Certified Information Systems Security Professional (CISSP) — Questions 451-525

529 questions total · 8 pages · All types, answers revealed

Page 7 of 8

451
MCQ · hard

An organization is designing a multicast network for live video streaming. They need to ensure that only authorized receivers can access the multicast group. Which technique should be implemented?

A. IGMP filtering
B. Multicast VLAN registration
C. Static IGMP entries
D. IGMP snooping with port security
Answer: A

IGMP filtering restricts which hosts can join multicast groups via IGMP messages.

Why this answer

IGMP filtering allows the network to control which hosts are permitted to join a multicast group by filtering IGMP membership reports at the access layer. This ensures that only authorized receivers can become members of the multicast group, providing access control for live video streaming. It is the most direct technique for enforcing authorization at the receiver level.

Exam trap

The trap here is that candidates confuse IGMP snooping (which optimizes multicast traffic delivery) with IGMP filtering (which enforces access control), leading them to pick IGMP snooping with port security as a security measure when it only controls traffic flooding, not authorization.

How to eliminate wrong answers

Option B is wrong because Multicast VLAN Registration (MVR) is designed to efficiently deliver multicast traffic across VLANs, not to enforce receiver authorization. Option C is wrong because static IGMP entries manually assign a host to a multicast group without any dynamic authorization check, which does not scale or enforce per-receiver access control. Option D is wrong because IGMP snooping with port security only monitors and restricts traffic based on MAC addresses or port-level security, not IGMP group membership authorization; it does not prevent an unauthorized host from sending a valid IGMP join.

452
MCQ · medium

A business is evaluating risk treatment options for a high-likelihood, low-impact risk. The cost of mitigation exceeds the potential loss. Which risk treatment strategy is most appropriate?

A. Risk transfer by purchasing insurance
B. Risk acceptance with documented decision
C. Risk mitigation by implementing additional controls
D. Risk avoidance by discontinuing the activity
Answer: B

Accepting the risk is justified when cost exceeds benefit.

Why this answer

Risk acceptance is appropriate when the cost of mitigation exceeds the potential loss and the risk is within the organization's risk appetite.

453
MCQ · hard

During a penetration test, the tester gains access to a server and finds sensitive customer data. What should the tester do next?

A. Exfiltrate the data to demonstrate the risk
B. Delete the data to prevent exposure
C. Continue testing to find more vulnerabilities
D. Report the finding immediately and secure the data
Answer: D

This follows responsible disclosure and protects the organization's data.

Why this answer

Option D is correct because the tester's primary responsibility is to protect sensitive data and minimize risk. Upon discovering PII or other regulated data, the tester must immediately report the finding to the client and secure the data (e.g., by isolating the server or encrypting the data in place) to prevent unauthorized access or exposure. This aligns with the ethical hacking code of conduct and the CISSP principle of 'do no harm'.

Exam trap

The trap here is that candidates confuse the goal of demonstrating risk (which is valid in a controlled lab) with the ethical obligation to protect live data; the CISSP exam emphasizes that a tester must never exfiltrate or alter production data, even to prove a point.

How to eliminate wrong answers

Option A is wrong because exfiltrating data, even to demonstrate risk, violates confidentiality and legal agreements (e.g., GDPR, HIPAA) and could cause real harm; penetration testers must never copy or remove sensitive data without explicit written authorization. Option B is wrong because deleting data destroys evidence and could disrupt business operations or violate chain-of-custody requirements; the tester should not alter production data. Option C is wrong because continuing to test without first securing the exposed data increases the risk of further compromise and violates the responsible disclosure process; the tester must halt and report the finding immediately.

454
MCQ · easy

Which security control is most effective for preventing unauthorized access to a data center?

A. Biometric authentication
B. Mantrap
C. Access logs
D. Video surveillance
Answer: B

Prevents unauthorized physical access through a controlled entry.

Why this answer

A mantrap provides a physical barrier that prevents tailgating and ensures one person enters at a time. Biometrics and video surveillance are controls but less direct prevention. Access logs are detective.

455
MCQ · medium

A security analyst notices that the SIEM is generating an overwhelming number of low-priority alerts from a single application server. The server is critical to operations. What is the BEST approach to reduce noise without compromising security?

A. Increase the severity threshold for that server's alerts.
B. Disable all alerts from that server.
C. Create a suppression rule for known benign patterns.
D. Exclude the server from SIEM monitoring.
Answer: C

Suppresses known benign events while keeping alerting for unusual activity.

Why this answer

Option C is correct because suppression rules allow the SIEM to filter out known benign patterns (e.g., routine service checks or scheduled scans) while still capturing genuine threats. This reduces alert fatigue without disabling monitoring for the critical server, preserving visibility into anomalous or malicious activity.

Exam trap

The trap here is that candidates confuse 'reducing noise' with 'reducing monitoring,' leading them to choose threshold increases or outright exclusion, when the correct approach is to surgically filter known benign events while maintaining full detection coverage.

How to eliminate wrong answers

Option A is wrong because increasing the severity threshold would cause the SIEM to ignore all low-severity alerts, potentially missing early indicators of compromise (e.g., reconnaissance or privilege escalation attempts) that often start as low-priority events. Option B is wrong because disabling all alerts from a critical server creates a complete blind spot, violating the principle of defense in depth and allowing attacks to go undetected. Option D is wrong because excluding the server from SIEM monitoring removes all visibility into its security posture, which is unacceptable for a critical asset and contradicts the core purpose of a SIEM.

456
MCQ · medium

A security analyst runs a vulnerability scan and sees the output shown in the exhibit. The analyst wants to remediate the most critical issue first. Which action should the analyst take to address the SQL injection vulnerability?

A. Deploy a web application firewall (WAF) with SQL injection signatures.
B. Rewrite the database query to use parameterized statements.
C. Implement strict input validation on the 'id' parameter.
D. Encode all output from the 'id' parameter using HTML entity encoding.
Answer: B

Parameterized queries prevent SQL injection by separating code from data.

Why this answer

Option B is correct because the best practice for preventing SQL injection is to use parameterized queries or prepared statements, which separate SQL logic from data. Option C is wrong because input validation alone is insufficient and can be bypassed. Option D is wrong because output encoding only helps with XSS, not SQLi.

Option A is wrong because WAF rules are a compensating control, not the primary fix.

457
MCQ · hard

A company's risk assessment identifies a high likelihood of a data breach due to outdated encryption standards. The cost to upgrade encryption is $50,000, and the estimated loss from a breach is $2,000,000. The risk manager decides to implement the upgrade. Which risk treatment option is being applied?

A. Risk acceptance
B. Risk avoidance
C. Risk enhancement
D. Risk transfer
E. Risk mitigation
Answer: E

Upgrading encryption reduces the likelihood of a breach, which is risk mitigation.

Why this answer

The risk manager is applying risk mitigation by implementing the encryption upgrade to reduce the likelihood or impact of a data breach. This directly addresses the identified risk by deploying a stronger cryptographic control, such as moving from AES-128 to AES-256 or replacing deprecated TLS 1.0/1.1 with TLS 1.3, thereby lowering the residual risk to an acceptable level.

Exam trap

The trap here is confusing risk mitigation with risk avoidance, as candidates may think avoiding outdated encryption means avoiding the risk entirely, but risk avoidance requires ceasing the risky activity, not upgrading the control.

How to eliminate wrong answers

Option A is wrong because risk acceptance would involve acknowledging the risk and taking no action to reduce it, which contradicts the decision to spend $50,000 on an upgrade. Option B is wrong because risk avoidance would mean eliminating the activity that creates the risk (e.g., ceasing all data transmission), not upgrading encryption. Option C is wrong because risk enhancement is not a standard risk treatment option; it would involve deliberately increasing risk, which is the opposite of the manager's action.

Option D is wrong because risk transfer would involve shifting the financial burden of a breach to a third party (e.g., purchasing cyber insurance), not investing in internal controls.

458
MCQ · hard

Your organization, a multinational e-commerce company, has suffered a ransomware attack that encrypted critical database servers and file shares. The ransom note demands payment in cryptocurrency within 48 hours or the data will be permanently destroyed. The company has a backup strategy that includes daily full backups and hourly incremental backups, stored both on-site and off-site. However, during the incident response, you discover that the most recent on-site backups are also encrypted because the backup server was connected to the network and affected by the same ransomware. Off-site backups are on tape and were last rotated out 72 hours ago. The CEO is pressuring to pay the ransom to restore operations quickly. Which option should the incident response team prioritize to minimize data loss and reputational damage?

A. Pay the ransom and hope the attackers provide a working decryption key.
B. Restore data from the off-site tape backups taken 72 hours ago.
C. Rebuild servers from scratch using latest known good configurations without restoring data.
D. Attempt to negotiate with the attackers for a lower ransom and more time.
Answer: B

Off-site backups are isolated and not encrypted; 72-hour data loss is acceptable compared to paying ransom.

Why this answer

Option B is correct: restoring from the off-site tapes (72 hours old) is the best course because they are not encrypted and provide a viable recovery point. Option A (pay the ransom) is risky: there is no guarantee of decryption, and payment encourages attackers. Option D (negotiate) wastes time.

Option C (rebuild without restoring data) is too slow and likely loses all data.

459
Multi-Select · hard

Which THREE access control models support the principle of least privilege?

Select 3 answers
A. Role-Based Access Control (RBAC)
B. Attribute-Based Access Control (ABAC)
C. Rule-Based Access Control (RuBAC)
D. Discretionary Access Control (DAC)
E. Mandatory Access Control (MAC)
Answers: A, B, E

RBAC assigns permissions to roles, which can be scoped to minimum necessary.

Why this answer

Role-Based Access Control (RBAC) supports least privilege by assigning permissions to roles rather than individuals, and users are granted only the permissions necessary for their job functions. This aligns with the principle because roles can be scoped to the minimum required access, and users cannot exceed the permissions of their assigned roles.

Exam trap

The trap here is that candidates often confuse Rule-Based Access Control (RuBAC) with RBAC, or assume that DAC inherently supports least privilege because owners can limit access, but DAC lacks centralized enforcement and allows users to delegate permissions arbitrarily, leading to privilege escalation.

460
MCQ · easy

A development team heavily uses third-party libraries. What is the most effective way to manage vulnerabilities in these libraries?

A. Only use libraries from sources with no known vulnerabilities
B. Ignore vulnerabilities unless a known exploit exists
C. Manually review each library's source code for flaws
D. Use a Software Composition Analysis (SCA) tool and monitor CVE databases
Answer: D

SCA tools automate vulnerability detection and CVE tracking.

Why this answer

Option D is correct because automated scanning with CVE monitoring provides continuous visibility. Option B is wrong because ignoring vulnerabilities is risky. Option C is wrong because manual review does not scale.

Option A is wrong because relying on sources with 'no known vulnerabilities' gives no assurance; it is not a strategy.

461
Multi-Select · easy

Which TWO options are valid methods for providing confidentiality in network communications? (Choose two.)

Select 2 answers
A. SSH
B. ESP in transport mode
C. HMAC
D. AH in tunnel mode
E. TLS 1.3
Answers: B, E

ESP provides encryption, thus confidentiality.

Why this answer

ESP (Encapsulating Security Payload) in transport mode provides confidentiality by encrypting the payload of an IP packet while leaving the original IP header intact. This is a core function of IPsec, where ESP can optionally include authentication but its primary role is encryption, making it a valid method for ensuring data confidentiality in network communications.

Exam trap

ISC2 often tests the distinction between protocols that provide confidentiality (encryption) versus those that provide integrity/authentication only, so candidates may mistakenly select AH or HMAC thinking they offer encryption when they do not.

462
MCQ · hard

During a security audit, it is discovered that the database server is also accepting connections from the web server. Which of the following is the most likely misconfiguration?

