Certified Information Systems Security Professional CISSP (CISSP) — Questions 76150

529 questions total · 8pages · All types, answers revealed

Page 1

Page 2 of 8

Page 3
76
Drag & Dropmedium

Drag and drop the steps of the incident response process in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Incident response follows NIST SP 800-61: preparation, detection, containment/eradication/recovery, post-incident activity, and improvement.

77
Multi-Selecteasy

A security architect is considering secure design principles. Which two principles are essential for a defense-in-depth strategy? (Select TWO.)

Select 2 answers
A.Single point of failure
B.Layered security
C.Open design
D.Fail safe
E.Least privilege
AnswersB, E

Correct. Multiple layers of defense are core to defense-in-depth.

Why this answer

Layered security (defense in depth) is essential because it implements multiple, overlapping security controls so that if one layer fails, another layer continues to provide protection. This principle ensures that no single vulnerability can compromise the entire system, which is the core of a defense-in-depth strategy. Least privilege is equally essential because it restricts users and processes to only the minimum permissions necessary, limiting the blast radius of any breach and preventing lateral movement across layers.

Exam trap

The trap here is that candidates often confuse 'fail safe' or 'open design' as core to defense in depth, but the exam specifically tests that defense in depth is defined by layered security and least privilege, not by fail-safe mechanisms or design transparency.

78
MCQhard

Refer to the exhibit. A security analyst is reviewing the network ACL inbound rules. Which statement is true?

A.SSH access is limited to the 10.0.0.0/8 subnet.
B.Outbound rules are not shown.
C.The rule order is irrelevant.
D.All inbound HTTP traffic is denied.
AnswerA

SSH is allowed only from the specified source.

Why this answer

Option A is correct because the ACL inbound rule explicitly permits TCP port 22 (SSH) only from source IP addresses within the 10.0.0.0/8 range, and the implicit deny at the end of the ACL blocks all other traffic, including SSH from any other subnet. This restricts SSH administrative access to the private 10.0.0.0/8 network, enhancing security by preventing external SSH connections.

Exam trap

ISC2 often tests the implicit deny at the end of an ACL, leading candidates to overlook that even though a rule permits HTTP, the absence of a specific deny for HTTP does not mean it is denied—only the implicit deny blocks unmatched traffic, but here HTTP is explicitly permitted.

How to eliminate wrong answers

Option B is wrong because the exhibit only shows inbound rules, and the statement 'Outbound rules are not shown' is a factual observation that does not make any claim about the ACL's behavior; it is not a true statement about the ACL's effect. Option C is wrong because ACL rules are evaluated sequentially from top to bottom, and the first matching rule determines the action; rule order is critical, especially when there are both permit and deny entries. Option D is wrong because the ACL includes a permit rule for TCP port 80 (HTTP) from any source, so inbound HTTP traffic is explicitly allowed, not denied.

79
MCQeasy

Which of the following is the primary purpose of a hardware security module (HSM)?

A.Filtering malicious traffic
B.Generating and storing cryptographic keys securely
C.Encrypting hard drives at rest
D.Accelerating network traffic
AnswerB

Correct. HSM provides tamper-resistant key management.

Why this answer

A hardware security module (HSM) is a dedicated, tamper-resistant hardware appliance designed to securely generate, store, and manage cryptographic keys throughout their lifecycle. Its primary purpose is to protect the root of trust for encryption operations, ensuring that private keys never leave the secure boundary of the module. This is critical for high-assurance environments such as certificate authorities (CAs) and payment processing systems.

Exam trap

The trap here is that candidates confuse an HSM with a general-purpose encryption tool or a network security appliance, mistakenly thinking it performs bulk encryption or traffic filtering, when its core role is secure key generation and storage.

How to eliminate wrong answers

Option A is wrong because filtering malicious traffic is the function of a firewall or intrusion prevention system (IPS), not an HSM. Option C is wrong because encrypting hard drives at rest is typically performed by full-disk encryption (FDE) software or self-encrypting drives (SEDs), not by an HSM; an HSM may store the encryption keys but does not perform the bulk encryption of the drive. Option D is wrong because accelerating network traffic is the role of a load balancer or a dedicated network accelerator; an HSM focuses on cryptographic operations and key management, not on improving network throughput.

80
Multi-Selecteasy

Which THREE are core principles of secure system design?

Select 3 answers
A.Complexity increases security
B.Security through obscurity
C.Least privilege
D.Fail securely
E.Defense in depth
AnswersC, D, E

Subjects should have only the privileges needed to perform their tasks.

Why this answer

The principle of least privilege mandates that users, processes, or systems should be granted only the minimum permissions necessary to perform their function. This reduces the attack surface and limits potential damage from compromised accounts or software flaws. In secure system design, it is enforced through access control lists (ACLs), role-based access control (RBAC), and mandatory access control (MAC) models.

Exam trap

ISC2 often tests the distinction between 'security through obscurity' as a valid supplementary measure versus a core principle, and candidates mistakenly select it because they confuse obfuscation with a foundational design tenet.

81
MCQhard

Based on the firewall log entry, what is the most likely reason the connection was denied?

A.The outbound connection was blocked by an access control list.
B.The connection was denied due to malicious signature detection.
C.The destination IP address is blacklisted.
D.The source port 54321 is a prohibited port.
AnswerA

The entry shows denial by access-group 'outside-in', which is applied to inbound on outside interface but blocks outbound traffic from inside.

Why this answer

The firewall log entry shows an outbound connection attempt from source IP 10.0.0.5:54321 to destination IP 203.0.113.50:80 that was denied. Firewalls typically evaluate outbound traffic against access control lists (ACLs) before any deeper inspection. Since the log does not indicate any signature match or blacklist hit, the most straightforward reason is that an ACL rule explicitly blocked this outbound connection.

Exam trap

The trap here is that candidates often assume a denied connection must be due to a security feature like blacklisting or signature detection, but the log lacks any such indicators, making a simple ACL block the most logical answer.

How to eliminate wrong answers

Option B is wrong because malicious signature detection is a function of an intrusion prevention system (IPS) or next-generation firewall (NGFW) with deep packet inspection, and the log entry does not reference any signature ID or alert. Option C is wrong because a blacklisted destination IP would typically be logged with a specific reason such as 'blacklist hit' or 'reputation block', which is absent here. Option D is wrong because source ports above 1024 (ephemeral ports) are not prohibited by standard firewall policies; only well-known ports (0-1023) or specific ports might be restricted, and 54321 is a high ephemeral port commonly used by client applications.

82
MCQeasy

Refer to the exhibit. An IAM policy is attached to a user. What is the effective permission when the user attempts to read the object 'confidential/report.pdf'?

A.Denied because the Deny statement explicitly denies all actions on that path
B.Allowed because the resource match is broader in the Allow
C.Allowed because the Allow statement grants GetObject
D.Denied only if the user has no other Allow policies
AnswerA

Explicit Deny always takes precedence over any Allow.

Why this answer

The correct answer is A because IAM policies evaluate explicit Deny statements before any Allow statements. Since the Deny statement explicitly denies all actions on the 'confidential/report.pdf' path, the user's GetObject request is denied regardless of any broader Allow statements. This is a fundamental principle of AWS IAM policy evaluation logic: an explicit Deny overrides all Allow permissions.

Exam trap

ISC2 often tests the principle that an explicit Deny overrides any Allow, even when the Allow appears more specific or broader, leading candidates to incorrectly assume that a broader Allow or a missing other policy would permit the action.

How to eliminate wrong answers

Option B is wrong because a broader resource match in an Allow statement does not override an explicit Deny; the Deny takes precedence in the evaluation. Option C is wrong because even though the Allow statement grants GetObject, the explicit Deny on the same action and resource path overrides it, resulting in denial. Option D is wrong because the Deny is explicit and does not depend on the absence of other Allow policies; it is effective immediately and independently.

83
Drag & Dropmedium

Drag and drop the steps for implementing mandatory access control (MAC) in a secure system in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

MAC implementation: define labels, assign clearances, assign classifications, configure monitor, test.

84
MCQeasy

A development team is implementing a new feature that processes sensitive user data. Which of the following is the most secure approach to prevent data leakage during processing?

A.Use a separate virtual machine for each request.
B.Use memory encryption for all user data.
C.Store all data in a temporary file and delete it after processing.
D.Log all data access for auditing.
AnswerB

Protects data in memory from memory scraping attacks.

Why this answer

Memory encryption protects data in memory from unauthorized access. Storing data in temporary files on disk increases exposure. Virtual machines per request are resource-intensive and not always feasible.

Logging is detective, not preventive.

85
MCQhard

A large e-commerce company operates a multi-tier application in a public cloud. The environment includes a web tier, application tier, and database tier. The security team recently deployed a host-based intrusion detection system (HIDS) on all servers. During a routine review, the HIDS alerts show repeated failed login attempts from a single external IP address to several web servers, but no successful logins from that IP. The team also notices that the database servers have been sending outbound traffic to an unknown IP address on port 443, which is unusual because the database servers typically communicate only with the application servers on port 3306 (MySQL). The application team confirms no changes were made recently. The CISO wants an immediate investigation. What should the security team do first?

A.Immediately restart all database servers to stop any malicious processes.
B.Isolate the database servers from the network and perform forensic analysis on system logs and memory dumps.
C.Add a firewall rule to deny outbound traffic from the database tier to the unknown IP.
D.Block the external IP that is attempting to log in to the web servers and continue monitoring.
AnswerB

Containment and forensic analysis are the appropriate first steps to identify and remove the threat.

Why this answer

Option D is correct because the suspicious outbound traffic from database servers indicates potential data exfiltration. Isolating the affected servers and analyzing their logs and memory will help confirm compromise and contain the incident. Option A is wrong because focusing on the failed logins may miss the active exfiltration.

Option B is wrong because restarting servers can destroy forensic evidence. Option C is wrong because blocking the IP on the firewall does not address the potential malware on the database servers.

86
Multi-Selecthard

Which TWO of the following are common causes of network performance degradation that can be detected by network monitoring tools?

Select 2 answers
A.Incorrect default gateway
B.High CPU utilization on routers
C.Duplex mismatch on a link
D.Excessive broadcast traffic
E.DNS misconfiguration
AnswersC, D

Duplex mismatch causes collisions and retransmissions, significantly degrading performance.

Why this answer

Duplex mismatch occurs when one end of an Ethernet link is configured for full-duplex and the other for half-duplex, causing frame collisions, CRC errors, and severe performance degradation. Network monitoring tools detect this through interface error counters (e.g., runts, FCS errors, late collisions) and can alert on excessive errors. This is a common physical-layer issue that directly impacts throughput and latency.

Exam trap

ISC2 often tests duplex mismatch as a classic performance issue, and the trap here is that candidates confuse 'high CPU utilization on routers' (a symptom) with a direct cause of degradation, or they mistakenly think DNS misconfiguration affects network throughput rather than just name resolution.

87
MCQhard

In a software-defined network (SDN) architecture, the control plane is separated from the data plane. A network administrator is troubleshooting packet forwarding delays. Which plane is directly responsible for forwarding packets?

A.Data plane
B.Application plane
C.Control plane
D.Management plane
AnswerA

Directly responsible for forwarding packets based on flow tables.

