Certified Information Systems Security Professional CISSP (CISSP) — Questions 376450

529 questions total · 8pages · All types, answers revealed

Page 5

Page 6 of 8

Page 7
376
MCQmedium

During an incident, a forensic analyst needs to preserve volatile data from a live Windows server. Which command should be used first to collect memory and network connection information?

A.Run ipconfig /all
B.Run tasklist /v
C.Use a forensic tool to capture the contents of RAM
D.Perform a clean shutdown
AnswerC

Memory is the most volatile data.

Why this answer

Option C is correct because volatile data, such as the contents of RAM, is lost when the system is powered off. Capturing RAM first preserves critical evidence like running processes, network connections, and encryption keys. Network connection information can be extracted from the memory dump, so a dedicated forensic tool (e.g., FTK Imager, WinPmem) is the priority before any command-line queries that alter system state.

Exam trap

The trap here is that candidates often choose ipconfig or tasklist because they are familiar Windows commands, but they fail to recognize that these commands do not capture the most volatile data (RAM) and can alter the system state, violating the order of volatility.

How to eliminate wrong answers

Option A is wrong because ipconfig /all only displays static network configuration (IP addresses, DNS servers) and does not capture volatile memory or active network connections; it also modifies the system state minimally but is not the first priority. Option B is wrong because tasklist /v lists running processes but does not capture memory contents or network connections, and it can alter the state of the system by interacting with the process list. Option D is wrong because performing a clean shutdown destroys all volatile data in RAM, including network connections and process information, which is the opposite of preservation.

377
Multi-Selectmedium

A security team is planning to conduct a social engineering test as part of an organization's security assessment. Which THREE of the following should be included in the test plan to ensure ethical and legal compliance?

Select 3 answers
A.Obtain explicit written consent from management
B.Use real personal information of targets
C.Have a stop word or abort mechanism
D.Define clear scope and boundaries
E.Include all employees without exceptions
AnswersA, C, D

Written consent provides legal authorization and clarifies expectations.

Why this answer

Option A is correct because explicit written consent from management is a foundational ethical and legal requirement for social engineering tests. Without documented authorization, the test could be construed as unauthorized access or harassment, violating laws such as the Computer Fraud and Abuse Act (CFAA) or GDPR. This consent ensures the test is conducted under the organization's official risk management framework and provides legal protection for the testers.

Exam trap

The trap here is that candidates may think 'obtain consent' is optional if the test is internal, or they may confuse 'informed consent' with 'blanket approval' and fail to recognize that explicit written consent from management is mandatory to avoid legal and ethical violations.

378
MCQmedium

Refer to the exhibit. What type of attack is indicated by the logs?

A.Malware infection
B.Privilege escalation
C.Denial of service
D.Brute force attack on root
AnswerD

Multiple failed root logins from same IP.

Why this answer

The logs show repeated SSH authentication attempts with the username 'root' from the same source IP, incrementing the failed password count until success is recorded. This pattern of sequential login attempts against a single privileged account is the hallmark of a brute force attack targeting the root user.

Exam trap

The trap here is that candidates may confuse a brute force attack with a denial of service because repeated failed logins can appear to 'overwhelm' the authentication system, but the key differentiator is the intent and pattern—guessing credentials versus exhausting resources.

How to eliminate wrong answers

Option A is wrong because malware infection would typically show indicators like file downloads, unusual process execution, or outbound connections to command-and-control servers, not repeated authentication attempts. Option B is wrong because privilege escalation involves an authenticated user gaining higher privileges than authorized, whereas these logs show failed logins before any successful authentication occurs. Option C is wrong because a denial of service attack would aim to overwhelm the service or system, not systematically attempt to guess credentials; the logs show normal SSH session establishment and teardown, not resource exhaustion.

379
Drag & Dropmedium

Drag and drop the steps for a disaster recovery (DR) plan activation in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

DR activation: declare, notify, failover, restore, test and resume.

380
MCQmedium

A security engineer is troubleshooting an issue where users are unable to access a web application after being authenticated via OAuth 2.0. The users receive a 403 Forbidden error. The application logs show that the access token is valid but does not contain the required scope. What is the most likely cause?

A.The resource server is configured to expect a different token type.
B.The client application is not using HTTPS to transmit the token.
C.The access token expired before being presented to the resource server.
D.The authorization server did not grant the requested scope due to user consent settings.
AnswerD

The token lacks the required scope, so the resource server denies access.

Why this answer

The 403 Forbidden error indicates the resource server received a valid access token but denied access because the token lacks the necessary scope. In OAuth 2.0, the authorization server issues tokens based on the scope granted by the user during consent. If the user did not consent to the required scope (e.g., 'write' instead of 'read'), the token will not include it, causing the resource server to reject the request despite the token being valid.

Exam trap

The trap here is confusing token validity (which is about signature, expiration, and issuer) with token authorization (which is about scope); candidates often assume a valid token guarantees access, but OAuth 2.0 separates authentication from authorization, and scope is the key authorization attribute.

How to eliminate wrong answers

Option A is wrong because the resource server validates the token type (e.g., Bearer) via the token's 'typ' header or introspection endpoint; a mismatch would cause a different error (e.g., 401 Unauthorized), not a scope-related 403. Option B is wrong because HTTPS is a transport-layer security requirement; transmitting the token over HTTP could lead to interception but does not affect the token's scope content, and the error is specifically about missing scope, not token theft. Option C is wrong because an expired token would result in a 401 Unauthorized error (or a token refresh request), not a 403 Forbidden; the logs explicitly state the token is valid, ruling out expiration.

381
Drag & Dropmedium

Drag and drop the steps for implementing a digital signature using asymmetric cryptography in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Digital signatures involve hashing the message, encrypting the hash with the private key, attaching, then verifying with the public key.

382
Multi-Selecthard

Which THREE of the following are valid countermeasures to prevent SQL injection vulnerabilities? (Select exactly 3.)

Select 3 answers
A.Using parameterized queries or prepared statements
B.Implementing strict input validation on user-supplied data
C.Encoding output to the user
D.Hashing the input before insertion into the database
E.Using stored procedures with explicit parameter definitions
AnswersA, B, E

Parameterized queries prevent malicious input from altering SQL structure.

Why this answer

Options A, B, and D are correct. Parameterized queries separate code from data, stored procedures can be written securely, and input validation limits harmful characters. Option C is wrong because output encoding does not prevent injection at the database layer.

Option E is wrong because hashing would break the query logic.

383
Multi-Selectmedium

Which TWO are common techniques to defend against VLAN hopping attacks? (Choose two.)

Select 2 answers
A.Disable DTP
B.Enable BPDU Guard
C.Use Private VLANs
D.Enable Port Security
E.Set access ports as static VLAN
AnswersA, E

DTP can be exploited to negotiate a trunk, enabling hopping.

Why this answer

Disabling Dynamic Trunking Protocol (DTP) on all switch ports prevents interfaces from automatically negotiating trunk links, which is the primary vector for VLAN hopping attacks. By setting ports to 'switchport mode access' and disabling DTP with 'switchport nonegotiate', an attacker cannot trick the switch into forming a trunk and gain access to traffic from multiple VLANs.

Exam trap

ISC2 often tests the distinction between DTP-related defenses (disabling DTP, setting static access) and other Layer 2 security features like BPDU Guard or Port Security, leading candidates to confuse STP or MAC-based protections with VLAN hopping countermeasures.

384
MCQhard

Refer to the exhibit. A security administrator is reviewing CloudTrail logs for unusual activity. Which aspect of this event is potentially concerning from a key management perspective?

A.The event is read-only and thus not a security concern.
B.The message type is DIGEST, which is unusual for signing.
C.The user agent indicates the request came from AWS Signer using a customer-managed key, which may violate key usage policies.
D.The signing algorithm used is outdated.
AnswerC

AWS Signer typically uses AWS managed keys; using a CMK could be unauthorized.

Why this answer

The event shows a KMS Sign operation using a CMK. The user agent is 'signer.amazonaws.com', which is the AWS Signer service. AWS Signer typically uses its own managed keys.

The use of a customer-managed key (CMK) by Signer could indicate that the key is being used outside of its intended purpose or policy, potentially violating key usage restrictions. Also, the source IP is from outside AWS (public IP) which might be unusual if the key is restricted to VPC endpoints.

385
Multi-Selectmedium

Which TWO of the following are secure coding practices to prevent buffer overflow vulnerabilities? (Select TWO.)

Select 2 answers
A.Perform bounds checking on array indices and pointers
B.Use dynamic memory allocation for all buffers
C.Enable Address Space Layout Randomization (ASLR)
D.Use bounded string functions (e.g., strncpy instead of strcpy)
E.Deallocate memory after use
AnswersA, D

Bounds checking ensures memory accesses are within allocated space.

Why this answer

Bounds checking ensures that array indices and pointers do not reference memory outside the allocated buffer, directly preventing the overwrite of adjacent memory that leads to buffer overflows. This is a fundamental defensive coding practice that validates all input and index values before use.

Exam trap

The trap here is that candidates confuse system-level mitigations (like ASLR) or memory management practices (like deallocation) with actual secure coding practices that prevent the vulnerability from being written into the code.

386
MCQmedium

An organization's risk assessment identified a vulnerability in a legacy system that cannot be patched because the vendor no longer supports it. The system processes sensitive customer data and is critical for daily operations. The risk is rated as high likelihood and high impact. The organization has a moderate risk appetite. Which risk treatment is most appropriate?

A.Transfer the risk through cyber insurance
B.Avoid the risk by decommissioning the system
C.Accept the risk
D.Mitigate by implementing compensating controls
AnswerD

Compensating controls reduce risk to an acceptable level while allowing business operations to continue.

Why this answer

Since the system cannot be replaced immediately, implementing compensating controls (e.g., network segmentation, strict access controls, monitoring) reduces the risk to an acceptable level. Accepting a high risk is not advisable when it exceeds appetite. Cyber insurance does not protect against data breach consequences adequately.

Decommissioning would disrupt critical operations.

387
Multi-Selectmedium

Which TWO of the following are key principles for designing an effective Security Operations Center (SOC)?

Select 2 answers
A.Applying least privilege to all user accounts
B.Ensuring separation of duties among analysts
C.Using defense-in-depth strategies across layers
D.Automating routine investigation tasks
E.Implementing centralized logging for all devices
AnswersB, C

Separation of duties prevents conflict of interest and reduces collusion risk.

Why this answer

Option B (Separation of duties) and Option D (Defense in depth) are correct because they reduce risk of single points of failure and provide layered security. Option A (Centralized logging) is important but not a principle per se; Option C (Least privilege) is a separate concept; Option E (Automation) is a tactic, not a core principle.

388
MCQhard

A company is merging with another and must integrate security policies. What is the first step?

A.Conduct a gap analysis
B.Train all employees
C.Create a new policy
D.Adopt the stricter policy
AnswerA

Essential first step to understand current state.

Why this answer

A gap analysis identifies differences and overlaps between the two companies' policies, informing the integration plan. Adopting the stricter policy may cause disruption. Creating a new policy without understanding existing ones is premature.

Training comes after integration.

