Certified Information Systems Security Professional CISSP (CISSP) — Questions 151225

529 questions total · 8pages · All types, answers revealed

Page 2

Page 3 of 8

Page 4
151
MCQmedium

A security analyst discovers that a business unit is storing sensitive data on a file share without classification labels. What is the first step to remediate?

A.Move the data to a secure server
B.Immediately delete the data
C.Notify the data owner to classify the data
D.Encrypt the file share
AnswerC

The data owner is responsible for classification, which should precede further actions.

Why this answer

The data owner must classify the data first. Other actions are premature before classification. Encrypting or moving might be appropriate after classification.

Deleting without authorization could destroy needed data.

152
MCQhard

A security manager is evaluating risk treatment options for a high-impact, low-probability risk. Which approach is most appropriate?

A.Transfer
B.Accept
C.Avoid
D.Mitigate
AnswerA

Shifts financial burden to a third party, suitable for catastrophic but rare events.

Why this answer

For high-impact, low-probability risks, transferring (e.g., insurance) is often most cost-effective. Accepting may be too risky. Mitigating may not be justified due to low probability.

Avoidance may be too disruptive.

153
MCQhard

An organization is decommissioning a data center. Which of the following is the most secure method for sanitizing hard drives that will be reused?

A.Physical destruction
B.Deleting all files
C.Overwriting with random data multiple times
D.Quick format
AnswerC

Multiple overwrites are recognized as secure sanitization for reuse.

Why this answer

Overwriting with random data multiple times (option C) is the most secure method for sanitizing hard drives that will be reused because it ensures that the original data is irrecoverable through any known forensic technique. Unlike physical destruction, which renders the drive unusable, or file deletion and quick format, which only remove file system pointers and leave data intact, multiple-pass overwriting (e.g., using the DoD 5220.22-M standard) writes patterns over every sector, including remapped sectors, making the original data unrecoverable even with advanced magnetic force microscopy.

Exam trap

The trap here is that candidates often choose 'Physical destruction' because it seems most secure, but they overlook the explicit requirement that the drives will be reused, making destruction invalid.

How to eliminate wrong answers

Option A is wrong because physical destruction (e.g., shredding or degaussing) permanently damages the drive, preventing reuse, which contradicts the requirement that the drives will be reused. Option B is wrong because deleting all files only removes directory entries and marks clusters as available; the actual data remains on the platters and can be easily recovered with file recovery tools. Option D is wrong because a quick format only rewrites the file system metadata (e.g., boot sector and FAT) and does not touch the data areas, leaving all user data intact and recoverable.

154
MCQeasy

A healthcare organization must decommission a server containing protected health information (PHI). Which data sanitization method ensures the data is irrecoverable while complying with regulatory requirements?

A.Reformat the hard drive with a quick format
B.Degauss the hard drive
C.Physically shred the hard drive
D.Overwrite the hard drive with a single pass of zeros
AnswerB

Degaussing destroys magnetic data and is approved for PHI disposal.

Why this answer

Degaussing uses a strong magnetic field to disrupt the magnetic domains on a hard drive, rendering the data irrecoverable even with advanced forensic tools. For a healthcare organization handling PHI, degaussing meets regulatory requirements like HIPAA's disposal standards (45 CFR §164.310(d)(2)(i)) by ensuring data cannot be reconstructed. Unlike other methods, degaussing physically destroys the magnetic media's ability to store data, making it a definitive sanitization technique for magnetic hard drives.

Exam trap

The trap here is that candidates confuse 'overwriting with zeros' (clear) with 'degaussing' (purge), assuming a single pass is sufficient for PHI, but CISSP expects knowledge that regulatory compliance (e.g., HIPAA) mandates a purge-level sanitization for sensitive data, which degaussing provides by destroying the magnetic structure itself.

How to eliminate wrong answers

Option A is wrong because a quick format only clears the file system index (e.g., MFT or FAT), leaving the actual PHI data intact on the disk and easily recoverable with tools like TestDisk or Recuva. Option C is wrong because physically shredding the hard drive, while destructive, is not a data sanitization method per NIST SP 800-88 Rev. 1 (which classifies it as 'destroy' for disposal, not 'clear' or 'purge') and may not be practical for verifying complete data destruction in a regulatory audit. Option D is wrong because a single pass of zeros (overwrite) is considered 'clear' by NIST SP 800-88, which is insufficient for PHI under HIPAA; it leaves residual magnetic signatures that can be recovered using magnetic force microscopy (MFM) or other advanced techniques, and is only acceptable for non-sensitive data.

155
MCQmedium

A financial institution is implementing a data classification policy. Which role is responsible for assigning initial classification labels to data assets?

A.Data custodian
B.Data processor
C.Data owner
D.Data steward
AnswerC

Data owner is responsible for classifying data according to business sensitivity.

Why this answer

The data owner is the senior manager or business stakeholder who has ultimate accountability for a data asset and is responsible for determining its classification level based on business impact and sensitivity. In the CISSP framework, the data owner defines the classification labels (e.g., Public, Internal, Confidential, Restricted) at the time of creation or acquisition, ensuring the asset is tagged according to the organization's data classification policy. This role does not handle the technical implementation but sets the initial classification, which then drives downstream controls like encryption and access control lists (ACLs).

Exam trap

ISC2 often tests the distinction between data owner and data custodian, trapping candidates who confuse the 'owner' as the person who physically handles the data (custodian) rather than the person who has accountability for classification and risk acceptance.

How to eliminate wrong answers

Option A is wrong because the data custodian is responsible for implementing and maintaining technical controls (e.g., encryption, backups, access enforcement) based on the classification assigned by the data owner, not for assigning the initial classification label. Option B is wrong because the data processor is a third-party entity that processes data on behalf of the data controller under a contract, typically in cloud or outsourcing scenarios, and has no authority to assign classification labels—that remains with the data owner. Option D is wrong because the data steward focuses on data quality, metadata management, and compliance with data governance rules, but does not have the authority to assign initial classification labels; that decision is reserved for the data owner who bears the risk.

156
MCQeasy

Refer to the exhibit. Based on the exhibit, what is the most urgent remediation?

A.Disable directory listing
B.Upgrade to Apache 2.4.50
C.Recompile Apache with security flags
D.Apply a WAF rule to block path traversal attempts
AnswerB

Upgrading to a patched version directly removes the vulnerability.

Why this answer

The exhibit shows Apache 2.4.49 is in use, which is vulnerable to CVE-2021-41773 — a path traversal and remote code execution flaw in the `mod_cgi` module. Upgrading to Apache 2.4.50 is the most urgent remediation because it directly patches this critical vulnerability, preventing attackers from reading arbitrary files or executing commands via crafted URL paths like `/cgi-bin/.%2e/%2e%2e/bin/sh`.

Exam trap

ISC2 often tests the distinction between a compensating control (like a WAF rule) and a true remediation (like a software upgrade), leading candidates to choose a workaround instead of the definitive fix.

How to eliminate wrong answers

Option A is wrong because disabling directory listing addresses information disclosure but does not fix the underlying path traversal or RCE vulnerability in Apache 2.4.49; it is a secondary hardening step. Option C is wrong because recompiling Apache with security flags does not patch the specific CVE-2021-41773 flaw in the shipped binary; the vulnerability is in the source code logic of `mod_cgi` and `util_path.c`, which requires a version upgrade. Option D is wrong because applying a WAF rule to block path traversal attempts is a compensating control, not a remediation; it can be bypassed with encoding variations and does not eliminate the root cause in the Apache server itself.

157
MCQmedium

An organization is developing a business continuity plan (BCP) for its critical IT systems. Which of the following is the FIRST step in the BCP process?

A.Identify recovery strategies for critical systems.
B.Conduct a business impact analysis (BIA) to prioritize critical business functions.
C.Develop a testing schedule for the BCP.
D.Perform a risk assessment to identify potential threats.
AnswerB

Correct - BIA determines criticality and recovery time objectives.

Why this answer

The first step in the BCP process is to conduct a Business Impact Analysis (BIA) to identify and prioritize critical business functions and their dependencies. Without the BIA, you cannot determine which systems require recovery strategies or what recovery time objectives (RTOs) and recovery point objectives (RPOs) are needed. The BIA provides the quantitative and qualitative basis for all subsequent BCP decisions.

Exam trap

The trap here is that candidates often confuse the risk assessment (which identifies threats) with the BIA (which identifies business impact), but the BCP process explicitly begins with the BIA to prioritize business functions before addressing threats or recovery strategies.

How to eliminate wrong answers

Option A is wrong because identifying recovery strategies comes after the BIA has established which systems are critical and their specific recovery requirements. Option C is wrong because developing a testing schedule is a later phase, performed after the BCP has been written and approved. Option D is wrong because performing a risk assessment is a separate, earlier process that feeds into the overall risk management framework, but the BCP specifically starts with the BIA to understand business impact, not just threats.

158
MCQhard

A multinational company must comply with the EU General Data Protection Regulation (GDPR) for processing personal data of EU citizens. The company's data protection officer (DPO) has been appointed but reports to the Chief Marketing Officer (CMO). Which compliance issue is most critical?

A.The DPO should not hold any other role within the organization
B.The DPO must be a lawyer certified in data protection
C.The DPO must be located in the EU
D.The DPO must report directly to the board of directors or CEO
AnswerD

GDPR requires the DPO to report to the highest management level to ensure independence.

Why this answer

Under the GDPR, the Data Protection Officer (DPO) must report directly to the highest level of management, typically the board of directors or CEO, to ensure independence and authority. Reporting to the Chief Marketing Officer (CMO) creates a conflict of interest because the CMO oversees marketing activities that often involve extensive personal data processing, compromising the DPO's ability to provide unbiased oversight. This structural subordination is the most critical compliance issue as it directly undermines the DPO's statutory role under Article 38(3) of the GDPR.

Exam trap

The trap here is that candidates often focus on the DPO's qualifications or location (options B and C) because those are commonly discussed in GDPR training, but the most critical issue is the DPO's independence and reporting line, which directly impacts their ability to enforce compliance without conflict of interest.

How to eliminate wrong answers

Option A is wrong because the GDPR does not prohibit the DPO from holding other roles; it only requires that those roles do not create a conflict of interest (Article 38(6)). Option B is wrong because the GDPR does not mandate that the DPO be a lawyer or hold any specific certification; it requires expertise in data protection law and practices (Article 37(5)). Option C is wrong because the GDPR does not require the DPO to be physically located in the EU; the DPO can be outside the EU as long as they are accessible and can effectively perform their duties (Article 37(2) and EDPB guidelines).

159
MCQhard

A security analyst is troubleshooting a web application that is incorrectly blocking valid login requests. The WAF rule in the exhibit is the only rule configured. What is the probable issue?

A.The rule uses outdated syntax
B.The rule is in the wrong phase
C.The rule is too generic and matches all login requests
D.The rule does not specify a status code
AnswerC

Correct. The rule denies all requests to '/login' without any additional conditions.

Why this answer

Option C is correct because the WAF rule uses a broad pattern like `.*` or similar regex that matches all login request parameters, causing the WAF to block every login attempt. This occurs when the rule lacks specific constraints (e.g., matching only known attack patterns like SQL injection or XSS), so it incorrectly flags legitimate traffic as malicious.