Why this answer

In SDN, the data plane (also called the forwarding plane) is directly responsible for forwarding packets based on flow table entries installed by the controller. It handles per-packet operations like looking up destination addresses, applying actions (e.g., output to port, drop, modify header), and forwarding at line rate. Packet forwarding delays are typically caused by data plane issues such as flow table misses, hardware forwarding pipeline congestion, or inefficient TCAM lookups.

Exam trap

ISC2 often tests the misconception that the control plane is responsible for forwarding because it makes routing decisions, but in SDN the control plane only programs the data plane, which actually performs the forwarding.

How to eliminate wrong answers

Option B (Application plane) is wrong because it hosts network applications (e.g., load balancers, firewalls) that communicate with the controller via northbound APIs, but it does not directly forward packets. Option C (Control plane) is wrong because it makes forwarding decisions and populates flow tables (e.g., via OpenFlow or NETCONF), but the actual packet forwarding is executed by the data plane. Option D (Management plane) is wrong because it handles administrative tasks like configuration, monitoring, and fault management (e.g., SNMP, CLI), not real-time packet forwarding.

88
MCQeasy

During a business impact analysis (BIA), the team identifies that the customer service application must be restored within 4 hours of a disruption. What is the term for this metric?

A.Maximum Tolerable Downtime (MTD)
B.Recovery Point Objective (RPO)
C.Service Level Agreement (SLA)
D.Recovery Time Objective (RTO)
AnswerD

RTO is the targeted time to restore a function.

Why this answer

The Recovery Time Objective (RTO) defines the maximum acceptable time that a business process or application can be unavailable after a disruption. In this scenario, the 4-hour restoration requirement for the customer service application directly matches the RTO metric, which drives the design of recovery strategies and resource allocation.

Exam trap

The trap here is confusing RTO with MTD, as candidates often think MTD is the same as the recovery time target, but MTD is the total tolerable outage including business impact, while RTO is the specific IT recovery goal set to meet that MTD.

How to eliminate wrong answers

Option A is wrong because Maximum Tolerable Downtime (MTD) represents the total duration a business process can be non-functional before causing irreparable harm, which is typically longer than the RTO and includes the time to recover plus any additional buffer. Option B is wrong because Recovery Point Objective (RPO) measures the maximum acceptable data loss in terms of time (e.g., minutes or hours of lost transactions), not the time to restore service. Option C is wrong because a Service Level Agreement (SLA) is a contractual commitment between a provider and customer that may include RTOs, but it is not the metric itself; the question asks for the term describing the restoration time requirement.

89
Multi-Selectmedium

Which TWO principles are fundamental to a defense-in-depth security architecture?

Select 2 answers
A.Diversity of defense
B.Centralized logging
C.Single point of failure
D.Layered security controls
E.Minimal user training
AnswersA, D

Using different types of controls across layers reduces the risk of a common vulnerability.

Why this answer

Options A and C are correct: Defense in depth relies on layered security controls (A) and diversity of defense (C) to ensure that if one layer fails, others still protect. Option B is incorrect because a single point of failure contradicts defense in depth. Option D (centralized logging) is a good practice but not a foundational principle.

Option E (minimal user training) is counterproductive.

90
MCQeasy

A multinational corporation must ensure that data leaving the organization's network is classified and labeled appropriately. Which of the following is the MOST effective method to enforce consistent labeling across all data types?

A.Implement automated data classification tools that scan for sensitive content and apply labels
B.Appoint data stewards in each department to manually review and label data
C.Require all employees to complete annual training on data classification
D.Encrypt all data in transit and at rest to prevent unauthorized access
AnswerA

Automated tools ensure consistent application of labels based on predefined rules.

Why this answer

Automated data classification tools (e.g., Microsoft Purview, Symantec DLP) use content inspection, pattern matching, and machine learning to scan data at rest, in use, and in transit. They apply consistent labels based on predefined policies (e.g., regex for PII, fingerprinting for IP), ensuring uniform labeling across all data types without relying on human consistency or manual effort.

Exam trap

The trap here is that candidates often confuse encryption (which protects data) with classification (which labels data), or they overestimate the effectiveness of training and manual processes for consistent enforcement at scale.

How to eliminate wrong answers

Option B is wrong because manual review by data stewards is error-prone, inconsistent across departments, and cannot scale to the volume of data in a multinational corporation, leading to labeling gaps and misclassification. Option C is wrong because annual training alone does not enforce labeling; employees may forget, ignore, or apply labels inconsistently, and training cannot ensure real-time compliance for every data item. Option D is wrong because encryption protects confidentiality but does not classify or label data; encrypted data can still be unlabeled or mislabeled, failing to meet the requirement for consistent labeling.

91
Multi-Selecteasy

Which TWO of the following are valid reasons for conducting a business impact analysis (BIA)?

Select 2 answers
A.To identify vulnerabilities in the network infrastructure
B.To perform a full security audit of the organization
C.To create a list of all hardware and software assets
D.To identify critical business processes and their dependencies
E.To determine the maximum acceptable outage time for each process
AnswersD, E

The BIA identifies which processes are most important to the organization.

Why this answer

Option D is correct because a Business Impact Analysis (BIA) is specifically designed to identify critical business processes and their dependencies on resources such as personnel, systems, and data. This identification is foundational for prioritizing recovery strategies in business continuity planning, as it directly links operational needs to technical infrastructure.

Exam trap

The trap here is that candidates confuse the BIA with technical assessments like vulnerability scans or asset inventories, but the BIA is exclusively a business-oriented analysis of process criticality and outage tolerance, not a technical audit or inventory exercise.

92
MCQhard

Refer to the exhibit. The risk manager is reviewing this risk register entry. According to the organization's risk appetite, which states that residual risks must be low or below, what is the most appropriate recommendation?

A.Implement additional controls to reduce the likelihood or impact.
B.Accept the residual risk because existing controls are in place.
C.Transfer the risk to a third party via cyber insurance.
D.Avoid the risk by decommissioning the database server.
AnswerA

This aligns with risk appetite by reducing residual risk to low.

Why this answer

Option B is correct because the residual risk is medium, exceeding the risk appetite. Additional controls should be implemented to reduce likelihood or impact. Option A (accept) is inappropriate as residual risk is not low.

Option C (transfer) may be considered but does not address the root cause and is not the primary recommendation. Option D (avoid) is too drastic without exploring controls.

93
MCQeasy

Refer to the exhibit. A security team is reviewing switch configurations and notices that the native VLAN is set to VLAN 10. An attacker on an access port in VLAN 10 sends a frame with a VLAN tag of VLAN 20 inside another frame. Which type of attack does this configuration make possible?

A.DHCP starvation
B.VLAN hopping via double tagging
C.ARP spoofing
D.MAC flooding
AnswerB

Double tagging is possible when the native VLAN is used on trunk ports; the attacker can send frames with two tags to hop VLANs.

Why this answer

The configuration with native VLAN 10 allows an attacker on an access port in VLAN 10 to craft a frame with an outer 802.1Q tag for VLAN 20 and an inner tag for VLAN 10. When the switch receives this frame on a trunk port, it strips the outer tag (native VLAN) and forwards the inner tag, causing the frame to hop into VLAN 20. This is the classic VLAN hopping via double tagging attack, exploiting the native VLAN behavior.

Exam trap

ISC2 often tests the misconception that VLAN hopping only occurs via DTP (Dynamic Trunking Protocol) negotiation, but double tagging is a separate attack that exploits the native VLAN behavior on trunk ports.

How to eliminate wrong answers

Option A is wrong because DHCP starvation floods the DHCP server with fake requests to exhaust IP addresses, which is unrelated to VLAN tagging or native VLAN manipulation. Option C is wrong because ARP spoofing involves sending forged ARP replies to associate a malicious MAC with a legitimate IP, not exploiting double tagging or native VLANs. Option D is wrong because MAC flooding overwhelms the switch's MAC address table to force flooding of frames, which is a different Layer 2 attack that does not involve VLAN tag manipulation.

94
MCQeasy

A remote user needs to securely connect to the corporate network over the internet. Which protocol provides both encryption and authentication?

A.L2TP
B.PPTP
C.SSL
D.IPsec
AnswerD

IPsec provides encryption and authentication for VPNs.

Why this answer

IPsec is the correct answer because it is a suite of protocols (AH and ESP) that provides both encryption (confidentiality) and authentication (integrity and origin verification) at the network layer. It operates in either transport or tunnel mode, making it suitable for secure site-to-site or remote-access VPNs over the internet.

Exam trap

The trap here is that candidates often confuse L2TP or PPTP as providing encryption, when in fact L2TP requires IPsec for security and PPTP is deprecated due to weak encryption and authentication flaws.

How to eliminate wrong answers

Option A is wrong because L2TP is a tunneling protocol that provides only encapsulation, not encryption or authentication; it relies on an additional protocol like IPsec (L2TP/IPsec) to secure the connection. Option B is wrong because PPTP uses MPPE for encryption but has known vulnerabilities (e.g., weak authentication via MS-CHAPv2) and does not provide strong mutual authentication or integrity protection. Option C is wrong because SSL (now TLS) provides encryption and authentication at the transport layer, but it is typically used for securing web traffic (HTTPS) and not as a native network-layer VPN protocol for remote user connectivity to a corporate network; while SSL VPNs exist, the question asks for a protocol that provides both encryption and authentication, and IPsec is the direct answer in the context of network-layer security.

95
Multi-Selecthard

A cloud security architect is designing a system that must comply with the principle of data sovereignty. Which three controls should be implemented? (Select THREE.)

Select 3 answers
A.Encrypt data at rest using customer-managed keys
B.Enforce contractual clauses with cloud provider regarding data location
C.Implement data classification policies
D.Store data only in approved geographic regions
E.Use a virtual private network (VPN) for all transfers
AnswersB, C, D

Correct. Contracts legally obligate the provider to maintain data in specified regions.

Why this answer

Option B is correct because contractual clauses with the cloud provider legally bind the provider to store and process data only within specified geographic boundaries, directly enforcing data sovereignty. This is a governance control that ensures compliance with local laws, such as GDPR or Brazil's LGPD, by restricting data movement across jurisdictions.

Exam trap

The trap here is that candidates often confuse data sovereignty with data security controls like encryption or VPNs, failing to recognize that sovereignty is about legal jurisdiction and physical location, not just confidentiality or transmission security.

96
Multi-Selecthard

Which THREE of the following are required components of a Business Continuity Plan (BCP)?

Select 3 answers
A.Alternate facility location
B.Contact list of key stakeholders
C.Detailed technical recovery procedures
D.Marketing strategy
E.List of all employees' home addresses
AnswersA, B, C

Required if primary facility is unavailable.

Why this answer

An alternate facility location is a required component of a Business Continuity Plan (BCP) because it provides a pre-arranged site where critical operations can resume if the primary facility becomes unusable. This ensures continuity of operations within the defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Without a designated alternate site, the organization would lack a physical fallback, making the BCP incomplete.

Exam trap

The trap here is that candidates often confuse BCP components with Disaster Recovery Plan (DRP) details, assuming detailed technical recovery procedures are always part of a BCP, when in fact they belong to the DRP, while the BCP focuses on strategic continuity elements like alternate facilities and stakeholder contacts.

