CCNA Security Architecture and Engineering Questions

64 questions · Security Architecture and Engineering · All types, answers revealed

1
MCQhard

Refer to the exhibit. A security analyst detects unusual process creation. Which attack technique is most likely being observed?

A.Privilege escalation via SeDebugPrivilege
B.Pass-the-Hash attack
C.Kerberos Golden Ticket attack
D.LSASS credential dumping using Mimikatz
AnswerD

Mimikatz can inject into lsass.exe to dump credentials; spawning cmd.exe from lsass is a common post-exploitation step.

Why this answer

The exhibit shows that a cmd.exe process was spawned by lsass.exe, which is abnormal. lsass.exe is the Local Security Authority Subsystem Service. The parent process being lsass.exe indicates that an attacker may have injected code into lsass.exe to execute commands. The privileges assigned to the logon session include SeDebugPrivilege and SeTcbPrivilege, which are high privileges.

This is indicative of a Pass-the-Hash or credential dumping attack where the attacker uses LSASS to extract credentials or execute commands with SYSTEM privileges.

2
Multi-Selectmedium

Which THREE of the following are common security design principles? (Select THREE.)

Select 3 answers
A.Open design
B.Least privilege
C.Single point of failure
D.Security through obscurity
E.Economy of mechanism
AnswersA, B, E

Correct. Security should not depend on secrecy of design.

Why this answer

Open design (A) is a fundamental security principle stating that the security of a system should not depend on the secrecy of its implementation; instead, it relies on the strength of its cryptographic keys and algorithms. This principle is embodied in Kerckhoffs's principle, which asserts that a cryptosystem should remain secure even if everything about the system, except the key, is public knowledge. Open design allows for public scrutiny and peer review, which helps identify vulnerabilities and build trust in the system's security.

Exam trap

The trap here is that candidates may confuse 'single point of failure' as a design principle (it is a risk to be mitigated, not a principle) or mistakenly think 'security through obscurity' is a valid principle, when in fact the CISSP explicitly teaches that it is not a reliable security measure.

3
Drag & Dropmedium

Drag and drop the steps for setting up a VPN using IPsec in tunnel mode in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

IPsec VPN setup involves IKE phase 1, phase 2, defining traffic, applying crypto map, and verification.

4
Multi-Selecteasy

Which TWO of the following are principles of the zero trust security model? (Select TWO.)

Select 2 answers
A.Trust but verify
B.Never trust, always verify
C.Users are inherently trustworthy
D.Assume all networks are hostile
E.Perimeter defenses are sufficient
AnswersB, D

Correct. This is a core zero trust principle.

Why this answer

The zero trust security model is founded on the principle of 'never trust, always verify,' meaning no entity—inside or outside the network—is trusted by default. This requires continuous authentication and authorization for every access request, regardless of the user's location or network. Option B correctly captures this core tenet.

Exam trap

The trap here is that candidates confuse 'trust but verify' (a legacy perimeter model) with zero trust, or assume that zero trust still allows some inherent trust for authenticated users, when in fact it requires verification for every single access request regardless of prior authentication.

5
MCQmedium

In a zero trust architecture, which component is responsible for continuously verifying the trustworthiness of a device before granting access to resources?

A.Policy Decision Point (PDP)
B.Policy Enforcement Point (PEP)
C.Identity Provider (IdP)
D.Policy Administrator (PA)
AnswerA

Correct. PDP evaluates policies and verifies trust continuously.

Why this answer

In a zero trust architecture, the Policy Decision Point (PDP) is the component that evaluates all available telemetry and contextual data—such as device posture, user identity, and behavioral analytics—to make a real-time trust decision. It continuously verifies device trustworthiness by applying dynamic policies (e.g., checking for up-to-date patches, compliance with security baselines, or absence of malware) before granting or denying access to resources. This aligns with the NIST SP 800-207 zero trust model, where the PDP is the logical brain that computes trust levels and issues authorization decisions.

Exam trap

The trap here is that candidates often confuse the Policy Decision Point (PDP) with the Policy Enforcement Point (PEP), mistakenly thinking the PEP makes the trust decision when it only enforces the decision made by the PDP.

How to eliminate wrong answers

Option B (Policy Enforcement Point) is wrong because the PEP is responsible for executing the access decision—either allowing, blocking, or restricting traffic—but it does not perform the continuous trust evaluation itself; it relies on the PDP for that decision. Option C (Identity Provider) is wrong because the IdP authenticates users and issues identity tokens (e.g., SAML assertions or OIDC claims), but it does not continuously verify device posture or trustworthiness; device trust is a separate attribute evaluated by the PDP. Option D (Policy Administrator) is wrong because the PA generates the session token and communicates the PDP's decision to the PEP, but it does not perform the actual trust evaluation; it is an intermediary that manages the lifecycle of the authorization session.

6
Multi-Selecthard

Which THREE of the following are examples of asymmetric cryptographic algorithms? (Select THREE.)

Select 3 answers
A.Elliptic Curve Cryptography (ECC)
B.Diffie-Hellman
C.AES
D.RSA
E.Blowfish
AnswersA, B, D

Correct. ECC is asymmetric.

Why this answer

Elliptic Curve Cryptography (ECC) is an asymmetric cryptographic algorithm that uses the algebraic structure of elliptic curves over finite fields to provide security with smaller key sizes compared to RSA. It relies on the Elliptic Curve Discrete Logarithm Problem (ECDLP) for its security, making it computationally infeasible to derive the private key from the public key. ECC is widely used in modern protocols such as TLS, SSH, and Bitcoin for key exchange and digital signatures.

Exam trap

The trap here is that candidates often confuse symmetric ciphers like AES and Blowfish with asymmetric algorithms because they are both used for encryption, but the key management difference is the defining characteristic tested in CISSP.

7
Multi-Selectmedium

Which TWO of the following are principles of the Bell-LaPadula security model?

Select 2 answers
A.Separation of duty
B.No write up
C.No read down
D.No read up
E.No write down
AnswersD, E

Simple security property prevents reading higher classification.

Why this answer

The Bell-LaPadula model enforces mandatory access control (MAC) to protect confidentiality. Option D (No read up) is correct because a subject cannot read an object at a higher classification level, preventing unauthorized access to sensitive information. Option E (No write down) is correct because a subject cannot write to an object at a lower classification level, preventing the downgrading of classified data.

Exam trap

The trap here is that candidates confuse 'no write up' (which Bell-LaPadula allows) with 'no write down' (which it prohibits), or they misapply the Biba model's integrity rules (no read down, no write up) to Bell-LaPadula's confidentiality rules.

8
MCQmedium

An organization is implementing a hardware security module (HSM) to manage cryptographic keys. The security architect requires that keys be backed up securely and that the backup process ensures the same level of protection as the primary key storage. Which backup method best meets this requirement?

A.Export the key in plaintext and store it in a safe
B.Replicate the HSM configuration to another HSM in a different location
C.Use the HSM's key-wrapping function to encrypt the key and store the wrapped key in a secure offsite facility
D.Store an encrypted copy on a local server in the same data center
AnswerC

Key wrapping maintains the same cryptographic boundary and offsite storage provides redundancy.

Why this answer

Option C is correct because key-wrapping (also known as key encryption) uses a dedicated wrapping key within the HSM to encrypt the target key, ensuring the key never leaves the HSM in plaintext. The wrapped key can be safely stored offsite and later unwrapped only by an authorized HSM, preserving the same cryptographic protection as the primary storage. This method aligns with NIST SP 800-57 guidelines for secure key backup and escrow.

Exam trap

The trap here is that candidates may assume replication (Option B) is secure because it uses another HSM, but they overlook that replication often transmits keys in the clear or with weaker protection, failing to meet the 'same level of protection' requirement.

How to eliminate wrong answers

Option A is wrong because exporting a key in plaintext violates the fundamental security principle that cryptographic keys should never exist outside the HSM in an unencrypted form, even if stored in a safe. Option B is wrong because replicating the HSM configuration to another HSM typically duplicates the key material in plaintext across devices, which does not provide the same level of protection as the primary HSM's tamper-resistant storage and may expose keys during transmission. Option D is wrong because storing an encrypted copy on a local server in the same data center does not ensure offsite redundancy and the encryption key used for that copy is often stored on the same server, creating a single point of failure and defeating the purpose of secure backup.

9
Multi-Selecteasy

A security architect is considering secure design principles. Which two principles are essential for a defense-in-depth strategy? (Select TWO.)

Select 2 answers
A.Single point of failure
B.Layered security
C.Open design
D.Fail safe
E.Least privilege
AnswersB, E

Correct. Multiple layers of defense are core to defense-in-depth.

Why this answer

Layered security (defense in depth) is essential because it implements multiple, overlapping security controls so that if one layer fails, another layer continues to provide protection. This principle ensures that no single vulnerability can compromise the entire system, which is the core of a defense-in-depth strategy. Least privilege is equally essential because it restricts users and processes to only the minimum permissions necessary, limiting the blast radius of any breach and preventing lateral movement across layers.

Exam trap

The trap here is that candidates often confuse 'fail safe' or 'open design' as core to defense in depth, but the exam specifically tests that defense in depth is defined by layered security and least privilege, not by fail-safe mechanisms or design transparency.

10
MCQeasy

Which of the following is the primary purpose of a hardware security module (HSM)?

A.Filtering malicious traffic
B.Generating and storing cryptographic keys securely
C.Encrypting hard drives at rest
D.Accelerating network traffic
AnswerB

Correct. HSM provides tamper-resistant key management.

Why this answer

A hardware security module (HSM) is a dedicated, tamper-resistant hardware appliance designed to securely generate, store, and manage cryptographic keys throughout their lifecycle. Its primary purpose is to protect the root of trust for encryption operations, ensuring that private keys never leave the secure boundary of the module. This is critical for high-assurance environments such as certificate authorities (CAs) and payment processing systems.

Exam trap

The trap here is that candidates confuse an HSM with a general-purpose encryption tool or a network security appliance, mistakenly thinking it performs bulk encryption or traffic filtering, when its core role is secure key generation and storage.

How to eliminate wrong answers

Option A is wrong because filtering malicious traffic is the function of a firewall or intrusion prevention system (IPS), not an HSM. Option C is wrong because encrypting hard drives at rest is typically performed by full-disk encryption (FDE) software or self-encrypting drives (SEDs), not by an HSM; an HSM may store the encryption keys but does not perform the bulk encryption of the drive. Option D is wrong because accelerating network traffic is the role of a load balancer or a dedicated network accelerator; an HSM focuses on cryptographic operations and key management, not on improving network throughput.