Exam trap

The trap here is that candidates may confuse a rule being 'too generic' with 'outdated syntax' or 'wrong phase,' but the key is recognizing that a pattern matching everything causes false positives, not a technical failure of the rule engine.

How to eliminate wrong answers

Option A is wrong because outdated syntax (e.g., deprecated regex or rule format) would typically cause a parsing error or rule failure, not incorrect blocking of valid requests. Option B is wrong because the WAF phase (e.g., request headers, request body, response) determines when the rule is evaluated; a phase mismatch would cause the rule to be skipped or applied at the wrong time, not to block all login requests generically. Option D is wrong because a missing status code in the rule definition does not affect matching logic; status codes are used for response-based rules, not for blocking requests based on request content.

160
MCQhard

A medium-sized financial services company recently deployed a new identity governance and administration (IGA) solution to manage user access across on-premises Active Directory and cloud-based SaaS applications. The IGA system uses a role-based access control (RBAC) model with hundreds of roles defined. The company has a policy that all access certifications must be completed quarterly. During the first quarterly certification, the access reviewers complain that they are overwhelmed by the number of entitlements they need to review, and many certifications are not completed on time. The security team also notices that some users have accumulated excessive privileges because role assignments were not properly reviewed. The company wants to streamline the certification process without sacrificing security. Which of the following is the BEST course of action?

A.Increase the certification frequency to monthly and assign more reviewers
B.Eliminate role-based access and assign permissions directly to users
C.Implement a risk-based certification approach that focuses on high-risk access and uses automated certification for low-risk access
D.Automate all certifications by using scripts that approve access if no violations are detected
AnswerC

Reduces reviewer workload while maintaining security on critical access.

Why this answer

Option C is correct because a risk-based certification approach prioritizes high-risk entitlements for manual review while automating the certification of low-risk access, reducing reviewer fatigue and ensuring critical privileges are scrutinized. This aligns with the principle of 'defense in depth' and addresses the core issue of overwhelming certification volume without compromising security, as low-risk access can be certified based on predefined policies and automated workflows.

Exam trap

The trap here is that candidates may choose option D (automate all certifications) because it seems efficient, but they overlook the critical requirement for human oversight in high-risk access decisions, which is a core principle of identity governance and audit compliance.

How to eliminate wrong answers

Option A is wrong because increasing certification frequency to monthly would exacerbate reviewer overload and likely lead to even more incomplete certifications, as it increases the volume of reviews without addressing the root cause of excessive entitlements. Option B is wrong because eliminating role-based access and assigning permissions directly to users would abandon the RBAC model entirely, leading to a chaotic, unmanageable permission structure that violates the principle of least privilege and increases security risk. Option D is wrong because automating all certifications with scripts that approve access if no violations are detected removes human oversight entirely, which could allow inappropriate access to persist if violations are not detected by the scripts, undermining the certification process's purpose of ensuring proper access governance.

161
MCQeasy

A security analyst is tasked with identifying vulnerabilities in a web application that is still in development. The application code is not yet stable, and frequent changes are expected. Which testing approach would be most appropriate to identify vulnerabilities without hindering the development process?

A.Fuzz testing
B.Manual penetration testing
C.Static application security testing (SAST)
D.Dynamic application security testing (DAST)
AnswerC

Can be integrated into CI/CD and analyze source code without a runtime environment.

Why this answer

Static Application Security Testing (SAST) is the most appropriate approach because it analyzes source code, byte code, or binary code without executing the application, making it ideal for early-stage development where code is unstable and frequently changing. SAST can be integrated into the development pipeline (e.g., as a pre-commit hook or CI/CD step) to identify vulnerabilities like SQL injection, XSS, or buffer overflows without requiring a running application or hindering the iterative development process.

Exam trap

The trap here is that candidates often choose DAST (Option D) because they associate 'dynamic' with 'real-world testing,' but they overlook the critical constraint that the application is unstable and in development, making SAST the only viable option that does not require a running application.

How to eliminate wrong answers

Option A is wrong because fuzz testing is a dynamic testing technique that requires a running, stable application to inject malformed or unexpected inputs, which is not feasible when the code is unstable and frequently changing. Option B is wrong because manual penetration testing is a time-intensive, point-in-time assessment that relies on a functional, deployed application and would significantly hinder the development process due to the need for a stable environment and repeated retesting after each code change. Option D is wrong because Dynamic Application Security Testing (DAST) requires a fully running application to scan for vulnerabilities from the outside (e.g., via HTTP requests), and it cannot be effectively performed on an unstable, in-development application that may not even compile or run correctly.

162
Multi-Selectmedium

When implementing a federated identity management system, which TWO components are essential for establishing trust between Identity Provider and Service Provider? (Select two.)

Select 2 answers
A.Metadata exchange
B.User directory synchronization
C.Single logout
D.Shared secret
E.Public key certificates
AnswersA, E

Metadata includes endpoints and certificates needed for trust.

Why this answer

Metadata exchange is essential because it allows the Identity Provider (IdP) and Service Provider (SP) to share configuration details such as endpoints, supported SAML bindings, and entity identifiers. This automated exchange establishes the initial trust relationship by ensuring both parties have accurate, verifiable information about each other before any authentication requests occur.

Exam trap

The trap here is that candidates confuse operational components like user synchronization or session management with the foundational trust-establishing mechanisms, forgetting that federated trust relies on cryptographic verification through metadata and certificates, not shared secrets or directory replication.

163
MCQhard

You are the chief information security officer (CISO) of a large healthcare organization that handles protected health information (PHI). The organization has recently been acquired by a larger conglomerate, and the new parent company mandates that all subsidiaries adopt a single, unified risk management framework based on NIST SP 800-39. Your current framework is ISO 27005-based and has been effective for years. During the transition, you discover that the parent company's framework requires quantitative risk analysis for all critical assets, while your team has been primarily using qualitative analysis due to lack of accurate financial data. Moreover, the parent company expects all risk assessments to be completed within 30 days, a timeframe your team considers unrealistic given the number of assets. Several key stakeholders are concerned about the additional resource burden and potential disruption to operations. You need to propose a course of action that balances compliance with the parent company's mandate while maintaining operational effectiveness and minimizing risk to patient data.

A.Conduct a gap analysis between ISO 27005 and NIST SP 800-39, then develop a phased transition plan with a longer timeline, presenting it to the parent company's board for approval.
B.Continue using ISO 27005 and argue that it is equally valid, citing the principle of risk management flexibility and the disruption that a transition would cause.
C.Hire external consultants to perform the quantitative assessments, allowing the internal team to focus on existing operations, and accept the cost as a business necessity.
D.Immediately adopt the NIST framework and begin quantitative assessments, using industry-standard cost estimates to expedite the process within 30 days.
AnswerA

Strategic approach that balances compliance with practicality and earns stakeholder buy-in.

Why this answer

A gap analysis between ISO 27005 and NIST SP 800-39 identifies differences and allows a phased transition plan with a realistic timeline, which is then presented to the parent company for approval. This approach respects both frameworks and addresses stakeholder concerns. Option A is too aggressive and unrealistic.

Option C is non-compliant and may lead to conflict. Option D neglects the need for a structured transition and may cause operational disruption.

164
MCQeasy

In a public key infrastructure (PKI), which component is responsible for issuing and revoking digital certificates?

A.Registration Authority (RA)
B.Certificate Authority (CA)
C.Certificate Revocation List (CRL)
D.Validation Authority (VA)
AnswerB

Correct. CA issues and revokes certificates in a PKI.

Why this answer

The Certificate Authority (CA) is the trusted entity in a PKI that issues digital certificates by signing them with its private key, and it also revokes certificates by publishing Certificate Revocation Lists (CRLs) or using the Online Certificate Status Protocol (OCSP). The CA is the authoritative source for certificate lifecycle management, including issuance, renewal, and revocation.

Exam trap

The trap here is confusing the Registration Authority (RA) with the Certificate Authority (CA), as the RA performs identity verification but candidates often mistakenly think it also issues certificates.

How to eliminate wrong answers

Option A is wrong because the Registration Authority (RA) is only responsible for verifying the identity of certificate requestors and forwarding requests to the CA; it does not issue or revoke certificates itself. Option C is wrong because the Certificate Revocation List (CRL) is a data structure published by the CA that lists revoked certificates, not an entity that performs issuance or revocation actions. Option D is wrong because the Validation Authority (VA) is an optional component that validates certificate status (e.g., via OCSP responder) but does not issue or revoke certificates.

165
MCQhard

During an internal audit, an organization discovers that a critical application has not been patched for six months. The application is business-critical and cannot be taken offline during business hours. Which of the following is the best course of action?

A.Implement compensating controls and schedule patching at the next available maintenance window
B.Accept the risk and continue operations
C.Apply the patch immediately during off-hours even if it risks downtime
D.Disconnect the application until it is patched
AnswerA

Compensating controls mitigate risk until the patch can be applied safely during a planned outage.

Why this answer

Option A is correct because compensating controls (e.g., network segmentation, WAF rules, or host-based IPS) reduce the immediate risk while the critical application remains online. Scheduling patching for the next maintenance window aligns with change management and ensures the patch is tested and applied without disrupting business operations. This balances security needs with operational continuity, a core principle of risk management.

Exam trap

The trap here is that candidates may choose immediate patching (Option C) thinking it is the most secure action, but the CISSP exam emphasizes balancing security with business continuity and following proper change management procedures.

How to eliminate wrong answers

Option B is wrong because accepting risk without any mitigating action ignores the known vulnerability exposure for six months, which violates due care and could lead to exploitation. Option C is wrong because applying the patch immediately during off-hours without prior testing or change approval could introduce instability or downtime, which is unacceptable for a business-critical application. Option D is wrong because disconnecting the application halts business operations entirely, which is disproportionate when less disruptive compensating controls can be implemented first.

166
MCQmedium

A company is conducting a risk assessment and needs to prioritize risks based on both likelihood and impact. The risk management team decides to use a quantitative approach. Which of the following is a key advantage of using quantitative risk analysis over qualitative risk analysis?

A.It provides monetary values for risks, facilitating cost-benefit analysis.
B.It relies on expert opinions and does not require historical data.
C.It is easier to communicate to non-technical stakeholders.
D.It requires less data and is faster to perform.
AnswerA

Quantitative analysis assigns numeric values, enabling direct comparison with mitigation costs.

Why this answer

Quantitative risk analysis assigns monetary values to assets, threats, and vulnerabilities, enabling precise cost-benefit calculations for risk mitigation options. This allows organizations to compare the cost of controls directly against the expected loss, a key advantage over qualitative methods that rely on subjective rankings.

Exam trap

The trap here is that candidates often confuse the ease of communication (qualitative) with the numerical rigor (quantitative), or mistakenly think quantitative analysis is faster because it uses numbers, when in fact it demands more data and time.

How to eliminate wrong answers

Option B is wrong because quantitative analysis relies on numerical data and historical loss records, not expert opinions; qualitative analysis is the approach that depends on expert judgment. Option C is wrong because quantitative results (e.g., ALE, SLE) are often harder for non-technical stakeholders to grasp than the simple high/medium/low ratings of qualitative analysis. Option D is wrong because quantitative analysis requires extensive data collection and computation, making it slower and more resource-intensive than qualitative analysis.

167
MCQeasy

A system administrator receives the vulnerability scan report snippet shown in the exhibit. Which of the following actions should the administrator take to remediate the vulnerability?

