Certified Information Systems Security Professional CISSP (CISSP) — Questions 301375

529 questions total · 8pages · All types, answers revealed

Page 4

Page 5 of 8

Page 6
301
MCQmedium

An organization is planning a penetration test of its internal network. The test team has been given network diagrams, source code access, and administrative credentials. This type of testing is known as:

A.Black-box testing
B.Red team testing
C.White-box testing
D.Gray-box testing
AnswerC

Full disclosure of system details to testers.

Why this answer

White-box testing (also known as clear-box or structural testing) is characterized by the test team having full knowledge of the internal system architecture, including network diagrams, source code, and administrative credentials. This level of access allows testers to perform a thorough analysis of the application logic, configuration weaknesses, and potential backdoors that would be invisible in a black-box approach. The scenario explicitly states the team was given these artifacts, making white-box testing the correct classification.

Exam trap

The trap here is that candidates often confuse 'red team testing' with 'white-box testing' because both involve internal knowledge, but red team testing is defined by its adversarial objectives and operational scope, not by the level of information disclosure, whereas the question's key differentiator is the explicit provision of source code and credentials.

How to eliminate wrong answers

Option A is wrong because black-box testing assumes no prior knowledge of the internal network, source code, or credentials; testers simulate an external attacker with zero information, which contradicts the provided access. Option B is wrong because red team testing is a goal-based, adversarial simulation that often includes social engineering and physical breaches, and while it may use some internal knowledge, it is defined by its objective (e.g., testing detection and response) rather than the level of access given; the question specifically asks about the type of testing based on information provided, not the team's mission. Option D is wrong because gray-box testing involves partial knowledge (e.g., network diagrams but not source code or credentials), whereas the team here received full source code and administrative credentials, which is a hallmark of white-box testing.

302
Multi-Selecteasy

Which TWO of the following are best practices for conducting a penetration test?

Select 2 answers
A.Define scope and rules of engagement
B.Obtain written authorization from the organization
C.Install backdoors for future access
D.Notify law enforcement before testing
E.Use only automated tools
AnswersA, B

Clear scope prevents overreach and ensures testing is controlled.

Why this answer

Obtaining written authorization and defining scope and rules of engagement are fundamental to ethical and legal testing. Using only automated tools is not best; manual techniques are also needed. Installing backdoors is unethical.

Notifying law enforcement is not a standard practice and could compromise the test.

303
MCQmedium

A company has implemented a new web application firewall (WAF) and wants to test its effectiveness. Which of the following testing methods would provide the MOST accurate assessment?

A.Conduct a penetration test that includes attempts to bypass the WAF.
B.Perform a vulnerability scan on the web application with the WAF disabled.
C.Review the WAF logs for any blocked attacks.
D.Run an automated web application scanner against the application with the WAF enabled.
AnswerA

A penetration test with WAF bypass attempts provides a realistic assessment of its effectiveness.

Why this answer

A penetration test that actively attempts to bypass the WAF provides the most accurate assessment because it simulates a real attacker's behavior, testing the WAF's ability to detect and block evasion techniques such as HTTP parameter pollution, encoding obfuscation, and SQL injection payload splitting. This method validates the WAF's effectiveness under realistic adversarial conditions, revealing gaps that passive or disabled-state testing cannot uncover.

Exam trap

The trap here is that candidates often choose Option D (automated scanner with WAF enabled) thinking it tests the WAF in a live environment, but they overlook that automated scanners typically do not attempt sophisticated bypass techniques and may be blocked, giving a false sense of security.

How to eliminate wrong answers

Option B is wrong because performing a vulnerability scan with the WAF disabled only identifies inherent application flaws without evaluating the WAF's protective capabilities, thus failing to assess the security control's effectiveness. Option C is wrong because reviewing WAF logs for blocked attacks only shows past events and does not test the WAF's ability to handle novel or sophisticated bypass techniques, providing no proactive validation. Option D is wrong because running an automated scanner with the WAF enabled may cause the scanner's traffic to be blocked or modified, leading to incomplete or false results, and does not actively attempt to circumvent the WAF's rules.

304
MCQhard

Refer to the exhibit. What is the security risk of this S3 bucket policy?

A.It only allows read from a specific IP
B.It allows public read access to all objects
C.It denies all access
D.It allows any IP to write objects
AnswerD

PutObject has no IP restriction.

Why this answer

The S3 bucket policy in the exhibit grants `s3:PutObject` permission to `Principal: *` (anyone) without any condition restricting the source IP. This means any unauthenticated user on the internet can upload objects to the bucket, leading to potential data corruption, storage cost abuse, or malware hosting. Option D correctly identifies this risk because the policy allows any IP to write objects.

Exam trap

The trap here is that candidates focus on the obvious public read access (Option B) and overlook the more dangerous public write permission, which is the primary security risk in this policy.

How to eliminate wrong answers

Option A is wrong because the policy does not restrict read access to a specific IP; it grants `s3:GetObject` to `Principal: *` with no IP condition, making it publicly readable from any IP. Option B is wrong because while the policy does allow public read access, the question asks for the security risk, and the more severe risk is the unrestricted write permission (PutObject) that can lead to data injection or abuse. Option C is wrong because the policy explicitly allows both read and write actions, so it does not deny all access.

305
MCQhard

An auditor is reviewing the JSON policy exhibit. What is the most likely security issue with this policy?

A.The policy allows all actions on public_data, which could be exploited
B.The policy uses JSON syntax, which is not secure
C.The 'Allow' rule for customers does not restrict based on user identity, only IP
D.The 'Deny' rule uses a wildcard resource, which is too restrictive
AnswerC

IP-based access is weak; should require authentication and authorization.

Why this answer

Option C is correct because the policy's 'Allow' rule for customers only restricts access based on source IP address, not on authenticated user identity. This means any user or system within the allowed IP range can access the resource, regardless of whether they are a legitimate customer. In a JSON-based policy (e.g., AWS IAM or Azure RBAC), failing to include a condition that checks user identity (such as a JWT claim or IAM user ARN) creates a significant authorization gap, allowing potential impersonation or lateral movement within the trusted network.

Exam trap

ISC2 often tests the distinction between network-based controls (IP allowlisting) and identity-based controls (user authentication), and the trap here is that candidates assume IP-based restrictions alone are sufficient for authorization, overlooking the need for explicit user identity verification in the policy.

How to eliminate wrong answers

Option A is wrong because allowing all actions on public_data is not inherently a security issue; public_data is intended for open access, and the policy may be correctly scoped. Option B is wrong because JSON syntax itself is not insecure; it is a standard data interchange format, and security depends on the policy logic, not the serialization format. Option D is wrong because a 'Deny' rule with a wildcard resource is a common and valid pattern to explicitly block all actions on unspecified resources, and it is not 'too restrictive'—it follows the principle of least privilege when combined with specific Allow rules.

306
MCQmedium

An API gateway is being designed for a set of microservices. Which combination of security controls should be implemented?

A.HTTP Basic Authentication over HTTPS
B.TLS encryption with anonymous access
C.OAuth 2.0 with scopes and rate limiting
D.API keys passed in query strings
AnswerC

OAuth 2.0 provides token-based authorization with scopes; rate limiting mitigates DDoS.

Why this answer

Option D is correct because OAuth 2.0 with scopes provides fine-grained authorization, and rate limiting prevents abuse. Option A is wrong because basic auth sends credentials in plaintext. Option B is wrong because HTTPS alone does not authorize.

Option C is wrong because no authentication leaves the API open.

307
MCQmedium

An organization is implementing a security program and wants to ensure it meets legal and regulatory requirements. The security manager is reviewing the concept of due care. Which best describes due care in the context of information security?

A.The process of responding to security incidents after they occur
B.The selection of security controls based on cost-benefit analysis
C.Compliance with all applicable laws and regulations
D.The level of prudence expected from a reasonable organization in the same industry
AnswerD

Due care requires an organization to do what any prudent entity would do under similar circumstances.

Why this answer

Option C is correct because due care refers to the legal concept of taking reasonable precautions to protect assets, and it is often established by adhering to industry standards. Option A is incorrect because compliance is just one aspect. Option B is incorrect because due care is proactive, not reactive.

Option D is incorrect because cost-benefit analysis is separate from the legal standard of due care.

308
MCQeasy

A security analyst is reviewing logs and notices multiple failed login attempts from a single IP address followed by a successful login. What should the analyst do next?

A.Disable the account immediately
B.Ignore, as failed logins are normal
C.Investigate the successful login
D.Block the IP address
AnswerC

The successful login after failures is suspicious and requires investigation to confirm if it was authorized.

Why this answer

The correct answer is C because a successful login immediately following multiple failed attempts from the same IP address is a classic indicator of a brute-force or password-spraying attack that succeeded. The analyst must investigate the successful login to determine if it was legitimate or an account compromise, checking for anomalous behavior, time of access, and any subsequent actions. Ignoring or prematurely blocking the IP could destroy forensic evidence or lock out a legitimate user, while disabling the account without investigation may be premature if the login was authorized.

Exam trap

The trap here is that candidates often jump to a reactive action like blocking the IP or disabling the account, failing to recognize that the immediate priority is to investigate the successful login to confirm compromise and preserve forensic evidence.

How to eliminate wrong answers

Option A is wrong because disabling the account immediately without investigation could lock out a legitimate user who simply mistyped their password multiple times, and it may destroy evidence of the attack vector. Option B is wrong because while failed logins are common, a pattern of multiple failures from a single IP followed by a success is not normal and requires investigation per incident response procedures. Option D is wrong because blocking the IP address without first investigating could prevent the analyst from gathering additional forensic data (e.g., logs from the successful session) and may block a legitimate user if the IP is shared or spoofed.

309
MCQmedium

A vulnerability scanner reports a medium-severity finding on a web server. After investigating, the system administrator claims the finding is a false positive because the service in question is not actually running. Which step should the security analyst take next?

A.Verify the service status using system commands or network scans
B.Remove the finding from the report since the administrator confirmed it
C.Close the finding as accepted risk
D.Escalate the issue to management for risk acceptance
AnswerA

Independent verification is needed to confirm if the finding is truly a false positive.

Why this answer

Option A is correct because the security analyst must independently verify the administrator's claim before taking any action. The vulnerability scanner may have detected a service on a different port or the service may be bound to a non-standard interface; using system commands (e.g., `netstat -tulpn` or `ss -tulpn`) or a targeted network scan (e.g., `nmap -sV -p <port> <target>`) provides objective evidence of whether the service is actually listening. Relying solely on the administrator's assertion without verification could lead to a missed true positive, especially if the service is hidden or misconfigured.

Exam trap

The trap here is that candidates may assume the administrator's claim is authoritative and skip verification, but the CISSP exam emphasizes that security analysts must always validate findings through independent technical means before closing or escalating.

How to eliminate wrong answers

Option B is wrong because removing the finding without independent verification violates the principle of evidence-based risk management and could suppress a genuine vulnerability if the administrator is mistaken or the service is transient. Option C is wrong because closing the finding as accepted risk requires a formal risk acceptance process with documented justification and management approval, not a single administrator's claim of a false positive. Option D is wrong because escalating to management for risk acceptance is premature; the analyst must first confirm the service status to determine if the finding is indeed a false positive before any risk acceptance decision is warranted.