389
MCQeasy

A financial services company is migrating its customer relationship management (CRM) system to a public cloud provider. The CRM contains personally identifiable information (PII) and financial transaction records. The security architect must design a solution that ensures data confidentiality and integrity both at rest and in transit, while complying with PCI DSS requirements. The cloud provider offers a key management service (KMS) that can generate and store encryption keys, a hardware security module (HSM) in the cloud, and a certificate authority for TLS certificates. The architect needs to select the appropriate encryption methods and access controls. The company's security policy requires encryption keys to be rotated every 90 days and stored separately from the data. The cloud provider's KMS supports automatic key rotation, but the HSM requires manual intervention. The CRM application uses a database that supports transparent data encryption (TDE) with keys stored in the KMS, and the application also requires TLS for all network connections. Which course of action best meets all requirements?

A.Use the cloud provider's KMS to generate and store the database encryption key, disable automatic rotation, and manually rotate it every 90 days. Use a self-signed certificate for TLS to save costs.
B.Use the cloud provider's KMS to generate and store the database encryption key with automatic rotation, and use a certificate from a third-party CA for TLS. Store the KMS key in a separate account and region from the database.
C.Use the cloud HSM to generate and store the database encryption key, manually rotate it every 90 days, and use a certificate from the cloud provider's CA for TLS. Store the HSM key in a different region from the database.
D.Use the cloud provider's KMS to generate and store the database encryption key, enable automatic key rotation, and use a separate KMS-managed key for TLS certificates. Store all keys in the same KMS region as the database.
AnswerB

Automatic rotation meets the 90-day policy, separate account and region ensure key separation, and third-party CA provides proper trust for TLS.

Why this answer

Option D is correct because it uses the KMS with automatic key rotation (meeting the 90-day rotation requirement), stores the key in a separate account and region from the data (satisfying the separation requirement), and uses a third-party CA for TLS (providing strong trust and compliance). Option A stores the key in the same region, violating separation. Option B uses manual rotation, which is error-prone and may not meet the automation expectation.

Option C uses self-signed certificates, which do not provide the trust required for external connections and disables automatic rotation, adding manual overhead.

390
MCQhard

A company is designing secure boot for IoT devices to ensure only trusted firmware runs. The devices have limited resources. Which mechanism provides the highest assurance of boot integrity?

A.Use a software-based integrity check that runs after boot.
B.Set a BIOS password to prevent unauthorized changes.
C.Use a TPM to measure boot components and compare to stored hashes.
D.Implement full disk encryption (FDE).
AnswerC

TPM provides hardware-based integrity measurement and storage.

Why this answer

Option C is correct because a Trusted Platform Module (TPM) provides hardware-rooted trust by measuring each boot component (e.g., BIOS, bootloader, OS kernel) and storing the measurements in Platform Configuration Registers (PCRs). These measurements are compared against known-good hashes stored in the TPM, ensuring that any tampering with firmware is detected before execution. This offers the highest assurance for resource-constrained IoT devices as it relies on immutable hardware rather than software-based checks.

Exam trap

The trap here is that candidates often confuse integrity verification (ensuring code hasn't been tampered with) with confidentiality protections (like encryption) or access controls (like passwords), leading them to pick full disk encryption or BIOS passwords instead of the hardware-based attestation provided by a TPM.

How to eliminate wrong answers

Option A is wrong because a software-based integrity check that runs after boot cannot prevent malicious code from already executing; it is a post-boot verification that assumes the system is already compromised, violating the chain of trust. Option B is wrong because a BIOS password only controls access to BIOS settings, not the integrity of the firmware itself; it can be bypassed by resetting CMOS or using default passwords, and does not verify that the firmware has not been modified. Option D is wrong because full disk encryption (FDE) protects data at rest but does not verify the integrity of the boot process or firmware; an attacker could replace the bootloader with a malicious one that still decrypts the disk, leaving the system vulnerable.

391
MCQhard

Refer to the exhibit. The PAM configuration shows pam_tally2.so with deny=5 and unlock_time=300. What is the effect of this configuration?

A.The account is disabled after 5 successful logins
B.Passwords must be changed every 5 days
C.Users are locked out after 5 failed login attempts, and automatically unlocked after 5 minutes
D.Users are locked out after 5 failed attempts until manually unlocked
AnswerC

deny=5 means lock after 5 failures; unlock_time=300 means 300 seconds (5 minutes).

Why this answer

Option C is correct because pam_tally2.so with deny=5 locks the user account after 5 failed authentication attempts, and unlock_time=300 sets the automatic unlock period to 300 seconds (5 minutes). This is a standard PAM (Pluggable Authentication Modules) configuration for account lockout policies, commonly used on Linux systems to mitigate brute-force attacks.

Exam trap

The trap here is that candidates confuse pam_tally2.so with password aging or account disablement features, or assume that unlock_time=300 means manual unlock is required, when in fact it specifies automatic unlock after 300 seconds.

How to eliminate wrong answers

Option A is wrong because pam_tally2.so tracks failed logins, not successful logins; disabling after successful logins would be a different mechanism (e.g., account expiration). Option B is wrong because password aging (e.g., 5-day change interval) is configured via pam_unix.so or pam_cracklib.so, not pam_tally2.so. Option D is wrong because unlock_time=300 specifies automatic unlocking after 300 seconds, not manual intervention; manual unlock would require a separate configuration (e.g., pam_tally2.so without unlock_time or with a very high value).

392
MCQmedium

An organization is designing a disaster recovery site. The primary data center is located in a region prone to earthquakes. The recovery site must be far enough away to avoid the same seismic zone but close enough to minimize latency. Which site selection criteria is most important?

A.Access to diverse power grids
B.Geographical diversity to avoid the same seismic zone
C.High-speed network connectivity between sites
D.Availability of skilled personnel near the recovery site
AnswerB

Prevents a single earthquake from disabling both sites.

Why this answer

Geographical diversity (Option B) is the most important criterion because the primary data center is in an earthquake-prone region, and the recovery site must be located outside the same seismic zone to ensure that a single seismic event does not destroy both sites. This directly addresses the core requirement of disaster recovery: maintaining availability during a regional catastrophe. While latency and connectivity are important, they are secondary to ensuring the recovery site survives the same disaster.

Exam trap

The trap here is that candidates often prioritize network connectivity (Option C) or power diversity (Option A) because they are common in high-availability design, but the question explicitly states the primary risk is a regional earthquake, making geographic diversity the non-negotiable requirement.

How to eliminate wrong answers

Option A is wrong because access to diverse power grids, while beneficial for power redundancy, does not protect against the physical destruction caused by an earthquake; the site could still be in the same seismic zone and be destroyed. Option C is wrong because high-speed network connectivity between sites, though important for data replication and low latency, is irrelevant if both sites are rendered inoperable by the same earthquake. Option D is wrong because availability of skilled personnel near the recovery site is a staffing consideration, not a site selection criterion that mitigates the risk of a single seismic event destroying both locations.

393
MCQmedium

A company wants to test the effectiveness of its security controls without causing disruption. Which type of assessment is most appropriate?

A.Penetration test
B.Security audit
C.Vulnerability scan
D.Red team exercise
AnswerC

Vulnerability scanning assesses systems passively without exploitation, minimizing disruption.

Why this answer

A vulnerability scan is the most appropriate assessment because it passively identifies known vulnerabilities (e.g., missing patches, misconfigurations) without exploiting them, ensuring no disruption to production systems. Unlike active exploitation tests, vulnerability scanners use non-intrusive probes (e.g., banner grabbing, version fingerprinting) that do not trigger denial-of-service or system crashes. This aligns with the requirement to test control effectiveness while maintaining operational stability.

Exam trap

ISC2 often tests the distinction between passive identification (vulnerability scan) and active exploitation (penetration test), where candidates mistakenly choose penetration test because they think it provides a more thorough assessment, ignoring the explicit 'without causing disruption' constraint.

How to eliminate wrong answers

Option A is wrong because a penetration test involves active exploitation of vulnerabilities, which can cause service disruptions (e.g., buffer overflows, resource exhaustion) and is not suitable when the primary goal is to avoid disruption. Option B is wrong because a security audit focuses on verifying compliance with policies, standards, or regulations (e.g., ISO 27001) through document review and interviews, not on actively testing technical control effectiveness against real-world threats. Option D is wrong because a red team exercise is a full-scope adversarial simulation that includes social engineering, physical breaches, and aggressive exploitation, often causing significant operational disruption and alerting defenders, contradicting the 'without causing disruption' requirement.

394
MCQeasy

During a code review, a developer notices that an application directly concatenates user input into SQL queries. Which type of vulnerability does this represent?

A.Cross-site scripting (XSS)
B.Cross-site request forgery (CSRF)
C.Buffer overflow
D.SQL injection
AnswerD

Concatenating user input into SQL queries allows an attacker to modify the query structure.

Why this answer

Option B is correct because direct concatenation of user input into SQL queries is a classic SQL injection vulnerability. Option A is wrong because XSS involves injecting scripts into web pages. Option C is wrong because CSRF relies on tricking a user's browser.

Option D is wrong because buffer overflow is a memory corruption issue.

395
MCQmedium

Refer to the exhibit. A user in the 10.1.0.0/16 range attempts to retrieve the object s3://example-bucket/secret/top_secret.pdf. What will be the result?

A.The request is denied because the first statement allows but the second denies.
B.The request is allowed because the Deny statement only applies to the secret prefix, and the IP condition is satisfied for the user in 10.1.0.0/16.
C.The request is allowed because the first statement matches and allows.
D.The request is denied because the condition in the first statement does not match the IP range.
AnswerD

The Allow is not triggered, and the Deny applies.

Why this answer

Option D is correct because the first statement in the policy has a condition that restricts access to requests originating from the IP range 10.2.0.0/16. Since the user is in the 10.1.0.0/16 range, the condition is not satisfied, so the first statement does not apply. Without an explicit Allow that matches the request, the default implicit Deny takes effect, resulting in the request being denied.

Exam trap

The trap here is that candidates assume the first statement's Allow applies globally without checking the IP condition, leading them to think the Deny in the second statement is the deciding factor, when in fact the Allow never matched due to the condition failure.

How to eliminate wrong answers

Option A is wrong because it misinterprets the policy evaluation logic: the first statement does not apply due to the IP condition mismatch, so there is no Allow to override; the Deny in the second statement is irrelevant because the request is already denied by default. Option B is wrong because it incorrectly assumes the Deny statement applies only to the secret prefix, but the Deny is unconditional for s3://example-bucket/secret/*; however, the request is denied earlier due to the lack of a matching Allow. Option C is wrong because the first statement does not match the request since the IP condition requires the source to be in 10.2.0.0/16, not 10.1.0.0/16.

396
Multi-Selectmedium

Which THREE of the following are valid methods for securely disposing of magnetic hard drives?

Select 3 answers
A.Deleting files and emptying recycle bin
B.Physical shredding
C.Overwriting with random data (multiple passes)
D.Degaussing
E.Quick formatting
AnswersB, C, D

Destroys platters.

Why this answer

Physical shredding (B) destroys the platters, making data recovery impossible regardless of the magnetic state. This is a valid method for secure disposal because it physically prevents any read/write head from accessing the data.