97
Multi-Selecthard

Which TWO security controls are most effective in preventing VLAN hopping attacks?

Select 2 answers
A.Set the native VLAN to an unused VLAN ID.
B.Disable Dynamic Trunking Protocol (DTP) on access ports.
C.Use VLAN access control lists (VACLs) to filter traffic between VLANs.
D.Implement DHCP snooping on all VLANs.
E.Enable Spanning Tree Protocol (STP) on all switches.
AnswersA, B

Prevents double-tagging attacks.

Why this answer

Setting the native VLAN to an unused VLAN ID prevents VLAN hopping via double-tagging attacks. In a double-tagging attack, an attacker sends frames with two 802.1Q tags; the first switch strips the outer tag, forwarding the frame on the native VLAN (which is typically VLAN 1). By changing the native VLAN to an unused ID, any double-tagged frame arriving on an access port will have its outer tag removed and be forwarded onto that unused VLAN, where no legitimate hosts exist, thus breaking the attack path.

Exam trap

ISC2 often tests the distinction between Layer 2 attacks and Layer 3/4 controls; the trap here is that candidates see 'VLAN' and 'ACL' in option C and assume VACLs can prevent VLAN hopping, when in fact VACLs operate after the VLAN has already been assigned and do not stop the initial trunk negotiation or double-tagging.

98
MCQeasy

An organization is implementing a bring-your-own-device (BYOD) policy. Which security control should be enforced to ensure that only compliant devices can access corporate resources?

A.Using a VPN concentrator
B.Requiring strong passwords
C.Implementing network access control (NAC)
D.Enabling full disk encryption
AnswerC

NAC checks device posture before network access.

Why this answer

Network access control (NAC) is the correct control because it evaluates device posture (e.g., OS patch level, antivirus status, disk encryption) against a compliance policy before granting network access. NAC can quarantine non-compliant devices to a remediation VLAN or deny access entirely, ensuring only trusted endpoints reach corporate resources. This is distinct from generic encryption or authentication controls, as NAC enforces a dynamic, policy-based admission decision at the network layer.

Exam trap

The trap here is that candidates often confuse authentication controls (like strong passwords or VPN) with device compliance enforcement, but NAC is the only option that actively checks and enforces a security posture before granting network access.

How to eliminate wrong answers

Option A is wrong because a VPN concentrator only provides encrypted tunneling for remote access and does not evaluate device compliance or posture before allowing connectivity. Option B is wrong because requiring strong passwords addresses authentication but does not verify that the device itself meets security baselines (e.g., patching, encryption, or jailbreak status). Option D is wrong because full disk encryption protects data at rest on the device but does not control network access or enforce compliance checks at the point of connection.

99
MCQeasy

A security analyst reviews system logs and notices multiple failed SSH login attempts from a single IP address over the past hour. The attempts are spaced 30 seconds apart and target different usernames. Which type of attack is most likely occurring?

A.Distributed denial-of-service (DDoS) attack
B.Dictionary attack
C.Brute force password guessing
D.Man-in-the-middle attack
AnswerC

Systematic repeated login attempts indicate brute force.

Why this answer

The observed pattern—multiple failed SSH login attempts from a single IP, spaced 30 seconds apart, targeting different usernames—is characteristic of a brute force password guessing attack. Unlike a dictionary attack, which uses a precompiled list of likely passwords, a brute force attack systematically tries all possible password combinations for each username, often with a delay to evade rate limiting.

Exam trap

The trap here is confusing a brute force attack with a dictionary attack—the key differentiator is that brute force tries all possible combinations (often with a delay) across multiple usernames, while a dictionary attack uses a precompiled wordlist against a single target username.

How to eliminate wrong answers

Option A is wrong because a DDoS attack aims to overwhelm a service with traffic from multiple sources, not to guess credentials from a single IP. Option B is wrong because a dictionary attack uses a list of common passwords against a single username, whereas this scenario targets multiple usernames with spaced attempts, indicating systematic guessing rather than a predefined wordlist. Option D is wrong because a man-in-the-middle attack intercepts or alters communications between two parties, which does not involve repeated SSH login attempts from a single source.

100
MCQmedium

Refer to the exhibit. A security analyst finds these logs on a Linux server. What is the most likely cause of these events?

A.The root account is disabled
B.The firewall is blocking port 22
C.A brute-force attack is in progress
D.The SSH service is not running
AnswerC

Correct. Repeated failed passwords from same IP indicate brute-force.

Why this answer

The logs show repeated SSH authentication failures from the same source IP address with different usernames, including root, admin, and user. This pattern of multiple failed login attempts in rapid succession is characteristic of a brute-force attack against the SSH service. The fact that attempts continue across different usernames indicates an automated tool is systematically trying credentials, not a single misconfiguration or network issue.

Exam trap

ISC2 often tests the distinction between a service being unreachable (firewall blocking or service down) versus a service being reachable but under attack, where logs show authentication failures rather than connection failures.

How to eliminate wrong answers

Option A is wrong because the logs show failed attempts for root, admin, and user accounts, and a disabled root account would only affect root logins, not the other usernames; also, a disabled root account would not generate repeated authentication failure logs. Option B is wrong because if the firewall were blocking port 22, the SSH service would not receive any connection attempts at all, and the logs would not show authentication failures (they would show connection refused or timeout errors). Option D is wrong because if the SSH service were not running, the server would not respond to SSH connection attempts, and the logs would not contain authentication failure entries; the service must be running to process and log these attempts.

101
MCQmedium

A company is implementing single sign-on (SSO) for its cloud applications. The security team wants to ensure that user authentication is handled by an on-premises identity provider (IdP) using Security Assertion Markup Language (SAML). Which of the following is a critical configuration step to prevent session hijacking?

A.Use HTTP POST binding instead of HTTP Redirect binding.
B.Set a short timeout for the SAML authentication request.
C.Encrypt the SAML assertions using the service provider's public key.
D.Validate the Issuer element in the SAML response.
AnswerD

Ensures the response is from the trusted IdP, preventing impersonation.

Why this answer

Option D is correct because validating the Issuer element in the SAML response ensures that the response originated from the trusted on-premises identity provider (IdP) and not from an attacker impersonating the IdP. Without this validation, an attacker could forge a SAML response with a manipulated Issuer value, leading to session hijacking or unauthorized access. This is a fundamental SAML security check specified in the SAML 2.0 core specification (section 3.3.4).

Exam trap

The trap here is that candidates often confuse encryption (Option C) with authentication integrity, or focus on binding methods (Option A) or timeouts (Option B), missing that Issuer validation is the critical step to ensure the response comes from the legitimate IdP and prevent session hijacking.

How to eliminate wrong answers

Option A is wrong because HTTP POST binding and HTTP Redirect binding are both valid SAML bindings; the choice between them affects message size and browser behavior but does not directly prevent session hijacking. Option B is wrong because setting a short timeout for the SAML authentication request only limits the window for replay attacks on the initial request, not session hijacking after authentication. Option C is wrong because encrypting SAML assertions with the service provider's public key protects confidentiality of the assertion data but does not prevent an attacker from replaying or forging a valid assertion to hijack a session.

102
Multi-Selecteasy

Which TWO of the following are examples of physical security controls?

Select 2 answers
A.Firewall rules
B.Biometric door locks
C.Security awareness training
D.CCTV surveillance cameras
E.Intrusion detection system (IDS)
AnswersB, D

Physical access control mechanism.

Why this answer

Biometric door locks are physical security controls because they restrict physical access to a facility or room by verifying a unique biological trait (e.g., fingerprint, iris pattern). This falls under the domain of physical access control, which is a core component of physical security, not logical or administrative controls.

Exam trap

The trap here is that candidates often confuse logical/technical controls (like IDS or firewall rules) with physical controls, because they both involve 'security' and 'detection,' but physical controls always involve tangible barriers or devices that protect assets in the physical world.

103
MCQhard

Refer to the exhibit. A security analyst observes the audit log entry while troubleshooting a file access issue. The application is running under the myapp_t domain. Which action should the analyst take to resolve the issue while adhering to the principle of least privilege?

A.Add rule: allow myapp_t shadow_t:file { read write };
B.Change the file context of /etc/shadow to myapp_data_t
C.Add rule: allow myapp_t shadow_t:file read;
D.Set the application to run in unconfined_t domain
AnswerC

This grants only the needed read access to the shadow file.

Why this answer

The exhibit shows that the SELinux policy currently allows myapp_t to read and write files of type myapp_data_t, but the application is trying to read a file of type shadow_t (the password file), which is denied. To resolve the access issue without over-privileging, the analyst should add a specific rule allowing myapp_t to read shadow_t files, but only if the application requires it. Option A is correct because it directly addresses the denied permission.

Option B is incorrect because it allows write which is not needed. Option C removes the denial but is overbroad. Option D is unnecessary if the application runs in the correct domain.

104
Matchingmedium

Match each security model to its primary characteristic.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

No read up, no write down

No read down, no write up

Well-formed transactions and separation of duties

Prevents conflict of interest among clients

Rules for granting and taking permissions

Why these pairings

These models enforce different access control policies.

105
MCQeasy

An organization is conducting a security assessment of a new web application. Which testing technique would best identify cross-site scripting (XSS) vulnerabilities?

A.Manual code review
B.Static application security testing (SAST)
C.Interactive application security testing (IAST)
D.Dynamic application security testing (DAST)
AnswerD

DAST tests the running application and can identify XSS by simulating attacks.

Why this answer

DAST (Dynamic Application Security Testing) tests the running application by simulating external attacks, including injecting malicious scripts into input fields and observing the response. This directly identifies reflected, stored, and DOM-based XSS vulnerabilities because it exercises the application's runtime behavior, where XSS payloads are executed in the browser. Unlike static analysis, DAST does not require source code access and can detect vulnerabilities that only manifest during execution.

Exam trap

The trap here is that candidates often choose SAST (Option B) because they think source code analysis is the most thorough, but they fail to recognize that XSS is a runtime vulnerability that requires dynamic testing to confirm exploitability and context-specific behavior.

How to eliminate wrong answers

Option A is wrong because manual code review relies on human inspection of source code, which is time-consuming, error-prone, and may miss subtle XSS vectors that only appear during runtime (e.g., DOM-based XSS or context-dependent encoding issues). Option B is wrong because SAST analyzes source code without executing it, so it cannot detect XSS vulnerabilities that depend on runtime data flow, such as those involving dynamic JavaScript execution or third-party libraries. Option C is wrong because IAST combines static and dynamic analysis but requires instrumentation of the running application; while it can detect XSS, it is not the best technique for a standalone assessment because it introduces overhead and may not be available for all environments, whereas DAST is a direct, non-invasive black-box test.

106
MCQmedium

During a business impact analysis (BIA), a department manager states that a critical process cannot be interrupted for more than 2 hours. However, the current backup system requires 8 hours to restore. What is the most appropriate risk management action?

A.Mitigate the risk by implementing faster backup and restoration procedures.
B.Avoid the risk by discontinuing the process.
C.Accept the risk and document the decision.
D.Transfer the risk to a third-party service provider.
AnswerA

Improving recovery capabilities to meet the 2-hour RTO is the appropriate mitigation.

