Certified Information Systems Security Professional CISSP (CISSP) — Questions 901–975

990 questions total · 14 pages · All types, answers revealed

Page 13 of 14

901 · Multi-Select · hard

A company is selecting a disaster recovery strategy for a mission-critical application. Which TWO of the following strategies provide the shortest recovery time objective (RTO)?

Select 2 answers
A. Hot site
B. Reciprocal agreement
C. Warm site
D. Cloud DR with pre-configured instances
E. Cold site
Answers: A, D

Hot sites are fully operational and can be activated quickly.

Why this answer

A hot site is a fully configured, operational data center with all hardware, software, and live data replication, enabling near-instantaneous failover. This provides the shortest RTO, often measured in minutes or seconds, because no setup or configuration is required after a disaster is declared.

Exam trap

The trap here is that candidates may confuse 'warm site' with 'hot site' because both have pre-installed hardware, but warm sites lack current data and require manual restoration, leading to a longer RTO than a hot site.

902 · MCQ · hard

A large hospital uses a wireless LAN (WLAN) for mobile medical devices and staff tablets. Recently, nurses reported intermittent connectivity drops and high retransmission rates specifically in the east wing near the elevator banks. The WLAN is based on 802.11ac in the 5 GHz band. The hospital's IT team has already checked for channel overlap, and the APs are configured to use non-overlapping channels with automatic channel selection. Signal strength in the area is adequate (-65 dBm). However, the retransmission rate spikes during peak hours. Which approach should the network team take FIRST to diagnose and resolve the issue?

A. Conduct a spectrum analysis to identify sources of interference and reposition APs away from the elevator shafts.
B. Enable frequency hopping on the APs to avoid interference.
C. Increase the transmit power of the APs in the east wing to improve signal-to-noise ratio.
D. Deploy additional APs in the elevator area to provide more capacity and redundancy.
Answer: A

Spectrum analysis reveals non-Wi-Fi interference (e.g., from elevator motors) and guides AP placement to minimize its impact.

Why this answer

The symptoms—intermittent connectivity drops and high retransmission rates near elevator banks during peak hours—strongly suggest external RF interference, likely from the elevator motors or other electrical equipment. A spectrum analysis is the correct first step because it can identify non-Wi-Fi interference sources (e.g., microwave ovens, motors, or radar) that cause packet corruption and retransmissions, even when signal strength is adequate and channels are non-overlapping. Repositioning APs away from the elevator shafts after identifying the interference source directly mitigates the physical cause.

Exam trap

The trap here is that candidates often assume retransmissions are caused by congestion or weak signal and jump to adding APs or increasing power, but the specific location (elevator banks) and intermittent nature point to external interference, which requires spectrum analysis first.

How to eliminate wrong answers

Option B is wrong because frequency hopping is not supported in 802.11ac (which uses OFDM with fixed channels); it is a legacy technique from Bluetooth or older 802.11 FHSS standards and would not resolve interference from continuous sources like elevator motors. Option C is wrong because increasing transmit power would only amplify the signal but also potentially amplify the interference or cause co-channel interference with other APs, and the issue is not weak signal (-65 dBm is adequate) but corrupted packets due to interference. Option D is wrong because deploying additional APs in the elevator area would add capacity but not address the root cause of interference; more APs could even worsen retransmissions if they contend for the same medium or pick up the same interference.

903 · MCQ · medium

A security team is reviewing a newly acquired third-party software component. They want to ensure that the component's supply chain is secure and that known vulnerabilities are identified. Which of the following tools provides a list of all open-source and third-party components used in the software?

A. Vulnerability scanner
B. Static Application Security Testing (SAST)
C. Dynamic Application Security Testing (DAST)
D. Software Bill of Materials (SBOM)
Answer: D

SBOM lists components and dependencies.

Why this answer

A Software Bill of Materials (SBOM) is a formal record containing the details and supply chain relationships of components used in building software.

904 · MCQ · hard

During a security audit, it is discovered that a network firewall is allowing traffic based on source IP address only, without inspecting application-layer data. Which type of firewall is this?

A. Packet filter
B. Circuit-level gateway
C. Application gateway
D. Stateful inspection
Answer: A

Packet filters examine only packet headers.

Why this answer

A packet filter firewall operates at Layer 3 (Network) and Layer 4 (Transport) of the OSI model, making decisions solely based on source and destination IP addresses, ports, and protocols. It does not inspect application-layer data (Layer 7), which matches the scenario where traffic is allowed based on source IP address only. This is the simplest and fastest type of firewall, but it lacks the ability to block attacks embedded in application payloads.

Exam trap

The trap here is that candidates often confuse 'stateful inspection' with 'packet filtering' because both examine IP addresses, but stateful inspection also tracks connection state, whereas the question explicitly states no application-layer inspection and only source IP filtering.

How to eliminate wrong answers

Option B is wrong because a circuit-level gateway operates at Layer 5 (Session layer) and validates TCP handshakes and session establishment (e.g., SOCKS proxy), not just source IP addresses. Option C is wrong because an application gateway (application-layer proxy) inspects application-layer data (Layer 7) such as HTTP headers or FTP commands, which contradicts the scenario of no application-layer inspection. Option D is wrong because stateful inspection tracks the state of active connections (e.g., TCP sequence numbers) and makes decisions based on both packet headers and connection state, not just source IP addresses.

905 · MCQ · easy

A software development team is adopting secure coding practices. They decide to implement input validation for all user-supplied data. Which approach is recommended as the most effective for preventing injection attacks?

A. Encoding input before processing
B. Using regular expressions to sanitize input
C. Blacklist validation to block known malicious patterns
D. Whitelist validation to allow only known good patterns
Answer: D

Whitelisting ensures only expected input is accepted.

Why this answer

Whitelist (allowlist) validation defines acceptable input patterns and rejects everything else, which is more effective than trying to block malicious patterns.

906 · MCQ · hard

During a penetration test, the tester successfully gains access to a server and then attempts to move laterally to other systems. This phase is known as:

A. Scanning and enumeration
B. Exploitation
C. Reconnaissance
D. Post-exploitation and lateral movement
Answer: D

This phase involves moving from the compromised system to others.

Why this answer

After initial access is gained, the phase where the tester moves from the compromised host to other systems within the network is specifically called post-exploitation and lateral movement. This involves using the foothold to pivot, escalate privileges, and access additional resources, which is distinct from the initial exploitation step.

Exam trap

The trap here is that candidates confuse 'exploitation' (the initial breach) with the broader post-exploitation phase, forgetting that lateral movement is a distinct activity that occurs after the initial foothold is established.

How to eliminate wrong answers

Option A is wrong because scanning and enumeration occur before exploitation to identify open ports, services, and potential vulnerabilities, not after gaining access. Option B is wrong because exploitation is the act of leveraging a vulnerability to gain initial access, not the subsequent movement to other systems. Option C is wrong because reconnaissance is the initial information-gathering phase (passive or active) performed before any access is obtained, such as DNS lookups or network mapping.

907 · MCQ · hard

A large healthcare organization is subject to both HIPAA and GDPR. They are creating a data retention policy for electronic protected health information (ePHI) concerning European patients. HIPAA requires retention for 6 years from creation or last effective date, while GDPR requires that personal data not be kept longer than necessary for the purpose, with a general guideline of retaining for the duration of the relationship plus a reasonable period. The organization wants to minimize storage costs while ensuring compliance. Which approach should they take?

A. Retain data for the longer of the two regulatory requirements (HIPAA 6 years)
B. Implement a tiered retention policy based on data classification
C. Retain all data indefinitely
D. Retain data for the shorter requirement (GDPR-defined necessity period)
Answer: B

Allows different retention periods for different data types, ensuring compliance with both regulations while minimizing costs.

Why this answer

Option B is correct because a tiered retention policy based on data classification allows the organization to apply different retention periods to different categories of ePHI, satisfying both HIPAA's 6-year minimum for medical records and GDPR's principle of storage limitation. This approach minimizes storage costs by deleting data that is no longer necessary for the original purpose (e.g., billing records after the statutory period) while retaining data that must be kept longer (e.g., patient treatment records). It avoids the all-or-nothing trap of picking a single regulatory timeline, which would either violate GDPR (if retaining too long) or HIPAA (if deleting too soon).

Exam trap

The trap here is that candidates assume they must choose a single retention period (the longer or shorter) to satisfy both regulations, rather than recognizing that a tiered classification approach is the only way to meet conflicting requirements simultaneously.

How to eliminate wrong answers

Option A is wrong because retaining all ePHI for the longer HIPAA 6-year period without considering data classification violates GDPR's Article 5(1)(e) storage limitation principle, which mandates that personal data be kept no longer than necessary for the purpose, and could result in fines for excessive retention. Option C is wrong because retaining all data indefinitely directly contradicts GDPR's right to erasure (Article 17) and storage limitation, and also increases storage costs and security risks unnecessarily. Option D is wrong because retaining data for only the GDPR-defined necessity period (which may be shorter than 6 years) would violate HIPAA's 45 CFR 164.316(b)(2)(i) requirement to retain ePHI for at least 6 years from creation or last effective date, leading to non-compliance and potential penalties.

908 · MCQ · hard

In a PKI hierarchy, a relying party needs to verify a certificate's validity. To reduce latency and improve privacy, which mechanism allows the relying party to obtain the revocation status without contacting the CA directly for each verification?

A. Certificate Transparency (CT) logs
B. Certificate pinning
C. Certificate Revocation List (CRL)
D. OCSP stapling
Answer: D

Correct. OCSP stapling lets the server attach a signed OCSP response during the TLS handshake, improving performance and privacy.