A.Upgrade the SSH service to the latest version.
B.Modify the SSH configuration to disable weak ciphers and enable strong ciphers.
C.Disable SSH access to the host.
D.Change the SSH port from 22 to a non-standard port.
AnswerB

This directly addresses the vulnerability as recommended in the report.

Why this answer

The vulnerability scan report likely identifies weak cryptographic algorithms (e.g., CBC-mode ciphers or MD5-based MACs) in the SSH configuration. Remediation requires disabling these weak ciphers and enabling strong ones (e.g., AES-CTR, ChaCha20-Poly1305) in the sshd_config file, as simply upgrading the SSH service version may not change the cipher list. Option B directly addresses the cryptographic weakness without unnecessarily disabling or hiding the service.

Exam trap

The trap here is that candidates often assume upgrading the software version automatically fixes all vulnerabilities, but CISSP tests the understanding that configuration hardening (e.g., disabling weak ciphers) is a separate and necessary action even after a version upgrade.

How to eliminate wrong answers

Option A is wrong because upgrading the SSH service version does not automatically change the configured cipher list; the administrator must explicitly modify the configuration to disable weak ciphers. Option C is wrong because disabling SSH access entirely is an overreaction that disrupts legitimate remote administration, and it does not remediate the underlying cryptographic weakness. Option D is wrong because changing the SSH port from 22 to a non-standard port only obscures the service via security through obscurity, which does not fix the weak cipher vulnerability and is not a valid remediation per industry standards.

168
MCQmedium

An organization is developing a security governance framework to align with business objectives. Which group should have ultimate authority and responsibility for the cybersecurity program?

A.IT steering committee
B.Board of directors
C.Chief Information Security Officer (CISO)
D.Chief Executive Officer (CEO)
AnswerB

The board holds ultimate fiduciary duty for risk management, including cybersecurity.

Why this answer

Security governance is a board-level responsibility. The board of directors ensures that cybersecurity aligns with business strategy and risk appetite.

169
MCQeasy

Refer to the exhibit. The VPN tunnel is not coming up. What is the most likely configuration error?

A.The encryption algorithm AES 256 is not supported.
B.The crypto map is applied to the Tunnel interface instead of the physical interface.
C.The hash algorithm SHA256 is not supported.
D.The Diffie-Hellman group 14 is not strong enough.
AnswerB

Crypto map must be applied to the physical interface that connects to the peer.

Why this answer

The crypto map must be applied to the physical interface (e.g., GigabitEthernet0/0) that connects to the VPN peer, not to the Tunnel interface. The Tunnel interface is a logical construct used for overlay routing (e.g., GRE or IPsec VTI), but the crypto map defines the IPsec security associations on the actual egress interface. Applying it to the Tunnel interface prevents the IPsec process from matching outbound traffic to the correct physical path, so the tunnel never establishes.

Exam trap

ISC2 often tests the misconception that the crypto map should be applied to the Tunnel interface (since it 'protects' the tunnel), but the correct placement is always on the physical egress interface where the IPsec packets actually leave the router.

How to eliminate wrong answers

Option A is wrong because AES-256 is widely supported in modern VPN implementations (e.g., Cisco IOS, IKEv1/v2) and is not a cause of tunnel failure unless explicitly disabled. Option C is wrong because SHA-256 is a standard hash algorithm supported by IPsec (RFC 4868) and is not inherently unsupported in typical configurations. Option D is wrong because Diffie-Hellman group 14 (2048-bit MODP) is considered strong enough for secure key exchange; the issue is not about strength but about misapplication of the crypto map.

170
MCQeasy

A company has a headquarters and three branch offices connected via MPLS VPN. Recently, they deployed a new VoIP system across all sites. Users report intermittent call drops and poor voice quality during peak business hours. The network team suspects packet loss and jitter are the cause. The IT manager wants to verify the issue without affecting production traffic. Which of the following is the best course of action?

A.Deploy a full packet capture on all branch routers.
B.Use IP SLA to generate test traffic and measure jitter and packet loss.
C.Conduct a network assessment by duplicating traffic to a monitoring tool.
D.Increase the MPLS bandwidth immediately.
AnswerB

IP SLA allows non-intrusive performance measurement.

Why this answer

IP SLA can generate synthetic traffic to measure network performance metrics like jitter, latency, and packet loss without impacting production traffic. Creating a full packet capture is resource-intensive and may affect performance. Duplicating traffic requires additional configuration and may not reflect real-time issues.

Increasing bandwidth is a solution, not a diagnostic step.

171
Multi-Selectmedium

Which TWO of the following are considered mandatory elements of an organization's security policy framework?

Select 2 answers
A.Procedures
B.Standards
C.Guidelines
D.Baselines
E.Metrics
AnswersA, B

Procedures detail mandatory step-by-step actions.

Why this answer

Standards and procedures are mandatory because they specify required configurations and step-by-step instructions. Guidelines are recommended but not required; baselines are a type of standard; metrics are measurements, not policy documents.

172
MCQhard

A multinational corporation operates a private MPLS VPN network connecting 50 branch offices to a central data center. The network uses BGP as the routing protocol within the VPN, with each branch announcing its internal prefixes to the data center routers. Over the past week, several branch offices have reported intermittent connectivity issues, with traffic being routed to incorrect destinations before recovering. Network logs show that during these incidents, the data center router receives unexpected BGP updates from one of the branch routers, advertising prefixes that belong to other branches. BGP sessions remain established without flaps. The security team is concerned that this could be a route leak or intentional hijack. The network engineer has verified that all BGP sessions are authenticated with MD5 and that RPKI validation is not currently deployed. Which course of action should the engineer take first to mitigate the issue?

A.Configure inbound BGP prefix filtering on the data center routers.
B.Implement BGP Flowspec to rate-limit traffic to the affected prefixes.
C.Deploy RPKI validation across all routers.
D.Increase the BGP hold timer on data center routers.
AnswerA

Filters out unauthorized prefixes from branch routers, stopping the leak.

Why this answer

The intermittent connectivity issues are caused by a branch router advertising prefixes that belong to other branches, which is a classic route leak or hijack scenario. Configuring inbound BGP prefix filtering on the data center routers is the immediate and most effective mitigation because it allows the engineer to explicitly define which prefixes are accepted from each BGP neighbor, preventing unauthorized or incorrect routes from being installed in the routing table. This approach does not require additional infrastructure or protocol changes and directly addresses the root cause of the traffic misdirection.

Exam trap

The trap here is that candidates may assume RPKI is the best first step because it is a modern security mechanism, but the question explicitly states it is not deployed and asks for the first action to mitigate the issue, making immediate inbound filtering the correct answer over a longer-term deployment.

How to eliminate wrong answers

Option B is wrong because BGP Flowspec is designed to filter or rate-limit traffic based on flow specifications (e.g., source/destination IP, port) after routes are already installed, but it does not prevent the initial injection of invalid BGP routes; it is a reactive traffic engineering tool, not a proactive route validation mechanism. Option C is wrong because deploying RPKI validation is a longer-term, infrastructure-dependent solution that requires setting up RPKI caches, configuring routers to validate route origin, and potentially updating ROAs; it is not the first course of action when an immediate fix is needed, and it does not address the specific issue of a branch advertising other branches' prefixes (which could still pass RPKI if the AS origin is valid). Option D is wrong because increasing the BGP hold timer only affects how long a router waits for keepalive messages before declaring a peer down; it does not prevent the acceptance of invalid routes and would actually delay detection of session issues, making the problem worse.

173
MCQmedium

A software company uses a third-party library that has a known critical vulnerability. The library is used extensively and rewriting the code would take months. What is the BEST immediate action to reduce risk?

A.Remove the library from the codebase immediately
B.Disable the vulnerable feature in the library
C.Increase logging and monitoring to detect exploitation attempts
D.Implement a Web Application Firewall (WAF) rule to block exploitation
AnswerD

A WAF can provide virtual patching to mitigate the vulnerability in transit.

Why this answer

Option D is correct because implementing a Web Application Firewall (WAF) rule to block exploitation provides an immediate, compensating control that mitigates the known vulnerability without requiring code changes. This is the best immediate action because it buys time for a permanent fix while reducing risk, aligning with the principle of defense in depth. The WAF can inspect HTTP/HTTPS traffic for attack patterns (e.g., SQL injection, path traversal) specific to the vulnerable library and block malicious requests at the application layer.

Exam trap

The trap here is that candidates often choose 'Remove the library immediately' (Option A) because it seems like the most direct fix, but they fail to consider the business continuity impact and the need for a risk-based, phased approach to remediation.

How to eliminate wrong answers

Option A is wrong because removing the library immediately would break the application, causing a denial of service and potentially greater business impact than the vulnerability itself. Option B is wrong because disabling the vulnerable feature may not be feasible if the feature is integral to the library's core functionality, and it could still leave other attack surfaces exposed (e.g., memory corruption bugs). Option C is wrong because increasing logging and monitoring only detects exploitation attempts after they occur, not preventing them; it does not reduce the risk of a successful attack in real time.

174
MCQhard

Refer to the exhibit. Which of the following is true regarding the BGP routes received from neighbor 10.1.1.2?

A.The route to 10.30.0.0/16 is filtered out by an inbound route-map.
B.The route to 10.20.0.0/16 is preferred over 10.10.0.0/16 due to shorter AS path.
C.All three routes are installed in the routing table.
D.The route to 10.30.0.0/16 has a local preference of 100.
AnswerC

Correct. The '>' symbol next to each route indicates they are the best paths and thus installed in the routing table.

Why this answer

The received routes include 10.10.0.0/16, 10.20.0.0/16, and 10.30.0.0/16. The route to 10.30.0.0/16 is originated from AS 65001 (AS path shows only 65001). The other routes have longer AS paths.

The '>' symbol indicates the best path. All received routes are marked as best, meaning they are all installed in the routing table. The route to 10.30.0.0/16 has only one AS hop, so it is directly from AS 65001.

175
MCQhard

A security architect is reviewing a system that uses a microkernel operating system. The architect is concerned about potential side-channel attacks between processes. Which mitigation is most effective at the architecture level?

A.Randomize the address space layout (ASLR)
B.Implement stack canaries in all user-space applications
C.Reduce the number of system calls and IPC mechanisms
D.Use cache partitioning or cache coloring to isolate process caches
AnswerD

Cache partitioning prevents cross-process cache timing attacks.

Why this answer

D is correct because cache partitioning or cache coloring directly addresses the root cause of side-channel attacks in a microkernel environment: shared CPU caches. By isolating each process's cache footprint, an attacker cannot infer sensitive data (e.g., cryptographic keys) through timing variations or cache occupancy measurements, which is a fundamental architectural mitigation.

Exam trap

The trap here is that candidates often confuse software-based mitigations (ASLR, stack canaries) with hardware-level side-channel defenses, or mistakenly think reducing IPC eliminates all covert channels when the real threat is shared microarchitectural state.

How to eliminate wrong answers

Option A is wrong because ASLR randomizes memory addresses to hinder code-reuse attacks (e.g., ROP), but it does not prevent cache-based side channels that exploit timing differences in shared hardware resources. Option B is wrong because stack canaries detect buffer overflows in user-space applications, which is a software vulnerability mitigation unrelated to side-channel attacks between processes. Option C is wrong because reducing system calls and IPC mechanisms may shrink the attack surface for kernel exploits but does not eliminate the hardware-level cache contention that enables side-channel leakage.