A. The application server is not properly authenticated
B. The network segmentation is not enforcing strict controls
C. The TLS configuration is incorrect
D. The firewall on the database server allows all traffic from the DMZ
Answer: B

Correct. The web server should not be able to connect to the database server directly.

Why this answer

The database server accepting connections from the web server indicates a lack of proper network segmentation. In a secure architecture, the web server should be in a DMZ and the database server in a private network segment, with strict access controls enforced by a firewall or router ACLs. The misconfiguration is that the network segmentation is not enforcing strict controls, allowing traffic that should be blocked.

Exam trap

The trap here is that candidates may focus on authentication or encryption (options A or C) as the primary issue, but the core problem is the lack of network segmentation, which is a fundamental security architecture control.

How to eliminate wrong answers

Option A is wrong because the application server not being properly authenticated is an identity and access management issue, not the direct cause of the database server accepting connections from the web server; the core problem is network-level access, not authentication. Option C is wrong because an incorrect TLS configuration would affect encryption of data in transit, not the fundamental ability of the web server to establish a TCP connection to the database server. Option D is wrong because while a permissive firewall rule could allow traffic, the question states the database server is 'accepting connections' from the web server, which implies the firewall is allowing it, but the most likely root misconfiguration is the lack of network segmentation (e.g., placing the database server in the same VLAN as the web server or not using a firewall to restrict traffic between zones), not just a single firewall rule.

463
MCQ · hard

An organization is implementing federated identity to allow partners to access its web application. The solution must support single logout and attribute exchange. Which protocol is most appropriate?

A. SAML 2.0
B. OpenID Connect
C. LDAP
D. OAuth 2.0
Answer: A

SAML 2.0 is a mature protocol with built-in single logout and attribute query capabilities.

Why this answer

SAML 2.0 is the most appropriate protocol because it natively supports both single logout (SLO) and attribute exchange as core features. It uses XML-based assertions to transfer identity and attribute data between an identity provider (IdP) and a service provider (SP), and its SLO mechanism ensures that when a user logs out from one application, all sessions across participating services are terminated simultaneously.

Exam trap

The trap here is that candidates often confuse OAuth 2.0 with OpenID Connect or assume that OAuth 2.0 alone can handle authentication and logout, but OAuth 2.0 is strictly an authorization protocol and lacks the session management and attribute exchange features required for federated identity.

How to eliminate wrong answers

Option B (OpenID Connect) is wrong because, while it supports single logout via RP-initiated logout, it does not natively support attribute exchange in the same structured manner as SAML; it relies on scopes and claims, which are less suited for complex enterprise attribute sharing. Option C (LDAP) is wrong because it is a directory access protocol for querying and modifying directory services, not a federated identity protocol; it lacks built-in support for single logout and cross-domain attribute exchange. Option D (OAuth 2.0) is wrong because it is an authorization framework, not an authentication protocol; it does not provide single logout or attribute exchange—those are handled by OpenID Connect when layered on top, but OAuth 2.0 alone is insufficient.

464
MCQ · medium

A security architect is designing a system that must enforce the principle of least privilege at the operating system level. Which mechanism should be implemented to grant processes only the minimal permissions required for their tasks?

A. Mandatory Access Control (MAC) using SELinux policies
B. Role-Based Access Control (RBAC) with fine-grained roles
C. Discretionary Access Control (DAC) with user permissions
D. Mandatory Integrity Control (Biba)
Answer: A

Correct. SELinux allows granular control over process permissions.

Why this answer

SELinux implements Mandatory Access Control (MAC) by enforcing a system-wide security policy that overrides user and process permissions. This allows the security architect to define precise rules (e.g., via Type Enforcement) that grant each process only the minimal set of resources it needs, effectively enforcing least privilege at the OS level regardless of user identity.

Exam trap

The trap here is that candidates often confuse RBAC with process-level least privilege, but RBAC is user-centric and does not constrain process permissions at the OS kernel level like MAC does.

How to eliminate wrong answers

Option B is wrong because Role-Based Access Control (RBAC) manages access based on user roles, not process-level permissions; it does not inherently restrict processes to minimal rights at the OS level. Option C is wrong because Discretionary Access Control (DAC) allows users to control permissions on their own objects, which can lead to privilege escalation and violates the principle of least privilege when users grant excessive rights. Option D is wrong because Mandatory Integrity Control (Biba) focuses on preventing data corruption by controlling information flow based on integrity levels, not on granting minimal permissions to processes.

465
MCQ · easy

A security tester needs to test a new application for vulnerabilities but is concerned about contaminating the production database with test data. What is the best practice for conducting such tests?

A. Perform the test on the production environment during off-hours
B. Create a separate test environment with anonymized production data
C. Test only from the network perimeter to avoid data exposure
D. Use synthetic data that mimics production but is not real
Answer: B

Provides realistic testing without risk to production.

Why this answer

Option B is correct because creating a separate test environment with anonymized production data ensures that testing does not affect the integrity or availability of the production database while still using realistic data to uncover vulnerabilities. Anonymization techniques, such as data masking or tokenization, remove personally identifiable information (PII) while preserving referential integrity and data distribution, allowing for accurate security testing without contaminating production systems.

Exam trap

The trap here is that candidates often confuse 'synthetic data' (Option D) with 'anonymized production data' (Option B), not realizing that synthetic data may not accurately reflect real-world data complexity, while anonymized production data preserves the necessary characteristics for thorough vulnerability testing without risking data contamination.

How to eliminate wrong answers

Option A is wrong because performing tests on the production environment during off-hours still risks contaminating the production database with test data, potentially corrupting live data, causing availability issues, or violating compliance requirements (e.g., GDPR, PCI DSS). Option C is wrong because testing only from the network perimeter does not address the core concern of database contamination; it focuses on network-level controls rather than data integrity, and internal application vulnerabilities may remain undetected. Option D is wrong because synthetic data that mimics production but is not real often lacks the complexity, edge cases, and statistical distributions of real data, which can lead to missed vulnerabilities that only manifest with actual production-like data patterns.

466
MCQ · hard

A financial institution is required to perform regular penetration tests on its online banking platform. The testing must be as realistic as possible while minimizing risk to production data. Which of the following approaches BEST meets these requirements?

A. Conduct the test on the production environment using anonymized production data.
B. Use an automated vulnerability scanner on the production environment.
C. Perform the test during off-peak hours on the production system with read-only access.
D. Build a replica of the production environment and test against it with realistic attack scenarios.
Answer: D

A replica environment allows full attack simulation without risking production data.

Why this answer

Option D is correct because building a replica (staging) environment allows the penetration test to simulate realistic attack scenarios without any risk to production data or system availability. This approach ensures the test can include destructive or disruptive techniques (e.g., SQL injection, privilege escalation) that would be unsafe on a live system, while still accurately reflecting the production architecture and configurations.

Exam trap

The trap here is that candidates often choose Option A or C because they focus on 'realistic' testing and assume production is the only way to achieve realism, overlooking that a well-constructed replica provides identical attack surfaces without the unacceptable risk to production integrity.

How to eliminate wrong answers

Option A is wrong because using anonymized production data in the production environment still exposes the live system to potential service disruption or data corruption from active exploitation attempts, and anonymization does not eliminate the risk of data leakage or system instability. Option B is wrong because an automated vulnerability scanner only identifies known vulnerabilities and lacks the manual, creative exploitation techniques required for a realistic penetration test; it also cannot safely simulate advanced attack chains. Option C is wrong because read-only access prevents the tester from performing many essential penetration testing activities (e.g., writing files, modifying configurations, escalating privileges), and off-peak hours do not eliminate the risk of production impact from active attacks.

467
MCQ · hard

During an audit, it is discovered that several users have inherited permissions through nested group memberships that violate least privilege. What is the best approach to correct this?

A. Implement periodic access reviews and attestation
B. Re-certify group memberships quarterly
C. Provide training on least privilege
D. Revoke all group memberships and assign individually
Answer: A

Access reviews allow managers to validate and revoke excessive permissions, including inherited ones.

Why this answer

Periodic access reviews and attestation (Option A) are the best approach because they establish a continuous governance process where data owners or managers formally confirm that inherited permissions from nested group memberships remain appropriate. This directly addresses the root cause—unchecked group nesting—by enforcing regular validation of access rights against the principle of least privilege, rather than relying on a one-time fix or training.

Exam trap

The trap here is that candidates often choose a one-time technical fix (like revoking all memberships) or a generic training option, failing to recognize that the CISSP exam emphasizes governance processes like periodic attestation as the sustainable solution for ongoing compliance with least privilege.

How to eliminate wrong answers

Option B is wrong because re-certifying group memberships quarterly is a subset of periodic access reviews but lacks the attestation component; attestation requires explicit confirmation of necessity, whereas re-certification may only verify membership without evaluating the underlying permissions inherited through nesting. Option C is wrong because training on least privilege, while valuable for awareness, does not correct existing misconfigurations or remove inherited permissions that violate the principle; it is a preventive measure, not a corrective one. Option D is wrong because revoking all group memberships and assigning individually is overly disruptive, ignores the legitimate need for group-based access management, and violates the principle of manageability; it also fails to address the underlying issue of nested group inheritance, which would require re-engineering the group structure rather than a blanket revocation.

468
MCQ · medium

A security team is analyzing logs from multiple sources and notices anomalous outbound traffic to a known command-and-control server. What is the most likely conclusion?

A. A misconfigured firewall is causing traffic
B. A host is compromised and is beaconing
C. An employee is streaming video to a personal server
D. The network is under a DDoS attack
Answer: B

Behavior consistent with malware communicating with its C2 server.

Why this answer

Anomalous outbound traffic to a known command-and-control (C2) server is a classic indicator of compromise (IoC). Compromised hosts often beacon outbound to C2 infrastructure using HTTP, HTTPS, or DNS tunnels to receive instructions or exfiltrate data. This pattern is distinct from normal traffic and is a primary focus of network security monitoring and intrusion detection systems (IDS).

Exam trap

The trap here is that candidates may confuse anomalous outbound traffic with a network misconfiguration or a benign user activity, failing to recognize that beaconing to a known malicious destination is a definitive sign of compromise, not a configuration error or a DDoS symptom.

How to eliminate wrong answers

Option A is wrong because a misconfigured firewall would typically cause blocked or dropped traffic, not specifically targeted outbound connections to a known C2 server; firewall misconfigurations rarely produce beaconing behavior to a single external IP. Option C is wrong because streaming video to a personal server would generate high-bandwidth, continuous traffic to a likely consumer CDN or IP, not periodic, low-and-slow beaconing to a known malicious C2 server. Option D is wrong because a DDoS attack involves a flood of traffic from many sources to a target, not anomalous outbound traffic from a single internal host to a specific C2 server.

469
MCQ · hard

A security architect is designing a secure enclave for processing highly sensitive data. The architecture must ensure that even if the operating system is compromised, the enclave's memory contents remain confidential and integrity-protected. Which technology should be used?

A. Full disk encryption (FDE) with a strong passphrase
B. Trusted Platform Module (TPM)
C. Hypervisor-based isolation
D. Intel Software Guard Extensions (SGX)
Answer: D

SGX creates hardware-enforced enclaves that isolate code and data even from the OS.

Why this answer

Intel Software Guard Extensions (SGX) is the correct choice because it provides hardware-enforced isolation of memory regions (enclaves) that remain confidential and integrity-protected even if the operating system or hypervisor is compromised. SGX encrypts enclave memory on-die and decrypts it only within the CPU, preventing any privileged software from reading or tampering with the data.

Exam trap

The trap here is that candidates confuse TPM's boot-time integrity measurement with runtime memory protection, or assume hypervisor isolation is sufficient against a compromised OS, not realizing SGX provides hardware-enforced enclave isolation that persists even when the OS is untrusted.