Why this answer

OCSP stapling allows the server to provide a time-stamped OCSP response from the CA, reducing the client's need to contact the CA directly.

909 · Multi-Select · medium

A security analyst is examining a memory dump from a compromised workstation. Which TWO tools are commonly used for memory forensics?

Select 2 answers
A. Wireshark
B. EnCase
C. Volatility
D. Rekall
E. FTK Imager
Answers: C, D

Volatility is a leading memory forensics tool.

Why this answer

Volatility (C) is a leading open-source memory forensics framework that analyzes RAM dumps to extract running processes, network connections, and kernel objects. It supports multiple operating systems and profiles, making it essential for incident response and malware analysis.

Exam trap

The trap here is that candidates confuse network forensics tools (Wireshark) or disk imaging tools (EnCase, FTK Imager) with memory-specific analysis tools, forgetting that RAM analysis requires specialized frameworks like Volatility or Rekall.

910 · MCQ · medium

Under the GDPR, what is the maximum time frame for notifying the supervisory authority of a personal data breach?

A. 72 hours
B. 7 days
C. 24 hours
D. 48 hours
Answer: A

Correct. The GDPR mandates notification within 72 hours.

Why this answer

Article 33 of the GDPR requires notification within 72 hours of becoming aware of the breach.

911 · MCQ · hard

A company deploys DNSSEC to protect its DNS infrastructure. Which cryptographic operation does DNSSEC primarily use to ensure the authenticity and integrity of DNS data?

A. Hashing of DNS responses without keys
B. Digital signatures of DNS records
C. Transport Layer Security for DNS
D. Symmetric encryption of DNS queries
Answer: B

DNSSEC adds RRSIG records that are digital signatures over DNS data.

Why this answer

DNSSEC primarily uses digital signatures to ensure the authenticity and integrity of DNS data. Each DNS zone is signed with a private key, and resolvers verify the signatures using the corresponding public key, which is published as a DNSKEY record. This process allows the resolver to cryptographically confirm that the data has not been modified in transit and originates from the authoritative source.

Exam trap

The trap here is confusing DNSSEC's use of digital signatures for data origin authentication with encryption or transport-layer security, leading candidates to incorrectly select TLS or symmetric encryption options.

How to eliminate wrong answers

Option A is wrong because hashing without keys provides integrity but not authenticity; an attacker can modify both the data and the hash, so DNSSEC requires asymmetric cryptography (digital signatures) to bind the hash to the signer. Option C is wrong because DNSSEC operates at the DNS protocol layer using resource records (RRSIG, DNSKEY, DS) and does not rely on Transport Layer Security (TLS); TLS secures the transport channel (e.g., DNS over TLS), not the DNS data itself. Option D is wrong because DNSSEC uses asymmetric cryptography (public/private key pairs) for signing, not symmetric encryption; symmetric encryption would require shared secrets and does not provide non-repudiation or scalable key distribution for DNS.

912 · MCQ · medium

A security manager is conducting a risk assessment for a new cloud application. The manager needs to estimate the potential financial loss from a data breach. Which approach should be used?

A. Scenario-based risk analysis with ordinal scales
B. Qualitative risk analysis using high/medium/low ratings
C. Benchmarking against industry standards
D. Quantitative risk analysis using annualized loss expectancy (ALE)
Answer: D

Quantitative analysis calculates ALE from SLE and ARO, providing monetary estimates.

Why this answer

Option D is correct because quantitative risk analysis using Annualized Loss Expectancy (ALE) provides a specific monetary estimate of potential financial loss, which is exactly what the security manager needs for a data breach scenario. ALE is calculated as Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO), enabling data-driven budgeting and cost-benefit analysis for cloud application security controls.

Exam trap

The trap here is that candidates often confuse qualitative methods (which are faster but yield ordinal rankings) with quantitative methods (which require numerical data but produce the monetary loss estimate explicitly requested in the question).

How to eliminate wrong answers

Option A is wrong because scenario-based risk analysis with ordinal scales (e.g., 1-5) produces relative rankings, not a financial loss estimate in dollars, and ordinal scales lack the mathematical precision needed for monetary calculations. Option B is wrong because qualitative risk analysis using high/medium/low ratings yields subjective categories rather than a specific dollar amount, making it unsuitable for estimating exact financial loss. Option C is wrong because benchmarking against industry standards provides comparative metrics (e.g., average breach cost per record) but does not incorporate the organization's specific asset values, threat frequencies, or control effectiveness required to estimate the potential financial loss for this particular cloud application.

913 · MCQ · medium

A company wants to implement 802.1X authentication on their wired network. Which components are required?

A. Supplicant and authenticator
B. Authenticator and authentication server
C. Supplicant, authenticator, and authentication server
D. Supplicant and authentication server
Answer: C

All three components are required for 802.1X.

Why this answer

802.1X requires three distinct roles to function: the supplicant (client software requesting access), the authenticator (network device like a switch that enforces port-based access control), and the authentication server (typically a RADIUS server that validates credentials). Without all three, the EAP (Extensible Authentication Protocol) exchange cannot complete, as the authenticator acts as a proxy between the supplicant and the authentication server. Option C is correct because it lists all three mandatory components.

Exam trap

The trap here is that candidates often assume the authenticator (switch) performs the actual authentication, leading them to pick Option B, but in 802.1X the authenticator only controls port state and relays messages—it never validates credentials itself.

How to eliminate wrong answers

Option A is wrong because omitting the authentication server leaves no entity to validate the supplicant's credentials; the authenticator alone cannot perform authentication. Option B is wrong because it omits the supplicant, which is the endpoint that initiates the authentication request and provides credentials; without a supplicant, there is no client to authenticate. Option D is wrong because it omits the authenticator, which is the network device (e.g., switch) that blocks or allows traffic on the port based on the authentication result and relays EAP frames between the supplicant and the authentication server.

914 · MCQ · hard

A company is considering outsourcing its customer support operations to a third-party vendor. Which of the following should be the PRIMARY risk management activity before finalizing the contract?

A. Conduct a thorough vendor risk assessment including security audits.
B. Negotiate a lower price to offset potential security investments.
C. Purchase cyber liability insurance to cover potential breaches.
D. Require the vendor to sign a non-disclosure agreement (NDA).
Answer: A

Correct - due diligence identifies risks before commitment.

Why this answer

Before outsourcing critical operations, the primary risk management activity is to conduct a thorough vendor risk assessment, including security audits. This evaluates the vendor's security posture, compliance with standards (e.g., ISO 27001), and ability to protect sensitive customer data, directly addressing risks like data breaches or service disruptions before contractual obligations are locked in.

Exam trap

ISC2 often tests the misconception that risk transfer (insurance) or legal agreements (NDAs) are primary risk management activities, when in fact proactive assessment and due diligence must occur first to identify and treat risks before any contractual commitment.

How to eliminate wrong answers

Option B is wrong because negotiating a lower price does not mitigate security risks; it may even incentivize the vendor to cut corners on security controls, increasing exposure. Option C is wrong because purchasing cyber liability insurance transfers financial risk after a breach but does not prevent or reduce the likelihood of a security incident, making it a secondary, not primary, activity. Option D is wrong because requiring an NDA only addresses confidentiality of shared information but fails to assess the vendor's actual security capabilities, processes, or vulnerabilities, leaving critical risks unexamined.

915 · Multi-Select · medium

An organization is planning to acquire a new SaaS application for customer relationship management. Which THREE of the following should be included in the vendor security assessment?

Select 3 answers
A. Checking license compliance for open source components
B. Reviewing the vendor's security certifications (e.g., SOC 2, ISO 27001)
C. Requesting a Software Bill of Materials (SBOM)
D. Assessing the vendor's incident response process
E. Requiring employee security training records
Answers: B, C, D

Provides assurance of security controls.

Why this answer

Reviewing the vendor's security certifications (e.g., SOC 2), assessing their incident response process, and requesting a Software Bill of Materials (SBOM) are key steps. License compliance is important but is not directly a security matter, and employee training is internal to the vendor and less critical than the other three.

916 · MCQ · medium

A company is preparing for an external audit to comply with PCI DSS. Which type of auditor is typically required to perform this assessment?

A. System administrator
B. Internal auditor
C. Certified Public Accountant (CPA)
D. Qualified Security Assessor (QSA)
Answer: D

A QSA is an external auditor qualified to assess PCI DSS compliance.

Why this answer

PCI DSS requires assessments to be conducted by a Qualified Security Assessor (QSA) because QSAs are certified by the PCI Security Standards Council to validate compliance with the standard's technical and procedural controls. Unlike internal or general external auditors, QSAs have specific training in PCI DSS requirements, including network segmentation, encryption protocols (e.g., TLS 1.2+), and logging mechanisms (e.g., audit trails per Requirement 10).

Exam trap

The trap here is that candidates confuse 'external auditor' with any certified accountant or general IT auditor, overlooking that PCI DSS mandates a specifically certified QSA for compliance validation, not just any third-party assessor.

How to eliminate wrong answers

Option A is wrong because a system administrator lacks the independent, certified authority required for PCI DSS compliance validation and would create a conflict of interest by assessing their own systems. Option B is wrong because internal auditors, while independent within the organization, are not recognized by the PCI Security Standards Council to issue a formal Report on Compliance (ROC) for Level 1 merchants or service providers. Option C is wrong because a Certified Public Accountant (CPA) may perform financial audits but does not hold the specialized PCI DSS technical expertise (e.g., firewall rule reviews, vulnerability scanning per ASV standards) required for a QSA assessment.

917 · MCQ · hard

A security team is evaluating the results of a penetration test. The test revealed that a low-privileged user could escalate privileges to domain administrator. This is a critical finding. Which of the following should be the immediate next step?