Exam trap

The trap here is that candidates often confuse logical deletion (A, E) with secure erasure, or assume that multiple overwrites are always required, when in fact degaussing and physical destruction are the only methods that guarantee data is irrecoverable from magnetic media.

397
MCQhard

In a microservices architecture with a service mesh, what is the most effective approach to secure inter-service communication?

A.Segment services into separate VLANs without encryption
B.Use TLS only for all communication
C.Implement mutual TLS (mTLS) and identity-based access policies
D.Rely on API keys in the request headers
AnswerC

mTLS provides strong authentication and encryption per request.

Why this answer

Option A is correct because mutual TLS (mTLS) with identity-based policies authenticates and encrypts each service-to-service call. Option B is wrong because TLS alone does not authenticate the caller. Option C is wrong because API keys are less secure and harder to manage at scale.

Option D is wrong because network segmentation without encryption does not protect against eavesdropping.

398
MCQhard

A company develops a web application using microservices architecture deployed on Kubernetes. The security team identifies that the application is vulnerable to injection attacks because user input is concatenated into SQL queries. The development team wants to implement a fix quickly. They propose using parameterized queries, but the database access layer currently uses stored procedures. The team considers modifying the stored procedures to accept parameters and using prepared statements in the code. However, the operations team is concerned about performance impact. Which of the following is the BEST course of action?

A.Use parameterized queries immediately without modifying stored procedures.
B.Implement both parameterized queries and modify stored procedures to use parameters, and then monitor performance.
C.Modify stored procedures to use dynamic SQL with input validation.
D.Use input validation only, as stored procedures inherently prevent injection.
AnswerB

This provides defense in depth and allows performance assessment before full rollout.

Why this answer

Option C is correct because it addresses the vulnerability through both parameterized queries and parameterized stored procedures, then monitors performance to address the operations team's concern. Option A is wrong because parameterized queries alone may not protect if the stored procedures still concatenate input. Option B is wrong because dynamic SQL within stored procedures can still be vulnerable to injection.

Option D is wrong because input validation alone is not sufficient to prevent injection; stored procedures without parameterization can still be vulnerable.

399
MCQmedium

An organization uses a data loss prevention (DLP) system to monitor outbound emails. Which data classification type would the DLP most likely use to detect sensitive information leaving the network?

A.Context-based classification
B.Content-based classification
C.User-based classification
D.Role-based classification
AnswerB

Content-based DLP scans for patterns and data content to detect sensitive information.

Why this answer

Content-based classification inspects the actual data within outbound emails—such as credit card numbers, social security numbers, or other regex-defined patterns—to detect sensitive information. DLP systems rely on content analysis (e.g., regular expressions, exact data matching, or fingerprinting) to identify and block policy violations, making this the correct classification type for detecting sensitive data leaving the network.

Exam trap

ISC2 often tests the distinction between context-based and content-based classification, where candidates mistakenly choose context-based because they confuse 'monitoring outbound emails' with analyzing sender/recipient metadata rather than the actual data content.

How to eliminate wrong answers

Option A is wrong because context-based classification examines metadata like sender, recipient, or time of transmission, not the actual data payload, so it cannot detect sensitive content within the email body or attachments. Option C is wrong because user-based classification assigns sensitivity based on the user's identity or group membership, but it does not inspect the content of the email itself, making it insufficient for DLP detection of specific data patterns. Option D is wrong because role-based classification uses job roles to determine data access rights, but it does not analyze the content of outbound messages, so it cannot identify sensitive information in transit.

400
MCQhard

Refer to the exhibit. An organization has a lawsuit requiring preservation of all records related to a customer dispute from 2018. Which data set must be preserved beyond its scheduled retention?

A.Email logs from 2018
B.Payment card data from 2018 transactions
C.All of the above
D.Customer records from 2018 accounts that are still open
AnswerC

Legal hold applies to all relevant data, overriding retention schedules.

Why this answer

Option C is correct because a legal hold overrides any scheduled retention policy. The lawsuit requires preservation of all records related to the 2018 customer dispute, which includes email logs (for communication evidence), payment card data (for transaction records), and customer records (for account details). Under eDiscovery rules (FRCP Rule 26), any data set that may contain relevant information must be preserved, even if its normal retention period has expired.

Exam trap

The trap here is that candidates often assume only the most obvious data set (e.g., customer records) needs preservation, but the legal hold applies to all data sets that could contain relevant information, including logs and payment data, regardless of their normal retention schedules.

How to eliminate wrong answers

Option A is wrong because email logs from 2018 are directly relevant to the dispute (e.g., communications with the customer) and must be preserved under the legal hold, so they are not exempt. Option B is wrong because payment card data from 2018 transactions is relevant to the financial aspect of the dispute and must be preserved, even if PCI DSS retention schedules would normally allow deletion. Option D is wrong because customer records from 2018 accounts that are still open are also subject to the legal hold; the fact that the account is still open does not exclude it from preservation—the hold applies to all records related to the dispute, regardless of account status.

401
MCQmedium

A network engineer is configuring 802.1X authentication for wired network access. The authentication server supports EAP-TLS. What must be deployed to clients to support this authentication method?

A.Client certificate
B.Server certificate
C.RADIUS server
D.Shared secret
AnswerA

EAP-TLS requires both client and server certificates for mutual authentication.

Why this answer

EAP-TLS requires mutual authentication using digital certificates on both the client and the server. The client must present a certificate to prove its identity to the authentication server, which is validated against a trusted root CA. Without a client certificate, EAP-TLS cannot establish the TLS tunnel, as it relies on certificate-based client authentication per RFC 5216.

Exam trap

ISC2 often tests the distinction between what is deployed to clients versus the infrastructure; candidates mistakenly choose 'server certificate' because they know TLS requires certificates, but forget that EAP-TLS mandates client certificates for mutual authentication.

How to eliminate wrong answers

Option B is wrong because a server certificate is already required by the authentication server (RADIUS) for EAP-TLS, but the question asks what must be deployed to clients, not the server. Option C is wrong because a RADIUS server is the authentication server itself, not something deployed to clients; clients communicate with the RADIUS server via the authenticator (switch). Option D is wrong because a shared secret is used between the authenticator (switch) and the RADIUS server for secure communication, not between the client and the authentication server in EAP-TLS.

402
MCQmedium

A financial institution must retain customer transaction records for 7 years. After that, what is the most appropriate action?

A.Degauss and physically destroy
B.Securely delete using overwriting
C.Transfer to a third-party storage vendor
D.Archive to tape for additional redundancy
AnswerB

Overwriting renders data unrecoverable, meeting disposal requirements.

Why this answer

After the 7-year retention period, the most appropriate action is to securely delete the records using overwriting. This ensures that the data is irrecoverable while maintaining compliance with data disposal policies. Overwriting with multiple passes (e.g., using the Gutmann method or DoD 5220.22-M standard) prevents data remanence, which is critical for financial records.

Exam trap

The trap here is that candidates often confuse 'secure deletion' with 'physical destruction' or 'archiving,' failing to recognize that after the retention period, the primary goal is to eliminate the data securely, not to preserve or transfer it.

How to eliminate wrong answers

Option A is wrong because degaussing and physical destruction are excessive for digital records that only need secure deletion; degaussing destroys the magnetic media entirely, which is unnecessary and may not be feasible for all storage types (e.g., SSDs). Option C is wrong because transferring to a third-party storage vendor does not address the requirement to dispose of the data after retention; it merely shifts custody, which could lead to compliance violations. Option D is wrong because archiving to tape for additional redundancy retains the data beyond the required period, violating the retention policy and increasing legal and security risks.

403
MCQhard

During a merger, the security teams of two companies are integrating their networks. The acquiring company has a high-security classification system (e.g., Top Secret, Secret, Confidential), while the acquired company uses a lower classification (e.g., Internal, Public). Which approach best ensures secure data handling during integration?

A.Maintain separate classification systems for each company
B.Create a new classification system for the merged entity
C.Apply the lower classification level to all data to simplify integration
D.Apply the higher of the two classification levels to all data
AnswerB

While this may be ideal long-term, immediate integration requires using the higher classification to avoid data leaks. However, the question asks for 'best ensures secure data handling during integration' – a new system takes time and may not be immediately effective. The correct answer should be applying the higher classification. I will fix the correct answer to A and adjust explanations.

Why this answer

Applying the higher classification to all data prevents inadvertent disclosure by ensuring the most restrictive controls are used. Maintaining separate systems or using the lower classification creates risk of data leakage.

404
Matchingmedium

Match each OSI layer to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Frames and MAC addressing

Routing and logical addressing

End-to-end reliability and segmentation

User interface and application services

Why these pairings

The OSI model layers provide standard network functions.

405
MCQeasy

Refer to the exhibit. What is the effect of this ACL when applied inbound to an interface?

A.All traffic is denied
B.Only traffic from host 10.1.1.2 to port 80 is denied, all other traffic permitted
C.Traffic from host 10.1.1.2 to port 80 is denied, but others allowed
D.All traffic to port 80 is denied
AnswerC

Correct. The first line denies 10.1.1.2 to port 80; the second permits others to port 80.

Why this answer

Option C is correct because the ACL explicitly denies traffic from host 10.1.1.2 to any destination on TCP port 80, and then permits all other IP traffic. Since the ACL is applied inbound, it filters traffic before routing, and the implicit deny at the end only blocks traffic that does not match any permit statement. Thus, only the specific host-to-port-80 traffic is denied, and all other traffic is permitted.

Exam trap

The trap here is that candidates often forget the implicit deny at the end of an ACL and mistakenly think the deny entry blocks all traffic to port 80, or they misread the order and assume the permit ip any any does not override the deny for other sources.

How to eliminate wrong answers

Option A is wrong because the ACL contains a permit ip any any statement, which explicitly allows all traffic not matching the deny entry, so not all traffic is denied. Option B is wrong because it states 'only traffic from host 10.1.1.2 to port 80 is denied, all other traffic permitted,' which is actually the same as option C; however, the phrasing 'only' is misleading—the ACL denies traffic from host 10.1.1.2 to port 80, but it does not deny traffic from other hosts to port 80, so option B is technically incorrect because it implies exclusivity that is not present in the ACL logic. Option D is wrong because the ACL only denies traffic from host 10.1.1.2 to port 80, not all traffic to port 80 from any source.

406
MCQmedium

A hospital is implementing an access control system for its electronic health record (EHR) application. The system must ensure that only authorized healthcare providers can access patient records based on their role (doctor, nurse, administrator), department (cardiology, oncology, etc.), and patient consent status. The hospital also needs to support break-the-glass access for emergencies. The current solution uses static role-based access control (RBAC) but fails to enforce department-level restrictions and consent checks. What is the most appropriate access control model to address these requirements?

A.Enhance the existing RBAC model with more granular roles for each department
B.Use mandatory access control (MAC) with security labels per patient record
C.Implement an attribute-based access control (ABAC) system
D.Apply discretionary access control (DAC) allowing providers to set access permissions
AnswerC

ABAC can evaluate multiple attributes and support dynamic policies like consent and emergency access.

Why this answer

Attribute-based access control (ABAC) is the correct choice because it can dynamically evaluate multiple attributes—such as user role, department, patient consent status, and emergency context—to grant or deny access. Unlike static RBAC, ABAC supports fine-grained, context-aware policies that can enforce department-level restrictions and consent checks, and it can incorporate break-the-glass rules by evaluating an emergency attribute or time-based condition.