310
MCQeasy

An organization wants to ensure that employees can securely access internal applications from home. They deploy a VPN solution. Which VPN type provides the strongest encryption and is most commonly used for remote access?

A.IPsec with IKEv2 and AES-256
B.MPLS Layer 3 VPN
C.L2TP without encryption
D.PPTP
AnswerA

This provides strong encryption and is widely used for remote access.

Why this answer

IPsec with IKEv2 and AES-256 provides the strongest encryption for remote access VPNs. IKEv2 offers improved security features like mobility and multi-homing support, while AES-256 is a symmetric cipher with a 256-bit key that is currently considered unbreakable by brute force. This combination is widely deployed for secure client-to-site connections.

Exam trap

The trap here is that candidates often confuse MPLS Layer 3 VPN (a site-to-site provider-based solution) with remote access VPNs, or they underestimate the weakness of PPTP and unencrypted L2TP, assuming any tunneling protocol provides adequate security.

How to eliminate wrong answers

Option B is wrong because MPLS Layer 3 VPN is a service provider technology used to connect multiple sites over a provider network, not a remote access VPN for individual employees; it does not encrypt user traffic. Option C is wrong because L2TP without encryption provides no confidentiality; it only tunnels traffic and relies on an additional protocol like IPsec for encryption, making it insecure on its own. Option D is wrong because PPTP uses the outdated MPPE encryption with RC4, which has known vulnerabilities and is considered weak and deprecated for secure remote access.

311
MCQeasy

A company is implementing a CI/CD pipeline for a web application. Which security testing method should be integrated into the build stage to catch vulnerabilities early?

A.Only using open-source vulnerability scanners
B.Dynamic Application Security Testing (DAST) in the production stage
C.Manual code review after each sprint
D.Static Application Security Testing (SAST) in the build stage
AnswerD

SAST scans source code early, fitting CI/CD build stages.

Why this answer

Option B is correct because Static Application Security Testing (SAST) analyzes source code without execution, making it suitable for early detection in the build stage. Option A is wrong because DAST requires a running application. Option C is wrong because manual code review is too slow for continuous integration.

Option D is wrong because relying solely on open-source tools may miss custom code flaws.

312
MCQeasy

Refer to the exhibit. An analyst attempts to read /data/confidential. What will be the outcome?

A.Access is granted because no 'combine' method is specified, so permit wins
B.Access is denied because Analysts are explicitly denied
C.The policy is ambiguous and will result in an error
D.Access is granted because Analysts are in the 'allowed' list
AnswerB

The deny rule explicitly blocks Analysts from /data/confidential.

Why this answer

The policy explicitly denies the 'Analysts' group access to /data/confidential. In RBAC or DAC-based file systems (e.g., Linux ACLs or Windows NTFS), an explicit deny entry overrides any conflicting allow entry, regardless of the order of evaluation. Since the analyst is a member of the 'Analysts' group, the deny rule applies, and access is denied.

Exam trap

The trap here is that candidates often assume 'permit wins' by default or that group membership in an allowed list guarantees access, forgetting that explicit deny always overrides allow in standard access control models.

How to eliminate wrong answers

Option A is wrong because when an explicit deny is present, it takes precedence over any permit or allow rule, even if no 'combine' method is specified; the default behavior is that deny wins. Option C is wrong because the policy is not ambiguous—explicit deny is a clear and deterministic rule that does not cause an error. Option D is wrong because even though the analyst may be in an 'allowed' list, the explicit deny for the 'Analysts' group overrides that allow, as deny rules are evaluated with higher priority.

313
Multi-Selecthard

A risk assessment identifies several threats. Which THREE are considered external threats?

Select 3 answers
A.Insider error
B.Hacktivist
C.Disgruntled employee
D.Natural disaster
E.Competitor
AnswersB, D, E

External threat actor.

Why this answer

External threats originate outside the organization. Hacktivist (B), natural disaster (C), and competitor (E) are external. Disgruntled employee (A) and insider error (D) are internal.

314
MCQhard

A development team is implementing a microservices architecture. Which of the following is the BEST approach to secure inter-service communication?

A.Use JSON Web Tokens (JWT) for each request
B.Use API keys transmitted in HTTP headers
C.Place all services behind a single API gateway
D.Implement mutual TLS (mTLS) between services
AnswerD

mTLS provides strong authentication and encryption for inter-service communication.

Why this answer

Mutual TLS (mTLS) is the best approach because it provides both encryption and bidirectional authentication between services, ensuring that only authorized services can communicate. Unlike token-based methods, mTLS verifies the identity of both the client and server using X.509 certificates, which is critical in a zero-trust microservices environment where network boundaries are porous.

Exam trap

ISC2 often tests the misconception that an API gateway secures all inter-service communication, but candidates forget that east-west traffic between microservices bypasses the gateway and requires its own security mechanism like mTLS.

How to eliminate wrong answers

Option A is wrong because JWT per request authenticates the user or service but does not encrypt the communication channel, leaving data vulnerable to interception; it also adds overhead for every request without addressing transport-layer security. Option B is wrong because API keys in HTTP headers are static credentials that can be easily leaked, replayed, or intercepted if the channel is not encrypted, and they provide no mutual authentication. Option C is wrong because placing all services behind a single API gateway creates a central point of failure and a bottleneck, and it does not secure east-west traffic between services—internal calls bypass the gateway entirely.

315
MCQhard

In a virtualized environment, which security control is most effective for isolating VMs from each other?

A.Host-based firewall on each VM
B.Physical separation
C.Virtual LAN (VLAN) segmentation
D.Hypervisor-level network policies
AnswerD

Enforced by hypervisor, most effective for isolation.

Why this answer

Hypervisor-level network policies, such as virtual switches with port groups and VLAN tagging, enforce isolation directly at the hypervisor layer, ensuring that VM traffic is segmented without relying on guest OS configurations. This control is independent of the VM's own firewall settings and can prevent lateral movement even if a VM is compromised, because the hypervisor mediates all network I/O.

Exam trap

The trap here is that candidates often confuse VLAN segmentation (Option C) as the primary isolation mechanism, but in a virtualized environment, VLANs are configured at the hypervisor level as part of virtual switch policies, making 'Hypervisor-level network policies' the more precise and encompassing answer.

How to eliminate wrong answers

Option A is wrong because a host-based firewall on each VM relies on the guest OS, which can be bypassed if the VM is compromised or if the firewall is misconfigured; it does not provide isolation at the hypervisor level. Option B is wrong because physical separation defeats the purpose of virtualization and is not a practical control within a virtualized environment; it refers to separate physical hosts, not VM-to-VM isolation. Option C is wrong because VLAN segmentation operates at Layer 2 of the network and can be effective, but it is configured on physical switches and does not inherently control traffic between VMs on the same hypervisor unless combined with hypervisor-level policies; it is an external control that can be bypassed if the hypervisor's virtual switch is not properly configured.

316
Multi-Selectmedium

A security analyst is reviewing the findings from a vulnerability scan of a web application. Which TWO actions are most appropriate to prioritize remediation?

Select 2 answers
A.The asset's value to the organization
B.The number of times the scan was run
C.Whether a known exploit exists
D.The date the vulnerability was discovered
E.The CVSS score of the vulnerability
AnswersC, E

Exploitability indicates immediate risk.

Why this answer

Option C is correct because the existence of a known exploit indicates that the vulnerability is actively weaponized, making it a higher priority for remediation regardless of its CVSS score. A vulnerability with a published exploit in frameworks like Metasploit or Exploit-DB poses an immediate, tangible risk to the web application, as attackers can easily leverage it without developing custom code. This aligns with the principle of prioritizing based on threat likelihood, not just severity.

Exam trap

The trap here is that candidates often assume CVSS score alone is sufficient for prioritization, but the CISSP emphasizes that exploitability (known exploit existence) is a more critical factor in real-world remediation decisions, as a lower-scoring vulnerability with an active exploit poses greater immediate risk than a higher-scoring one without one.

317
MCQmedium

A security team is reviewing firewall logs and sees many dropped packets from an external IP. What type of attack is most likely?

A.Man-in-the-middle
B.Port scanning
C.SQL injection
D.Phishing
AnswerB

Multiple dropped packets suggest scanning for open ports.

Why this answer

Port scanning is the most likely attack because it involves an external IP sending packets to multiple ports on a target system to identify open services. Firewalls log these as dropped packets when they block unsolicited inbound traffic to closed or filtered ports, which is a common signature of reconnaissance activity.

Exam trap

The trap here is that candidates may confuse port scanning with a denial-of-service (DoS) attack, but port scanning is reconnaissance, not resource exhaustion, and the key clue is the pattern of dropped packets to multiple ports from a single IP.

How to eliminate wrong answers

Option A is wrong because a man-in-the-middle attack requires the attacker to intercept and potentially modify communications between two parties, which would not typically manifest as dropped packets from a single external IP; instead, it involves ARP spoofing, DNS poisoning, or session hijacking. Option C is wrong because SQL injection targets web application input fields to manipulate database queries, not network-layer packet filtering, and would not appear as dropped packets in firewall logs. Option D is wrong because phishing is a social engineering attack that uses deceptive emails or websites to steal credentials, not a network-level activity that generates dropped packets from an external IP.

318
MCQmedium

A network engineer is troubleshooting an IPsec VPN tunnel between two sites. The tunnel is established but no traffic is passing. Which command should the engineer use to verify the phase 2 security associations?

A.Traceroute between site gateways
B.show crypto ipsec sa
C.Ping between site gateways
D.show crypto isakmp sa
AnswerB

This command displays phase 2 SAs.

Why this answer

The command 'show crypto ipsec sa' displays the IPsec security associations (SAs) for Phase 2, which include encryption and authentication parameters, SPI values, and packet counters. Since the tunnel is established but no traffic passes, this command reveals whether the Phase 2 SAs are properly negotiated and active, or if they are in a mismatch state (e.g., mismatched proxy IDs or transform sets).

Exam trap

ISC2 often tests the distinction between Phase 1 (IKE) and Phase 2 (IPsec) SAs, leading candidates to mistakenly choose 'show crypto isakmp sa' when the question specifically asks about Phase 2 security associations.

How to eliminate wrong answers

Option A is wrong because traceroute between site gateways tests Layer 3 path connectivity, not the state of IPsec Phase 2 SAs; it would succeed even if IPsec is misconfigured. Option C is wrong because ping between site gateways only verifies basic IP reachability and does not inspect the IPsec SA table; it may succeed if the tunnel is up but Phase 2 SAs are missing or mismatched. Option D is wrong because 'show crypto isakmp sa' shows Phase 1 (IKE) security associations, which are for key exchange and authentication; Phase 1 can be up while Phase 2 (IPsec) SAs are absent or broken.

319
MCQhard

A financial institution is required to retain customer transaction records for seven years under regulatory mandates. The institution is facing a lawsuit and must preserve all relevant data. What legal concept applies?

A.E-discovery
B.Data retention policy
C.Chain of custody
D.Legal hold
AnswerD

Legal hold suspends normal disposal to preserve evidence.

Why this answer

A legal hold (or litigation hold) requires organizations to preserve potentially relevant evidence when litigation is anticipated or ongoing.