A. Conduct a full incident response
B. Re-image all affected systems
C. Terminate the user's account
D. Implement patch management for the exploited vulnerability
Answer: D

Patching the vulnerability eliminates the attack vector.

Why this answer

Option D is correct because the immediate priority after discovering a privilege escalation vulnerability is to remediate the root cause—typically a missing patch or misconfiguration—to prevent further exploitation. In a penetration test context, the finding indicates a technical flaw (e.g., a missing security update for CVE-2021-42287 or a misconfigured Active Directory ACL) that must be patched or hardened first. Full incident response (A) is premature without evidence of active compromise, and re-imaging (B) or account termination (C) are reactive measures that do not address the underlying vulnerability.

Exam trap

The trap here is that candidates confuse a penetration test finding (a vulnerability) with an active security incident, leading them to choose incident response (A) instead of the correct remediation step (D), which is to patch the exploited vulnerability first.

How to eliminate wrong answers

Option A is wrong because conducting a full incident response assumes a confirmed breach or ongoing malicious activity, but a penetration test finding alone does not indicate active exploitation—it identifies a vulnerability that should be remediated first. Option B is wrong because re-imaging all affected systems is a drastic, resource-intensive step that does not fix the root cause (e.g., an unpatched domain controller or misconfigured Group Policy); the vulnerability would persist if the same image or configuration is reapplied. Option C is wrong because terminating the user's account only removes one low-privileged account but does not prevent another user or attacker from exploiting the same privilege escalation path (e.g., a Kerberos delegation flaw or SeBackupPrivilege abuse).

918 · MCQ · medium

A security team is performing a quantitative risk analysis for a server valued at $100,000. The exposure factor is 0.4 and the annual rate of occurrence is 2. What is the annualized loss expectancy (ALE)?

A. $40,000
B. $200,000
C. $160,000
D. $80,000
Answer: D

Correct calculation: ALE = SLE × ARO = ($100,000 × 0.4) × 2 = $80,000.

Why this answer

SLE = AV × EF = $100,000 × 0.4 = $40,000. ALE = SLE × ARO = $40,000 × 2 = $80,000.

919 · Multi-Select · hard

A company is deploying a VPN solution for remote employees using SSL/TLS VPN. Which TWO security considerations are important when implementing this type of VPN? (Select two.)

Select 2 answers
A. Use IPsec in transport mode for better performance
B. Implement strong authentication mechanisms such as multi-factor authentication
C. Ensure the SSL VPN gateway is patched and hardened against web application attacks
D. Use pre-shared keys for authentication
E. Disable encryption to improve speed
Answers: B, C

Strong authentication is critical to prevent unauthorized access via the VPN portal.

Why this answer

SSL/TLS VPNs operate at the application layer and are exposed to the internet, making them vulnerable to web-based attacks such as SQL injection and cross-site scripting. Strong authentication, including multi-factor authentication (MFA), is critical to prevent unauthorized access even if credentials are compromised. Patching and hardening the SSL VPN gateway against web application attacks is equally important to mitigate vulnerabilities in the underlying web server or VPN appliance.

Exam trap

The trap here is that candidates confuse SSL/TLS VPNs with IPsec VPNs, leading them to select IPsec-specific options like transport mode or pre-shared keys, when the question explicitly focuses on SSL/TLS VPN security considerations.

920 · MCQ · hard

A SOC analyst receives an alert for a suspicious outbound connection from a server in the DMZ to an external IP on port 443. The server is a web application server that should only communicate internally. The analyst checks the process and finds it is 'svchost.exe' running from a non-standard path. What is the most appropriate immediate action?

A. Isolate the server from the network
B. Initiate a full incident response investigation
C. Disregard the alert because svchost.exe is a legitimate Windows process
D. Terminate the suspicious process
Answer: A

Isolation stops the malicious outbound connection and prevents further damage, allowing for later forensic analysis.

Why this answer

Option A is correct because isolating the server immediately contains the threat, preventing potential data exfiltration or lateral movement from a compromised host. The suspicious outbound connection from a DMZ server to an external IP on port 443 (HTTPS) combined with 'svchost.exe' running from a non-standard path strongly indicates malware masquerading as a legitimate Windows process. In security operations, containment is the priority before investigation to minimize damage.

Exam trap

The trap here is that candidates may think terminating the process (Option D) is sufficient, but the CISSP emphasizes containment over eradication to prevent further compromise, and they may also mistakenly trust svchost.exe as always legitimate without verifying its path.

How to eliminate wrong answers

Option B is wrong because initiating a full incident response investigation without first containing the threat could allow the attacker to continue exfiltrating data or move laterally while the investigation proceeds; containment must come first. Option C is wrong because while svchost.exe is a legitimate Windows process, it should only run from C:\Windows\System32 or C:\Windows\SysWOW64, and a non-standard path is a classic indicator of malware impersonation; disregarding the alert would be negligent. Option D is wrong because terminating the suspicious process alone does not prevent the malware from restarting or other persistence mechanisms from activating, and it does not address the network-level threat; isolation is more comprehensive.

921 · Multi-Select · medium

In the context of identity management, which TWO of the following are risks associated with orphaned accounts? (Choose two.)

Select 2 answers
A. Compliance violations
B. Reduced system performance
C. Unauthorized access by former employees
D. Enhanced audit logging
E. Increased help desk calls
Answers: A, C

Regulations require proper account management.

Why this answer

Orphaned accounts can be used by former employees or attackers, and may violate compliance.

922 · MCQ · easy

A health records system requires that doctors can write new records but cannot modify existing ones, and integrity is maintained through separation of duties. Which security model best fits this requirement?

A. Brewer-Nash
B. Biba
C. Clark-Wilson
D. Bell-LaPadula
Answer: C

Clark-Wilson enforces transformation procedures and separation of duties to maintain integrity.

Why this answer

The Clark-Wilson model enforces integrity through well-formed transactions and separation of duties, which directly matches the requirement that doctors can write new records but cannot modify existing ones. It uses constrained data items (CDIs), transformation procedures (TPs), and integrity verification procedures (IVPs) to ensure that only authorized users can perform specific operations, preventing unauthorized modifications.

Exam trap

The trap here is that candidates often pick the Biba model because it is an integrity model, but Biba only restricts data flow between integrity levels; it does not provide the separation of duties and well-formed transaction constraints that Clark-Wilson provides for this scenario.

How to eliminate wrong answers

Option A is wrong because the Brewer-Nash model (also known as the Chinese Wall model) is designed to prevent conflicts of interest by controlling access to datasets based on previously accessed data, not for enforcing write-once or separation of duties for integrity. Option B is wrong because the Biba model focuses on preventing data flow from lower integrity levels to higher integrity levels (no write up, no read down), but it does not inherently enforce separation of duties or the specific constraint that new records can be written but existing ones cannot be modified. Option D is wrong because the Bell-LaPadula model enforces confidentiality through no read up and no write down, and it does not address integrity constraints like preventing modification of existing records or separation of duties.

923
MCQeasy

Which type of firewall operates at Layer 7 and can inspect application payloads, such as blocking specific SQL commands or HTTP methods?

A.Stateful inspection
B.Application proxy
C.Packet filter
D.Circuit-level gateway
AnswerB

Application proxies terminate the connection and re-establish it, inspecting the application data.

Why this answer

An application proxy firewall (also known as an application-level gateway) operates at Layer 7 (Application Layer) of the OSI model. It can inspect the full application payload, allowing it to block specific SQL commands, HTTP methods (e.g., PUT, DELETE), or other application-layer content by terminating the connection and re-establishing it after deep inspection.

Exam trap

The trap here is that candidates often confuse 'stateful inspection' (Layer 4) with application-layer inspection, assuming stateful firewalls can inspect payloads, but they only track session state, not application content.

How to eliminate wrong answers

Option A is wrong because a stateful inspection firewall operates at Layers 3 and 4, tracking connection state (SYN, ACK) but not inspecting application payloads. Option C is wrong because a packet filter firewall works at Layers 3 and 4, filtering based on source/destination IPs, ports, and protocols, without any payload inspection. Option D is wrong because a circuit-level gateway operates at Layer 5 (Session Layer), validating TCP handshakes and session establishment (e.g., SOCKS proxy) but does not examine application data.

924
MCQeasy

Refer to the exhibit. The syslog-ng configuration is used to forward logs to a central server. What type of logs are being forwarded?

A.Authentication logs
B.Kernel logs
C.Daemon process logs
D.Security event logs
AnswerA

auth and authpriv are authentication-related.

Why this answer

The syslog-ng configuration shown uses the `auth` facility, which corresponds to authentication-related messages (e.g., login attempts, sudo usage, user authentication). The `auth` facility is specifically designated for security and authorization events, making option A correct.

Exam trap

The trap here is that candidates may confuse `auth` with generic 'security event logs' (option D), but syslog-ng uses specific facility names, and 'security' is not a valid facility; the correct facility for authentication/security is `auth` or `authpriv`.

How to eliminate wrong answers

Option B is wrong because kernel logs use the `kern` facility, not `auth`. Option C is wrong because daemon process logs use the `daemon` facility, not `auth`. Option D is wrong because while `auth` logs are security-related, the term 'security event logs' is ambiguous and not a standard syslog facility; the correct facility for security events is `auth` or `authpriv`.

925
MCQhard

A security engineer is troubleshooting an authentication failure for a Windows domain user. The user receives 'Access denied' when trying to access a file server. The Kerberos ticket-granting ticket was successfully obtained. What is the most likely issue?

A.The file server is not trusted for delegation
B.The user does not have permission to the file server resource
C.The user account is locked out
D.Time skew between client and domain controller
AnswerB

After getting a service ticket, the file server checks ACLs; if denied, it returns 'Access denied'.