Exam trap

The trap here is that candidates often assume RBAC can be extended with more roles to cover all requirements, but they miss that RBAC cannot dynamically evaluate multi-attribute conditions like consent status or emergency context without becoming unmanageable, whereas ABAC is designed for exactly such fine-grained, attribute-driven policies.

How to eliminate wrong answers

Option A is wrong because simply adding more granular roles to RBAC would still result in a static, role-based model that cannot evaluate dynamic attributes like patient consent status or emergency context; it would require an explosion of roles (e.g., 'Cardiology-Nurse-ConsentYes') that is impractical and does not support break-the-glass. Option B is wrong because MAC uses fixed security labels (e.g., classification levels) assigned by a central authority and cannot dynamically enforce consent status or department-specific rules based on user attributes; it is designed for confidentiality hierarchies, not fine-grained, multi-attribute policies. Option D is wrong because DAC allows data owners (e.g., individual providers) to set permissions, which violates the hospital's need for centralized, policy-driven enforcement of department and consent restrictions and would introduce security inconsistencies and potential unauthorized sharing.

407
MCQhard

A security assessment reveals that a web application uses client-side input validation exclusively. What is the most likely security risk?

A.Attacker can inject malicious scripts that execute on the client side.
B.An attacker can submit malicious data directly to the server without client-side constraints.
C.The application will have poor user experience due to slow responses.
D.The client-side code can be obfuscated but not decrypted.
AnswerB

Client-side validation only works in the browser; server-side validation is necessary to prevent malicious input.

Why this answer

Option A is correct because client-side validation is easily bypassed by an attacker who sends requests directly to the server. Option B is wrong because usability is not a security risk. Option C is wrong while client-side can be tampered; the core risk is missing server-side validation.

Option D is wrong because XSS is typically mitigated by output encoding, not input validation.

408
MCQmedium

A security engineer is designing an API that handles sensitive customer data. The engineer wants to ensure that only authorized clients can access the API, and that requests are not tampered with in transit. Which approach best addresses both requirements?

A.Enforcing TLS for all communications
B.Requiring a digital signature using HMAC on each request
C.Implementing OAuth 2.0 with Bearer tokens over HTTPS
D.Using API keys transmitted in the request header
AnswerC

OAuth 2.0 provides delegated authorization, and HTTPS ensures confidentiality and integrity of tokens and data.

Why this answer

Option D is correct because OAuth 2.0 provides authorization (access tokens) and when used over HTTPS, ensures integrity and confidentiality. Option A is wrong because API keys alone provide authentication but not tamper protection. Option B is wrong because TLS provides encryption but not authorization.

Option C is wrong because HMAC provides integrity but not authorization.

409
Multi-Selecthard

Which THREE of the following are primary objectives of a risk management program?

Select 3 answers
A.Eliminate all risks
B.Identify assets
C.Protect critical assets
D.Ensure compliance
E.Achieve risk appetite
AnswersB, C, E

Asset identification is foundational to risk management.

Why this answer

The primary objectives include identifying assets, protecting critical assets, and achieving risk appetite. Eliminating all risks is impossible, and compliance is a secondary benefit, not a primary objective.

410
MCQhard

An organization's backup strategy includes daily full backups and hourly incremental backups. The system suffers a ransomware attack that encrypts all data. Which backup set is essential to restore the most recent clean state?

A.The last full backup plus all incremental backups after that
B.The last full backup plus the last incremental backup
C.The last full backup only
D.The last incremental backup only
AnswerA

Provides the most recent clean state by applying all increments.

Why this answer

To restore the most recent clean state after a ransomware attack, you need the last full backup as the base and all subsequent incremental backups to apply every change made up to the moment before the attack. Incremental backups capture only data changed since the last backup (full or incremental), so skipping any breaks the chain and results in data loss. Option A correctly includes the full backup and every incremental backup after it, ensuring a complete restoration to the latest point before encryption.

Exam trap

The trap here is that candidates confuse incremental backups with differential backups, mistakenly thinking only the last incremental is needed, when in fact incremental backups require the entire chain from the last full backup to restore completely.

How to eliminate wrong answers

Option B is wrong because it omits all intermediate incremental backups between the last full and the last incremental, which would leave the restored data missing changes from those skipped intervals, resulting in an incomplete state. Option C is wrong because a full backup alone restores only the data as of its creation time, losing all changes made by subsequent hourly increments, which is far from the most recent clean state. Option D is wrong because an incremental backup contains only changes since the last backup and cannot be restored without its base full backup and all prior increments in the chain; applying it alone would fail due to missing parent data.

411
MCQhard

An organization uses a siem to collect logs from multiple sources. The security team notices that some events are missing during peak traffic hours. Analysis shows that the log sources are sending data via UDP. What is the most likely cause?

A.Clock skew between sources and SIEM
B.Insufficient SIEM storage capacity
C.UDP packet loss
D.Network bandwidth saturation
AnswerC

UDP does not guarantee delivery; packets can be lost.

Why this answer

UDP is a connectionless, best-effort transport protocol that does not guarantee delivery. During peak traffic hours, network congestion can cause UDP datagrams to be dropped without any retransmission mechanism, leading to missing events in the SIEM. This is the most direct and likely cause given the scenario.

Exam trap

The trap here is that candidates may incorrectly attribute missing events to storage or bandwidth issues, but the question specifically highlights UDP as the transport, which directly implies packet loss due to the protocol's lack of reliability.

How to eliminate wrong answers

Option A is wrong because clock skew would cause timestamp misalignment, not event loss; NTP synchronization is the standard remedy. Option B is wrong because insufficient SIEM storage would cause older data to be rotated out or ingestion to stop, not selective loss during peak hours. Option D is wrong because network bandwidth saturation could cause packet loss, but the specific mention of UDP points to the protocol's lack of reliability as the root cause; bandwidth saturation alone would affect TCP and UDP equally, but TCP would retransmit lost segments.

412
MCQhard

An organization uses a federated identity system with SAML. A new service provider (SP) is added, but users cannot authenticate. The identity provider (IdP) logs show that the SAML response is signed correctly, but the SP rejects it. What is the most likely issue?

A.The SP does not support HTTP-POST binding
B.The IdP's clock is skewed
C.The SAML assertion is not encrypted
D.The user's browser cookies are blocked
E.The SP's metadata is missing the IdP's certificate
AnswerE

Without the IdP's certificate, the SP cannot validate the signature, so it rejects.

Why this answer

Option E is correct because the SP must have the IdP's signing certificate in its metadata to validate the SAML response signature. If the SP's metadata is missing the IdP's certificate, the SP cannot verify the signature, causing it to reject the response even though the IdP logs show it was signed correctly.

Exam trap

The trap here is that candidates confuse signature validation with encryption or assume clock skew is the default issue, but the core problem is missing trust material in the SP's metadata, not cryptographic failures or transport issues.

How to eliminate wrong answers

Option A is wrong because HTTP-POST binding is widely supported and the SP would typically reject the initial request, not a signed response, if it lacked support. Option B is wrong because clock skew would cause the SP to reject the SAML response due to invalid timestamps (NotBefore/NotOnOrAfter), not because of a missing certificate. Option C is wrong because SAML assertion encryption is optional and not required for authentication; the SP can reject a response for missing encryption only if it explicitly requires it, but the question states the response is signed correctly, pointing to a trust issue.

Option D is wrong because blocked browser cookies would prevent session management after authentication, not the initial SAML response validation at the SP.

413
MCQmedium

A healthcare organization uses a custom application to manage patient records. The application uses a database with encrypted columns for sensitive data. The security team discovers that an insider has been copying encrypted data to an external drive. While the data is encrypted, the encryption key is stored in a configuration file accessible to the application. Which additional control would best mitigate this risk?

A.Enable audit logging on the application.
B.Implement role-based access control on the configuration file.
C.Use transparent data encryption (TDE) at the database level.
D.Store the encryption key in a hardware security module (HSM) with access policies.
AnswerD

HSM keeps the key secure and enforces strict access control.

Why this answer

Storing the encryption key in an HSM with access policies ensures the key is never in cleartext accessible to the application or user; it also enforces access controls and auditing. Role-based access on the config file is insufficient because the application still needs to read the key. TDE protects data at rest but does not protect the key.

Auditing is detective, not preventive.

414
MCQhard

An organization with 500 employees operates a hybrid infrastructure with on-premises Active Directory and cloud-based services (Office 365, Azure). The security team receives an alert from the SIEM showing a high number of failed login attempts for a service account named 'svc_backup' from an external IP address. The account has delegated permissions to back up all domain controllers. The attempts are ongoing and fall below the lockout threshold to avoid detection. The team suspects a targeted password spraying attack. The helpdesk reports no recent password changes for this account. The incident response plan requires containment within 15 minutes. The cloud services are integrated with AD via Azure AD Connect. Which of the following actions BEST contains the attack while minimizing operational impact?

A.Block the external IP address at the firewall.
B.Configure Azure AD Conditional Access to require MFA for the account.
C.Disable the svc_backup account in Active Directory and notify the backup team to use an alternate account.
D.Immediately change the password of the svc_backup account.
AnswerC

Directly stops all authentication attempts; least operational impact until a secure replacement is created.

Why this answer

Option C is correct because disabling the compromised service account in Active Directory immediately stops the ongoing password spraying attack, preventing further unauthorized access attempts. This action contains the threat within the 15-minute containment window while minimizing operational impact, as the backup team can switch to an alternate account without disrupting critical backup operations. Disabling the account is faster and more reliable than changing the password, which might not propagate immediately to all domain controllers and cloud services via Azure AD Connect.

Exam trap

The trap here is that candidates may choose to change the password (Option D) thinking it is the fastest containment action, but they overlook the synchronization delay in hybrid environments and the risk of breaking automated processes, whereas disabling the account is the definitive containment step per incident response best practices.

How to eliminate wrong answers

Option A is wrong because blocking the external IP address at the firewall is a temporary measure that does not address the root cause; the attacker can easily switch to a different IP address or proxy, and the compromised account remains active and vulnerable. Option B is wrong because configuring Azure AD Conditional Access to require MFA for the account does not stop the ongoing attack against on-premises Active Directory; the password spraying attempts are targeting the on-premises service account, not cloud authentication, and MFA enforcement would not apply to NTLM or Kerberos authentication used for backup operations. Option D is wrong because immediately changing the password may not propagate quickly enough to all domain controllers and Azure AD via Azure AD Connect (which synchronizes every 30 minutes by default), leaving a window for the attacker to continue; additionally, changing the password could break automated backup scripts that rely on the current password, causing operational disruption.

415
MCQmedium

A security engineer is designing a cryptographic solution to ensure data integrity and non-repudiation. Which combination should be used?

A.HMAC with a shared key
B.Asymmetric encryption with digital signature
C.Digital signature with hashing
D.Symmetric encryption with HMAC
AnswerC

Correct. Digital signatures provide integrity and non-repudiation; hashing ensures integrity.

Why this answer

Digital signature with hashing is the correct combination because hashing ensures data integrity by producing a fixed-size digest, and the digital signature encrypts that hash with the sender's private key, providing non-repudiation by proving the sender's identity and preventing denial of message origin. This satisfies both requirements without relying on a shared secret.

