CCNA Security Assessment and Testing Questions

70 questions · Security Assessment and Testing · All types, answers revealed

1
Matchingmedium

Match each cryptographic algorithm to its type.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Symmetric block cipher

Asymmetric (public-key) cipher

Hash function

Keyed-hash message authentication code

Elliptic curve digital signature algorithm

Why these pairings

These algorithms are used for encryption, hashing, and authentication.

2
Multi-Selecteasy

Which TWO of the following are common techniques used in dynamic application security testing (DAST)?

Select 2 answers
A.Fuzzing
B.Static analysis
C.Spidering
D.String search
E.Code review
AnswersA, C

Fuzzing is a dynamic testing technique that inputs malformed data to trigger faults.

Why this answer

Fuzzing is a DAST technique that involves sending malformed or unexpected input to an application to trigger unhandled exceptions, crashes, or security vulnerabilities. It tests the runtime behavior of the application, making it a dynamic testing method.

Exam trap

ISC2 often tests the distinction between static and dynamic testing techniques, and candidates may mistakenly associate code review or string search with dynamic testing because they are security assessment activities, but they are not performed against a running application.

3
MCQmedium

During a web application security test, a tester attempts to inject JavaScript into a search field and observes that the script executes when the page is loaded. This indicates a vulnerability to:

A.SQL injection
B.Cross-site scripting (XSS)
C.Command injection
D.Cross-site request forgery (CSRF)
AnswerB

XSS allows injection of client-side scripts into web pages.

Why this answer

The observed behavior—JavaScript injected into a search field executing when the page loads—is the hallmark of stored (persistent) cross-site scripting (XSS). In this attack, the tester's input is stored on the server (e.g., in a database or log) and later served to other users without proper output encoding, causing the browser to interpret the injected script as part of the page's HTML DOM. This directly violates the same-origin policy and allows arbitrary script execution in the context of the victim's session.

Exam trap

ISC2 often tests the distinction between XSS and CSRF by presenting a scenario where script execution occurs, leading candidates to confuse the client-side injection (XSS) with a cross-site request forgery (CSRF) that relies on forged requests, not injected scripts.

How to eliminate wrong answers

Option A is wrong because SQL injection targets the database layer by manipulating SQL queries (e.g., via ' OR 1=1 --), not by executing JavaScript in the browser. Option C is wrong because command injection exploits the operating system shell by injecting system commands (e.g., ; ls -la) into server-side functions, not client-side script execution. Option D is wrong because cross-site request forgery (CSRF) forces an authenticated user to perform unintended actions (e.g., state-changing requests) via crafted links or forms, but it does not involve injecting and executing JavaScript in the page itself.

4
MCQmedium

A healthcare organization recently experienced a data breach. The incident response team traced the breach to a compromised third-party vendor that had remote access to the organization's network. The vendor's credentials were stolen via a phishing attack. The organization's security policy requires that all third-party remote access be monitored and logged. During the investigation, it was discovered that the vendor's session traffic was not logged because the logging system was misconfigured. The security team needs to prevent similar incidents in the future. Which of the following is the MOST effective remediation?

A.Require multi-factor authentication for all third-party access.
B.Conduct regular phishing simulations for third-party vendors.
C.Implement a privileged access management (PAM) solution with session recording.
D.Disable all third-party remote access until a new vendor vetting process is established.
AnswerC

PAM with session recording enforces least privilege and captures all activity for logs.

Why this answer

Option C is correct because a Privileged Access Management (PAM) solution with session recording directly addresses the root cause: the logging system was misconfigured and failed to capture third-party remote access traffic. PAM enforces centralized control, vaulting credentials, and recording all sessions (e.g., via RDP, SSH) in a tamper-proof audit trail, ensuring that even if credentials are stolen, every keystroke and screen activity is logged and monitored. This provides the forensic evidence needed to detect and investigate unauthorized actions, closing the gap left by the misconfigured logging system.

Exam trap

The trap here is that candidates confuse authentication controls (MFA) with monitoring/logging controls, overlooking that the specific failure was a logging misconfiguration, not a lack of authentication strength.

How to eliminate wrong answers

Option A is wrong because multi-factor authentication (MFA) prevents credential theft from being used for authentication, but it does not ensure session traffic is logged or monitored; the logging system misconfiguration would remain unaddressed. Option B is wrong because phishing simulations train vendors to recognize phishing attacks, but they do not enforce logging of remote access sessions or fix the misconfigured logging system; the breach vector (stolen credentials) could still succeed if MFA is absent. Option D is wrong because disabling all third-party remote access until a new vetting process is established is an extreme operational disruption that does not remediate the logging misconfiguration; it also fails to address the need for continuous monitoring and session recording for future access.

5
MCQeasy

Which of the following is the primary purpose of a security assessment?

A.To fix all vulnerabilities immediately
B.To ensure compliance with regulations
C.To punish non-compliant employees
D.To identify weaknesses and measure control effectiveness
AnswerD

This is the core objective of security assessments.

Why this answer

The primary purpose of a security assessment is to systematically identify vulnerabilities, threats, and weaknesses in an organization's information systems, and to evaluate the effectiveness of existing security controls. This aligns with the CISSP domain of Security Assessment and Testing, where the goal is to measure control performance against a baseline, not to immediately remediate or enforce compliance.

Exam trap

The trap here is that candidates often confuse the purpose of a security assessment with remediation or compliance, but the CISSP emphasizes that assessment is about measuring and identifying, not fixing or enforcing.

How to eliminate wrong answers

Option A is wrong because fixing all vulnerabilities immediately is the goal of remediation, not assessment; assessment identifies weaknesses but does not prescribe or execute fixes. Option B is wrong because ensuring compliance with regulations is a possible outcome or driver of an assessment, but not its primary purpose; the core function is to evaluate control effectiveness, not merely to check regulatory boxes. Option C is wrong because punishing non-compliant employees is a disciplinary action, which is outside the scope of a security assessment; assessments focus on systems and controls, not personnel punishment.

6
Multi-Selecthard

A security analyst is reviewing log data from various sources. Which of the following are essential for effective security logging in accordance with best practices? (Select THREE.)

Select 3 answers
A.Storage of logs in plaintext format only
B.Secure transmission of logs to a central repository
C.Time synchronization across all log sources
D.Log retention of at least one year
E.Inclusion of user identifiers in log entries
AnswersB, C, E

Ensuring logs are sent securely prevents tampering and interception.

Why this answer

Option B is correct because logs must be transmitted securely to a central repository to prevent tampering, interception, or unauthorized disclosure during transit. Best practices require the use of encrypted channels such as TLS (e.g., syslog over TLS per RFC 5425) or IPsec to ensure confidentiality and integrity of log data while in motion.

Exam trap

The trap here is that candidates may mistakenly believe that log retention must always be at least one year, but the CISSP emphasizes that retention periods are policy-driven and vary by compliance requirements, not a fixed universal standard.

7
MCQeasy

A security assessor is conducting a penetration test and needs to identify live hosts on a network without causing disruption. Which of the following techniques should the assessor use FIRST?

A.ARP scan to discover hosts on the local subnet.
B.Ping sweep using ICMP echo requests.
C.Vulnerability scan of all IP addresses in the target range.
D.Full TCP port scan on common ports.
AnswerB

Ping sweep is a standard, non-disruptive host discovery technique.

Why this answer

A ping sweep using ICMP echo requests (ICMP Type 8) is the most appropriate first step for identifying live hosts on a network because it is a standard, low-disruption method that quickly determines host availability. ICMP echo requests are typically allowed by default on many networks and do not initiate full protocol handshakes or service interactions, minimizing the risk of triggering alarms or causing instability. This aligns with the penetration testing methodology of starting with passive or low-impact reconnaissance before escalating to more intrusive techniques.

Exam trap

The trap here is that candidates often choose 'ARP scan' (Option A) thinking it is the least disruptive, but they forget that ARP is limited to the local broadcast domain and cannot discover hosts across routers, making it ineffective for a penetration test that typically spans multiple subnets.

How to eliminate wrong answers

Option A is wrong because an ARP scan is limited to the local subnet and cannot discover hosts across routed networks, making it unsuitable as a first step for a general penetration test that may involve multiple subnets. Option C is wrong because a vulnerability scan is an intrusive, high-impact activity that should only be performed after live hosts have been identified and authorized; running it on all IP addresses in the target range would waste resources and potentially disrupt non-existent or sensitive systems. Option D is wrong because a full TCP port scan on common ports is more intrusive than a ping sweep, as it involves completing TCP three-way handshakes (or sending SYN packets) to many ports, which can trigger intrusion detection systems and cause performance issues on target hosts.

8
MCQhard

A company is implementing a continuous monitoring program for its cloud infrastructure. Which of the following metrics would be MOST useful for detecting unauthorized changes to production systems?

A.Network throughput between application tiers.
B.Average CPU load across all systems.
C.Number of failed login attempts per hour.
D.Configuration drift from a known good baseline.
AnswerD

Configuration drift detection directly identifies unauthorized changes to system settings.

Why this answer

Configuration drift from a known good baseline is the most effective metric for detecting unauthorized changes because it directly compares the current state of production systems against a secure, approved baseline (e.g., using tools like AWS Config, Azure Policy, or Chef InSpec). Any deviation—such as altered file permissions, unexpected services, or modified registry keys—triggers an alert, enabling rapid detection of unauthorized modifications. This aligns with continuous monitoring principles in cloud security, focusing on integrity rather than performance or access patterns.

Exam trap

The trap here is that candidates often choose 'Number of failed login attempts per hour' (Option C) because they associate monitoring with authentication events, but the question specifically targets unauthorized changes to production systems, which require integrity-focused metrics like configuration drift, not access attempts.

How to eliminate wrong answers

Option A is wrong because network throughput between application tiers measures performance and capacity, not the integrity of system configurations; unauthorized changes may not affect throughput. Option B is wrong because average CPU load indicates resource utilization, not configuration changes; an attacker could modify systems without impacting CPU load. Option C is wrong because failed login attempts per hour detect brute-force or credential-based attacks, not unauthorized changes to production systems after authentication is bypassed or compromised.

9
MCQmedium

A vulnerability scan report shows that a web server has a critical vulnerability with a CVSS score of 9.8. However, the server is behind a WAF that blocks the attack vector, and the vulnerability is in a deprecated feature that cannot be removed until the next major release. What should the security manager do first?

A.Remove the server from production
B.Ignore the finding because the WAF blocks it
C.Document the compensating control and accept the residual risk
D.Immediately patch the vulnerability
AnswerC

Proper risk treatment includes acknowledging existing controls and formal acceptance.

Why this answer

Option C is correct because the WAF serves as a compensating control that effectively mitigates the attack vector for this vulnerability, and the residual risk has been formally documented and accepted by management. In the absence of an immediate patch or removal of the deprecated feature, documenting the compensating control and accepting the residual risk is the appropriate risk management decision per the organization's risk appetite and the NIST SP 800-30 risk assessment framework.

Exam trap

The trap here is that candidates mistakenly think a high CVSS score always demands immediate patching or removal, ignoring the role of compensating controls and formal risk acceptance in the risk management process.