Why this answer

Since the Kerberos ticket-granting ticket (TGT) was successfully obtained, the user has authenticated to the domain and the Kerberos authentication process is functioning correctly. The 'Access denied' error at the file server indicates that the user lacks the necessary permissions on the specific resource (share or NTFS), which is a separate authorization step after successful authentication.

Exam trap

The trap here is that candidates confuse authentication (Kerberos TGT success) with authorization (resource permissions), assuming a successful TGT implies full access, when in fact Kerberos only proves identity and does not grant resource-level rights.

How to eliminate wrong answers

Option A is wrong because 'trusted for delegation' is a Kerberos extension used for service impersonation (e.g., when a service needs to act on behalf of a user to access another resource), not for basic file server access; a file server does not need to be trusted for delegation to grant or deny resource permissions. Option C is wrong because if the user account were locked out, the TGT request would fail with a specific Kerberos error (e.g., KDC_ERR_CLIENT_REVOKED), and the user would not have obtained a TGT. Option D is wrong because time skew between client and domain controller would prevent TGT acquisition entirely (Kerberos requires clock synchronization within 5 minutes by default, per RFC 4120), so a successful TGT proves time is synchronized.

926
MCQeasy

What is the PRIMARY purpose of a chain of custody in digital forensics?

A.To document the tools used during investigation
B.To identify the perpetrator of a cybercrime
C.To speed up the forensic analysis process
D.To maintain evidence integrity and admissibility in court
AnswerD

Chain of custody proves evidence has not been tampered with.

Why this answer

Chain of custody ensures evidence integrity through documentation of handling.

927
Multi-Selecteasy

Which TWO of the following are types of access control models?

Select 2 answers
A.Discretionary Access Control (DAC)
B.SAML
C.Kerberos
D.Role-Based Access Control (RBAC)
E.LDAP
AnswersA, D

DAC and RBAC are both access control models.

Why this answer

Discretionary Access Control (DAC) is an access control model where the owner of a resource (e.g., a file or object) has the authority to grant or deny access to other subjects. This is typically implemented using Access Control Lists (ACLs) on objects, allowing the owner to set permissions (e.g., read, write, execute) for specific users or groups. DAC is defined in the Trusted Computer System Evaluation Criteria (TCSEC) as a fundamental model for controlling access based on the identity of subjects and/or the groups to which they belong.

Exam trap

The trap here is that candidates confuse authentication and authorization protocols (SAML, Kerberos, LDAP) with access control models, which are abstract frameworks for defining how access decisions are made, not the mechanisms that implement them.

928
MCQmedium

An organization is required to report a personal data breach to the supervisory authority within 72 hours. Which regulation imposes this requirement?

A.GDPR
B.PCI DSS
C.SOX
D.HIPAA
AnswerA

GDPR requires notification within 72 hours.

Why this answer

GDPR Article 33 requires data controllers to notify the supervisory authority within 72 hours of becoming aware of a personal data breach.

929
MCQmedium

A web application exposes an API that allows users to fetch data from internal network resources based on a URL parameter. An attacker discovers they can use this API to access internal servers that are not meant to be public. Which vulnerability is being exploited?

A.Insecure direct object reference (IDOR)
B.Remote code execution (RCE)
C.Cross-site request forgery (CSRF)
D.Server-side request forgery (SSRF)
AnswerD

SSRF exploits the server's ability to make requests to internal systems.

Why this answer

SSRF allows an attacker to induce the server to make requests to internal or external resources, bypassing firewalls and access controls.

930
MCQeasy

A company's data classification policy labels information as 'Internal Use Only' and 'Confidential.' An employee emails a 'Confidential' document to an external partner without authorization. Which type of data security objective has been violated?

A.Non-repudiation
B.Confidentiality
C.Availability
D.Integrity
AnswerB

Unauthorized disclosure violates confidentiality.

Why this answer

Confidentiality ensures that data is not disclosed to unauthorized parties. Option D is wrong because integrity is about accuracy, not disclosure. Option C is wrong because availability is about access when needed. Option A is wrong because non-repudiation is about proof of origin.

931
MCQmedium

Refer to the exhibit. A security analyst reviews this IDS alert. What is the most likely reason for this alert?

A.The IDS signature is misconfigured and generating false positives.
B.The internal server is attempting to connect to an external IP on port 1433.
C.The internal server is running a vulnerable version of SQL Server.
D.An external host is scanning the internal network for open SQL Server ports.
AnswerD

The alert shows an inbound connection to port 1433, which is a common SQL Server port. This is likely a reconnaissance attempt.

Why this answer

The alert shows an inbound connection from an external IP (203.0.113.50) to an internal server (10.0.0.5) on port 1433, which is the default port for Microsoft SQL Server. This is suspicious because SQL Server should not be accessible from the internet unless necessary. The alert indicates a potential reconnaissance attempt, i.e., an external host scanning for open SQL Server ports.

932
Multi-Selecthard

A security analyst is reviewing an organization's password policy. Which THREE of the following are considered best practices for password security according to current NIST guidelines? (Select three.)

Select 3 answers
A.Enforce password history of 10
B.Require password changes every 30 days
C.Allow password hints
D.Implement multi-factor authentication
E.Use a minimum password length of 8
AnswersA, D, E

Password history prevents reuse of recent passwords.

Why this answer

Option A is correct because NIST SP 800-63B recommends enforcing a password history to prevent users from reusing recent passwords, with a typical value of 10-24 previous passwords. This reduces the risk of password recycling attacks where compromised credentials are reused. Option D is correct because multi-factor authentication (MFA) is a core NIST recommendation to add an additional layer of security beyond passwords, mitigating credential theft.

Option E is correct because NIST now advises a minimum password length of 8 characters (or more) as a primary defense against brute-force attacks, rather than relying on complexity rules.

Exam trap

ISC2 often tests the outdated NIST recommendation of mandatory password changes every 30-90 days, which is now explicitly discouraged in current guidelines, causing candidates to select option B incorrectly.

933
MCQmedium

A company uses Docker containers for microservices. What is the most important security measure for container images?

A.Use minimal base images and scan them for vulnerabilities
B.Use the latest version of base image to ensure patches
C.Hardcode secrets into the image
D.Run containers as root for easier privilege management
AnswerA

Reduces attack surface and identifies known flaws.

Why this answer

Option A is correct because minimal base images reduce attack surface, and vulnerability scanning detects known issues. Option B is wrong because using 'latest' tags can cause inconsistent builds. Option C is wrong because hardcoding secrets is never recommended. Option D is wrong because running as root is insecure.

934
MCQeasy

An auditor finds that a system uses the same service account for multiple applications. Which risk does this pose?

A.Increased attack surface due to multiple passwords
B.Difficulty in auditing because all applications share one account
C.Inability to rotate passwords without affecting all applications
D.Single point of failure for authentication
AnswerC

Password rotation requires coordinating all dependent applications.

Why this answer

Option C is correct because when multiple applications share a single service account, rotating the password requires coordinated downtime or configuration changes across all dependent applications. This violates the principle of least privilege and creates operational complexity, as a password change for one application will break authentication for others until they are updated.

Exam trap

The trap here is that candidates confuse 'single point of failure' (a hardware or service failure) with 'shared credential dependency' (an operational risk), leading them to incorrectly select Option D.

How to eliminate wrong answers

Option A is wrong because using the same service account reduces the attack surface (fewer passwords to manage), not increases it; the risk is about credential sharing, not multiple passwords. Option B is wrong because auditing is actually easier with a single account (fewer logs to correlate), though it reduces granularity; the primary risk is operational, not audit difficulty. Option D is wrong because a single point of failure for authentication refers to a centralized authentication server (e.g., a single LDAP or Kerberos KDC) failing, not to a shared service account; the account itself is not an authentication mechanism.

935
MCQmedium

A developer is tasked with securely storing user passwords in a database. Which of the following is the most secure approach?

A.Do not store passwords; use federated identity
B.Hash the password with bcrypt using a unique salt per user
C.Encrypt the password using AES and store the ciphertext
D.Hash the password with MD5 and store the hash
AnswerB

Bcrypt is a slow, salted hashing algorithm specifically designed for passwords.

Why this answer

Bcrypt is a computationally expensive, adaptive hashing algorithm designed specifically for password storage. It incorporates a unique salt per user to prevent rainbow table attacks and its work factor can be increased over time to counter faster hardware, making it the most secure option among those listed.

Exam trap

The trap here is that candidates often confuse encryption with hashing, assuming that encrypting passwords with a strong algorithm like AES is equally secure, but they fail to recognize that encryption is reversible if the key is compromised, whereas hashing is a one-way function designed for password verification.

How to eliminate wrong answers

Option A is wrong because federated identity (e.g., SAML, OAuth) does not eliminate the need to store credentials; the relying party still must store a persistent identifier or token, and the identity provider itself must securely store passwords. Option C is wrong because encryption is a two-way function; if the encryption key is compromised (e.g., via server breach, key leakage), all stored passwords can be decrypted in plaintext, whereas hashing is one-way and prevents recovery of the original password. Option D is wrong because MD5 is a broken, fast hash with known collision vulnerabilities and no built-in salting mechanism, making it trivial to crack with modern GPU-based attacks and rainbow tables.

936
MCQmedium

An e-commerce company is preparing for a PCI DSS compliance assessment. The assessor needs to perform an external network vulnerability scan. The company has a public-facing web application that processes credit card payments. The scan must be conducted from an external IP address that is not whitelisted by the company's firewall. The security team is concerned that the scan might trigger intrusion detection alerts and cause operational disruptions. What is the BEST approach to handle this situation?