Exam trap

The trap here is that candidates often confuse 'asymmetric encryption' with 'digital signature,' thinking encryption alone provides non-repudiation, but encryption only provides confidentiality, while a digital signature specifically uses the private key for signing (not encryption) to achieve non-repudiation.

How to eliminate wrong answers

Option A is wrong because HMAC with a shared key provides integrity and authentication via a symmetric key, but it does not offer non-repudiation since the shared key could be held by either party, allowing denial of origin. Option B is wrong because asymmetric encryption alone (e.g., RSA encryption) does not inherently provide integrity or non-repudiation; it must be combined with a digital signature, which uses the private key to sign, not encrypt. Option D is wrong because symmetric encryption with HMAC ensures confidentiality and integrity, but non-repudiation is absent because the symmetric key is shared, making it impossible to prove which party created the HMAC.

416
MCQhard

A security analyst observes repeated failed logon attempts from a single IP address against a domain controller. The account lockout policy is set to 5 attempts within 30 minutes. However, after the account is locked, the attack switches to a different username. Which type of attack is most likely occurring?

A.Password spraying attack
B.Brute-force attack
C.Dictionary attack
D.Rainbow table attack
AnswerA

Password spraying tries common passwords across many accounts.

Why this answer

This is a password spraying attack because the attacker attempts a small set of common passwords against many usernames, avoiding account lockout by not exceeding the threshold for any single account. The observed behavior—repeated failed attempts from one IP, then switching usernames after lockout—matches the pattern of password spraying, where the attacker tries one or a few passwords across many accounts rather than many passwords against one account.

Exam trap

The trap here is that candidates confuse password spraying with brute-force or dictionary attacks, failing to recognize that the key differentiator is the attacker's strategy of targeting multiple usernames with a few passwords to evade account lockout thresholds.

How to eliminate wrong answers

Option B (Brute-force attack) is wrong because a brute-force attack tries many passwords against a single username, which would quickly trigger the account lockout policy and not involve switching usernames. Option C (Dictionary attack) is wrong because a dictionary attack uses a list of likely passwords against a single account, again focusing on one username and leading to lockout, not switching targets. Option D (Rainbow table attack) is wrong because rainbow tables are used to crack password hashes offline, not for online authentication attempts against a live domain controller.

417
MCQeasy

A small company with 50 employees operates a flat network where all workstations, servers, and printers are on a single subnet without segmentation. The company recently suffered a ransomware outbreak that spread rapidly from an infected workstation to the file server and multiple other machines, causing significant downtime. The IT manager wants to redesign the network to contain future outbreaks and limit lateral movement. The budget is limited, and the environment uses a mixture of managed and unmanaged switches. Which course of action would BEST mitigate the risk of lateral spread while minimizing cost and complexity?

A.Implement VLANs with ACLs to separate departments and restrict traffic between them.
B.Enable full-disk encryption on all endpoints and servers.
C.Upgrade all endpoint antivirus to the latest version and enable real-time scanning.
D.Deploy a network-based intrusion detection system (IDS) to alert on suspicious traffic.
AnswerA

VLANs create logical segmentation; ACLs enforce policies to allow only necessary traffic, containing outbreaks to one segment.

Why this answer

Implementing VLANs with ACLs segments the flat network into separate broadcast domains, preventing lateral movement by restricting traffic between departments at Layer 2. This directly contains ransomware propagation without requiring new hardware, as VLANs can be configured on existing managed switches, making it cost-effective. ACLs further enforce least-privilege access between VLANs, blocking unauthorized inter-VLAN communication.

Exam trap

The trap here is that candidates often choose endpoint-focused solutions (like antivirus or encryption) because they seem directly related to malware, but the question specifically targets lateral movement containment, which requires network segmentation, not just endpoint protection.

How to eliminate wrong answers

Option B is wrong because full-disk encryption protects data at rest but does not prevent lateral movement or contain ransomware spread across the network. Option C is wrong because upgrading antivirus only improves endpoint detection but does not segment the network, so ransomware can still propagate laterally via SMB or other protocols. Option D is wrong because a network-based IDS only alerts on suspicious traffic after it occurs, lacking proactive containment to stop lateral movement in real time.

418
MCQeasy

Which security model focuses on preventing unauthorized access by enforcing a 'no read up, no write down' rule?

A.Clark-Wilson
B.Bell-LaPadula
C.Biba
D.Brewer-Nash
AnswerB

Correct. Bell-LaPadula is the confidentiality model with no read up and no write down.

Why this answer

The Bell-LaPadula model is a formal state machine model for enforcing access control in government and military systems. Its core rule, 'no read up' (simple security property) and 'no write down' (star property), prevents subjects from reading objects at a higher classification level and from writing to objects at a lower classification level, thereby preventing unauthorized disclosure of sensitive information.

Exam trap

The trap here is that candidates often confuse the Biba model's 'no read down, no write up' integrity rules with Bell-LaPadula's confidentiality rules, leading them to select Biba when the question specifically describes 'no read up, no write down'.

How to eliminate wrong answers

Option A is wrong because the Clark-Wilson model focuses on integrity through well-formed transactions and separation of duty, not on confidentiality or the 'no read up, no write down' rule. Option C is wrong because the Biba model enforces integrity with 'no read down, no write up' rules, which is the inverse of Bell-LaPadula's confidentiality rules. Option D is wrong because the Brewer-Nash (Chinese Wall) model prevents conflicts of interest by dynamically controlling access based on previously accessed datasets, not by enforcing a static 'no read up, no write down' policy.

419
MCQeasy

An organization is migrating from a waterfall to an Agile development methodology. Which of the following is a key security advantage of Agile?

A.Security testing is performed only at the end of the project
B.Security issues can be addressed incrementally throughout development
C.Security requirements are finalized upfront
D.Security documentation is minimized to reduce overhead
AnswerB

Agile's short cycles allow for prompt remediation of security findings.

Why this answer

In Agile development, security testing and remediation are integrated into each iteration (sprint), allowing teams to identify and fix vulnerabilities incrementally rather than waiting until the end. This continuous feedback loop reduces the risk of late-stage security surprises and aligns with the principle of 'shifting left' on security.

Exam trap

The trap here is conflating 'Agile' with 'no documentation' or 'no upfront planning,' when in reality Agile requires disciplined, just-in-time security activities and maintains necessary documentation for compliance and risk management.

How to eliminate wrong answers

Option A is wrong because performing security testing only at the end of the project is a characteristic of the waterfall model, not Agile, and it increases the cost and effort to remediate issues found late. Option C is wrong because Agile embraces changing requirements; security requirements are refined iteratively through backlog grooming and user stories, not finalized upfront. Option D is wrong because while Agile may reduce unnecessary documentation, security documentation (e.g., threat models, security acceptance criteria) is still essential and should not be minimized to the point of compromising auditability or compliance.

420
MCQhard

A multinational corporation is developing a new cloud-based collaboration platform that handles sensitive intellectual property. The platform must ensure end-to-end encryption (E2EE) so that even the cloud provider cannot access the data. Users communicate via chat and file sharing. The architect proposes using a hybrid encryption scheme where each user has a public/private key pair, and for each message, a random symmetric key is used to encrypt the message, which is then encrypted with the recipient's public key. However, there is a requirement for the company to be able to lawfully intercept communications in case of a court order. This conflicts with E2EE. Which design can satisfy both confidentiality and lawful interception?

A.Implement key escrow where the company holds a copy of all users' private keys.
B.Implement a transparent encryption proxy on the user's device that logs all keys and sends them to the company.
C.Use client-side encryption where the encryption key is derived from user password and stored with a backup that can be recovered by the company using a master key.
D.Implement a split-key design where the encryption keys are generated and held by the users, but a separate escrow agent splits the key into two parts: one held by the user and one held by the company. Alternatively, use a 'drop box' approach where communications are recorded in an encrypted format and the company can decrypt only after a court order by using a secondary key that is released upon authorization.
AnswerD

This preserves E2EE for routine communications while allowing lawful interception through a separate mechanism.

Why this answer

Option D is correct because it uses a split-key or drop-box design that preserves end-to-end encryption for regular communications while enabling lawful interception under strict authorization. In this scheme, the user holds one part of the key and the company holds another, or communications are recorded encrypted and a secondary key is released only after a court order, ensuring that neither the cloud provider nor the company can decrypt data without proper legal process. This satisfies both the E2EE requirement and the lawful interception mandate without compromising the core security principle of least privilege.

Exam trap

The trap here is that candidates often assume key escrow (Option A) is the only way to achieve lawful interception, failing to recognize that escrow breaks E2EE and that split-key or drop-box designs can satisfy both requirements without compromising the confidentiality of all communications.

How to eliminate wrong answers

Option A is wrong because key escrow where the company holds a copy of all users' private keys completely breaks end-to-end encryption, as the company (and potentially the cloud provider) can decrypt any past or future communication at any time, violating the confidentiality requirement. Option B is wrong because a transparent encryption proxy on the user's device that logs all keys and sends them to the company effectively creates a backdoor that bypasses E2EE, allowing the company to access all communications without user consent or court order, and it introduces a single point of compromise. Option C is wrong because deriving encryption keys from user passwords and storing a backup recoverable by a master key means the company can decrypt all data without a court order, and password-derived keys are often weak and vulnerable to offline brute-force attacks, undermining both confidentiality and the lawful interception control.

421
MCQmedium

A company uses WPA2-Enterprise with EAP-TLS for wireless access. An employee reports that a new laptop cannot connect to the wireless network, while older laptops work fine. The employee has installed the correct client certificate. What is the most likely cause?

A.The wireless network uses WPA2-PSK instead of WPA2-Enterprise.
B.The RADIUS server's certificate is not trusted by the new laptop.
C.The client certificate is not correctly associated with the user account.
D.The laptop does not support MSCHAPv2.
AnswerB

EAP-TLS mutual authentication requires the client to trust the server's certificate.

Why this answer

In WPA2-Enterprise with EAP-TLS, mutual authentication requires the client to validate the RADIUS server's certificate. If the new laptop does not trust the RADIUS server's certificate (e.g., its CA root certificate is missing or expired), the EAP-TLS handshake will fail, preventing connection. Older laptops likely have the necessary root CA installed, while the new laptop does not.

Exam trap

The trap here is that candidates may confuse EAP-TLS with EAP-PEAP or EAP-TTLS, which use MSCHAPv2 for inner authentication, and incorrectly assume the issue is MSCHAPv2 support, when in fact EAP-TLS relies solely on certificate trust.

How to eliminate wrong answers

Option A is wrong because the question explicitly states the network uses WPA2-Enterprise with EAP-TLS, not WPA2-PSK; a PSK mismatch would affect all clients, not just the new laptop. Option C is wrong because the employee has installed the correct client certificate, and EAP-TLS authenticates the client based on the certificate itself, not a user account association; the RADIUS server validates the client certificate against its trust store, not a user account. Option D is wrong because EAP-TLS does not use MSCHAPv2; it uses TLS-based certificate authentication, so MSCHAPv2 support is irrelevant.