How to eliminate wrong answers

Option A is wrong because removing the server from production would cause unnecessary service disruption when a compensating control (WAF) already blocks the attack vector, and the vulnerability is in a deprecated feature that cannot be removed until the next major release. Option B is wrong because ignoring the finding violates due care and security governance principles; the finding must be documented, risk-assessed, and formally accepted, not simply ignored. Option D is wrong because patching is not immediately possible as the vulnerability is in a deprecated feature that cannot be removed until the next major release, and attempting to patch a deprecated feature could introduce instability or break functionality.

10
MCQmedium

A multinational corporation with a hybrid cloud infrastructure has recently experienced a series of security incidents involving unauthorized access to sensitive customer data. The incidents were traced to compromised credentials of privileged users. The company has implemented multi-factor authentication (MFA) for all privileged accounts, but the attacks persisted. A security assessment team is brought in to evaluate the environment. During the assessment, they discover that some privileged accounts do not require MFA when accessing systems via API calls, and that session tokens for these APIs have a long expiration time of 24 hours. Additionally, the team finds that the logging and monitoring system does not capture API calls from privileged accounts, making it difficult to detect anomalous behavior. The company wants to remediate these issues effectively. Which of the following is the BEST course of action to address the root cause of the incidents?

A.Implement a SIEM system to analyze logs from all sources and create alerts for anomalous API activity.
B.Conduct a full audit of privileged account usage and revoke access for any accounts with suspicious activity.
C.Require MFA for all privileged access methods, including APIs, and reduce session token expiration to 15 minutes.
D.Replace API tokens with certificate-based authentication for all privileged accounts.
AnswerC

This addresses both the lack of MFA and the long token expiration, the root causes.

Why this answer

Option C is correct because the root cause is that privileged accounts can bypass MFA when accessing systems via API calls, and long-lived session tokens (24 hours) provide a wide window for attackers to reuse stolen tokens. Requiring MFA for all privileged access methods, including APIs, closes the authentication gap, and reducing session token expiration to 15 minutes minimizes the impact of token theft by limiting the reuse window. This directly addresses the two key vulnerabilities identified in the assessment.

Exam trap

The trap here is that candidates often choose a detective control (like SIEM) or a reactive measure (like auditing) instead of a preventive control that directly closes the authentication gap, because they overlook that the root cause is the MFA bypass on API calls and long-lived tokens, not a lack of monitoring or account hygiene.

How to eliminate wrong answers

Option A is wrong because implementing a SIEM system to analyze logs and create alerts is a detective control, not a preventive one; it does not address the root cause of missing MFA on API calls and long-lived tokens, and without capturing API calls from privileged accounts, the SIEM would have no data to analyze. Option B is wrong because conducting a full audit and revoking access for suspicious accounts is a reactive, one-time cleanup that does not prevent future credential compromise or token reuse; it ignores the systemic gaps in authentication and session management. Option D is wrong because replacing API tokens with certificate-based authentication, while more secure, does not inherently enforce MFA for every API call and does not address the long session token expiration issue; it also introduces complexity without directly solving the MFA bypass problem.

11
MCQhard

A red team exercise is planned to simulate a sophisticated adversary. The blue team is aware of the exercise but not the exact methods. The red team is given a budget to acquire attack tools. What is the primary advantage of this approach over a traditional penetration test?

A.It ensures that the blue team is not alerted to the test
B.It provides comprehensive vulnerability coverage
C.It evaluates the organization's detection and response capabilities
D.It is more cost-effective than a penetration test
AnswerC

Red team exercises test the blue team's ability to detect and respond to realistic threats.

Why this answer

Option C is correct because a red team exercise with a known-but-not-detailed blue team specifically tests the organization's detection and response capabilities under realistic adversarial conditions. Unlike a traditional penetration test, which focuses on identifying vulnerabilities, this approach evaluates how well the blue team can detect, analyze, and respond to stealthy, multi-stage attacks that mimic a sophisticated adversary. The red team's budget for attack tools allows them to simulate advanced persistent threats (APTs) that challenge the blue team's security operations center (SOC) processes and incident response procedures.

Exam trap

The trap here is that candidates confuse the purpose of a red team exercise (evaluating detection and response) with a penetration test (finding vulnerabilities), leading them to select Option B, which describes the latter's goal rather than the primary advantage of the former.

How to eliminate wrong answers

Option A is wrong because the blue team is explicitly aware of the exercise, so the test is not covert; the advantage is not about avoiding alerts but about evaluating detection under known-threat conditions. Option B is wrong because comprehensive vulnerability coverage is the goal of a traditional penetration test, not a red team exercise, which focuses on simulating adversary behavior rather than enumerating all possible vulnerabilities. Option D is wrong because red team exercises are typically more expensive than penetration tests due to the specialized skills, custom tools, and extended duration required to simulate sophisticated adversaries.

12
MCQhard

During a penetration test, a tester discovers that the target web application responds to HTTP requests with a "200 OK" status for both valid and invalid session tokens on a particular API endpoint. The application uses JSON Web Tokens (JWT) for authentication. Which of the following vulnerabilities is MOST likely present?

A.Weak JWT signing algorithm
B.Session fixation
C.Missing authentication
D.Insecure direct object reference
AnswerA

A weak or missing signature verification allows any JWT to be accepted.

Why this answer

The application returns a 200 OK for both valid and invalid session tokens, which indicates that the server is not validating the JWT signature. This behavior is characteristic of a weak JWT signing algorithm vulnerability, such as when the server accepts 'none' as the algorithm or uses a symmetric key that can be easily guessed. An attacker can forge arbitrary tokens by setting the algorithm to 'none' or by using a known weak secret, gaining unauthorized access.

Exam trap

ISC2 often tests the distinction between 'missing authentication' and 'weak authentication'—the trap here is that candidates see '200 OK for invalid tokens' and incorrectly assume no authentication is required, when in fact authentication is present but the signing mechanism is flawed.

How to eliminate wrong answers

Option B is wrong because session fixation involves an attacker setting a user's session ID before login, but here the issue is with JWT token validation, not session ID fixation. Option C is wrong because missing authentication would mean the endpoint requires no token at all, but the application does check for a token (it returns 200 OK for both valid and invalid tokens, implying token presence is checked but signature is not). Option D is wrong because insecure direct object reference (IDOR) is about exposing internal object references without authorization checks, which is unrelated to JWT signature validation.

13
MCQhard

A company's vulnerability management program requires that all critical vulnerabilities be remediated within 30 days. A critical vulnerability is discovered in a legacy system that cannot be patched because the vendor no longer supports it. Which of the following is the best compensating control?

A.Deploy a host-based intrusion detection system (HIDS)
B.Increase logging and monitoring
C.Segment the system from the rest of the network
D.Encrypt all data at rest on the system
AnswerC

Segmentation limits exposure by restricting network access to the vulnerable system.

Why this answer

Network segmentation isolates the legacy system, reducing the attack surface. HIDS only detects, not prevents. Logging and monitoring are detective controls.

Encryption does not prevent exploitation of the vulnerability.

14
MCQhard

A company's compliance officer wants to ensure that the organization's security controls meet regulatory requirements for data protection. The officer requests a review of the controls against the regulation's specific clauses. Which type of assessment is most appropriate?

A.Risk assessment
B.Vulnerability assessment
C.Penetration test
D.Compliance audit
AnswerD

Structured review against regulatory clauses.

Why this answer

A compliance audit is the correct assessment type because it systematically evaluates security controls against specific regulatory clauses (e.g., GDPR Article 32, HIPAA Security Rule §164.312). Unlike risk or vulnerability assessments, a compliance audit maps controls directly to legal requirements to verify adherence, often using checklists and evidence collection.

Exam trap

The trap here is confusing a compliance audit with a risk assessment, as both involve reviewing controls, but only the audit measures adherence to specific regulatory clauses rather than prioritizing risks.

How to eliminate wrong answers

Option A is wrong because a risk assessment identifies and prioritizes threats and vulnerabilities based on likelihood and impact, but does not map controls to specific regulatory clauses. Option B is wrong because a vulnerability assessment scans for technical weaknesses (e.g., missing patches, misconfigurations) without evaluating compliance with legal or regulatory text. Option C is wrong because a penetration test simulates attacks to exploit vulnerabilities, focusing on security posture rather than verifying control alignment with regulation clauses.

15
MCQmedium

A security analyst runs a vulnerability scan against a web application and receives a report listing several critical vulnerabilities. However, the development team argues that many of these findings are false positives. Which of the following is the BEST next step for the analyst?

A.Re-scan the application with the same settings to confirm the results.
B.Manually verify a sample of the findings to confirm true vs. false positives.
C.Escalate all critical findings to management immediately.
D.Retune the vulnerability scanner to reduce false positives and re-scan.
AnswerB

Manual verification helps identify false positives and prioritize real vulnerabilities.

Why this answer

Option B is correct because manual verification is the definitive method to distinguish true positives from false positives in vulnerability scanning. Automated scanners can produce false positives due to factors like incomplete service fingerprinting or reliance on banner grabbing, which may not reflect actual exploitability. The analyst must validate a representative sample of findings against the actual application behavior and configuration before taking further action.

Exam trap

The trap here is that candidates often choose Option D (retune the scanner) because they assume tuning reduces false positives, but the CISSP emphasizes that validation through manual testing must precede any scanner configuration changes to avoid missing real vulnerabilities.

How to eliminate wrong answers

Option A is wrong because re-scanning with the same settings will produce identical results, as the scanner will repeat the same checks and generate the same false positives without addressing the root cause. Option C is wrong because escalating all critical findings without verification wastes management's time and resources on potentially non-existent threats, undermining the credibility of the security team. Option D is wrong because retuning the scanner without first understanding which findings are false positives may inadvertently suppress true vulnerabilities or fail to eliminate the specific false positives reported.

16
MCQeasy

A financial institution is conducting a vulnerability assessment of its internal network. The assessor runs a comprehensive scan and discovers that several Windows servers have missing security patches. The organization has a patch management policy that requires all critical patches to be applied within 30 days. The scan results show that some patches have been pending for 45 days. The assessor also finds that the servers are isolated in a separate VLAN with strict firewall rules limiting inbound traffic to only necessary ports. The business owner argues that because the servers are isolated, the risk is low and the patches can be delayed. As the security assessor, what should be the BEST course of action?

A.Recommend additional compensating controls such as intrusion prevention.
B.Accept the risk and close the finding.
C.Escalate the finding to the risk management team for formal risk acceptance.
D.Immediately apply the patches without further approval.
AnswerC

Formal risk acceptance ensures the decision is documented and approved by appropriate stakeholders.

Why this answer

Option B is correct because the finding should be formally documented and accepted by the risk management team to ensure accountability and alignment with the organization's risk appetite. Option A is wrong because simply accepting risk without formal documentation is not proper risk management. Option C is wrong because patches should not be applied without proper change management due to potential operational impact.

Option D is wrong because while compensating controls may be considered, the best first step is to escalate for formal risk acceptance.

17
Drag & Dropmedium

Drag and drop the steps of the incident response process in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Incident response follows NIST SP 800-61: preparation, detection, containment/eradication/recovery, post-incident activity, and improvement.