How to eliminate wrong answers

Option A is wrong because full disk encryption (FDE) protects data at rest on the storage device but does not protect memory contents; once the OS is booted and data is loaded into RAM, FDE offers no confidentiality or integrity protection against a compromised OS. Option B is wrong because the Trusted Platform Module (TPM) is a hardware security chip that provides secure storage for keys and attestation of boot integrity, but it does not isolate runtime memory or protect enclave contents from a compromised OS. Option C is wrong because hypervisor-based isolation relies on the hypervisor being trusted; if the OS is compromised, the hypervisor could also be attacked or bypassed, and it does not provide hardware-level memory encryption to protect against privileged software.

470
MCQ · hard

An organization develops a SaaS platform that integrates with multiple third-party services via APIs. The platform handles authentication tokens and user data. A security review reveals that the platform uses hardcoded API keys in the source code. What is the most secure way to manage these secrets in a cloud-native environment?

A. Use environment variables in the deployment configuration.
B. Use .gitignore to prevent them from being committed.
C. Encrypt the secrets and store them in the database.
D. Store secrets in a dedicated secrets management service like AWS Secrets Manager or Azure Key Vault.
Answer: D

Provides secure storage, access control, and automatic rotation.

Why this answer

A dedicated secrets management service provides centralized, encrypted storage with access control, auditing, and rotation. Environment variables are better than hardcoding but are still exposed in process memory and logs. Encrypting and storing in the database shifts the problem to key management. .gitignore prevents committing but secrets are still in the working directory.

471
Multi-Select · hard

Which TWO of the following are essential components of a quantitative risk analysis formula? (Choose two.)

Select 2 answers
A. Annual Rate of Occurrence (ARO)
B. Exposure Factor (EF)
C. Residual Risk
D. Single Loss Expectancy (SLE)
E. Control Frequency (CF)
Answers: A, D

ARO is the estimated frequency of the risk occurring per year.

Why this answer

Options A and D are correct: Single Loss Expectancy (SLE) and Annual Rate of Occurrence (ARO) are the two direct inputs to Annualized Loss Expectancy (ALE), calculated as ALE = SLE × ARO. Option B (Exposure Factor) is a component used to derive SLE (SLE = AV × EF), but the question asks for components of the ALE formula itself, and those direct inputs are SLE and ARO. Option C (Residual Risk) and Option E (Control Frequency) are not part of the basic quantitative formula.

472
Multi-Select · medium

An organization is implementing role-based access control (RBAC). Which two components are fundamental to the RBAC model? (Select TWO.)

Select 2 answers
A. Access control lists (ACLs)
B. Subjects, objects, and operations
C. Constraints such as separation of duties
D. Roles, permissions, and user assignments
E. Security labels and clearances
Answers: C, D

Correct. Constraints are integral to RBAC to enforce policies like SoD.

Why this answer

Constraints such as separation of duties are fundamental to RBAC because they enforce organizational policies by preventing conflicts of interest (e.g., a user cannot both create and approve a purchase order). This is a core component of the RBAC model as defined in the NIST RBAC standard (ANSI INCITS 359-2004), which includes core RBAC, hierarchical RBAC, and constrained RBAC. Constraints ensure that role assignments and permissions adhere to security rules beyond simple role-user mapping.

Exam trap

The trap here is that candidates often confuse the generic components of access control (subjects, objects, operations) with the specific fundamental components of the RBAC model, leading them to select Option B instead of recognizing that roles, permissions, user assignments, and constraints are the unique building blocks of RBAC.

473
MCQ · easy

An organization needs to ensure that backup tapes containing sensitive data are protected during transportation between sites. What is the most effective control?

A. Applying tamper-evident seals
B. Encrypting the backup tapes
C. Using a chain of custody log
D. Using a bonded courier service
Answer: B

Encryption protects the data on the tapes even while the media is in transit.

Why this answer

Encrypting the backup tapes ensures that even if the physical media is lost, stolen, or intercepted during transit, the sensitive data remains unreadable without the decryption key. This provides a strong, data-centric security control that protects confidentiality regardless of the physical security measures in place. Encryption is the most effective control because it directly addresses the risk of unauthorized access to the data itself.

Exam trap

The trap here is that candidates often choose a physical security control (like tamper-evident seals or bonded couriers) thinking it is sufficient, but the CISSP exam emphasizes that data-centric controls (encryption) are the most effective for protecting data in transit, as physical controls can be bypassed or fail.

How to eliminate wrong answers

Option A is wrong because tamper-evident seals only indicate whether the tape has been physically opened or tampered with; they do not protect the data from being read if the seal is bypassed or the tape is accessed through other means. Option C is wrong because a chain of custody log provides an audit trail of who handled the tape and when, but it does not prevent unauthorized access to the data if the tape is lost or stolen. Option D is wrong because a bonded courier service reduces the risk of theft or loss during transit, but it does not protect the data if the courier is compromised or the tape is intercepted; encryption is still needed to ensure confidentiality.

474
MCQ · medium

Which of the following is a primary advantage of using a hardware security module (HSM) over software-based key storage?

A. Easier key backup
B. Lower cost
C. Tamper-resistant physical security
D. Faster key generation
Answer: C

Correct. HSMs are designed to protect keys from physical tampering.

Why this answer

A hardware security module (HSM) provides tamper-resistant physical security by storing cryptographic keys in a dedicated, hardened appliance that resists physical tampering, probing, and extraction. Unlike software-based key storage, which relies on the operating system's file system or memory and is vulnerable to malware or direct memory access attacks, an HSM ensures that keys never leave the secure boundary in plaintext, even if the host system is compromised.

Exam trap

The trap here is that candidates confuse 'faster key generation' (a performance benefit) with the primary security advantage of HSMs, or they assume that software-based key backup is inherently more difficult, when in fact HSMs introduce additional complexity for backup to maintain security.

How to eliminate wrong answers

Option A is wrong because key backup from an HSM is typically more complex than software-based storage, often requiring secure key-wrapping or cloning procedures to maintain the same level of protection, whereas software keys can be easily copied as files. Option B is wrong because HSMs are significantly more expensive than software-based storage due to specialized hardware, certifications (e.g., FIPS 140-2 Level 3/4), and lifecycle management costs. Option D is wrong because while HSMs can accelerate key generation using dedicated hardware random number generators, software-based key generation can also be fast using CPU-based RDRAND or similar instructions, and speed is not the primary security advantage of an HSM.

475
Multi-Select · medium

Which THREE of the following are key practices in the OWASP ASVS (Application Security Verification Standard) for secure software? (Select exactly three.)

Select 3 answers
A. Secure error handling and logging
B. Integration with password managers
C. Authentication and session management
D. Network segmentation between tiers
E. Input validation and sanitization
Answers: A, C, E

ASVS V7 covers error handling.

Why this answer

Options A, C, and E are correct: error handling and logging, authentication and session management, and input validation are core ASVS verification areas. Option B is wrong because integration with password managers is not an ASVS requirement area. Option D is wrong because network segmentation between tiers is an infrastructure control, not an application security verification requirement.

476
MCQ · medium

A financial institution is implementing a data retention policy to comply with regulatory requirements. The policy must ensure that transaction records are retained for 7 years and then securely destroyed. Which of the following is the BEST approach to implement this policy?

A. Encrypt all records and destroy the encryption keys after 7 years
B. Automatically purge records using a data management tool that overwrites data after the retention period
C. Move records to a separate archive and delete the directory pointers
D. Manually review and delete records after 7 years
Answer: B

Automated purging ensures consistent and timely destruction, reducing human error and ensuring compliance.

Why this answer

Option B is correct because automated purging using a data management tool that overwrites data ensures that the records are securely destroyed at the end of the retention period, meeting both regulatory compliance and data sanitization requirements. Overwriting (e.g., using DoD 5220.22-M or NIST SP 800-88 standards) prevents data recovery by replacing the storage media's bits with patterns, making it a reliable method for secure destruction in a financial institution's automated environment.

Exam trap

The trap here is that candidates often confuse 'cryptographic erasure' (Option A) with secure destruction, but the CISSP exam emphasizes that destroying encryption keys does not physically destroy the data and is not considered a secure destruction method for regulatory compliance unless combined with other controls.

How to eliminate wrong answers

Option A is wrong because encrypting records and destroying the encryption keys after 7 years does not securely destroy the underlying data; the ciphertext remains on the media and could potentially be decrypted in the future if the encryption algorithm is broken or if key recovery is possible, violating the 'secure destruction' requirement. Option C is wrong because moving records to a separate archive and deleting directory pointers only removes the file system references, leaving the actual data intact on the storage media, which can be recovered using forensic tools and does not constitute secure destruction. Option D is wrong because manual review and deletion after 7 years is prone to human error, lacks audit trails, and does not guarantee that data is securely overwritten or destroyed, failing to meet the policy's requirement for reliable and verifiable destruction.

477
MCQ · medium

Refer to the exhibit. Which security risk does this policy primarily introduce?

A. Privilege escalation
B. Unauthorized read access
C. Denial of service
D. Unauthorized write access
Answer: D

Any user can upload objects to the bucket.

Why this answer

The policy allows any principal (anyone) to perform the s3:PutObject action on the bucket, meaning anyone can upload objects. This introduces unauthorized write access risk. Read access is not allowed.

Privilege escalation and DoS are not directly introduced.

478
MCQ · easy

You are the lead security analyst at a mid-sized financial services firm. At 2:15 PM, the SIEM alerts on multiple failed login attempts from an external IP address against the VPN gateway. The attempts stopped at 2:20 PM, but at 2:30 PM, a user reports that their account was used to send a phishing email to internal employees. You confirm that the user's account has been compromised. The CEO asks for an immediate update. What should be your FIRST action according to the incident response framework your company follows (based on NIST SP 800-61)?

A. Preserve forensic evidence by creating a disk image of the user's workstation.
B. Validate the incident and assess its scope and impact.
C. Immediately notify the legal and compliance teams.
D. Isolate the compromised workstation from the network.
Answer: B

Validation ensures it is a real incident; assessment prioritizes response.

Why this answer

According to NIST SP 800-61, the first phase of incident response is preparation, followed by detection and analysis. The SIEM alert and user report indicate a potential incident, but you must first validate the incident and assess its scope and impact before taking containment, eradication, or recovery actions. This ensures that resources are not wasted on a false positive and that the response is proportional to the actual threat.

Exam trap

The trap here is that candidates confuse containment actions (like isolation) with the first step, but NIST SP 800-61 mandates validation and scoping before any containment to ensure the response is appropriate and not disruptive.

How to eliminate wrong answers

Option A is wrong because preserving forensic evidence (e.g., creating a disk image) is a step that occurs after the incident has been validated and scoped; performing it prematurely could waste resources if the incident is a false positive or if the scope extends beyond that single workstation. Option C is wrong because notifying legal and compliance teams is a communication step that typically follows validation and initial containment, not the first action; immediate notification without confirmed scope could cause unnecessary escalation or legal exposure. Option D is wrong because isolating the compromised workstation is a containment action that should be taken after the incident is validated and its scope assessed; premature isolation could disrupt business operations or alert an attacker before full understanding of the incident.

479
MCQ · medium

A security architect is designing controls for a cloud-based file storage service that stores personally identifiable information (PII). Which control best ensures that data remains encrypted at rest without involving the cloud provider's key management?

A. Tokenization of PII fields
B. Transport Layer Security (TLS) for data in transit
C. Client-side encryption
D. Server-side encryption with customer-managed keys
Answer: C

Client-side encryption ensures data is encrypted before it leaves the client, so the provider cannot decrypt it.

Why this answer

Client-side encryption ensures data is encrypted before it leaves the client device, so the cloud provider never has access to the plaintext or the encryption keys. This guarantees that the data remains encrypted at rest in the cloud storage without relying on the provider's key management infrastructure, meeting the requirement of keeping the provider out of the key management loop.