422
MCQhard

A multinational corporation deploys a single sign-on (SSO) solution using SAML 2.0 across all subsidiaries. Recently, users in one subsidiary report being unable to access an internal application. The identity provider (IdP) logs show successful authentication, but the service provider (SP) logs indicate assertion validation failures. Which of the following is the MOST likely cause?

A.The system clocks on the IdP and SP are significantly out of sync
B.The SP is configured to require a specific SAML attribute not present in the assertion
C.The IdP server for the subsidiary is temporarily unreachable
D.The SAML certificate used by the SP has expired
AnswerA

SAML assertions include timestamps; clock skew leads to validation failure.

Why this answer

SAML 2.0 relies on timestamps (NotBefore and NotOnOrAfter) within the assertion for validity. If the system clocks on the identity provider (IdP) and service provider (SP) are significantly out of sync, the SP will reject the assertion as expired or not yet valid, even though the IdP logs show successful authentication. This is the most common cause of assertion validation failures in cross-domain SSO deployments.

Exam trap

The trap here is that candidates confuse assertion validation failures (which involve timestamps, signatures, or conditions) with authentication failures (which involve credentials or IdP reachability), leading them to incorrectly select options like IdP unreachability or certificate expiration.

How to eliminate wrong answers

Option B is wrong because a missing required SAML attribute would cause an authorization failure or attribute mismatch error, not an assertion validation failure; the SP would still validate the assertion's signature and timestamps first. Option C is wrong because if the IdP server were unreachable, the user would not be able to authenticate at all, and the IdP logs would not show successful authentication. Option D is wrong because an expired SAML certificate would cause a signature validation failure, not a generic assertion validation failure; the SP would log a certificate-related error, not a timestamp or validity period issue.

423
MCQhard

You are the CISO of a medium-sized healthcare organization that recently migrated patient records to a cloud-based EHR system. The system stores Protected Health Information (PHI) and is subject to HIPAA regulations. Three months after migration, the compliance team reports that the EHR vendor experienced a data breach exposing 5,000 patient records due to a misconfigured database. Your organization's contract with the vendor includes a clause that holds the vendor liable for breaches caused by their negligence. However, the vendor is refusing to pay the full cost of breach notification and credit monitoring, citing a limitation of liability clause that caps damages at $100,000. The actual costs are estimated at $500,000. Your organization's cyber insurance policy has a $250,000 deductible and covers losses up to $1 million, but excludes losses due to vendor negligence. You need to manage this risk effectively. Which of the following is the BEST course of action?

A.File a claim under your cyber insurance policy and pay the deductible to cover the costs.
B.Negotiate with the vendor to split the costs and update the contract to remove the liability cap.
C.Accept the loss and implement additional vendor oversight to prevent future incidents.
D.Initiate legal proceedings against the vendor to enforce the liability clause and recover costs.
AnswerD

Correct - Legal action may force the vendor to pay, and the limitation of liability may be deemed invalid.

Why this answer

Option D is the best course of action because the vendor's negligence caused the breach, and the contract explicitly holds the vendor liable for such incidents. Initiating legal proceedings to enforce the liability clause is the most direct way to recover the full $500,000 in costs, as the vendor's limitation of liability clause ($100,000 cap) may be challenged in court, especially given HIPAA's requirement for covered entities to ensure business associates safeguard PHI. This approach aligns with risk management principles by transferring the financial risk back to the responsible party, rather than accepting the loss or relying on insurance that explicitly excludes vendor negligence.

Exam trap

The trap here is that candidates may assume insurance is the primary risk transfer tool, but the exclusion for vendor negligence and the existence of a contractual liability clause make legal enforcement the superior option, as insurance cannot cover risks explicitly excluded in the policy.

How to eliminate wrong answers

Option A is wrong because the cyber insurance policy excludes losses due to vendor negligence, so filing a claim would likely be denied, leaving the organization to pay the $250,000 deductible and the remaining costs out-of-pocket. Option B is wrong because negotiating a split without legal leverage would likely result in the vendor paying only up to the $100,000 cap, leaving the organization with $400,000 in uncovered costs, and contract updates cannot retroactively apply to the current breach. Option C is wrong because accepting the loss ignores the contractual liability clause and the vendor's negligence, failing to enforce legal rights and setting a precedent that could encourage future vendor non-compliance.

424
MCQeasy

A DevOps team implements a CI/CD pipeline that runs security scans automatically. The pipeline fails often due to false positives, causing delays. Which approach balances security and efficiency?

A.Tune scan rules to reduce false positives while retaining critical checks.
B.Turn off all security scans.
C.Manually review every false positive.
D.Only run scans on code that is deployed to production.
AnswerA

Reduces noise while keeping essential security.

Why this answer

Tuning scan rules reduces false positives while maintaining critical security checks, thus minimizing delays without disabling security. Turning off scans removes security. Manual review of every false positive is inefficient.

Running scans only on production bypasses early detection.

425
Multi-Selectmedium

A security architect is designing a secure communication channel between two remote sites over the internet. Which TWO of the following protocols should be used to ensure confidentiality, integrity, and authentication?

Select 2 answers
A.PPTP
B.SSL/TLS
C.IPsec with ESP in tunnel mode
D.MPLS
E.L2TP over IPsec
AnswersC, E

IPsec ESP provides encryption and authentication.

Why this answer

Options B (IPsec with ESP in tunnel mode) and E (L2TP over IPsec) provide encryption and authentication for site-to-site VPNs. PPTP is outdated and insecure. SSL/TLS is primarily used for client-to-site VPNs.

MPLS does not provide encryption.

426
MCQhard

A security analyst is evaluating the impact of upgrading web servers from TLS 1.2 to TLS 1.3. Which advantage does TLS 1.3 offer in terms of handshake efficiency?

A.It supports the same cipher suites as TLS 1.2
B.Fewer round trips during handshake
C.More round trips during handshake
D.It eliminates the need for asymmetric encryption
AnswerB

TLS 1.3 handshake takes 1 RTT, down from 2 in TLS 1.2.

Why this answer

TLS 1.3 reduces the handshake from two round trips (2-RTT) in TLS 1.2 to one round trip (1-RTT) for a full handshake, and offers 0-RTT for resumed sessions. This is achieved by combining the ClientHello and ServerHello with key exchange parameters, eliminating the separate round trip for the ServerHello and Certificate exchange. The result is lower latency and faster connection establishment, which is critical for performance-sensitive applications.

Exam trap

The trap here is that candidates may confuse 'fewer round trips' with 'eliminating asymmetric encryption,' but TLS 1.3 still relies on asymmetric key exchange (e.g., ECDHE) for forward secrecy, just in a more streamlined handshake.

How to eliminate wrong answers

Option A is wrong because TLS 1.3 does not support the same cipher suites as TLS 1.2; it removes weak or obsolete ciphers (e.g., CBC-mode ciphers, RC4, 3DES) and mandates only AEAD ciphers like AES-GCM and ChaCha20-Poly1305. Option C is wrong because TLS 1.3 actually reduces the number of round trips compared to TLS 1.2, not increases them. Option D is wrong because TLS 1.3 still requires asymmetric encryption for the initial key exchange (e.g., ECDHE or DHE) to establish a shared secret; it does not eliminate asymmetric cryptography entirely.

427
Multi-Selecthard

Which TWO of the following are essential components of a successful security awareness program?

Select 2 answers
A.Metrics to measure the program's effectiveness
B.Implementation of technical controls like antivirus
C.Annual one-time training sessions
D.Punitive measures for security violations
E.Regular, engaging, and role-specific training
AnswersA, E

Measuring outcomes (e.g., phishing test results) allows refinement of the program.

Why this answer

Metrics to measure the program's effectiveness (Option A) are essential because they provide quantifiable data—such as phishing click rates, incident reporting trends, and policy violation statistics—that allow the organization to evaluate whether the awareness program is changing behavior and reducing risk. Without metrics, the program cannot be improved or justified to stakeholders, making it a core component of a successful security awareness initiative.

Exam trap

ISC2 often tests the misconception that technical controls or punitive measures are part of a security awareness program, when in fact the program is purely about human-focused education and behavior change, not technology enforcement or punishment.

428
MCQhard

A company is deploying a new application that processes personally identifiable information (PII) in a hybrid cloud environment. The security architect needs to ensure that encryption keys are never exposed to the cloud provider. Which solution should be recommended?

A.Envelope encryption with a key management service
B.Server-side encryption with cloud provider managed keys
C.Client-side encryption with keys stored on-premises
D.Server-side encryption with customer-provided keys
AnswerC

Correct. Keys are never sent to the cloud provider.

Why this answer

Client-side encryption ensures that encryption keys are generated and managed on-premises, never transmitted to the cloud provider. This directly meets the requirement that keys are never exposed to the cloud provider, as all cryptographic operations occur before data leaves the customer's controlled environment.

Exam trap

The trap here is confusing 'customer-provided keys' (SSE-C) with 'client-side encryption' — SSE-C still sends the key to the cloud provider for each operation, while client-side encryption keeps the key entirely on-premises.

How to eliminate wrong answers

Option A is wrong because envelope encryption with a key management service still involves the cloud provider's KMS handling the key encryption key (KEK), which could be exposed to the provider. Option B is wrong because server-side encryption with cloud provider managed keys gives the provider full control over the keys, violating the requirement. Option D is wrong because server-side encryption with customer-provided keys (SSE-C) still transmits the key to the cloud provider for each encryption/decryption operation, exposing it to the provider's infrastructure.

429
MCQmedium

Refer to the exhibit. The network administrator applies this access control list to the inbound interface of a router connecting to the internet. Which type of access control model is being implemented?

A.Discretionary Access Control (DAC)
B.Mandatory Access Control (MAC)
C.Rule-Based Access Control
D.Role-Based Access Control (RBAC)
AnswerC

The ACL is a set of rules that match on packet characteristics and are enforced by a system.

Why this answer

The access control list (ACL) applied to the inbound interface of a router connecting to the internet enforces traffic filtering based on a set of predefined rules (e.g., permit or deny statements based on source IP, destination IP, port numbers). This is the essence of Rule-Based Access Control (RBAC), where access decisions are governed by a global set of rules applied uniformly to all subjects, independent of user identity or roles. The ACL does not allow individual users to change permissions (eliminating DAC), does not use security labels or clearances (eliminating MAC), and does not map permissions to job roles (eliminating Role-Based Access Control).

Exam trap

ISC2 often tests the distinction between Rule-Based and Role-Based access control by presenting an ACL scenario and hoping candidates confuse the term 'rule' with 'role', but ACLs are purely rule-based and do not incorporate user roles or identity.

How to eliminate wrong answers

Option A is wrong because Discretionary Access Control (DAC) allows the resource owner to set permissions at their discretion (e.g., file permissions in Windows or Linux), whereas an ACL on a router is centrally managed by the network administrator and cannot be modified by end users. Option B is wrong because Mandatory Access Control (MAC) requires security labels (e.g., classification levels like Top Secret) and a central authority to enforce access based on those labels; a standard ACL does not use labels or a lattice-based model. Option D is wrong because Role-Based Access Control (RBAC) grants permissions based on job functions or roles (e.g., 'admin' or 'guest'), but a router ACL matches on packet attributes like IP addresses and ports, not on user roles or group memberships.

