consistent key and algorithm to always produce the same ciphertext for a given plaintext value, allowing foreign key relationships to be maintained across tables. This preserves referential integrity while obfuscating sensitive data, as the encrypted values can still be joined reliably. Static data masking (B) replaces values with fictional but consistent substitutes, but it does not use encryption and may not guarantee the same level of consistency for complex referential constraints without careful design.

Exam trap

The trap here is that candidates confuse 'deterministic encryption' with 'static data masking' because both produce consistent outputs, but static masking does not use encryption and is not reversible, whereas deterministic encryption allows authorized decryption for legitimate use cases.

How to eliminate wrong answers

Option A is wrong because hash-based masking applies an unkeyed one-way function (e.g., SHA-256); being deterministic it does keep joins working, but it is not reversible and gives weak confidentiality for low-entropy fields (an identifier or date of birth can be recovered by hashing every candidate value and matching), so it does not obfuscate the way deterministic encryption does. Option B is wrong because static data masking replaces sensitive data with realistic but non-reversible substitutes (e.g., random names or numbers) and, although it can be made consistent, it does not use encryption and breaks referential integrity unless the same substitution is applied to every related table. Option D is wrong because dynamic data masking alters data on the fly at query time based on user permissions and does not change the underlying stored data; it is a control for production access, not a way to build a test database.
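The following is an added example, not part of the question bank, that puts the three masking strategies from this question side by side on the two properties that matter: do foreign keys still join after masking, and can a masked value be brute-forced back to the original? `CUSTOMERS` and `ORDERS` are constructed tables sharing a 4-digit national ID (`nid`) as the join key; the small ID space keeps the brute-force demonstration fast. The keyed deterministic masker uses HMAC-SHA256 as a stand-in for a deterministic cipher such as AES-SIV, which the standard library does not provide: it shares the same-input/same-output property that preserves referential integrity, but unlike encryption it cannot be reversed by the key holder. `MASK_KEY` is hypothetical and generated at import.

```python
"""Masking strategies compared: join preservation versus brute-force recoverability."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List

# Constructed sample tables; nid is the foreign key from ORDERS to CUSTOMERS.
CUSTOMERS = [{"nid": "0042", "name": "Ada"}, {"nid": "1337", "name": "Bob"}, {"nid": "2718", "name": "Cy"}]
ORDERS = [{"order": 1, "nid": "0042"}, {"order": 2, "nid": "0042"},
          {"order": 3, "nid": "1337"}, {"order": 4, "nid": "2718"}]
NID_SPACE = [f"{i:04d}" for i in range(10_000)]          # every possible national ID

MASK_KEY = secrets.token_bytes(32)   # hypothetical: held by the masking job, never shipped to the test environment

Masker = Callable[[str], str]


def mask_random(value: str) -> str:
    """Static masking with a fresh random substitute per row: no key, no consistency across rows."""
    return secrets.token_hex(8)


def mask_unkeyed_hash(value: str) -> str:
    """Hash-based masking: deterministic, but anyone can hash every candidate and match."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def mask_keyed_deterministic(value: str) -> str:
    """Keyed deterministic masking: same input gives same output, but only with MASK_KEY."""
    return hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def attacker_guess_keyed(value: str) -> str:
    """What an attacker without MASK_KEY can compute: the same construction under a guessed key."""
    return hmac.new(b"not-the-real-key", value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_table(rows: List[Dict], column: str, masker: Masker) -> List[Dict]:
    """Apply the masker to one column, leaving the other columns untouched."""
    return [{**row, column: masker(row[column])} for row in rows]


def join_count(customers: List[Dict], orders: List[Dict]) -> int:
    """Rows returned by customers JOIN orders ON nid; equals len(orders) when no foreign key is orphaned."""
    keys = {c["nid"] for c in customers}
    return sum(1 for o in orders if o["nid"] in keys)


def brute_force(masked: str, attacker_can_compute: Masker) -> str:
    """Re-mask every candidate ID with whatever function the attacker can run; return a hit or ''."""
    for candidate in NID_SPACE:
        if attacker_can_compute(candidate) == masked:
            return candidate
    return ""


def evaluate(masker: Masker, attacker_can_compute: Masker) -> Dict[str, object]:
    """Mask both tables, then report join preservation and the outcome of a brute-force attempt."""
    masked_customers = mask_table(CUSTOMERS, "nid", masker)
    masked_orders = mask_table(ORDERS, "nid", masker)
    return {
        "joins_preserved": join_count(masked_customers, masked_orders) == len(ORDERS),
        "recovered": brute_force(masked_customers[0]["nid"], attacker_can_compute),
    }


if __name__ == "__main__":
    print("random substitute:  ", evaluate(mask_random, mask_random))
    print("unkeyed hash:       ", evaluate(mask_unkeyed_hash, mask_unkeyed_hash))
    print("keyed deterministic:", evaluate(mask_keyed_deterministic, attacker_guess_keyed))
```

Two caveats a practitioner should keep in mind. Any deterministic scheme, encryption included, still reveals equality and frequency (two rows with the same masked value share the same real value), so it is a poor fit for low-cardinality columns such as postcode. And the reason to prefer a deterministic cipher over the HMAC stand-in in production is reversibility: the masking team can decrypt a value for a support case, which no keyed hash allows.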

882
Multi-Selecteasy

Which TWO documents are considered foundational for an information security program?

Select 2 answers
A.Security policy
B.Baseline
C.Guideline
D.Incident response plan
E.Standard operating procedure
AnswersA, D

Foundation of the security program.

Why this answer

A security policy is foundational because it defines management's intent and sets the high-level direction for the entire information security program. It establishes the mandatory rules and principles that all other security documents (standards, baselines, guidelines, and procedures) must align with. Without a security policy, there is no authoritative mandate to enforce security controls or allocate resources.

Exam trap

The trap here is that candidates often confuse 'foundational' with 'operational' and select baselines or guidelines because they are common in daily work, but the CISSP emphasizes that the security policy and incident response plan are the two top-level documents that establish the program's authority and response capability.

883
MCQeasy

In IPsec, which protocol provides both authentication and encryption for the packet payload, but does not encrypt the IP header?

A.IKE (Internet Key Exchange)
B.ISAKMP (Internet Security Association and Key Management Protocol)
C.ESP (Encapsulating Security Payload)
D.AH (Authentication Header)
AnswerC

ESP offers both encryption and authentication; in transport mode, it encrypts the payload only.

Why this answer

ESP (Encapsulating Security Payload) encrypts the packet payload and, when an authentication algorithm is configured, also integrity-protects the ESP header, payload and trailer. The IP header that routers use for forwarding stays in the clear and lies outside ESP's integrity check (in tunnel mode this is a new outer header; the original header travels inside the encrypted payload). That is the distinction from AH, which covers the IP header with its integrity check but provides no encryption.

Exam trap

The exam often tests the distinction between ESP and AH by emphasizing that AH authenticates the entire packet (including the IP header) but provides no encryption, while ESP encrypts the payload but leaves the IP header unencrypted, leading candidates to mistakenly choose AH when encryption is required.

How to eliminate wrong answers

Option A is wrong because IKE (Internet Key Exchange) is a protocol used to establish security associations (SAs) and exchange cryptographic keys, not to directly encrypt or authenticate packet payloads. Option B is wrong because ISAKMP (Internet Security Association and Key Management Protocol) provides a framework for SA negotiation and key management, but does not itself perform payload encryption or authentication. Option D is wrong because AH (Authentication Header) provides integrity and authentication for the entire packet (including the IP header) but does not offer encryption, so it cannot encrypt the payload.

884
MCQeasy

A company needs to provide secure remote access to employees using company-issued laptops. The solution must support both web applications and legacy client-server apps without installing client software on the laptops. Which VPN technology is best?

A.SSL VPN with clientless web access and port forwarding
B.L2TP over IPsec
C.MPLS Layer 3 VPN
D.IPsec tunnel mode
AnswerA

SSL VPN offers clientless access for web apps and port forwarding for legacy apps, meeting the requirement.

Why this answer

SSL VPN with clientless web access and port forwarding is the best choice because it meets the requirement of supporting both web applications and legacy client-server apps without installing client software. Clientless web access provides secure HTTPS-based access to internal web applications via a browser, while port forwarding allows legacy TCP-based client-server applications to be tunneled through the SSL VPN without requiring a full VPN client on the laptop. This approach leverages the existing browser and OS capabilities, eliminating the need for additional software installation.

Exam trap

The trap here is that candidates often assume IPsec (Option D) is the only 'secure' VPN option and overlook that SSL VPNs can provide equivalent security with clientless access, or they confuse MPLS (Option C) as a remote access solution when it is actually a WAN technology for site-to-site connectivity.

How to eliminate wrong answers

Option B (L2TP over IPsec) is wrong because it requires a native VPN client or OS-level configuration on the laptop, which contradicts the 'without installing client software' requirement; it also does not natively support clientless web access. Option C (MPLS Layer 3 VPN) is wrong because it is a service provider technology for connecting entire networks at Layer 3, not a remote access VPN for individual endpoints, and it requires MPLS-capable routers and no user-level authentication or clientless access. Option D (IPsec tunnel mode) is wrong because it requires a dedicated IPsec client or OS-level VPN stack to be installed or configured on the laptop, and it does not provide clientless web access or port forwarding for legacy apps without additional software.

885
MCQmedium

During a digital forensics investigation, which of the following data sources has the highest order of volatility?

A.CPU registers
B.Remote logging server
C.Network packets in transit
D.Hard disk drive
AnswerA

Registers are the most volatile.

Why this answer

CPU registers hold the most volatile data, followed by cache, RAM, swap, disk, remote logging, and physical media.

886
MCQeasy

A security analyst detects repeated failed login attempts from a single external IP address targeting a user account. What is the best IMMEDIATE action?

A.Investigate the source IP's history
B.Block the IP address at the perimeter firewall
C.Disable the targeted user account
D.Enable account lockout after three failures
AnswerB

Immediately stops the attack.

Why this answer

Blocking the IP address at the perimeter firewall is the best immediate action because it stops the ongoing brute-force attack at the network boundary, preventing further authentication attempts without affecting the legitimate user's access. This aligns with the principle of containment in incident response, prioritizing rapid mitigation over investigation or configuration changes that could delay the response.

Exam trap

The trap here is that candidates confuse 'immediate action' with 'long-term fix' and choose to investigate the IP (A) or implement a policy change (D), failing to recognize that containment (B) must come first in the incident response process.

How to eliminate wrong answers

Option A is wrong because investigating the source IP's history is a forensic step that should follow containment, not precede it; delaying action allows the attack to continue. Option C is wrong because disabling the targeted user account would deny service to the legitimate user and does not address the external threat, which could simply pivot to another account. Option D is wrong because enabling account lockout after three failures is a preventive configuration change that takes time to implement and does not stop the current attack in progress; it also risks locking out the legitimate user if the attacker triggers the threshold.

887
MCQhard

An organization is adopting a microservices architecture. Which security control is most effective for ensuring that inter-service communication is authenticated and authorized?

A.Implementing mutual TLS (mTLS) between services
B.Relying on network segmentation and IP allowlisting
C.Using JSON Web Tokens (JWT) in the HTTP header
D.Using pre-shared API keys for each service pair
AnswerA

mTLS provides bidirectional certificate-based authentication and encrypted communication.

Why this answer

Mutual TLS (mTLS) is the most effective control because it provides both authentication and encryption for inter-service communication. In a microservices architecture, mTLS ensures that each service presents a valid X.509 certificate, and both sides verify each other's identity before any data exchange, preventing unauthorized or spoofed services from communicating. This aligns with the principle of zero trust, where no implicit trust is granted based on network location.

Exam trap

The trap here is that candidates often pick JWT (Option C) because it is commonly used for user authentication, but they overlook that JWT alone does not encrypt the channel or provide mutual authentication between services, which is critical for inter-service communication in a microservices architecture.

How to eliminate wrong answers

Option B is wrong because network segmentation and IP allowlisting only control access at the network layer and do not authenticate the identity of the calling service; IP addresses can be spoofed or changed in dynamic environments like containers. Option C is wrong because JWT in the HTTP header provides authentication of the token issuer but does not encrypt the communication channel, leaving it vulnerable to interception or replay attacks unless combined with TLS; it also does not provide mutual authentication. Option D is wrong because pre-shared API keys for each service pair are static credentials that are difficult to rotate at scale, lack built-in encryption, and are vulnerable to leakage or compromise without a secure channel.

888
Multi-Selecthard

Which THREE of the following are key components of a disaster recovery plan for a hot site? (Select three)

Select 3 answers
A.Pre-installed servers and workstations
B.Empty space with power and cooling only
C.Real-time data replication from primary site
D.Network connectivity with bandwidth to support operations
E.Long lead time to activate (e.g., weeks)
AnswersA, C, D

Hardware must be ready and configured.

Why this answer

A hot site is fully equipped and ready to take over operations quickly, requiring real-time data synchronization, pre-installed hardware, and network connectivity.

889
MCQeasy

An organization's data retention policy requires that financial records be kept for seven years. After that period, the records must be destroyed in a manner that prevents reconstruction. Which of the following is the best sanitization method for paper records containing sensitive financial data?

A.Cross-cut shredding
B.Overwriting with random patterns multiple times
C.Cryptographic erasure
D.Degaussing with a strong magnetic field
AnswerA

Correct. Cross-cut shredding physically destroys paper records, preventing reconstruction.

Why this answer

Cross-cut shredding reduces paper to small particles, making reconstruction extremely difficult and is a common method for destroying paper records.

890
Multi-Selecthard

An organization is implementing Privileged Access Management (PAM). Which THREE of the following are common features of a PAM solution? (Select THREE)

Select 3 answers
A.Password vaulting
B.Self-service password reset
C.Just-in-time (JIT) access
D.Session recording and monitoring
E.Break-glass access
AnswersA, C, D

Vaulting stores privileged credentials securely.

Why this answer

Common PAM features include just-in-time access, session recording/monitoring, and password vaulting. Break-glass accounts are emergency access, not a standard feature.

891
Multi-Selectmedium

A company is designing a secure application that requires hardware-based key storage and remote attestation. Which THREE technologies provide hardware root of trust? Select three.

Select 3 answers
A.Virtual Trusted Platform Module (vTPM)
B.Hardware Security Module (HSM)
C.Software Guard Extensions (SGX)
D.Trusted Execution Environment (TEE)
E.Trusted Platform Module (TPM)
AnswersB, D, E

HSM provides hardware-based key management and cryptographic operations.

Why this answer

TPM (E), TEE (D, of which Intel SGX and ARM TrustZone are implementations) and HSM (B) each anchor keys and measurements in dedicated hardware, so they can serve as a root of trust and, for TPM and TEE, as the basis for remote attestation. SGX (C) is not selected because it is one implementation of the TEE category already chosen in D. A vTPM (A) is a software emulation whose security rests on the hypervisor; it is only as trustworthy as the physical TPM or HSM that backs it, so it is not itself a hardware root of trust.

892
MCQhard

A company wants to measure the effectiveness of its vulnerability management program. Which metric would best indicate the organization's ability to respond quickly to critical vulnerabilities?

A.Patch compliance percentage
B.ROI of security controls
C.Mean time to remediate critical vulnerabilities
D.Number of open vulnerabilities by severity
AnswerC

MTTR for critical vulnerabilities indicates response speed.

Why this answer

Mean time to remediate (MTTR) for critical vulnerabilities directly measures the speed of response, which is a key indicator of program effectiveness.

893
MCQeasy

Which type of digital forensics involves capturing and analyzing network traffic to investigate a security incident?

A.Media analysis
B.Log analysis
C.Network forensics
D.Memory forensics
AnswerC

Network forensics examines network traffic, logs, and packets.

Why this answer

Network forensics focuses on monitoring and analyzing network traffic for evidence.

894
Multi-Selecteasy

A security analyst is reviewing the authentication mechanism of a web application. Which TWO of the following are examples of broken authentication vulnerabilities?

Select 2 answers
A.Insecure direct object reference in profile URLs
B.Verbose error messages disclosing user IDs
C.Lack of multi-factor authentication for sensitive actions
D.Session timeout set to 60 minutes
E.Allowing weak passwords without complexity requirements
AnswersC, E

MFA adds an extra layer of security.

Why this answer

Allowing weak passwords (e.g., 'password123') and not having multi-factor authentication (MFA) are broken authentication issues. Session timeout is a security control, not a vulnerability. Verbose error messages are a misconfiguration, and IDOR is an access control issue.

895
MCQeasy

Which type of firewall is capable of inspecting application-layer data, performing SSL decryption, and integrating intrusion prevention capabilities?

A.Packet filter firewall
B.Next-generation firewall
C.Application proxy firewall
D.Stateful firewall
AnswerB

NGFW combines L7 inspection, SSL decryption, and IPS.

Why this answer

A next-generation firewall (NGFW) goes beyond traditional stateful inspection by incorporating deep packet inspection (DPI) of application-layer data, the ability to decrypt and inspect SSL/TLS traffic, and integrated intrusion prevention system (IPS) capabilities. This convergence allows NGFWs to identify and block threats within encrypted sessions and enforce policies based on application identity rather than just ports and protocols.

Exam trap

The trap here is that candidates often confuse an application proxy firewall with an NGFW, but the key differentiator is that an NGFW integrates SSL decryption and IPS into a single engine, whereas a proxy firewall typically handles only specific application protocols without inline threat prevention.

How to eliminate wrong answers

Option A is wrong because a packet filter firewall operates only at Layers 3 and 4, inspecting source/destination IP addresses and port numbers without any application-layer awareness or SSL decryption capability. Option C is wrong because an application proxy firewall can inspect application-layer data but typically does not perform SSL decryption natively at line rate and lacks integrated intrusion prevention; it acts as an intermediary for specific protocols (e.g., HTTP, FTP) rather than providing unified threat management. Option D is wrong because a stateful firewall tracks connection state (e.g., TCP handshake) at Layers 3 and 4 but cannot inspect application payloads, decrypt SSL, or run an IPS engine.

896
Multi-Selectmedium

A security analyst is reviewing a web application that handles financial transactions. Which TWO of the following are effective controls against Cross-Site Request Forgery (CSRF)?

Select 2 answers
A.Setting cookies with the SameSite attribute to Strict
B.Using anti-CSRF tokens in forms
C.Using HTTPS for all pages
D.Enforcing strong password policies
E.Implementing input validation on all user inputs
AnswersA, B

SameSite=Strict prevents cookies from being sent in cross-site requests, mitigating CSRF.

Why this answer

CSRF tokens are unique per request and validate the source, while SameSite cookies restrict cookie sending to same-site requests.
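The following is an added example, not part of the question bank, showing the two controls from this question working together: a per-session synchronizer token checked on every state-changing request, and a session cookie marked `SameSite=Strict` so the browser never attaches it to a cross-site request in the first place. Requests and responses are plain dicts standing in for a web framework, `SESSION_STORE` is an in-memory session table, and `browser_sends` models only the SameSite rule of a browser; all names are this example's own.

```python
"""Synchronizer-token CSRF defence plus a SameSite=Strict session cookie."""
import hmac
import secrets
from typing import Dict, Optional, Tuple

SESSION_STORE: Dict[str, Dict[str, str]] = {}     # session id -> {"user": ..., "csrf": ...}


def issue_session(user: str) -> Tuple[str, str]:
    """On login: return the Set-Cookie value and the anti-CSRF token to embed in forms."""
    sid = secrets.token_urlsafe(32)
    csrf = secrets.token_urlsafe(32)                # bound to the session; rotate on login and privilege change
    SESSION_STORE[sid] = {"user": user, "csrf": csrf}
    set_cookie = f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
    return set_cookie, csrf


def parse_cookie_header(header: Optional[str]) -> Dict[str, str]:
    """Split a Cookie request header into name/value pairs."""
    cookies: Dict[str, str] = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def handle_transfer(request: Dict) -> Tuple[int, str]:
    """POST /transfer handler. Expects {"headers": {...}, "form": {...}}; returns (status, body)."""
    sid = parse_cookie_header(request["headers"].get("Cookie")).get("session", "")
    session = SESSION_STORE.get(sid)
    if session is None:
        return 401, "no session"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time compare so the token check cannot itself become a timing oracle.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {request['form']['amount']} on behalf of {session['user']}"


def browser_sends(set_cookie: str, form: Dict[str, str], cross_site: bool) -> Dict:
    """Model the browser: a SameSite=Strict cookie is withheld from any cross-site request."""
    headers: Dict[str, str] = {}
    if not cross_site or "SameSite=Strict" not in set_cookie:
        headers["Cookie"] = set_cookie.split(";")[0]    # only "session=<id>" is echoed back, never the attributes
    return {"headers": headers, "form": form}


if __name__ == "__main__":
    cookie, token = issue_session("alice")
    # Legitimate same-site form submission carrying the token.
    print(handle_transfer(browser_sends(cookie, {"amount": "10", "csrf_token": token}, cross_site=False)))
    # Forged form on attacker.example: SameSite=Strict means no cookie is sent at all.
    print(handle_transfer(browser_sends(cookie, {"amount": "9999"}, cross_site=True)))
    # Same forgery against a legacy cookie without SameSite: the token check still stops it.
    legacy = cookie.replace("; SameSite=Strict", "")
    print(handle_transfer(browser_sends(legacy, {"amount": "9999"}, cross_site=True)))
```

Keeping both controls is deliberate. `SameSite=Lax`, the common default, still sends the cookie on top-level GET navigations, so state changes must be POST-only and the token remains necessary; older clients do not enforce SameSite at all; and the token check also protects a deployment whose cookie attributes get changed by a later configuration edit.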

897
Multi-Selecteasy

A penetration tester is planning an engagement. Which of the following rules of engagement should be defined before testing begins? (Select TWO.)

Select 2 answers
A.The exact exploits to be used
B.Emergency contact procedures
C.The scope of systems to be tested
D.The tester's personal compensation
E.The names of employees to be targeted
AnswersB, C

Emergency contacts ensure proper response if issues arise.

Why this answer

Emergency contact procedures (B) are a critical component of the Rules of Engagement (RoE) because they define who to notify if an incident occurs during testing, such as an unintended system outage or detection by security monitoring. Without this, the tester risks legal or operational repercussions. The scope of systems to be tested (C) is equally essential as it explicitly lists IP ranges, hostnames, and network segments authorized for testing, preventing unauthorized access and ensuring compliance with the engagement contract.

Exam trap

The trap here is that candidates confuse 'Rules of Engagement' with a detailed test plan or contract, leading them to select options like 'exact exploits' (A) or 'compensation' (D), which are operational or financial details, not the high-level boundaries that define what is allowed and how to handle emergencies.

898
Multi-Selectmedium

An organization is updating its incident response plan. According to best practices, which THREE components should be included in the plan?

Select 3 answers
A.Roles and responsibilities
B.Vendor product list
C.Employee performance reviews
D.Communication plan
E.Recovery procedures
AnswersA, D, E

Clearly defined roles are essential for coordination.

Why this answer

An IR plan should include roles, communication plan, and recovery procedures.

899
MCQhard

A company plans to implement a disaster recovery site that can be operational within 2 hours of a failure. Which type of DR site best meets this requirement?

A.Hot site
B.Warm site
C.Cold site
D.Reciprocal agreement
AnswerA

A hot site is a fully replicated environment that can be activated quickly, often within 1-2 hours.

Why this answer

Hot sites are fully operational and can be activated within minutes to a few hours.

900
MCQhard

Refer to the exhibit. A SAML response is received by the service provider. Which security issue is present?

A.The NameID format is incorrect
B.The assertion is not signed
C.The validity window is too short
D.The subject confirmation method is insecure
AnswerB

Without a signature, the assertion could be tampered with during transmission.

Why this answer

The SAML response shown in the exhibit carries no digital signature on the assertion, and none on the enclosing response either. Without a signature, anyone who can intercept or replay the response between the identity provider and the service provider (including the user's own browser, since the POST binding passes the response through it) can alter the assertion content, for example the NameID or the attributes, and the service provider has no way to detect the change. The SAML 2.0 Web Browser SSO profile requires that the assertion, or the response carrying it, be signed when delivered over the HTTP POST binding so that the service provider can verify integrity and origin; here neither is signed, so the assertion is open to tampering.

Exam trap

The trap here is that candidates often assume the 'bearer' subject confirmation method is the security flaw, but the real issue is the absence of a digital signature on the assertion, which is a distinct and critical integrity control.

How to eliminate wrong answers

Option A is wrong because the NameID format (e.g., 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress') is syntactically correct and commonly used; there is no indication of an incorrect format in the exhibit. Option C is wrong because the validity window (NotBefore and NotOnOrAfter) appears reasonable (e.g., a 5-minute window) and is not inherently insecure; a short window actually reduces risk, not introduces it. Option D is wrong because the subject confirmation method (e.g., 'bearer') is standard for Web SSO and is not inherently insecure; the issue is the lack of signing, not the confirmation method itself.
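The following is an added example, not part of the question bank, that performs the structural check this question is about: does the Assertion (or the Response enclosing it) carry an XML Signature at all? The SAML documents are constructed and trimmed to the elements the check needs, and the SignatureValue is a base64 placeholder rather than a real signature. This is a pre-check only: a service provider must still verify the XML signature cryptographically against the IdP certificate from metadata and confirm that the signed element is the very Assertion it consumes. The Reference-URI check at the end catches the common signature-wrapping shape, where a validly signed assertion is placed next to an unsigned forged one and the verifier checks one while the application reads the other. All names are this example's own.

```python
"""Structural lint for signatures on a SAML 2.0 Response and its Assertions."""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def build_response(assertion_signature: str = "") -> str:
    """Constructed samlp:Response with one bearer assertion and an optional ds:Signature inside it."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example/acs">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example/metadata</saml:Issuer>{assertion_signature}
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:58:00Z" NotOnOrAfter="2024-05-01T12:03:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def signature_block(reference_uri: str) -> str:
    """Minimal enveloped-signature skeleton; 'cGxhY2Vob2xkZXI=' is base64('placeholder'), not a real signature."""
    return (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="{reference_uri}"/></ds:SignedInfo>'
            '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>')


UNSIGNED = build_response()                               # the situation in the question
SIGNED = build_response(signature_block("#_a1"))          # signature references the assertion it sits in
MISMATCHED = build_response(signature_block("#_a0"))      # signature present but references another ID


def signature_status(response_xml: str) -> Dict[str, object]:
    """Where the signatures are: on the Response, on each Assertion, and whether integrity is covered at all."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    response_signed = root.find("ds:Signature", NS) is not None
    assertions = root.findall("saml:Assertion", NS)
    assertions_signed = [a.find("ds:Signature", NS) is not None for a in assertions]
    return {
        "response_signed": response_signed,
        "assertion_count": len(assertions),
        "assertions_signed": assertions_signed,
        "integrity_protected": response_signed or (bool(assertions_signed) and all(assertions_signed)),
    }


def findings(response_xml: str) -> List[str]:
    """Human-readable problems; an empty list means the structural checks passed."""
    status = signature_status(response_xml)
    out: List[str] = []
    if status["assertion_count"] == 0:
        out.append("Response contains no Assertion")
    if not status["integrity_protected"]:
        out.append("neither the Response nor every Assertion is signed: assertion content is unauthenticated")
    root = ET.fromstring(response_xml)
    for assertion in root.findall("saml:Assertion", NS):
        sig = assertion.find("ds:Signature", NS)
        if sig is None:
            continue
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI") if ref is not None else None
        expected = "#" + assertion.get("ID", "")
        if uri != expected:
            out.append(f"Assertion {assertion.get('ID')}: Signature Reference URI {uri!r} does not point at {expected!r}")
    return out


if __name__ == "__main__":
    for label, doc in (("unsigned", UNSIGNED), ("signed", SIGNED), ("mismatched", MISMATCHED)):
        print(label, signature_status(doc)["integrity_protected"], findings(doc))
```

Run this before, not instead of, signature verification: a present and well-formed `ds:Signature` proves nothing until the SignedInfo digest and SignatureValue have been checked against the IdP's certificate, and the validity window (`NotBefore`/`NotOnOrAfter`), `Destination`, `Audience` and `InResponseTo` still need their own checks afterwards.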