11
Multi-Selecteasy

Which THREE are core principles of secure system design?

Select 3 answers
A.Complexity increases security
B.Security through obscurity
C.Least privilege
D.Fail securely
E.Defense in depth
AnswersC, D, E

Subjects should have only the privileges needed to perform their tasks.

Why this answer

The principle of least privilege mandates that users, processes, or systems should be granted only the minimum permissions necessary to perform their function. This reduces the attack surface and limits potential damage from compromised accounts or software flaws. In secure system design, it is enforced through access control lists (ACLs), role-based access control (RBAC), and mandatory access control (MAC) models.

Exam trap

ISC2 often tests the distinction between 'security through obscurity' as a valid supplementary measure versus a core principle, and candidates mistakenly select it because they confuse obfuscation with a foundational design tenet.

12
Multi-Selectmedium

Which TWO principles are fundamental to a defense-in-depth security architecture?

Select 2 answers
A.Diversity of defense
B.Centralized logging
C.Single point of failure
D.Layered security controls
E.Minimal user training
AnswersA, D

Using different types of controls across layers reduces the risk of a common vulnerability.

Why this answer

Options A and C are correct: Defense in depth relies on layered security controls (A) and diversity of defense (C) to ensure that if one layer fails, others still protect. Option B is incorrect because a single point of failure contradicts defense in depth. Option D (centralized logging) is a good practice but not a foundational principle.

Option E (minimal user training) is counterproductive.

13
Multi-Selecthard

A cloud security architect is designing a system that must comply with the principle of data sovereignty. Which three controls should be implemented? (Select THREE.)

Select 3 answers
A.Encrypt data at rest using customer-managed keys
B.Enforce contractual clauses with cloud provider regarding data location
C.Implement data classification policies
D.Store data only in approved geographic regions
E.Use a virtual private network (VPN) for all transfers
AnswersB, C, D

Correct. Contracts legally obligate the provider to maintain data in specified regions.

Why this answer

Option B is correct because contractual clauses with the cloud provider legally bind the provider to store and process data only within specified geographic boundaries, directly enforcing data sovereignty. This is a governance control that ensures compliance with local laws, such as GDPR or Brazil's LGPD, by restricting data movement across jurisdictions.

Exam trap

The trap here is that candidates often confuse data sovereignty with data security controls like encryption or VPNs, failing to recognize that sovereignty is about legal jurisdiction and physical location, not just confidentiality or transmission security.

14
MCQmedium

Refer to the exhibit. A security analyst finds these logs on a Linux server. What is the most likely cause of these events?

A.The root account is disabled
B.The firewall is blocking port 22
C.A brute-force attack is in progress
D.The SSH service is not running
AnswerC

Correct. Repeated failed passwords from same IP indicate brute-force.

Why this answer

The logs show repeated SSH authentication failures from the same source IP address with different usernames, including root, admin, and user. This pattern of multiple failed login attempts in rapid succession is characteristic of a brute-force attack against the SSH service. The fact that attempts continue across different usernames indicates an automated tool is systematically trying credentials, not a single misconfiguration or network issue.

Exam trap

ISC2 often tests the distinction between a service being unreachable (firewall blocking or service down) versus a service being reachable but under attack, where logs show authentication failures rather than connection failures.

How to eliminate wrong answers

Option A is wrong because the logs show failed attempts for root, admin, and user accounts, and a disabled root account would only affect root logins, not the other usernames; also, a disabled root account would not generate repeated authentication failure logs. Option B is wrong because if the firewall were blocking port 22, the SSH service would not receive any connection attempts at all, and the logs would not show authentication failures (they would show connection refused or timeout errors). Option D is wrong because if the SSH service were not running, the server would not respond to SSH connection attempts, and the logs would not contain authentication failure entries; the service must be running to process and log these attempts.

15
Multi-Selecteasy

Which TWO of the following are examples of physical security controls?

Select 2 answers
A.Firewall rules
B.Biometric door locks
C.Security awareness training
D.CCTV surveillance cameras
E.Intrusion detection system (IDS)
AnswersB, D

Physical access control mechanism.

Why this answer

Biometric door locks are physical security controls because they restrict physical access to a facility or room by verifying a unique biological trait (e.g., fingerprint, iris pattern). This falls under the domain of physical access control, which is a core component of physical security, not logical or administrative controls.

Exam trap

The trap here is that candidates often confuse logical/technical controls (like IDS or firewall rules) with physical controls, because they both involve 'security' and 'detection,' but physical controls always involve tangible barriers or devices that protect assets in the physical world.

16
MCQhard

Refer to the exhibit. A security analyst observes the audit log entry while troubleshooting a file access issue. The application is running under the myapp_t domain. Which action should the analyst take to resolve the issue while adhering to the principle of least privilege?

A.Add rule: allow myapp_t shadow_t:file { read write };
B.Change the file context of /etc/shadow to myapp_data_t
C.Add rule: allow myapp_t shadow_t:file read;
D.Set the application to run in unconfined_t domain
AnswerC

This grants only the needed read access to the shadow file.

Why this answer

The exhibit shows that the SELinux policy currently allows myapp_t to read and write files of type myapp_data_t, but the application is trying to read a file of type shadow_t (the password file), which is denied. To resolve the access issue without over-privileging, the analyst should add a specific rule allowing myapp_t to read shadow_t files, but only if the application requires it. Option A is correct because it directly addresses the denied permission.

Option B is incorrect because it allows write which is not needed. Option C removes the denial but is overbroad. Option D is unnecessary if the application runs in the correct domain.

17
MCQmedium

Refer to the exhibit. A system administrator reports that SSH public key authentication is failing for a non-root user. The user's public key is correctly placed in ~/.ssh/authorized_keys. Which PAM configuration issue is most likely causing the failure?

A.PasswordAuthentication is set to no, which conflicts with PAM.
B.The pam_nologin.so module is listed twice.
C.The pam_nologin.so module is required, which can deny access if /etc/nologin exists.
D.The pam_securetty.so module is missing for non-root users.
AnswerC

If /etc/nologin exists, pam_nologin denies all non-root logins, but root login is disabled via PermitRootLogin no, so all logins fail.

Why this answer

The PAM configuration includes 'auth required pam_nologin.so' before the system-auth include. The pam_nologin module checks for the existence of /etc/nologin file; if it exists, only root can login. Since PermitRootLogin is no, root cannot login either, so all logins are denied.

This is a common misconfiguration. The issue is that pam_nologin is called before the authentication stack, and it denies all non-root logins if /etc/nologin exists.

18
MCQeasy

An organization requires that all data stored in a cloud object storage service be encrypted at rest using customer-managed keys. Which encryption option should be implemented?

A.Server-side encryption with Amazon S3 managed keys (SSE-S3)
B.Transport Layer Security (TLS)
C.Server-side encryption with customer-provided keys (SSE-C)
D.Client-side encryption
AnswerC

Correct. SSE-C allows customer to provide the encryption key.

Why this answer

SSE-C (Server-Side Encryption with Customer-Provided Keys) allows the organization to encrypt objects at rest in cloud object storage using keys that are managed and supplied by the customer, not the cloud provider. This meets the requirement for customer-managed keys because the encryption key is provided in each API request and is never stored by the service, giving the customer full control over key lifecycle and access.

Exam trap

The trap here is that candidates confuse 'customer-managed keys' with 'client-side encryption,' but the question specifies encryption at rest within the cloud service, which requires a server-side encryption option where the customer provides the key (SSE-C), not encryption performed before upload.

How to eliminate wrong answers

Option A is wrong because SSE-S3 uses Amazon-managed keys, not customer-managed keys, so the customer does not control the encryption keys. Option B is wrong because TLS encrypts data in transit between the client and server, not data at rest in storage. Option D is wrong because client-side encryption encrypts data before it is sent to the cloud, but the question specifically requires encryption at rest using customer-managed keys within the cloud service, and client-side encryption does not leverage the server-side encryption feature of the object storage service.

19
MCQhard

A system is designed to meet the Common Criteria EAL4 evaluation. Which of the following is a required component for this level?

A.Formal model of security policy
B.Semiformal design and test
C.Formal specifications and verification
D.Informal security policy model
AnswerB

Correct. EAL4 requires semiformal methods.

Why this answer

EAL4 (Evaluation Assurance Level 4) under the Common Criteria requires 'semiformal design and test' as part of its assurance requirements. This level mandates that the security functional specification and the high-level design be expressed in a semiformal style, and that testing be based on this semiformal design. It does not require formal methods, which are reserved for higher EALs (EAL5–EAL7).

Exam trap

The trap here is that candidates often confuse EAL4 with EAL5 or EAL6, mistakenly thinking that 'semiformal' means 'formal,' or they incorrectly associate informal models with EAL4 when in fact EAL4 requires semiformal artifacts.

How to eliminate wrong answers

Option A is wrong because a formal model of the security policy is required only at EAL5 and above, not at EAL4. Option C is wrong because formal specifications and verification are required only at EAL6 and EAL7, where formal methods are applied to the entire design and implementation. Option D is wrong because an informal security policy model is required at lower EALs (EAL1–EAL3), but EAL4 specifically requires a semiformal model, not an informal one.

20
MCQhard

A company is implementing a secure multi-tenant cloud environment. The primary security requirement is that tenants cannot access each other's data even if the hypervisor is compromised. Which architecture best meets this requirement?

A.Encrypt each tenant's data with a single master key stored in the hypervisor.
B.Use a Trusted Execution Environment (TEE) such as Intel SGX to isolate tenant processes and memory.
C.Implement Mandatory Access Control (MAC) on the hypervisor.
D.Use VLANs to isolate tenant traffic at the network layer.
AnswerB

TEE provides hardware-enforced isolation that persists even if hypervisor is compromised.

Why this answer

A Trusted Execution Environment (TEE) like Intel SGX creates hardware-enforced enclaves that isolate tenant processes and memory at the CPU level. Even if the hypervisor is compromised, the enclave's memory is encrypted and inaccessible to the host OS or hypervisor, ensuring tenant data remains confidential. This directly meets the requirement that tenants cannot access each other's data despite a hypervisor breach.

Exam trap

The trap here is that candidates often choose MAC or VLANs because they associate them with isolation, but they fail to recognize that these controls operate at the OS or network layer and do not protect against a compromised hypervisor that has direct memory access.