18
MCQhard

A large e-commerce company operates a multi-tier application in a public cloud. The environment includes a web tier, application tier, and database tier. The security team recently deployed a host-based intrusion detection system (HIDS) on all servers. During a routine review, the HIDS alerts show repeated failed login attempts from a single external IP address to several web servers, but no successful logins from that IP. The team also notices that the database servers have been sending outbound traffic to an unknown IP address on port 443, which is unusual because the database servers typically communicate only with the application servers on port 3306 (MySQL). The application team confirms no changes were made recently. The CISO wants an immediate investigation. What should the security team do first?

A.Immediately restart all database servers to stop any malicious processes.
B.Isolate the database servers from the network and perform forensic analysis on system logs and memory dumps.
C.Add a firewall rule to deny outbound traffic from the database tier to the unknown IP.
D.Block the external IP that is attempting to log in to the web servers and continue monitoring.
AnswerB

Containment and forensic analysis are the appropriate first steps to identify and remove the threat.

Why this answer

Option D is correct because the suspicious outbound traffic from database servers indicates potential data exfiltration. Isolating the affected servers and analyzing their logs and memory will help confirm compromise and contain the incident. Option A is wrong because focusing on the failed logins may miss the active exfiltration.

Option B is wrong because restarting servers can destroy forensic evidence. Option C is wrong because blocking the IP on the firewall does not address the potential malware on the database servers.

19
MCQeasy

A security analyst reviews system logs and notices multiple failed SSH login attempts from a single IP address over the past hour. The attempts are spaced 30 seconds apart and target different usernames. Which type of attack is most likely occurring?

A.Distributed denial-of-service (DDoS) attack
B.Dictionary attack
C.Brute force password guessing
D.Man-in-the-middle attack
AnswerC

Systematic repeated login attempts indicate brute force.

Why this answer

The observed pattern—multiple failed SSH login attempts from a single IP, spaced 30 seconds apart, targeting different usernames—is characteristic of a brute force password guessing attack. Unlike a dictionary attack, which uses a precompiled list of likely passwords, a brute force attack systematically tries all possible password combinations for each username, often with a delay to evade rate limiting.

Exam trap

The trap here is confusing a brute force attack with a dictionary attack—the key differentiator is that brute force tries all possible combinations (often with a delay) across multiple usernames, while a dictionary attack uses a precompiled wordlist against a single target username.

How to eliminate wrong answers

Option A is wrong because a DDoS attack aims to overwhelm a service with traffic from multiple sources, not to guess credentials from a single IP. Option B is wrong because a dictionary attack uses a list of common passwords against a single username, whereas this scenario targets multiple usernames with spaced attempts, indicating systematic guessing rather than a predefined wordlist. Option D is wrong because a man-in-the-middle attack intercepts or alters communications between two parties, which does not involve repeated SSH login attempts from a single source.

20
MCQeasy

An organization is conducting a security assessment of a new web application. Which testing technique would best identify cross-site scripting (XSS) vulnerabilities?

A.Manual code review
B.Static application security testing (SAST)
C.Interactive application security testing (IAST)
D.Dynamic application security testing (DAST)
AnswerD

DAST tests the running application and can identify XSS by simulating attacks.

Why this answer

DAST (Dynamic Application Security Testing) tests the running application by simulating external attacks, including injecting malicious scripts into input fields and observing the response. This directly identifies reflected, stored, and DOM-based XSS vulnerabilities because it exercises the application's runtime behavior, where XSS payloads are executed in the browser. Unlike static analysis, DAST does not require source code access and can detect vulnerabilities that only manifest during execution.

Exam trap

The trap here is that candidates often choose SAST (Option B) because they think source code analysis is the most thorough, but they fail to recognize that XSS is a runtime vulnerability that requires dynamic testing to confirm exploitability and context-specific behavior.

How to eliminate wrong answers

Option A is wrong because manual code review relies on human inspection of source code, which is time-consuming, error-prone, and may miss subtle XSS vectors that only appear during runtime (e.g., DOM-based XSS or context-dependent encoding issues). Option B is wrong because SAST analyzes source code without executing it, so it cannot detect XSS vulnerabilities that depend on runtime data flow, such as those involving dynamic JavaScript execution or third-party libraries. Option C is wrong because IAST combines static and dynamic analysis but requires instrumentation of the running application; while it can detect XSS, it is not the best technique for a standalone assessment because it introduces overhead and may not be available for all environments, whereas DAST is a direct, non-invasive black-box test.

21
MCQmedium

A security team is planning a social engineering test for their organization. Which of the following scenarios would BEST assess the effectiveness of security awareness training?

A.Sending a phishing email that mimics a common internal communication.
B.Calling employees and pretending to be IT support to obtain passwords.
C.Attempting to tailgate into a secure facility.
D.Searching through trash bins for sensitive documents.
AnswerA

Phishing emails directly test the awareness training provided to employees.

Why this answer

Sending a phishing email that mimics a common internal communication directly tests whether employees can recognize and report a realistic social engineering attempt, which is the primary goal of security awareness training. This scenario evaluates the human firewall by simulating the most prevalent attack vector—email-based phishing—and measures the effectiveness of training in reducing click-through rates and increasing reporting behavior.

Exam trap

The trap here is that candidates may choose tailgating or vishing because they seem more dramatic or directly test human behavior, but the CISSP exam emphasizes that phishing emails are the most common and effective social engineering vector, and thus the best assessment of security awareness training in a typical enterprise environment.

How to eliminate wrong answers

Option B is wrong because calling employees and pretending to be IT support to obtain passwords tests vishing (voice phishing), which is a valid social engineering vector but less common than email phishing and not the best measure of general security awareness training effectiveness, as training often focuses more on email-based threats. Option C is wrong because tailgating tests physical security controls and employee vigilance at access points, which is a separate domain (physical security) and not the primary focus of most security awareness training programs. Option D is wrong because searching through trash bins for sensitive documents tests dumpster diving, which assesses physical disposal policies and shredding compliance, not the behavioral response to social engineering that awareness training aims to improve.

22
MCQhard

A security analyst receives the IDS alert shown in the exhibit. The analyst checks the web server logs and finds that the request returned a 200 OK status. Which of the following should the analyst do NEXT?

A.Tune the IDS to reduce false positives for SQL injection signatures.
B.Delete the alert and continue monitoring.
C.Ignore the alert because the IDS is known to produce false positives.
D.Isolate the web server and investigate for data breach.
AnswerD

The successful request indicates a potential breach; immediate containment is necessary.

Why this answer

The IDS alert indicates a SQL injection attempt, and the web server returned a 200 OK status, which means the request was processed successfully. This combination strongly suggests that the injection may have succeeded, potentially leading to a data breach. The correct next step is to isolate the web server and investigate for evidence of data exfiltration or unauthorized access, as per incident response procedures.

Exam trap

The trap here is that candidates assume a 200 OK status means the attack failed, but in SQL injection, a successful attack can still return a 200 OK if the query executes without error, making isolation and investigation the mandatory next step.

How to eliminate wrong answers

Option A is wrong because tuning the IDS to reduce false positives would be premature without first confirming that the alert is indeed a false positive; the 200 OK status does not rule out a successful SQL injection. Option B is wrong because deleting the alert and continuing monitoring ignores the possibility of a successful attack, violating the principle of due care in incident response. Option C is wrong because ignoring the alert based on a known false positive rate is dangerous; each alert must be evaluated in context, and a 200 OK status on a SQL injection attempt is a red flag, not a dismissal.

23
MCQhard

A company's security team discovers that a critical web application has a SQL injection vulnerability. However, the team is unable to remediate it immediately due to a dependency on a third-party component. Which of the following is the BEST approach to manage the risk while awaiting a patch?

A.Accept the risk and implement compensating controls like input validation at the network layer
B.Deploy a web application firewall with a rule to block SQL injection patterns
C.Increase logging and monitoring of the application
D.Disable the vulnerable feature entirely
AnswerA

Compensating controls reduce risk while awaiting a permanent fix, aligning with risk management best practices.

Why this answer

Option A is correct because when a vulnerability cannot be patched immediately, compensating controls are the best risk management approach. Implementing input validation at the network layer (e.g., via a web application firewall or network-based IPS) can block SQL injection patterns before they reach the vulnerable application, reducing the likelihood of exploitation without requiring changes to the third-party component.

Exam trap

ISC2 often tests the distinction between 'accepting risk' as a passive decision versus 'accepting risk with compensating controls' as an active risk management strategy, leading candidates to mistakenly choose a single technical control like a WAF (Option B) instead of the broader, more correct approach of accepting risk with compensating controls.

How to eliminate wrong answers

Option B is wrong because deploying a WAF with a rule to block SQL injection patterns is a specific type of compensating control, but it is not the best approach on its own; the question asks for the best approach, and accepting the risk with compensating controls (A) is a broader, more strategic answer that encompasses WAF deployment as one possible control. Option C is wrong because increasing logging and monitoring does not prevent exploitation; it only detects attacks after they occur, which is reactive rather than proactive risk management. Option D is wrong because disabling the vulnerable feature entirely may not be feasible or may break business functionality, and it is a more drastic measure than necessary when compensating controls can mitigate the risk.

24
Multi-Selectmedium

Which TWO of the following are examples of types of security assessments?

Select 2 answers
A.Vulnerability scan
B.Firewall rule review
C.Password policy enforcement
D.Antivirus update
E.Penetration test
AnswersA, E

A vulnerability scan is a common security assessment technique.

Why this answer

A vulnerability scan is a security assessment that systematically identifies, categorizes, and reports known vulnerabilities in systems, networks, and applications. It uses automated tools (e.g., Nessus, OpenVAS) to compare system configurations and software versions against databases of known vulnerabilities (e.g., CVE, NVD). This is a core example of a security assessment because it evaluates the security posture without exploiting vulnerabilities, aligning with the 'Security Assessment and Testing' domain.

Exam trap

The trap here is that candidates often confuse security assessments (active evaluation of security posture) with security controls or operational tasks (e.g., firewall reviews, policy enforcement, updates), which are not assessments but rather management or maintenance activities.

25
MCQeasy

A security professional is tasked with testing the effectiveness of security controls in a production environment without causing disruption. Which type of assessment should be performed?

A.Penetration test
B.Red team exercise
C.Vulnerability scan
D.Social engineering test
AnswerC

Vulnerability scans are passive and safe for production environments.

Why this answer

A vulnerability scan is the correct choice because it is a non-intrusive, automated assessment that identifies known vulnerabilities (e.g., missing patches, misconfigurations) by comparing system states against a database of CVEs and configuration benchmarks (e.g., CIS benchmarks). It does not exploit vulnerabilities or generate attack traffic, making it safe for production environments. In contrast, penetration tests and red team exercises involve active exploitation and simulated attacks that risk service disruption.

Exam trap

The trap here is that candidates often confuse a vulnerability scan with a penetration test, assuming both involve active exploitation, but the key distinction is that a vulnerability scan is passive and non-destructive, while a penetration test is active and potentially disruptive.

How to eliminate wrong answers

Option A is wrong because a penetration test involves active exploitation of vulnerabilities to gain unauthorized access, which can cause system crashes, data corruption, or service interruptions in a production environment. Option B is wrong because a red team exercise is a full-scope, adversarial simulation that includes social engineering, physical breaches, and active exploitation, all of which carry a high risk of disrupting operations. Option D is wrong because a social engineering test targets human behavior (e.g., phishing emails, pretexting calls) and does not directly assess the effectiveness of technical security controls such as firewalls, IDS/IPS, or patch management.