Exam trap

The trap here is that candidates often confuse server-side encryption with customer-managed keys (Option D) as being fully independent of the provider, but in reality, the provider's key management service still handles the encryption/decryption operations, which does not satisfy the 'without involving the cloud provider's key management' requirement.

How to eliminate wrong answers

Option A is wrong because tokenization replaces PII with non-sensitive tokens, but the original data is still stored elsewhere (often in a token vault) and does not inherently encrypt the data at rest in the cloud storage; it is a data masking technique, not an encryption control. Option B is wrong because Transport Layer Security (TLS) protects data in transit between the client and server, but it does not address encryption at rest; once data reaches the cloud storage, it is decrypted and stored in plaintext unless another mechanism is applied. Option D is wrong because server-side encryption with customer-managed keys still involves the cloud provider's key management service (e.g., AWS KMS, Azure Key Vault) to encrypt/decrypt data; the provider manages the encryption process, even if the customer supplies the key material, which violates the requirement of not involving the provider's key management.

480
Multi-Select · medium

Which THREE of the following are valid methods for securing wireless networks against unauthorized access?

Select 3 answers
A. MAC address filtering
B. Implementing a wireless intrusion prevention system (WIPS)
C. WPA3-Enterprise with 802.1X
D. Using WEP with a complex key
E. Disabling SSID broadcast
Answers: A, B, C

MAC filtering can restrict which devices can connect, though it can be bypassed; it is a valid method.

Why this answer

MAC address filtering (A) can be used as a basic access control mechanism by configuring the wireless access point to only allow devices with specific MAC addresses to connect. However, it is not a strong security method because MAC addresses can be easily spoofed using tools like `macchanger` or `airmon-ng`, making it a weak defense against determined attackers.

Exam trap

The trap here is that candidates often believe disabling SSID broadcast or using WEP with a complex key provides meaningful security, but the CISSP exam expects you to recognize these as obsolete or easily bypassed controls that do not prevent unauthorized access.

481
MCQ · hard

A company is implementing a data masking solution for a test database that mirrors production. Which masking technique preserves referential integrity while obfuscating sensitive values?

A. Hash-based masking
B. Static data masking
C. Deterministic encryption
D. Dynamic data masking
Answer: C

Deterministic encryption preserves referential integrity because the same plaintext always maps to the same ciphertext.

Why this answer

Deterministic encryption (C) is correct because it uses a consistent key and algorithm to always produce the same ciphertext for a given plaintext value, allowing foreign key relationships to be maintained across tables. This preserves referential integrity while obfuscating sensitive data, as the encrypted values can still be joined reliably. Static data masking (B) replaces values with fictional but consistent substitutes, but it does not use encryption and may not guarantee the same level of consistency for complex referential constraints without careful design.

Exam trap

The trap here is that candidates confuse 'deterministic encryption' with 'static data masking' because both produce consistent outputs, but static masking does not use encryption and is not reversible, whereas deterministic encryption allows authorized decryption for legitimate use cases.

How to eliminate wrong answers

Option A is wrong because hash-based masking uses a one-way hash function (e.g., SHA-256) that, while deterministic, is not reversible and does not provide confidentiality for sensitive data; it is typically used for tokenization or integrity checks, not for preserving referential integrity with obfuscation. Option B is wrong because static data masking replaces sensitive data with realistic but non-reversible substitutes (e.g., random names or numbers) and, although it can maintain consistency, it does not use encryption and may break referential integrity if the masking algorithm is not carefully applied across all related tables. Option D is wrong because dynamic data masking alters data on-the-fly at query time based on user permissions, but it does not change the underlying stored data; referential integrity is preserved only in the unmasked production database, not in a test database where the masked view may not support consistent joins.

482
Multi-Select · easy

Which TWO documents are considered foundational for an information security program?

Select 2 answers
A. Security policy
B. Baseline
C. Guideline
D. Incident response plan
E. Standard operating procedure
Answers: A, D

Foundation of the security program.

Why this answer

The security policy (A) defines overall governance and direction, and the incident response plan (D) is a critical operational plan. Guidelines (C) and standard operating procedures (E) are supporting documents, and baselines (B) are technical minimums.

483
MCQ · easy

A company needs to provide secure remote access to employees using company-issued laptops. The solution must support both web applications and legacy client-server apps without installing client software on the laptops. Which VPN technology is best?

A. SSL VPN with clientless web access and port forwarding
B. L2TP over IPsec
C. MPLS Layer 3 VPN
D. IPsec tunnel mode
Answer: A

SSL VPN offers clientless access for web apps and port forwarding for legacy apps, meeting the requirement.

Why this answer

SSL VPN with clientless web access and port forwarding is the best choice because it meets the requirement of supporting both web applications and legacy client-server apps without installing client software. Clientless web access provides secure HTTPS-based access to internal web applications via a browser, while port forwarding allows legacy TCP-based client-server applications to be tunneled through the SSL VPN without requiring a full VPN client on the laptop. This approach leverages the existing browser and OS capabilities, eliminating the need for additional software installation.

Exam trap

The trap here is that candidates often assume IPsec (Option D) is the only 'secure' VPN option and overlook that SSL VPNs can provide equivalent security with clientless access, or they confuse MPLS (Option C) as a remote access solution when it is actually a WAN technology for site-to-site connectivity.

How to eliminate wrong answers

Option B (L2TP over IPsec) is wrong because it requires a native VPN client or OS-level configuration on the laptop, which contradicts the 'without installing client software' requirement; it also does not natively support clientless web access. Option C (MPLS Layer 3 VPN) is wrong because it is a service provider technology for connecting entire networks at Layer 3, not a remote access VPN for individual endpoints, and it requires MPLS-capable routers and no user-level authentication or clientless access. Option D (IPsec tunnel mode) is wrong because it requires a dedicated IPsec client or OS-level VPN stack to be installed or configured on the laptop, and it does not provide clientless web access or port forwarding for legacy apps without additional software.

484
MCQ · easy

A security analyst detects repeated failed login attempts from a single external IP address targeting a user account. What is the best IMMEDIATE action?

A. Investigate the source IP's history
B. Block the IP address at the perimeter firewall
C. Disable the targeted user account
D. Enable account lockout after three failures
Answer: B

Immediately stops the attack.

Why this answer

Blocking the IP address at the perimeter firewall is the best immediate action because it stops the ongoing brute-force attack at the network boundary, preventing further authentication attempts without affecting the legitimate user's access. This aligns with the principle of containment in incident response, prioritizing rapid mitigation over investigation or configuration changes that could delay the response.

Exam trap

The trap here is that candidates confuse 'immediate action' with 'long-term fix' and choose to investigate the IP (A) or implement a policy change (D), failing to recognize that containment (B) must come first in the incident response process.

How to eliminate wrong answers

Option A is wrong because investigating the source IP's history is a forensic step that should follow containment, not precede it; delaying action allows the attack to continue. Option C is wrong because disabling the targeted user account would deny service to the legitimate user and does not address the external threat, which could simply pivot to another account. Option D is wrong because enabling account lockout after three failures is a preventive configuration change that takes time to implement and does not stop the current attack in progress; it also risks locking out the legitimate user if the attacker triggers the threshold.

485
MCQ · hard

An organization is adopting a microservices architecture. Which security control is most effective for ensuring that inter-service communication is authenticated and authorized?

A. Implementing mutual TLS (mTLS) between services
B. Relying on network segmentation and IP allowlisting
C. Using JSON Web Tokens (JWT) in the HTTP header
D. Using pre-shared API keys for each service pair
Answer: A

mTLS provides bidirectional certificate-based authentication and encrypted communication.

Why this answer

Option A is correct because mutual TLS (mTLS) ensures that both parties in the communication are authenticated, providing strong identity verification and channel encryption. Option D is wrong because pre-shared API keys alone do not provide mutual authentication. Option C is wrong because, while a JWT can carry claims, it does not inherently encrypt the channel. Option B is wrong because IP allowlisting is prone to spoofing within cloud environments.

486
Multi-Select · easy

A penetration tester is planning an engagement. Which of the following rules of engagement should be defined before testing begins? (Select TWO.)

Select 2 answers
A. The exact exploits to be used
B. Emergency contact procedures
C. The scope of systems to be tested
D. The tester's personal compensation
E. The names of employees to be targeted
Answers: B, C

Emergency contacts ensure proper response if issues arise.

Why this answer

Emergency contact procedures (B) are a critical component of the Rules of Engagement (RoE) because they define who to notify if an incident occurs during testing, such as an unintended system outage or detection by security monitoring. Without this, the tester risks legal or operational repercussions. The scope of systems to be tested (C) is equally essential as it explicitly lists IP ranges, hostnames, and network segments authorized for testing, preventing unauthorized access and ensuring compliance with the engagement contract.

Exam trap

The trap here is that candidates confuse 'Rules of Engagement' with a detailed test plan or contract, leading them to select options like 'exact exploits' (A) or 'compensation' (D), which are operational or financial details, not the high-level boundaries that define what is allowed and how to handle emergencies.

487
MCQ · hard

Refer to the exhibit. A SAML response is received by the service provider. Which security issue is present?

A. The NameID format is incorrect
B. The assertion is not signed
C. The validity window is too short
D. The subject confirmation method is insecure
Answer: B

Without a signature, the assertion could be tampered with during transmission.

Why this answer

The SAML response shown in the exhibit lacks a digital signature on the assertion itself. Without the assertion being signed, a man-in-the-middle attacker could modify the assertion content (e.g., change the user identifier or attributes) after the response leaves the identity provider but before it reaches the service provider. SAML Core specification (OASIS SAML 2.0) requires that either the entire response or the individual assertion be signed to ensure integrity and non-repudiation; here, neither is signed, making the assertion vulnerable to tampering.

Exam trap

The trap here is that candidates often assume the 'bearer' subject confirmation method is the security flaw, but the real issue is the absence of a digital signature on the assertion, which is a distinct and critical integrity control.

How to eliminate wrong answers

Option A is wrong because the NameID format (e.g., 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress') is syntactically correct and commonly used; there is no indication of an incorrect format in the exhibit. Option C is wrong because the validity window (NotBefore and NotOnOrAfter) appears reasonable (e.g., a 5-minute window) and is not inherently insecure; a short window actually reduces risk, not introduces it. Option D is wrong because the subject confirmation method (e.g., 'bearer') is standard for Web SSO and is not inherently insecure; the issue is the lack of signing, not the confirmation method itself.

488
MCQ · hard

A large hospital uses a wireless LAN (WLAN) for mobile medical devices and staff tablets. Recently, nurses reported intermittent connectivity drops and high retransmission rates specifically in the east wing near the elevator banks. The WLAN is based on 802.11ac in the 5 GHz band. The hospital's IT team has already checked for channel overlap, and the APs are configured to use non-overlapping channels with automatic channel selection. Signal strength in the area is adequate (-65 dBm). However, the retransmission rate spikes during peak hours. Which approach should the network team take FIRST to diagnose and resolve the issue?

A. Conduct a spectrum analysis to identify sources of interference and reposition APs away from the elevator shafts.
B. Enable frequency hopping on the APs to avoid interference.
C. Increase the transmit power of the APs in the east wing to improve signal-to-noise ratio.
D. Deploy additional APs in the elevator area to provide more capacity and redundancy.
Answer: A

Spectrum analysis reveals non-Wi-Fi interference (e.g., from elevator motors) and guides AP placement to minimize its impact.

Why this answer

The symptoms—intermittent connectivity drops and high retransmission rates near elevator banks during peak hours—strongly suggest external RF interference, likely from the elevator motors or other electrical equipment. A spectrum analysis is the correct first step because it can identify non-Wi-Fi interference sources (e.g., microwave ovens, motors, or radar) that cause packet corruption and retransmissions, even when signal strength is adequate and channels are non-overlapping. Repositioning APs away from the elevator shafts after identifying the interference source directly mitigates the physical cause.