How to eliminate wrong answers

Option A is wrong because storing a single master key in the hypervisor creates a single point of failure; if the hypervisor is compromised, the attacker can access the master key and decrypt all tenants' data, violating the isolation requirement. Option C is wrong because Mandatory Access Control (MAC) on the hypervisor enforces policy-based access controls but does not protect tenant data if the hypervisor itself is compromised—MAC cannot prevent the hypervisor from reading memory it manages. Option D is wrong because VLANs isolate network traffic at Layer 2, but they do not protect data at rest or in memory; a compromised hypervisor can still access tenant data directly from memory or storage, bypassing network segmentation.

21
MCQmedium

An organization is implementing a defense-in-depth strategy for its web application. Which of the following is an example of a compensating control?

A.A firewall blocking port 80
B.Regular vulnerability scanning
C.A web application firewall (WAF) blocking SQL injection
D.Two-factor authentication for administrative access
AnswerC

Correct. WAF compensates for input validation deficiencies.

Why this answer

A web application firewall (WAF) compensates for vulnerabilities in the application code by filtering malicious input, representing a compensating control.

22
MCQhard

A security analyst is troubleshooting a web application that is incorrectly blocking valid login requests. The WAF rule in the exhibit is the only rule configured. What is the probable issue?

A.The rule uses outdated syntax
B.The rule is in the wrong phase
C.The rule is too generic and matches all login requests
D.The rule does not specify a status code
AnswerC

Correct. The rule denies all requests to '/login' without any additional conditions.

Why this answer

Option C is correct because the WAF rule uses a broad pattern like `.*` or similar regex that matches all login request parameters, causing the WAF to block every login attempt. This occurs when the rule lacks specific constraints (e.g., matching only known attack patterns like SQL injection or XSS), so it incorrectly flags legitimate traffic as malicious.

Exam trap

The trap here is that candidates may confuse a rule being 'too generic' with 'outdated syntax' or 'wrong phase,' but the key is recognizing that a pattern matching everything causes false positives, not a technical failure of the rule engine.

How to eliminate wrong answers

Option A is wrong because outdated syntax (e.g., deprecated regex or rule format) would typically cause a parsing error or rule failure, not incorrect blocking of valid requests. Option B is wrong because the WAF phase (e.g., request headers, request body, response) determines when the rule is evaluated; a phase mismatch would cause the rule to be skipped or applied at the wrong time, not to block all login requests generically. Option D is wrong because a missing status code in the rule definition does not affect matching logic; status codes are used for response-based rules, not for blocking requests based on request content.

23
MCQeasy

In a public key infrastructure (PKI), which component is responsible for issuing and revoking digital certificates?

A.Registration Authority (RA)
B.Certificate Authority (CA)
C.Certificate Revocation List (CRL)
D.Validation Authority (VA)
AnswerB

Correct. CA issues and revokes certificates in a PKI.

Why this answer

The Certificate Authority (CA) is the trusted entity in a PKI that issues digital certificates by signing them with its private key, and it also revokes certificates by publishing Certificate Revocation Lists (CRLs) or using the Online Certificate Status Protocol (OCSP). The CA is the authoritative source for certificate lifecycle management, including issuance, renewal, and revocation.

Exam trap

The trap here is confusing the Registration Authority (RA) with the Certificate Authority (CA), as the RA performs identity verification but candidates often mistakenly think it also issues certificates.

How to eliminate wrong answers

Option A is wrong because the Registration Authority (RA) is only responsible for verifying the identity of certificate requestors and forwarding requests to the CA; it does not issue or revoke certificates itself. Option C is wrong because the Certificate Revocation List (CRL) is a data structure published by the CA that lists revoked certificates, not an entity that performs issuance or revocation actions. Option D is wrong because the Validation Authority (VA) is an optional component that validates certificate status (e.g., via OCSP responder) but does not issue or revoke certificates.

24
MCQhard

A security architect is reviewing a system that uses a microkernel operating system. The architect is concerned about potential side-channel attacks between processes. Which mitigation is most effective at the architecture level?

A.Randomize the address space layout (ASLR)
B.Implement stack canaries in all user-space applications
C.Reduce the number of system calls and IPC mechanisms
D.Use cache partitioning or cache coloring to isolate process caches
AnswerD

Cache partitioning prevents cross-process cache timing attacks.

Why this answer

D is correct because cache partitioning or cache coloring directly addresses the root cause of side-channel attacks in a microkernel environment: shared CPU caches. By isolating each process's cache footprint, an attacker cannot infer sensitive data (e.g., cryptographic keys) through timing variations or cache occupancy measurements, which is a fundamental architectural mitigation.

Exam trap

The trap here is that candidates often confuse software-based mitigations (ASLR, stack canaries) with hardware-level side-channel defenses, or mistakenly think reducing IPC eliminates all covert channels when the real threat is shared microarchitectural state.

How to eliminate wrong answers

Option A is wrong because ASLR randomizes memory addresses to hinder code-reuse attacks (e.g., ROP), but it does not prevent cache-based side channels that exploit timing differences in shared hardware resources. Option B is wrong because stack canaries detect buffer overflows in user-space applications, which is a software vulnerability mitigation unrelated to side-channel attacks between processes. Option C is wrong because reducing system calls and IPC mechanisms may shrink the attack surface for kernel exploits but does not eliminate the hardware-level cache contention that enables side-channel leakage.

25
MCQhard

A user reports that a VPN client cannot connect to the corporate gateway. The exhibit shows an excerpt from the client log. What does this indicate?

A.The VPN server certificate is expired
B.The server is using a self-signed certificate
C.The client certificate is missing
D.The client does not trust the CA that issued the server certificate
AnswerD

Correct. The error indicates the client cannot find the CA certificate.

Why this answer

The client log indicates a certificate validation failure during the TLS handshake. The error 'unable to get local issuer certificate' or similar means the client cannot find a trusted root CA that issued the server's certificate. This is a classic PKI trust issue, not an expiration or missing client certificate problem.

Exam trap

The trap here is that candidates confuse 'certificate expired' with 'untrusted CA' — both cause failures, but the log message and the underlying PKI process are different, and ISC2 often tests the distinction between trust chain errors and expiration errors.

How to eliminate wrong answers

Option A is wrong because an expired certificate would produce a different error, such as 'certificate has expired' or 'validity period mismatch', not a trust chain failure. Option B is wrong because a self-signed certificate would still cause a trust error, but the specific log message points to a missing CA in the client's trust store, not the server's certificate type. Option C is wrong because a missing client certificate would result in a 'no certificate sent' or 'bad certificate' error during client authentication, not a server certificate validation failure.

26
MCQeasy

A security architect is evaluating security models for a multilevel secure system. Which model enforces the * property (no write down) and is typically used for confidentiality?

A.Clark-Wilson
B.Brewer-Nash
C.Bell-LaPadula
D.Biba
AnswerC

Correct. Bell-LaPadula is a mandatory access control model for confidentiality with the * property.

Why this answer

The Bell-LaPadula model enforces the * (star) property, which prohibits subjects from writing to objects at a lower classification level (no write down). This property, combined with the simple security property (no read up), ensures that information cannot flow from higher to lower security levels, making it the standard model for enforcing confidentiality in multilevel secure systems.

Exam trap

ISC2 often tests the confusion between Bell-LaPadula (confidentiality, no write down) and Biba (integrity, no write up), leading candidates to mistakenly select Biba when the question specifies confidentiality.

How to eliminate wrong answers

Option A is wrong because the Clark-Wilson model focuses on integrity through well-formed transactions and separation of duty, not on confidentiality or the * property. Option B is wrong because the Brewer-Nash (Chinese Wall) model addresses conflict of interest by preventing access to competing datasets, not multilevel confidentiality with no write down. Option D is wrong because the Biba model enforces integrity via no write up and no read down, which is the inverse of Bell-LaPadula's confidentiality properties.

27
Matchingmedium

Match each PKI component to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Issues and revokes certificates

Verifies identity before certificate issuance

List of revoked certificates

Binds a public key to an identity

Why these pairings

PKI components work together to manage digital certificates.

28
MCQhard

A large financial institution is migrating its core banking system to a private cloud. The architecture must protect against data leakage between different business units sharing the same physical infrastructure. The system uses a hypervisor and virtual machines. Each business unit has its own security classification. The security requirement is that no VM belonging to a lower classification should be able to read data from a higher classification VM, even if the hypervisor is compromised. The architect proposes using mandatory access control at the hypervisor level. However, the IT team notes that a hypervisor compromise could bypass MAC. Additionally, they need to ensure that data at rest is encrypted and keys are stored securely. Which of the following would BEST meet the requirement?

A.Implement network segmentation with VLANs and IPsec encryption between VMs.
B.Deploy a data loss prevention (DLP) system to monitor data transfers between VMs.
C.Use a public key infrastructure (PKI) to issue certificates for each VM and enforce mutual TLS for all inter-VM communication.
D.Use a hardware security module (HSM) to manage keys and implement full memory encryption using AES-256 with integrity protection, and use a trusted execution environment (TEE) for each VM, ensuring that even the hypervisor cannot access VM memory.
AnswerD

TEE provides hardware-enforced isolation; HSM secures keys. Memory encryption protects data at rest and in use.

Why this answer

Option D is correct because it addresses the core requirement: preventing data leakage even if the hypervisor is compromised. By using a hardware security module (HSM) for key management, full memory encryption with AES-256 and integrity protection, and a trusted execution environment (TEE) for each VM, the solution ensures that VM memory is encrypted and isolated at the hardware level. The hypervisor, even if compromised, cannot access the decrypted memory of a VM, thus enforcing the security classification separation regardless of hypervisor integrity.

Exam trap

The trap here is that candidates often focus on network-level controls (like encryption or segmentation) and overlook the requirement that protection must hold even when the hypervisor is compromised, which demands hardware-enforced memory isolation rather than software-only solutions.

How to eliminate wrong answers

Option A is wrong because network segmentation with VLANs and IPsec only protects data in transit between VMs, not data at rest in memory, and a compromised hypervisor could still read VM memory directly, bypassing network controls. Option B is wrong because a data loss prevention (DLP) system is a detective control that monitors data transfers but does not prevent a compromised hypervisor from reading VM memory; it cannot enforce access control at the hardware or memory level. Option C is wrong because mutual TLS with PKI certificates only secures inter-VM communication over the network, but does not protect VM memory from a compromised hypervisor that can read memory directly, bypassing network encryption.