26
MCQeasy

Which of the following is the primary purpose of a security assessment?

A.To identify and evaluate security risks
B.To fix all vulnerabilities
C.To achieve compliance with regulations
D.To punish non-compliant employees
AnswerA

Assessment identifies weaknesses and evaluates the associated risks.

Why this answer

A security assessment's primary purpose is to systematically identify and evaluate security risks by analyzing assets, threats, vulnerabilities, and existing controls. This aligns with the NIST SP 800-115 framework, which defines assessment as the process of determining how effectively an entity is meeting specific security objectives, not as a remediation or enforcement activity.

Exam trap

The trap here is that candidates confuse the assessment phase with the remediation phase, assuming the primary goal is to fix vulnerabilities, when in fact the assessment stops at identification and evaluation.

How to eliminate wrong answers

Option B is wrong because fixing all vulnerabilities is the goal of remediation or vulnerability management, not the assessment itself; assessment only identifies and evaluates, leaving remediation to subsequent processes. Option C is wrong because achieving compliance is a possible outcome or driver, but the primary purpose is risk identification and evaluation, not merely meeting regulatory checklists. Option D is wrong because punishing non-compliant employees is a disciplinary action unrelated to the technical evaluation of security posture; assessments focus on systems and processes, not personnel discipline.

27
MCQeasy

Refer to the exhibit. Based on the exhibit, what is the most urgent remediation?

A.Disable directory listing
B.Upgrade to Apache 2.4.50
C.Recompile Apache with security flags
D.Apply a WAF rule to block path traversal attempts
AnswerB

Upgrading to a patched version directly removes the vulnerability.

Why this answer

The exhibit shows Apache 2.4.49 is in use, which is vulnerable to CVE-2021-41773 — a path traversal and remote code execution flaw in the `mod_cgi` module. Upgrading to Apache 2.4.50 is the most urgent remediation because it directly patches this critical vulnerability, preventing attackers from reading arbitrary files or executing commands via crafted URL paths like `/cgi-bin/.%2e/%2e%2e/bin/sh`.

Exam trap

ISC2 often tests the distinction between a compensating control (like a WAF rule) and a true remediation (like a software upgrade), leading candidates to choose a workaround instead of the definitive fix.

How to eliminate wrong answers

Option A is wrong because disabling directory listing addresses information disclosure but does not fix the underlying path traversal or RCE vulnerability in Apache 2.4.49; it is a secondary hardening step. Option C is wrong because recompiling Apache with security flags does not patch the specific CVE-2021-41773 flaw in the shipped binary; the vulnerability is in the source code logic of `mod_cgi` and `util_path.c`, which requires a version upgrade. Option D is wrong because applying a WAF rule to block path traversal attempts is a compensating control, not a remediation; it can be bypassed with encoding variations and does not eliminate the root cause in the Apache server itself.

28
MCQeasy

A security analyst is tasked with identifying vulnerabilities in a web application that is still in development. The application code is not yet stable, and frequent changes are expected. Which testing approach would be most appropriate to identify vulnerabilities without hindering the development process?

A.Fuzz testing
B.Manual penetration testing
C.Static application security testing (SAST)
D.Dynamic application security testing (DAST)
AnswerC

Can be integrated into CI/CD and analyze source code without a runtime environment.

Why this answer

Static Application Security Testing (SAST) is the most appropriate approach because it analyzes source code, byte code, or binary code without executing the application, making it ideal for early-stage development where code is unstable and frequently changing. SAST can be integrated into the development pipeline (e.g., as a pre-commit hook or CI/CD step) to identify vulnerabilities like SQL injection, XSS, or buffer overflows without requiring a running application or hindering the iterative development process.

Exam trap

The trap here is that candidates often choose DAST (Option D) because they associate 'dynamic' with 'real-world testing,' but they overlook the critical constraint that the application is unstable and in development, making SAST the only viable option that does not require a running application.

How to eliminate wrong answers

Option A is wrong because fuzz testing is a dynamic testing technique that requires a running, stable application to inject malformed or unexpected inputs, which is not feasible when the code is unstable and frequently changing. Option B is wrong because manual penetration testing is a time-intensive, point-in-time assessment that relies on a functional, deployed application and would significantly hinder the development process due to the need for a stable environment and repeated retesting after each code change. Option D is wrong because Dynamic Application Security Testing (DAST) requires a fully running application to scan for vulnerabilities from the outside (e.g., via HTTP requests), and it cannot be effectively performed on an unstable, in-development application that may not even compile or run correctly.

29
MCQhard

During an internal audit, an organization discovers that a critical application has not been patched for six months. The application is business-critical and cannot be taken offline during business hours. Which of the following is the best course of action?

A.Implement compensating controls and schedule patching at the next available maintenance window
B.Accept the risk and continue operations
C.Apply the patch immediately during off-hours even if it risks downtime
D.Disconnect the application until it is patched
AnswerA

Compensating controls mitigate risk until the patch can be applied safely during a planned outage.

Why this answer

Option A is correct because compensating controls (e.g., network segmentation, WAF rules, or host-based IPS) reduce the immediate risk while the critical application remains online. Scheduling patching for the next maintenance window aligns with change management and ensures the patch is tested and applied without disrupting business operations. This balances security needs with operational continuity, a core principle of risk management.

Exam trap

The trap here is that candidates may choose immediate patching (Option C) thinking it is the most secure action, but the CISSP exam emphasizes balancing security with business continuity and following proper change management procedures.

How to eliminate wrong answers

Option B is wrong because accepting risk without any mitigating action ignores the known vulnerability exposure for six months, which violates due care and could lead to exploitation. Option C is wrong because applying the patch immediately during off-hours without prior testing or change approval could introduce instability or downtime, which is unacceptable for a business-critical application. Option D is wrong because disconnecting the application halts business operations entirely, which is disproportionate when less disruptive compensating controls can be implemented first.

30
MCQeasy

A system administrator receives the vulnerability scan report snippet shown in the exhibit. Which of the following actions should the administrator take to remediate the vulnerability?

A.Upgrade the SSH service to the latest version.
B.Modify the SSH configuration to disable weak ciphers and enable strong ciphers.
C.Disable SSH access to the host.
D.Change the SSH port from 22 to a non-standard port.
AnswerB

This directly addresses the vulnerability as recommended in the report.

Why this answer

The vulnerability scan report likely identifies weak cryptographic algorithms (e.g., CBC-mode ciphers or MD5-based MACs) in the SSH configuration. Remediation requires disabling these weak ciphers and enabling strong ones (e.g., AES-CTR, ChaCha20-Poly1305) in the sshd_config file, as simply upgrading the SSH service version may not change the cipher list. Option B directly addresses the cryptographic weakness without unnecessarily disabling or hiding the service.

Exam trap

The trap here is that candidates often assume upgrading the software version automatically fixes all vulnerabilities, but CISSP tests the understanding that configuration hardening (e.g., disabling weak ciphers) is a separate and necessary action even after a version upgrade.

How to eliminate wrong answers

Option A is wrong because upgrading the SSH service version does not automatically change the configured cipher list; the administrator must explicitly modify the configuration to disable weak ciphers. Option C is wrong because disabling SSH access entirely is an overreaction that disrupts legitimate remote administration, and it does not remediate the underlying cryptographic weakness. Option D is wrong because changing the SSH port from 22 to a non-standard port only obscures the service via security through obscurity, which does not fix the weak cipher vulnerability and is not a valid remediation per industry standards.

31
MCQmedium

During an internal security assessment, a tester uses a tool to attempt to crack password hashes extracted from a domain controller. Which phase of the penetration testing process does this represent?

A.Reconnaissance
B.Reporting
C.Post-exploitation
D.Exploitation
AnswerC

Password cracking is typically done after gaining initial access to further compromise the environment.

Why this answer

C is correct because cracking password hashes extracted from a domain controller occurs after the tester has already gained access to the system. This activity is part of the post-exploitation phase, where the tester escalates privileges, extracts credentials, and moves laterally. In this context, the tester is using a tool like John the Ripper or Hashcat to crack NTLM hashes, which is a classic post-exploitation step to obtain plaintext passwords for further access.

Exam trap

The trap here is that candidates often confuse post-exploitation with exploitation, mistakenly thinking that cracking hashes is part of the initial exploitation phase, when in fact exploitation is the act of gaining access, and post-exploitation includes all activities performed after that access is achieved.

How to eliminate wrong answers

Option A is wrong because reconnaissance is the initial phase of gathering information about the target without direct interaction, such as scanning open ports or enumerating services, not cracking already extracted hashes. Option B is wrong because reporting is the final phase where findings are documented and presented to stakeholders, not during active technical testing. Option D is wrong because exploitation is the phase where vulnerabilities are actively used to gain initial access or execute code on a target; cracking hashes after access is obtained is a post-exploitation activity, not the initial exploitation event.

32
MCQhard

Your organization is a medium-sized e-commerce company with a hybrid infrastructure: on-premises datacenter and AWS cloud. The security team recently conducted an internal vulnerability scan of the on-premises network and discovered multiple critical vulnerabilities in a legacy ERP system that cannot be patched because the vendor no longer supports it. The ERP system is essential for order processing and cannot be decommissioned. The team also ran a penetration test against the cloud environment and found that an attacker with network access could leverage misconfigured security groups to move laterally between instances. The company has a risk appetite that allows for limited risk acceptance with compensating controls. As the senior security analyst, what is the BEST course of action?

A.Immediately isolate the legacy ERP system from the network and implement a manual workaround for order processing.
B.Decommission the legacy ERP system and migrate to a modern alternative, accepting a temporary disruption in operations.
C.Accept the risk for both findings and document them in the risk register without additional controls.
D.Apply virtual patching via an intrusion prevention system (IPS) for the ERP vulnerabilities and implement stricter security group rules in the cloud to restrict lateral movement.
AnswerD

Virtual patching and network segmentation provide effective compensating controls that reduce risk while maintaining operations.

Why this answer

Option B provides compensating controls: virtual patching for the ERP vulnerabilities and stricter security group rules to restrict lateral movement in the cloud. This aligns with the risk appetite by reducing risk without immediate replacement. Option A is too disruptive, option C ignores the need for controls, and option D is a long-term solution that would cause unacceptable disruption.

33
MCQeasy

A security auditor is reviewing the results of a recently completed internal vulnerability scan. The scan report shows several hosts with the same vulnerability. Which of the following actions should the auditor take FIRST?

A.Manually verify the vulnerability on a sample of affected hosts.
B.Immediately apply patches to all affected hosts.
C.Remove the hosts from the network until the vulnerability is resolved.
D.Re-run the scan with a different scanner.
AnswerA

Manual verification confirms the finding and reduces false positives.

Why this answer

The auditor must first manually verify the vulnerability on a sample of affected hosts because automated vulnerability scans can produce false positives due to factors like incomplete banner grabbing, outdated plugin signatures, or network-level interference. Confirming the finding ensures that subsequent remediation efforts are based on accurate, validated data, preventing wasted resources on non-existent issues.

Exam trap

The trap here is that candidates may assume automated scan results are always accurate and jump to remediation (Option B) or isolation (Option C), failing to recognize that the first step in the assessment process is to validate findings to avoid acting on false positives.