176
MCQeasy

A switch port is configured with port security that allows only one MAC address. The help desk reports that a user's device cannot connect after a laptop is replaced. What should the network administrator do to resolve the issue?

A.Clear the port security counters
B.Disable port security
C.Shut down the port and re-enable
D.Change the port security to sticky MAC
AnswerA

Clearing the counters removes the existing MAC address, allowing the new one to be learned.

Why this answer

When port security is configured to allow only one MAC address and a laptop is replaced, the new MAC address is automatically blocked because the switch has already learned and secured the old MAC address. Clearing the port security counters (e.g., using `clear port-security sticky` or `clear port-security dynamic`) resets the learned MAC address, allowing the switch to learn the new device's MAC address on the next link-up. This is the standard remediation without disabling security or causing unnecessary downtime.

Exam trap

ISC2 often tests the misconception that simply bouncing the port (shut/no shut) will fix the issue, but candidates forget that the learned MAC address persists in the secure MAC table until explicitly cleared, so the port remains in violation even after re-enabling.

How to eliminate wrong answers

Option B is wrong because disabling port security removes all MAC address filtering, exposing the port to unauthorized devices and violating the security policy; it is an overreaction when a simple clear of counters suffices. Option C is wrong because simply shutting down and re-enabling the port does not clear the learned MAC address from the switch's CAM table; the port will still reject the new MAC address until the security violation is explicitly cleared. Option D is wrong because changing to sticky MAC does not resolve the immediate issue—sticky MAC dynamically learns and saves MAC addresses to the running config, but the port is currently in an error-disabled or violation state due to the new MAC, and the sticky feature does not retroactively fix the mismatch; the counters must still be cleared first.

177
Multi-Selecthard

Which TWO of the following are valid methods to enforce separation of duties in an access control system?

Select 2 answers
A.Requiring mandatory vacations for all employees
B.Using time-based restrictions to prevent overlapping tasks
C.Performing job rotation every six months
D.Configuring shared accounts for each department
E.Implementing role-based access control with mutually exclusive roles
AnswersB, E

Can enforce that two actions cannot be done by same user in same time window.

Why this answer

Time-based restrictions enforce separation of duties by preventing a single user from performing conflicting tasks during overlapping time periods. For example, a user authorized to initiate a payment transaction cannot also approve it within the same time window, ensuring that no single individual has end-to-end control over a sensitive process. This is a technical control that directly supports the principle of separation of duties in an access control system.

Exam trap

The trap here is that candidates confuse administrative controls like mandatory vacations and job rotation with technical access control mechanisms that directly enforce separation of duties at the system level.

178
MCQhard

During a risk assessment, a company identifies that its primary data center is located in a flood-prone area. The estimated annual loss expectancy (ALE) for a flood event is $500,000. Installing flood barriers costs $200,000 and reduces the ALE to $50,000. What is the net benefit of implementing the flood barriers?

A.$300,000
B.$250,000
C.$450,000
D.$200,000
AnswerB

Correct - reduction in ALE ($450,000) minus cost ($200,000) = $250,000.

Why this answer

The net benefit is calculated as the reduction in ALE minus the cost of the control. The original ALE is $500,000, and after implementing flood barriers the ALE drops to $50,000, a reduction of $450,000. Subtracting the $200,000 cost of the barriers yields a net benefit of $250,000.

This aligns with the CISSP risk management formula: Net Benefit = (ALE_old - ALE_new) - Cost_of_control.

Exam trap

The trap here is that candidates often forget to subtract the cost of the control from the reduction in ALE, leading them to select the $450,000 reduction as the net benefit instead of the correct $250,000.

How to eliminate wrong answers

Option A is wrong because $300,000 mistakenly subtracts the cost of the barriers from the original ALE ($500,000 - $200,000) without accounting for the residual ALE of $50,000. Option C is wrong because $450,000 represents only the reduction in ALE ($500,000 - $50,000) but ignores the $200,000 cost of implementing the flood barriers. Option D is wrong because $200,000 is simply the cost of the flood barriers and does not reflect any calculation of net benefit from risk reduction.

179
MCQeasy

An organization is developing an information security policy. Which of the following should be included?

A.Incident response playbooks
B.Detailed technical controls
C.Roles and responsibilities
D.Vendor contracts
AnswerC

Essential for defining accountability and governance.

Why this answer

Security policies establish high-level roles and responsibilities, mandatory requirements, and scope. Detailed technical controls are more appropriate for standards or procedures. Vendor contracts and incident response playbooks are separate documents.

180
MCQhard

A user reports that a VPN client cannot connect to the corporate gateway. The exhibit shows an excerpt from the client log. What does this indicate?

A.The VPN server certificate is expired
B.The server is using a self-signed certificate
C.The client certificate is missing
D.The client does not trust the CA that issued the server certificate
AnswerD

Correct. The error indicates the client cannot find the CA certificate.

Why this answer

The client log indicates a certificate validation failure during the TLS handshake. The error 'unable to get local issuer certificate' or similar means the client cannot find a trusted root CA that issued the server's certificate. This is a classic PKI trust issue, not an expiration or missing client certificate problem.

Exam trap

The trap here is that candidates confuse 'certificate expired' with 'untrusted CA' — both cause failures, but the log message and the underlying PKI process are different, and ISC2 often tests the distinction between trust chain errors and expiration errors.

How to eliminate wrong answers

Option A is wrong because an expired certificate would produce a different error, such as 'certificate has expired' or 'validity period mismatch', not a trust chain failure. Option B is wrong because a self-signed certificate would still cause a trust error, but the specific log message points to a missing CA in the client's trust store, not the server's certificate type. Option C is wrong because a missing client certificate would result in a 'no certificate sent' or 'bad certificate' error during client authentication, not a server certificate validation failure.

181
MCQmedium

During an internal security assessment, a tester uses a tool to attempt to crack password hashes extracted from a domain controller. Which phase of the penetration testing process does this represent?

A.Reconnaissance
B.Reporting
C.Post-exploitation
D.Exploitation
AnswerC

Password cracking is typically done after gaining initial access to further compromise the environment.

Why this answer

C is correct because cracking password hashes extracted from a domain controller occurs after the tester has already gained access to the system. This activity is part of the post-exploitation phase, where the tester escalates privileges, extracts credentials, and moves laterally. In this context, the tester is using a tool like John the Ripper or Hashcat to crack NTLM hashes, which is a classic post-exploitation step to obtain plaintext passwords for further access.

Exam trap

The trap here is that candidates often confuse post-exploitation with exploitation, mistakenly thinking that cracking hashes is part of the initial exploitation phase, when in fact exploitation is the act of gaining access, and post-exploitation includes all activities performed after that access is achieved.

How to eliminate wrong answers

Option A is wrong because reconnaissance is the initial phase of gathering information about the target without direct interaction, such as scanning open ports or enumerating services, not cracking already extracted hashes. Option B is wrong because reporting is the final phase where findings are documented and presented to stakeholders, not during active technical testing. Option D is wrong because exploitation is the phase where vulnerabilities are actively used to gain initial access or execute code on a target; cracking hashes after access is obtained is a post-exploitation activity, not the initial exploitation event.

182
Multi-Selectmedium

Which TWO are security benefits of using a federated identity model?

Select 2 answers
A.Simplified user management across organizations
B.Stronger authentication due to shared trust
C.Elimination of password policies
D.Reduced risk of credential theft
E.Single point of failure for authentication
AnswersA, B

Federation reduces account duplication and administrative overhead.

Why this answer

Option A is correct because federated identity models allow organizations to trust identities issued by other members of the federation, eliminating the need for separate user accounts and enabling simplified user management across organizational boundaries. This is achieved through standards like SAML 2.0 or OpenID Connect, where identity assertions are exchanged between identity providers (IdPs) and service providers (SPs) without duplicating user directories.

Exam trap

The trap here is that candidates confuse 'federated identity' with 'single sign-on (SSO)' and assume it inherently improves security, when in fact it centralizes trust and can increase the impact of credential theft if the IdP is compromised.

183
MCQeasy

A security architect is evaluating security models for a multilevel secure system. Which model enforces the * property (no write down) and is typically used for confidentiality?

A.Clark-Wilson
B.Brewer-Nash
C.Bell-LaPadula
D.Biba
AnswerC

Correct. Bell-LaPadula is a mandatory access control model for confidentiality with the * property.

Why this answer

The Bell-LaPadula model enforces the * (star) property, which prohibits subjects from writing to objects at a lower classification level (no write down). This property, combined with the simple security property (no read up), ensures that information cannot flow from higher to lower security levels, making it the standard model for enforcing confidentiality in multilevel secure systems.

Exam trap

ISC2 often tests the confusion between Bell-LaPadula (confidentiality, no write down) and Biba (integrity, no write up), leading candidates to mistakenly select Biba when the question specifies confidentiality.

How to eliminate wrong answers

Option A is wrong because the Clark-Wilson model focuses on integrity through well-formed transactions and separation of duty, not on confidentiality or the * property. Option B is wrong because the Brewer-Nash (Chinese Wall) model addresses conflict of interest by preventing access to competing datasets, not multilevel confidentiality with no write down. Option D is wrong because the Biba model enforces integrity via no write up and no read down, which is the inverse of Bell-LaPadula's confidentiality properties.

184
MCQhard

A company is outsourcing its customer support operations to a third-party vendor. The vendor will have access to sensitive customer data. Which of the following should be the primary security requirement in the contract with the vendor?

A.The vendor must perform annual penetration testing.
B.The vendor must conduct background checks on all employees.
C.The vendor must provide a list of all subcontractors.
D.The vendor must comply with the company's security policies and standards.
AnswerD

Policy compliance ensures the vendor protects data as the company would.

Why this answer

Option B is correct because the contract must mandate that the vendor adheres to the company's security policies and standards to ensure consistent protection. Option A is incorrect because while background checks are important, they are not the primary contractual requirement. Option C is incorrect because the company should not rely solely on vendor self-assessment.

Option D is incorrect because penetration testing is a specific activity, but the overarching requirement is compliance with policies.

185
Matchingmedium

Match each PKI component to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Issues and revokes certificates

Verifies identity before certificate issuance

List of revoked certificates

Binds a public key to an identity

Why these pairings

PKI components work together to manage digital certificates.

186
MCQhard

A large financial institution is migrating its core banking system to a private cloud. The architecture must protect against data leakage between different business units sharing the same physical infrastructure. The system uses a hypervisor and virtual machines. Each business unit has its own security classification. The security requirement is that no VM belonging to a lower classification should be able to read data from a higher classification VM, even if the hypervisor is compromised. The architect proposes using mandatory access control at the hypervisor level. However, the IT team notes that a hypervisor compromise could bypass MAC. Additionally, they need to ensure that data at rest is encrypted and keys are stored securely. Which of the following would BEST meet the requirement?

A.Implement network segmentation with VLANs and IPsec encryption between VMs.
B.Deploy a data loss prevention (DLP) system to monitor data transfers between VMs.
C.Use a public key infrastructure (PKI) to issue certificates for each VM and enforce mutual TLS for all inter-VM communication.
D.Use a hardware security module (HSM) to manage keys and implement full memory encryption using AES-256 with integrity protection, and use a trusted execution environment (TEE) for each VM, ensuring that even the hypervisor cannot access VM memory.
AnswerD

TEE provides hardware-enforced isolation; HSM secures keys. Memory encryption protects data at rest and in use.