29
MCQhard

A security engineer is reviewing the architecture of a system that uses the Bell-LaPadula model. The system has subjects with security clearances and objects with classifications. To prevent covert timing channels, which additional control should be implemented?

A.Enforce strict data labeling
B.Implement audit logging
C.Disable concurrent access to shared resources
D.Use encryption for data at rest
AnswerC

Correct. Limiting concurrency reduces timing channel opportunities.

Why this answer

Covert timing channels exploit the ability of a subject to modulate the timing of its access to a shared resource, thereby leaking information to another subject at a different security level. The Bell-LaPadula model enforces mandatory access control (MAC) but does not inherently prevent these channels. Disabling concurrent access to shared resources (option C) eliminates the ability to use timing variations as a signaling mechanism, directly addressing the covert channel at the resource scheduling level.

Exam trap

The trap here is that candidates confuse covert timing channels with covert storage channels (which involve writing data to a shared attribute) and incorrectly choose audit logging or encryption as a catch-all solution, rather than recognizing that timing channels require controlling the concurrency of resource access.

How to eliminate wrong answers

Option A is wrong because strict data labeling is a fundamental requirement of the Bell-LaPadula model itself (it enforces the *-property and simple security property) and does not address the temporal modulation of resource access that defines a timing channel. Option B is wrong because audit logging records events after they occur and cannot prevent the real-time signaling that a covert timing channel exploits; it is a detective, not a preventive, control. Option D is wrong because encryption for data at rest protects the confidentiality of stored data but has no effect on the timing of access to shared resources, which is the mechanism of a covert timing channel.

30
MCQeasy

A small business wants to implement a secure wireless network for its office. They have a limited budget and want to ensure that data in transit is encrypted and that only authorized devices can connect. The office has 20 employees and a few guests. The business owner has heard about WPA2 and WPA3. They are concerned about security but also about compatibility with older devices. Which of the following is the BEST recommendation for a security architect?

A.Deploy WPA3-Enterprise with a RADIUS server and use TLS 1.3 for authentication, and for devices that do not support WPA3, use a separate SSID with WPA2-Enterprise and strong passphrase.
B.Use WPA2-PSK with a long complex passphrase and change it monthly.
C.Use open network with MAC filtering to control access.
D.Deploy WPA3-Personal with SAE and disable all older protocols.
AnswerA

Provides strong security and backward compatibility; enterprise mode with RADIUS allows per-user authentication.

Why this answer

Option A is the best recommendation because it balances security, compatibility, and budget. WPA3-Enterprise with a RADIUS server and TLS 1.3 provides strong, per-user authentication and encryption for modern devices, while a separate SSID with WPA2-Enterprise (not PSK) allows older devices to connect securely without compromising the network's overall security posture. This dual-SSID approach ensures that all traffic is encrypted and only authorized devices can connect, addressing the business's core requirements.

Exam trap

The trap here is that candidates often assume WPA2-PSK with a strong passphrase is sufficient for a small business, overlooking the fact that PSK lacks per-user authentication and is vulnerable to offline brute-force attacks, making WPA2-Enterprise or WPA3-Enterprise the correct choice for environments requiring both security and compatibility.

How to eliminate wrong answers

Option B is wrong because WPA2-PSK uses a pre-shared key that is shared among all devices, making it vulnerable to offline dictionary attacks and key compromise; changing the passphrase monthly does not mitigate the fundamental weakness of shared key authentication and adds administrative burden. Option C is wrong because an open network with MAC filtering provides no encryption for data in transit, and MAC addresses can be easily spoofed, offering no real access control. Option D is wrong because disabling all older protocols would prevent older devices that do not support WPA3 from connecting, which contradicts the business's need for compatibility with legacy hardware.

31
MCQeasy

A security architect is selecting an access control model for a system that must prevent users from reading objects at a higher classification level. Which model enforces this property?

A.Bell-LaPadula
B.Clark-Wilson
C.Biba
D.Brewer-Nash
AnswerA

Bell-LaPadula enforces simple security property (no read-up).

Why this answer

The Bell-LaPadula model enforces mandatory access control (MAC) with the *-property (no write-down) and the simple security property (no read-up). The question specifically asks to prevent reading objects at a higher classification level, which is exactly the 'no read-up' rule of Bell-LaPadula. This model is designed for confidentiality-focused systems, such as military or government classified environments.

Exam trap

The trap here is that candidates often confuse the Biba model (integrity, no read-down) with Bell-LaPadula (confidentiality, no read-up), so they incorrectly select Biba when the question explicitly asks about preventing reading at a higher classification level.

How to eliminate wrong answers

Option B (Clark-Wilson) is wrong because it focuses on integrity and enforces separation of duties and well-formed transactions, not on preventing read-up based on classification levels. Option C (Biba) is wrong because it is an integrity model that prevents subjects from writing to higher integrity levels (no write-up) and reading from lower integrity levels (no read-down), which is the opposite of the confidentiality requirement in the question. Option D (Brewer-Nash) is wrong because it is designed to prevent conflicts of interest (Chinese Wall model) by dynamically controlling access based on previously accessed datasets, not by enforcing static classification levels.

32
MCQmedium

A security architect is designing a cryptographic system for a high-security environment where data must be encrypted both at rest and in transit, with granular access control. The system must be efficient for large volumes of data. Which approach is most appropriate?

A.Use symmetric encryption (e.g., AES-256) for all data and share keys out-of-band.
B.Use only asymmetric encryption (e.g., RSA) for all data.
C.Use asymmetric encryption for key exchange and symmetric encryption for data (hybrid cryptosystem).
D.Use hash functions (e.g., SHA-256) to ensure confidentiality.
AnswerC

Hybrid encryption combines efficiency of symmetric with secure key exchange of asymmetric.

Why this answer

Option C is correct because a hybrid cryptosystem combines the efficiency of symmetric encryption (e.g., AES-256) for bulk data encryption with the secure key distribution of asymmetric encryption (e.g., RSA or ECDH). This approach ensures strong confidentiality for large volumes of data at rest and in transit, while enabling granular access control through per-user or per-session key management.

Exam trap

The trap here is that candidates may choose symmetric encryption alone (Option A) because it is fast, overlooking the critical need for secure key distribution and granular access control that only a hybrid system provides.

How to eliminate wrong answers

Option A is wrong because sharing symmetric keys out-of-band is impractical and insecure for large-scale, high-security environments; it lacks scalability and does not support granular access control without a secure key distribution mechanism. Option B is wrong because asymmetric encryption alone is computationally expensive and impractically slow for encrypting large volumes of data, making it unsuitable for bulk encryption. Option D is wrong because hash functions (e.g., SHA-256) are one-way and provide data integrity, not confidentiality; they cannot encrypt data or protect it from disclosure.

33
MCQhard

A financial services company has a hybrid cloud environment with on-premises servers and a public cloud provider. The security team recently discovered that an attacker exfiltrated sensitive customer data from a cloud storage bucket. The investigation reveals that the bucket was configured with a bucket policy that allowed anonymous read access. The security architect must redesign the architecture to prevent such incidents. The company uses AWS for cloud services. The architect proposes the following: (1) Enable AWS CloudTrail and Amazon GuardDuty for monitoring. (2) Implement AWS Identity and Access Management (IAM) roles for applications instead of long-term access keys. (3) Use AWS Key Management Service (KMS) to encrypt data at rest. (4) Configure a VPC with a NAT gateway and private subnets for all compute resources. (5) Implement S3 bucket policies that deny all access unless explicitly allowed by a specific IAM role. During a review, the chief information security officer (CISO) points out that one of these measures does not directly address the root cause of the incident. Which measure is least effective in preventing unauthorized access to S3 buckets?

A.Use AWS KMS to encrypt data at rest
B.Configure a VPC with private subnets and a NAT gateway
C.Enable AWS CloudTrail and Amazon GuardDuty for monitoring
D.Implement IAM roles for applications instead of long-term access keys
AnswerC

Monitoring detects but does not prevent misconfigurations.

Why this answer

Option C (enabling AWS CloudTrail and Amazon GuardDuty) is a detective control, not a preventive one. The root cause of the incident was a misconfigured bucket policy that allowed anonymous read access. Monitoring tools can detect unauthorized access after it occurs but cannot prevent it.

The other options directly address the root cause by enforcing least privilege, encrypting data, or restricting network access.

Exam trap

The trap here is confusing detective controls (monitoring) with preventive controls (access policies, encryption, network segmentation), leading candidates to think that enabling logging and threat detection directly prevents the root cause of a misconfigured bucket policy.

How to eliminate wrong answers

Option A is wrong because encrypting data at rest with AWS KMS does not prevent unauthorized access; it only protects data confidentiality if access is gained, but the root cause is a permissive bucket policy that allows anonymous read access. Option B is wrong because configuring a VPC with private subnets and a NAT gateway does not affect S3 bucket policies; S3 is a global service and bucket policies are evaluated independently of network architecture. Option D is wrong because implementing IAM roles instead of long-term access keys addresses credential management but does not prevent anonymous access granted by a bucket policy; the incident occurred because the bucket policy allowed anonymous read, not because of compromised keys.

34
MCQmedium

A government agency requires a new secure document management system that enforces mandatory access control with the properties that users cannot read documents at a higher classification and cannot write documents to a lower classification (to prevent data leaking). The system must also support different categories (compartments) within the same classification level, and a user with access to one compartment should not be able to access another compartment unless explicitly allowed. The architect is considering the Bell-LaPadula model. However, the Bell-LaPadula model's *-property (no write-down) addresses the write issue, but there is also a need to handle compartment isolation. Which additional model or mechanism should be incorporated to ensure compartment isolation?

A.Apply the Brewer-Nash (Chinese Wall) model which enforces conflict of interest by preventing access to multiple compartments that conflict.
B.Implement Biba's integrity model which prevents write-up, thus complementing Bell-LaPadula.
C.Use a lattice-based access control (LBAC) that extends Bell-LaPadula by defining a security lattice that includes compartments and categories, ensuring that a subject's clearance must dominate the object's classification, including compartments.
D.Use role-based access control (RBAC) to define compartments.
AnswerC

LBAC naturally handles multiple compartments within a classification level.

Why this answer

Option C is correct because lattice-based access control (LBAC) extends the Bell-LaPadula model by defining a security lattice that includes both hierarchical classifications (e.g., Top Secret, Secret) and non-hierarchical categories (compartments). In this lattice, a subject's clearance must dominate an object's classification across both dimensions, ensuring that a user with access to one compartment cannot access another unless their clearance includes that specific category. This directly enforces the required compartment isolation while maintaining the *-property (no write-down) for data leakage prevention.