320
MCQeasy

A company wants to implement multi-factor authentication (MFA) for remote access. Which combination of factors represents something you have and something you are?

A.Password and PIN
B.Hardware token and mobile phone
C.Smart card and fingerprint
D.Password and SMS code
AnswerC

Smart card (possession) + fingerprint (inherence) = two factors.

Why this answer

Option C is correct because a smart card is a physical device that you possess (something you have), and a fingerprint is a biometric characteristic unique to you (something you are). This combination satisfies the multi-factor authentication requirement by using two distinct factors from different categories, which is more secure than using two factors from the same category.

Exam trap

The trap here is that candidates often confuse 'something you have' with 'something you know' or fail to recognize that two factors from the same category (e.g., two knowledge factors) do not constitute true multi-factor authentication.

How to eliminate wrong answers

Option A is wrong because both a password and a PIN are knowledge-based factors (something you know), so they do not provide multi-factor authentication; they are two instances of the same factor type. Option B is wrong because both a hardware token and a mobile phone are possession-based factors (something you have), which again fails to combine two different factor categories. Option D is wrong because a password is something you know and an SMS code is typically considered something you have (possession of the phone), but SMS codes are vulnerable to interception and SIM-swapping attacks, and more importantly, the question asks for 'something you have and something you are'—an SMS code is not a biometric or inherent characteristic.

321
MCQhard

Refer to the exhibit. A legal hold exception preserves FinancialRecords FIN-001 and FIN-002. What is the correct action for FinancialRecords that are not under legal hold?

A.They should be audited and then preserved indefinitely
B.They should be archived after 2555 days
C.They should be deleted after 2555 days
D.They should be deleted after 365 days
AnswerB

The rule specifies archive action for FinancialRecords.

Why this answer

The exhibit shows a retention policy for FinancialRecords with a retention period of 2555 days (7 years). Legal hold exceptions preserve FIN-001 and FIN-002, but records not under legal hold must follow the standard retention policy. The correct action is to archive them after 2555 days, as archiving retains data for compliance or future reference without indefinite preservation, aligning with the policy's lifecycle.

Exam trap

The trap here is confusing 'archive' with 'delete' — candidates often assume that after a retention period ends, data must be deleted, but archiving is a separate action that preserves data for long-term compliance or historical purposes, while deletion is only appropriate when the policy explicitly states it.

How to eliminate wrong answers

Option A is wrong because auditing and preserving indefinitely violates the principle of data lifecycle management, which requires defined retention periods; indefinite preservation is not a standard action for records not under legal hold. Option C is wrong because deletion after 2555 days would destroy records that may still be needed for compliance or operational purposes; archiving is the appropriate action to retain them beyond active use. Option D is wrong because 365 days is too short for FinancialRecords, which typically require longer retention (e.g., 7 years for tax or audit purposes), and the policy specifies 2555 days.

322
MCQmedium

Based on the vulnerability scan exhibit, which vulnerability should be remediated first?

A.All vulnerabilities equally because they have the same host
B.SSH weak MAC algorithms
C.SMTP open relay
D.OpenSSL Heartbleed vulnerability
AnswerD

Critical vulnerability with known exploitation.

Why this answer

The OpenSSL Heartbleed vulnerability (CVE-2014-0160) allows an attacker to read up to 64 KB of memory from a vulnerable server, potentially exposing private keys, session tokens, and passwords. This is a critical remote code execution and information disclosure flaw that requires immediate remediation because it compromises the confidentiality of all encrypted communications. In contrast, the other vulnerabilities are less severe: SSH weak MAC algorithms reduce cryptographic strength but do not directly leak data, and SMTP open relay is a misconfiguration that enables spam but not direct data theft.

Exam trap

The trap here is that candidates may prioritize SMTP open relay or SSH weak MAC algorithms because they sound like common misconfigurations, but the CISSP exam emphasizes that vulnerabilities with direct, remote exploitation for data disclosure (like Heartbleed) must be remediated first under the principle of risk prioritization.

How to eliminate wrong answers

Option A is wrong because not all vulnerabilities have the same severity or exploitability; prioritization must be based on risk, not just host commonality. Option B is wrong because SSH weak MAC algorithms (e.g., HMAC-MD5) weaken integrity but are not remotely exploitable for direct data disclosure like Heartbleed; they are a lower-priority hardening issue. Option C is wrong because SMTP open relay allows unauthorized email forwarding (spam) but does not expose sensitive server memory or credentials; it is a configuration flaw with lower impact on confidentiality.

323
Multi-Selectmedium

Which THREE of the following are characteristics of a federated identity management system?

Select 3 answers
A.It relies on standard protocols such as SAML or OpenID Connect
B.It operates with a single identity provider for all organizations
C.It requires all participating organizations to use the same user directory
D.It enables identity information to be shared across different security domains
E.It provides single sign-on (SSO) across multiple organizations
AnswersA, D, E

Essential for interoperability.

Why this answer

Option A is correct because federated identity management systems rely on standard protocols like SAML (Security Assertion Markup Language) or OpenID Connect to exchange authentication and authorization data between identity providers (IdPs) and service providers (SPs). These protocols enable trust relationships across different security domains without requiring shared directories or a single IdP.

Exam trap

The trap here is that candidates confuse federation with centralized SSO, assuming a single IdP or shared directory is required, when in fact federation decouples identity providers and directories across organizational boundaries.

324
Multi-Selecthard

Which TWO of the following are essential characteristics of an effective information classification scheme?

Select 2 answers
A.Should have at least seven classification levels to capture granularity
B.Must be accompanied by mandatory training for all users
C.Should have clear labels that map to specific handling procedures
D.Should be based on the encryption algorithm used to protect the data
E.Must be applied consistently across the entire organization
AnswersC, E

Labels without procedures are ineffective; users need to know what to do.

Why this answer

Option C is correct because an effective classification scheme must have clear labels (e.g., 'Confidential', 'Secret') that directly map to specific handling procedures (e.g., encryption at rest, access control lists, retention periods). This ensures that data owners and custodians know exactly how to protect each classification level without ambiguity.

Exam trap

The trap here is that candidates confuse 'essential characteristics of the scheme' with 'supporting activities' (like training) or 'implementation details' (like encryption algorithms), leading them to select options that are good practices but not defining properties of the classification scheme itself.

325
Multi-Selecteasy

Which TWO of the following are key indicators that a security awareness training program is effective? (Choose two.)

Select 2 answers
A.More instances of employees bypassing security controls to improve productivity.
B.An increase in help desk calls for password resets.
C.An increase in employees reporting suspicious emails to the security team.
D.Fewer security policies are being issued.
E.A reduction in the number of successful phishing attacks.
AnswersC, E

Reporting suspicious emails shows that employees are applying their training.

Why this answer

Option C is correct because a measurable increase in employees reporting suspicious emails directly indicates that the training has improved their ability to recognize phishing indicators (e.g., mismatched URLs, spoofed sender domains, urgent language) and has instilled the desired reporting behavior. This is a leading indicator of security awareness effectiveness, as it demonstrates proactive threat identification before a compromise occurs.

Exam trap

The trap here is that candidates may confuse activity metrics (e.g., more help desk calls) with effectiveness metrics, or mistakenly think that fewer policies indicate simpler, more effective training, when in fact the CISSP emphasizes behavioral outcomes like reporting and reduced incident success rates.

326
MCQmedium

Refer to the exhibit. The ACL is applied inbound on a perimeter router. A security analyst notices that web traffic to an internal server is being blocked. What is the most likely cause?

A.The connection is stateful and not returning traffic
B.The source address is not permitted
C.The ACL is applied outbound incorrectly
D.The web server is using a port other than 80 or 443
AnswerD

Only ports 80 and 443 are allowed for TCP.

Why this answer

Option D is correct because the ACL is applied inbound on the perimeter router, meaning it inspects traffic as it enters the interface. If the web server is using a non-standard port (e.g., 8080 or 8443) instead of the well-known ports 80 or 443, the ACL will not match the permit statement for HTTP/HTTPS traffic, causing the packets to be dropped by the implicit deny any at the end of the ACL. This is a common misconfiguration when administrators assume all web traffic uses default ports.

Exam trap

ISC2 often tests the misconception that all web traffic uses ports 80 or 443, leading candidates to overlook the possibility of non-standard port configurations, while also distracting with stateful vs. stateless ACL behavior.

How to eliminate wrong answers

Option A is wrong because standard ACLs are stateless and do not track connection state; stateful inspection requires a firewall or reflexive ACL, not a standard inbound ACL on a router. Option B is wrong because the source address is likely permitted (the analyst sees web traffic being blocked, not all traffic), and the ACL would explicitly deny or permit based on source IP; if the source were not permitted, the traffic would be blocked entirely, not just web traffic. Option C is wrong because the ACL is explicitly stated as applied inbound, not outbound; applying it outbound would affect traffic leaving the interface, not incoming web requests to the internal server.

327
MCQmedium

A company is deploying a new web application and needs to ensure that only HTTPS traffic is allowed. What is the MOST effective way to enforce this at the network perimeter?

A.Allow TCP port 443 only and block port 80.
B.Configure the firewall to allow TCP port 80 and 443.
C.Use a proxy server to decrypt all traffic.
D.Block TCP port 443.
AnswerA

Only allows HTTPS, rejecting all HTTP connections.

Why this answer

Blocking TCP port 80 and allowing only TCP port 443 at the network perimeter ensures that only HTTPS traffic can enter or leave the network. This is the most effective method because it directly enforces the protocol restriction at the firewall, preventing any HTTP traffic from bypassing encryption. Allowing both ports would permit unencrypted HTTP, while using a proxy or blocking port 443 would either add unnecessary complexity or deny legitimate HTTPS traffic.

Exam trap

The trap here is that candidates may think allowing both ports 80 and 443 is acceptable for flexibility, but the question explicitly requires only HTTPS, so blocking port 80 is essential to enforce encryption at the perimeter.

How to eliminate wrong answers

Option B is wrong because allowing both TCP port 80 and 443 permits unencrypted HTTP traffic, which violates the requirement to allow only HTTPS. Option C is wrong because using a proxy server to decrypt all traffic does not enforce the restriction at the network perimeter; it adds overhead and may introduce privacy or compliance issues, and it does not block port 80 by itself. Option D is wrong because blocking TCP port 443 would deny all HTTPS traffic, which is the opposite of the requirement to allow only HTTPS.

328
MCQeasy

An organization uses a version control system for all software development. Which practice best ensures that code changes are reviewed for security issues before merging into the main branch?

A.Requiring all pull requests to be approved by at least one peer reviewer.
B.Configuring the CI pipeline to run static analysis tools only on the main branch.
C.Enforcing that all commits pass automated unit tests before merging.
D.Using pre-commit hooks to scan for secrets in code before commit.
AnswerA

Peer review is a manual review process that can catch security issues that automated tools miss.

Why this answer

Option A is correct because mandatory peer review (pull request review) allows reviewers to examine code for security flaws before integration. Option B is wrong because static analysis alone may miss logic flaws, and automated scanning should complement human review. Option C is wrong because automated unit tests typically do not test security.

Option D is wrong because pre-commit hooks are limited to client-side checks, not a robust review process.

329
MCQhard

Refer to the exhibit. What is a potential security weakness in this policy?