Why this answer

Option D is correct because it addresses the core requirement: preventing data leakage even if the hypervisor is compromised. By using a hardware security module (HSM) for key management, full memory encryption with AES-256 and integrity protection, and a trusted execution environment (TEE) for each VM, the solution ensures that VM memory is encrypted and isolated at the hardware level. The hypervisor, even if compromised, cannot access the decrypted memory of a VM, thus enforcing the security classification separation regardless of hypervisor integrity.

Exam trap

The trap here is that candidates often focus on network-level controls (like encryption or segmentation) and overlook the requirement that protection must hold even when the hypervisor is compromised, which demands hardware-enforced memory isolation rather than software-only solutions.

How to eliminate wrong answers

Option A is wrong because network segmentation with VLANs and IPsec only protects data in transit between VMs, not data at rest in memory, and a compromised hypervisor could still read VM memory directly, bypassing network controls. Option B is wrong because a data loss prevention (DLP) system is a detective control that monitors data transfers but does not prevent a compromised hypervisor from reading VM memory; it cannot enforce access control at the hardware or memory level. Option C is wrong because mutual TLS with PKI certificates only secures inter-VM communication over the network, but does not protect VM memory from a compromised hypervisor that can read memory directly, bypassing network encryption.

187
Multi-Selecteasy

Which TWO are examples of 'something you know' authentication factors?

Select 2 answers
A.PIN
B.Security question answer
C.Retina scan
D.Fingerprint
E.Smart card
AnswersA, B

A secret known only to the user.

Why this answer

A PIN is a classic 'something you know' authentication factor because it relies on a secret value stored in the user's memory. Unlike biometric or possession-based factors, a PIN does not require any physical token or biological trait—only the recall of the correct numeric sequence. This aligns with the core definition of knowledge-based authentication (KBA) in IAM.

Exam trap

ISC2 often tests the distinction between authentication factor categories, and the trap here is confusing a smart card (possession) or biometric (inherence) with a knowledge factor because they may involve a PIN or password entry step, but the factor type is defined by the primary source of the secret.

188
MCQeasy

Refer to the exhibit. Which vulnerability does this code contain?

A.SQL injection
B.Command injection
C.Buffer overflow
D.Cross-site scripting (XSS)
AnswerA

User input is concatenated into the query without sanitization.

Why this answer

Option A is correct because the code concatenates user input directly into an SQL query, allowing SQL injection. Option B is wrong because buffer overflow is not present. Option C is wrong because XSS occurs in web output.

Option D is wrong because command injection involves system commands, not SQL.

189
MCQhard

A security engineer is reviewing the architecture of a system that uses the Bell-LaPadula model. The system has subjects with security clearances and objects with classifications. To prevent covert timing channels, which additional control should be implemented?

A.Enforce strict data labeling
B.Implement audit logging
C.Disable concurrent access to shared resources
D.Use encryption for data at rest
AnswerC

Correct. Limiting concurrency reduces timing channel opportunities.

Why this answer

Covert timing channels exploit the ability of a subject to modulate the timing of its access to a shared resource, thereby leaking information to another subject at a different security level. The Bell-LaPadula model enforces mandatory access control (MAC) but does not inherently prevent these channels. Disabling concurrent access to shared resources (option C) eliminates the ability to use timing variations as a signaling mechanism, directly addressing the covert channel at the resource scheduling level.

Exam trap

The trap here is that candidates confuse covert timing channels with covert storage channels (which involve writing data to a shared attribute) and incorrectly choose audit logging or encryption as a catch-all solution, rather than recognizing that timing channels require controlling the concurrency of resource access.

How to eliminate wrong answers

Option A is wrong because strict data labeling is a fundamental requirement of the Bell-LaPadula model itself (it enforces the *-property and simple security property) and does not address the temporal modulation of resource access that defines a timing channel. Option B is wrong because audit logging records events after they occur and cannot prevent the real-time signaling that a covert timing channel exploits; it is a detective, not a preventive, control. Option D is wrong because encryption for data at rest protects the confidentiality of stored data but has no effect on the timing of access to shared resources, which is the mechanism of a covert timing channel.

190
MCQmedium

An organization is transitioning from waterfall to agile development. How should security be integrated into the new process to align with the SDLC?

A.Perform a single security review at the end of the release cycle
B.Conduct security testing only during the integration phase
C.Skip threat modeling and rely solely on automated scanning
D.Include security requirements in user stories and conduct threat modeling each iteration
AnswerD

This embeds security into agile practices.

Why this answer

Option D is correct because iterative threat modeling and security user stories ensure security is part of each sprint. Option A is wrong because security only at release misses early flaws. Option B is wrong because skipping threat modeling increases risk.

Option C is wrong because automated scans alone cannot replace threat modeling.

191
MCQhard

An organization discovers that an employee has been using a personal cloud storage account to share confidential files. After revoking access, what is the NEXT best step to prevent recurrence?

A.Block access to all cloud storage sites
B.Deploy a data loss prevention (DLP) solution
C.Discipline the employee
D.Retrain all employees on data handling policy
AnswerB

DLP provides ongoing protection.

Why this answer

Deploying a Data Loss Prevention (DLP) solution is the next best step because it provides automated, policy-based monitoring and control of data in motion, at rest, and in use. DLP can inspect content for sensitive patterns (e.g., credit card numbers, proprietary file headers) and block unauthorized transfers to personal cloud storage, addressing the root cause of the incident rather than relying on manual enforcement.

Exam trap

The trap here is that candidates often choose retraining (D) because it seems like a proactive people-focused control, but the CISSP emphasizes that technical controls (like DLP) are necessary to enforce policy and prevent recurrence, especially after a security incident involving data exfiltration.

How to eliminate wrong answers

Option A is wrong because blocking all cloud storage sites is an overly restrictive, reactive measure that can hinder legitimate business operations and is easily bypassed by employees using encrypted tunnels or alternative services. Option C is wrong because disciplining the employee addresses the individual but does not implement a technical control to prevent recurrence across the organization. Option D is wrong because retraining alone is insufficient; without technical enforcement, employees may still inadvertently or deliberately violate policy, and training does not detect or block future violations in real time.

192
MCQmedium

Refer to the exhibit. Which security weakness should be addressed first in this Dockerfile?

A.Installing Python without version pinning
B.No multistage build is used
C.The container runs as root by default
D.The use of 'latest' tag for the base image
AnswerC

Running as root greatly increases the attack surface; a non-root user should be created.

Why this answer

Option C is correct because running as root inside the container increases the impact of a compromise. Option A is wrong because Python itself is not a weakness. Option B is wrong because pinning base image tags is important but less critical than running as root.

Option D is wrong because multistage builds are a best practice but not the most urgent issue.

193
Multi-Selectmedium

Your organization is forming an incident response team (IRT). According to NIST SP 800-61, which TWO roles are considered core to the incident response team?

Select 2 answers
A.Public Relations
B.Technical Lead
C.Manager
D.Legal Counsel
E.Human Resources
AnswersB, C

The technical lead drives forensic analysis and containment, a core role.

Why this answer

NIST SP 800-61 Rev. 2 identifies the Team Manager and the Technical Lead as core roles within an incident response team. The Manager oversees the response process, allocates resources, and coordinates communication, while the Technical Lead drives the technical analysis, containment, and eradication efforts. These two roles are essential for both strategic direction and hands-on technical execution during an incident.

Exam trap

The trap here is that candidates often confuse 'supporting roles' (like PR, Legal, HR) with 'core roles,' but NIST SP 800-61 strictly limits core IRT to Manager and Technical Lead to ensure rapid, focused technical response without bureaucratic delays.

194
MCQhard

Refer to the exhibit. An organization uses this ACL on the external interface of a border router to control access to internal services. A security analyst discovered that an attacker from the Internet was able to SSH into the internal server at 192.168.1.100. Which of the following is the MOST likely reason for this security gap?

A.The final permit ip any any rule allows all traffic, bypassing the other rules
B.The ACL permits HTTP traffic to host 10.0.0.1 which could be used as a pivot
C.The ACL permits SSH from any source in 10.0.0.0/8 to the internal host, allowing an external attacker to spoof an internal IP
D.The ACL is applied inbound on the external interface, so it should block all external traffic, but the permit rules override
AnswerC

An attacker can spoof an IP address in the 10.0.0.0/8 range to bypass the ACL and SSH into the server.

Why this answer

Option C is correct because the ACL permits SSH (TCP port 22) from any source within the 10.0.0.0/8 range to the internal host 192.168.1.100. Since 10.0.0.0/8 is a private RFC 1918 address space, an external attacker can spoof a source IP in that range, bypassing the intended restriction that only internal hosts should use those addresses. The ACL does not validate the source IP's legitimacy, so a spoofed packet from the Internet matching the permit rule will be allowed through.

Exam trap

ISC2 often tests the misconception that an ACL's permit rule for a private IP range is safe because those addresses are not routable on the Internet, but the trap is that attackers can spoof those source IPs, and the ACL will allow the traffic if it matches the permit criteria.

How to eliminate wrong answers

Option A is wrong because the 'permit ip any any' rule is the final catch-all, but it only applies after all preceding rules are evaluated; if a packet matches an earlier permit rule (like the SSH rule), it is allowed before reaching the final rule, so the final rule is not the cause of the SSH gap. Option B is wrong because permitting HTTP to host 10.0.0.1 does not directly enable SSH access to 192.168.1.100; while a pivot could theoretically be used, the question specifically asks why the attacker was able to SSH directly into the internal server, and the HTTP rule does not permit SSH traffic. Option D is wrong because applying the ACL inbound on the external interface is correct for filtering incoming traffic; the permit rules do not 'override' the inbound direction—they define what is allowed, and the SSH rule explicitly permits the spoofed traffic, so the direction is not the issue.

195
MCQeasy

Refer to the exhibit. What is the most likely cause of the denied traffic?

A.The firewall rule has a typo
B.The source IP is attempting a port scan
C.The inside host is down
D.The destination port is not allowed
AnswerB

Multiple source ports to same destination indicates scanning behavior.

Why this answer

The exhibit shows a firewall log where traffic from a single source IP (10.0.0.2) to a single destination IP (192.168.1.10) is denied on multiple different destination ports (e.g., 22, 80, 443) within a short time window. This pattern of sequential probes to distinct ports is characteristic of a port scan, which firewalls often detect and block as a reconnaissance attempt. The firewall rule is likely configured to deny such scanning behavior, not just a single port or typo.

Exam trap

The trap here is that candidates see multiple denied ports and assume the destination port is not allowed, missing the contextual clue of sequential probes from one source that indicates a port scan rather than a simple access control list issue.

How to eliminate wrong answers

Option A is wrong because a typo in a firewall rule would typically cause consistent denial for all traffic matching that rule, not a pattern of multiple port attempts from the same source. Option C is wrong because if the inside host were down, the firewall would likely show no response or a timeout, not explicit denies for multiple ports. Option D is wrong because the log shows denies on several different ports (22, 80, 443), indicating the issue is not a single disallowed port but a broader pattern of scanning.