A.Whitelist the assessor's IP address in the firewall and intrusion detection system.
B.Use an authenticated scan with valid credentials provided by the company.
C.Perform the scan during off-peak hours and inform the security operations center.
D.Conduct a manual penetration test instead of an automated vulnerability scan.
AnswerC

This reduces disruption and maintains the required external scanning perspective.

Why this answer

Option C is correct because the PCI DSS requirement for an external network vulnerability scan mandates that the scan be conducted from an external IP address not whitelisted by the firewall to simulate a real attacker's perspective. Performing the scan during off-peak hours and informing the Security Operations Center (SOC) minimizes operational disruption and allows the SOC to correlate the scan traffic with known activity, reducing false-positive alerts. This approach balances compliance with operational stability without violating the scan's external-source requirement.

Exam trap

The trap here is that candidates mistakenly think whitelisting the assessor's IP (Option A) is acceptable for compliance, but PCI DSS explicitly forbids this to ensure the scan reflects a real attacker's view, and the question's wording 'not whitelisted' reinforces this constraint.

How to eliminate wrong answers

Option A is wrong because whitelisting the assessor's IP address in the firewall and IDS would violate the PCI DSS requirement that the scan must be conducted from an external IP not whitelisted, thereby invalidating the assessment's authenticity. Option B is wrong because authenticated scans are used for internal vulnerability assessments to test patch levels from an insider perspective, but PCI DSS external scans must be unauthenticated to simulate an unprivileged external attacker. Option D is wrong because a manual penetration test cannot replace the required automated external vulnerability scan; PCI DSS mandates automated scanning tools (e.g., ASV-approved scanners) to ensure consistent, repeatable coverage of all externally accessible IPs and services.

937
MCQeasy

A security architect is designing a physical security system for a data center. Which of the following is an example of a layered physical control at the perimeter?

A.Biometric access to server room
B.Locked server cabinets
C.CCTV in the lobby
D.Fencing around the property
AnswerD

Fencing is a perimeter security measure.

Why this answer

Fencing is a perimeter control that provides a physical barrier around the facility.

938
MCQmedium

A security analyst notices repeated failed login attempts from an internal IP address on the domain controller. After enabling account lockout, the lockouts continue but the source IP changes. What is the best next step?

A.Analyze the log events to identify the attack pattern and implement additional controls such as MFA
B.Increase the account lockout threshold
C.Ignore the event as it is likely a false positive
D.Disable the user account being targeted
AnswerA

Understanding the attack pattern allows for targeted controls like requiring MFA for the targeted account or blocking the attack vector.

Why this answer

Option A is correct because the changing source IP indicates a distributed attack, likely a password spraying or brute-force attempt from multiple compromised hosts. Analyzing log events helps identify the attack pattern (e.g., timing, targeted accounts, source IP ranges) so you can implement additional controls like MFA, which mitigates credential-based attacks regardless of source IP changes. Account lockout alone is insufficient when attackers rotate IPs, as lockout policies are per-account and per-source, not adaptive to distributed sources.

Exam trap

The trap here is that candidates assume account lockout is sufficient and focus on tweaking lockout thresholds (Option B), but the changing source IP reveals a distributed attack that requires a different control like MFA, not just adjusting lockout parameters.

How to eliminate wrong answers

Option B is wrong because increasing the lockout threshold would allow more failed attempts before lockout, making the attack more successful and increasing the risk of account compromise; it does not address the root cause of distributed IPs. Option C is wrong because repeated failed login attempts from changing IPs are a clear indicator of an active brute-force or password spraying attack, not a false positive; ignoring it could lead to unauthorized access. Option D is wrong because disabling the targeted user account is a reactive, temporary measure that does not stop the attacker from targeting other accounts or using different credentials; it also disrupts legitimate user access without addressing the underlying attack vector.

939
Multi-Selectmedium

Which THREE of the following are valid risk response strategies?

Select 3 answers
A.Transfer
B.Eliminate
C.Avoid
D.Mitigate
E.Ignore
AnswersA, C, D

Shifting risk to another party, e.g., insurance.

Why this answer

Common risk responses include Avoid, Transfer, Mitigate, and Accept.

940
MCQhard

You are the security architect for a global financial firm. The organization has recently deployed a new cloud-based application that requires low-latency connections between data centers in New York, London, and Tokyo. The existing WAN uses MPLS L3 VPNs with IPsec encryption. However, the application team reports excessive latency and packet loss during peak hours. The network team confirms that the MPLS links are underutilized, but the IPsec tunnels show high CPU usage on the edge routers. Additionally, the security policy mandates that all inter-data center traffic must be encrypted and authenticated. The firm has a budget for hardware upgrades but wants to minimize operational changes. Which of the following is the BEST course of action?

A.Reduce the IPsec encryption algorithm to AES-128 and the hash to SHA-1 to lower CPU usage.
B.Replace MPLS with dedicated point-to-point circuits and remove IPsec encryption.
C.Increase the MTU on the WAN interfaces to reduce packet fragmentation.
D.Upgrade the edge routers to models that support hardware-accelerated IPsec encryption.
AnswerD

Hardware offloading reduces CPU load and improves performance.

Why this answer

Option D is correct because the high CPU usage on edge routers is a classic symptom of software-based IPsec encryption overwhelming the router's CPU. Hardware-accelerated IPsec offloads the cryptographic operations to dedicated ASICs or crypto engines, reducing CPU load and eliminating the latency and packet loss caused by processing bottlenecks. This directly addresses the root cause without changing the security policy or requiring major operational changes.

Exam trap

The trap here is that candidates mistakenly think reducing encryption strength (Option A) will solve CPU issues, but the CISSP exam tests that hardware offload is the proper solution when CPU is the bottleneck, not the algorithm choice.

How to eliminate wrong answers

Option A is wrong because reducing encryption to AES-128 and hash to SHA-1 still leaves the processing burden on the CPU; the issue is not the algorithm strength but the lack of hardware offload, and SHA-1 is deprecated per NIST and RFC 6194, potentially violating security policy. Option B is wrong because removing IPsec encryption violates the mandatory security policy that all inter-data center traffic must be encrypted and authenticated, and dedicated circuits do not inherently provide encryption. Option C is wrong because increasing MTU does not address CPU exhaustion from IPsec encryption; fragmentation is not the reported issue, and larger MTUs can actually increase latency if packets are dropped and retransmitted.

941
Multi-Selectmedium

A security architect is evaluating physical security controls for a facility handling sensitive data. Which of the following are examples of layered physical security controls? (Choose THREE)

Select 3 answers
A.Perimeter fence
B.Server rack locks
C.Mantrap at the entrance to the secure area
D.Single-factor authentication for all doors
E.Unsecured windows on ground floor
AnswersA, B, C

Correct. Perimeter fence is an outer layer.

Why this answer

Layered security uses multiple barriers: perimeter (fence), external (lighting), building (locks), secure area (mantrap), and IT area (cage). Biometrics and guards are also layers.

942
MCQhard

An organization wants to provide just-in-time administrative access to servers, with session recording and password vaulting. Which solution is best suited?

A.Privileged Access Management (PAM)
B.Identity as a Service (IDaaS)
C.Single Sign-On (SSO)
D.Role-Based Access Control (RBAC)
AnswerA

PAM manages and monitors privileged accounts with features like just-in-time access.

Why this answer

Privileged Access Management (PAM) provides just-in-time access, session recording, password vaulting, and break-glass accounts.

943
MCQeasy

Which access control model allows data owners to grant or revoke access to resources they own, typically implemented using ACLs?

A.MAC
B.RBAC
C.ABAC
D.DAC
AnswerD

Correct. DAC allows owners to grant access.

Why this answer

DAC (Discretionary Access Control) enables owners to control access to their resources, commonly via ACLs.

944
MCQeasy

A security analyst is configuring a firewall to allow HTTP traffic (TCP port 80) from the internet to a web server in the DMZ. The firewall should also allow return traffic from the server back to the internet. Which type of firewall is best suited to handle this traffic while maintaining security?

A.Application proxy firewall
B.Circuit-level gateway
C.Stateful inspection firewall
D.Packet filter firewall
AnswerC

Stateful firewalls maintain connection state and automatically allow return traffic for established connections.

Why this answer

A stateful inspection firewall (C) is best suited because it tracks the state of active connections, allowing return traffic for established sessions (e.g., HTTP responses from the server to the internet) while blocking unsolicited inbound packets. It inspects packets at Layers 3 and 4, maintaining a state table that matches return packets to the original outbound request, ensuring only legitimate responses are permitted. This provides better security than a simple packet filter by preventing spoofed or out-of-context packets.

Exam trap

The trap here is that candidates often choose packet filter firewalls (D) because they are simpler and can technically allow HTTP traffic on port 80, but they fail to recognize that stateful inspection is required to securely handle return traffic without manually creating complex, insecure rules for ephemeral ports.

How to eliminate wrong answers

Option A is wrong because an application proxy firewall operates at Layer 7, terminating and re-establishing connections, which adds latency and complexity for simple HTTP traffic; it is overkill and not the best fit for just allowing HTTP with return traffic. Option B is wrong because a circuit-level gateway operates at Layer 5 (session layer), validating TCP handshakes but not inspecting packet contents or maintaining state for individual HTTP requests; it cannot reliably handle return traffic for dynamic ports or session tracking. Option D is wrong because a packet filter firewall only examines packet headers (source/destination IP, port, protocol) without maintaining connection state, making it vulnerable to spoofed return packets and unable to distinguish legitimate responses from malicious traffic.

945
MCQhard

Refer to the exhibit. A database administrator implements the configuration shown to protect sensitive data. What is the most significant security flaw?