A.It does not specify a principal
B.It allows all actions on the bucket
C.It grants access to a private IP range which is not routable over the internet
D.It uses a condition that can be bypassed
AnswerC

Private IP ranges are not seen as source IPs by AWS; the condition will never be satisfied for external requests.

Why this answer

Option C is correct because the policy grants access to a private IP range (e.g., 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) which is not routable over the internet. This means the condition is ineffective for controlling access from external sources, as private IP addresses are only meaningful within a local network and cannot be used to authenticate or authorize remote users. An attacker could spoof such an IP address from within the same network or bypass the restriction entirely if the policy is intended to restrict internet-based access.

Exam trap

The trap here is that candidates often assume any IP-based condition is secure, failing to recognize that private IP ranges are non-routable and thus cannot enforce access control from the internet, leading them to overlook the fundamental network-layer limitation.

How to eliminate wrong answers

Option A is wrong because the policy does specify a principal (e.g., an AWS IAM user, role, or account ARN) in the 'Principal' element, so the statement 'It does not specify a principal' is factually incorrect. Option B is wrong because the policy likely restricts actions to specific operations (e.g., s3:GetObject) rather than allowing all actions; the exhibit would show an 'Action' field with limited permissions, not a wildcard. Option D is wrong because the condition (e.g., using 'IpAddress' with a private IP range) is syntactically valid and cannot be bypassed by altering the request; the weakness is that the condition itself is ineffective due to the non-routable nature of the IP range, not that the condition mechanism is flawed.

330
MCQmedium

A team uses third-party libraries. What is the best practice to ensure they do not introduce vulnerabilities?

A.Whitelist all libraries based on reputation.
B.Perform static analysis only on custom code.
C.Isolate libraries in a sandbox.
D.Use the latest version of each library.
AnswerD

Latest versions include security patches for known vulnerabilities.

Why this answer

Keeping libraries up to date ensures known vulnerabilities are patched. Static analysis only on custom code misses library vulnerabilities. Whitelisting based on reputation is insufficient.

Sandboxing limits impact but does not prevent exploitation.

331
MCQmedium

An organization is required to retain audit logs for seven years due to regulatory compliance. The logs are currently stored on a file server that is approaching capacity. What is the BEST way to manage log storage?

A.Reduce the logging level to generate less data.
B.Delete logs older than one year.
C.Increase the frequency of log rotation.
D.Compress logs and move them to low-cost archival storage.
AnswerD

Reduces storage footprint and complies with retention.

Why this answer

Option D is correct because it balances the seven-year retention requirement with storage constraints by compressing logs (reducing size) and moving them to low-cost archival storage (e.g., cold storage or tape). This preserves data integrity and accessibility for compliance audits while freeing up space on the primary file server.

Exam trap

The trap here is that candidates may confuse operational efficiency (log rotation) with long-term retention, failing to recognize that compliance mandates absolute retention periods that cannot be circumvented by deletion or reduced logging.

How to eliminate wrong answers

Option A is wrong because reducing the logging level would omit critical security events, violating the principle of complete audit trails and potentially failing compliance requirements. Option B is wrong because deleting logs older than one year directly violates the seven-year retention mandate, exposing the organization to regulatory penalties. Option C is wrong because increasing log rotation frequency merely creates more files without addressing the underlying capacity issue; it does not reduce total data volume or extend retention capabilities.

332
MCQhard

During a security audit, it is discovered that a company's data classification labels are inconsistently applied across different departments. Which of the following is the BEST long-term solution to ensure consistent data classification?

A.Conduct annual retraining on data classification policies
B.Implement automated data classification tools that apply labels based on content and context
C.Adopt a single classification level for all data to eliminate confusion
D.Assign a data owner in each department to manually review and classify data
AnswerB

Automation reduces human error and ensures consistent application of classification labels.

Why this answer

Automated data classification tools use content inspection (e.g., regex patterns, keyword matching) and contextual analysis (e.g., file location, creator, metadata) to consistently apply labels across the enterprise. This eliminates human error and variability between departments, ensuring uniform enforcement of the classification policy without relying on manual interpretation or periodic training.

Exam trap

The trap here is that candidates often choose annual retraining (A) as a 'best practice' for policy adherence, but the question specifically asks for the 'BEST long-term solution' to ensure consistency, which requires automation to remove human subjectivity.

How to eliminate wrong answers

Option A is wrong because annual retraining is a temporary, human-dependent solution that does not prevent inconsistent application between training cycles; it fails to address the root cause of manual variability. Option C is wrong because adopting a single classification level for all data violates the principle of least privilege and the need for granular access controls, effectively negating the purpose of data classification. Option D is wrong because assigning a data owner in each department to manually review and classify data perpetuates the inconsistency problem, as different owners will apply subjective judgment, leading to the same cross-departmental variability.

333
MCQeasy

A company has multiple offices connected via a WAN. They want to ensure that all traffic between offices is encrypted and authenticated. Which technology is most appropriate?

A.MPLS
B.DMVPN
C.SSL VPN
D.IPsec VPN
AnswerD

IPsec VPN is the standard for site-to-site encryption and authentication.

Why this answer

IPsec VPN is the most appropriate technology because it operates at the network layer (Layer 3) and provides both encryption and authentication for all IP traffic between sites over an untrusted WAN. It uses protocols such as ESP (Encapsulating Security Payload) for confidentiality and AH (Authentication Header) or ESP for integrity and authentication, ensuring that all inter-office traffic is protected in transit.

Exam trap

ISC2 often tests the distinction between VPN technologies by presenting DMVPN as a tempting answer because it is a Cisco-specific solution for dynamic site-to-site VPNs, but the trap is that DMVPN is a framework that relies on IPsec for encryption and authentication, not a replacement for it.

How to eliminate wrong answers

Option A (MPLS) is wrong because MPLS is a label-switching technology that improves performance and traffic engineering but does not inherently provide encryption or authentication; it relies on underlying security mechanisms like IPsec for confidentiality. Option B (DMVPN) is wrong because DMVPN is a dynamic VPN architecture that simplifies hub-and-spoke or spoke-to-spoke VPN deployments, but it still requires IPsec for encryption and authentication; it is not a standalone encryption technology. Option C (SSL VPN) is wrong because SSL VPN typically operates at the application or transport layer and is designed for remote user access to specific applications or networks, not for site-to-site encryption of all traffic between offices; it lacks the network-layer transparency and scalability for full site-to-site connectivity.

334
MCQmedium

A security analyst is reviewing logs from a web application firewall (WAF) and notices multiple requests containing the payload "1=1--" in the query string. The analyst suspects a SQL injection attack. Which of the following is the BEST immediate action to validate the suspicion?

A.Use a manual SQL injection tool like sqlmap to test the application.
B.Implement prepared statements in the application code.
C.Run a vulnerability scan with a SQL injection detection module.
D.Check the application logs for database error messages.
AnswerD

Application logs may show database errors that confirm successful injection.

Why this answer

Checking the application logs for database error messages is the best immediate action because SQL injection attempts often trigger verbose database errors (e.g., MySQL syntax errors, ODBC error codes) that confirm the injection point. This passive validation requires no additional tools and directly correlates the WAF alert with backend behavior, avoiding the risk of actively exploiting a live system.

Exam trap

The trap here is that candidates often choose an active testing tool (Option A) or a remediation step (Option B) instead of recognizing that passive log review is the safest and most immediate validation method in a security assessment context.

How to eliminate wrong answers

Option A is wrong because using a manual SQL injection tool like sqlmap on a production system without prior validation could cause data corruption, denial of service, or legal/authorization violations, and is not an immediate passive validation step. Option B is wrong because implementing prepared statements is a long-term remediation measure, not a validation technique; it does not help confirm whether the observed payload actually succeeded. Option C is wrong because running a vulnerability scan with a SQL injection detection module is an active assessment that may introduce additional load or false positives, and is less immediate than checking existing logs for direct evidence of exploitation.

335
Multi-Selectmedium

Refer to the exhibit. Which TWO statements about this IAM policy are true?

Select 2 answers
A.The policy grants full administrative access to the bucket.
B.The policy implicitly denies access to users outside the 10.0.0.0/8 IP range.
C.The policy allows all S3 actions on the bucket.
D.The policy applies to all resources in the AWS account.
E.The policy allows read and write operations (GetObject and PutObject) on the example-bucket.
AnswersB, E

The condition prevents the Allow from applying outside that range, resulting in implicit deny.

Why this answer

Options A and C are correct. The policy allows s3:GetObject (read) and s3:PutObject (write) on the specified bucket, and the condition restricts access to the 10.0.0.0/8 IP range, implicitly denying all others. Option B is incorrect because the policy does not allow all S3 actions.

Option D is incorrect because the resource is limited to that specific bucket. Option E is incorrect because the policy only allows two actions, not full administrative access.

336
MCQhard

To enforce separation of duties in a CI/CD pipeline, what architectural principle should be implemented?

A.Allow all developers to deploy their own code to production
B.Use a single approval gate without role distinction
C.Grant a single DevOps team full access to both source code and deployment
D.Require different permissions for committing code vs. deploying to production
AnswerD

Separates responsibilities between development and operations.

Why this answer

Option B is correct because requiring different permissions for code commit and deployment enforces separation. Option A is wrong because a single admin violates separation. Option C is wrong because allowing all developers to deploy combines duties.

Option D is wrong because manual approval alone does not enforce separate roles.

337
MCQhard

A security architect is reviewing a software design that uses a third-party library for XML parsing. The library is known to be vulnerable to XML External Entity (XXE) attacks. The architect recommends replacing the library. What is the primary risk of XXE attacks that the architect wants to avoid?

A.Disclosure of sensitive files from the server
B.Remote code execution by injecting malicious XML
C.Denial of service (DoS) from entity expansion
D.Cross-site scripting (XSS) delivered via XML response
AnswerA

XXE can read internal files like /etc/passwd or perform server-side request forgery.

Why this answer

Option B is correct because XXE attacks can allow an attacker to read arbitrary files from the server's filesystem or perform SSRF. Option A is wrong while DoS is possible, the primary risk is information disclosure. Option C is wrong because XXE does not typically inject malicious code.

Option D is wrong because XXE targets the server, not the client.

338
MCQeasy

A company's help desk receives many requests from users who have forgotten their passwords. Which solution is MOST effective in reducing these requests while maintaining security?

A.Implement a self-service password reset (SSPR) with identity verification.
B.Increase the password expiration period to 180 days.
C.Use single sign-on for all applications.
D.Reduce the password complexity requirements.
AnswerA

Allows users to reset passwords securely without help desk intervention.

Why this answer

Self-service password reset (SSPR) with identity verification directly addresses the root cause of help desk calls—forgotten passwords—by allowing users to reset their own passwords after proving their identity via pre-registered methods (e.g., SMS, security questions, or biometrics). This reduces operational overhead while maintaining security through multi-factor verification and policy enforcement, unlike options that weaken security or fail to address the frequency of resets.

Exam trap

The trap here is that candidates often choose SSO (Option C) thinking it eliminates all password-related issues, but they overlook that SSO still requires a primary password and does not address forgotten-password requests for that single credential.