Why this answer

The BIA identifies a maximum tolerable downtime (MTD) of 2 hours, but the current recovery time objective (RTO) is 8 hours, creating a gap. Mitigating the risk by implementing faster backup and restoration procedures directly reduces the RTO to meet the MTD, aligning recovery capability with business requirements. This is the most appropriate action because it addresses the root cause—insufficient recovery speed—without unnecessarily discarding or transferring the process.

Exam trap

The trap here is that candidates may choose 'accept the risk' (Option C) thinking it is a valid risk management strategy, but the BIA has already defined an unacceptable downtime threshold, making acceptance inappropriate without a formal risk treatment plan that justifies the gap.

How to eliminate wrong answers

Option B is wrong because discontinuing the process (risk avoidance) is an extreme measure that would likely cause significant business disruption or loss of revenue, and it is not warranted when a feasible technical solution exists to close the RTO gap. Option C is wrong because accepting the risk without action would leave the organization exposed to a known, unacceptable downtime exceeding the MTD, which violates basic risk management principles unless the cost of mitigation exceeds the potential loss. Option D is wrong because transferring the risk to a third-party service provider does not inherently solve the RTO mismatch; the provider would still need to meet the 2-hour RTO, and the organization retains residual liability for the process's criticality.

107
Multi-Selecthard

Which THREE of the following are common indicators of a privilege escalation attack? (Choose three.)

Select 3 answers
A.Creation of new user accounts with administrative privileges
B.Higher-than-normal network traffic
C.System performance degradation
D.Modification of system files or registry keys
E.Unusual processes running under elevated privileges
AnswersA, D, E

Often used to maintain persistence after escalation.

Why this answer

Option A is correct because the creation of new user accounts with administrative privileges is a classic post-exploitation technique used by attackers to establish persistent elevated access. After successfully exploiting a vulnerability to gain initial elevated privileges, an attacker often creates a backdoor account (e.g., via `net user /add` and `net localgroup Administrators /add` on Windows, or `useradd -G wheel` on Linux) to maintain control even if the original exploit vector is patched. This indicator is directly tied to privilege escalation as it demonstrates an unauthorized elevation from a lower-privileged context to full administrative control.

Exam trap

ISC2 often tests the distinction between general attack symptoms (like network traffic spikes or performance drops) and specific indicators that directly evidence the privilege escalation technique itself, leading candidates to over-select broad, non-specific options.

108
MCQmedium

Refer to the exhibit. A system administrator reports that SSH public key authentication is failing for a non-root user. The user's public key is correctly placed in ~/.ssh/authorized_keys. Which PAM configuration issue is most likely causing the failure?

A.PasswordAuthentication is set to no, which conflicts with PAM.
B.The pam_nologin.so module is listed twice.
C.The pam_nologin.so module is required, which can deny access if /etc/nologin exists.
D.The pam_securetty.so module is missing for non-root users.
AnswerC

If /etc/nologin exists, pam_nologin denies all non-root logins, but root login is disabled via PermitRootLogin no, so all logins fail.

Why this answer

The PAM configuration includes 'auth required pam_nologin.so' before the system-auth include. The pam_nologin module checks for the existence of /etc/nologin file; if it exists, only root can login. Since PermitRootLogin is no, root cannot login either, so all logins are denied.

This is a common misconfiguration. The issue is that pam_nologin is called before the authentication stack, and it denies all non-root logins if /etc/nologin exists.

109
MCQmedium

Based on the exhibit, what security control is being demonstrated?

A.Session timeout
B.CAPTCHA implementation
C.Input validation
D.Account lockout threshold
AnswerD

Correct - The system locked the account after multiple failed attempts.

Why this answer

The exhibit shows a login attempt counter that increments with each failed authentication, and after a specific number of failures (e.g., 5), the account is locked for a defined period. This is the classic behavior of an account lockout threshold, which is a preventive security control that mitigates brute-force password guessing attacks by temporarily disabling the account after exceeding the allowed number of failed attempts.

Exam trap

ISC2 often tests the distinction between account lockout (which counts failed authentication attempts) and session timeout (which ends an idle session), causing candidates to confuse the two when the exhibit shows a counter of failed logins rather than a timer.

How to eliminate wrong answers

Option A is wrong because a session timeout terminates an active session after a period of inactivity, not after repeated failed login attempts. Option B is wrong because CAPTCHA implementation presents a challenge-response test to distinguish humans from bots, but does not count or lock accounts based on failed authentication attempts. Option C is wrong because input validation checks data format and content (e.g., SQL injection prevention) at the application layer, not the number of failed logins.

110
MCQmedium

Refer to the exhibit. An administrator reviews the logs on router1. Which statement describes the events?

A.The SSH service is disabled on router1.
B.A successful SSH login from 192.0.2.100 occurred.
C.The router is configured to allow unlimited SSH authentication attempts.
D.Two different IP addresses attempted brute-force SSH authentication.
AnswerD

Correct. Both IPs made multiple failed attempts.

Why this answer

The logs show repeated failed SSH login attempts for the user 'admin' from two different IP addresses (192.0.2.100 and 198.51.100.50). Each IP made three attempts before the connection was closed (likely due to authentication failure threshold). This pattern indicates a brute-force attack on the SSH service.

111
MCQmedium

A security team is planning a social engineering test for their organization. Which of the following scenarios would BEST assess the effectiveness of security awareness training?

A.Sending a phishing email that mimics a common internal communication.
B.Calling employees and pretending to be IT support to obtain passwords.
C.Attempting to tailgate into a secure facility.
D.Searching through trash bins for sensitive documents.
AnswerA

Phishing emails directly test the awareness training provided to employees.

Why this answer

Sending a phishing email that mimics a common internal communication directly tests whether employees can recognize and report a realistic social engineering attempt, which is the primary goal of security awareness training. This scenario evaluates the human firewall by simulating the most prevalent attack vector—email-based phishing—and measures the effectiveness of training in reducing click-through rates and increasing reporting behavior.

Exam trap

The trap here is that candidates may choose tailgating or vishing because they seem more dramatic or directly test human behavior, but the CISSP exam emphasizes that phishing emails are the most common and effective social engineering vector, and thus the best assessment of security awareness training in a typical enterprise environment.

How to eliminate wrong answers

Option B is wrong because calling employees and pretending to be IT support to obtain passwords tests vishing (voice phishing), which is a valid social engineering vector but less common than email phishing and not the best measure of general security awareness training effectiveness, as training often focuses more on email-based threats. Option C is wrong because tailgating tests physical security controls and employee vigilance at access points, which is a separate domain (physical security) and not the primary focus of most security awareness training programs. Option D is wrong because searching through trash bins for sensitive documents tests dumpster diving, which assesses physical disposal policies and shredding compliance, not the behavioral response to social engineering that awareness training aims to improve.

112
MCQmedium

Refer to the exhibit. A security engineer is reviewing the S3 bucket policy. The BackupAdmin role is intended to perform backups and restores of the entire bucket. What is the MOST significant security concern with this policy?

A.The BackupAdmin role has delete access to the entire bucket, which could lead to data loss if misused or compromised
B.The BackupAdmin role has both read and write access to the internal data, which could allow unauthorized modifications
C.The public access to the 'public/' folder is not limited to authenticated users
D.The DataAnalyst role can see the public folder contents, violating separation of duties
AnswerA

Delete access on the entire bucket is a significant risk for data destruction.

Why this answer

Option D is correct because the BackupAdmin role already has full access to the entire bucket, including deletion. This is dangerous as it allows accidental or malicious destruction of all data without additional controls. Option A is wrong because the public access is restricted to a specific IP range and folder, which is relatively safe.

Option B is wrong because while separation of duty is weak, it is not the most significant issue. Option C is wrong because the role can access internal data but the policy does not specify read-only; however, the role needs those permissions to back up.

113
MCQmedium

A security architect is designing access controls for a healthcare application where permissions are based on the user's role, the sensitivity of the data, and the context of the access (e.g., time of day). Which access control model best fits this requirement?

A.Role-Based Access Control (RBAC)
B.Mandatory Access Control (MAC)
C.Attribute-Based Access Control (ABAC)
D.Discretionary Access Control (DAC)
AnswerC

ABAC evaluates multiple attributes including user role, data sensitivity, and environment context.

Why this answer

Attribute-Based Access Control (ABAC) is the correct model because it evaluates access decisions based on multiple attributes: the user's role, the data sensitivity (object attributes), and environmental context such as time of day. Unlike simpler models, ABAC can combine subject, resource, and environment attributes using policy rules (e.g., XACML or ALFA) to enforce fine-grained, context-aware permissions, which is essential for healthcare applications with dynamic compliance requirements like HIPAA.

Exam trap

The trap here is that candidates see 'role' in the requirement and immediately choose RBAC, overlooking that the question explicitly includes data sensitivity and context (time of day), which are attributes that only ABAC can combine into a single policy decision.

How to eliminate wrong answers

Option A is wrong because Role-Based Access Control (RBAC) only considers the user's role and does not natively incorporate data sensitivity or environmental context like time of day; it would require additional custom logic or a hybrid model. Option B is wrong because Mandatory Access Control (MAC) enforces access based on fixed security labels (e.g., classification levels) and system-wide policies, not on dynamic attributes like time or user role; it is too rigid for context-aware healthcare scenarios. Option D is wrong because Discretionary Access Control (DAC) allows resource owners to set permissions at their discretion, which cannot enforce organization-wide policies based on data sensitivity or contextual factors like time of day, leading to inconsistent and insecure access.

114
MCQeasy

An organization requires that all data stored in a cloud object storage service be encrypted at rest using customer-managed keys. Which encryption option should be implemented?

A.Server-side encryption with Amazon S3 managed keys (SSE-S3)
B.Transport Layer Security (TLS)
C.Server-side encryption with customer-provided keys (SSE-C)
D.Client-side encryption
AnswerC

Correct. SSE-C allows customer to provide the encryption key.

Why this answer

SSE-C (Server-Side Encryption with Customer-Provided Keys) allows the organization to encrypt objects at rest in cloud object storage using keys that are managed and supplied by the customer, not the cloud provider. This meets the requirement for customer-managed keys because the encryption key is provided in each API request and is never stored by the service, giving the customer full control over key lifecycle and access.

Exam trap

The trap here is that candidates confuse 'customer-managed keys' with 'client-side encryption,' but the question specifies encryption at rest within the cloud service, which requires a server-side encryption option where the customer provides the key (SSE-C), not encryption performed before upload.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses Amazon-managed keys, not customer-managed keys, so the customer does not control the encryption keys. Option B is wrong because TLS encrypts data in transit between the client and server, not data at rest in storage. Option D is wrong because client-side encryption encrypts data before it is sent to the cloud, but the question specifically requires encryption at rest using customer-managed keys within the cloud service, and client-side encryption does not leverage the server-side encryption feature of the object storage service.

115
MCQmedium

Refer to the exhibit. The firewall rules above are applied to the outside interface. A penetration tester from the internet attempts to establish a connection to 192.168.1.10 on TCP port 8080. What will happen?

A.The connection is permitted only if the tester uses a VPN
B.The connection is permitted
C.The connection is denied because the destination is not reachable
D.The connection is denied because the port is not explicitly allowed
AnswerD

The firewall denies any traffic not matching a permit rule due to the implicit deny.