A.The database encryption key should be protected by a certificate rather than a password.
B.AES-256 is not a strong enough algorithm.
C.The encryption is applied at the database level rather than column level.
D.The encryption key is protected by a password that may be stored in scripts.
AnswerA

Best practice for TDE is to use a certificate or asymmetric key to protect the DEK, ensuring proper key management.

Why this answer

The correct answer is A. In SQL Server TDE, the database encryption key (DEK) should be protected by a certificate or asymmetric key stored in the master database, not by a password. Using a password is insecure because it is often stored in scripts or configuration files.

Option D is also a concern, but it is a consequence of the password-based protection; the root cause is not using a certificate. Option B is incorrect because AES-256 is a strong algorithm. Option C is incorrect because TDE at the database level is appropriate for many scenarios and does not represent a flaw.

946
Multi-Selecthard

Which THREE of the following are valid risk treatment options according to ISO 31000? (Select exactly 3)

Select 3 answers
A.Risk retention
B.Risk review
C.Risk reduction
D.Risk transfer
E.Risk avoidance
AnswersC, D, E

Correct - Implementing controls to reduce likelihood or impact.

Why this answer

ISO 31000 defines risk treatment options as risk avoidance, risk reduction, risk transfer, and risk retention. Risk reduction (option C) is a valid treatment that involves implementing controls to lower the likelihood or impact of a risk, such as deploying firewalls or encryption to mitigate a security threat.

Exam trap

The trap here is that candidates may confuse 'risk review' (a monitoring activity) with a treatment option, or incorrectly think 'risk retention' is not a valid option when it is explicitly listed in ISO 31000, but the question requires selecting exactly three from the given set, so retention is excluded in this specific answer set.

947
MCQmedium

A DevOps team is implementing a DevSecOps pipeline. Which of the following should be introduced first in the pipeline to catch security issues early and reduce remediation cost?

A.Container vulnerability scanning after image build
B.Static application security testing (SAST) during the build stage
C.Pre-commit hooks that run linters and secret scanners
D.Dynamic application security testing (DAST) in staging environment
AnswerC

Pre-commit hooks catch issues before code is committed, the earliest point in the pipeline.

Why this answer

Pre-commit hooks run linters and secret scanners before code is even committed to the repository, catching issues like hardcoded credentials, insecure patterns, or syntax errors at the earliest possible point in the development lifecycle. This aligns with the DevSecOps principle of 'shift left'—finding defects earlier dramatically reduces remediation cost compared to post-build or post-deployment testing. Unlike later stages, pre-commit hooks prevent vulnerable code from entering the shared codebase, stopping issues before they propagate.

Exam trap

Cisco often tests the concept of 'shift left' by making candidates think SAST is the earliest security test, but pre-commit hooks execute even before the commit, making them the true first line of defense in a DevSecOps pipeline.

How to eliminate wrong answers

Option A is wrong because container vulnerability scanning after image build occurs after the code is compiled and packaged, which is later in the pipeline than pre-commit hooks, so it does not catch issues as early and remediation costs are higher. Option B is wrong because SAST during the build stage runs after code is committed and built, missing the opportunity to catch issues before they reach the repository; while valuable, it is not as early as pre-commit hooks. Option D is wrong because DAST in staging environment tests running applications much later in the pipeline, after deployment, making it the least effective for early detection and cost reduction.

948
MCQmedium

A database administrator (DBA) is responsible for implementing access controls and backup procedures for a customer database containing PII. The DBA reports to the data owner regarding security measures. Which role best describes the DBA's responsibilities?

A.Data steward
B.Data owner
C.Data custodian
D.Data processor
AnswerC

Correct. The DBA, as a custodian, implements security controls and manages the data on behalf of the owner.

Why this answer

The data custodian is responsible for the day-to-day management and security of data, including implementing controls, backups, and access management, on behalf of the data owner.

949
MCQeasy

Which of the following is a process that ensures users periodically confirm they still need access to systems and data?

A.Deprovisioning
B.Separation of duties
C.Recertification
D.Provisioning
AnswerC

Recertification is the periodic review of access rights.

Why this answer

Access recertification (or access review) requires users or managers to verify the continued need for access rights.

950
MCQmedium

An organization is preparing for an ISO 27001 certification audit. The audit will be performed by an external body. This type of audit is classified as:

A.Self-assessment
B.External audit
C.Peer review
D.Internal audit
AnswerB

External audits are conducted by independent third parties.

Why this answer

An external audit is performed by an independent third-party organization, such as a certification body, to assess compliance against a standard like ISO 27001. In this scenario, the audit is conducted by an external body specifically for certification purposes, which directly matches the definition of an external audit. This type of audit provides an unbiased evaluation of the Information Security Management System (ISMS) and is required for formal certification.

Exam trap

The trap here is confusing an internal audit (conducted by the organization's own staff) with an external audit (conducted by an independent third party), especially when the question emphasizes 'preparing for certification' — candidates may mistakenly think internal audits are sufficient for certification, but only an external audit by an accredited body can grant ISO 27001 certification.

How to eliminate wrong answers

Option A is wrong because a self-assessment is an internal evaluation performed by the organization's own staff, not by an external certification body. Option C is wrong because a peer review typically involves a review by colleagues or other organizations in a non-certification context, not a formal audit by an accredited external body. Option D is wrong because an internal audit is conducted by the organization's own internal audit team or employees, not by an independent external auditor.

951
MCQmedium

A company is implementing a hot site as a disaster recovery option. Which of the following best describes a hot site?

A.A facility with basic infrastructure but no equipment
B.A reciprocal agreement with another company to share space
C.A facility with some equipment but not fully operational
D.A facility that is fully configured and ready to operate within hours
AnswerD

Correct - Hot site is ready for immediate activation.

Why this answer

A hot site is a fully equipped backup facility that is ready to take over operations immediately, including hardware, software, and data synchronization.

952
MCQmedium

A software developer is concerned about buffer overflow vulnerabilities. Which combination of mitigations makes it most difficult for an attacker to exploit a stack-based buffer overflow?

A.Using a privileged account to run the application
B.Disabling stack protection
C.Stack canaries and NOP sleds
D.Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)
AnswerD

DEP and ASLR are standard mitigations against memory corruption exploits.

Why this answer

Data Execution Prevention (DEP) prevents code execution on the stack, and Address Space Layout Randomization (ASLR) randomizes memory addresses, making it harder to predict target addresses.

953
MCQeasy

Based on the exhibit, which security objective is this policy primarily designed to protect?

A.Non-repudiation
B.Confidentiality
C.Integrity
D.Availability
AnswerB

Encrypting data at rest prevents unauthorized access to the plaintext.

Why this answer

The policy explicitly states that data must be encrypted both at rest (using AES-256) and in transit (using TLS 1.2+). Encryption is a primary mechanism for ensuring confidentiality by preventing unauthorized access to data. The requirement to protect data from disclosure directly aligns with the confidentiality objective of the CIA triad.

Exam trap

The trap here is that candidates often confuse encryption with integrity or non-repudiation, but encryption alone does not provide integrity checks (which require MACs or digital signatures) nor does it prove the origin of data.

How to eliminate wrong answers

Option A is wrong because non-repudiation is about ensuring that an action cannot be denied, typically achieved through digital signatures and audit logs, not encryption. Option C is wrong because integrity focuses on preventing unauthorized modification of data, which is protected by hashing or checksums, not encryption alone. Option D is wrong because availability ensures that data and systems are accessible when needed, which is addressed by redundancy and disaster recovery, not encryption.

954
MCQmedium

A security architect is evaluating hypervisor security for a multi-tenant cloud environment. Which type of hypervisor is considered more secure because it runs directly on the hardware without a host operating system, reducing the attack surface?

A.Virtual machine monitor
B.Containers
C.Type 1 hypervisor
D.Type 2 hypervisor
AnswerC

Correct. Type 1 has a smaller attack surface.

Why this answer

Type 1 hypervisors (bare-metal) run directly on hardware, eliminating the OS layer that could be exploited. Examples: VMware ESXi, Hyper-V.

955
Multi-Selectmedium

A security architect is designing a system to protect against side-channel attacks that exploit electromagnetic emanations. Which TWO controls are most effective?

Select 2 answers
A.Data encryption at rest
B.TEMPEST shielding
C.Intrusion detection system
D.Time-based access controls
E.Faraday cage
AnswersB, E

TEMPEST shielding reduces electromagnetic emanations from equipment.

Why this answer

TEMPEST shielding reduces emanations, and Faraday cages block electromagnetic signals. While physical access control is important, it does not directly address emanations.

956
MCQmedium

A security analyst detects an attack where the attacker sends forged ARP messages to associate the attacker's MAC address with the IP address of the default gateway. Which OSI layer is primarily targeted by this attack?

A.Layer 4 – Transport
B.Layer 3 – Network
C.Layer 1 – Physical
D.Layer 2 – Data Link
AnswerD

ARP is a Layer 2 protocol used for MAC address resolution.

Why this answer

ARP operates at Layer 2 (Data Link) because it maps IP addresses (Layer 3) to MAC addresses (Layer 2) within a single broadcast domain. By forging ARP replies, the attacker poisons the ARP cache of hosts, causing frames destined for the default gateway to be sent to the attacker's MAC address. This directly targets the address resolution process that bridges Layer 2 and Layer 3, but the attack itself is executed at the Data Link layer.

Exam trap

The trap here is that candidates see 'IP address' in the question and immediately think Layer 3 (Network), forgetting that ARP is a Layer 2 protocol that resolves Layer 3 addresses to Layer 2 addresses.