How to eliminate wrong answers

Option B is wrong because immediately applying patches without verification risks introducing instability or breaking functionality if the vulnerability is a false positive, and it bypasses the change management process required in a secure environment. Option C is wrong because removing hosts from the network is an overly drastic and disruptive response that should only be considered after the vulnerability is confirmed and the risk is assessed as critical, not as a first step. Option D is wrong because re-running the scan with a different scanner does not address the need for manual validation; it merely repeats an automated process that may still produce false positives due to inherent scanner limitations.

34
Multi-Selecthard

Which THREE of the following are commonly used metrics for measuring the effectiveness of a vulnerability management program?

Select 3 answers
A.Patch coverage percentage
B.Mean time to detect (MTTD)
C.Mean time to remediate (MTTR)
D.Number of vulnerabilities per scan
E.Number of security incidents
AnswersA, C, D

Coverage measures the extent of systems patched.

Why this answer

Patch coverage percentage is a direct measure of vulnerability management effectiveness because it tracks the proportion of systems that have received required patches. A high patch coverage percentage indicates that the organization is successfully applying fixes to known vulnerabilities, reducing the attack surface. This metric is commonly used in vulnerability management programs to assess the completeness of remediation efforts.

Exam trap

The trap here is that candidates confuse Mean Time to Detect (MTTD) and Mean Time to Remediate (MTTR) as both being relevant to vulnerability management, but MTTD is specific to incident response, not to the proactive patching and remediation cycle measured by MTTR and patch coverage.

35
Multi-Selecteasy

An organization is planning a penetration test of its internal network. Which TWO of the following are essential elements to include in the test scope and rules of engagement?

Select 2 answers
A.List of specific exploitation tools to be used.
B.Time windows when testing is permitted (e.g., after business hours).
C.Schedule for automated vulnerability scanning of all external systems.
D.List of IP addresses and systems authorized for testing.
E.Detailed plan for exploiting client-side vulnerabilities.
AnswersB, D

Essential to avoid disruption.

Why this answer

Options A and D are correct because the rules of engagement must clearly define authorized targets and testing windows to avoid business disruption and legal issues. Option B is wrong because client-side attacks are not typically part of a network penetration test. Option C is wrong because vulnerability scanning is a different activity.

Option E is wrong because the specific tools to be used are not necessarily required in the scope, though they may be agreed upon.

36
Drag & Dropmedium

Drag and drop the steps for a secure password change procedure in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Password change: verify identity, enter new password, enforce history, hash storage, log.

37
Multi-Selectmedium

A company is conducting a security assessment of its network infrastructure. Which of the following activities are typically performed during a vulnerability assessment? (Select TWO.)

Select 2 answers
A.Identification of missing security patches
B.Attempting to crack password hashes
C.Social engineering attacks against employees
D.Exploiting identified vulnerabilities to gain unauthorized access
E.Automated scanning of open ports and services
AnswersA, E

Patch identification is a key component of vulnerability assessment.

Why this answer

A is correct because vulnerability assessments focus on identifying and cataloging weaknesses without exploitation. Missing security patches are a common finding from automated scanning tools like Nessus or OpenVAS, which compare system configurations against known vulnerability databases (e.g., CVE). This aligns with the assessment's goal of discovering vulnerabilities, not exploiting them.

Exam trap

The trap here is confusing vulnerability assessment (identification only) with penetration testing (identification plus exploitation), leading candidates to select 'Exploiting identified vulnerabilities to gain unauthorized access' as a correct activity.

38
MCQhard

During a security audit of a financial application, the auditor discovers that the application uses a custom encryption algorithm for storing sensitive data. The developer claims it is more efficient than AES. What should the auditor recommend?

A.Conduct additional penetration testing on the encryption implementation
B.Accept the risk if the algorithm is more efficient
C.Perform a cryptoanalysis of the algorithm to validate its strength
D.Migrate to a widely-accepted encryption standard such as AES
AnswerD

Standard algorithms are extensively reviewed and trusted.

Why this answer

Custom encryption algorithms are highly risky because they have not undergone the extensive peer review and cryptanalysis that standards like AES have. Even if the developer claims better efficiency, the lack of proven security guarantees makes the application vulnerable to attacks. The correct recommendation is to migrate to a widely-accepted standard such as AES, which is FIPS 197 validated and trusted for protecting sensitive financial data.

Exam trap

The trap here is that candidates may think performing cryptanalysis (Option C) is a valid audit recommendation, but in practice, the auditor's role is to enforce the use of proven standards, not to validate unproven custom cryptography.

How to eliminate wrong answers

Option A is wrong because additional penetration testing on a custom encryption implementation cannot uncover fundamental cryptographic weaknesses; penetration testing is not a substitute for formal cryptanalysis or algorithm validation. Option B is wrong because accepting the risk based solely on efficiency claims violates the principle of using proven, standardized cryptography for sensitive data; efficiency does not equate to security. Option C is wrong because performing a cryptanalysis of the custom algorithm is not a practical recommendation for an auditor; it requires expert cryptographers and extensive time, and even then, the algorithm may still have undiscovered flaws, whereas migrating to a proven standard is the immediate and correct security control.

39
Multi-Selectmedium

Which TWO of the following are key objectives of a security assessment? (Select exactly 2.)

Select 2 answers
A.Identify vulnerabilities in systems and applications.
B.Assess the effectiveness of existing security controls.
C.Exploit vulnerabilities to gain unauthorized access.
D.Prioritize threats based on business impact.
E.Implement new security controls to address findings.
AnswersA, B

Vulnerability identification is a primary goal of security assessments.

Why this answer

A is correct because identifying vulnerabilities is a primary objective of a security assessment, such as a vulnerability scan or penetration test, which systematically discovers weaknesses in systems and applications (e.g., missing patches, misconfigurations, or insecure code). B is correct because assessing the effectiveness of existing security controls (e.g., firewalls, IDS/IPS, access controls) is a core goal, often achieved through control testing or validation to determine if controls are properly implemented and functioning as intended.

Exam trap

The trap here is that candidates often confuse the objectives of a security assessment (identify vulnerabilities and assess controls) with the objectives of a penetration test (exploit vulnerabilities) or risk management (prioritize threats), leading them to select options C or D incorrectly.

40
Multi-Selecthard

An organization is implementing a security information and event management (SIEM) system. Which THREE factors are most critical for the SIEM to provide actionable security insights?

Select 3 answers
A.Real-time alerting capabilities
B.Ability to store raw logs for one year
C.Correlation rules that match attack patterns
D.Low false-positive rate
E.Accurate and normalized log sources
AnswersA, C, E

Timely alerts are crucial for response.

Why this answer

Real-time alerting is critical because SIEM must detect and notify security teams of ongoing threats within seconds to minutes, enabling timely incident response. Without near-instantaneous correlation and alerting, attackers can achieve their objectives (e.g., lateral movement, data exfiltration) before the organization even knows an incident occurred. This aligns with the NIST SP 800-61 incident response lifecycle, where detection and analysis must be rapid to contain damage.

Exam trap

The trap here is that candidates confuse 'low false-positive rate' (a tuning outcome) with a critical implementation factor, when in fact the foundational requirements are accurate normalized logs, correlation rules, and real-time alerting — without these, no alerts (true or false) can be generated at all.

41
MCQmedium

An organization is planning a penetration test of its internal network. The test team has been given network diagrams, source code access, and administrative credentials. This type of testing is known as:

A.Black-box testing
B.Red team testing
C.White-box testing
D.Gray-box testing
AnswerC

Full disclosure of system details to testers.

Why this answer

White-box testing (also known as clear-box or structural testing) is characterized by the test team having full knowledge of the internal system architecture, including network diagrams, source code, and administrative credentials. This level of access allows testers to perform a thorough analysis of the application logic, configuration weaknesses, and potential backdoors that would be invisible in a black-box approach. The scenario explicitly states the team was given these artifacts, making white-box testing the correct classification.

Exam trap

The trap here is that candidates often confuse 'red team testing' with 'white-box testing' because both involve internal knowledge, but red team testing is defined by its adversarial objectives and operational scope, not by the level of information disclosure, whereas the question's key differentiator is the explicit provision of source code and credentials.

How to eliminate wrong answers

Option A is wrong because black-box testing assumes no prior knowledge of the internal network, source code, or credentials; testers simulate an external attacker with zero information, which contradicts the provided access. Option B is wrong because red team testing is a goal-based, adversarial simulation that often includes social engineering and physical breaches, and while it may use some internal knowledge, it is defined by its objective (e.g., testing detection and response) rather than the level of access given; the question specifically asks about the type of testing based on information provided, not the team's mission. Option D is wrong because gray-box testing involves partial knowledge (e.g., network diagrams but not source code or credentials), whereas the team here received full source code and administrative credentials, which is a hallmark of white-box testing.

42
Multi-Selecteasy

Which TWO of the following are best practices for conducting a penetration test?

Select 2 answers
A.Define scope and rules of engagement
B.Obtain written authorization from the organization
C.Install backdoors for future access
D.Notify law enforcement before testing
E.Use only automated tools
AnswersA, B

Clear scope prevents overreach and ensures testing is controlled.

Why this answer

Obtaining written authorization and defining scope and rules of engagement are fundamental to ethical and legal testing. Using only automated tools is not best; manual techniques are also needed. Installing backdoors is unethical.

Notifying law enforcement is not a standard practice and could compromise the test.

43
MCQmedium

A company has implemented a new web application firewall (WAF) and wants to test its effectiveness. Which of the following testing methods would provide the MOST accurate assessment?

A.Conduct a penetration test that includes attempts to bypass the WAF.
B.Perform a vulnerability scan on the web application with the WAF disabled.
C.Review the WAF logs for any blocked attacks.
D.Run an automated web application scanner against the application with the WAF enabled.
AnswerA

A penetration test with WAF bypass attempts provides a realistic assessment of its effectiveness.

Why this answer

A penetration test that actively attempts to bypass the WAF provides the most accurate assessment because it simulates a real attacker's behavior, testing the WAF's ability to detect and block evasion techniques such as HTTP parameter pollution, encoding obfuscation, and SQL injection payload splitting. This method validates the WAF's effectiveness under realistic adversarial conditions, revealing gaps that passive or disabled-state testing cannot uncover.

Exam trap

The trap here is that candidates often choose Option D (automated scanner with WAF enabled) thinking it tests the WAF in a live environment, but they overlook that automated scanners typically do not attempt sophisticated bypass techniques and may be blocked, giving a false sense of security.

How to eliminate wrong answers

Option B is wrong because performing a vulnerability scan with the WAF disabled only identifies inherent application flaws without evaluating the WAF's protective capabilities, thus failing to assess the security control's effectiveness. Option C is wrong because reviewing WAF logs for blocked attacks only shows past events and does not test the WAF's ability to handle novel or sophisticated bypass techniques, providing no proactive validation. Option D is wrong because running an automated scanner with the WAF enabled may cause the scanner's traffic to be blocked or modified, leading to incomplete or false results, and does not actively attempt to circumvent the WAF's rules.

44
MCQhard

An auditor is reviewing the JSON policy exhibit. What is the most likely security issue with this policy?