Why this answer

Option D is correct because firewall rules operate on an implicit-deny model: if no rule explicitly permits traffic, it is denied by default. Since the exhibit shows no rule allowing TCP port 8080 from the internet to 192.168.1.10, the connection is dropped. The destination is reachable (192.168.1.10 is a valid internal IP), but the lack of an explicit permit for port 8080 causes the denial.

Exam trap

The trap here is that candidates assume a destination IP is reachable if it exists on the network, but the question tests the understanding that firewall rules control access based on port and protocol, not just IP reachability.

How to eliminate wrong answers

Option A is wrong because VPN is irrelevant here; the firewall rules do not reference VPN, and a VPN would not override the implicit-deny for port 8080 unless a specific rule permits it. Option B is wrong because the connection is not permitted; there is no rule allowing TCP port 8080 from any source to 192.168.1.10, so the default deny action applies. Option C is wrong because the destination is reachable (192.168.1.10 is a routable internal address behind the firewall); the denial is due to the port not being allowed, not unreachability.

116
MCQeasy

An organization wants to implement single sign-on (SSO) for multiple cloud applications. Which of the following is the most secure and scalable approach?

A.Implement SAML-based federation
B.Use OAuth for authentication
C.Use the same password for all applications
D.Implement LDAP directory
AnswerA

SAML is the standard for federated identity and SSO, offering secure token exchange and scalable integration.

Why this answer

Option D is correct because SAML-based federation is specifically designed for SSO and identity federation across domains, providing both security and scalability. Option A is incorrect because OAuth is primarily an authorization framework, not an authentication protocol. Option B is incorrect as LDAP is a directory service protocol and does not natively support SSO across web applications.

Option C is incorrect because reusing the same password across applications is insecure and not scalable.

117
MCQmedium

An organization is implementing biometric authentication. Which factor should be considered to minimize the false rejection rate?

A.Lower the sensitivity threshold
B.Increase enrollment sample quality
C.Use liveness detection
D.Store templates securely

Why this answer

The threshold setting balances FRR and FAR; reducing threshold increases FAR but decreases FRR. Liveness detection prevents spoofing, enrollment quality affects overall accuracy, and template storage is about security.

118
MCQhard

A multinational corporation is designing a data retention schedule. Which factor is most critical when determining retention periods for personal data subject to the GDPR?

A.The length of the third-party data processing agreement
B.The purpose for which the data was collected
C.The cost of storage media
D.The duration of any pending legal holds
AnswerB

GDPR's storage limitation principle requires retention no longer than necessary for processing purposes.

Why this answer

Under the GDPR, Article 5(1)(e) establishes the 'storage limitation' principle, which mandates that personal data must be kept no longer than necessary for the purposes for which it was collected. Therefore, the purpose of collection is the primary driver for determining the retention period, as it defines the lawful basis and necessity for processing. Without a defined purpose, any retention period would be arbitrary and non-compliant with the regulation.

Exam trap

ISC2 often tests the misconception that legal holds or contractual agreements override the primary GDPR requirement, but the trap here is that candidates confuse operational constraints (cost, contracts) with the regulatory mandate that purpose must dictate retention.

How to eliminate wrong answers

Option A is wrong because the length of a third-party data processing agreement is a contractual term that may align with retention needs, but it is not the most critical factor; GDPR requires the data controller to determine retention based on purpose, not the duration of a vendor contract. Option C is wrong because the cost of storage media is an operational or financial consideration, not a legal or compliance driver; GDPR explicitly prohibits retaining data solely because storage is cheap or convenient. Option D is wrong because while legal holds can extend retention periods to comply with litigation or investigation requirements, they are an exception to the standard retention schedule, not the primary factor for setting the initial retention period; the purpose of collection remains the foundational criterion.

119
MCQhard

A system is designed to meet the Common Criteria EAL4 evaluation. Which of the following is a required component for this level?

A.Formal model of security policy
B.Semiformal design and test
C.Formal specifications and verification
D.Informal security policy model
AnswerB

Correct. EAL4 requires semiformal methods.

Why this answer

EAL4 (Evaluation Assurance Level 4) under the Common Criteria requires 'semiformal design and test' as part of its assurance requirements. This level mandates that the security functional specification and the high-level design be expressed in a semiformal style, and that testing be based on this semiformal design. It does not require formal methods, which are reserved for higher EALs (EAL5–EAL7).

Exam trap

The trap here is that candidates often confuse EAL4 with EAL5 or EAL6, mistakenly thinking that 'semiformal' means 'formal,' or they incorrectly associate informal models with EAL4 when in fact EAL4 requires semiformal artifacts.

How to eliminate wrong answers

Option A is wrong because a formal model of the security policy is required only at EAL5 and above, not at EAL4. Option C is wrong because formal specifications and verification are required only at EAL6 and EAL7, where formal methods are applied to the entire design and implementation. Option D is wrong because an informal security policy model is required at lower EALs (EAL1–EAL3), but EAL4 specifically requires a semiformal model, not an informal one.

120
MCQeasy

A large enterprise uses Active Directory for authentication. Several users report intermittent authentication failures when accessing internal web applications. The help desk confirms that the failures occur at random times and affect both new and existing users. The security team discovers that the system clocks on domain controllers are within acceptable limits, but some client workstations show time drift of up to 10 minutes. The Kerberos protocol is used for authentication. What is the most likely cause of the authentication failures, and what action should be taken?

A.Implement password complexity policies to reduce authentication errors
B.Enable NTLM fallback authentication for the web applications
C.Synchronize all client workstation clocks using a centralized NTP server
D.Configure Kerberos ticket lifetimes to 24 hours to reduce sensitivity to time skew
AnswerC

Proper time synchronization resolves Kerberos time skew issues.

Why this answer

Kerberos authentication relies on synchronized clocks between clients and domain controllers, with a default maximum time skew tolerance of 5 minutes (RFC 4120). A client clock drift of up to 10 minutes exceeds this tolerance, causing intermittent authentication failures because Kerberos ticket requests are rejected as invalid or replay attacks. Synchronizing all client workstations to a centralized NTP server resolves the time skew and restores Kerberos authentication reliability.

Exam trap

The trap here is that candidates may think increasing Kerberos ticket lifetimes or enabling NTLM fallback will solve the issue, but they overlook the strict time synchronization requirement that is fundamental to Kerberos protocol security.

How to eliminate wrong answers

Option A is wrong because password complexity policies do not address time synchronization issues; they reduce the risk of password guessing but have no effect on Kerberos time skew errors. Option B is wrong because enabling NTLM fallback would degrade security by using a weaker, challenge-response protocol that is vulnerable to pass-the-hash attacks, and it does not fix the root cause of clock drift. Option D is wrong because increasing Kerberos ticket lifetimes does not change the maximum allowable time skew (default 5 minutes); tickets still require synchronized clocks for initial authentication, and a 10-minute drift will still cause failures regardless of ticket lifetime.

121
MCQeasy

An organization has implemented a password policy requiring a minimum of 8 characters, including uppercase, lowercase, numbers, and special characters. Despite annual security awareness training, a recent audit revealed that 60% of employees are using passwords that can be cracked within hours. The organization is also experiencing a high number of account compromises due to credential stuffing attacks. The security team is considering various controls to reduce the risk. Which of the following would be the MOST effective in addressing the identified issues?

A.Increase the minimum password length to 15 characters
B.Conduct quarterly password cracking attempts and notify users with weak passwords
C.Implement multifactor authentication for all user accounts
D.Require password changes every 30 days
AnswerC

MFA provides defense in depth, reducing the impact of password compromise.

Why this answer

Multifactor authentication (MFA) adds an additional layer of security that significantly reduces the risk of credential compromise, even if passwords are weak. Increasing password length may help but is still vulnerable to cracking if users choose predictable patterns. Password cracking tests are reactive and may not prevent attacks.

Frequent password changes often lead to weaker passwords.

122
MCQeasy

Which of the following is a key principle of privileged access management (PAM)?

A.Use shared accounts for simplicity
B.Monitor and audit privileged account usage
C.Grant all users administrative rights for efficiency
D.Disable logging for performance
AnswerB

Key to detecting misuse and ensuring accountability.

Why this answer

Privileged Access Management (PAM) is centered on the principle of least privilege and the need to control, monitor, and audit the use of privileged accounts (e.g., root, domain admin). Option B is correct because continuous monitoring and auditing of privileged account usage is a foundational PAM requirement, enabling detection of misuse, lateral movement, and privilege escalation. Without auditing, organizations cannot enforce accountability or respond to security incidents involving high-risk accounts.

Exam trap

The trap here is that candidates may confuse PAM with general identity management and choose 'shared accounts for simplicity' (Option A), failing to recognize that PAM specifically enforces individual accountability and credential rotation, not shared access.

How to eliminate wrong answers

Option A is wrong because shared accounts violate non-repudiation and accountability, making it impossible to attribute actions to a specific individual, which is a core PAM goal. Option C is wrong because granting all users administrative rights directly contradicts the principle of least privilege and dramatically increases the attack surface for privilege escalation and ransomware. Option D is wrong because disabling logging for performance eliminates the audit trail required for forensic analysis and compliance, and PAM systems rely on detailed logging (e.g., session recording, keystroke logging) to detect anomalies.

123
Multi-Selectmedium

Which TWO of the following are valid types of data classification labels commonly used in commercial organizations?

Select 2 answers
A.Top Secret
B.Confidential
C.Unclassified
D.Public
E.For Official Use Only
AnswersB, D

Confidential is standard for sensitive business data.

Why this answer

Commercial classification often uses labels like Public, Internal, Confidential, and Restricted. A and B are correct. Option C (Top Secret) is government/military classification.

Option D (Unclassified) is government. Option E (For Official Use Only) is also government.

124
MCQeasy

A company wants employees to access multiple SaaS applications using a single set of credentials. Which technology should be deployed?

A.Single sign-on (SSO)
B.LDAP directory service
C.Multi-factor authentication (MFA)
D.Federated identity management
AnswerA

SSO enables users to authenticate once and access multiple applications without re-entering credentials.

Why this answer

Single sign-on (SSO) enables users to authenticate once and gain access to multiple SaaS applications without re-entering credentials. It works by establishing a trusted session (often via SAML assertions or OAuth tokens) that is shared across applications, reducing password fatigue and improving user experience. This directly meets the requirement for a single set of credentials across multiple SaaS apps.

Exam trap

The trap here is that candidates confuse federated identity management with SSO, but federation is designed for cross-organizational trust (e.g., using SAML between different companies), whereas SSO is the correct answer for a single organization's internal multi-application access with one credential set.

How to eliminate wrong answers

Option B (LDAP directory service) is wrong because LDAP is a protocol for accessing and maintaining distributed directory information (e.g., user attributes), not a mechanism for providing cross-application authentication with a single credential set; it stores credentials but does not orchestrate SSO sessions. Option C (MFA) is wrong because multi-factor authentication adds an extra layer of security by requiring multiple verification factors, but it does not enable a single set of credentials to access multiple applications; it is often used in conjunction with SSO, not as a replacement. Option D (Federated identity management) is wrong because while it allows identity sharing across different organizations or domains (e.g., using SAML or OpenID Connect), it is broader than SSO and typically involves trust relationships between separate identity providers; the question specifically asks for a technology to let employees access multiple SaaS apps with one credential set within the same company, which is SSO, not federation.