Exam trap

The trap here is that candidates may confuse the Brewer-Nash model's dynamic separation of duties with the static, lattice-based compartment isolation required by MAC, or incorrectly assume that Biba's integrity model can somehow enforce confidentiality-based compartment boundaries.

How to eliminate wrong answers

Option A is wrong because the Brewer-Nash (Chinese Wall) model is designed to prevent conflict of interest in commercial environments by dynamically restricting access to competing datasets, not to enforce static compartment isolation within a single classification level as required by the government agency. Option B is wrong because Biba's integrity model focuses on preventing unauthorized modification (no write-up, no read-down) to protect data integrity, which does not address compartment isolation or complement Bell-LaPadula's confidentiality goals in this context. Option D is wrong because role-based access control (RBAC) assigns permissions based on job functions, not on a formal lattice of classifications and categories, and it lacks the mandatory, system-enforced dominance checks needed for compartment isolation in a mandatory access control (MAC) system.

35
MCQmedium

An organization is implementing a bring-your-own-device (BYOD) policy. The security architect must ensure that corporate data on the device is protected from unauthorized access if the device is lost or stolen, while minimizing impact on user privacy. Which solution is most appropriate?

A.Use mobile device management (MDM) to create a secure container for corporate apps and data
B.Require employees to use company-issued devices only
C.Disable camera and microphone on the device
D.Full device encryption with remote wipe capability
AnswerA

Containerization isolates corporate data and allows selective wipe.

Why this answer

A secure container (often implemented via MDM with app wrapping or per-app VPN) creates an encrypted, isolated partition on the device for corporate apps and data. This ensures that if the device is lost or stolen, the corporate data remains encrypted and inaccessible without the container's authentication, while personal apps and data outside the container remain untouched, thus minimizing privacy impact.

Exam trap

The trap here is that candidates often choose full device encryption with remote wipe (Option D) because it sounds strong, but they overlook the privacy impact of wiping personal data, which the question explicitly states must be minimized.

How to eliminate wrong answers

Option B is wrong because requiring company-issued devices only eliminates BYOD entirely, failing to meet the policy's goal of allowing personal devices while protecting corporate data. Option C is wrong because disabling camera and microphone does not protect corporate data from unauthorized access on a lost or stolen device; it addresses data exfiltration via sensors, not storage security. Option D is wrong because full device encryption with remote wipe protects all data but wipes personal data too, violating the requirement to minimize impact on user privacy; it also lacks granularity for selective corporate data protection.

36
Multi-Selectmedium

A company is implementing a digital signature system to ensure non-repudiation. The security architect must select a hash function that meets the required security properties. Which THREE of the following are necessary properties for the hash function?

Select 3 answers
A.Preimage resistance
B.Reversibility
C.Collision resistance
D.Second preimage resistance
E.Determinism
AnswersA, C, D

Correct: Preimage resistance ensures that given a hash, it is computationally infeasible to find any input that produces that hash.

Why this answer

A hash function must be preimage resistant (unable to invert), second preimage resistant (cannot find another input with the same hash), and collision resistant (cannot find two inputs with the same hash). Reversibility is not a property of hash functions—they are one-way. Determinism is inherent to all hash functions but is not a security property.

37
MCQmedium

A company is implementing a secure software development lifecycle (SSDLC). Which of the following is a key activity during the design phase?

A.Static code analysis
B.Code signing
C.Threat modeling
D.Penetration testing
AnswerC

Correct. Threat modeling identifies threats and vulnerabilities early in the design phase.

Why this answer

Threat modeling is a key activity during the design phase of the SSDLC because it proactively identifies potential security threats, vulnerabilities, and attack vectors before any code is written. By analyzing the system's architecture, data flows, and trust boundaries (e.g., using STRIDE or PASTA methodologies), teams can design security controls directly into the system, reducing the cost and impact of fixes later. This aligns with the NIST SP 800-64 and Microsoft SDL frameworks, which mandate threat modeling as a core design-phase activity.

Exam trap

The trap here is that candidates confuse 'design phase' with 'implementation phase' activities, mistakenly selecting static code analysis (A) because it is a common security review, but it requires code to exist, whereas threat modeling is the only design-phase option that addresses architecture before code is written.

How to eliminate wrong answers

Option A is wrong because static code analysis is a source code review technique performed during the implementation phase, not the design phase, as it requires code to be written to scan for syntax errors and security flaws. Option B is wrong because code signing is a deployment-phase activity that uses digital signatures (e.g., Authenticode) to verify the integrity and origin of compiled binaries, not a design-phase task. Option D is wrong because penetration testing is a validation activity performed during the testing or operations phase, where live systems are attacked to find vulnerabilities, not during design.

38
MCQmedium

Which of the following describes the concept of 'least privilege' in the context of access control?

A.Users are granted only the permissions necessary to perform their job functions
B.Access is granted on a need-to-know basis but with maximum permissions
C.Access is based on roles and seniority
D.Users have access to all resources unless explicitly denied
AnswerA

Correct. Least privilege limits access to the minimum required.

Why this answer

Least privilege is a fundamental access control principle that mandates users be granted only the permissions necessary to perform their specific job functions. This minimizes the attack surface by reducing unnecessary access to sensitive resources, limiting potential damage from accidental or malicious actions. In practice, this is enforced through mechanisms like discretionary access control (DAC) or role-based access control (RBAC) with granular permission sets, ensuring no user has more rights than required.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'need-to-know' (which focuses on data confidentiality rather than permission granularity) or assume that role-based access inherently enforces least privilege, ignoring that roles can be overly broad.

How to eliminate wrong answers

Option B is wrong because it contradicts least privilege by granting 'maximum permissions' on a need-to-know basis, which would over-provision access and increase risk. Option C is wrong because it conflates least privilege with role-based access control (RBAC) and seniority, which may assign excessive permissions based on role hierarchy rather than actual job necessity. Option D is wrong because it describes a default-allow or 'open' access model, which is the opposite of least privilege; least privilege requires explicit permission grants, not implicit access to all resources.

39
MCQeasy

A company deploys a web application that uses TLS to protect data in transit. The security team discovers that the server supports TLS 1.0 and uses a 1024-bit RSA certificate. What is the most significant security concern?

A.The certificate uses RSA 1024-bit key
B.The server supports TLS 1.0
C.The server does not support HTTP/2
D.The server enables TLS session tickets
AnswerB

TLS 1.0 is deprecated and has known vulnerabilities.

Why this answer

TLS 1.0 is a deprecated protocol with known vulnerabilities, including susceptibility to BEAST and POODLE attacks, which can allow an attacker to decrypt intercepted traffic. While a 1024-bit RSA key is weak, the most immediate and significant risk is the use of an outdated protocol that is actively exploited in the field. Disabling TLS 1.0 and enforcing TLS 1.2 or higher is the critical first step to secure data in transit.

Exam trap

The trap here is that candidates often focus on the weak key length (1024-bit RSA) as the most significant issue, but CISSP emphasizes that using a deprecated protocol (TLS 1.0) with known active exploits is a more urgent and severe security concern than a key that may take significant resources to break.

How to eliminate wrong answers

Option A is wrong because while a 1024-bit RSA key is considered weak and can be factored with sufficient resources, the immediate and most significant security concern is the use of TLS 1.0, which has known, practical attacks that can be executed today. Option C is wrong because HTTP/2 is a performance enhancement, not a security requirement; its absence does not introduce a direct vulnerability to data in transit. Option D is wrong because TLS session tickets, while having some security considerations (e.g., forward secrecy if not implemented correctly), are not as critical as the use of a deprecated protocol like TLS 1.0, which is actively targeted by attackers.

40
Multi-Selecthard

Which THREE of the following are valid countermeasures against buffer overflow attacks?

Select 3 answers
A.Stack canaries
B.Full disk encryption
C.Address space layout randomization (ASLR)
D.Non-executable stack and heap (NX bit)
E.Input validation using allowlists
AnswersA, C, D

Detects buffer overflows on the stack.

Why this answer

Stack canaries are correct because they place a known value (canary) between the buffer and control data on the stack. Before a function returns, the canary is checked; if it has been overwritten (indicating a buffer overflow), the program terminates, preventing code execution. This directly detects stack-based buffer overflows before they can hijack the return address.

Exam trap

The trap here is that candidates often confuse general security controls (like input validation or encryption) with specific memory protection mechanisms, leading them to select options that are good practices but not direct countermeasures against buffer overflow attacks.

41
MCQeasy

In the context of physical security, which of the following is an example of a preventive control?

A.Security guards monitoring
B.CCTV cameras
C.Intrusion detection system
D.Mantrap door
AnswerD

Correct. A mantrap prevents tailgating and unauthorized access.

Why this answer

A mantrap door is a preventive physical security control because it actively prevents unauthorized entry by requiring authentication and verification before allowing passage through a series of interlocking doors. Unlike monitoring or detection systems, a mantrap physically blocks access until the user is validated, thereby stopping a breach before it occurs.

Exam trap

The trap here is confusing preventive controls (which stop an incident) with detective controls (which identify an incident after it occurs), leading candidates to incorrectly select CCTV or IDS as preventive measures.

How to eliminate wrong answers

Option A is wrong because security guards monitoring is a detective and deterrent control, not preventive; they observe and report incidents but do not physically block access. Option B is wrong because CCTV cameras are a detective control that records events for after-the-fact review, they do not prevent an intrusion from happening. Option C is wrong because an intrusion detection system (IDS) is a detective control that alerts on suspicious activity but does not actively block or prevent the intrusion.

42
MCQmedium

A large organization needs to deploy a Public Key Infrastructure (PKI) for thousands of devices and users. A key requirement is the ability to revoke certificates in real time when a device is lost or compromised. Which solution is most appropriate?

A.Deploy multiple hierarchical CAs and distribute CRLs periodically.
B.Rely on certificate expiration only and do not implement revocation.
C.Use a single Certificate Authority (CA) with a large Certificate Revocation List (CRL).
D.Implement Online Certificate Status Protocol (OCSP) responders.
AnswerD

OCSP allows real-time verification of certificate status.

Why this answer

OCSP provides real-time certificate status checking by querying an OCSP responder directly, eliminating the delays inherent in CRL distribution. This meets the requirement for immediate revocation verification when a device is lost or compromised, as the responder can return a 'revoked' status instantly without waiting for a CRL refresh cycle.