A.The policy allows all actions on public_data, which could be exploited
B.The policy uses JSON syntax, which is not secure
C.The 'Allow' rule for customers does not restrict based on user identity, only IP
D.The 'Deny' rule uses a wildcard resource, which is too restrictive
AnswerC

IP-based access is weak; should require authentication and authorization.

Why this answer

Option C is correct because the policy's 'Allow' rule for customers only restricts access based on source IP address, not on authenticated user identity. This means any user or system within the allowed IP range can access the resource, regardless of whether they are a legitimate customer. In a JSON-based policy (e.g., AWS IAM or Azure RBAC), failing to include a condition that checks user identity (such as a JWT claim or IAM user ARN) creates a significant authorization gap, allowing potential impersonation or lateral movement within the trusted network.

Exam trap

ISC2 often tests the distinction between network-based controls (IP allowlisting) and identity-based controls (user authentication), and the trap here is that candidates assume IP-based restrictions alone are sufficient for authorization, overlooking the need for explicit user identity verification in the policy.

How to eliminate wrong answers

Option A is wrong because allowing all actions on public_data is not inherently a security issue; public_data is intended for open access, and the policy may be correctly scoped. Option B is wrong because JSON syntax itself is not insecure; it is a standard data interchange format, and security depends on the policy logic, not the serialization format. Option D is wrong because a 'Deny' rule with a wildcard resource is a common and valid pattern to explicitly block all actions on unspecified resources, and it is not 'too restrictive'—it follows the principle of least privilege when combined with specific Allow rules.

45
MCQeasy

A security analyst is reviewing logs and notices multiple failed login attempts from a single IP address followed by a successful login. What should the analyst do next?

A.Disable the account immediately
B.Ignore, as failed logins are normal
C.Investigate the successful login
D.Block the IP address
AnswerC

The successful login after failures is suspicious and requires investigation to confirm if it was authorized.

Why this answer

The correct answer is C because a successful login immediately following multiple failed attempts from the same IP address is a classic indicator of a brute-force or password-spraying attack that succeeded. The analyst must investigate the successful login to determine if it was legitimate or an account compromise, checking for anomalous behavior, time of access, and any subsequent actions. Ignoring or prematurely blocking the IP could destroy forensic evidence or lock out a legitimate user, while disabling the account without investigation may be premature if the login was authorized.

Exam trap

The trap here is that candidates often jump to a reactive action like blocking the IP or disabling the account, failing to recognize that the immediate priority is to investigate the successful login to confirm compromise and preserve forensic evidence.

How to eliminate wrong answers

Option A is wrong because disabling the account immediately without investigation could lock out a legitimate user who simply mistyped their password multiple times, and it may destroy evidence of the attack vector. Option B is wrong because while failed logins are common, a pattern of multiple failures from a single IP followed by a success is not normal and requires investigation per incident response procedures. Option D is wrong because blocking the IP address without first investigating could prevent the analyst from gathering additional forensic data (e.g., logs from the successful session) and may block a legitimate user if the IP is shared or spoofed.

46
MCQmedium

A vulnerability scanner reports a medium-severity finding on a web server. After investigating, the system administrator claims the finding is a false positive because the service in question is not actually running. Which step should the security analyst take next?

A.Verify the service status using system commands or network scans
B.Remove the finding from the report since the administrator confirmed it
C.Close the finding as accepted risk
D.Escalate the issue to management for risk acceptance
AnswerA

Independent verification is needed to confirm if the finding is truly a false positive.

Why this answer

Option A is correct because the security analyst must independently verify the administrator's claim before taking any action. The vulnerability scanner may have detected a service on a different port or the service may be bound to a non-standard interface; using system commands (e.g., `netstat -tulpn` or `ss -tulpn`) or a targeted network scan (e.g., `nmap -sV -p <port> <target>`) provides objective evidence of whether the service is actually listening. Relying solely on the administrator's assertion without verification could lead to a missed true positive, especially if the service is hidden or misconfigured.

Exam trap

The trap here is that candidates may assume the administrator's claim is authoritative and skip verification, but the CISSP exam emphasizes that security analysts must always validate findings through independent technical means before closing or escalating.

How to eliminate wrong answers

Option B is wrong because removing the finding without independent verification violates the principle of evidence-based risk management and could suppress a genuine vulnerability if the administrator is mistaken or the service is transient. Option C is wrong because closing the finding as accepted risk requires a formal risk acceptance process with documented justification and management approval, not a single administrator's claim of a false positive. Option D is wrong because escalating to management for risk acceptance is premature; the analyst must first confirm the service status to determine if the finding is indeed a false positive before any risk acceptance decision is warranted.

47
Multi-Selectmedium

A security analyst is reviewing the findings from a vulnerability scan of a web application. Which TWO actions are most appropriate to prioritize remediation?

Select 2 answers
A.The asset's value to the organization
B.The number of times the scan was run
C.Whether a known exploit exists
D.The date the vulnerability was discovered
E.The CVSS score of the vulnerability
AnswersC, E

Exploitability indicates immediate risk.

Why this answer

Option C is correct because the existence of a known exploit indicates that the vulnerability is actively weaponized, making it a higher priority for remediation regardless of its CVSS score. A vulnerability with a published exploit in frameworks like Metasploit or Exploit-DB poses an immediate, tangible risk to the web application, as attackers can easily leverage it without developing custom code. This aligns with the principle of prioritizing based on threat likelihood, not just severity.

Exam trap

The trap here is that candidates often assume CVSS score alone is sufficient for prioritization, but the CISSP emphasizes that exploitability (known exploit existence) is a more critical factor in real-world remediation decisions, as a lower-scoring vulnerability with an active exploit poses greater immediate risk than a higher-scoring one without one.

48
MCQmedium

Based on the vulnerability scan exhibit, which vulnerability should be remediated first?

A.All vulnerabilities equally because they have the same host
B.SSH weak MAC algorithms
C.SMTP open relay
D.OpenSSL Heartbleed vulnerability
AnswerD

Critical vulnerability with known exploitation.

Why this answer

The OpenSSL Heartbleed vulnerability (CVE-2014-0160) allows an attacker to read up to 64 KB of memory from a vulnerable server, potentially exposing private keys, session tokens, and passwords. This is a critical remote code execution and information disclosure flaw that requires immediate remediation because it compromises the confidentiality of all encrypted communications. In contrast, the other vulnerabilities are less severe: SSH weak MAC algorithms reduce cryptographic strength but do not directly leak data, and SMTP open relay is a misconfiguration that enables spam but not direct data theft.

Exam trap

The trap here is that candidates may prioritize SMTP open relay or SSH weak MAC algorithms because they sound like common misconfigurations, but the CISSP exam emphasizes that vulnerabilities with direct, remote exploitation for data disclosure (like Heartbleed) must be remediated first under the principle of risk prioritization.

How to eliminate wrong answers

Option A is wrong because not all vulnerabilities have the same severity or exploitability; prioritization must be based on risk, not just host commonality. Option B is wrong because SSH weak MAC algorithms (e.g., HMAC-MD5) weaken integrity but are not remotely exploitable for direct data disclosure like Heartbleed; they are a lower-priority hardening issue. Option C is wrong because SMTP open relay allows unauthorized email forwarding (spam) but does not expose sensitive server memory or credentials; it is a configuration flaw with lower impact on confidentiality.

49
MCQhard

Refer to the exhibit. What is a potential security weakness in this policy?

A.It does not specify a principal
B.It allows all actions on the bucket
C.It grants access to a private IP range which is not routable over the internet
D.It uses a condition that can be bypassed
AnswerC

Private IP ranges are not seen as source IPs by AWS; the condition will never be satisfied for external requests.

Why this answer

Option C is correct because the policy grants access to a private IP range (e.g., 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) which is not routable over the internet. This means the condition is ineffective for controlling access from external sources, as private IP addresses are only meaningful within a local network and cannot be used to authenticate or authorize remote users. An attacker could spoof such an IP address from within the same network or bypass the restriction entirely if the policy is intended to restrict internet-based access.

Exam trap

The trap here is that candidates often assume any IP-based condition is secure, failing to recognize that private IP ranges are non-routable and thus cannot enforce access control from the internet, leading them to overlook the fundamental network-layer limitation.

How to eliminate wrong answers

Option A is wrong because the policy does specify a principal (e.g., an AWS IAM user, role, or account ARN) in the 'Principal' element, so the statement 'It does not specify a principal' is factually incorrect. Option B is wrong because the policy likely restricts actions to specific operations (e.g., s3:GetObject) rather than allowing all actions; the exhibit would show an 'Action' field with limited permissions, not a wildcard. Option D is wrong because the condition (e.g., using 'IpAddress' with a private IP range) is syntactically valid and cannot be bypassed by altering the request; the weakness is that the condition itself is ineffective due to the non-routable nature of the IP range, not that the condition mechanism is flawed.

50
MCQmedium

A security analyst is reviewing logs from a web application firewall (WAF) and notices multiple requests containing the payload "1=1--" in the query string. The analyst suspects a SQL injection attack. Which of the following is the BEST immediate action to validate the suspicion?

A.Use a manual SQL injection tool like sqlmap to test the application.
B.Implement prepared statements in the application code.
C.Run a vulnerability scan with a SQL injection detection module.
D.Check the application logs for database error messages.
AnswerD

Application logs may show database errors that confirm successful injection.

Why this answer

Checking the application logs for database error messages is the best immediate action because SQL injection attempts often trigger verbose database errors (e.g., MySQL syntax errors, ODBC error codes) that confirm the injection point. This passive validation requires no additional tools and directly correlates the WAF alert with backend behavior, avoiding the risk of actively exploiting a live system.

Exam trap

The trap here is that candidates often choose an active testing tool (Option A) or a remediation step (Option B) instead of recognizing that passive log review is the safest and most immediate validation method in a security assessment context.

How to eliminate wrong answers

Option A is wrong because using a manual SQL injection tool like sqlmap on a production system without prior validation could cause data corruption, denial of service, or legal/authorization violations, and is not an immediate passive validation step. Option B is wrong because implementing prepared statements is a long-term remediation measure, not a validation technique; it does not help confirm whether the observed payload actually succeeded. Option C is wrong because running a vulnerability scan with a SQL injection detection module is an active assessment that may introduce additional load or false positives, and is less immediate than checking existing logs for direct evidence of exploitation.

51
Multi-Selecthard

Which THREE of the following are common methods used in security assessment and testing? (Select exactly 3.)

Select 3 answers
A.Risk analysis
B.Penetration testing
C.Security auditing
D.Forensic analysis
E.Vulnerability scanning
AnswersB, C, E

Penetration testing is a common assessment method.

Why this answer

Penetration testing is a common method in security assessment and testing that simulates real-world attacks to identify exploitable vulnerabilities. Unlike vulnerability scanning, which only identifies potential weaknesses, penetration testing actively exploits them to validate security controls and measure the impact of a breach.

Exam trap

The trap here is that candidates confuse risk analysis (a management activity) with security testing, or mistake forensic analysis (a reactive process) for a proactive assessment method, leading them to select options outside the three correct ones (penetration testing, security auditing, vulnerability scanning).

52
MCQeasy

A security analyst reviews the syslog configuration exhibit. What is the primary security concern with this configuration?

A.The remote syslog server is not configured to receive logs
B.Logs are sent in clear text to the remote syslog server
C.The logging level for authentication is set to 'none'
D.Local7 and mail logs are being sent to different destinations
AnswerB

UDP syslog is unencrypted.