How to eliminate wrong answers

Option A is wrong because Layer 4 (Transport) handles end-to-end communication, segmentation, and flow control (e.g., TCP/UDP ports), and ARP has no involvement with transport-layer headers or port numbers. Option B is wrong because Layer 3 (Network) deals with logical addressing and routing (e.g., IP packets), but ARP is not a routed protocol; it is confined to a single subnet and operates below IP. Option C is wrong because Layer 1 (Physical) concerns the physical transmission of bits over media (e.g., cables, signals), and ARP is a protocol that uses frames, not raw bit-level manipulation.

957
MCQmedium

A financial institution is migrating its customer data to a cloud environment. The cloud provider offers encryption at rest and in transit using AES-256 and TLS 1.2+. The compliance team requires that the organization maintain full control of encryption keys to meet regulatory obligations such as PCI DSS and local banking laws. The data is highly sensitive and includes personally identifiable information (PII). Which solution should the security architect recommend?

A.Implement client-side encryption with keys stored on-premises
B.Use tokenization instead of encryption
C.Use the cloud provider's default encryption with their key management service
D.Accept the provider's encryption without additional controls
AnswerA

Client-side encryption ensures the provider cannot access plaintext data, and keys remain under the organization's control.

Why this answer

Client-side encryption with keys stored on-premises ensures the organization retains exclusive control over encryption keys. Relying on cloud provider's encryption with KMS gives key management to the provider, which may not satisfy compliance. Accepting provider encryption without additional controls surrenders control.

Tokenization can protect data but removes original format, which may not be acceptable for all uses.

958
Multi-Selecthard

Which three BGP security mechanisms help protect against route hijacking? (Choose THREE.)

Select 3 answers
A.Resource Public Key Infrastructure (RPKI)
B.BGP Flowspec
C.Prefix filtering on edge routers
D.BGP MED attribute
E.MD5 authentication between BGP peers
AnswersA, C, E

RPKI validates the origin AS of IP prefixes.

Why this answer

RPKI is correct because it uses cryptographically signed Route Origin Authorizations (ROAs) to validate that an AS is authorized to originate specific IP prefixes. This prevents route hijacking by allowing routers to reject BGP announcements that do not match the registered origin AS.

Exam trap

ISC2 often tests the distinction between BGP security mechanisms that prevent hijacking (RPKI, prefix filtering, MD5 authentication) versus those that influence routing policy or traffic engineering (MED, Flowspec), leading candidates to mistakenly select MED or Flowspec as hijacking protections.

959
MCQeasy

During a code review, a developer identifies a SQL injection vulnerability. What is the most effective fix?

A.Use stored procedures exclusively.
B.Use an ORM framework.
C.Escape all input.
D.Implement parameterized queries.
AnswerD

Parameterized queries (prepared statements) separate code from data.

Why this answer

Parameterized queries (prepared statements) ensure user input is treated as data, not executable code. Stored procedures can still be vulnerable if dynamically built. Escaping input is error-prone.

ORMs often use SQL underneath and may not prevent injection if misused.

960
MCQhard

Examine the Cisco ASA access-list named 'outside_in'. A penetration tester reports that they were able to establish an RDP session from an external IP address 203.0.113.55 to the internal host 10.10.10.10 on port 3389. Which configuration change would BEST prevent this while still allowing legitimate remote administration from the authorized management station?

A.Change the RDP rule to deny any source and add an explicit deny before the permit rules
B.Add an explicit deny rule for RDP from any source before the existing RDP rule, with logging enabled
C.Delete the second line (the HTTPS rule) and add a rule to deny RDP from all external sources
D.Modify the RDP rule to permit only from source host 192.168.1.100
AnswerD

Restricting the source to the authorized host prevents unauthorized external RDP connections.

Why this answer

Option D is correct because the current rule permits RDP from any source, not only from the authorized management station; the correct fix is to restrict the source of the RDP rule to the single host 192.168.1.100 so that legitimate remote administration still works. Option C incorrectly deletes the HTTPS rule; Option A blocks all RDP, including the authorized management station; Option B only adds a logged deny for all sources, not a restriction to the authorized source.

961
MCQhard

Refer to the exhibit. A security analyst reviews this event log entry. What does this event indicate?

A.A successful logon by the SYSTEM account
B.A successful logon by a user account
C.An attempted exploit of a privilege escalation vulnerability
D.A failed logon attempt due to account lockout
AnswerD

Event 4625 indicates a failed logon; the status code shows an account lockout.

Why this answer

The event log entry shows a 'Logon Type 3' (network logon) with a 'Failure Reason' of 'Account locked out' and a 'Status' of 0xC0000234, which specifically indicates the account was locked due to too many failed attempts. This is a failed logon attempt, not a successful one, and the lockout status confirms the account was locked as a protective measure.

Exam trap

The trap here is that candidates see 'Logon Type 3' and assume it is a successful network logon, ignoring the failure status and lockout reason, or they misinterpret the lockout as a privilege escalation attempt.

How to eliminate wrong answers

Option A is wrong because the event shows a failure status (0xC0000234) and a failure reason of 'Account locked out', not a successful logon by any account including SYSTEM. Option B is wrong because the event explicitly indicates failure, not success, and the user account referenced is locked. Option C is wrong because this event does not show any privilege escalation exploit; it is a standard authentication failure due to account lockout, not an attack pattern like token manipulation or SeDebugPrivilege abuse.

962
MCQmedium

In LDAP, which attribute uniquely identifies an entry within the directory information tree?

A.Distinguished Name (DN)
B.Relative Distinguished Name (RDN)
C.Organizational Unit (OU)
D.Common Name (CN)
AnswerA

The DN uniquely identifies every entry.

Why this answer

The Distinguished Name (DN) uniquely identifies each entry in the LDAP directory tree.

963
MCQmedium

An organization is implementing a new access control system. They want to ensure that users are who they claim to be, that actions can be traced to individuals, and that access rights are managed appropriately. Which framework encompasses all three of these goals?

A.COBIT 2019
B.AAA framework
C.CIA triad
D.ISO/IEC 27001
AnswerB

Correct - Authentication, Authorization, and Accounting.

Why this answer

The AAA framework (Authentication, Authorization, and Accounting) covers identification/authentication, authorization (access rights), and accounting (audit trails for non-repudiation).

964
MCQmedium

A developer uses a tool that analyzes source code for potential security flaws without executing the program. This is an example of:

A.DAST
B.IAST
C.RASP
D.SAST
AnswerD

SAST analyzes source code without execution.

Why this answer

SAST (Static Application Security Testing) analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program. This matches the description of a tool that inspects code statically, making D the correct answer.

Exam trap

The trap here is confusing SAST with DAST because both are application security testing types, but the key differentiator is execution: SAST is static (no execution) while DAST is dynamic (requires execution).

How to eliminate wrong answers

Option A is wrong because DAST (Dynamic Application Security Testing) tests a running application by sending inputs and observing responses, not by analyzing source code without execution. Option B is wrong because IAST (Interactive Application Security Testing) combines static and dynamic analysis, requiring the application to be executed and instrumented, not purely static analysis. Option C is wrong because RASP (Runtime Application Self-Protection) is a runtime security control embedded in the application environment that monitors and blocks attacks during execution, not a source code analysis tool.

965
MCQmedium

An application authenticates users using session tokens. A security analyst finds that the application does not invalidate session tokens after logout, allowing session fixation attacks. Which secure coding practice should be implemented to mitigate this?

A.Using short session timeouts
B.Setting the secure flag on cookies
C.Regenerating session ID after successful login
D.Implementing HTTPS for all communications
AnswerC

Regenerating session ID prevents fixation by ensuring the attacker's session ID is not used.

Why this answer

Proper session management includes invalidating session tokens on logout and generating new tokens after authentication to prevent fixation.

966
Multi-Selectmedium

An organization is selecting security metrics to report to the board. Which THREE metrics would best demonstrate the effectiveness of the vulnerability management program?

Select 3 answers
A.Open vulnerability count by severity
B.Number of employees in IT security
C.Budget for security tools
D.Mean time to remediate critical vulnerabilities
E.Patch compliance percentage
AnswersA, D, E

Open vulnerability count by severity provides a snapshot of current vulnerabilities.

Why this answer

These three metrics cover remediation speed, current risk posture, and compliance with patching policies, which are key indicators.

967
MCQeasy

Which of the following is the primary purpose of the CIA triad in information security?

A.To establish a framework for risk management
B.To ensure compliance with regulatory requirements
C.To balance security controls with usability
D.To define the core objectives of information security
AnswerD

The CIA triad directly defines the three fundamental security objectives.

Why this answer

The CIA triad—Confidentiality, Integrity, and Availability—provides a foundational model for developing security policies and ensuring that data is protected from unauthorized access, tampering, and downtime.

968
MCQmedium

A security engineer is troubleshooting a network where internal users can access internet websites but cannot reach the company's external VPN server (IP 203.0.113.50, UDP port 500). The firewall rule for VPN traffic is correctly configured. What is the most likely cause?

A.The VPN server is using TCP port 443 instead of UDP 500.
B.The firewall rule is applied to the wrong interface.
C.The firewall is stateful and blocking the return traffic.
D.The VPN server is not listening on UDP port 500.
AnswerD

If the server does not have the VPN service running, it won't respond, causing the client to time out.

Why this answer

Option D is correct because the symptom—internal users can reach internet websites but cannot reach the external VPN server—indicates a host-level issue rather than a network or firewall problem. Since the firewall rule for VPN traffic is correctly configured and other traffic flows normally, the most likely cause is that the VPN server itself is not listening on UDP port 500, which is the standard port for IPsec IKE (Internet Key Exchange) traffic. This could be due to a misconfiguration, service failure, or the server being configured to use a different port or protocol.