430
MCQeasy

A security manager is tasked with classifying data based on its sensitivity. Which of the following is the PRIMARY reason for data classification?

A.To ensure appropriate protection measures are applied to data based on its value and sensitivity.
B.To satisfy regulatory requirements for data retention.
C.To facilitate data sharing across departments without restrictions.
D.To simplify the process of granting access to users.
AnswerA

Correct - classification drives the level of protection needed.

Why this answer

Data classification is the foundational process of assigning a sensitivity label (e.g., Public, Internal, Confidential, Restricted) to information assets. The primary reason is to ensure that appropriate security controls—such as encryption, access control lists (ACLs), and data loss prevention (DLP) policies—are applied proportionally to the data's value and sensitivity, aligning with the principle of defense in depth and risk management.

Exam trap

The trap here is that candidates often confuse the primary purpose of classification (protection) with secondary outcomes like compliance or access management, leading them to select options B or D instead of the correct risk-based reasoning in A.

How to eliminate wrong answers

Option B is wrong because satisfying regulatory requirements for data retention is a separate process governed by legal and compliance policies (e.g., GDPR, HIPAA), not the primary driver for classification; classification informs retention but retention is a downstream action. Option C is wrong because unrestricted data sharing across departments would violate the principle of least privilege and confidentiality; classification actually restricts sharing based on sensitivity levels. Option D is wrong because simplifying access granting is a secondary benefit of classification (via role-based access control), but the primary reason is to apply appropriate protection measures, not to simplify administration.

431
Multi-Selectmedium

Which TWO of the following are essential components of a disaster recovery plan? (Choose two.)

Select 2 answers
A.Recovery Point Objective (RPO)
B.Business continuity plan
C.Recovery Time Objective (RTO)
D.Service Level Agreement (SLA)
E.Cold site configuration
AnswersA, C

Defines acceptable data loss in terms of time.

Why this answer

Options A and C are correct. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are key metrics. Business continuity plan is a separate but related plan; cold sites and SLAs are not components of a DRP itself.

432
MCQhard

A financial services company with 5000 employees uses a hybrid identity model with on-premises Active Directory (AD) synchronized to Azure AD via Azure AD Connect. The company has recently deployed Microsoft 365 and uses it for email and file sharing. Users authenticate to Azure AD using password hash synchronization (PHS) with Seamless Single Sign-On (SSO). The security team has implemented Conditional Access policies to require multi-factor authentication (MFA) for all external access and for access to sensitive financial applications. Recently, the help desk has received numerous complaints from users working remotely that they are frequently prompted for MFA, even multiple times during a single work session, causing frustration and productivity loss. Additionally, some users report that they are unable to access certain financial applications despite being in the correct group membership. An investigation reveals that Azure AD Connect synchronization is occurring successfully and that MFA configurations appear correct. The security team suspects that the issue may be related to the Conditional Access session settings or token lifetimes. What is the BEST course of action to diagnose and resolve the primary issue of excessive MFA prompts while maintaining security?

A.Implement a privileged identity management (PIM) solution to manage access to the financial applications.
B.Increase the sign-in frequency and session timeout values in the Conditional Access policies for all users to 24 hours.
C.Review the Conditional Access policy for the financial applications to ensure that the 'Session' controls are configured to 'Use app enforced restrictions' and adjust MFA trust settings.
D.Disable Seamless SSO and require users to enter passwords each time to ensure token freshness.
AnswerC

Session controls can configure MFA reauthentication frequency and improve user experience.

Why this answer

Option C is correct because the issue of excessive MFA prompts while maintaining security is best resolved by reviewing the Conditional Access session controls. Specifically, the 'Sign-in frequency' and 'Persistent browser session' settings in the session controls determine how often users are re-prompted for MFA. By adjusting these settings (e.g., setting sign-in frequency to a longer duration like 24 hours) and ensuring MFA trust settings are configured to allow trusted devices or locations, the security team can reduce unnecessary prompts without weakening security.

This directly addresses the user complaints while keeping Conditional Access policies intact.

Exam trap

The trap here is that candidates may confuse session controls with authentication methods or assume that increasing token lifetimes globally (Option B) is the solution, when in fact the issue is about Conditional Access session settings that control MFA re-prompt behavior, not about overall token expiration.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged access management, not for controlling MFA prompt frequency for general users accessing financial applications. Option B is wrong because blindly increasing sign-in frequency and session timeout values to 24 hours for all users could weaken security by allowing prolonged access without re-authentication, and it does not address the specific session control misconfiguration that causes excessive prompts. Option D is wrong because disabling Seamless SSO would force users to re-enter passwords frequently, increasing friction and not resolving the MFA prompt issue; token freshness is already managed by token lifetimes and session settings, not by disabling SSO.

433
MCQmedium

Refer to the exhibit. Based on the exhibit, what does the sequence of requests indicate?

A.A session hijacking attempt
B.A successful brute-force attack
C.A privilege escalation attempt
D.A directory traversal attack
AnswerC

After being denied access to /admin/dashboard, the user immediately obtains access, suggesting elevation of privileges.

Why this answer

The sequence of requests shows a user accessing a low-privilege resource (e.g., /user/profile) and then immediately requesting a high-privilege resource (e.g., /admin/config) without proper authentication or authorization checks. This pattern indicates an attempt to escalate privileges by exploiting missing access controls, which is a classic privilege escalation attempt.

Exam trap

The trap here is confusing a privilege escalation attempt with a session hijacking attempt, as both involve unauthorized access, but privilege escalation focuses on vertical movement within the same session, while session hijacking steals an existing session from another user.

How to eliminate wrong answers

Option A is wrong because session hijacking involves stealing or predicting a valid session token (e.g., via XSS or packet sniffing), not a sequence of requests from low to high privilege resources. Option B is wrong because a brute-force attack would show repeated login attempts with different credentials (e.g., multiple POST requests to /login), not a single pair of requests. Option D is wrong because a directory traversal attack uses path manipulation (e.g., ../) to access files outside the web root, not a change in resource privilege levels.

434
MCQmedium

Refer to the exhibit. A RADIUS server log shows multiple successful authentications for the same user followed by failures. What is the most likely cause?

A.The user's account is locked due to multiple failed attempts
B.The user's password has expired
C.The RADIUS server is misconfigured with a wrong secret
D.The user is a victim of credential stuffing
AnswerA

After several failed attempts, the account lockout policy triggers, causing subsequent failures. The earlier successes may be from another session or before lockout.

Why this answer

The RADIUS log shows successful authentications followed by failures for the same user. This pattern indicates that the user's password was correct initially, but subsequent failures triggered an account lockout policy. Account lockout is a common security control that disables an account after a threshold of failed attempts, preventing further authentication even with the correct password.

Exam trap

The trap here is that candidates may confuse account lockout with password expiry or credential stuffing, but the specific sequence of successes followed by failures uniquely points to lockout, not a global authentication failure.

How to eliminate wrong answers

Option B is wrong because a password expiry would cause failures for all attempts after expiry, not a mix of successes and failures. Option C is wrong because a misconfigured RADIUS secret would cause all authentication attempts to fail, not just some. Option D is wrong because credential stuffing typically results in a burst of failures from different IP addresses or user agents, not a pattern of successes followed by failures for the same user.

435
MCQeasy

A security analyst is conducting a review of aggregated logs from firewalls, IDS, and servers to detect anomalous behavior. This activity is best described as:

A.Security log analysis
B.Risk assessment
C.Vulnerability scanning
D.Penetration testing
AnswerA

Log analysis is the process of reviewing logs to detect incidents and anomalies.

Why this answer

Security log analysis involves the systematic review of logs from firewalls, IDS, and servers to identify patterns, anomalies, or indicators of compromise. This activity directly matches the scenario of detecting anomalous behavior through aggregated log review, which is a core practice in security monitoring and incident detection.

Exam trap

The trap here is confusing security log analysis (a passive, detective control) with vulnerability scanning or penetration testing (active, preventive controls), leading candidates to choose a more 'technical-sounding' option like vulnerability scanning.

How to eliminate wrong answers

Option B is wrong because risk assessment is a broader process of identifying, evaluating, and prioritizing risks, not the specific act of reviewing aggregated logs for anomalies. Option C is wrong because vulnerability scanning uses automated tools to probe systems for known weaknesses (e.g., missing patches, misconfigurations), not to analyze historical log data for anomalous behavior. Option D is wrong because penetration testing is an active, simulated attack to exploit vulnerabilities, not a passive review of log data.

436
MCQeasy

Which of the following is a primary purpose of conducting a tabletop exercise for incident response?

A.Measure the effectiveness of backup restoration.
B.Validate communication and decision-making processes.
C.Test technical capabilities of security tools.
D.Identify unpatched vulnerabilities in systems.
AnswerB

Focuses on team coordination and escalation paths.

Why this answer

A tabletop exercise is a discussion-based session where participants walk through a simulated incident scenario to evaluate the effectiveness of communication channels, decision-making hierarchies, and coordination among stakeholders. It does not involve live systems or technical testing, so its primary purpose is to validate the procedural and human elements of the incident response plan, such as who notifies whom and how escalation decisions are made.

Exam trap

The trap here is that candidates confuse a tabletop exercise with a technical drill or live-fire exercise, mistakenly thinking it tests tool capabilities or system-level actions, when in fact it strictly evaluates human processes and communication workflows.

How to eliminate wrong answers

Option A is wrong because measuring backup restoration effectiveness requires a hands-on technical test (e.g., a recovery drill or restore validation), not a discussion-based tabletop exercise. Option C is wrong because testing technical capabilities of security tools (e.g., SIEM rule tuning or firewall ACLs) demands live execution or simulation in a lab environment, not a walkthrough. Option D is wrong because identifying unpatched vulnerabilities is the domain of vulnerability scanning (e.g., using Nessus or OpenVAS) or penetration testing, not a tabletop exercise which focuses on process and communication.

437
Multi-Selecthard

Which THREE of the following are essential components of a software supply chain security program? (Select exactly three.)

Select 3 answers
A.Using signed and verified software artifacts
B.Maintaining a software bill of materials (SBOM) for all dependencies
C.Running penetration tests on the production environment
D.Conducting static analysis on all in-house code
E.Performing security assessments on third-party vendors
AnswersA, B, E

Signing ensures integrity and authenticity of artifacts.

Why this answer

Options B, C, and E are correct. SBOMs provide transparency; vendor assessments ensure third-party security; signed artifacts verify integrity. Option A is wrong because static analysis is internal, not supply chain.

Option D is wrong because penetration tests are broader, not specifically supply chain.

438
Multi-Selecteasy

An organization plans to allow employees to access third-party SaaS applications using their corporate credentials. Which THREE are necessary components for implementing SAML-based identity federation?

Select 3 answers
A.Service Provider (SP)
B.Bcrypt password hashing
C.Identity Provider (IdP)
D.RADIUS server
E.XML digital signatures
AnswersA, C, E

The SP consumes SAML assertions to grant access to the application.

Why this answer

Option A is correct because the Service Provider (SP) is the entity that hosts the SaaS application and relies on the Identity Provider (IdP) to authenticate users. In SAML-based identity federation, the SP receives a SAML assertion from the IdP and uses it to grant access, making it a necessary component of the trust relationship.