Why this answer

The configuration shows syslog messages being sent to a remote server using UDP port 514 without any encryption or authentication mechanism. By default, syslog over UDP transmits all log data in clear text, meaning any attacker with network access can intercept and read sensitive information such as failed login attempts, user names, or system events. This violates the confidentiality principle and is the primary security concern because it exposes potentially sensitive audit data in transit.

Exam trap

The trap here is that candidates often focus on the logging levels or destinations (options C and D) as misconfigurations, but the real vulnerability is the clear-text transmission of logs over an unencrypted channel, which is a classic confidentiality risk in syslog implementations.

How to eliminate wrong answers

Option A is wrong because the configuration explicitly specifies a remote syslog server IP address and port, and the syslog protocol does not require the server to pre-acknowledge receipt; the client will send logs regardless of server readiness. Option C is wrong because the exhibit shows 'auth.*' being logged to the remote server, and the 'none' level is not a valid syslog severity level; the configuration uses standard severity levels like 'info' and 'debug', and authentication logging is clearly enabled. Option D is wrong because sending different facility logs to different destinations is a common and valid practice for log segregation, and it does not introduce a security vulnerability; the concern is the lack of encryption, not the distribution of logs.

53
Multi-Selecteasy

During a security assessment, an organization wants to ensure that its web application is resistant to common attacks. Which THREE testing types should be included?

Select 3 answers
A.Input validation testing
B.Network segmentation testing
C.Load testing
D.Authentication testing
E.Session management testing
AnswersA, D, E

Identifies injection and XSS vulnerabilities.

Why this answer

Input validation testing (A) is correct because it directly addresses common web application attacks such as SQL injection, cross-site scripting (XSS), and command injection by ensuring that all user-supplied data is properly sanitized, validated, and encoded before processing. Without rigorous input validation, an attacker can manipulate input fields to execute arbitrary code or access unauthorized data, making this a foundational security control in the OWASP Top 10.

Exam trap

ISC2 often tests the distinction between security testing types and operational or performance testing, so candidates mistakenly choose load testing because they confuse 'resistance to attacks' with 'resistance to high traffic' (e.g., DDoS), but load testing does not assess application-layer vulnerabilities.

54
MCQmedium

An organization has implemented a new SIEM system. What is the most critical factor for its effectiveness?

A.The cost of the solution
B.The speed of data ingestion
C.The ability to correlate events
D.The number of log sources integrated
AnswerC

Correlation enables identification of patterns and incidents across multiple sources.

Why this answer

The most critical factor for a SIEM's effectiveness is its ability to correlate events across diverse log sources to detect complex attack patterns, such as a lateral movement chain or a multi-stage exploit. Without correlation, a SIEM is merely a log aggregator, unable to distinguish a true security incident from isolated benign events. Correlation engines apply rule-based or statistical analysis (e.g., using Sigma rules or machine learning) to identify relationships between seemingly unrelated log entries, which is the core value proposition of a SIEM.

Exam trap

The trap here is that candidates often mistake 'speed of data ingestion' or 'number of log sources' as the primary success factor, confusing operational metrics with the analytical core of a SIEM, which is correlation.

How to eliminate wrong answers

Option A is wrong because the cost of the solution does not directly impact the SIEM's analytical capability; a high-cost SIEM can still be ineffective if its correlation logic is weak or misconfigured. Option B is wrong because while data ingestion speed is important for real-time monitoring, it is not the most critical factor; a SIEM that ingests data quickly but lacks correlation logic will still fail to detect sophisticated attacks. Option D is wrong because the number of log sources integrated is secondary to the quality of correlation; integrating many sources without proper normalization and correlation rules leads to noise and alert fatigue, not improved detection.

55
MCQhard

A security analyst notes that a recent penetration test successfully exploited a vulnerability in a legacy application that cannot be patched. The analyst recommends implementing network segmentation to limit the application's exposure. This recommendation is an example of:

A.Risk mitigation
B.Risk acceptance
C.Risk avoidance
D.Risk transfer
AnswerA

Network segmentation reduces the impact, mitigating the risk.

Why this answer

Implementing network segmentation to limit exposure of an unpatched legacy application is a classic example of risk mitigation. By isolating the application on a separate network segment (e.g., using VLANs or firewall rules), the analyst reduces the likelihood or impact of a successful exploit, even though the underlying vulnerability remains unpatched. This directly aligns with the CISSP definition of risk mitigation: applying controls to reduce risk to an acceptable level.

Exam trap

The trap here is confusing risk mitigation with risk avoidance — candidates often think that any action taken to address a vulnerability is avoidance, but avoidance requires eliminating the risk entirely (e.g., removing the application), whereas mitigation reduces but does not eliminate the risk.

How to eliminate wrong answers

Option B (Risk acceptance) is wrong because risk acceptance involves formally acknowledging the risk and deciding not to take any action, whereas the analyst is actively implementing a control (segmentation). Option C (Risk avoidance) is wrong because risk avoidance would mean discontinuing the application or removing it entirely to eliminate the risk, not isolating it. Option D (Risk transfer) is wrong because risk transfer shifts the financial burden of a loss to a third party (e.g., via insurance or outsourcing), not implementing a technical control like segmentation.

56
Multi-Selectmedium

A security team is planning to conduct a social engineering test as part of an organization's security assessment. Which THREE of the following should be included in the test plan to ensure ethical and legal compliance?

Select 3 answers
A.Obtain explicit written consent from management
B.Use real personal information of targets
C.Have a stop word or abort mechanism
D.Define clear scope and boundaries
E.Include all employees without exceptions
AnswersA, C, D

Written consent provides legal authorization and clarifies expectations.

Why this answer

Option A is correct because explicit written consent from management is a foundational ethical and legal requirement for social engineering tests. Without documented authorization, the test could be construed as unauthorized access or harassment, violating laws such as the Computer Fraud and Abuse Act (CFAA) or GDPR. This consent ensures the test is conducted under the organization's official risk management framework and provides legal protection for the testers.

Exam trap

The trap here is that candidates may think 'obtain consent' is optional if the test is internal, or they may confuse 'informed consent' with 'blanket approval' and fail to recognize that explicit written consent from management is mandatory to avoid legal and ethical violations.

57
MCQmedium

A company wants to test the effectiveness of its security controls without causing disruption. Which type of assessment is most appropriate?

A.Penetration test
B.Security audit
C.Vulnerability scan
D.Red team exercise
AnswerC

Vulnerability scanning assesses systems passively without exploitation, minimizing disruption.

Why this answer

A vulnerability scan is the most appropriate assessment because it passively identifies known vulnerabilities (e.g., missing patches, misconfigurations) without exploiting them, ensuring no disruption to production systems. Unlike active exploitation tests, vulnerability scanners use non-intrusive probes (e.g., banner grabbing, version fingerprinting) that do not trigger denial-of-service or system crashes. This aligns with the requirement to test control effectiveness while maintaining operational stability.

Exam trap

ISC2 often tests the distinction between passive identification (vulnerability scan) and active exploitation (penetration test), where candidates mistakenly choose penetration test because they think it provides a more thorough assessment, ignoring the explicit 'without causing disruption' constraint.

How to eliminate wrong answers

Option A is wrong because a penetration test involves active exploitation of vulnerabilities, which can cause service disruptions (e.g., buffer overflows, resource exhaustion) and is not suitable when the primary goal is to avoid disruption. Option B is wrong because a security audit focuses on verifying compliance with policies, standards, or regulations (e.g., ISO 27001) through document review and interviews, not on actively testing technical control effectiveness against real-world threats. Option D is wrong because a red team exercise is a full-scope adversarial simulation that includes social engineering, physical breaches, and aggressive exploitation, often causing significant operational disruption and alerting defenders, contradicting the 'without causing disruption' requirement.

58
MCQmedium

Refer to the exhibit. Based on the exhibit, what does the sequence of requests indicate?

A.A session hijacking attempt
B.A successful brute-force attack
C.A privilege escalation attempt
D.A directory traversal attack
AnswerC

After being denied access to /admin/dashboard, the user immediately obtains access, suggesting elevation of privileges.

Why this answer

The sequence of requests shows a user accessing a low-privilege resource (e.g., /user/profile) and then immediately requesting a high-privilege resource (e.g., /admin/config) without proper authentication or authorization checks. This pattern indicates an attempt to escalate privileges by exploiting missing access controls, which is a classic privilege escalation attempt.

Exam trap

The trap here is confusing a privilege escalation attempt with a session hijacking attempt, as both involve unauthorized access, but privilege escalation focuses on vertical movement within the same session, while session hijacking steals an existing session from another user.

How to eliminate wrong answers

Option A is wrong because session hijacking involves stealing or predicting a valid session token (e.g., via XSS or packet sniffing), not a sequence of requests from low to high privilege resources. Option B is wrong because a brute-force attack would show repeated login attempts with different credentials (e.g., multiple POST requests to /login), not a single pair of requests. Option D is wrong because a directory traversal attack uses path manipulation (e.g., ../) to access files outside the web root, not a change in resource privilege levels.

59
MCQeasy

A security analyst is conducting a review of aggregated logs from firewalls, IDS, and servers to detect anomalous behavior. This activity is best described as:

A.Security log analysis
B.Risk assessment
C.Vulnerability scanning
D.Penetration testing
AnswerA

Log analysis is the process of reviewing logs to detect incidents and anomalies.

Why this answer

Security log analysis involves the systematic review of logs from firewalls, IDS, and servers to identify patterns, anomalies, or indicators of compromise. This activity directly matches the scenario of detecting anomalous behavior through aggregated log review, which is a core practice in security monitoring and incident detection.

Exam trap

The trap here is confusing security log analysis (a passive, detective control) with vulnerability scanning or penetration testing (active, preventive controls), leading candidates to choose a more 'technical-sounding' option like vulnerability scanning.

How to eliminate wrong answers

Option B is wrong because risk assessment is a broader process of identifying, evaluating, and prioritizing risks, not the specific act of reviewing aggregated logs for anomalies. Option C is wrong because vulnerability scanning uses automated tools to probe systems for known weaknesses (e.g., missing patches, misconfigurations), not to analyze historical log data for anomalous behavior. Option D is wrong because penetration testing is an active, simulated attack to exploit vulnerabilities, not a passive review of log data.

60
MCQmedium

An organization wants to verify that its security policies are being followed by employees. Which testing method is most appropriate?

A.Compliance audit
B.Vulnerability scan
C.Risk assessment
D.Penetration test
AnswerA

A compliance audit verifies adherence to policies and standards.

Why this answer

A compliance audit is the most appropriate method to verify that security policies are being followed because it systematically compares actual practices, configurations, and controls against documented policy requirements. Unlike technical scans that identify vulnerabilities, a compliance audit focuses on adherence to rules, standards, and procedures, often using checklists derived from frameworks like ISO 27001 or NIST SP 800-53.

Exam trap

The trap here is that candidates confuse 'compliance audit' with 'vulnerability scan' because both involve checking systems, but the audit is specifically about policy adherence by people and processes, not technical flaws.