Exam trap

The trap here is that candidates often assume retransmissions are caused by congestion or weak signal and jump to adding APs or increasing power, but the specific location (elevator banks) and intermittent nature point to external interference, which requires spectrum analysis first.

How to eliminate wrong answers

Option B is wrong because frequency hopping is not supported in 802.11ac (which uses OFDM with fixed channels); it is a legacy technique from Bluetooth or older 802.11 FHSS standards and would not resolve interference from continuous sources like elevator motors. Option C is wrong because increasing transmit power would only amplify the signal but also potentially amplify the interference or cause co-channel interference with other APs, and the issue is not weak signal (-65 dBm is adequate) but corrupted packets due to interference. Option D is wrong because deploying additional APs in the elevator area would add capacity but not address the root cause of interference; more APs could even worsen retransmissions if they contend for the same medium or pick up the same interference.

489
MCQ · hard

During a security audit, it is discovered that a network firewall is allowing traffic based on source IP address only, without inspecting application-layer data. Which type of firewall is this?

A. Packet filter
B. Circuit-level gateway
C. Application gateway
D. Stateful inspection
Answer: A

Packet filters examine only packet headers.

Why this answer

A packet filter firewall operates at Layer 3 (Network) and Layer 4 (Transport) of the OSI model, making decisions solely based on source and destination IP addresses, ports, and protocols. It does not inspect application-layer data (Layer 7), which matches the scenario where traffic is allowed based on source IP address only. This is the simplest and fastest type of firewall, but it lacks the ability to block attacks embedded in application payloads.

Exam trap

The trap here is that candidates often confuse 'stateful inspection' with 'packet filtering' because both examine IP addresses, but stateful inspection also tracks connection state, whereas the question explicitly states no application-layer inspection and only source IP filtering.

How to eliminate wrong answers

Option B is wrong because a circuit-level gateway operates at Layer 5 (Session layer) and validates TCP handshakes and session establishment (e.g., SOCKS proxy), not just source IP addresses. Option C is wrong because an application gateway (application-layer proxy) inspects application-layer data (Layer 7) such as HTTP headers or FTP commands, which contradicts the scenario of no application-layer inspection. Option D is wrong because stateful inspection tracks the state of active connections (e.g., TCP sequence numbers) and makes decisions based on both packet headers and connection state, not just source IP addresses.

490
MCQ · hard

A large healthcare organization is subject to both HIPAA and GDPR. They are creating a data retention policy for electronic protected health information (ePHI) concerning European patients. HIPAA requires retention for 6 years from creation or last effective date, while GDPR requires that personal data not be kept longer than necessary for the purpose, with a general guideline of retaining for the duration of the relationship plus a reasonable period. The organization wants to minimize storage costs while ensuring compliance. Which approach should they take?

A. Retain data for the longer of the two regulatory requirements (HIPAA 6 years)
B. Implement a tiered retention policy based on data classification
C. Retain all data indefinitely
D. Retain data for the shorter requirement (GDPR-defined necessity period)
Answer: B

Allows different retention periods for different data types, ensuring compliance with both regulations while minimizing costs.

Why this answer

A tiered retention policy based on data classification allows the organization to apply different retention periods to different types of data, balancing regulatory requirements and cost. Retaining for the longer of the two requirements may over-retain data that is not subject to both laws. Retaining for the shorter may violate HIPAA.

Retaining all data indefinitely is costly and may violate GDPR's storage limitation principle.

491
MCQmedium

A security manager is conducting a risk assessment for a new cloud application. The manager needs to estimate the potential financial loss from a data breach. Which approach should be used?

A.Scenario-based risk analysis with ordinal scales
B.Qualitative risk analysis using high/medium/low ratings
C.Benchmarking against industry standards
D.Quantitative risk analysis using annualized loss expectancy (ALE)
AnswerD

Quantitative analysis calculates ALE from SLE and ARO, providing monetary estimates.

Why this answer

Quantitative risk analysis assigns monetary values to assets, threats, and impacts, allowing calculation of SLE, ARO, and ALE. Qualitative analysis uses subjective scales and is not monetary.

492
MCQmedium

A company wants to implement 802.1X authentication on their wired network. Which components are required?

A.Supplicant and authenticator
B.Authenticator and authentication server
C.Supplicant, authenticator, and authentication server
D.Supplicant and authentication server
AnswerC

All three components are required for 802.1X.

Why this answer

802.1X requires three distinct roles to function: the supplicant (client software requesting access), the authenticator (network device like a switch that enforces port-based access control), and the authentication server (typically a RADIUS server that validates credentials). Without all three, the EAP (Extensible Authentication Protocol) exchange cannot complete, as the authenticator acts as a proxy between the supplicant and the authentication server. Option C is correct because it lists all three mandatory components.

Exam trap

The trap here is that candidates often assume the authenticator (switch) performs the actual authentication, leading them to pick Option B, but in 802.1X the authenticator only controls port state and relays messages—it never validates credentials itself.

How to eliminate wrong answers

Option A is wrong because omitting the authentication server leaves no entity to validate the supplicant's credentials; the authenticator alone cannot perform authentication. Option B is wrong because it omits the supplicant, which is the endpoint that initiates the authentication request and provides credentials; without a supplicant, there is no client to authenticate. Option D is wrong because it omits the authenticator, which is the network device (e.g., switch) that blocks or allows traffic on the port based on the authentication result and relays EAP frames between the supplicant and the authentication server.

493
MCQhard

A company is considering outsourcing its customer support operations to a third-party vendor. Which of the following should be the PRIMARY risk management activity before finalizing the contract?

A.Conduct a thorough vendor risk assessment including security audits.
B.Negotiate a lower price to offset potential security investments.
C.Purchase cyber liability insurance to cover potential breaches.
D.Require the vendor to sign a non-disclosure agreement (NDA).
AnswerA

Correct - due diligence identifies risks before commitment.

Why this answer

Before outsourcing critical operations, the primary risk management activity is to conduct a thorough vendor risk assessment, including security audits. This evaluates the vendor's security posture, compliance with standards (e.g., ISO 27001), and ability to protect sensitive customer data, directly addressing risks like data breaches or service disruptions before contractual obligations are locked in.

Exam trap

ISC2 often tests the misconception that risk transfer (insurance) or legal agreements (NDAs) are primary risk management activities, when in fact proactive assessment and due diligence must occur first to identify and treat risks before any contractual commitment.

How to eliminate wrong answers

Option B is wrong because negotiating a lower price does not mitigate security risks; it may even incentivize the vendor to cut corners on security controls, increasing exposure. Option C is wrong because purchasing cyber liability insurance transfers financial risk after a breach but does not prevent or reduce the likelihood of a security incident, making it a secondary, not primary, activity. Option D is wrong because requiring an NDA only addresses confidentiality of shared information but fails to assess the vendor's actual security capabilities, processes, or vulnerabilities, leaving critical risks unexamined.

494
MCQhard

A security team is evaluating the results of a penetration test. The test revealed that a low-privileged user could escalate privileges to domain administrator. This is a critical finding. Which of the following should be the immediate next step?

A.Conduct a full incident response
B.Re-image all affected systems
C.Terminate the user's account
D.Implement patch management for the exploited vulnerability
AnswerD

Patching the vulnerability eliminates the attack vector.

Why this answer

Option D is correct because the immediate priority after discovering a privilege escalation vulnerability is to remediate the root cause—typically a missing patch or misconfiguration—to prevent further exploitation. In a penetration test context, the finding indicates a technical flaw (e.g., a missing security update for CVE-2021-42287 or a misconfigured Active Directory ACL) that must be patched or hardened first. Full incident response (A) is premature without evidence of active compromise, and re-imaging (B) or account termination (C) are reactive measures that do not address the underlying vulnerability.

Exam trap

The trap here is that candidates confuse a penetration test finding (a vulnerability) with an active security incident, leading them to choose incident response (A) instead of the correct remediation step (D), which is to patch the exploited vulnerability first.

How to eliminate wrong answers

Option A is wrong because conducting a full incident response assumes a confirmed breach or ongoing malicious activity, but a penetration test finding alone does not indicate active exploitation—it identifies a vulnerability that should be remediated first. Option B is wrong because re-imaging all affected systems is a drastic, resource-intensive step that does not fix the root cause (e.g., an unpatched domain controller or misconfigured Group Policy); the vulnerability would persist if the same image or configuration is reapplied. Option C is wrong because terminating the user's account only removes one low-privileged account but does not prevent another user or attacker from exploiting the same privilege escalation path (e.g., a Kerberos delegation flaw or SeBackupPrivilege abuse).

495
MCQhard

A SOC analyst receives an alert for a suspicious outbound connection from a server in the DMZ to an external IP on port 443. The server is a web application server that should only communicate internally. The analyst checks the process and finds it is 'svchost.exe' running from a non-standard path. What is the most appropriate immediate action?

A.Isolate the server from the network
B.Initiate a full incident response investigation
C.Disregard the alert because svchost.exe is a legitimate Windows process
D.Terminate the suspicious process
AnswerA

Isolation stops the malicious outbound connection and prevents further damage, allowing for later forensic analysis.

Why this answer

Option A is correct because isolating the server immediately contains the threat, preventing potential data exfiltration or lateral movement from a compromised host. The suspicious outbound connection from a DMZ server to an external IP on port 443 (HTTPS) combined with 'svchost.exe' running from a non-standard path strongly indicates malware masquerading as a legitimate Windows process. In security operations, containment is the priority before investigation to minimize damage.

Exam trap

The trap here is that candidates may think terminating the process (Option D) is sufficient, but the CISSP emphasizes containment over eradication to prevent further compromise, and they may also mistakenly trust svchost.exe as always legitimate without verifying its path.

How to eliminate wrong answers

Option B is wrong because initiating a full incident response investigation without first containing the threat could allow the attacker to continue exfiltrating data or move laterally while the investigation proceeds; containment must come first. Option C is wrong because while svchost.exe is a legitimate Windows process, it should only run from C:\Windows\System32 or C:\Windows\SysWOW64, and a non-standard path is a classic indicator of malware impersonation; disregarding the alert would be negligent. Option D is wrong because terminating the suspicious process alone does not prevent the malware from restarting or other persistence mechanisms from activating, and it does not address the network-level threat; isolation is more comprehensive.

496
MCQeasy

A health records system requires that doctors can write new records but cannot modify existing ones, and integrity is maintained through separation of duties. Which security model best fits this requirement?

A.Brewer-Nash
B.Biba
C.Clark-Wilson
D.Bell-LaPadula
AnswerC

Clark-Wilson enforces transformation procedures and separation of duties to maintain integrity.

Why this answer

The Clark-Wilson model enforces integrity through well-formed transactions and separation of duties, which directly matches the requirement that doctors can write new records but cannot modify existing ones. It uses constrained data items (CDIs), transformation procedures (TPs), and integrity verification procedures (IVPs) to ensure that only authorized users can perform specific operations, preventing unauthorized modifications.

Exam trap

The trap here is that candidates often confuse the Biba model with integrity enforcement, but Biba only prevents unauthorized data flow based on integrity levels, not the specific separation of duties and well-formed transaction constraints that Clark-Wilson provides for this scenario.

How to eliminate wrong answers

Option A is wrong because the Brewer-Nash model (also known as the Chinese Wall model) is designed to prevent conflicts of interest by controlling access to datasets based on previously accessed data, not for enforcing write-once or separation of duties for integrity. Option B is wrong because the Biba model focuses on preventing data flow from lower integrity levels to higher integrity levels (no write up, no read down), but it does not inherently enforce separation of duties or the specific constraint that new records can be written but existing ones cannot be modified. Option D is wrong because the Bell-LaPadula model enforces confidentiality through no read up and no write down, and it does not address integrity constraints like preventing modification of existing records or separation of duties.