125
MCQhard

Refer to the exhibit. A user is unable to authenticate using Kerberos. What is the most likely cause?

A.The Kerberos ticket-granting ticket (TGT) has expired.
B.The user's account is locked out.
C.The client's system clock is not synchronized with the domain controller.
D.The user's password has expired.
AnswerC

Time offset causes pre-authentication to fail.

Why this answer

Kerberos relies heavily on time synchronization between the client and the Key Distribution Center (KDC) because it uses timestamps to prevent replay attacks. If the client's system clock differs from the domain controller's clock by more than the default maximum tolerance (typically 5 minutes in Windows Active Directory), the KDC will reject the authentication request, resulting in failure. This is the most likely cause because the user is unable to authenticate at all, not just after a period of inactivity.

Exam trap

The trap here is that candidates often assume Kerberos failures are always due to credential issues (expired passwords or locked accounts), but the protocol's strict time synchronization requirement is a classic and frequently tested cause of authentication failures.

How to eliminate wrong answers

Option A is wrong because a TGT expiration would cause a specific error when requesting service tickets, not a complete inability to authenticate; the user would still be able to obtain a new TGT by entering their password. Option B is wrong because a locked-out account would prevent authentication regardless of Kerberos, but the question specifically states the user is unable to authenticate using Kerberos, implying the issue is protocol-specific, not account state. Option D is wrong because an expired password would trigger a password change prompt or a specific 'password expired' error, not a generic authentication failure; Kerberos would still attempt to authenticate with the old password and fail with a specific error code.

126
MCQeasy

A user reports that they cannot access a file share after being moved to a different department. The file share is secured with NTFS permissions and share permissions. The user is a member of the 'Marketing' group, but the file share is only accessible by 'Sales' group. What is the most likely reason?

A.The share permissions deny access to Marketing
B.The user is not a member of the Sales group
C.The user's account is disabled
D.The NTFS permissions deny access
AnswerB

Access is granted only to Sales group; the user is Marketing.

Why this answer

Option A is correct because the user is not a member of the Sales group, which is required for access. Option B is wrong because there is no indication the account is disabled. Option C is wrong because share permissions are not the primary issue.

Option D is wrong because NTFS permissions are not the direct cause.

127
MCQhard

A company is implementing a secure multi-tenant cloud environment. The primary security requirement is that tenants cannot access each other's data even if the hypervisor is compromised. Which architecture best meets this requirement?

A.Encrypt each tenant's data with a single master key stored in the hypervisor.
B.Use a Trusted Execution Environment (TEE) such as Intel SGX to isolate tenant processes and memory.
C.Implement Mandatory Access Control (MAC) on the hypervisor.
D.Use VLANs to isolate tenant traffic at the network layer.
AnswerB

TEE provides hardware-enforced isolation that persists even if hypervisor is compromised.

Why this answer

A Trusted Execution Environment (TEE) like Intel SGX creates hardware-enforced enclaves that isolate tenant processes and memory at the CPU level. Even if the hypervisor is compromised, the enclave's memory is encrypted and inaccessible to the host OS or hypervisor, ensuring tenant data remains confidential. This directly meets the requirement that tenants cannot access each other's data despite a hypervisor breach.

Exam trap

The trap here is that candidates often choose MAC or VLANs because they associate them with isolation, but they fail to recognize that these controls operate at the OS or network layer and do not protect against a compromised hypervisor that has direct memory access.

How to eliminate wrong answers

Option A is wrong because storing a single master key in the hypervisor creates a single point of failure; if the hypervisor is compromised, the attacker can access the master key and decrypt all tenants' data, violating the isolation requirement. Option C is wrong because Mandatory Access Control (MAC) on the hypervisor enforces policy-based access controls but does not protect tenant data if the hypervisor itself is compromised—MAC cannot prevent the hypervisor from reading memory it manages. Option D is wrong because VLANs isolate network traffic at Layer 2, but they do not protect data at rest or in memory; a compromised hypervisor can still access tenant data directly from memory or storage, bypassing network segmentation.

128
MCQeasy

A company uses VLANs to separate traffic between the IT, HR, and Finance departments. A user in the HR VLAN reports that she cannot access a file server located in the IT VLAN. The file server's default gateway is correctly set to the IT VLAN interface. All workstations have correct IP addresses and subnet masks. What is the most likely cause of this issue?

A.Spanning Tree Protocol (STP) is blocking the link between the HR and IT switches.
B.The HR workstation has an incorrect subnet mask.
C.The HR VLAN switch port is incorrectly configured with the wrong VLAN ID.
D.No routing is configured between the HR and IT VLANs.
AnswerD

VLANs are separate broadcast domains; inter-VLAN communication requires a router or Layer 3 switch with routing enabled.

Why this answer

VLANs create separate broadcast domains, so traffic between different VLANs must be routed. Since the HR workstation is in a different VLAN than the file server, and no routing is configured between the HR and IT VLANs, the HR workstation cannot reach the file server even though the server's default gateway is correctly set. This is the most likely cause because all other network settings (IP addresses, subnet masks, switch port configurations) are described as correct.

Exam trap

The trap here is that candidates often assume VLANs inherently block all cross-VLAN traffic, but the real issue is the absence of a Layer 3 routing mechanism; VLANs only separate broadcast domains, not routed traffic.

How to eliminate wrong answers

Option A is wrong because Spanning Tree Protocol (STP) blocks redundant links to prevent loops, not to isolate VLAN traffic; STP operates at Layer 2 and does not block links between different VLANs unless a loop exists. Option B is wrong because the question states that all workstations have correct IP addresses and subnet masks, so an incorrect subnet mask is not the issue. Option C is wrong because the question explicitly states that the HR workstation has correct IP settings, and a switch port with the wrong VLAN ID would prevent the workstation from communicating even within its own VLAN, not just across VLANs; the user can access other HR resources, so the port configuration is likely correct.

129
MCQhard

A security architect is designing a network for a high-security data center. The requirement is to ensure that even if an attacker compromises one server, they cannot easily move laterally to other servers in the same data center. Which network design principle should be applied?

A.Principle of least privilege
B.Defense in depth
C.Single point of failure elimination
D.Microsegmentation (e.g., using virtual firewalls on each hypervisor)
AnswerD

Microsegmentation divides the network into small, isolated zones to contain threats and block lateral movement.

Why this answer

Microsegmentation (D) is the correct network design principle because it enforces granular, per-workload firewall rules—often implemented via virtual firewalls on each hypervisor or using VXLAN/ACL policies—that restrict east-west traffic between servers. Even if an attacker compromises one server, microsegmentation prevents lateral movement by allowing only explicitly permitted inter-server communication, effectively isolating the breach to the compromised host.

Exam trap

The trap here is that candidates confuse the broad strategy of defense in depth (B) with the specific technical mechanism of microsegmentation, but the question explicitly asks for a network design principle that prevents lateral movement, which is exactly what microsegmentation enforces at the data center network layer.

How to eliminate wrong answers

Option A is wrong because the principle of least privilege governs user and process access rights (e.g., file permissions, RBAC), not network-level isolation between servers; it does not inherently restrict east-west traffic at the network layer. Option B is wrong because defense in depth is a broad security strategy that layers multiple controls (e.g., firewalls, IDS, encryption), but it is not a specific network design principle that directly prevents lateral movement within a data center segment. Option C is wrong because eliminating single points of failure focuses on redundancy and high availability (e.g., dual power supplies, redundant links), not on restricting lateral traffic between servers after a compromise.

130
Matchingmedium

Match each business continuity term to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Maximum acceptable downtime after a disaster

Maximum acceptable data loss measured in time

Average time between system failures

Average time to repair a failed system

Service level agreement defining performance metrics

Why these pairings

These metrics are critical for continuity planning.

131
MCQmedium

An organization is implementing a defense-in-depth strategy for its web application. Which of the following is an example of a compensating control?

A.A firewall blocking port 80
B.Regular vulnerability scanning
C.A web application firewall (WAF) blocking SQL injection
D.Two-factor authentication for administrative access
AnswerC

Correct. WAF compensates for input validation deficiencies.

Why this answer

A web application firewall (WAF) compensates for vulnerabilities in the application code by filtering malicious input, representing a compensating control.

132
MCQeasy

An organization is developing a business continuity plan (BCP). The IT department has identified a critical application that must be restored within 4 hours of a disruption. Which metric defines the maximum acceptable time that the application can be unavailable?

A.Recovery Time Objective (RTO)
B.Recovery Point Objective (RPO)
C.Mean Time to Repair (MTTR)
D.Mean Time Between Failures (MTBF)
E.Service Level Agreement (SLA)
AnswerA

RTO defines the maximum acceptable downtime for a system.

Why this answer

The Recovery Time Objective (RTO) defines the maximum acceptable downtime for a critical application after a disruption. In this scenario, the IT department has specified that the application must be restored within 4 hours, which directly aligns with the RTO metric. RTO is a key BCP parameter that drives resource allocation and recovery strategy design.

Exam trap

The trap here is confusing RTO with RPO: candidates often pick RPO because they think 'recovery' refers to time, but RPO is about data loss tolerance, not downtime duration.

How to eliminate wrong answers

Option B (Recovery Point Objective) is wrong because RPO defines the maximum acceptable data loss measured in time (e.g., how far back in time data may be lost), not the allowable downtime duration. Option C (Mean Time to Repair) is wrong because MTTR is a reliability metric that measures the average time to repair a failed component, not a predefined target for acceptable downtime. Option D (Mean Time Between Failures) is wrong because MTBF measures the average operational time between failures, used for availability calculations, not for defining recovery time limits.

Option E (Service Level Agreement) is wrong because an SLA is a contractual commitment that may include RTOs, but the RTO itself is the specific metric defining maximum acceptable unavailability.

133
MCQmedium

A security administrator is configuring a stateful firewall to allow HTTP traffic from the internet to a web server. The firewall uses a default-deny policy. What is the correct rule placement?

A.Place the allow rule after the deny all rule
B.Use a stateless firewall instead
C.Use an implicit deny rule
D.Place the allow rule before the deny all rule
AnswerD

Ensures the traffic is permitted before the default deny.

Why this answer

In a stateful firewall with a default-deny policy, rules are processed in sequential order from top to bottom. Placing the allow rule before the deny all rule ensures that HTTP traffic (TCP port 80) is explicitly permitted before the catch-all deny rule drops all unmatched packets. If the deny all rule were placed first, all traffic would be dropped, including the intended HTTP traffic, making the allow rule unreachable.

Exam trap

ISC2 often tests the misconception that a default-deny policy automatically allows traffic if a permit rule exists anywhere in the ACL, but in reality, rule order determines which rule is applied first, and a deny all placed before the permit will block all traffic.

How to eliminate wrong answers

Option A is wrong because placing the allow rule after the deny all rule would cause the deny all rule to match and drop all traffic first, rendering the allow rule ineffective and blocking legitimate HTTP traffic. Option B is wrong because a stateless firewall would not track connection state, making it unsuitable for allowing return traffic from the web server without explicit rules for ephemeral ports, whereas a stateful firewall automatically permits return traffic for established connections. Option C is wrong because an implicit deny rule is already the default behavior at the end of the rule set; the question asks for explicit rule placement, and relying solely on implicit deny does not solve the ordering requirement to allow HTTP traffic.