196
MCQmedium

A financial application uses a third-party library for PDF generation. A security review finds that the library is no longer maintained and has known vulnerabilities. What is the BEST course of action?

A.Restrict network access to the PDF server.
B.Encrypt all PDF files after generation.
C.Implement a web application firewall to block attacks targeting the library.
D.Replace the library with a maintained alternative.
AnswerD

Replacing the library permanently eliminates the vulnerability.

Why this answer

Option B is correct because replacing the library with a maintained alternative directly addresses the root cause of using an unmaintained, vulnerable library. Option A is wrong because a WAF only mitigates some attacks without fixing the underlying vulnerability. Option C is wrong because encryption does not prevent exploitation of the library.

Option D is wrong because network restrictions do not fix the library's vulnerabilities.

197
Drag & Dropmedium

Drag and drop the steps for a secure software development lifecycle (SDLC) in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Secure SDLC integrates security at each phase: requirements, design, implementation, testing, and deployment.

198
MCQeasy

A small business wants to ensure compliance with GDPR for its customer data. What is the initial action required to comply with GDPR?

A.Obtain consent from all data subjects
B.Implement pseudonymization techniques
C.Conduct a Data Protection Impact Assessment (DPIA)
D.Map data flows and identify personal data
AnswerD

Identifying what data is held and how it moves is the first step in any compliance program.

Why this answer

Before implementing controls or appointing a DPO, the organization must first understand what data it processes and where it flows. Mapping data flows and identifying personal data is the foundational step for all subsequent compliance activities.

199
Drag & Dropmedium

Drag and drop the steps for a forensic investigation in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Forensic process: identification, collection, preservation, analysis, and reporting.

200
Multi-Selecteasy

Which TWO of the following are considered the primary access control models in the context of the CISSP? (Select two.)

Select 2 answers
A.Role-Based Access Control (RBAC)
B.Mandatory Access Control (MAC)
C.Attribute-Based Access Control (ABAC)
D.Discretionary Access Control (DAC)
E.Risk-Based Access Control
AnswersB, D

MAC is the other primary model with system-enforced policies.

Why this answer

Mandatory Access Control (MAC) is a primary access control model where access decisions are based on fixed security labels (e.g., classification levels like Top Secret, Secret, Confidential) assigned to subjects and objects by a central authority. The system enforces these labels, and users cannot override them, making it a core model for high-security environments such as military or government systems. In the CISSP context, MAC and DAC are traditionally considered the two foundational models, with RBAC and ABAC often treated as extensions or implementations of DAC.

Exam trap

ISC2 often tests the misconception that RBAC or ABAC are 'primary' models because they are modern and common, but the CISSP exam historically defines MAC and DAC as the two primary models, with others as derivatives or extensions.

201
MCQmedium

A company uses a SIEM to correlate logs from multiple sources. Which log source is most critical for detecting privilege escalation attacks?

A.Authentication logs
B.DNS logs
C.Firewall logs
D.Web server logs
AnswerA

Authentication logs contain login attempts and account changes indicative of privilege escalation.

Why this answer

Authentication logs are most critical for detecting privilege escalation attacks because they record user identity changes, such as the use of 'su' or 'sudo' commands, and account modifications like group membership changes. A SIEM can correlate these events with other logs to identify anomalous privilege transitions, such as a standard user suddenly acquiring administrative rights, which is a hallmark of privilege escalation.

Exam trap

The trap here is that candidates often choose firewall logs or DNS logs because they associate them with detecting attacks in general, but the question specifically targets privilege escalation, which requires logs that capture user identity and privilege changes, not network-level events.

How to eliminate wrong answers

Option B (DNS logs) is wrong because DNS logs primarily track domain name resolution queries and are useful for detecting command-and-control (C2) traffic or data exfiltration, not direct privilege escalation events. Option C (Firewall logs) is wrong because firewall logs record network traffic allowed or blocked based on IP addresses and ports, which can indicate lateral movement but do not capture the user-level account changes or privilege transitions that define privilege escalation. Option D (Web server logs) is wrong because web server logs record HTTP requests and responses, which are valuable for detecting web application attacks like SQL injection or cross-site scripting, but they do not directly log operating system-level privilege changes or authentication events.

202
MCQhard

Your organization is a medium-sized e-commerce company with a hybrid infrastructure: on-premises datacenter and AWS cloud. The security team recently conducted an internal vulnerability scan of the on-premises network and discovered multiple critical vulnerabilities in a legacy ERP system that cannot be patched because the vendor no longer supports it. The ERP system is essential for order processing and cannot be decommissioned. The team also ran a penetration test against the cloud environment and found that an attacker with network access could leverage misconfigured security groups to move laterally between instances. The company has a risk appetite that allows for limited risk acceptance with compensating controls. As the senior security analyst, what is the BEST course of action?

A.Immediately isolate the legacy ERP system from the network and implement a manual workaround for order processing.
B.Decommission the legacy ERP system and migrate to a modern alternative, accepting a temporary disruption in operations.
C.Accept the risk for both findings and document them in the risk register without additional controls.
D.Apply virtual patching via an intrusion prevention system (IPS) for the ERP vulnerabilities and implement stricter security group rules in the cloud to restrict lateral movement.
AnswerD

Virtual patching and network segmentation provide effective compensating controls that reduce risk while maintaining operations.

Why this answer

Option B provides compensating controls: virtual patching for the ERP vulnerabilities and stricter security group rules to restrict lateral movement in the cloud. This aligns with the risk appetite by reducing risk without immediate replacement. Option A is too disruptive, option C ignores the need for controls, and option D is a long-term solution that would cause unacceptable disruption.

203
MCQeasy

A small business wants to implement a secure wireless network for its office. They have a limited budget and want to ensure that data in transit is encrypted and that only authorized devices can connect. The office has 20 employees and a few guests. The business owner has heard about WPA2 and WPA3. They are concerned about security but also about compatibility with older devices. Which of the following is the BEST recommendation for a security architect?

A.Deploy WPA3-Enterprise with a RADIUS server and use TLS 1.3 for authentication, and for devices that do not support WPA3, use a separate SSID with WPA2-Enterprise and strong passphrase.
B.Use WPA2-PSK with a long complex passphrase and change it monthly.
C.Use open network with MAC filtering to control access.
D.Deploy WPA3-Personal with SAE and disable all older protocols.
AnswerA

Provides strong security and backward compatibility; enterprise mode with RADIUS allows per-user authentication.

Why this answer

Option A is the best recommendation because it balances security, compatibility, and budget. WPA3-Enterprise with a RADIUS server and TLS 1.3 provides strong, per-user authentication and encryption for modern devices, while a separate SSID with WPA2-Enterprise (not PSK) allows older devices to connect securely without compromising the network's overall security posture. This dual-SSID approach ensures that all traffic is encrypted and only authorized devices can connect, addressing the business's core requirements.

Exam trap

The trap here is that candidates often assume WPA2-PSK with a strong passphrase is sufficient for a small business, overlooking the fact that PSK lacks per-user authentication and is vulnerable to offline brute-force attacks, making WPA2-Enterprise or WPA3-Enterprise the correct choice for environments requiring both security and compatibility.

How to eliminate wrong answers

Option B is wrong because WPA2-PSK uses a pre-shared key that is shared among all devices, making it vulnerable to offline dictionary attacks and key compromise; changing the passphrase monthly does not mitigate the fundamental weakness of shared key authentication and adds administrative burden. Option C is wrong because an open network with MAC filtering provides no encryption for data in transit, and MAC addresses can be easily spoofed, offering no real access control. Option D is wrong because disabling all older protocols would prevent older devices that do not support WPA3 from connecting, which contradicts the business's need for compatibility with legacy hardware.

204
MCQeasy

A security auditor is reviewing the results of a recently completed internal vulnerability scan. The scan report shows several hosts with the same vulnerability. Which of the following actions should the auditor take FIRST?

A.Manually verify the vulnerability on a sample of affected hosts.
B.Immediately apply patches to all affected hosts.
C.Remove the hosts from the network until the vulnerability is resolved.
D.Re-run the scan with a different scanner.
AnswerA

Manual verification confirms the finding and reduces false positives.

Why this answer

The auditor must first manually verify the vulnerability on a sample of affected hosts because automated vulnerability scans can produce false positives due to factors like incomplete banner grabbing, outdated plugin signatures, or network-level interference. Confirming the finding ensures that subsequent remediation efforts are based on accurate, validated data, preventing wasted resources on non-existent issues.

Exam trap

The trap here is that candidates may assume automated scan results are always accurate and jump to remediation (Option B) or isolation (Option C), failing to recognize that the first step in the assessment process is to validate findings to avoid acting on false positives.

How to eliminate wrong answers

Option B is wrong because immediately applying patches without verification risks introducing instability or breaking functionality if the vulnerability is a false positive, and it bypasses the change management process required in a secure environment. Option C is wrong because removing hosts from the network is an overly drastic and disruptive response that should only be considered after the vulnerability is confirmed and the risk is assessed as critical, not as a first step. Option D is wrong because re-running the scan with a different scanner does not address the need for manual validation; it merely repeats an automated process that may still produce false positives due to inherent scanner limitations.

205
MCQmedium

A company implements a centralized authentication system using RADIUS for network devices. The security team notices that after a user's password is changed in Active Directory, the user can still authenticate to network devices using the old password for up to 30 minutes. What is the most likely cause?

A.Kerberos ticket lifetime
B.Network devices caching authentication responses
C.Active Directory replication delay
D.RADIUS server caching credentials
AnswerB

Network devices often cache successful authentications, causing the old password to be accepted until cache expires.

Why this answer

Option C is correct because network devices often cache successful authentication responses, so they accept the old password until the cache expires. Option A is wrong because RADIUS servers typically forward authentication to the directory and do not cache credentials. Option B is wrong because it is not the primary cause in this scenario.

Option D is wrong because Kerberos ticket lifetimes are unrelated to password changes in this context.

206
MCQeasy

A security architect is selecting an access control model for a system that must prevent users from reading objects at a higher classification level. Which model enforces this property?

A.Bell-LaPadula
B.Clark-Wilson
C.Biba
D.Brewer-Nash
AnswerA

Bell-LaPadula enforces simple security property (no read-up).

Why this answer

The Bell-LaPadula model enforces mandatory access control (MAC) with the *-property (no write-down) and the simple security property (no read-up). The question specifically asks to prevent reading objects at a higher classification level, which is exactly the 'no read-up' rule of Bell-LaPadula. This model is designed for confidentiality-focused systems, such as military or government classified environments.

Exam trap

The trap here is that candidates often confuse the Biba model (integrity, no read-down) with Bell-LaPadula (confidentiality, no read-up), so they incorrectly select Biba when the question explicitly asks about preventing reading at a higher classification level.

How to eliminate wrong answers

Option B (Clark-Wilson) is wrong because it focuses on integrity and enforces separation of duties and well-formed transactions, not on preventing read-up based on classification levels. Option C (Biba) is wrong because it is an integrity model that prevents subjects from writing to higher integrity levels (no write-up) and reading from lower integrity levels (no read-down), which is the opposite of the confidentiality requirement in the question. Option D (Brewer-Nash) is wrong because it is designed to prevent conflicts of interest (Chinese Wall model) by dynamically controlling access based on previously accessed datasets, not by enforcing static classification levels.