How to eliminate wrong answers

Option B is wrong because increasing the password expiration period to 180 days reduces the frequency of forced changes but does nothing to help users who forget their current password; it may even increase the risk of forgotten passwords due to longer intervals between use. Option C is wrong because single sign-on (SSO) reduces the number of passwords a user must remember but does not eliminate the need for the primary password; if that password is forgotten, the help desk still receives requests, and SSO introduces a single point of failure. Option D is wrong because reducing password complexity requirements weakens security by making passwords easier to guess or brute-force, violating the principle of defense in depth and increasing the risk of unauthorized access.

339
Multi-Selecthard

Which THREE of the following are common methods used in security assessment and testing? (Select exactly 3.)

Select 3 answers
A.Risk analysis
B.Penetration testing
C.Security auditing
D.Forensic analysis
E.Vulnerability scanning
AnswersB, C, E

Penetration testing is a common assessment method.

Why this answer

Penetration testing is a common method in security assessment and testing that simulates real-world attacks to identify exploitable vulnerabilities. Unlike vulnerability scanning, which only identifies potential weaknesses, penetration testing actively exploits them to validate security controls and measure the impact of a breach.

Exam trap

The trap here is that candidates confuse risk analysis (a management activity) with security testing, or mistake forensic analysis (a reactive process) for a proactive assessment method, leading them to select options outside the three correct ones (penetration testing, security auditing, vulnerability scanning).

340
MCQeasy

A company's security policy requires that all removable media be encrypted. An employee plugs in a USB drive and is prompted to format it before use. After formatting, the drive is not encrypted. What is the most likely reason?

A.The employee did not enable encryption (e.g., BitLocker To Go) after formatting
B.The USB drive hardware does not support encryption
C.The operating system does not support encryption of removable media
D.The employee used the wrong file system (FAT32 vs NTFS)
AnswerA

Encryption is a separate step that must be explicitly enabled, e.g., via BitLocker To Go.

Why this answer

Option A is correct because BitLocker To Go, the native encryption feature for removable drives in Windows, is not automatically enabled when a USB drive is formatted. The employee must explicitly enable encryption (e.g., via BitLocker To Go in Control Panel or by right-clicking the drive and selecting 'Turn on BitLocker') after formatting. Without this step, the drive remains unencrypted, violating the security policy.

Exam trap

The trap here is that candidates assume formatting a drive automatically applies encryption (e.g., thinking BitLocker is enabled by default), when in fact encryption must be explicitly activated after formatting.

How to eliminate wrong answers

Option B is wrong because modern USB drives, even basic ones, support encryption at the software level (e.g., BitLocker To Go) regardless of hardware encryption capabilities; the policy requires encryption, which can be achieved via software. Option C is wrong because Windows (the most common OS for such scenarios) fully supports encryption of removable media via BitLocker To Go, which is available in Pro, Enterprise, and Education editions. Option D is wrong because the file system (FAT32 vs NTFS) does not determine encryption; BitLocker To Go works with both, though NTFS is recommended for full feature support, and the lack of encryption is due to the employee not enabling it, not the file system choice.

341
Multi-Selecteasy

Which TWO of the following are security principles that should be applied during software development? (Select TWO)

Select 2 answers
A.Least privilege
B.Security through obscurity
C.Defense in depth
D.Single point of failure
E.Fail open
AnswersA, C

Least privilege ensures users and processes have only the minimum necessary permissions.

Why this answer

Options A and C are correct. Defense in depth (A) and least privilege (C) are fundamental security principles. Option B is wrong because single point of failure is a risk, not a principle.

Option D is wrong because fail open is insecure; fail closed is preferred. Option E is wrong because security through obscurity is not a reliable principle.

342
Multi-Selectmedium

Which THREE of the following are valid methods to reduce the risk of data exfiltration via removable media in a high-security environment?

Select 3 answers
A.Disable USB ports via group policy and physically lock cases
B.Require annual security awareness training on data handling
C.Use full disk encryption on all endpoints
D.Deploy endpoint DLP agents that block copy operations to removable media based on content
E.Implement data classification and labeling policies to raise awareness
AnswersA, D, E

Effective and enforceable control that physically prevents use of removable media.

Why this answer

Disabling USB ports via Group Policy (using administrative templates to set 'Removable Storage: Deny write access' to 'Enabled') combined with physically locking cases (e.g., using case locks or cable locks to prevent unauthorized access to internal USB headers) provides a dual-layer preventive control. This directly eliminates the attack vector by removing both logical and physical access to removable media, which is the most effective method in a high-security environment.

Exam trap

The trap here is that candidates often confuse full disk encryption (a data-at-rest protection) with a data exfiltration prevention control, failing to recognize that encryption does not block the copy operation itself.

343
Multi-Selectmedium

Which TWO of the following are effective methods for detecting unauthorized access to a network? (Choose two.)

Select 2 answers
A.Vulnerability scanner
B.Antivirus software
C.Security information and event management (SIEM)
D.Firewall rule review
E.Intrusion detection system (IDS)
AnswersC, E

Correlates logs from multiple sources to detect incidents.

Why this answer

A SIEM aggregates and correlates logs from multiple sources (e.g., firewalls, servers, IDS) in real time, enabling detection of anomalous patterns indicative of unauthorized access. It provides centralized visibility and alerting that can identify a breach even when individual logs appear benign.

Exam trap

The trap here is that candidates confuse vulnerability scanning (proactive) with intrusion detection (reactive), or assume antivirus covers network-level threats, when in fact neither provides real-time monitoring of network access attempts.

344
MCQeasy

A security analyst reviews the syslog configuration exhibit. What is the primary security concern with this configuration?

A.The remote syslog server is not configured to receive logs
B.Logs are sent in clear text to the remote syslog server
C.The logging level for authentication is set to 'none'
D.Local7 and mail logs are being sent to different destinations
AnswerB

UDP syslog is unencrypted.

Why this answer

The configuration shows syslog messages being sent to a remote server using UDP port 514 without any encryption or authentication mechanism. By default, syslog over UDP transmits all log data in clear text, meaning any attacker with network access can intercept and read sensitive information such as failed login attempts, user names, or system events. This violates the confidentiality principle and is the primary security concern because it exposes potentially sensitive audit data in transit.

Exam trap

The trap here is that candidates often focus on the logging levels or destinations (options C and D) as misconfigurations, but the real vulnerability is the clear-text transmission of logs over an unencrypted channel, which is a classic confidentiality risk in syslog implementations.

How to eliminate wrong answers

Option A is wrong because the configuration explicitly specifies a remote syslog server IP address and port, and the syslog protocol does not require the server to pre-acknowledge receipt; the client will send logs regardless of server readiness. Option C is wrong because the exhibit shows 'auth.*' being logged to the remote server, and the 'none' level is not a valid syslog severity level; the configuration uses standard severity levels like 'info' and 'debug', and authentication logging is clearly enabled. Option D is wrong because sending different facility logs to different destinations is a common and valid practice for log segregation, and it does not introduce a security vulnerability; the concern is the lack of encryption, not the distribution of logs.

345
Drag & Dropmedium

Drag and drop the steps for conducting a risk assessment in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Risk assessment begins with asset identification, then threat/vulnerability identification, likelihood/impact determination, risk calculation, and treatment recommendations.

346
Multi-Selecteasy

Which THREE of the following are recognized roles in asset security?

Select 3 answers
A.Data custodian
B.Data owner
C.Data processor
D.Data subject
E.Data auditor
AnswersA, B, C

Data custodian implements controls on behalf of owner.

Why this answer

The data custodian (A) is responsible for implementing and maintaining security controls according to the data owner's directives, such as applying encryption, managing backups, and enforcing access controls. This role is recognized in asset security because it bridges policy and operational execution, ensuring the CIA triad is maintained on the stored or processed data.

Exam trap

The trap here is that candidates confuse the data subject (a GDPR-defined individual) with a security role, or mistakenly think the data auditor is a primary asset security role, when the CISSP framework explicitly lists only data owner, data custodian, and data processor as the recognized roles in asset security.

347
Multi-Selecthard

Which THREE of the following are valid techniques to ensure software integrity during the build and deployment process? (Select THREE.)

Select 3 answers
A.Implementing role-based access control on the build server
B.Using cryptographic hashes (e.g., SHA-256) to verify files
C.Continuous integration automated builds
D.Performing checksum verification after deployment
E.Code signing with a trusted certificate
AnswersB, D, E

Hashes detect unauthorized changes.

Why this answer

Cryptographic hashes like SHA-256 produce a unique fixed-size digest of a file's contents. By comparing the hash of a built artifact against a known-good hash, you can detect any unauthorized modification, corruption, or tampering that occurred during the build or deployment process. This directly ensures software integrity by verifying that the file has not been altered.

Exam trap

The trap here is confusing process controls (like RBAC or CI automation) with integrity verification mechanisms; candidates often think that restricting access or automating builds inherently ensures the software hasn't been tampered with, but only cryptographic techniques like hashing and signing provide direct integrity assurance.

348
MCQmedium

A software development company uses a continuous integration/continuous deployment (CI/CD) pipeline that automatically builds and deploys code to production after passing automated tests. The code repository contains proprietary algorithms and customer data. A recent incident was traced to an attacker who injected malicious code into a library that was pulled from a public package repository during the build process. The company wants to prevent similar supply chain attacks without significantly slowing development. Which of the following is the BEST course of action?

A.Require all developers to perform manual code review of every third-party library before inclusion
B.Perform static application security testing (SAST) on the entire codebase including libraries
C.Increase the frequency of vulnerability scanning on the production environment and delay deployment of any library that has a deprecation notice
D.Implement a private repository that mirrors approved open-source libraries and enforces signature verification and hash checks before allowing use
AnswerD

A private mirror with integrity checks ensures only verified packages are used, blocking malicious ones from the public repo.

Why this answer

Option D is correct because implementing a private repository that mirrors only approved, vetted open-source libraries with enforced signature verification and hash checks directly addresses supply chain attacks by ensuring that only trusted, integrity-verified code enters the build pipeline. This approach prevents malicious code from public repositories from being pulled automatically, without requiring manual review of every library (which would slow development) or relying on post-build scanning that cannot prevent the initial injection. It aligns with the principle of secure software supply chain management by establishing a trusted source of components.

Exam trap

ISC2 often tests the distinction between reactive security controls (like SAST or vulnerability scanning) and proactive supply chain controls (like private repositories with integrity verification), and the trap here is that candidates may choose SAST (option B) because it sounds technical and comprehensive, but it fails to prevent the initial injection of malicious code during the build process.

How to eliminate wrong answers

Option A is wrong because requiring manual code review of every third-party library is impractical and would significantly slow development, defeating the goal of not slowing the pipeline; it also does not scale for large numbers of dependencies and is error-prone. Option B is wrong because performing SAST on the entire codebase including libraries would detect vulnerabilities in the code but cannot prevent the initial injection of malicious code during the build process, as SAST analyzes source code after it is already in the repository, not during the pull from a public package repository. Option C is wrong because increasing vulnerability scanning frequency on the production environment and delaying deployment of libraries with deprecation notices does not prevent the initial injection of malicious code into the build; it only identifies issues after deployment and introduces delays that conflict with the goal of not slowing development.