134
MCQeasy

A company has implemented data classification labels such as 'Public', 'Internal', 'Confidential', and 'Restricted'. Which control is most appropriate for protecting 'Confidential' data?

A.Data masking for all users
B.Encryption at rest and in transit
C.Removing all access controls to streamline sharing
D.Public posting on the company website
AnswerB

Encryption protects data from unauthorized access during storage and transmission.

Why this answer

Confidential data requires encryption both at rest and in transit to prevent unauthorized disclosure.

135
MCQhard

An organization implements a data loss prevention (DLP) solution. Which action is most effective for protecting data at rest on endpoint devices?

A.Encryption of files
B.User awareness training
C.USB port blocking
D.Network DLP monitoring
AnswerA

Directly protects data at rest on endpoints.

Why this answer

Encryption of files directly protects data at rest on endpoint devices by rendering the data unreadable without the appropriate decryption key. This ensures that even if an endpoint is lost, stolen, or accessed by an unauthorized user, the data remains confidential. DLP solutions often integrate with file-level encryption (e.g., BitLocker, FileVault, or EFS) to enforce policy-based encryption on sensitive files at rest.

Exam trap

ISC2 often tests the distinction between data states (at rest, in motion, in use) and the specific controls that apply to each; the trap here is that candidates confuse network DLP (data in motion) with endpoint DLP (data at rest), or they select a general security control like user training instead of the direct technical control for data at rest.

How to eliminate wrong answers

Option B is wrong because user awareness training is a preventive administrative control that reduces human error but does not provide a technical mechanism to protect data at rest on endpoints; it addresses behavior, not the data itself. Option C is wrong because USB port blocking is a physical security control that prevents data exfiltration via removable media but does not protect data already stored on the endpoint's hard drive; it addresses data in motion, not data at rest. Option D is wrong because network DLP monitoring inspects data in transit across the network, not data stored locally on endpoint devices; it is effective for data in motion but cannot enforce protection for data at rest on the endpoint.

136
MCQmedium

Refer to the exhibit. Based on the output, which integrity algorithm is configured for the IPsec tunnel?

A.HMAC-MD5
B.HMAC-SHA256
C.HMAC-SHA1
D.AES-GCM
AnswerC

The 'sha' in esp-sha-hmac stands for SHA1.

Why this answer

The output shows 'esp-sha-hmac' under the transform set, which indicates the integrity algorithm is HMAC-SHA1 (SHA-1 hashing with HMAC). In Cisco IOS, 'esp-sha-hmac' specifically refers to HMAC-SHA1 (96-bit hash), not SHA-256 or MD5. This is the correct interpretation because the command 'crypto ipsec transform-set' uses 'esp-sha-hmac' to denote SHA-1-based integrity.

Exam trap

ISC2 often tests the specific naming convention in 'show crypto ipsec transform-set' output, where 'esp-sha-hmac' is easily mistaken for SHA-256 or generic SHA, but it strictly refers to HMAC-SHA1 (96-bit) in Cisco IOS.

How to eliminate wrong answers

Option A is wrong because HMAC-MD5 would appear as 'esp-md5-hmac' in the transform set output, not 'esp-sha-hmac'. Option B is wrong because HMAC-SHA256 would be displayed as 'esp-sha256-hmac' in Cisco IOS, requiring a different transform set configuration. Option D is wrong because AES-GCM is an authenticated encryption algorithm (providing both confidentiality and integrity) and would appear as 'esp-gcm' or 'esp-aes-gcm' in the output, not as a standalone integrity algorithm like 'esp-sha-hmac'.

137
MCQhard

A security analyst receives the IDS alert shown in the exhibit. The analyst checks the web server logs and finds that the request returned a 200 OK status. Which of the following should the analyst do NEXT?

A.Tune the IDS to reduce false positives for SQL injection signatures.
B.Delete the alert and continue monitoring.
C.Ignore the alert because the IDS is known to produce false positives.
D.Isolate the web server and investigate for data breach.
AnswerD

The successful request indicates a potential breach; immediate containment is necessary.

Why this answer

The IDS alert indicates a SQL injection attempt, and the web server returned a 200 OK status, which means the request was processed successfully. This combination strongly suggests that the injection may have succeeded, potentially leading to a data breach. The correct next step is to isolate the web server and investigate for evidence of data exfiltration or unauthorized access, as per incident response procedures.

Exam trap

The trap here is that candidates assume a 200 OK status means the attack failed, but in SQL injection, a successful attack can still return a 200 OK if the query executes without error, making isolation and investigation the mandatory next step.

How to eliminate wrong answers

Option A is wrong because tuning the IDS to reduce false positives would be premature without first confirming that the alert is indeed a false positive; the 200 OK status does not rule out a successful SQL injection. Option B is wrong because deleting the alert and continuing monitoring ignores the possibility of a successful attack, violating the principle of due care in incident response. Option C is wrong because ignoring the alert based on a known false positive rate is dangerous; each alert must be evaluated in context, and a 200 OK status on a SQL injection attempt is a red flag, not a dismissal.

138
MCQeasy

You are the security manager for a manufacturing company with a large facility that houses production servers and sensitive intellectual property. The facility has a single physical entrance that uses a card reader for access control. During a routine audit, you find that the door prop alarm has been bypassed by taping a magnet to the sensor, allowing the door to stay open without triggering an alert. The security guard station is located 200 feet away and does not have a direct line of sight to the door. Which control should you implement FIRST to prevent unauthorized physical access?

A.Replace the card reader with a biometric fingerprint scanner.
B.Increase the frequency of security patrols around the entrance.
C.Implement a mantrap with two interlocking doors at the entrance.
D.Install a video surveillance camera to monitor the entrance.
AnswerC

A mantrap physically prevents unauthorized access and tailgating.

Why this answer

Option B is the most effective and immediate physical control: a mantrap prevents tailgating and ensures only one person enters per card swipe. Option A (video camera) is detective, not preventive. Option C (security patrol) is resource-intensive and reactive.

Option D (biometric reader) adds authentication but does not prevent door propping or tailgating.

139
Multi-Selecthard

Which THREE are key components of a business continuity plan (BCP)?

Select 3 answers
A.Vendor risk assessments
B.Backup strategies
C.Recovery time objectives (RTOs)
D.System hardening standards
E.Emergency response procedures
AnswersB, C, E

Backups are essential for recovery.

Why this answer

Backup strategies are a core component of a BCP because they ensure that critical data and systems can be restored after a disruption. Without defined backup procedures (e.g., frequency, media rotation, off-site storage), the organization cannot recover its operational state, making this a fundamental technical requirement for continuity.

Exam trap

ISC2 often tests the distinction between BCP components (recovery-focused) and security controls (prevention-focused), so candidates mistakenly select vendor assessments or hardening standards because they sound like 'planning' activities.

140
MCQeasy

A security engineer notices that the IKE phase 1 lifetime is set to 3600 seconds. What is a potential security implication?

A.Longer lifetimes reduce rekeying overhead
B.Shorter lifetimes increase performance
C.Short lifetimes may cause frequent reauthentication and potential disruption
D.The lifetime should be at least 86400 seconds
AnswerC

Frequent rekeying increases overhead and risk of disruption if rekey fails.

Why this answer

IKE phase 1 establishes a secure authenticated channel for subsequent IKE phase 2 negotiations. A lifetime of 3600 seconds (1 hour) is relatively short, causing frequent reauthentication. This can lead to service disruption if the rekeying process fails or if the VPN peers experience transient network issues, potentially dropping active tunnels and impacting production traffic.

Exam trap

ISC2 often tests the trade-off between security and availability: candidates may incorrectly assume shorter lifetimes are always more secure without considering the operational risk of frequent reauthentication causing tunnel drops.

How to eliminate wrong answers

Option A is wrong because longer lifetimes reduce rekeying overhead, but the question asks for a security implication of the given short lifetime, not a benefit of longer lifetimes. Option B is wrong because shorter lifetimes do not increase performance; they increase computational overhead and latency due to more frequent Diffie-Hellman exchanges and authentication. Option D is wrong because there is no mandatory minimum of 86400 seconds (24 hours); RFC 7296 recommends a default of 3600 seconds for IKEv1 phase 1, and shorter lifetimes can actually improve security by limiting exposure of the session key, though they risk disruption.

141
MCQeasy

A medium-sized financial services company has a flat network topology with no segmentation between the corporate LAN and the server farm. The security team recently deployed a host-based intrusion detection system (HIDS) on all critical servers. Over the past week, the HIDS has generated multiple high-severity alerts indicating outbound connections from a database server to an external IP address in a foreign country, occurring every hour and lasting only a few seconds. The database server contains sensitive customer data. The company's incident response plan (IRP) has not been updated in two years, and the CISO wants to ensure a response that minimizes business disruption while protecting data. The IT team is small, and the security analyst on duty suspects a data exfiltration attempt but is unsure. What should the analyst do FIRST?

A.Disconnect the database server from the network at the switch port and preserve the system state for forensic analysis
B.Run a full antivirus scan on the database server and update the HIDS signatures
C.Review the firewall logs to identify all external IPs the server has contacted
D.Immediately notify the company's legal department and public relations team
AnswerA

Isolating the server stops active data exfiltration and preserves evidence for investigation.

Why this answer

Option B is correct because isolating the server (disconnecting from the network) stops any ongoing data exfiltration immediately while preserving forensic evidence. Option A may trigger more data loss; Option C is premature before containment; Option D is important but delays containment.

142
MCQhard

An AWS security engineer is reviewing the above S3 bucket policy. What is the net effect of this policy on requests to read objects in the 'confidential' folder?

A.Only IPs in 10.0.0.0/8 but outside 10.100.0.0/16 can read confidential objects
B.No IPs can read confidential objects because the Deny applies to all
C.All IPs in the 10.0.0.0/8 range can read confidential objects
D.Only IPs in 10.100.0.0/16 can read confidential objects
AnswerD

The Deny statement allows only IPs in 10.100.0.0/16 (since NotIpAddress denies others), and the Allow gives GetObject permission but is overridden for others.

Why this answer

The S3 bucket policy grants read access to the 'confidential' folder for all principals within the 10.0.0.0/8 IP range, but then explicitly denies access to IPs within the 10.100.0.0/16 subnet. Because explicit Deny overrides any Allow, the net effect is that only IPs in 10.0.0.0/8 that are NOT in 10.100.0.0/16 can read objects. This matches option D.

Exam trap

The trap here is that candidates may misinterpret the Deny as applying to all IPs (option B) or fail to recognize that the Deny only blocks the specific subnet, leaving the rest of the 10.0.0.0/8 range allowed.

How to eliminate wrong answers

Option A is wrong because it reverses the logic: the Deny applies to 10.100.0.0/16, not to the rest of 10.0.0.0/8. Option B is wrong because the Deny does not apply to all IPs; it only applies to the specific subnet 10.100.0.0/16, so IPs outside that subnet but within 10.0.0.0/8 are still allowed. Option C is wrong because it ignores the explicit Deny for the 10.100.0.0/16 range, which overrides the Allow for those IPs.