207
MCQhard

Refer to the exhibit. A security auditor is reviewing the network ACLs for a cloud VPC. Which of the following is the most significant security concern?

A.The outbound rules allow all traffic
B.SSH (port 22) is allowed from a large IP range
C.RDP (port 3389) is allowed from a trusted internal subnet
D.The VPC ID is exposed
AnswerB

Allowing SSH from 10.0.0.0/8 is overly broad and exposes administrative access to many potential attackers within that range.

Why this answer

Allowing SSH (port 22) from a large IP range (e.g., 0.0.0.0/0 or a wide CIDR) exposes the management interface to the entire internet, making it trivial for attackers to launch brute-force or credential-stuffing attacks. This violates the principle of least privilege and is a common misconfiguration that leads to unauthorized access.

Exam trap

The trap here is that candidates may focus on the outbound rule being too permissive (Option A) or the VPC ID exposure (Option D), but the most immediate and exploitable risk is the unrestricted inbound SSH access from a large IP range.

How to eliminate wrong answers

Option A is wrong because outbound rules allowing all traffic are often necessary for cloud VPCs to reach the internet for updates or external services, and while not ideal, it is less critical than exposing inbound management ports. Option C is wrong because RDP allowed from a trusted internal subnet is a proper security practice, as it restricts access to a known, controlled network segment. Option D is wrong because the VPC ID is not sensitive information; it is often visible in logs and network paths and does not directly enable an attack.

208
MCQmedium

A hospital chain collects and stores electronic health records (EHR) for millions of patients. The EHR system is hosted in a private cloud and accessed by doctors, nurses, and administrative staff from various locations. Recently, an internal audit found that several employees shared their login credentials with colleagues to expedite workflows. The hospital must comply with HIPAA and state privacy laws. The security officer wants to implement a solution that minimizes the risk of unauthorized access due to shared credentials while still allowing efficient access for patient care. Which of the following is the BEST approach?

A.Implement single sign-on (SSO) integrated with role-based access control (RBAC) and enforce audit logging of all access
B.Enforce a policy requiring password changes every 30 days and complexity requirements
C.Replace passwords with biometric authentication (fingerprint and iris scans) for all users
D.Disable remote access to the EHR system and require all access to occur only from within the hospital's LAN
AnswerA

SSO reduces password fatigue, RBAC ensures users only have necessary access, and logging provides accountability to deter sharing.

Why this answer

SSO integrated with RBAC reduces the attack surface of shared credentials by centralizing authentication and enforcing least-privilege access based on job roles. Audit logging provides non-repudiation and traceability, which deters credential sharing and satisfies HIPAA's requirement to track access to ePHI. This combination directly addresses the root cause (shared credentials) while maintaining workflow efficiency through seamless authentication.

Exam trap

The trap here is that candidates often choose biometric authentication (C) thinking it eliminates credential sharing, but they overlook that biometrics can be bypassed or shared (e.g., a user holding a fingerprint scanner for a colleague) and introduce significant privacy and revocation challenges under HIPAA.

How to eliminate wrong answers

Option B is wrong because frequent password changes and complexity requirements do not prevent credential sharing; they often increase user frustration, leading to even more sharing or insecure storage. Option C is wrong because biometric authentication introduces privacy and usability concerns (e.g., false rejection rates, inability to revoke compromised biometrics) and does not inherently prevent users from sharing a single enrolled device or bypassing the system. Option D is wrong because disabling remote access severely impacts patient care and operational efficiency, and it does not address the core issue of credential sharing among authorized users within the LAN.

209
MCQeasy

A company wants to ensure that its security policy is effectively enforced across all departments. Currently, the policy is published on the intranet and included in the employee handbook. However, the security team notices that many employees are not following the policy, leading to security incidents. Which of the following would be the most effective way to improve policy enforcement?

A.Include the policy in the employee handbook
B.Require annual signed acknowledgment of the policy
C.Conduct random audits and penalize non-compliance
D.Publish the policy on the intranet only
AnswerB

Active acknowledgment ensures awareness and creates accountability.

Why this answer

Requiring annual signed acknowledgment ensures that employees are aware of and agree to comply with the policy. This creates a record of acceptance and can be used in disciplinary actions. Publishing on intranet or handbook alone does not guarantee reading or acceptance.

Random audits with penalties may enforce compliance but without awareness, employees may not know what is expected.

210
MCQmedium

A security architect is designing a cryptographic system for a high-security environment where data must be encrypted both at rest and in transit, with granular access control. The system must be efficient for large volumes of data. Which approach is most appropriate?

A.Use symmetric encryption (e.g., AES-256) for all data and share keys out-of-band.
B.Use only asymmetric encryption (e.g., RSA) for all data.
C.Use asymmetric encryption for key exchange and symmetric encryption for data (hybrid cryptosystem).
D.Use hash functions (e.g., SHA-256) to ensure confidentiality.
AnswerC

Hybrid encryption combines efficiency of symmetric with secure key exchange of asymmetric.

Why this answer

Option C is correct because a hybrid cryptosystem combines the efficiency of symmetric encryption (e.g., AES-256) for bulk data encryption with the secure key distribution of asymmetric encryption (e.g., RSA or ECDH). This approach ensures strong confidentiality for large volumes of data at rest and in transit, while enabling granular access control through per-user or per-session key management.

Exam trap

The trap here is that candidates may choose symmetric encryption alone (Option A) because it is fast, overlooking the critical need for secure key distribution and granular access control that only a hybrid system provides.

How to eliminate wrong answers

Option A is wrong because sharing symmetric keys out-of-band is impractical and insecure for large-scale, high-security environments; it lacks scalability and does not support granular access control without a secure key distribution mechanism. Option B is wrong because asymmetric encryption alone is computationally expensive and impractically slow for encrypting large volumes of data, making it unsuitable for bulk encryption. Option D is wrong because hash functions (e.g., SHA-256) are one-way and provide data integrity, not confidentiality; they cannot encrypt data or protect it from disclosure.

211
MCQmedium

A network analyst suspects a host on the internal network is sending abnormal amounts of traffic. Which tool should be used to capture and analyze the packets?

A.Wireshark
B.Nmap
C.Netstat
D.Traceroute
AnswerA

Wireshark captures and analyzes packets in detail.

Why this answer

Wireshark is the correct tool because it is a packet analyzer that captures live network traffic and provides deep inspection of individual packets, including headers and payloads. This allows the analyst to examine the abnormal traffic patterns, identify source/destination IPs, protocols, and payload content to diagnose the issue.

Exam trap

The trap here is that candidates often confuse Nmap's ability to send and receive packets for scanning with actual packet capture and analysis, but Nmap does not provide the deep packet inspection or continuous capture that Wireshark offers.

How to eliminate wrong answers

Option B (Nmap) is wrong because Nmap is a network scanning tool used for host discovery, port scanning, and service enumeration, not for capturing and analyzing live packet traffic. Option C (Netstat) is wrong because Netstat displays active network connections, routing tables, and interface statistics, but it does not capture or analyze packet contents. Option D (Traceroute) is wrong because Traceroute is a diagnostic tool that maps the path packets take to a destination by manipulating TTL values, not for capturing or analyzing packet payloads.

212
MCQeasy

Which data lifecycle phase involves the process of determining the value of data and assigning appropriate controls to protect it?

A.Create
B.Destroy
C.Store
D.Classify
AnswerD

Classification involves assessing data value and assigning security labels.

Why this answer

The Classify phase is where data is evaluated for its sensitivity and criticality, leading to the assignment of a classification label (e.g., public, internal, confidential, restricted). This classification directly drives the selection of appropriate security controls (encryption, access controls, retention policies) to protect the data throughout its lifecycle. Without classification, controls cannot be properly scoped or enforced.

Exam trap

The trap here is that candidates often confuse the 'Classify' phase with the 'Store' phase, assuming that controls are assigned when data is stored, but classification must logically precede storage to define the appropriate protection level.

How to eliminate wrong answers

Option A is wrong because the Create phase involves the initial generation or capture of data, not the determination of its value or the assignment of protective controls. Option B is wrong because the Destroy phase is the final stage where data is securely erased or disposed of, which occurs after classification and control assignment. Option C is wrong because the Store phase focuses on the secure retention of data on media (e.g., encrypted disks, databases), but the decision of what controls to apply is determined earlier during classification.

213
Multi-Selecteasy

Which three are network-layer security controls in a defense-in-depth strategy? (Choose THREE.)

Select 3 answers
A.Antivirus
B.Access control lists (ACLs)
C.Data encryption at rest
D.Firewall
E.Intrusion Detection System (IDS)
AnswersB, D, E

Filters traffic based on IP addresses and ports.

Why this answer

Access control lists (ACLs) operate at Layer 3 by filtering traffic based on source and destination IP addresses, using rules that permit or deny packets as they traverse a router or Layer 3 switch. This makes ACLs a fundamental network-layer security control in a defense-in-depth strategy, as they enforce traffic segmentation and restrict unauthorized network access.

Exam trap

The trap here is that candidates confuse network-layer controls with host-based or data-at-rest protections, mistakenly selecting antivirus or encryption at rest because they are common security measures, but they operate at different layers of the OSI model.

214
Multi-Selecteasy

Which TWO of the following are characteristics of a VPN that uses TLS?

Select 2 answers
A.Provides confidentiality
B.Requires a digital certificate on the server
C.Provides integrity
D.Operates at the network layer
E.Typically uses UDP port 500
AnswersA, C

TLS encrypts data, ensuring confidentiality.

Why this answer

TLS-based VPNs, such as OpenVPN in TLS mode, provide confidentiality through encryption of the tunneled traffic using symmetric ciphers (e.g., AES) negotiated during the TLS handshake. They also provide integrity via message authentication codes (e.g., HMAC) applied to each record, ensuring data has not been altered in transit. These are fundamental security services of the TLS protocol itself.

Exam trap

The trap here is that candidates confuse TLS VPNs with IPsec VPNs, incorrectly associating UDP port 500 or network layer operation with TLS, or assuming a digital certificate is mandatory for all TLS VPN deployments.

215
MCQhard

An organization uses a role-based access control (RBAC) model. After an audit, it was discovered that users have accumulated excessive permissions due to role proliferation. The security architect proposes migrating to an attribute-based access control (ABAC) model. Which challenge is MOST likely to be encountered during this migration?

A.Difficulty in assigning roles to users.
B.Reduced performance due to policy evaluation overhead.
C.Lack of support for ABAC in legacy applications.
D.Increased complexity in defining and managing attributes.
AnswerD

ABAC policies depend on attributes; creating and maintaining them is complex.

Why this answer

Option D is correct because migrating from RBAC to ABAC requires defining a comprehensive set of attributes (subject, resource, environment) and the policies that combine them, which is inherently more complex than managing static role assignments. Role proliferation in RBAC often results from an attempt to mimic attribute-based decisions, but ABAC shifts the complexity from role engineering to attribute governance and policy logic, making attribute definition and management the primary challenge.

Exam trap

The trap here is that candidates confuse the operational challenge of performance (Option B) with the architectural challenge of attribute management, but CISSP emphasizes that the most significant hurdle in ABAC adoption is the complexity of defining and governing attributes, not the runtime evaluation speed.