Exam trap

The trap here is that candidates often assume a firewall misconfiguration (like stateful blocking or wrong interface) is the cause, but the question explicitly states the firewall rule is correctly configured, forcing you to look at the endpoint itself—a classic CISSP test of reading comprehension and layered troubleshooting.

How to eliminate wrong answers

Option A is wrong because if the VPN server were using TCP port 443 instead of UDP 500, the firewall rule would still need to match that traffic, but the question states the rule is correctly configured for VPN traffic (implying UDP 500), and the symptom would be different (e.g., HTTPS-based VPNs like SSL VPN would work). Option B is wrong because if the firewall rule were applied to the wrong interface, internal users would likely have broader connectivity issues (e.g., inability to reach any external services), not just the VPN server, and the question explicitly states the rule is correctly configured. Option C is wrong because a stateful firewall automatically tracks UDP sessions and allows return traffic if the outbound rule permits the initial packet; blocking return traffic would affect all UDP-based services, not just the VPN server, and the question confirms other internet access works.

969
MCQhard

An organization is migrating to a microservices architecture and wants to secure inter-service communication. Which approach is most aligned with the principle of securing the pipeline?

A.Service mesh with sidecar proxies
B.API keys in environment variables
C.Mutual TLS (mTLS) between services
D.Firewall rules restricting IP addresses
AnswerA

Correct. Service mesh provides encryption, authentication, and policy enforcement for service-to-service communication.

Why this answer

A service mesh with sidecar proxies (e.g., Istio) provides mutual TLS, traffic management, and policy enforcement for inter-service communication, directly securing the pipeline.

970
MCQhard

A global technology firm has implemented a continuous integration/continuous deployment (CI/CD) pipeline for its flagship software product. The security testing team is tasked with integrating security testing into the pipeline. The team has decided to use a static application security testing (SAST) tool and a software composition analysis (SCA) tool. They are currently running both tools every night against the entire codebase, but the developers complain that the reports are too long and often contain false positives. The team wants to improve the efficiency without sacrificing security coverage. Which of the following is the BEST strategy?

A.Decrease the scan frequency to weekly to reduce noise.
B.Implement a developers' feedback loop for false positives and tune the tools.
C.Replace SAST with dynamic application security testing (DAST) for more accurate results.
D.Run SAST and SCA only on new code changes committed to the main branch.
AnswerB

Tuning reduces false positives, improving efficiency while maintaining comprehensive scanning.

Why this answer

Option B is correct because tuning the SAST and SCA tools based on developer feedback directly addresses the false positive issue while maintaining security coverage. By establishing a feedback loop, the team can adjust rule sets, suppress known false positives, and reduce report noise without reducing scan frequency or scope. This approach aligns with the principle of continuous improvement in DevSecOps, ensuring that security testing remains efficient and actionable.

Exam trap

The trap here is that candidates may choose Option D (scan only new code) because it seems efficient, but they overlook the need for continuous scanning of the entire codebase to catch regressions and vulnerabilities in unchanged code, which is a core requirement for maintaining security coverage in CI/CD pipelines.

How to eliminate wrong answers

Option A is wrong because decreasing scan frequency to weekly reduces the frequency of security feedback, potentially allowing vulnerabilities to persist longer in the pipeline, which sacrifices security coverage and does not address the false positive problem. Option C is wrong because replacing SAST with DAST is not a direct solution; DAST analyzes running applications and has different strengths (e.g., runtime issues), but it does not replace the need for static analysis and SCA for dependency vulnerabilities, and it may introduce its own false positives. Option D is wrong because running SAST and SCA only on new code changes to the main branch misses vulnerabilities in existing code and dependencies that could be introduced through configuration changes or updates, and it fails to provide comprehensive coverage of the entire codebase.

971
Multi-Selectmedium

During a security audit of a web application, the following issues are found: (1) Session tokens are included in URLs, (2) The application does not invalidate session tokens after logout, and (3) Session tokens are predictable. Which THREE of the following controls are most appropriate to address these issues?

Select 4 answers
A.Regenerate session tokens after login
B.Store session tokens in cookies with Secure and HttpOnly flags
C.Invalidate session tokens on logout and set short expiration times
D.Use a cryptographically secure random number generator for token generation
E.Implement IP address binding for session tokens
AnswersA, B, C, D

Regeneration prevents session fixation attacks.

Why this answer

Option A is correct because regenerating session tokens after login prevents session fixation attacks, where an attacker forces a known session ID on a user before authentication. This ensures that the session identifier used post-login is not the same as the one used pre-login, mitigating the risk of an attacker hijacking the authenticated session. This control directly addresses the issue of predictable session tokens by ensuring a fresh, unpredictable token is issued upon authentication.

Exam trap

Cisco often tests the misconception that IP binding is a strong session management control, but in reality it is fragile and not a primary defense against session token exposure, predictability, or improper invalidation.

972
MCQmedium

A healthcare organization implements a policy requiring all employees to use biometric fingerprint scanners to access patient records. Which of the following is the MOST significant risk associated with this authentication method?

A.Biometric data cannot be revoked or changed if compromised
B.High false acceptance rate leading to unauthorized access
C.Low user acceptance due to privacy concerns
D.Increased login time compared to password authentication
AnswerA

Biometric traits are permanent; once stolen, they cannot be replaced.

Why this answer

Biometric data, such as fingerprint templates, is immutable and permanently tied to the individual. Once compromised, the user cannot simply 'reset' their fingerprint like a password, rendering the authentication factor permanently insecure for that user across all systems where it is used. This non-repudiation and revocation failure represents the most significant long-term risk to the organization's identity management infrastructure.

Exam trap

The trap here is that candidates focus on the immediate operational risks (FAR, user acceptance, or speed) rather than the fundamental, long-term security property of biometrics: the inability to revoke or change the credential, which is the most critical risk in identity and access management.

How to eliminate wrong answers

Option B is wrong because modern fingerprint scanners (e.g., capacitive or ultrasonic) have very low false acceptance rates (FAR), typically below 0.001%, making unauthorized access via FAR a less significant risk than the permanent compromise of biometric data. Option C is wrong because while privacy concerns may affect user acceptance, they are a secondary operational issue, not the most significant security risk; the primary risk is the irreversible loss of the authentication factor itself. Option D is wrong because increased login time is a usability inconvenience, not a security risk, and modern scanners authenticate in under one second, making this negligible compared to the revocation problem.

973
MCQmedium

Under the GDPR, which role is responsible for determining the purposes and means of processing personal data?

A.Data processor
B.Data controller
C.Data subject
D.Data protection officer
AnswerB

The controller determines the purposes and means.

Why this answer

The data controller decides why and how personal data is processed, as defined in GDPR.

974
MCQhard

A company's security team discovers that an employee inadvertently shared sensitive customer data via a public cloud storage link. The incident response team contains the breach and notifies affected customers. Which of the following risk management strategies would BEST prevent recurrence?

A.Block all access to public cloud storage services from corporate devices.
B.Implement mandatory security awareness training focusing on data handling procedures.
C.Deploy a Data Loss Prevention (DLP) solution that monitors and controls sharing of sensitive data.
D.Encrypt all sensitive data at rest and in transit to render shared data useless.
AnswerC

Correct - DLP provides automated controls to prevent data leakage.

Why this answer

Option C is correct because a Data Loss Prevention (DLP) solution provides automated, policy-based monitoring and control of sensitive data being shared via public cloud storage links. Unlike awareness training (which relies on human behavior) or blanket blocking (which hinders productivity), DLP can inspect content in real time using pattern matching, fingerprinting, or exact data matching to prevent unauthorized sharing before it occurs, directly addressing the root cause of inadvertent exposure.

Exam trap

The trap here is that candidates often choose awareness training (Option B) because it seems like a logical first step, but the question asks for the BEST strategy to PREVENT recurrence, and DLP provides a technical control that actively blocks the action rather than relying on human behavior change.

How to eliminate wrong answers

Option A is wrong because blocking all access to public cloud storage services is an overly restrictive technical control that can severely impact business operations and collaboration; it does not address the underlying issue of improper data handling and may drive users to unapproved shadow IT solutions. Option B is wrong because while security awareness training is important, it is a preventive administrative control that relies on human memory and compliance; it cannot prevent recurrence of inadvertent sharing in real time, as human error can still occur despite training. Option D is wrong because encryption protects data confidentiality if the data is intercepted, but it does not prevent the authorized user from inadvertently sharing the encrypted data via a public link; if the recipient has the decryption key (or the key is shared with the link), the data remains exposed, so encryption alone is not a preventive control against the act of sharing.

975
MCQeasy

An organization wants to protect sensitive data stored on laptops. Which of the following is the MOST effective control to prevent data loss if a laptop is stolen?

A.BIOS password
B.Asset tracking software
C.Full-disk encryption (FDE)
D.Remote wipe capability
AnswerC

FDE encrypts the entire drive, making data inaccessible without the key.

Why this answer

Full-disk encryption (FDE) renders the data on the laptop unreadable without the decryption key, even if the storage drive is removed and analyzed. This is the most effective preventive control against data loss from theft because it protects data at rest regardless of physical access to the device.

Exam trap

The trap here is that candidates often choose remote wipe (D) because it sounds proactive, but they overlook that it requires network connectivity and is a corrective control, whereas full-disk encryption is a preventive control that works even offline.

How to eliminate wrong answers

Option A is wrong because a BIOS password only prevents unauthorized booting of the system, but the hard drive can be removed and accessed directly via another machine, exposing all data. Option B is wrong because asset tracking software helps locate a stolen laptop but does not prevent data access or loss if the device is not recovered. Option D is wrong because remote wipe capability can delete data after theft, but it relies on network connectivity and may fail if the thief immediately disconnects the device; it is a reactive control, not a preventive one.