497
MCQeasy

Refer to the exhibit. The syslog-ng configuration is used to forward logs to a central server. What type of logs are being forwarded?

A.Authentication logs
B.Kernel logs
C.Daemon process logs
D.Security event logs
AnswerA

auth and authpriv are authentication-related.

Why this answer

The syslog-ng configuration shown uses the `auth` facility, which corresponds to authentication-related messages (e.g., login attempts, sudo usage, user authentication). The `auth` facility is specifically designated for security and authorization events, making option A correct.

Exam trap

The trap here is that candidates may confuse `auth` with generic 'security event logs' (option D), but syslog-ng uses specific facility names, and 'security' is not a valid facility; the correct facility for authentication/security is `auth` or `authpriv`.

How to eliminate wrong answers

Option B is wrong because kernel logs use the `kern` facility, not `auth`. Option C is wrong because daemon process logs use the `daemon` facility, not `auth`. Option D is wrong because while `auth` logs are security-related, the term 'security event logs' is ambiguous and not a standard syslog facility; the correct facility for security events is `auth` or `authpriv`.

498
MCQhard

A security engineer is troubleshooting an authentication failure for a Windows domain user. The user receives 'Access denied' when trying to access a file server. The Kerberos ticket-granting ticket was successfully obtained. What is the most likely issue?

A.The file server is not trusted for delegation
B.The user does not have permission to the file server resource
C.The user account is locked out
D.Time skew between client and domain controller
AnswerB

After getting a service ticket, the file server checks ACLs; if denied, it returns 'Access denied'.

Why this answer

Since the Kerberos ticket-granting ticket (TGT) was successfully obtained, the user has authenticated to the domain and the Kerberos authentication process is functioning correctly. The 'Access denied' error at the file server indicates that the user lacks the necessary permissions on the specific resource (share or NTFS), which is a separate authorization step after successful authentication.

Exam trap

The trap here is that candidates confuse authentication (Kerberos TGT success) with authorization (resource permissions), assuming a successful TGT implies full access, when in fact Kerberos only proves identity and does not grant resource-level rights.

How to eliminate wrong answers

Option A is wrong because 'trusted for delegation' is a Kerberos extension used for service impersonation (e.g., when a service needs to act on behalf of a user to access another resource), not for basic file server access; a file server does not need to be trusted for delegation to grant or deny resource permissions. Option C is wrong because if the user account were locked out, the TGT request would fail with a specific Kerberos error (e.g., KDC_ERR_CLIENT_REVOKED), and the user would not have obtained a TGT. Option D is wrong because time skew between client and domain controller would prevent TGT acquisition entirely (Kerberos requires clock synchronization within 5 minutes by default, per RFC 4120), so a successful TGT proves time is synchronized.

499
Multi-Selecteasy

Which TWO of the following are types of access control models?

Select 2 answers
A.Discretionary Access Control (DAC)
B.SAML
C.Kerberos
D.Role-Based Access Control (RBAC)
E.LDAP
AnswersA, D

An access control model.

Why this answer

Discretionary Access Control (DAC) is an access control model where the owner of a resource (e.g., a file or object) has the authority to grant or deny access to other subjects. This is typically implemented using Access Control Lists (ACLs) on objects, allowing the owner to set permissions (e.g., read, write, execute) for specific users or groups. DAC is defined in the Trusted Computer System Evaluation Criteria (TCSEC) as a fundamental model for controlling access based on the identity of subjects and/or the groups to which they belong.

Exam trap

The trap here is that candidates confuse authentication and authorization protocols (SAML, Kerberos, LDAP) with access control models, which are abstract frameworks for defining how access decisions are made, not the mechanisms that implement them.

500
MCQeasy

A company's data classification policy labels information as 'Internal Use Only' and 'Confidential.' An employee emails a 'Confidential' document to an external partner without authorization. Which type of data security objective has been violated?

A.Non-repudiation
B.Confidentiality
C.Availability
D.Integrity
AnswerB

Unauthorized disclosure violates confidentiality.

Why this answer

Confidentiality ensures that data is not disclosed to unauthorized parties. Option D is wrong because integrity is about accuracy, not disclosure. Option C is wrong because availability is about access when needed. Option A is wrong because non-repudiation is about proof of origin.

501
Multi-Selecthard

A security analyst is reviewing an organization's password policy. Which THREE of the following are considered best practices for password security according to current NIST guidelines? (Select three.)

Select 3 answers
A.Enforce password history of 10
B.Require password changes every 30 days
C.Allow password hints
D.Implement multi-factor authentication
E.Use a minimum password length of 8
AnswersA, D, E

Password history prevents reuse of recent passwords.

Why this answer

Option A is correct because NIST SP 800-63B recommends enforcing a password history to prevent users from reusing recent passwords, with a typical value of 10-24 previous passwords. This reduces the risk of password recycling attacks where compromised credentials are reused. Option D is correct because multi-factor authentication (MFA) is a core NIST recommendation to add an additional layer of security beyond passwords, mitigating credential theft.

Option E is correct because NIST now advises a minimum password length of 8 characters (or more) as a primary defense against brute-force attacks, rather than relying on complexity rules.

Exam trap

ISC2 often tests the outdated NIST recommendation of mandatory password changes every 30-90 days, which is now explicitly discouraged in current guidelines, causing candidates to select option B incorrectly.

502
MCQmedium

A company uses Docker containers for microservices. What is the most important security measure for container images?

A.Use minimal base images and scan them for vulnerabilities
B.Use the latest version of base image to ensure patches
C.Hardcode secrets into the image
D.Run containers as root for easier privilege management
AnswerA

Reduces attack surface and identifies known flaws.

Why this answer

Option A is correct because minimal base images reduce attack surface, and vulnerability scanning detects known issues. Option B is wrong because using 'latest' tags can cause inconsistent builds. Option C is wrong because hardcoding secrets into an image is never recommended. Option D is wrong because running containers as root is insecure.

503
MCQeasy

An auditor finds that a system uses the same service account for multiple applications. Which risk does this pose?

A.Increased attack surface due to multiple passwords
B.Difficulty in auditing because all applications share one account
C.Inability to rotate passwords without affecting all applications
D.Single point of failure for authentication
AnswerC

Password rotation requires coordinating all dependent applications.

Why this answer

Option C is correct because changing the password of the shared service account would break every application that depends on it unless the change is coordinated across all of them. Option A is wrong because there is only one account and one password, not multiple, so the shared account does not increase attack surface in that way. Option D is wrong because single point of failure is about availability, not credential management.

504
MCQmedium

A developer is tasked with securely storing user passwords in a database. Which of the following is the most secure approach?

A.Do not store passwords; use federated identity
B.Hash the password with bcrypt using a unique salt per user
C.Encrypt the password using AES and store the ciphertext
D.Hash the password with MD5 and store the hash
AnswerB

Bcrypt is a slow, salted hashing algorithm specifically designed for passwords.

Why this answer

Option B is correct because using a strong, salted hashing algorithm like bcrypt is the industry standard for password storage. Option D is wrong because hashing with MD5 and no salt allows precomputation attacks. Option C is wrong because encryption is reversible if the key is compromised. Option A is wrong because claiming not to store passwords is impractical for most applications.

505
MCQmedium

An e-commerce company is preparing for a PCI DSS compliance assessment. The assessor needs to perform an external network vulnerability scan. The company has a public-facing web application that processes credit card payments. The scan must be conducted from an external IP address that is not whitelisted by the company's firewall. The security team is concerned that the scan might trigger intrusion detection alerts and cause operational disruptions. What is the BEST approach to handle this situation?

A.Whitelist the assessor's IP address in the firewall and intrusion detection system.
B.Use an authenticated scan with valid credentials provided by the company.
C.Perform the scan during off-peak hours and inform the security operations center.
D.Conduct a manual penetration test instead of an automated vulnerability scan.
AnswerC

This reduces disruption and maintains the required external scanning perspective.

Why this answer

Option C is correct because the PCI DSS requirement for an external network vulnerability scan mandates that the scan be conducted from an external IP address not whitelisted by the firewall to simulate a real attacker's perspective. Performing the scan during off-peak hours and informing the Security Operations Center (SOC) minimizes operational disruption and allows the SOC to correlate the scan traffic with known activity, reducing false-positive alerts. This approach balances compliance with operational stability without violating the scan's external-source requirement.

Exam trap

The trap here is that candidates mistakenly think whitelisting the assessor's IP (Option A) is acceptable for compliance, but PCI DSS explicitly forbids this to ensure the scan reflects a real attacker's view, and the question's wording 'not whitelisted' reinforces this constraint.

How to eliminate wrong answers

Option A is wrong because whitelisting the assessor's IP address in the firewall and IDS would violate the PCI DSS requirement that the scan must be conducted from an external IP not whitelisted, thereby invalidating the assessment's authenticity. Option B is wrong because authenticated scans are used for internal vulnerability assessments to test patch levels from an insider perspective, but PCI DSS external scans must be unauthenticated to simulate an unprivileged external attacker. Option D is wrong because a manual penetration test cannot replace the required automated external vulnerability scan; PCI DSS mandates automated scanning tools (e.g., ASV-approved scanners) to ensure consistent, repeatable coverage of all externally accessible IPs and services.

506
MCQmedium

A security analyst notices repeated failed login attempts from an internal IP address on the domain controller. After enabling account lockout, the lockouts continue but the source IP changes. What is the best next step?

A.Analyze the log events to identify the attack pattern and implement additional controls such as MFA
B.Increase the account lockout threshold
C.Ignore the event as it is likely a false positive
D.Disable the user account being targeted
AnswerA

Understanding the attack pattern allows for targeted controls like requiring MFA for the targeted account or blocking the attack vector.

Why this answer

Option A is correct because the changing source IP indicates a distributed attack, likely a password spraying or brute-force attempt from multiple compromised hosts. Analyzing log events helps identify the attack pattern (e.g., timing, targeted accounts, source IP ranges) so you can implement additional controls like MFA, which mitigates credential-based attacks regardless of source IP changes. Account lockout alone is insufficient when attackers rotate IPs, as lockout policies are per-account and per-source, not adaptive to distributed sources.

Exam trap

The trap here is that candidates assume account lockout is sufficient and focus on tweaking lockout thresholds (Option B), but the changing source IP reveals a distributed attack that requires a different control like MFA, not just adjusting lockout parameters.

How to eliminate wrong answers

Option B is wrong because increasing the lockout threshold would allow more failed attempts before lockout, making the attack more successful and increasing the risk of account compromise; it does not address the root cause of distributed IPs. Option C is wrong because repeated failed login attempts from changing IPs are a clear indicator of an active brute-force or password spraying attack, not a false positive; ignoring it could lead to unauthorized access. Option D is wrong because disabling the targeted user account is a reactive, temporary measure that does not stop the attacker from targeting other accounts or using different credentials; it also disrupts legitimate user access without addressing the underlying attack vector.

507
MCQhard

You are the security architect for a global financial firm. The organization has recently deployed a new cloud-based application that requires low-latency connections between data centers in New York, London, and Tokyo. The existing WAN uses MPLS L3 VPNs with IPsec encryption. However, the application team reports excessive latency and packet loss during peak hours. The network team confirms that the MPLS links are underutilized, but the IPsec tunnels show high CPU usage on the edge routers. Additionally, the security policy mandates that all inter-data center traffic must be encrypted and authenticated. The firm has a budget for hardware upgrades but wants to minimize operational changes. Which of the following is the BEST course of action?