349
Multi-Selecteasy

During a security assessment, an organization wants to ensure that its web application is resistant to common attacks. Which THREE testing types should be included?

Select 3 answers
A.Input validation testing
B.Network segmentation testing
C.Load testing
D.Authentication testing
E.Session management testing
AnswersA, D, E

Identifies injection and XSS vulnerabilities.

Why this answer

Input validation testing (A) is correct because it directly addresses common web application attacks such as SQL injection, cross-site scripting (XSS), and command injection by ensuring that all user-supplied data is properly sanitized, validated, and encoded before processing. Without rigorous input validation, an attacker can manipulate input fields to execute arbitrary code or access unauthorized data, making this a foundational security control in the OWASP Top 10.

Exam trap

ISC2 often tests the distinction between security testing types and operational or performance testing, so candidates mistakenly choose load testing because they confuse 'resistance to attacks' with 'resistance to high traffic' (e.g., DDoS), but load testing does not assess application-layer vulnerabilities.

350
MCQmedium

Based on the firewall log entry, what is the most likely cause of the denied traffic?

A.No firewall rule explicitly permits traffic from 10.0.0.25 to 203.0.113.50 on port 443.
B.The source IP is attempting a port scan on the destination.
C.The destination port should be 80 instead of 443.
D.The destination server's SSL certificate has expired.
AnswerA

The reason 'No matching rule' indicates no permit rule exists for this flow.

Why this answer

The firewall log entry shows a packet from source IP 10.0.0.25 to destination IP 203.0.113.50 on destination port 443 (HTTPS) being denied. The most likely cause is that no firewall rule explicitly permits this traffic. Firewalls operate on a default-deny or explicit-permit model; if no rule matches the source, destination, and port, the packet is dropped.

This is a fundamental principle of access control lists (ACLs) and stateful inspection.

Exam trap

The trap here is that candidates may confuse network-layer denial with application-layer issues (like SSL certificates) or misinterpret a single denied packet as evidence of a port scan, when the core concept is that firewalls enforce explicit permit rules and deny all other traffic by default.

How to eliminate wrong answers

Option B is wrong because a single denied packet on port 443 does not indicate a port scan; port scans typically involve multiple packets to different ports in rapid succession, and the log entry shows only one denied packet. Option C is wrong because the destination port being 80 (HTTP) instead of 443 (HTTPS) is irrelevant to the cause of denial; the firewall denies traffic based on its rules, not on whether the port is 'correct' for the service. Option D is wrong because SSL certificate expiration is an application-layer issue that occurs after a TCP connection is established; the firewall denies the packet at the network or transport layer before any TLS handshake can occur.

351
MCQhard

Refer to the exhibit. Which security model does this policy enforce?

A.Biba
B.Brewer-Nash
C.Bell-LaPadula
D.Clark-Wilson
AnswerC

Correct. BLP enforces no read up and no write down.

Why this answer

The Bell-LaPadula model enforces a mandatory access control policy based on the 'no read up, no write down' principle, which directly corresponds to the exhibit's rule that a subject at a given security level cannot read objects at a higher level (Simple Security Property) and cannot write to objects at a lower level (Star Property). This is the only model among the options that specifically addresses confidentiality through hierarchical classification levels and the prevention of information flow from higher to lower security levels.

Exam trap

ISC2 often tests the confusion between Bell-LaPadula (confidentiality, no read up/no write down) and Biba (integrity, no read down/no write up), so candidates mistakenly pick Biba when they see a policy about preventing information flow from high to low, not realizing the direction of the rules is reversed.

How to eliminate wrong answers

Option A is wrong because the Biba model enforces integrity, not confidentiality, using 'no read down, no write up' rules, which is the opposite of the exhibit's policy. Option B is wrong because the Brewer-Nash (Chinese Wall) model prevents conflicts of interest by dynamically controlling access based on previously accessed datasets, not by static hierarchical classification levels. Option D is wrong because the Clark-Wilson model focuses on integrity through well-formed transactions and separation of duties, not on confidentiality-based read/write restrictions across security levels.

352
MCQeasy

An information security manager is implementing an asset classification policy. Which of the following is the primary purpose of classifying information assets?

A.To track the physical location of all assets
B.To apply appropriate security controls based on asset sensitivity
C.To determine the monetary value of each asset
D.To identify the legal owner of each asset
AnswerB

Classification drives the level of protection needed for each asset.

Why this answer

The primary purpose of classifying information assets is to assign a level of sensitivity (e.g., confidential, internal, public) so that appropriate security controls—such as encryption, access control lists, and data loss prevention rules—can be applied proportionally. This ensures that resources are focused on protecting the most critical data, aligning with the principle of cost-effective risk management.

Exam trap

The trap here is that candidates confuse the purpose of classification with asset inventory or valuation, but the CISSP emphasizes that classification is fundamentally about applying the right security controls based on sensitivity, not about tracking, pricing, or ownership.

How to eliminate wrong answers

Option A is wrong because tracking physical location is a function of asset inventory and management, not classification; classification focuses on the data's sensitivity, not its physical whereabouts. Option C is wrong because while classification may inform valuation, its primary purpose is not to determine monetary value—that is a separate financial or risk assessment activity. Option D is wrong because identifying the legal owner is a matter of asset ownership and accountability, which is related but secondary; classification is about the data's sensitivity level, not who owns it.

353
MCQmedium

A healthcare organization is moving patient records to a cloud storage service. Which of the following is the MOST important requirement to ensure data security and compliance with HIPAA?

A.Multi-factor authentication for all cloud access
B.Encryption of data in transit using TLS 1.2
C.A signed Business Associate Agreement (BAA) with the cloud provider
D.Encryption of data at rest using AES-256
AnswerC

A BAA is required under HIPAA to ensure the cloud provider handles PHI appropriately.

Why this answer

Under HIPAA, a covered entity must have a signed Business Associate Agreement (BAA) with any cloud service provider that creates, receives, maintains, or transmits protected health information (PHI). Without a BAA, the provider is not contractually bound to safeguard PHI, making the organization non-compliant regardless of technical controls. While encryption and MFA are important security measures, they cannot substitute for the legal and regulatory requirement of a BAA.

Exam trap

The trap here is that candidates often focus on technical security controls like encryption or MFA, overlooking the foundational legal and regulatory requirement of a signed Business Associate Agreement, which is the non-negotiable first step for HIPAA compliance with a cloud provider.

How to eliminate wrong answers

Option A is wrong because multi-factor authentication (MFA) is a strong access control but does not address the contractual and legal obligations required by HIPAA for business associates; it is a security best practice, not a compliance requirement. Option B is wrong because encryption of data in transit using TLS 1.2 protects data during transmission but does not ensure the cloud provider is legally bound to protect PHI as a business associate; HIPAA mandates a BAA regardless of transport encryption. Option D is wrong because encryption of data at rest using AES-256 protects stored data but, like the other technical controls, does not satisfy the HIPAA requirement for a signed BAA with the cloud provider.

354
MCQmedium

A company uses Role-Based Access Control (RBAC) for its ERP system. A user in the 'Accounts Payable' role needs to temporarily approve purchase orders up to $10,000 while the 'Purchasing Manager' is on leave. What is the BEST way to grant this access?

A.Share the Purchasing Manager's account credentials with the user
B.Temporarily assign the 'Purchasing Approver' role to the user with an expiration date
C.Modify the 'Accounts Payable' role to include purchase order approval permissions
D.Create a new role with the exact permissions needed and assign it to the user
AnswerB

This grants needed access for a limited time, maintaining least privilege.

Why this answer

Option B is correct because it follows the principle of least privilege by temporarily assigning the 'Purchasing Approver' role to the user with an expiration date, ensuring that the elevated permissions are automatically revoked after the leave period. This approach maintains RBAC integrity without permanently altering role definitions or sharing credentials.

Exam trap

The trap here is that candidates often choose Option D (creating a new role) because they think it follows least privilege, but they overlook that RBAC best practice is to reuse existing roles with temporary assignments rather than proliferating roles, which violates role-mining principles and adds administrative overhead.

How to eliminate wrong answers

Option A is wrong because sharing the Purchasing Manager's account credentials violates the principle of non-repudiation and accountability, as actions cannot be attributed to the correct user, and it bypasses RBAC entirely. Option C is wrong because modifying the 'Accounts Payable' role to include purchase order approval permissions would permanently grant those rights to all users in that role, violating least privilege and potentially creating a segregation of duties conflict. Option D is wrong because creating a new role with exact permissions is unnecessarily complex and violates RBAC role-mining best practices; it is better to reuse an existing role (Purchasing Approver) with a temporary assignment than to proliferate roles.

355
MCQhard

A network engineer is configuring a firewall to allow HTTP traffic from the internet to a web server (10.0.0.10). The firewall has three interfaces: outside (ISP), DMZ (10.0.0.0/24), and inside (192.168.1.0/24). The web server is in the DMZ. Which rule is correct?

A.Rule: Source interface Inside, Source any, Destination 10.0.0.10, Port 80, Action allow
B.Rule: Source interface Outside, Source any, Destination 10.0.0.10, Port 80, Action allow
C.Rule: Source interface Outside, Source 192.168.1.0/24, Destination 10.0.0.10, Port 80, Action allow
D.Rule: Source interface DMZ, Source any, Destination 10.0.0.10, Port 80, Action allow
AnswerB

This correctly allows inbound HTTP from internet to DMZ web server.

Why this answer

Option B is correct because HTTP traffic from the internet arrives on the outside interface, and the firewall rule must match the source interface (Outside), allow any source IP, and specify the destination IP (10.0.0.10) and port 80. This permits inbound web traffic to the DMZ web server while maintaining security boundaries.

Exam trap

ISC2 often tests the concept that firewall rules must specify the correct source interface (ingress zone) rather than just the source IP, leading candidates to mistakenly choose rules that match the destination but not the traffic's entry point.

How to eliminate wrong answers

Option A is wrong because the source interface is Inside (192.168.1.0/24), which would allow traffic from the internal network, not from the internet. Option C is wrong because the source is restricted to 192.168.1.0/24, which is the internal subnet, not the internet; this would block legitimate external HTTP requests. Option D is wrong because the source interface is DMZ, which would only allow traffic originating from within the DMZ itself, not from the internet.

356
Multi-Selecthard

Which TWO of the following are best practices for securing containerized applications? (Select exactly 2.)

Select 2 answers
A.Mounting the host filesystem to persist logs
B.Running the container process as a non-root user
C.Cleaning the certificate store to prevent MITM
D.Exposing port 22 for SSH debugging in production
E.Using minimal base images such as Alpine or scratch
AnswersB, E

Non-root user reduces privilege escalation risk.

Why this answer

Options A and D are correct. Dockerfile best practice includes running as non-root to limit container breakout. Using minimal base images reduces attack surface.

Option B is wrong because debug ports should be disabled in production. Option C is wrong because clearing the certificate store breaks TLS communication. Option E is wrong because bind mounting the host's root filesystem is highly insecure.

357
MCQmedium

A security engineer reviews the S3 bucket policy in the exhibit. What is the most significant security issue with this configuration?

A.The resource ARN does not specify a version ID
B.The policy does not enforce encryption in transit
C.The bucket allows public read access to all objects
D.The policy lacks an explicit deny statement
AnswerC

The policy grants read access to anyone, exposing sensitive data.