Exam trap

The trap here is that candidates confuse periodic CRL distribution (which is batch-oriented and slow) with real-time revocation, or assume a single CA with a large CRL is sufficient, overlooking the scalability and latency issues that make OCSP the correct choice for immediate status checks.

How to eliminate wrong answers

Option A is wrong because distributing CRLs periodically introduces latency (hours or days) between revocation and propagation, failing the real-time requirement. Option B is wrong because relying solely on certificate expiration ignores the need for immediate revocation, leaving compromised certificates valid until their natural expiry. Option C is wrong because a single CA with a large CRL creates a single point of failure and scalability issues, and CRLs are still distributed periodically, not in real time.

43
MCQhard

Refer to the exhibit. Which security model does this policy enforce?

A.Biba
B.Brewer-Nash
C.Bell-LaPadula
D.Clark-Wilson
AnswerC

Correct. BLP enforces no read up and no write down.

Why this answer

The Bell-LaPadula model enforces a mandatory access control policy based on the 'no read up, no write down' principle, which directly corresponds to the exhibit's rule that a subject at a given security level cannot read objects at a higher level (Simple Security Property) and cannot write to objects at a lower level (Star Property). This is the only model among the options that specifically addresses confidentiality through hierarchical classification levels and the prevention of information flow from higher to lower security levels.

Exam trap

ISC2 often tests the confusion between Bell-LaPadula (confidentiality, no read up/no write down) and Biba (integrity, no read down/no write up), so candidates mistakenly pick Biba when they see a policy about preventing information flow from high to low, not realizing the direction of the rules is reversed.

How to eliminate wrong answers

Option A is wrong because the Biba model enforces integrity, not confidentiality, using 'no read down, no write up' rules, which is the opposite of the exhibit's policy. Option B is wrong because the Brewer-Nash (Chinese Wall) model prevents conflicts of interest by dynamically controlling access based on previously accessed datasets, not by static hierarchical classification levels. Option D is wrong because the Clark-Wilson model focuses on integrity through well-formed transactions and separation of duties, not on confidentiality-based read/write restrictions across security levels.

44
MCQmedium

Refer to the exhibit. An auditor identifies a non-compliance issue regarding the cryptographic key lifecycle. Which policy requirement has been violated?

A.Encrypted backup requirement
B.HSM storage requirement
C.Key destruction upon compromise
D.Key rotation interval
AnswerA

The policy requires encrypted backup, but the key was stored in plaintext.

Why this answer

The policy states that backup must be encrypted. The key was exported to a plaintext file on an unencrypted backup server, violating the confidentiality requirement. The key was also restored and continued in use, which may be acceptable if it was not compromised, but the backup method is non-compliant.

45
MCQeasy

A small business wants to implement multifactor authentication (MFA) for remote access to its internal network. The solution must be cost-effective and easy to deploy. Which combination is most appropriate?

A.Fingerprint scanner and password
B.Password and one-time passcode sent via SMS
C.Smart card and PIN
D.Password and security questions
AnswerB

SMS OTP is inexpensive and easy to deploy.

Why this answer

Option B is correct because it combines a password (something you know) with a one-time passcode sent via SMS (something you have), satisfying the definition of multifactor authentication. SMS-based OTP is cost-effective and easy to deploy for a small business, as it requires no additional hardware or complex infrastructure, leveraging existing mobile networks.

Exam trap

The trap here is that candidates may incorrectly assume that any two different authentication methods automatically constitute MFA, forgetting that MFA requires factors from at least two distinct categories (knowledge, possession, inherence), and that cost-effectiveness and ease of deployment are key constraints in this scenario.

How to eliminate wrong answers

Option A is wrong because a fingerprint scanner (something you are) and a password (something you know) are two different factors, but fingerprint scanners are typically more expensive and complex to deploy, making them less cost-effective for a small business. Option C is wrong because a smart card (something you have) and a PIN (something you know) are two factors, but smart cards require card readers and provisioning infrastructure, increasing cost and deployment complexity. Option D is wrong because a password and security questions are both 'something you know' factors, which does not constitute multifactor authentication; security questions are a single factor and are often weak due to publicly discoverable answers.

46
MCQeasy

Which of the following is a primary benefit of using an application programming interface (API) gateway in a microservices architecture from a security perspective?

A.It eliminates the need for encryption
B.It replaces the need for a web application firewall
C.It allows direct database access to services
D.It provides a centralized point for authentication and rate limiting
AnswerD

Correct. API gateways enforce security policies centrally.

Why this answer

An API gateway acts as a single entry point for all client requests in a microservices architecture. It centralizes cross-cutting security concerns such as authentication (e.g., validating OAuth 2.0 tokens or JWT) and rate limiting (e.g., enforcing requests per second per client), offloading these tasks from individual microservices. This reduces attack surface and ensures consistent enforcement of security policies across the entire system.

Exam trap

The trap here is that candidates may assume an API gateway provides comprehensive security (like a WAF) or replaces encryption, when in fact it is a centralized policy enforcement point for authentication and traffic management, not a substitute for dedicated security controls like encryption or a WAF.

How to eliminate wrong answers

Option A is wrong because an API gateway does not eliminate the need for encryption; in fact, it typically terminates TLS (e.g., HTTPS) and may require encryption between the gateway and backend services (e.g., mTLS). Option B is wrong because an API gateway does not replace a web application firewall (WAF); a WAF provides deep packet inspection for application-layer attacks (e.g., SQL injection, XSS) at Layer 7, which an API gateway is not designed to perform. Option C is wrong because an API gateway does not allow direct database access to services; it routes requests to microservices, which themselves should access databases through controlled interfaces, not directly expose databases to clients.

47
MCQhard

Refer to the exhibit. A security administrator is reviewing CloudTrail logs for unusual activity. Which aspect of this event is potentially concerning from a key management perspective?

A.The event is read-only and thus not a security concern.
B.The message type is DIGEST, which is unusual for signing.
C.The user agent indicates the request came from AWS Signer using a customer-managed key, which may violate key usage policies.
D.The signing algorithm used is outdated.
AnswerC

AWS Signer typically uses AWS managed keys; using a CMK could be unauthorized.

Why this answer

The event shows a KMS Sign operation using a CMK. The user agent is 'signer.amazonaws.com', which is the AWS Signer service. AWS Signer typically uses its own managed keys.

The use of a customer-managed key (CMK) by Signer could indicate that the key is being used outside of its intended purpose or policy, potentially violating key usage restrictions. Also, the source IP is from outside AWS (public IP) which might be unusual if the key is restricted to VPC endpoints.

48
MCQeasy

A financial services company is migrating its customer relationship management (CRM) system to a public cloud provider. The CRM contains personally identifiable information (PII) and financial transaction records. The security architect must design a solution that ensures data confidentiality and integrity both at rest and in transit, while complying with PCI DSS requirements. The cloud provider offers a key management service (KMS) that can generate and store encryption keys, a hardware security module (HSM) in the cloud, and a certificate authority for TLS certificates. The architect needs to select the appropriate encryption methods and access controls. The company's security policy requires encryption keys to be rotated every 90 days and stored separately from the data. The cloud provider's KMS supports automatic key rotation, but the HSM requires manual intervention. The CRM application uses a database that supports transparent data encryption (TDE) with keys stored in the KMS, and the application also requires TLS for all network connections. Which course of action best meets all requirements?

A.Use the cloud provider's KMS to generate and store the database encryption key, disable automatic rotation, and manually rotate it every 90 days. Use a self-signed certificate for TLS to save costs.
B.Use the cloud provider's KMS to generate and store the database encryption key with automatic rotation, and use a certificate from a third-party CA for TLS. Store the KMS key in a separate account and region from the database.
C.Use the cloud HSM to generate and store the database encryption key, manually rotate it every 90 days, and use a certificate from the cloud provider's CA for TLS. Store the HSM key in a different region from the database.
D.Use the cloud provider's KMS to generate and store the database encryption key, enable automatic key rotation, and use a separate KMS-managed key for TLS certificates. Store all keys in the same KMS region as the database.
AnswerB

Automatic rotation meets the 90-day policy, separate account and region ensure key separation, and third-party CA provides proper trust for TLS.

Why this answer

Option D is correct because it uses the KMS with automatic key rotation (meeting the 90-day rotation requirement), stores the key in a separate account and region from the data (satisfying the separation requirement), and uses a third-party CA for TLS (providing strong trust and compliance). Option A stores the key in the same region, violating separation. Option B uses manual rotation, which is error-prone and may not meet the automation expectation.

Option C uses self-signed certificates, which do not provide the trust required for external connections and disables automatic rotation, adding manual overhead.

49
MCQhard

A company is designing secure boot for IoT devices to ensure only trusted firmware runs. The devices have limited resources. Which mechanism provides the highest assurance of boot integrity?

A.Use a software-based integrity check that runs after boot.
B.Set a BIOS password to prevent unauthorized changes.
C.Use a TPM to measure boot components and compare to stored hashes.
D.Implement full disk encryption (FDE).
AnswerC

TPM provides hardware-based integrity measurement and storage.

Why this answer

Option C is correct because a Trusted Platform Module (TPM) provides hardware-rooted trust by measuring each boot component (e.g., BIOS, bootloader, OS kernel) and storing the measurements in Platform Configuration Registers (PCRs). These measurements are compared against known-good hashes stored in the TPM, ensuring that any tampering with firmware is detected before execution. This offers the highest assurance for resource-constrained IoT devices as it relies on immutable hardware rather than software-based checks.

Exam trap

The trap here is that candidates often confuse integrity verification (ensuring code hasn't been tampered with) with confidentiality protections (like encryption) or access controls (like passwords), leading them to pick full disk encryption or BIOS passwords instead of the hardware-based attestation provided by a TPM.

How to eliminate wrong answers

Option A is wrong because a software-based integrity check that runs after boot cannot prevent malicious code from already executing; it is a post-boot verification that assumes the system is already compromised, violating the chain of trust. Option B is wrong because a BIOS password only controls access to BIOS settings, not the integrity of the firmware itself; it can be bypassed by resetting CMOS or using default passwords, and does not verify that the firmware has not been modified. Option D is wrong because full disk encryption (FDE) protects data at rest but does not verify the integrity of the boot process or firmware; an attacker could replace the bootloader with a malicious one that still decrypts the disk, leaving the system vulnerable.

50
MCQmedium

An organization is designing a disaster recovery site. The primary data center is located in a region prone to earthquakes. The recovery site must be far enough away to avoid the same seismic zone but close enough to minimize latency. Which site selection criteria is most important?