A.Reduce the IPsec encryption algorithm to AES-128 and the hash to SHA-1 to lower CPU usage.
B.Replace MPLS with dedicated point-to-point circuits and remove IPsec encryption.
C.Increase the MTU on the WAN interfaces to reduce packet fragmentation.
D.Upgrade the edge routers to models that support hardware-accelerated IPsec encryption.
AnswerD

Hardware offloading reduces CPU load and improves performance.

Why this answer

Option D is correct because the high CPU usage on edge routers is a classic symptom of software-based IPsec encryption overwhelming the router's CPU. Hardware-accelerated IPsec offloads the cryptographic operations to dedicated ASICs or crypto engines, reducing CPU load and eliminating the latency and packet loss caused by processing bottlenecks. This directly addresses the root cause without changing the security policy or requiring major operational changes.

Exam trap

The trap here is that candidates mistakenly think reducing encryption strength (Option A) will solve CPU issues, but the CISSP exam tests that hardware offload is the proper solution when CPU is the bottleneck, not the algorithm choice.

How to eliminate wrong answers

Option A is wrong because reducing encryption to AES-128 and hash to SHA-1 still leaves the processing burden on the CPU; the issue is not the algorithm strength but the lack of hardware offload, and SHA-1 is deprecated per NIST and RFC 6194, potentially violating security policy. Option B is wrong because removing IPsec encryption violates the mandatory security policy that all inter-data center traffic must be encrypted and authenticated, and dedicated circuits do not inherently provide encryption. Option C is wrong because increasing MTU does not address CPU exhaustion from IPsec encryption; fragmentation is not the reported issue, and larger MTUs can actually increase latency if packets are dropped and retransmitted.

508
MCQhard

Refer to the exhibit. A database administrator implements the configuration shown to protect sensitive data. What is the most significant security flaw?

A.The database encryption key should be protected by a certificate rather than a password.
B.AES-256 is not a strong enough algorithm.
C.The encryption is applied at the database level rather than column level.
D.The encryption key is protected by a password that may be stored in scripts.
AnswerA

Best practice for TDE is to use a certificate or asymmetric key to protect the DEK, ensuring proper key management.

Why this answer

The correct answer is A. In SQL Server TDE, the database encryption key (DEK) should be protected by a certificate or asymmetric key stored in the master database, not by a password. Using a password is insecure because it is often stored in scripts or configuration files.

Option D is also a concern but is a consequence of the password-based protection; the root cause is not using a certificate. Option B is incorrect because AES-256 is a strong algorithm. Option C is incorrect because TDE at the database level is appropriate for many scenarios and does not represent a flaw.

509
Multi-Selecthard

Which THREE of the following are valid risk treatment options according to ISO 31000? (Select exactly 3)

Select 3 answers
A.Risk retention
B.Risk review
C.Risk reduction
D.Risk transfer
E.Risk avoidance
AnswersC, D, E

Correct - Implementing controls to reduce likelihood or impact.

Why this answer

ISO 31000 defines risk treatment options as risk avoidance, risk reduction, risk transfer, and risk retention. Risk reduction (option C) is a valid treatment that involves implementing controls to lower the likelihood or impact of a risk, such as deploying firewalls or encryption to mitigate a security threat.

Exam trap

The trap here is that candidates may confuse 'risk review' (a monitoring activity) with a treatment option. Risk retention is also a valid option explicitly listed in ISO 31000, but the question requires selecting exactly three from the given set, so retention is excluded in this specific answer set.

510
MCQmedium

A DevOps team is implementing a DevSecOps pipeline. Which of the following should be introduced first in the pipeline to catch security issues early and reduce remediation cost?

A.Container vulnerability scanning after image build
B.Static application security testing (SAST) during the build stage
C.Pre-commit hooks that run linters and secret scanners
D.Dynamic application security testing (DAST) in staging environment
AnswerC

Pre-commit hooks catch issues before code is committed, the earliest point in the pipeline.

Why this answer

Option C is correct because pre-commit hooks run on the developer's machine before code is committed, catching issues at the earliest possible point. Option B is wrong because SAST is typically run after code is committed but before build. Option D is wrong because DAST is run after deployment to a staging environment. Option A is wrong because container scanning occurs only after the image has been created.

511
MCQeasy

Based on the exhibit, which security objective is this policy primarily designed to protect?

A.Non-repudiation
B.Confidentiality
C.Integrity
D.Availability
AnswerB

Encrypting data at rest prevents unauthorized access to the plaintext.

Why this answer

The policy explicitly states that data must be encrypted both at rest (using AES-256) and in transit (using TLS 1.2+). Encryption is a primary mechanism for ensuring confidentiality by preventing unauthorized access to data. The requirement to protect data from disclosure directly aligns with the confidentiality objective of the CIA triad.

Exam trap

The trap here is that candidates often confuse encryption with integrity or non-repudiation, but encryption alone does not provide integrity checks (which require MACs or digital signatures) nor does it prove the origin of data.

How to eliminate wrong answers

Option A is wrong because non-repudiation is about ensuring that an action cannot be denied, typically achieved through digital signatures and audit logs, not encryption. Option C is wrong because integrity focuses on preventing unauthorized modification of data, which is protected by hashing or checksums, not encryption alone. Option D is wrong because availability ensures that data and systems are accessible when needed, which is addressed by redundancy and disaster recovery, not encryption.

512
MCQ · medium

A financial institution is migrating its customer data to a cloud environment. The cloud provider offers encryption at rest and in transit using AES-256 and TLS 1.2+. The compliance team requires that the organization maintain full control of encryption keys to meet regulatory obligations such as PCI DSS and local banking laws. The data is highly sensitive and includes personally identifiable information (PII). Which solution should the security architect recommend?

A. Implement client-side encryption with keys stored on-premises
B. Use tokenization instead of encryption
C. Use the cloud provider's default encryption with their key management service
D. Accept the provider's encryption without additional controls
Answer: A

Client-side encryption ensures the provider cannot access plaintext data, and keys remain under the organization's control.

Why this answer

Client-side encryption with keys stored on-premises ensures the organization retains exclusive control over encryption keys. Relying on the cloud provider's encryption with its key management service hands key management to the provider, which may not satisfy compliance. Accepting the provider's encryption without additional controls surrenders control entirely. Tokenization can protect data but replaces the original values with tokens, which may not be acceptable for all uses.

513
Multi-Select · hard

Which three BGP security mechanisms help protect against route hijacking? (Choose THREE.)

Select 3 answers
A. Resource Public Key Infrastructure (RPKI)
B. BGP Flowspec
C. Prefix filtering on edge routers
D. BGP MED attribute
E. MD5 authentication between BGP peers
Answers: A, C, E

Validates the origin AS of IP prefixes.

Why this answer

RPKI is correct because it uses cryptographically signed Route Origin Authorizations (ROAs) to validate that an AS is authorized to originate specific IP prefixes. This prevents route hijacking by allowing routers to reject BGP announcements that do not match the registered origin AS.

Exam trap

ISC2 often tests the distinction between BGP security mechanisms that prevent hijacking (RPKI, prefix filtering, MD5 authentication) versus those that influence routing policy or traffic engineering (MED, Flowspec), leading candidates to mistakenly select MED or Flowspec as hijacking protections.

514
MCQ · easy

During a code review, a developer identifies a SQL injection vulnerability. What is the most effective fix?

A. Use stored procedures exclusively.
B. Use an ORM framework.
C. Escape all input.
D. Implement parameterized queries.
Answer: D

Parameterized queries (prepared statements) separate code from data.

Why this answer

Parameterized queries (prepared statements) ensure user input is treated as data, not executable code. Stored procedures can still be vulnerable if dynamically built. Escaping input is error-prone. ORMs often use SQL underneath and may not prevent injection if misused.

515
MCQ · hard

Examine the Cisco ASA access-list named 'outside_in'. A penetration tester reports that they were able to establish an RDP session from an external IP address 203.0.113.55 to the internal host 10.10.10.10 on port 3389. Which configuration change would BEST prevent this while still allowing legitimate remote administration from the authorized management station?

A. Change the RDP rule to deny any source and add an explicit deny before the permit rules
B. Add an explicit deny rule for RDP from any source before the existing RDP rule, with logging enabled
C. Delete the second line (the HTTPS rule) and add a rule to deny RDP from all external sources
D. Modify the RDP rule to permit only from source host 192.168.1.100
Answer: D

Restricting the source to the authorized host prevents unauthorized external RDP connections.

Why this answer

Option D is correct because the current rule permits RDP to 10.10.10.10 from any source; the fix is to restrict the rule's source to the authorized management station 192.168.1.100 only. Option C incorrectly deletes the HTTPS rule. Options A and B deny RDP from every source, including the management station, which breaks legitimate remote administration; Option B adds logging but no source restriction.

516
MCQ · hard

Refer to the exhibit. A security analyst reviews this event log entry. What does this event indicate?

A. A successful logon by the SYSTEM account
B. A successful logon by a user account
C. An attempted exploit of a privilege escalation vulnerability
D. A failed logon attempt due to account lockout
Answer: D

Event 4625 indicates failed logon, sub status shows lockout.

Why this answer

The event log entry shows a 'Logon Type 3' (network logon) with a 'Failure Reason' of 'Account locked out' and a 'Status' of 0xC0000234, which specifically indicates the account was locked due to too many failed attempts. This is a failed logon attempt, not a successful one, and the lockout status confirms the account was locked out as a protective measure against repeated failed attempts.

Exam trap

The trap here is that candidates see 'Logon Type 3' and assume it is a successful network logon, ignoring the failure status and lockout reason, or they misinterpret the lockout as a privilege escalation attempt.

How to eliminate wrong answers

Option A is wrong because the event shows a failure status (0xC0000234) and a failure reason of 'Account locked out', not a successful logon by any account including SYSTEM. Option B is wrong because the event explicitly indicates failure, not success, and the user account referenced is locked. Option C is wrong because this event does not show any privilege escalation exploit; it is a standard authentication failure due to account lockout, not an attack pattern like token manipulation or SeDebugPrivilege abuse.

517
MCQ · medium

A security engineer is troubleshooting a network where internal users can access internet websites but cannot reach the company's external VPN server (IP 203.0.113.50, UDP port 500). The firewall rule for VPN traffic is correctly configured. What is the most likely cause?

A. The VPN server is using TCP port 443 instead of UDP 500.
B. The firewall rule is applied to the wrong interface.
C. The firewall is stateful and blocking the return traffic.
D. The VPN server is not listening on UDP port 500.
Answer: D

If the server does not have the VPN service running, it won't respond, causing the client to time out.

Why this answer

Option D is correct because the symptom—internal users can reach internet websites but cannot reach the external VPN server—indicates a host-level issue rather than a network or firewall problem. Since the firewall rule for VPN traffic is correctly configured and other traffic flows normally, the most likely cause is that the VPN server itself is not listening on UDP port 500, which is the standard port for IPsec IKE (Internet Key Exchange) traffic. This could be due to a misconfiguration, service failure, or the server being configured to use a different port or protocol.

Exam trap

The trap here is that candidates often assume a firewall misconfiguration (like stateful blocking or wrong interface) is the cause, but the question explicitly states the firewall rule is correctly configured, forcing you to look at the endpoint itself—a classic CISSP test of reading comprehension and layered troubleshooting.

How to eliminate wrong answers

Option A is wrong because if the VPN server were using TCP port 443 instead of UDP 500, the firewall rule would still need to match that traffic, but the question states the rule is correctly configured for VPN traffic (implying UDP 500), and the symptom would be different (e.g., HTTPS-based VPNs like SSL VPN would work). Option B is wrong because if the firewall rule were applied to the wrong interface, internal users would likely have broader connectivity issues (e.g., inability to reach any external services), not just the VPN server, and the question explicitly states the rule is correctly configured. Option C is wrong because a stateful firewall automatically tracks UDP sessions and allows return traffic if the outbound rule permits the initial packet; blocking return traffic would affect all UDP-based services, not just the VPN server, and the question confirms other internet access works.