How to eliminate wrong answers

Option A is wrong because RBAC already involves assigning roles to users, and migrating to ABAC eliminates the need for role assignment entirely, replacing it with attribute-based policy evaluation; difficulty in assigning roles is a pre-existing RBAC problem, not a new challenge of migration. Option B is wrong while ABAC can introduce performance overhead due to real-time policy evaluation, this is typically mitigated by policy caching and optimized engines, and it is not the most likely challenge compared to the fundamental complexity of attribute management. Option C is wrong because lack of support for ABAC in legacy applications is a potential integration issue, but it is not the most likely challenge; many legacy systems can be adapted via a policy enforcement point (PEP) or attribute proxy, whereas the core difficulty lies in defining and maintaining the attribute schema and policies themselves.

216
MCQhard

Refer to the exhibit. Which attack is this OAuth authorization server policy vulnerable to?

A.Privilege escalation via scope confusion
B.Cross-site scripting (XSS)
C.Cross-site request forgery (CSRF)
D.SQL injection
AnswerA

Default permissions can grant unintended access if not carefully scoped.

Why this answer

Option B is correct because the default_permissions include 'file:read', which could allow an attacker to obtain read access without proper scope assignment. Option A is wrong because CSRF is mitigated by tokens, not scope policy. Option C is wrong because XSS is a client-side vulnerability.

Option D is wrong because injection requires untrusted input to change the policy.

217
MCQmedium

You are the security manager for a financial services firm that processes credit card transactions. The company is required to comply with PCI DSS. During a recent internal audit, you discover that the network segmentation between the cardholder data environment (CDE) and the corporate network is not properly implemented. Specifically, a firewall rule allows unrestricted traffic from the corporate network to the CDE. This exposes sensitive cardholder data to potential unauthorized access. The IT manager argues that this rule is necessary for business operations because several applications need to access the CDE for reporting purposes. You need to address this risk while minimizing business disruption. Which of the following is the BEST course of action?

A.Encrypt all cardholder data at rest so that even if accessed, it is protected.
B.Accept the risk because the corporate network is already protected by other controls.
C.Remove the firewall rule immediately to ensure compliance, then work with IT to find alternative solutions.
D.Implement a jump server that requires multi-factor authentication and logging for all access to the CDE, and restrict the rule to only allow traffic from the jump server.
AnswerD

Correct - This enforces segmentation while allowing necessary access.

Why this answer

Option D is correct because it enforces the principle of least privilege and secure access to the CDE without disrupting business operations. By implementing a jump server with multi-factor authentication and logging, you create a controlled, auditable gateway that restricts all corporate-to-CDE traffic to a single, hardened host. This satisfies PCI DSS requirement 1.3 (network segmentation) by reducing the attack surface while still allowing necessary reporting access.

Exam trap

The trap here is that candidates often choose immediate removal (Option C) thinking compliance requires zero tolerance, but CISSP emphasizes balancing security with business continuity and implementing compensating controls before removing critical access.

How to eliminate wrong answers

Option A is wrong because encrypting data at rest does not prevent unauthorized access or exfiltration; it only protects confidentiality if the data is stolen, but the firewall rule still exposes the CDE to active attacks (e.g., SQL injection, lateral movement). Option B is wrong because accepting the risk violates PCI DSS compliance requirements for network segmentation and could lead to fines, loss of merchant status, or data breach liability; the corporate network is not a substitute for CDE-specific controls. Option C is wrong because immediately removing the firewall rule without an alternative solution would cause business disruption, breaking critical reporting applications and potentially leading to operational failure or shadow IT workarounds.

218
MCQmedium

A company is developing a mobile payment application. To comply with PCI DSS, what should be implemented to protect cardholder data during transmission?

A.Apply base64 encoding.
B.Use RC4 encryption.
C.Implement TLS 1.2 or higher with strong ciphers.
D.Use SSL 3.0.
AnswerC

TLS provides secure, authenticated encryption.

Why this answer

TLS 1.2 or higher with strong ciphers is the current standard for secure transmission. RC4 and SSL 3.0 are deprecated. Base64 is encoding, not encryption.

219
MCQhard

A company is designing an access control system for a highly sensitive database. They want to ensure that only authorized users can access data, and that access is automatically revoked when the user's context changes (e.g., job role change). Which model BEST meets these requirements?

A.Attribute-based access control (ABAC) with dynamic policy evaluation.
B.Discretionary access control (DAC) with access control lists.
C.Role-based access control (RBAC) with periodic reviews.
D.Mandatory access control (MAC) with security labels.
AnswerA

ABAC can evaluate attributes like job role in real time and adjust access.

Why this answer

ABAC with dynamic policy evaluation is the best fit because it uses attributes (user, resource, environment) to make real-time access decisions. This allows access to be automatically revoked when context changes, such as a job role update, without manual intervention or periodic reviews.

Exam trap

The trap here is that candidates often choose RBAC (Option C) because it is role-based and seems to handle role changes, but they miss that RBAC typically requires manual or periodic updates to revoke access, whereas ABAC provides automatic, real-time revocation based on dynamic attribute changes.

How to eliminate wrong answers

Option B (DAC) is wrong because it relies on resource owners to grant permissions via ACLs, which lacks automatic revocation based on context changes and introduces security risks from user-controlled access. Option C (RBAC) is wrong because while it uses roles, it typically requires periodic reviews or manual updates to revoke access when a role changes, not automatic dynamic revocation. Option D (MAC) is wrong because it enforces access based on fixed security labels (e.g., classification levels) and does not adapt to dynamic context changes like job role updates; it is designed for static, hierarchical security policies.

220
Multi-Selectmedium

Which TWO of the following are essential elements of a secure software development lifecycle (SSDLC)? (Select exactly 2.)

Select 2 answers
A.Security testing during the verification phase
B.Threat modeling during the design phase
C.Code obfuscation after compilation
D.Penetration testing after deployment
E.User acceptance testing before release
AnswersA, B

Security testing validates that security requirements are met.

Why this answer

Options A and B are correct because threat modeling during design and security testing during verification are standard phases in SSDLC. Option C is wrong because user acceptance testing is functional, not security-focused. Option D is wrong because code obfuscation is a post-development technique, not a lifecycle element.

Option E is wrong because penetration testing is part of security testing, not a separate phase.

221
MCQhard

Based on the SIEM correlation rule, what behavior is this rule designed to detect?

A.Account lockout due to excessive failures
B.Successful login after multiple retries
C.Brute force attack from a single source IP
D.Password spraying attack against multiple accounts
AnswerC

The condition detects >5 failed logins within 120 seconds from a single source, indicating a brute force attempt.

Why this answer

The SIEM correlation rule counts failed login attempts from a single source IP within a defined time window (e.g., 10 failures in 5 minutes). When the threshold is exceeded, it triggers an alert. This pattern is characteristic of a brute force attack, where an attacker tries many passwords against one account or a few accounts from the same IP address.

Exam trap

The trap here is that candidates confuse the high-volume, single-source pattern of a brute force attack with the low-volume, multi-account pattern of a password spray, leading them to select option D.

How to eliminate wrong answers

Option A is wrong because account lockout due to excessive failures is a system response (e.g., Active Directory lockout policy), not the behavior the SIEM rule detects; the rule detects the failed attempts themselves, not the lockout event. Option B is wrong because a successful login after multiple retries is a single event that could be legitimate (e.g., user forgetting password), not a pattern of many failures from one IP; the rule focuses on the volume of failures, not the eventual success. Option D is wrong because password spraying attacks target many accounts with a few common passwords from a single IP, which would generate fewer failures per account and might not trigger a per-IP threshold; the rule is designed for high failure rates from one IP, which is typical of brute force, not spraying.

222
Multi-Selecteasy

Which TWO of the following are fundamental phases of a secure software development lifecycle (SSDLC) where security should be integrated? (Select exactly two.)

Select 2 answers
A.Testing and validation
B.Software retirement
C.User acceptance testing
D.Production operations
E.Requirements gathering
AnswersA, E

Security testing should occur before release.

Why this answer

Options C and E are correct. Security requirements must be defined early; security testing should be performed before deployment. Option A is wrong because production operations are post-deployment.

Option B is wrong because retirement is final. Option D is wrong because it is too late.

223
Multi-Selecthard

Which THREE are components of a privileged access management (PAM) solution?

Select 3 answers
A.Credential vaulting
B.Password complexity rules
C.Multi-factor authentication for all users
D.Just-in-time privilege elevation
E.Session recording and monitoring
AnswersA, D, E

Securely storing and rotating privileged credentials.

Why this answer

Credential vaulting is a core component of PAM because it securely stores privileged account credentials (e.g., root, admin, service accounts) in an encrypted repository, often using hardware security modules (HSMs) or strong encryption like AES-256. It enforces strict access controls, rotation policies, and checkout/check-in workflows to prevent credential exposure and misuse.

Exam trap

The trap here is that candidates confuse general security best practices (like password complexity or MFA for all users) with the specific architectural components that define a PAM solution, leading them to select options that are not core PAM elements.

224
MCQmedium

A network administrator finds the above log entry. The source IP 192.168.1.10 is a user workstation. What does this log entry indicate?

A.An external host attempted to connect to the workstation on port 80
B.The firewall detected an intrusion attempt from the workstation
C.The workstation attempted to access a web server on the internet and the traffic was blocked by an inbound ACL
D.The workstation successfully connected to a web server on the internet
AnswerC

The ACL 'OUTSIDE_IN' is applied to the outside interface and denied the traffic.

Why this answer

Option C is correct because the log entry shows a packet from source IP 192.168.1.10 (the workstation) to a destination IP on the internet with destination port 80 (HTTP), and the action taken by the firewall is 'denied' by an inbound ACL. In firewall terminology, an inbound ACL filters traffic entering an interface; here, the return traffic from the web server to the workstation is being blocked by the inbound ACL on the external interface, meaning the workstation's outbound request was allowed but the response was denied, indicating the workstation attempted to access a web server but the traffic was blocked.

Exam trap

ISC2 often tests the distinction between inbound and outbound ACLs, and the trap here is that candidates mistakenly think the source IP indicates the direction of the attack, leading them to choose Option A, when in fact the source IP is the internal workstation and the ACL is blocking the return traffic from the external web server.

How to eliminate wrong answers

Option A is wrong because the source IP 192.168.1.10 is a private RFC 1918 address, which cannot be a source from an external host; the log shows the workstation as the source, not an external host attempting to connect to it. Option B is wrong because the log entry does not indicate any intrusion detection signature or alert; it simply shows a denied packet based on an ACL rule, which is a standard firewall operation, not an intrusion detection system (IDS) event. Option D is wrong because the log explicitly shows the action as 'denied', meaning the traffic was blocked, not successfully connected.

225
MCQhard

A security architect is reviewing the access control model for a microservices architecture. Which approach minimizes the risk of privilege escalation from a compromised service?

A.Use attribute-based access control (ABAC) with service-specific policies.
B.Implement role-based access control (RBAC) with global roles.
C.Use API keys for all service-to-service communication.
D.Deploy a single sign-on solution.
AnswerA

ABAC allows context-aware, fine-grained policies to limit escalation.

Why this answer

ABAC uses attributes (user, resource, environment) to grant fine-grained permissions, reducing the blast radius if a service is compromised. RBAC with global roles is too coarse. SSO does not address service-to-service.

API keys are weak for authentication.

Page 2

Page 3 of 8

Page 4

All pages