Exam trap

The trap here is that candidates confuse authentication protocols (like RADIUS or password hashing) with federation components, forgetting that SAML is an XML-based assertion framework that requires an IdP, SP, and digital signatures, not network-level or storage mechanisms.

439
MCQhard

A financial institution has developed a trading application that sends orders via an internal API. The application processes high-frequency trades and must ensure non-repudiation of orders. The development team implemented digital signatures using RSA with SHA-256. However, testers found that occasionally two different orders produce the same signature. The team suspects a collision resistance issue. After reviewing the implementation, they notice that the private key is generated using a deterministic key generation algorithm that uses a fixed seed derived from the current timestamp. The signatures are generated by signing the order hash directly. What is the most likely root cause of the signature collision?

A.The hash function SHA-256 provides insufficient collision resistance for the order volume.
B.The use of a fixed seed for key generation leads to weak keys, making it possible for an attacker to forge signatures.
C.The private key is reused across multiple instances, causing storage conflicts.
D.The signature algorithm does not use a random salt or padding, causing deterministic signatures that can collide when the same order is processed twice.
AnswerD

Deterministic signatures produce the same output for the same input; if two orders have identical hashes (e.g., due to data equality or collision), they yield identical signatures.

Why this answer

The signature algorithm does not include randomization (e.g., no random padding like in RSA-PSS), so the signature is deterministic. If two different orders produce the same hash (due to a collision or identical order data), they will have the same signature. While key generation with a fixed seed weakens the key, it does not cause signature collisions directly.

The hash function is unlikely to be the issue. Key reuse across instances is not described.

440
MCQmedium

A multinational corporation has experienced several security incidents where terminated employees retained access to internal systems for weeks after their departure. The HR department manually terminates accounts by sending notifications to IT, but the process is often delayed or missed. The company uses an identity management system (IDM) that supports automated provisioning and deprovisioning. The security team is tasked with reducing the risk of unauthorized access by former employees. Which of the following is the most effective course of action?

A.Integrate the HR system with the identity management system for automated deprovisioning
B.Require terminated employees to change their passwords upon exit
C.Increase frequency of access reviews and audits to identify stale accounts
D.Implement a user self-service portal for managers to disable accounts
AnswerA

Automated deprovisioning ensures accounts are disabled immediately when an employee is terminated.

Why this answer

Integrating HR systems with the IDM enables automated deprovisioning immediately upon termination. Increasing audits (B) only detects problems after the fact. Implementing user self-service (C) does not address timely deprovisioning.

Requiring strong passwords (D) is irrelevant to the issue of account removal.

441
Multi-Selectmedium

Which TWO of the following are essential components of a data classification policy? (Select two.)

Select 2 answers
A.Data retention periods for each classification level
B.Roles and responsibilities for data classification
C.Definition of classification levels (e.g., public, confidential, secret)
D.Methods for secure data destruction
E.Encryption standards for each classification level
AnswersB, C

Defining who is responsible for classifying data is essential.

Why this answer

Roles and responsibilities are essential because a data classification policy must clearly define who is accountable for classifying data, who can assign classification levels, and who is responsible for maintaining the labels. Without this, classification efforts become inconsistent and unenforceable, leading to security gaps. The CISSP emphasizes that governance requires clear assignment of ownership and decision-making authority for data assets.

Exam trap

ISC2 often tests the distinction between a data classification policy (which defines levels and roles) and supporting policies (retention, encryption, destruction) that operationalize the classification but are not core components of the classification policy itself.

442
MCQhard

Refer to the exhibit. A cloud security architect is designing access control for an S3 bucket. This policy is attached to an IAM role. Which access control model does this policy primarily implement?

A.Discretionary Access Control (DAC)
B.Role-Based Access Control (RBAC)
C.Mandatory Access Control (MAC)
D.Attribute-Based Access Control (ABAC)
AnswerD

ABAC evaluates attributes (tags) to grant access.

Why this answer

The policy uses an attribute (PrincipalTag/department) in the Condition to grant access. This is attribute-based access control (ABAC). It is not purely RBAC because the Role is not the only factor; the tag attribute is evaluated.

443
MCQhard

Refer to the exhibit. The ACL is applied inbound on the DMZ interface. What is the effect of this configuration?

A.The ACL permits all HTTP traffic to the web server and blocks all other traffic.
B.The ACL allows HTTP requests to the web server and allows the web server to respond, but blocks it from initiating new connections to the inside.
C.The ACL permits the web server to respond to HTTP requests but blocks all other outbound traffic.
D.The ACL allows the web server to initiate connections to the internal network.
AnswerB

Correct as explained.

Why this answer

The ACL is applied inbound on the DMZ interface, meaning it filters traffic entering the DMZ from the outside. The specific permit statement allows HTTP (TCP port 80) traffic from any source to the web server's IP address. Because the ACL is inbound, it only controls traffic arriving at the DMZ interface; return traffic from the web server to the inside is not subject to this ACL (it is evaluated by the outbound ACL on the inside interface or by stateful inspection).

Thus, the web server can respond to HTTP requests (which are part of the same session), but it cannot initiate new connections to the inside because those would be outbound from the DMZ and not permitted by the inbound ACL on the DMZ interface.

Exam trap

ISC2 often tests the distinction between inbound and outbound ACL application, tricking candidates into thinking an inbound ACL on the DMZ interface controls outbound traffic from the DMZ, when in fact it only controls traffic entering the DMZ.

How to eliminate wrong answers

Option A is wrong because the ACL does not block all other traffic; it only permits HTTP traffic inbound to the web server, but other traffic (e.g., ICMP, SSH) is implicitly denied by the implicit deny all at the end of the ACL, but the ACL does not explicitly block all other traffic—it simply does not permit it. Option C is wrong because the ACL is applied inbound on the DMZ interface, so it controls traffic entering the DMZ, not outbound traffic from the web server; the web server's responses are part of the established session and are not blocked by this inbound ACL. Option D is wrong because the ACL does not permit the web server to initiate connections to the internal network; it only permits inbound HTTP traffic to the web server, and any new connection from the web server to the inside would be outbound from the DMZ and would be denied by the implicit deny unless a separate permit statement exists.

444
Matchingmedium

Match each access control type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Owner controls access permissions

System-enforced based on labels

Access based on job roles

Access based on rules and policies

Why these pairings

These are the main access control models.

445
MCQmedium

A company recently suffered a data breach where an attacker was able to intercept network traffic and read sensitive data. Which network security control should be implemented to prevent this type of attack?

A.Encryption at the network layer (e.g., IPsec)
B.Network segmentation
C.Intrusion prevention system (IPS)
D.Strong password policies
AnswerA

IPsec encrypts IP packets, making intercepted data unreadable without decryption keys.

Why this answer

IPsec operates at the network layer (Layer 3) and provides encryption of the entire IP packet, including the payload, ensuring that even if an attacker intercepts the traffic, the data remains unreadable. This directly addresses the scenario where an attacker reads sensitive data from intercepted network traffic, as IPsec can be configured in transport mode for end-to-end encryption or tunnel mode for VPNs.

Exam trap

ISC2 often tests the misconception that network segmentation (Option B) prevents data interception, but segmentation only limits lateral movement, not the ability to read traffic within the same segment.

How to eliminate wrong answers

Option B is wrong because network segmentation (e.g., VLANs, subnets) limits the scope of traffic an attacker can reach but does not encrypt data; an attacker who intercepts traffic within a segment can still read it in plaintext. Option C is wrong because an intrusion prevention system (IPS) detects and blocks malicious patterns in traffic but does not encrypt data; it cannot prevent an attacker from reading already intercepted plaintext traffic. Option D is wrong because strong password policies control authentication and access but do not protect data in transit; an attacker who intercepts network traffic can bypass password controls entirely.

446
Multi-Selecthard

A company needs to protect data at rest in a cloud storage system. Which THREE encryption methods are appropriate for this purpose?

Select 3 answers
A.Stream cipher without authentication (e.g., RC4)
B.Client-side encryption with key management
C.MD5 hashing
D.AES-256 in GCM mode
E.Envelope encryption
AnswersB, D, E

Client-side encryption ensures data is encrypted before reaching the cloud, and keys are controlled by the client.

Why this answer

Client-side encryption with key management (B) ensures data is encrypted before it leaves the client device, so the cloud provider never has access to plaintext or the encryption keys. This is a fundamental control for protecting data at rest in untrusted environments, as it decouples key management from the storage provider.

Exam trap

The trap here is that candidates may confuse hashing (MD5) with encryption, or assume that any cipher (like RC4) is acceptable for data at rest, ignoring the critical need for authentication and integrity in storage systems.

447
MCQmedium

An organization wants to verify that its security policies are being followed by employees. Which testing method is most appropriate?

A.Compliance audit
B.Vulnerability scan
C.Risk assessment
D.Penetration test
AnswerA

A compliance audit verifies adherence to policies and standards.

Why this answer

A compliance audit is the most appropriate method to verify that security policies are being followed because it systematically compares actual practices, configurations, and controls against documented policy requirements. Unlike technical scans that identify vulnerabilities, a compliance audit focuses on adherence to rules, standards, and procedures, often using checklists derived from frameworks like ISO 27001 or NIST SP 800-53.

Exam trap

The trap here is that candidates confuse 'compliance audit' with 'vulnerability scan' because both involve checking systems, but the audit is specifically about policy adherence by people and processes, not technical flaws.

How to eliminate wrong answers

Option B (Vulnerability scan) is wrong because it identifies technical weaknesses in systems (e.g., missing patches, open ports) but does not assess whether employees are following security policies such as password handling or data classification procedures. Option C (Risk assessment) is wrong because it evaluates the likelihood and impact of threats to assets, not the degree of policy compliance by personnel. Option D (Penetration test) is wrong because it simulates attacks to exploit vulnerabilities and gain unauthorized access, focusing on technical defenses rather than verifying employee adherence to policies.

448
MCQeasy

A company experiences a data breach. Which step should be taken first according to best practices?

A.Inform affected parties
B.Contain the breach
C.Notify law enforcement
D.Assess the damage
AnswerB

Stops the incident from spreading and limits impact.

Why this answer

Containing the breach is the immediate priority to prevent further damage. Notifying authorities and affected parties comes after containment. Assessing damage can happen concurrently but containment is first.

449
MCQhard

During a risk assessment, a critical asset has a vulnerability with a CVSS score of 9.0. Which risk treatment strategy is most appropriate if the cost to mitigate exceeds the asset's value?

A.Transfer
B.Acceptance
C.Avoidance
D.Mitigation
AnswerA

Transfers financial impact to a third party, such as cyber insurance.

Why this answer

Transferring the risk (e.g., via insurance) is appropriate when mitigation cost exceeds asset value. Acceptance would leave the organization exposed to high risk. Avoidance would mean eliminating the asset or activity, which may not be feasible.

Mitigation is too costly.

450
Matchingmedium

Match each threat type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Fraudulent emails to obtain sensitive info

Targeted phishing at specific individuals

Phishing targeting senior executives

Voice phishing over phone

Phishing via SMS

Why these pairings

These are common social engineering attacks.

Page 5

Page 6 of 8

Page 7

All pages