143
MCQmedium

A company is designing a recovery site for its critical database. The recovery time objective (RTO) is 2 hours, and the recovery point objective (RPO) is 15 minutes. Which of the following replication strategies is BEST suited?

A.Asynchronous replication to a warm site
B.Full backups every 24 hours to a cold site
C.Weekly snapshots to a warm site
D.Synchronous replication to a hot site
AnswerD

Sync replication meets RPO and RTO.

Why this answer

Synchronous replication writes data to both the primary and the hot site simultaneously, ensuring zero data loss upon failover. With an RPO of 15 minutes, synchronous replication can meet this requirement because it commits transactions at both sites before acknowledging completion. A hot site is fully configured and ready to take over within the RTO of 2 hours, making this combination the best fit.

Exam trap

The trap here is that candidates often choose asynchronous replication (Option A) thinking it is sufficient for a 15-minute RPO, but they overlook that asynchronous replication can have variable lag that may exceed the RPO, especially under high write loads or network congestion.

How to eliminate wrong answers

Option A is wrong because asynchronous replication introduces a replication lag that can exceed the 15-minute RPO, as data is sent in batches and may not be fully current at the recovery site. Option B is wrong because full backups every 24 hours to a cold site cannot meet the 15-minute RPO (potential data loss of up to 24 hours) and the cold site would require significant time to restore, likely exceeding the 2-hour RTO. Option C is wrong because weekly snapshots provide a recovery point that is up to 7 days old, far exceeding the 15-minute RPO, and a warm site may require additional configuration time that could jeopardize the 2-hour RTO.

144
MCQhard

A company's security team discovers that a critical web application has a SQL injection vulnerability. However, the team is unable to remediate it immediately due to a dependency on a third-party component. Which of the following is the BEST approach to manage the risk while awaiting a patch?

A.Accept the risk and implement compensating controls like input validation at the network layer
B.Deploy a web application firewall with a rule to block SQL injection patterns
C.Increase logging and monitoring of the application
D.Disable the vulnerable feature entirely
AnswerA

Compensating controls reduce risk while awaiting a permanent fix, aligning with risk management best practices.

Why this answer

Option A is correct because when a vulnerability cannot be patched immediately, compensating controls are the best risk management approach. Implementing input validation at the network layer (e.g., via a web application firewall or network-based IPS) can block SQL injection patterns before they reach the vulnerable application, reducing the likelihood of exploitation without requiring changes to the third-party component.

Exam trap

ISC2 often tests the distinction between 'accepting risk' as a passive decision versus 'accepting risk with compensating controls' as an active risk management strategy, leading candidates to mistakenly choose a single technical control like a WAF (Option B) instead of the broader, more correct approach of accepting risk with compensating controls.

How to eliminate wrong answers

Option B is wrong because deploying a WAF with a rule to block SQL injection patterns is a specific type of compensating control, but it is not the best approach on its own; the question asks for the best approach, and accepting the risk with compensating controls (A) is a broader, more strategic answer that encompasses WAF deployment as one possible control. Option C is wrong because increasing logging and monitoring does not prevent exploitation; it only detects attacks after they occur, which is reactive rather than proactive risk management. Option D is wrong because disabling the vulnerable feature entirely may not be feasible or may break business functionality, and it is a more drastic measure than necessary when compensating controls can mitigate the risk.

145
Multi-Selectmedium

Which TWO of the following are examples of types of security assessments?

Select 2 answers
A.Vulnerability scan
B.Firewall rule review
C.Password policy enforcement
D.Antivirus update
E.Penetration test
AnswersA, E

A vulnerability scan is a common security assessment technique.

Why this answer

A vulnerability scan is a security assessment that systematically identifies, categorizes, and reports known vulnerabilities in systems, networks, and applications. It uses automated tools (e.g., Nessus, OpenVAS) to compare system configurations and software versions against databases of known vulnerabilities (e.g., CVE, NVD). This is a core example of a security assessment because it evaluates the security posture without exploiting vulnerabilities, aligning with the 'Security Assessment and Testing' domain.

Exam trap

The trap here is that candidates often confuse security assessments (active evaluation of security posture) with security controls or operational tasks (e.g., firewall reviews, policy enforcement, updates), which are not assessments but rather management or maintenance activities.

146
MCQeasy

A security professional is tasked with testing the effectiveness of security controls in a production environment without causing disruption. Which type of assessment should be performed?

A.Penetration test
B.Red team exercise
C.Vulnerability scan
D.Social engineering test
AnswerC

Vulnerability scans are passive and safe for production environments.

Why this answer

A vulnerability scan is the correct choice because it is a non-intrusive, automated assessment that identifies known vulnerabilities (e.g., missing patches, misconfigurations) by comparing system states against a database of CVEs and configuration benchmarks (e.g., CIS benchmarks). It does not exploit vulnerabilities or generate attack traffic, making it safe for production environments. In contrast, penetration tests and red team exercises involve active exploitation and simulated attacks that risk service disruption.

Exam trap

The trap here is that candidates often confuse a vulnerability scan with a penetration test, assuming both involve active exploitation, but the key distinction is that a vulnerability scan is passive and non-destructive, while a penetration test is active and potentially disruptive.

How to eliminate wrong answers

Option A is wrong because a penetration test involves active exploitation of vulnerabilities to gain unauthorized access, which can cause system crashes, data corruption, or service interruptions in a production environment. Option B is wrong because a red team exercise is a full-scope, adversarial simulation that includes social engineering, physical breaches, and active exploitation, all of which carry a high risk of disrupting operations. Option D is wrong because a social engineering test targets human behavior (e.g., phishing emails, pretexting calls) and does not directly assess the effectiveness of technical security controls such as firewalls, IDS/IPS, or patch management.

147
MCQeasy

Which of the following is the primary purpose of a security assessment?

A.To identify and evaluate security risks
B.To fix all vulnerabilities
C.To achieve compliance with regulations
D.To punish non-compliant employees
AnswerA

Assessment identifies weaknesses and evaluates the associated risks.

Why this answer

A security assessment's primary purpose is to systematically identify and evaluate security risks by analyzing assets, threats, vulnerabilities, and existing controls. This aligns with the NIST SP 800-115 framework, which defines assessment as the process of determining how effectively an entity is meeting specific security objectives, not as a remediation or enforcement activity.

Exam trap

The trap here is that candidates confuse the assessment phase with the remediation phase, assuming the primary goal is to fix vulnerabilities, when in fact the assessment stops at identification and evaluation.

How to eliminate wrong answers

Option B is wrong because fixing all vulnerabilities is the goal of remediation or vulnerability management, not the assessment itself; assessment only identifies and evaluates, leaving remediation to subsequent processes. Option C is wrong because achieving compliance is a possible outcome or driver, but the primary purpose is risk identification and evaluation, not merely meeting regulatory checklists. Option D is wrong because punishing non-compliant employees is a disciplinary action unrelated to the technical evaluation of security posture; assessments focus on systems and processes, not personnel discipline.

148
MCQhard

A security engineer is designing a new SIEM correlation rule to detect potential data exfiltration. The rule should trigger when a single internal host sends more than 10 MB of data to an external IP address within a 5-minute window, but only if the external IP is not on a whitelist of known business partners. Which approach best minimizes false positives while ensuring effective detection?

A.Apply the rule to all internal hosts with the same threshold
B.Trigger only when the destination IP is in a threat intelligence feed of known malicious IPs
C.Use a baseline of normal traffic per host and trigger only when the volume exceeds the baseline by a significant margin
D.Set a static threshold of 10 MB for all hosts, but exclude traffic to common cloud storage providers
AnswerC

Baselines allow the rule to adapt to each host's typical behavior, reducing false positives while detecting anomalies.

Why this answer

Option C is correct because using a baseline of normal traffic per host adapts to different users' behaviors, reducing false positives from legitimate large transfers. Option A is wrong because applying the rule to all internal hosts would generate many false positives from servers that routinely transfer large files. Option B is wrong because a static threshold does not account for varying normal usage.

Option D is wrong because excluding only known partner IPs may miss exfiltration to unknown but legitimate external services.

149
MCQeasy

An organization wants to implement a password policy that balances security and usability. Which of the following is the BEST practice according to current NIST guidelines?

A.Compare new passwords against a list of known compromised passwords
B.Set maximum password length to 8 characters
C.Require password changes every 30 days
D.Enforce a minimum of one uppercase, one lowercase, one digit, and one special character
AnswerA

This prevents use of common passwords from breach data.

Why this answer

NIST SP 800-63B explicitly recommends checking passwords against a list of known compromised passwords (e.g., from previous breaches) rather than enforcing arbitrary complexity rules. This approach directly mitigates credential stuffing and dictionary attacks by rejecting passwords that have already been exposed, while avoiding user frustration from frequent changes or complex composition requirements.

Exam trap

The trap here is that many candidates cling to outdated complexity rules (Option D) or frequent rotation (Option C) because they were once considered security best practices, but NIST now prioritizes breach-checking and longer, memorable passwords over arbitrary composition and expiry.

How to eliminate wrong answers

Option B is wrong because setting a maximum password length to 8 characters contradicts NIST guidance, which recommends a minimum of 8 characters but encourages longer passwords (up to 64 characters or more) to resist brute-force attacks. Option C is wrong because mandatory password changes every 30 days are discouraged by NIST SP 800-63B; frequent changes often lead to weaker passwords and are only recommended when there is evidence of compromise. Option D is wrong because enforcing complex composition rules (uppercase, lowercase, digit, special character) is no longer considered a best practice by NIST; such rules often result in predictable patterns (e.g., 'Password1!') and do not effectively defend against modern attacks like credential stuffing.

150
MCQmedium

A remote user at 203.0.113.5 cannot access the internal web server at 10.0.0.10 over HTTPS. What is the most likely cause of the denial?

A.The ACL is missing a permit rule for the user's IP
B.The ACL is applied in the wrong direction
C.The firewall is not performing stateful inspection
D.The web server is not listening on port 443
AnswerA

The permit rule only allows 203.0.113.2, so traffic from 203.0.113.5 is denied.

Why this answer

The user at 203.0.113.5 is attempting to reach the internal web server at 10.0.0.10 over HTTPS (TCP/443). If an ACL is applied on the firewall or router interface that filters inbound traffic from the remote user, the most direct cause of denial is the absence of a permit rule for the source IP 203.0.113.5. ACLs process rules sequentially, and if no explicit permit matches the user's traffic, the implicit deny at the end of the ACL will drop the packet.

Exam trap

The trap here is that candidates often confuse ACL directionality (Option B) with the actual missing rule, but the symptom of a complete denial for a specific source IP points directly to a missing permit entry rather than a directional issue.

How to eliminate wrong answers

Option B is wrong because applying an ACL in the wrong direction (e.g., inbound vs. outbound) would cause traffic to be filtered incorrectly, but the question states the user cannot access the server at all, which is more consistent with a missing permit rule than a directional misapplication that might still allow some traffic. Option C is wrong because stateful inspection is a feature that tracks connection state; even without stateful inspection, a stateless ACL with a proper permit rule would allow the HTTPS traffic. Option D is wrong because if the web server were not listening on port 443, the user would receive a connection refused (RST) or timeout, not a denial caused by an ACL; the question implies a silent drop, which is characteristic of ACL filtering.

Page 1

Page 2 of 8

Page 3

All pages