A.Access to diverse power grids
B.Geographical diversity to avoid the same seismic zone
C.High-speed network connectivity between sites
D.Availability of skilled personnel near the recovery site
AnswerB

Prevents a single earthquake from disabling both sites.

Why this answer

Geographical diversity (Option B) is the most important criterion because the primary data center is in an earthquake-prone region, and the recovery site must be located outside the same seismic zone to ensure that a single seismic event does not destroy both sites. This directly addresses the core requirement of disaster recovery: maintaining availability during a regional catastrophe. While latency and connectivity are important, they are secondary to ensuring the recovery site survives the same disaster.

Exam trap

The trap here is that candidates often prioritize network connectivity (Option C) or power diversity (Option A) because they are common in high-availability design, but the question explicitly states the primary risk is a regional earthquake, making geographic diversity the non-negotiable requirement.

How to eliminate wrong answers

Option A is wrong because access to diverse power grids, while beneficial for power redundancy, does not protect against the physical destruction caused by an earthquake; the site could still be in the same seismic zone and be destroyed. Option C is wrong because high-speed network connectivity between sites, though important for data replication and low latency, is irrelevant if both sites are rendered inoperable by the same earthquake. Option D is wrong because availability of skilled personnel near the recovery site is a staffing consideration, not a site selection criterion that mitigates the risk of a single seismic event destroying both locations.

51
MCQeasy

Refer to the exhibit. What is the effect of this ACL when applied inbound to an interface?

A.All traffic is denied
B.Only traffic from host 10.1.1.2 to port 80 is denied, all other traffic permitted
C.Traffic from host 10.1.1.2 to port 80 is denied, but others allowed
D.All traffic to port 80 is denied
AnswerC

Correct. The first line denies 10.1.1.2 to port 80; the second permits others to port 80.

Why this answer

Option C is correct because the ACL explicitly denies traffic from host 10.1.1.2 to any destination on TCP port 80, and then permits all other IP traffic. Since the ACL is applied inbound, it filters traffic before routing, and the implicit deny at the end only blocks traffic that does not match any permit statement. Thus, only the specific host-to-port-80 traffic is denied, and all other traffic is permitted.

Exam trap

The trap here is that candidates often forget the implicit deny at the end of an ACL and mistakenly think the deny entry blocks all traffic to port 80, or they misread the order and assume the permit ip any any does not override the deny for other sources.

How to eliminate wrong answers

Option A is wrong because the ACL contains a permit ip any any statement, which explicitly allows all traffic not matching the deny entry, so not all traffic is denied. Option B is wrong because it states 'only traffic from host 10.1.1.2 to port 80 is denied, all other traffic permitted,' which is actually the same as option C; however, the phrasing 'only' is misleading—the ACL denies traffic from host 10.1.1.2 to port 80, but it does not deny traffic from other hosts to port 80, so option B is technically incorrect because it implies exclusivity that is not present in the ACL logic. Option D is wrong because the ACL only denies traffic from host 10.1.1.2 to port 80, not all traffic to port 80 from any source.

52
MCQmedium

A security engineer is designing a cryptographic solution to ensure data integrity and non-repudiation. Which combination should be used?

A.HMAC with a shared key
B.Asymmetric encryption with digital signature
C.Digital signature with hashing
D.Symmetric encryption with HMAC
AnswerC

Correct. Digital signatures provide integrity and non-repudiation; hashing ensures integrity.

Why this answer

Digital signature with hashing is the correct combination because hashing ensures data integrity by producing a fixed-size digest, and the digital signature encrypts that hash with the sender's private key, providing non-repudiation by proving the sender's identity and preventing denial of message origin. This satisfies both requirements without relying on a shared secret.

Exam trap

The trap here is that candidates often confuse 'asymmetric encryption' with 'digital signature,' thinking encryption alone provides non-repudiation, but encryption only provides confidentiality, while a digital signature specifically uses the private key for signing (not encryption) to achieve non-repudiation.

How to eliminate wrong answers

Option A is wrong because HMAC with a shared key provides integrity and authentication via a symmetric key, but it does not offer non-repudiation since the shared key could be held by either party, allowing denial of origin. Option B is wrong because asymmetric encryption alone (e.g., RSA encryption) does not inherently provide integrity or non-repudiation; it must be combined with a digital signature, which uses the private key to sign, not encrypt. Option D is wrong because symmetric encryption with HMAC ensures confidentiality and integrity, but non-repudiation is absent because the symmetric key is shared, making it impossible to prove which party created the HMAC.

53
MCQeasy

Which security model focuses on preventing unauthorized access by enforcing a 'no read up, no write down' rule?

A.Clark-Wilson
B.Bell-LaPadula
C.Biba
D.Brewer-Nash
AnswerB

Correct. Bell-LaPadula is the confidentiality model with no read up and no write down.

Why this answer

The Bell-LaPadula model is a formal state machine model for enforcing access control in government and military systems. Its core rule, 'no read up' (simple security property) and 'no write down' (star property), prevents subjects from reading objects at a higher classification level and from writing to objects at a lower classification level, thereby preventing unauthorized disclosure of sensitive information.

Exam trap

The trap here is that candidates often confuse the Biba model's 'no read down, no write up' integrity rules with Bell-LaPadula's confidentiality rules, leading them to select Biba when the question specifically describes 'no read up, no write down'.

How to eliminate wrong answers

Option A is wrong because the Clark-Wilson model focuses on integrity through well-formed transactions and separation of duty, not on confidentiality or the 'no read up, no write down' rule. Option C is wrong because the Biba model enforces integrity with 'no read down, no write up' rules, which is the inverse of Bell-LaPadula's confidentiality rules. Option D is wrong because the Brewer-Nash (Chinese Wall) model prevents conflicts of interest by dynamically controlling access based on previously accessed datasets, not by enforcing a static 'no read up, no write down' policy.

54
MCQhard

A multinational corporation is developing a new cloud-based collaboration platform that handles sensitive intellectual property. The platform must ensure end-to-end encryption (E2EE) so that even the cloud provider cannot access the data. Users communicate via chat and file sharing. The architect proposes using a hybrid encryption scheme where each user has a public/private key pair, and for each message, a random symmetric key is used to encrypt the message, which is then encrypted with the recipient's public key. However, there is a requirement for the company to be able to lawfully intercept communications in case of a court order. This conflicts with E2EE. Which design can satisfy both confidentiality and lawful interception?

A.Implement key escrow where the company holds a copy of all users' private keys.
B.Implement a transparent encryption proxy on the user's device that logs all keys and sends them to the company.
C.Use client-side encryption where the encryption key is derived from user password and stored with a backup that can be recovered by the company using a master key.
D.Implement a split-key design where the encryption keys are generated and held by the users, but a separate escrow agent splits the key into two parts: one held by the user and one held by the company. Alternatively, use a 'drop box' approach where communications are recorded in an encrypted format and the company can decrypt only after a court order by using a secondary key that is released upon authorization.
AnswerD

This preserves E2EE for routine communications while allowing lawful interception through a separate mechanism.

Why this answer

Option D is correct because it uses a split-key or drop-box design that preserves end-to-end encryption for regular communications while enabling lawful interception under strict authorization. In this scheme, the user holds one part of the key and the company holds another, or communications are recorded encrypted and a secondary key is released only after a court order, ensuring that neither the cloud provider nor the company can decrypt data without proper legal process. This satisfies both the E2EE requirement and the lawful interception mandate without compromising the core security principle of least privilege.

Exam trap

The trap here is that candidates often assume key escrow (Option A) is the only way to achieve lawful interception, failing to recognize that escrow breaks E2EE and that split-key or drop-box designs can satisfy both requirements without compromising the confidentiality of all communications.

How to eliminate wrong answers

Option A is wrong because key escrow where the company holds a copy of all users' private keys completely breaks end-to-end encryption, as the company (and potentially the cloud provider) can decrypt any past or future communication at any time, violating the confidentiality requirement. Option B is wrong because a transparent encryption proxy on the user's device that logs all keys and sends them to the company effectively creates a backdoor that bypasses E2EE, allowing the company to access all communications without user consent or court order, and it introduces a single point of compromise. Option C is wrong because deriving encryption keys from user passwords and storing a backup recoverable by a master key means the company can decrypt all data without a court order, and password-derived keys are often weak and vulnerable to offline brute-force attacks, undermining both confidentiality and the lawful interception control.

55
MCQhard

A company is deploying a new application that processes personally identifiable information (PII) in a hybrid cloud environment. The security architect needs to ensure that encryption keys are never exposed to the cloud provider. Which solution should be recommended?

A.Envelope encryption with a key management service
B.Server-side encryption with cloud provider managed keys
C.Client-side encryption with keys stored on-premises
D.Server-side encryption with customer-provided keys
AnswerC

Correct. Keys are never sent to the cloud provider.

Why this answer

Client-side encryption ensures that encryption keys are generated and managed on-premises, never transmitted to the cloud provider. This directly meets the requirement that keys are never exposed to the cloud provider, as all cryptographic operations occur before data leaves the customer's controlled environment.

Exam trap

The trap here is confusing 'customer-provided keys' (SSE-C) with 'client-side encryption' — SSE-C still sends the key to the cloud provider for each operation, while client-side encryption keeps the key entirely on-premises.

How to eliminate wrong answers

Option A is wrong because envelope encryption with a key management service still involves the cloud provider's KMS handling the key encryption key (KEK), which could be exposed to the provider. Option B is wrong because server-side encryption with cloud provider managed keys gives the provider full control over the keys, violating the requirement. Option D is wrong because server-side encryption with customer-provided keys (SSE-C) still transmits the key to the cloud provider for each encryption/decryption operation, exposing it to the provider's infrastructure.

56
Multi-Selecthard

A company needs to protect data at rest in a cloud storage system. Which THREE encryption methods are appropriate for this purpose?

Select 3 answers
A.Stream cipher without authentication (e.g., RC4)
B.Client-side encryption with key management
C.MD5 hashing
D.AES-256 in GCM mode
E.Envelope encryption
AnswersB, D, E

Client-side encryption ensures data is encrypted before reaching the cloud, and keys are controlled by the client.

Why this answer

Client-side encryption with key management (B) ensures data is encrypted before it leaves the client device, so the cloud provider never has access to plaintext or the encryption keys. This is a fundamental control for protecting data at rest in untrusted environments, as it decouples key management from the storage provider.