Why this answer

The S3 bucket policy in the exhibit grants "Effect": "Allow" with "Principal": "*" and "Action": "s3:GetObject" on the bucket ARN. This configuration effectively makes all objects in the bucket publicly readable over the internet, which is a severe data exposure risk. Option C correctly identifies this as the most significant security issue because it violates the principle of least privilege and can lead to unauthorized access to sensitive data.

Exam trap

The trap here is that candidates may focus on missing technical details like version IDs or encryption conditions, but the most critical security flaw is the explicit public read access granted to all objects, which directly leads to data exposure.

How to eliminate wrong answers

Option A is wrong because S3 bucket policies apply to all versions of objects unless a specific version ID is required; omitting a version ID does not inherently create a security vulnerability. Option B is wrong because S3 bucket policies do not enforce encryption in transit (HTTPS); that is controlled by the bucket's policy condition using "aws:SecureTransport" or by enabling S3 Block Public Access settings, and the absence of such a condition is not the most significant issue here. Option D is wrong because an explicit deny statement is not required for security; the default implicit deny (deny by default) applies to any action not explicitly allowed, and the problem is the overly permissive allow statement, not the lack of an explicit deny.

358
MCQmedium

An organization has implemented a new SIEM system. What is the most critical factor for its effectiveness?

A.The cost of the solution
B.The speed of data ingestion
C.The ability to correlate events
D.The number of log sources integrated
AnswerC

Correlation enables identification of patterns and incidents across multiple sources.

Why this answer

The most critical factor for a SIEM's effectiveness is its ability to correlate events across diverse log sources to detect complex attack patterns, such as a lateral movement chain or a multi-stage exploit. Without correlation, a SIEM is merely a log aggregator, unable to distinguish a true security incident from isolated benign events. Correlation engines apply rule-based or statistical analysis (e.g., using Sigma rules or machine learning) to identify relationships between seemingly unrelated log entries, which is the core value proposition of a SIEM.

Exam trap

The trap here is that candidates often mistake 'speed of data ingestion' or 'number of log sources' as the primary success factor, confusing operational metrics with the analytical core of a SIEM, which is correlation.

How to eliminate wrong answers

Option A is wrong because the cost of the solution does not directly impact the SIEM's analytical capability; a high-cost SIEM can still be ineffective if its correlation logic is weak or misconfigured. Option B is wrong because while data ingestion speed is important for real-time monitoring, it is not the most critical factor; a SIEM that ingests data quickly but lacks correlation logic will still fail to detect sophisticated attacks. Option D is wrong because the number of log sources integrated is secondary to the quality of correlation; integrating many sources without proper normalization and correlation rules leads to noise and alert fatigue, not improved detection.

359
MCQhard

A security analyst notes that a recent penetration test successfully exploited a vulnerability in a legacy application that cannot be patched. The analyst recommends implementing network segmentation to limit the application's exposure. This recommendation is an example of:

A.Risk mitigation
B.Risk acceptance
C.Risk avoidance
D.Risk transfer
AnswerA

Network segmentation reduces the impact, mitigating the risk.

Why this answer

Implementing network segmentation to limit exposure of an unpatched legacy application is a classic example of risk mitigation. By isolating the application on a separate network segment (e.g., using VLANs or firewall rules), the analyst reduces the likelihood or impact of a successful exploit, even though the underlying vulnerability remains unpatched. This directly aligns with the CISSP definition of risk mitigation: applying controls to reduce risk to an acceptable level.

Exam trap

The trap here is confusing risk mitigation with risk avoidance — candidates often think that any action taken to address a vulnerability is avoidance, but avoidance requires eliminating the risk entirely (e.g., removing the application), whereas mitigation reduces but does not eliminate the risk.

How to eliminate wrong answers

Option B (Risk acceptance) is wrong because risk acceptance involves formally acknowledging the risk and deciding not to take any action, whereas the analyst is actively implementing a control (segmentation). Option C (Risk avoidance) is wrong because risk avoidance would mean discontinuing the application or removing it entirely to eliminate the risk, not isolating it. Option D (Risk transfer) is wrong because risk transfer shifts the financial burden of a loss to a third party (e.g., via insurance or outsourcing), not implementing a technical control like segmentation.

360
MCQhard

A network administrator has configured private VLANs on a switch. The host in this port is part of PVLAN 100, and its associated secondary PVLAN is 200. What is the expected behavior for traffic from this host to other hosts in the same primary VLAN 100?

A.It cannot communicate with any other host
B.It can communicate only with other hosts in the same secondary VLAN 200
C.It can communicate with the promiscuous port only
D.It can communicate with all hosts in primary VLAN 100
AnswerC

Private VLAN host ports can only communicate with the promiscuous port in the same primary VLAN.

Why this answer

In a private VLAN (PVLAN) configuration, a host in a community or isolated secondary VLAN cannot communicate with other hosts in the same primary VLAN unless they share the same secondary VLAN. However, the question specifies that the host is in PVLAN 100 and its associated secondary PVLAN is 200, but does not state that the host is in a community VLAN; the only way a host in a secondary VLAN can communicate with any other host is via the promiscuous port (typically connected to a router or firewall). Since the host is in an isolated secondary VLAN (or community without a matching community), it can only send traffic to the promiscuous port, which then forwards it as needed.

Exam trap

ISC2 often tests the misconception that a host in a private VLAN can communicate with all other hosts in the same primary VLAN, but the correct behavior is that host-to-host communication is restricted to the same secondary VLAN (if community) or only to the promiscuous port (if isolated), and the question's phrasing 'associated secondary PVLAN is 200' implies an isolated VLAN unless stated otherwise.

How to eliminate wrong answers

Option A is wrong because a host in a private VLAN can communicate with the promiscuous port, so it is not completely isolated from all hosts. Option B is wrong because the host is in secondary VLAN 200, but the question does not indicate that any other hosts are in the same secondary VLAN 200; even if they were, the host could communicate with them only if the secondary VLAN is a community VLAN, but the default behavior for an isolated VLAN (which is typical when only one secondary VLAN is assigned) is to block all host-to-host communication within the same secondary VLAN. Option D is wrong because private VLANs explicitly prevent hosts in different secondary VLANs from communicating with each other, and even hosts in the same secondary VLAN (if isolated) cannot communicate directly; only the promiscuous port can communicate with all hosts in the primary VLAN.

361
Multi-Selectmedium

Which TWO of the following are key components of an Information Security Governance framework? (Select exactly 2)

Select 2 answers
A.Incident response team structure
B.Risk management processes
C.Strategic alignment of security with business objectives
D.Penetration testing schedule
E.Vendor contract negotiation
AnswersB, C

Correct - Risk management is a governance responsibility.

Why this answer

Risk management processes are a core component of an Information Security Governance framework because they provide the structured methodology for identifying, assessing, and mitigating risks to the organization's information assets. This aligns with the ISO/IEC 27001 standard, which mandates a risk-based approach to establishing, implementing, and maintaining an information security management system (ISMS). Without formal risk management, governance lacks the data-driven foundation to prioritize security investments and controls.

Exam trap

The trap here is that candidates confuse operational security activities (like incident response teams or penetration testing) with governance-level components, which are strategic, policy-driven, and focused on oversight and alignment rather than execution.

362
MCQhard

Refer to the exhibit. A user 'jdoe' is a member of the Domain Users group but not of the Administrators or Remote Desktop Users groups. The user reports they cannot log on locally to a domain-joined Windows server, but they can log on via RDP. Based on the GPO results, what is the MOST likely reason?

A.The user is a member of the Remote Desktop Users group
B.The user is not a member of the local Users group or Administrators group
C.The user is a member of a group that is denied local logon
D.The user is denied logon through Remote Desktop Services
AnswerB

Domain Users are not in the local Users group; local logon is only allowed for Administrators and local Users.

Why this answer

The user 'jdoe' can log on via RDP but not locally because the default security policy on a domain-joined Windows server grants the 'Allow log on locally' right only to the local Administrators group and the local Users group. Since 'jdoe' is a member of Domain Users, which is mapped to the local Users group on a domain-joined server, the user should normally have local logon rights. However, the exhibit shows GPO results that likely indicate the local Users group has been removed from the 'Allow log on locally' policy, or the user is not actually a member of the local Users group (e.g., the server is configured to not map Domain Users to the local Users group).

The most direct reason is that the user is not a member of either the local Users group or the local Administrators group, which are the only groups granted local logon by default.

Exam trap

The trap here is that candidates assume Domain Users automatically have local logon rights on all domain-joined servers, but a GPO can explicitly remove the local Users group from the 'Allow log on locally' policy, effectively blocking all standard domain users from interactive logon.

How to eliminate wrong answers

Option A is wrong because the user can log on via RDP, which requires membership in the Remote Desktop Users group (or having the 'Allow log on through Remote Desktop Services' right); if the user were a member of that group, it would not prevent local logon. Option C is wrong because there is no evidence in the scenario that the user is a member of a group explicitly denied local logon via the 'Deny log on locally' policy; the GPO results would show such a denial if it existed. Option D is wrong because the user can log on via RDP, so they are not denied logon through Remote Desktop Services; the issue is specifically with local logon, not remote logon.

363
MCQeasy

A data classification scheme includes Public, Internal, Confidential, and Restricted. Which classification requires the highest level of protection?

A.Restricted
B.Internal
C.Public
D.Confidential
AnswerA

Restricted is the highest classification, requiring maximum protection.

Why this answer

Restricted is the highest classification level in this scheme, indicating data that would cause severe damage to the organization if disclosed. It requires the strongest access controls, encryption (e.g., AES-256 for data at rest, TLS 1.3 for data in transit), and strict need-to-know policies. This aligns with the principle of protecting data based on its sensitivity and the potential impact of unauthorized disclosure.

Exam trap

The trap here is that candidates often confuse 'Confidential' with the highest level because it sounds more restrictive than 'Restricted', but in this scheme 'Restricted' is explicitly the top tier, requiring the most stringent controls.

How to eliminate wrong answers

Option B (Internal) is wrong because Internal data is intended for internal use only but does not require the highest level of protection; its compromise would cause moderate damage, not severe. Option C (Public) is wrong because Public data is intended for unrestricted disclosure and requires the lowest level of protection, often with no access controls. Option D (Confidential) is wrong because Confidential data requires a high level of protection but is still below Restricted; its compromise would cause serious damage, but not the most severe impact.

364
MCQmedium

Refer to the exhibit. An auditor identifies a non-compliance issue regarding the cryptographic key lifecycle. Which policy requirement has been violated?

A.Encrypted backup requirement
B.HSM storage requirement
C.Key destruction upon compromise
D.Key rotation interval
AnswerA

The policy requires encrypted backup, but the key was stored in plaintext.

Why this answer

The policy states that backup must be encrypted. The key was exported to a plaintext file on an unencrypted backup server, violating the confidentiality requirement. The key was also restored and continued in use, which may be acceptable if it was not compromised, but the backup method is non-compliant.

365
Multi-Selecteasy

Which TWO of the following are key elements of a disaster recovery plan (DRP)?

Select 2 answers
A.Communication and notification procedures
B.Standard operating procedures for daily tasks
C.Patch management schedules
D.Recovery priorities and order of restoration
E.Business impact analysis (BIA) results
AnswersA, D

Essential for coordinating recovery.