518
MCQ · hard

An organization is migrating to a microservices architecture and wants to secure inter-service communication. Which approach is most aligned with the principle of securing the pipeline?

A. Service mesh with sidecar proxies
B. API keys in environment variables
C. Mutual TLS (mTLS) between services
D. Firewall rules restricting IP addresses
Answer: A

Correct. Service mesh provides encryption, authentication, and policy enforcement for service-to-service communication.

Why this answer

A service mesh with sidecar proxies (e.g., Istio) provides mutual TLS, traffic management, and policy enforcement for inter-service communication, directly securing the pipeline.

519
MCQ · hard

A global technology firm has implemented a continuous integration/continuous deployment (CI/CD) pipeline for its flagship software product. The security testing team is tasked with integrating security testing into the pipeline. The team has decided to use a static application security testing (SAST) tool and a software composition analysis (SCA) tool. They are currently running both tools every night against the entire codebase, but the developers complain that the reports are too long and often contain false positives. The team wants to improve the efficiency without sacrificing security coverage. Which of the following is the BEST strategy?

A. Decrease the scan frequency to weekly to reduce noise.
B. Implement a developers' feedback loop for false positives and tune the tools.
C. Replace SAST with dynamic application security testing (DAST) for more accurate results.
D. Run SAST and SCA only on new code changes committed to the main branch.
Answer: B

Tuning reduces false positives, improving efficiency while maintaining comprehensive scanning.

Why this answer

Option B is correct because tuning the SAST and SCA tools based on developer feedback directly addresses the false positive issue while maintaining security coverage. By establishing a feedback loop, the team can adjust rule sets, suppress known false positives, and reduce report noise without reducing scan frequency or scope. This approach aligns with the principle of continuous improvement in DevSecOps, ensuring that security testing remains efficient and actionable.

Exam trap

The trap here is that candidates may choose Option D (scan only new code) because it seems efficient, but they overlook the need for continuous scanning of the entire codebase to catch regressions and vulnerabilities in unchanged code, which is a core requirement for maintaining security coverage in CI/CD pipelines.

How to eliminate wrong answers

Option A is wrong because decreasing scan frequency to weekly reduces the frequency of security feedback, potentially allowing vulnerabilities to persist longer in the pipeline, which sacrifices security coverage and does not address the false positive problem. Option C is wrong because replacing SAST with DAST is not a direct solution; DAST analyzes running applications and has different strengths (e.g., runtime issues), but it does not replace the need for static analysis and SCA for dependency vulnerabilities, and it may introduce its own false positives. Option D is wrong because running SAST and SCA only on new code changes to the main branch misses vulnerabilities in existing code and dependencies that could be introduced through configuration changes or updates, and it fails to provide comprehensive coverage of the entire codebase.

520
MCQ · medium

A healthcare organization implements a policy requiring all employees to use biometric fingerprint scanners to access patient records. Which of the following is the MOST significant risk associated with this authentication method?

A. Biometric data cannot be revoked or changed if compromised
B. High false acceptance rate leading to unauthorized access
C. Low user acceptance due to privacy concerns
D. Increased login time compared to password authentication
Answer: A

Biometric traits are permanent; once stolen, they cannot be replaced.

Why this answer

Biometric data, such as fingerprint templates, is immutable and permanently tied to the individual. Once compromised, the user cannot simply 'reset' their fingerprint like a password, rendering the authentication factor permanently insecure for that user across all systems where it is used. This revocation failure (the inability to revoke or replace a compromised biometric) represents the most significant long-term risk to the organization's identity management infrastructure.

Exam trap

The trap here is that candidates focus on the immediate operational risks (FAR, user acceptance, or speed) rather than the fundamental, long-term security property of biometrics: the inability to revoke or change the credential, which is the most critical risk in identity and access management.

How to eliminate wrong answers

Option B is wrong because modern fingerprint scanners (e.g., capacitive or ultrasonic) have very low false acceptance rates (FAR), typically below 0.001%, making unauthorized access via FAR a less significant risk than the permanent compromise of biometric data. Option C is wrong because while privacy concerns may affect user acceptance, they are a secondary operational issue, not the most significant security risk; the primary risk is the irreversible loss of the authentication factor itself. Option D is wrong because increased login time is a usability inconvenience, not a security risk, and modern scanners authenticate in under one second, making this negligible compared to the revocation problem.

521
MCQ · hard

A company's security team discovers that an employee inadvertently shared sensitive customer data via a public cloud storage link. The incident response team contains the breach and notifies affected customers. Which of the following risk management strategies would BEST prevent recurrence?

A. Block all access to public cloud storage services from corporate devices.
B. Implement mandatory security awareness training focusing on data handling procedures.
C. Deploy a Data Loss Prevention (DLP) solution that monitors and controls sharing of sensitive data.
D. Encrypt all sensitive data at rest and in transit to render shared data useless.
Answer: C

Correct - DLP provides automated controls to prevent data leakage.

Why this answer

Option C is correct because a Data Loss Prevention (DLP) solution provides automated, policy-based monitoring and control of sensitive data being shared via public cloud storage links. Unlike awareness training (which relies on human behavior) or blanket blocking (which hinders productivity), DLP can inspect content in real time using pattern matching, fingerprinting, or exact data matching to prevent unauthorized sharing before it occurs, directly addressing the root cause of inadvertent exposure.

Exam trap

The trap here is that candidates often choose awareness training (Option B) because it seems like a logical first step, but the question asks for the BEST strategy to PREVENT recurrence, and DLP provides a technical control that actively blocks the action rather than relying on human behavior change.

How to eliminate wrong answers

Option A is wrong because blocking all access to public cloud storage services is an overly restrictive technical control that can severely impact business operations and collaboration; it does not address the underlying issue of improper data handling and may drive users to unapproved shadow IT solutions. Option B is wrong because while security awareness training is important, it is a preventive administrative control that relies on human memory and compliance; it cannot prevent recurrence of inadvertent sharing in real time, as human error can still occur despite training. Option D is wrong because encryption protects data confidentiality if the data is intercepted, but it does not prevent the authorized user from inadvertently sharing the encrypted data via a public link; if the recipient has the decryption key (or the key is shared with the link), the data remains exposed, so encryption alone is not a preventive control against the act of sharing.

522
MCQ · easy

An organization wants to protect sensitive data stored on laptops. Which of the following is the MOST effective control to prevent data loss if a laptop is stolen?

A. BIOS password
B. Asset tracking software
C. Full-disk encryption (FDE)
D. Remote wipe capability
Answer: C

FDE encrypts the entire drive, making data inaccessible without the key.

Why this answer

Full-disk encryption (FDE) renders the data on the laptop unreadable without the decryption key, even if the storage drive is removed and analyzed. This is the most effective preventive control against data loss from theft because it protects data at rest regardless of physical access to the device.

Exam trap

The trap here is that candidates often choose remote wipe (D) because it sounds proactive, but they overlook that it requires network connectivity and is a corrective control, whereas full-disk encryption is a preventive control that works even offline.

How to eliminate wrong answers

Option A is wrong because a BIOS password only prevents unauthorized booting of the system, but the hard drive can be removed and accessed directly via another machine, exposing all data. Option B is wrong because asset tracking software helps locate a stolen laptop but does not prevent data access or loss if the device is not recovered. Option D is wrong because remote wipe capability can delete data after theft, but it relies on network connectivity and may fail if the thief immediately disconnects the device; it is a reactive control, not a preventive one.

523
Multi-Select · medium

Which THREE of the following are examples of data at rest?

Select 3 answers
A. Data stored on a hard drive
B. Data in an email in transit
C. Data in a database
D. Data on a backup tape
E. Data on a network cable
Answers: A, C, D

Data on a hard drive is at rest.

Why this answer

Data at rest refers to data that is physically stored on a persistent medium and is not currently moving across a network or being processed. Data stored on a hard drive is a classic example because the data resides on a non-volatile storage device, whether it is an internal HDD, SSD, or external drive. The data remains on the medium until it is read, modified, or deleted, and it is typically protected by encryption mechanisms such as BitLocker or FileVault.

Exam trap

The trap here is that candidates often confuse data in a database as data in use or data in motion, but a database stores data persistently on disk, making it data at rest unless it is being actively queried or transferred.

524
MCQ · hard

During a security assessment, a penetration tester successfully performed a VLAN hopping attack from a host in VLAN 10 to a host in VLAN 20. The switches are configured with IEEE 802.1Q trunking. Which misconfiguration likely allowed this attack?

A. The native VLAN is not used on any trunk ports
B. Spanning Tree Protocol is disabled
C. Port security is disabled on all ports
D. Dynamic Trunking Protocol (DTP) is enabled on access ports
Answer: D

With DTP enabled on an access port, an attacker can send DTP frames to negotiate a trunk, then tag frames to hop VLANs.

Why this answer

D is correct because VLAN hopping attacks exploit Dynamic Trunking Protocol (DTP) to negotiate a trunk link between an attacker's host and a switch port. If DTP is enabled on an access port, the attacker can spoof DTP messages to form a trunk, gaining access to traffic from multiple VLANs, including VLAN 20 from VLAN 10.

Exam trap

ISC2 often tests the distinction between the two types of VLAN hopping (switch spoofing vs. double-tagging), and the trap here is that candidates confuse disabling STP or port security as relevant mitigations, when the core issue is DTP-enabled access ports allowing trunk negotiation.

How to eliminate wrong answers

Option A is wrong because the native VLAN is used on trunk ports by default in IEEE 802.1Q, and not using it would not prevent VLAN hopping; in fact, a misconfigured native VLAN can be exploited for double-tagging attacks, but the question describes a switch spoofing attack, not double-tagging. Option B is wrong because disabling Spanning Tree Protocol (STP) can cause network loops but does not directly enable VLAN hopping; VLAN hopping relies on trunk negotiation, not STP state. Option C is wrong because disabling port security limits MAC address filtering but does not prevent an attacker from negotiating a trunk via DTP; port security is a separate control for MAC flooding and unauthorized devices, not for trunk negotiation.

525
MCQ · hard

A network architect is designing a secure connection between two data centers across an untrusted WAN. The requirement is to encrypt all traffic and authenticate both endpoints. Which protocol should be used?

A. SSH
B. IPsec tunnel mode
C. MPLS
D. SSL/TLS
Answer: B

IPsec tunnel mode encrypts and authenticates entire packets between gateways.

Why this answer

IPsec tunnel mode is the correct choice because it encrypts the entire IP packet, including the original IP header, and encapsulates it within a new IP header for secure transport across an untrusted WAN. It also provides mutual authentication of both endpoints using IKE (Internet Key Exchange) with pre-shared keys or certificates, satisfying the requirement for encrypting all traffic and authenticating both data centers.

Exam trap

ISC2 often tests the distinction between IPsec tunnel mode and transport mode, and candidates may confuse SSL/TLS (which secures individual sessions) with a full network-layer VPN solution, missing that IPsec tunnel mode is the only option that encrypts all traffic and authenticates both endpoints at the network layer.

How to eliminate wrong answers

Option A is wrong because SSH is a protocol for secure remote login and command execution, not designed for site-to-site VPN encryption of all traffic between networks; it operates at the application layer and cannot encrypt arbitrary IP traffic between two data centers. Option C is wrong because MPLS is a label-switching technology for traffic engineering and QoS, not an encryption protocol; it provides no confidentiality or authentication, and traffic traversing an MPLS WAN is typically sent in the clear unless combined with IPsec or another encryption layer. Option D is wrong because SSL/TLS operates at the transport layer and is designed for securing individual connections (e.g., HTTPS), not for encrypting all IP traffic between two networks; it cannot encapsulate and protect non-TCP/UDP traffic or provide the same level of network-layer authentication and encryption as IPsec tunnel mode.