Exam trap

The trap here is that candidates may confuse hashing (MD5) with encryption, or assume that any cipher (like RC4) is acceptable for data at rest, ignoring the critical need for authentication and integrity in storage systems.

57
MCQhard

During a security audit, it is discovered that the database server is also accepting connections from the web server. Which of the following is the most likely misconfiguration?

A.The application server is not properly authenticated
B.The network segmentation is not enforcing strict controls
C.The TLS configuration is incorrect
D.The firewall on the database server allows all traffic from the DMZ
AnswerB

Correct. The web server should not be able to connect to the database server directly.

Why this answer

The database server accepting connections from the web server indicates a lack of proper network segmentation. In a secure architecture, the web server should be in a DMZ and the database server in a private network segment, with strict access controls enforced by a firewall or router ACLs. The misconfiguration is that the network segmentation is not enforcing strict controls, allowing traffic that should be blocked.

Exam trap

The trap here is that candidates may focus on authentication or encryption (options A or C) as the primary issue, but the core problem is the lack of network segmentation, which is a fundamental security architecture control.

How to eliminate wrong answers

Option A is wrong because the application server not being properly authenticated is an identity and access management issue, not the direct cause of the database server accepting connections from the web server; the core problem is network-level access, not authentication. Option C is wrong because an incorrect TLS configuration would affect encryption of data in transit, not the fundamental ability of the web server to establish a TCP connection to the database server. Option D is wrong because while a permissive firewall rule could allow traffic, the question states the database server is 'accepting connections' from the web server, which implies the firewall is allowing it, but the most likely root misconfiguration is the lack of network segmentation (e.g., placing the database server in the same VLAN as the web server or not using a firewall to restrict traffic between zones), not just a single firewall rule.

58
MCQmedium

A security architect is designing a system that must enforce the principle of least privilege at the operating system level. Which mechanism should be implemented to grant processes only the minimal permissions required for their tasks?

A.Mandatory Access Control (MAC) using SELinux policies
B.Role-Based Access Control (RBAC) with fine-grained roles
C.Discretionary Access Control (DAC) with user permissions
D.Mandatory Integrity Control (Biba)
AnswerA

Correct. SELinux allows granular control over process permissions.

Why this answer

SELinux implements Mandatory Access Control (MAC) by enforcing a system-wide security policy that overrides user and process permissions. This allows the security architect to define precise rules (e.g., via Type Enforcement) that grant each process only the minimal set of resources it needs, effectively enforcing least privilege at the OS level regardless of user identity.

Exam trap

The trap here is that candidates often confuse RBAC with process-level least privilege, but RBAC is user-centric and does not constrain process permissions at the OS kernel level like MAC does.

How to eliminate wrong answers

Option B is wrong because Role-Based Access Control (RBAC) manages access based on user roles, not process-level permissions; it does not inherently restrict processes to minimal rights at the OS level. Option C is wrong because Discretionary Access Control (DAC) allows users to control permissions on their own objects, which can lead to privilege escalation and violates the principle of least privilege when users grant excessive rights. Option D is wrong because Mandatory Integrity Control (Biba) focuses on preventing data corruption by controlling information flow based on integrity levels, not on granting minimal permissions to processes.

59
MCQhard

A security architect is designing a secure enclave for processing highly sensitive data. The architecture must ensure that even if the operating system is compromised, the enclave's memory contents remain confidential and integrity-protected. Which technology should be used?

A.Full disk encryption (FDE) with a strong passphrase
B.Trusted Platform Module (TPM)
C.Hypervisor-based isolation
D.Intel Software Guard Extensions (SGX)
AnswerD

SGX creates hardware-enforced enclaves that isolate code and data even from the OS.

Why this answer

Intel Software Guard Extensions (SGX) is the correct choice because it provides hardware-enforced isolation of memory regions (enclaves) that remain confidential and integrity-protected even if the operating system or hypervisor is compromised. SGX encrypts enclave memory on-die and decrypts it only within the CPU, preventing any privileged software from reading or tampering with the data.

Exam trap

The trap here is that candidates confuse TPM's boot-time integrity measurement with runtime memory protection, or assume hypervisor isolation is sufficient against a compromised OS, not realizing SGX provides hardware-enforced enclave isolation that persists even when the OS is untrusted.

How to eliminate wrong answers

Option A is wrong because full disk encryption (FDE) protects data at rest on the storage device but does not protect memory contents; once the OS is booted and data is loaded into RAM, FDE offers no confidentiality or integrity protection against a compromised OS. Option B is wrong because the Trusted Platform Module (TPM) is a hardware security chip that provides secure storage for keys and attestation of boot integrity, but it does not isolate runtime memory or protect enclave contents from a compromised OS. Option C is wrong because hypervisor-based isolation relies on the hypervisor being trusted; if the OS is compromised, the hypervisor could also be attacked or bypassed, and it does not provide hardware-level memory encryption to protect against privileged software.

60
Multi-Selectmedium

An organization is implementing role-based access control (RBAC). Which two components are fundamental to the RBAC model? (Select TWO.)

Select 2 answers
A.Access control lists (ACLs)
B.Subjects, objects, and operations
C.Constraints such as separation of duties
D.Roles, permissions, and user assignments
E.Security labels and clearances
AnswersC, D

Correct. Constraints are integral to RBAC to enforce policies like SoD.

Why this answer

Constraints such as separation of duties are fundamental to RBAC because they enforce organizational policies by preventing conflicts of interest (e.g., a user cannot both create and approve a purchase order). This is a core component of the RBAC model as defined in the NIST RBAC standard (ANSI INCITS 359-2004), which includes core RBAC, hierarchical RBAC, and constrained RBAC. Constraints ensure that role assignments and permissions adhere to security rules beyond simple role-user mapping.

Exam trap

The trap here is that candidates often confuse the generic components of access control (subjects, objects, operations) with the specific fundamental components of the RBAC model, leading them to select Option B instead of recognizing that roles, permissions, user assignments, and constraints are the unique building blocks of RBAC.

61
MCQmedium

Which of the following is a primary advantage of using a hardware security module (HSM) over software-based key storage?

A.Easier key backup
B.Lower cost
C.Tamper-resistant physical security
D.Faster key generation
AnswerC

Correct. HSMs are designed to protect keys from physical tampering.

Why this answer

A hardware security module (HSM) provides tamper-resistant physical security by storing cryptographic keys in a dedicated, hardened appliance that resists physical tampering, probing, and extraction. Unlike software-based key storage, which relies on the operating system's file system or memory and is vulnerable to malware or direct memory access attacks, an HSM ensures that keys never leave the secure boundary in plaintext, even if the host system is compromised.

Exam trap

The trap here is that candidates confuse 'faster key generation' (a performance benefit) with the primary security advantage of HSMs, or they assume that software-based key backup is inherently more difficult, when in fact HSMs introduce additional complexity for backup to maintain security.

How to eliminate wrong answers

Option A is wrong because key backup from an HSM is typically more complex than software-based storage, often requiring secure key-wrapping or cloning procedures to maintain the same level of protection, whereas software keys can be easily copied as files. Option B is wrong because HSMs are significantly more expensive than software-based storage due to specialized hardware, certifications (e.g., FIPS 140-2 Level 3/4), and lifecycle management costs. Option D is wrong because while HSMs can accelerate key generation using dedicated hardware random number generators, software-based key generation can also be fast using CPU-based RDRAND or similar instructions, and speed is not the primary security advantage of an HSM.

62
MCQeasy

A health records system requires that doctors can write new records but cannot modify existing ones, and integrity is maintained through separation of duties. Which security model best fits this requirement?

A.Brewer-Nash
B.Biba
C.Clark-Wilson
D.Bell-LaPadula
AnswerC

Clark-Wilson enforces transformation procedures and separation of duties to maintain integrity.

Why this answer

The Clark-Wilson model enforces integrity through well-formed transactions and separation of duties, which directly matches the requirement that doctors can write new records but cannot modify existing ones. It uses constrained data items (CDIs), transformation procedures (TPs), and integrity verification procedures (IVPs) to ensure that only authorized users can perform specific operations, preventing unauthorized modifications.

Exam trap

The trap here is that candidates often confuse the Biba model with integrity enforcement, but Biba only prevents unauthorized data flow based on integrity levels, not the specific separation of duties and well-formed transaction constraints that Clark-Wilson provides for this scenario.

How to eliminate wrong answers

Option A is wrong because the Brewer-Nash model (also known as the Chinese Wall model) is designed to prevent conflicts of interest by controlling access to datasets based on previously accessed data, not for enforcing write-once or separation of duties for integrity. Option B is wrong because the Biba model focuses on preventing data flow from lower integrity levels to higher integrity levels (no write up, no read down), but it does not inherently enforce separation of duties or the specific constraint that new records can be written but existing ones cannot be modified. Option D is wrong because the Bell-LaPadula model enforces confidentiality through no read up and no write down, and it does not address integrity constraints like preventing modification of existing records or separation of duties.

63
MCQhard

Refer to the exhibit. A database administrator implements the configuration shown to protect sensitive data. What is the most significant security flaw?

A.The database encryption key should be protected by a certificate rather than a password.
B.AES-256 is not a strong enough algorithm.
C.The encryption is applied at the database level rather than column level.
D.The encryption key is protected by a password that may be stored in scripts.
AnswerA

Best practice for TDE is to use a certificate or asymmetric key to protect the DEK, ensuring proper key management.

Why this answer

The correct answer is C. In SQL Server TDE, the database encryption key (DEK) should be protected by a certificate or asymmetric key stored in the master database, not by a password. Using a password is insecure because it is often stored in scripts or configuration files.

Option A is also a concern but is a consequence of the password-based protection; the root cause is not using a certificate. Option B is incorrect because AES-256 is a strong algorithm. Option D is incorrect because TDE at the database level is appropriate for many scenarios and does not represent a flaw.

64
MCQhard

An organization is migrating to a microservices architecture and wants to secure inter-service communication. Which approach is most aligned with the principle of securing the pipeline?

A.Service mesh with sidecar proxies
B.API keys in environment variables
C.Mutual TLS (mTLS) between services
D.Firewall rules restricting IP addresses
AnswerA

Correct. Service mesh provides encryption, authentication, and policy enforcement for service-to-service communication.

Why this answer

A service mesh with sidecar proxies (e.g., Istio) provides mutual TLS, traffic management, and policy enforcement for inter-service communication, directly securing the pipeline.

Ready to test yourself?

Try a timed practice session using only Security Architecture and Engineering questions.