Why this answer

A and D are correct. A is correct because a DRP must include communication procedures to notify stakeholders. D is correct because the DRP should outline the order in which systems are restored (recovery priorities).

B is incorrect because the BIA itself is separate, though its outputs inform the DRP. C is incorrect because the DRP is not focused on daily operations but on recovery. E is incorrect because patch management is part of ongoing maintenance.

366
MCQeasy

An analyst reviews the exhibit showing Windows security event logs. What activity should be investigated as a potential data exfiltration attempt?

A.The user reading the PII file at 09:23:45
B.The sequence of events on the same file by the same user
C.The user deleting the PII file at 09:25:00 using cmd.exe
D.The user writing to the PII file at 09:24:10
AnswerC

Deleting a PII file using command prompt is unusual and could indicate an attempt to cover tracks.

Why this answer

Option C is correct because deleting a PII file via cmd.exe (command-line interface) shortly after reading and writing to it is a classic indicator of data exfiltration. The attacker likely read the sensitive data, wrote a copy or staged it, then used cmd.exe to delete the original file to cover tracks and avoid detection by file access audits. This sequence—read, write, delete via command line—is anomalous for normal user behavior and strongly suggests intentional removal of evidence after data theft.

Exam trap

The trap here is that candidates focus on the individual actions (read, write, delete) rather than the sequence and the tool used (cmd.exe), missing that the combination of read, write, and command-line deletion is the hallmark of a data exfiltration attempt.

How to eliminate wrong answers

Option A is wrong because reading a PII file at 09:23:45 is a normal business activity and does not alone indicate exfiltration; many users legitimately access sensitive files. Option B is wrong because a sequence of events on the same file by the same user is not inherently suspicious—it could be routine editing or review; the specific combination of read, write, and delete via cmd.exe is what raises concern. Option D is wrong because writing to a PII file at 09:24:10 could be legitimate modification or saving work; without the subsequent anomalous deletion via command line, it is not a clear exfiltration attempt.

367
Multi-Selectmedium

Which TWO are examples of administrative controls in an information security program?

Select 2 answers
A.Background checks
B.Encryption algorithms
C.Security awareness training
D.Firewall rules
E.Access control lists (ACLs)
AnswersA, C

Background checks are administrative, part of personnel security.

Why this answer

Administrative controls involve policies, procedures, and people. Security awareness training and background checks are administrative. Firewalls, ACLs, and encryption are technical/physical.

368
Multi-Selecteasy

Which TWO of the following are principles of the data minimization concept under privacy regulations such as GDPR?

Select 2 answers
A.Ensure personal data is accurate and kept up to date
B.Collect only the personal data that is directly relevant and necessary for the specified purpose
C.Store personal data for as long as possible for future analysis
D.Limit the processing of personal data to only what is necessary for the intended purpose
E.Provide individuals with access to their data upon request
AnswersB, D

This is the core of data minimization.

Why this answer

Option B is correct because data minimization under GDPR (Article 5(1)(c)) requires that personal data collected be 'adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.' This principle directly mandates collecting only the data that is directly relevant and necessary for the specified purpose, preventing over-collection and reducing privacy risk.

Exam trap

ISC2 often tests the distinction between the seven GDPR principles (lawfulness, fairness, transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability) and the data subject rights (access, rectification, erasure, etc.), so candidates mistakenly select a right like access as a minimization principle.

369
MCQmedium

Refer to the exhibit. An application running on this server uses HTTPS (port 443). What is the most likely impact of the current firewall rules on the application?

A.Clients will only be able to connect from IP addresses in the 10.0.0.0/8 range.
B.The application will function normally as HTTP is allowed.
C.Clients will be unable to connect to the application because HTTPS is not explicitly allowed.
D.All HTTPS traffic will be logged and then dropped.
AnswerC

Only port 80 is allowed; port 443 is blocked by the default DROP policy.

Why this answer

Option B is correct because the exhibit shows an ACCEPT rule for port 80 but no rule for port 443. The default policy is DROP, so HTTPS traffic will be dropped. Option A is wrong because port 80 HTTP is allowed but not HTTPS.

Option C is wrong because there is no rule for port 443. Option D is wrong because the rules do not log HTTPS traffic; the LOG rule is for source 10.0.0.0/8.

370
Multi-Selecthard

Which THREE are essential elements of a Transport Layer Security (TLS) handshake? (Choose three.)

Select 3 answers
A.Key generation
B.Cipher suite negotiation
C.Certificate exchange
D.User authentication
E.Session ticket exchange
AnswersA, B, C

The handshake derives symmetric encryption keys.

Why this answer

Key generation is essential because during a TLS handshake, the client and server derive session keys using the pre-master secret exchanged via asymmetric encryption (e.g., RSA or Diffie-Hellman). These keys are then used for symmetric encryption of the session, ensuring confidentiality and integrity. Without key generation, no secure communication channel can be established.

Exam trap

The trap here is that candidates often confuse optional features like session resumption (session tickets) or client authentication as mandatory handshake elements, when in fact the three essential components are cipher suite negotiation, certificate exchange, and key generation.

371
MCQmedium

Refer to the exhibit. The file data.txt contains PII. What is the most likely security issue indicated by the logs?

A.The HTTP 200 status indicates the file is corrupted
B.The file permissions restrict access to root only
C.The file is being overwritten by unauthorized users
D.The file is being accessed by multiple IPs, potentially indicating data exfiltration
AnswerD

Multiple GET requests from different IPs to a PII file is suspicious.

Why this answer

The log shows the same file data.txt being accessed from multiple distinct IP addresses (10.0.0.1, 10.0.0.2, 10.0.0.3) with HTTP 200 success responses. This pattern of repeated successful reads from different sources is a classic indicator of data exfiltration, where an attacker or malicious insider is copying sensitive PII to multiple external hosts. The HTTP 200 status confirms the file was successfully retrieved each time, ruling out corruption or access failures.

Exam trap

The trap here is that candidates focus on the HTTP 200 status or file permissions as the issue, rather than recognizing that repeated successful reads from multiple IPs is the hallmark of data exfiltration.

How to eliminate wrong answers

Option A is wrong because an HTTP 200 status code means the request succeeded and the file was delivered intact, not corrupted; corruption would typically result in a 500-series error or checksum mismatch. Option B is wrong because the logs show successful reads (HTTP 200) from multiple IPs, which would be impossible if file permissions restricted access to root only; the file is clearly readable by the web server process. Option C is wrong because the logs show GET requests (reads), not PUT/POST/DELETE operations, so the file is being read, not overwritten; overwriting would require write operations and different HTTP methods.

372
MCQeasy

A small business wants to implement multifactor authentication (MFA) for remote access to its internal network. The solution must be cost-effective and easy to deploy. Which combination is most appropriate?

A.Fingerprint scanner and password
B.Password and one-time passcode sent via SMS
C.Smart card and PIN
D.Password and security questions
AnswerB

SMS OTP is inexpensive and easy to deploy.

Why this answer

Option B is correct because it combines a password (something you know) with a one-time passcode sent via SMS (something you have), satisfying the definition of multifactor authentication. SMS-based OTP is cost-effective and easy to deploy for a small business, as it requires no additional hardware or complex infrastructure, leveraging existing mobile networks.

Exam trap

The trap here is that candidates may incorrectly assume that any two different authentication methods automatically constitute MFA, forgetting that MFA requires factors from at least two distinct categories (knowledge, possession, inherence), and that cost-effectiveness and ease of deployment are key constraints in this scenario.

How to eliminate wrong answers

Option A is wrong because a fingerprint scanner (something you are) and a password (something you know) are two different factors, but fingerprint scanners are typically more expensive and complex to deploy, making them less cost-effective for a small business. Option C is wrong because a smart card (something you have) and a PIN (something you know) are two factors, but smart cards require card readers and provisioning infrastructure, increasing cost and deployment complexity. Option D is wrong because a password and security questions are both 'something you know' factors, which does not constitute multifactor authentication; security questions are a single factor and are often weak due to publicly discoverable answers.

373
MCQeasy

A user calls the help desk because they cannot log in. The help desk technician confirms the user's identity by asking for their employee ID and mother's maiden name. Which of the following is the MOST significant security issue with this practice?

A.The user's mother's maiden name is not stored in the HR system.
B.The technician is using shared secrets that are not effective for strong authentication.
C.The help desk should be using multi-factor authentication.
D.The user's identity is being verified using information that is not unique to the user.
AnswerB

Mother's maiden name is a shared secret that can be easily obtained through social engineering.

Why this answer

Option A is correct because relying on shared secrets like mother's maiden name is weak authentication. Option B is incorrect because the information may be unique but is not secret. Option C is incorrect, while MFA is better, the most significant issue is the use of weak shared secrets.

Option D is incorrect; the information may still be stored.

374
MCQeasy

Which of the following is a primary benefit of using an application programming interface (API) gateway in a microservices architecture from a security perspective?

A.It eliminates the need for encryption
B.It replaces the need for a web application firewall
C.It allows direct database access to services
D.It provides a centralized point for authentication and rate limiting
AnswerD

Correct. API gateways enforce security policies centrally.

Why this answer

An API gateway acts as a single entry point for all client requests in a microservices architecture. It centralizes cross-cutting security concerns such as authentication (e.g., validating OAuth 2.0 tokens or JWT) and rate limiting (e.g., enforcing requests per second per client), offloading these tasks from individual microservices. This reduces attack surface and ensures consistent enforcement of security policies across the entire system.

Exam trap

The trap here is that candidates may assume an API gateway provides comprehensive security (like a WAF) or replaces encryption, when in fact it is a centralized policy enforcement point for authentication and traffic management, not a substitute for dedicated security controls like encryption or a WAF.

How to eliminate wrong answers

Option A is wrong because an API gateway does not eliminate the need for encryption; in fact, it typically terminates TLS (e.g., HTTPS) and may require encryption between the gateway and backend services (e.g., mTLS). Option B is wrong because an API gateway does not replace a web application firewall (WAF); a WAF provides deep packet inspection for application-layer attacks (e.g., SQL injection, XSS) at Layer 7, which an API gateway is not designed to perform. Option C is wrong because an API gateway does not allow direct database access to services; it routes requests to microservices, which themselves should access databases through controlled interfaces, not directly expose databases to clients.

375
Multi-Selecteasy

Which TWO of the following are valid reasons to implement network segmentation?

Select 2 answers
A.To isolate sensitive data and systems from the rest of the network.
B.To eliminate single points of failure.
C.To contain broadcast traffic and improve performance.
D.To reduce network latency.
E.To simplify routing tables.
AnswersA, C

Limits exposure of critical assets.

Why this answer

Network segmentation isolates sensitive data and systems by creating separate broadcast domains or VLANs, restricting unauthorized access and lateral movement. This is a core security principle for protecting critical assets, as it limits the attack surface and enforces access controls between segments.

Exam trap

The trap here is that candidates confuse network segmentation with performance optimization techniques like load balancing or redundancy, leading them to incorrectly select options that address latency or fault tolerance rather than the primary security and broadcast containment benefits.

Page 4

Page 5 of 8

Page 6

All pages