How to eliminate wrong answers

Option B (Vulnerability scan) is wrong because it identifies technical weaknesses in systems (e.g., missing patches, open ports) but does not assess whether employees are following security policies such as password handling or data classification procedures. Option C (Risk assessment) is wrong because it evaluates the likelihood and impact of threats to assets, not the degree of policy compliance by personnel. Option D (Penetration test) is wrong because it simulates attacks to exploit vulnerabilities and gain unauthorized access, focusing on technical defenses rather than verifying employee adherence to policies.

61
MCQhard

During a penetration test, the tester gains access to a server and finds sensitive customer data. What should the tester do next?

A.Exfiltrate the data to demonstrate the risk
B.Delete the data to prevent exposure
C.Continue testing to find more vulnerabilities
D.Report the finding immediately and secure the data
AnswerD

This follows responsible disclosure and protects the organization's data.

Why this answer

Option D is correct because the tester's primary responsibility is to protect sensitive data and minimize risk. Upon discovering PII or other regulated data, the tester must immediately report the finding to the client and secure the data (e.g., by isolating the server or encrypting the data in place) to prevent unauthorized access or exposure. This aligns with the ethical hacking code of conduct and the CISSP principle of 'do no harm'.

Exam trap

The trap here is that candidates confuse the goal of demonstrating risk (which is valid in a controlled lab) with the ethical obligation to protect live data; the CISSP exam emphasizes that a tester must never exfiltrate or alter production data, even to prove a point.

How to eliminate wrong answers

Option A is wrong because exfiltrating data, even to demonstrate risk, violates confidentiality and legal agreements (e.g., GDPR, HIPAA) and could cause real harm; penetration testers must never copy or remove sensitive data without explicit written authorization. Option B is wrong because deleting data destroys evidence and could disrupt business operations or violate chain-of-custody requirements; the tester should not alter production data. Option C is wrong because continuing to test without first securing the exposed data increases the risk of further compromise and violates the responsible disclosure process; the tester must halt and report the finding immediately.

62
MCQmedium

A security analyst runs a vulnerability scan and sees the output shown in the exhibit. The analyst wants to remediate the most critical issue first. Which action should the analyst take to address the SQL injection vulnerability?

A.Deploy a web application firewall (WAF) with SQL injection signatures.
B.Rewrite the database query to use parameterized statements.
C.Implement strict input validation on the 'id' parameter.
D.Encode all output from the 'id' parameter using HTML entity encoding.
AnswerB

Parameterized queries prevent SQL injection by separating code from data.

Why this answer

Option D is correct because the best practice for preventing SQL injection is to use parameterized queries or prepared statements, which separate SQL logic from data. Option A is wrong because input validation alone is insufficient and can be bypassed. Option B is wrong because encoding only helps with XSS, not SQLi.

Option C is wrong because WAF rules are a compensating control but not the primary fix.

63
MCQeasy

A security tester needs to test a new application for vulnerabilities but is concerned about contaminating the production database with test data. What is the best practice for conducting such tests?

A.Perform the test on the production environment during off-hours
B.Create a separate test environment with anonymized production data
C.Test only from the network perimeter to avoid data exposure
D.Use synthetic data that mimics production but is not real
AnswerB

Provides realistic testing without risk to production.

Why this answer

Option B is correct because creating a separate test environment with anonymized production data ensures that testing does not affect the integrity or availability of the production database while still using realistic data to uncover vulnerabilities. Anonymization techniques, such as data masking or tokenization, remove personally identifiable information (PII) while preserving referential integrity and data distribution, allowing for accurate security testing without contaminating production systems.

Exam trap

The trap here is that candidates often confuse 'synthetic data' (Option D) with 'anonymized production data' (Option B), not realizing that synthetic data may not accurately reflect real-world data complexity, while anonymized production data preserves the necessary characteristics for thorough vulnerability testing without risking data contamination.

How to eliminate wrong answers

Option A is wrong because performing tests on the production environment during off-hours still risks contaminating the production database with test data, potentially corrupting live data, causing availability issues, or violating compliance requirements (e.g., GDPR, PCI DSS). Option C is wrong because testing only from the network perimeter does not address the core concern of database contamination; it focuses on network-level controls rather than data integrity, and internal application vulnerabilities may remain undetected. Option D is wrong because synthetic data that mimics production but is not real often lacks the complexity, edge cases, and statistical distributions of real data, which can lead to missed vulnerabilities that only manifest with actual production-like data patterns.

64
MCQhard

A financial institution is required to perform regular penetration tests on its online banking platform. The testing must be as realistic as possible while minimizing risk to production data. Which of the following approaches BEST meets these requirements?

A.Conduct the test on the production environment using anonymized production data.
B.Use an automated vulnerability scanner on the production environment.
C.Perform the test during off-peak hours on the production system with read-only access.
D.Build a replica of the production environment and test against it with realistic attack scenarios.
AnswerD

A replica environment allows full attack simulation without risking production data.

Why this answer

Option D is correct because building a replica (staging) environment allows the penetration test to simulate realistic attack scenarios without any risk to production data or system availability. This approach ensures the test can include destructive or disruptive techniques (e.g., SQL injection, privilege escalation) that would be unsafe on a live system, while still accurately reflecting the production architecture and configurations.

Exam trap

The trap here is that candidates often choose Option A or C because they focus on 'realistic' testing and assume production is the only way to achieve realism, overlooking that a well-constructed replica provides identical attack surfaces without the unacceptable risk to production integrity.

How to eliminate wrong answers

Option A is wrong because using anonymized production data in the production environment still exposes the live system to potential service disruption or data corruption from active exploitation attempts, and anonymization does not eliminate the risk of data leakage or system instability. Option B is wrong because an automated vulnerability scanner only identifies known vulnerabilities and lacks the manual, creative exploitation techniques required for a realistic penetration test; it also cannot safely simulate advanced attack chains. Option C is wrong because read-only access prevents the tester from performing many essential penetration testing activities (e.g., writing files, modifying configurations, escalating privileges), and off-peak hours do not eliminate the risk of production impact from active attacks.

65
MCQmedium

A security team is analyzing logs from multiple sources and notices anomalous outbound traffic to a known command-and-control server. What is the most likely conclusion?

A.A misconfigured firewall is causing traffic
B.A host is compromised and is beaconing
C.An employee is streaming video to a personal server
D.The network is under a DDoS attack
AnswerB

Behavior consistent with malware communicating with its C2 server.

Why this answer

Anomalous outbound traffic to a known command-and-control (C2) server is a classic indicator of compromise (IoC). Compromised hosts often beacon outbound to C2 infrastructure using HTTP, HTTPS, or DNS tunnels to receive instructions or exfiltrate data. This pattern is distinct from normal traffic and is a primary focus of network security monitoring and intrusion detection systems (IDS).

Exam trap

The trap here is that candidates may confuse anomalous outbound traffic with a network misconfiguration or a benign user activity, failing to recognize that beaconing to a known malicious destination is a definitive sign of compromise, not a configuration error or a DDoS symptom.

How to eliminate wrong answers

Option A is wrong because a misconfigured firewall would typically cause blocked or dropped traffic, not specifically targeted outbound connections to a known C2 server; firewall misconfigurations rarely produce beaconing behavior to a single external IP. Option C is wrong because streaming video to a personal server would generate high-bandwidth, continuous traffic to a likely consumer CDN or IP, not periodic, low-and-slow beaconing to a known malicious C2 server. Option D is wrong because a DDoS attack involves a flood of traffic from many sources to a target, not anomalous outbound traffic from a single internal host to a specific C2 server.

66
Multi-Selecteasy

A penetration tester is planning an engagement. Which of the following rules of engagement should be defined before testing begins? (Select TWO.)

Select 2 answers
A.The exact exploits to be used
B.Emergency contact procedures
C.The scope of systems to be tested
D.The tester's personal compensation
E.The names of employees to be targeted
AnswersB, C

Emergency contacts ensure proper response if issues arise.

Why this answer

Emergency contact procedures (B) are a critical component of the Rules of Engagement (RoE) because they define who to notify if an incident occurs during testing, such as an unintended system outage or detection by security monitoring. Without this, the tester risks legal or operational repercussions. The scope of systems to be tested (C) is equally essential as it explicitly lists IP ranges, hostnames, and network segments authorized for testing, preventing unauthorized access and ensuring compliance with the engagement contract.

Exam trap

The trap here is that candidates confuse 'Rules of Engagement' with a detailed test plan or contract, leading them to select options like 'exact exploits' (A) or 'compensation' (D), which are operational or financial details, not the high-level boundaries that define what is allowed and how to handle emergencies.

67
MCQhard

A security team is evaluating the results of a penetration test. The test revealed that a low-privileged user could escalate privileges to domain administrator. This is a critical finding. Which of the following should be the immediate next step?

A.Conduct a full incident response
B.Re-image all affected systems
C.Terminate the user's account
D.Implement patch management for the exploited vulnerability
AnswerD

Patching the vulnerability eliminates the attack vector.

Why this answer

Option D is correct because the immediate priority after discovering a privilege escalation vulnerability is to remediate the root cause—typically a missing patch or misconfiguration—to prevent further exploitation. In a penetration test context, the finding indicates a technical flaw (e.g., a missing security update for CVE-2021-42287 or a misconfigured Active Directory ACL) that must be patched or hardened first. Full incident response (A) is premature without evidence of active compromise, and re-imaging (B) or account termination (C) are reactive measures that do not address the underlying vulnerability.

Exam trap

The trap here is that candidates confuse a penetration test finding (a vulnerability) with an active security incident, leading them to choose incident response (A) instead of the correct remediation step (D), which is to patch the exploited vulnerability first.

How to eliminate wrong answers

Option A is wrong because conducting a full incident response assumes a confirmed breach or ongoing malicious activity, but a penetration test finding alone does not indicate active exploitation—it identifies a vulnerability that should be remediated first. Option B is wrong because re-imaging all affected systems is a drastic, resource-intensive step that does not fix the root cause (e.g., an unpatched domain controller or misconfigured Group Policy); the vulnerability would persist if the same image or configuration is reapplied. Option C is wrong because terminating the user's account only removes one low-privileged account but does not prevent another user or attacker from exploiting the same privilege escalation path (e.g., a Kerberos delegation flaw or SeBackupPrivilege abuse).

68
MCQmedium

An e-commerce company is preparing for a PCI DSS compliance assessment. The assessor needs to perform an external network vulnerability scan. The company has a public-facing web application that processes credit card payments. The scan must be conducted from an external IP address that is not whitelisted by the company's firewall. The security team is concerned that the scan might trigger intrusion detection alerts and cause operational disruptions. What is the BEST approach to handle this situation?

A.Whitelist the assessor's IP address in the firewall and intrusion detection system.
B.Use an authenticated scan with valid credentials provided by the company.
C.Perform the scan during off-peak hours and inform the security operations center.
D.Conduct a manual penetration test instead of an automated vulnerability scan.
AnswerC

This reduces disruption and maintains the required external scanning perspective.

Why this answer

Option C is correct because the PCI DSS requirement for an external network vulnerability scan mandates that the scan be conducted from an external IP address not whitelisted by the firewall to simulate a real attacker's perspective. Performing the scan during off-peak hours and informing the Security Operations Center (SOC) minimizes operational disruption and allows the SOC to correlate the scan traffic with known activity, reducing false-positive alerts. This approach balances compliance with operational stability without violating the scan's external-source requirement.

Exam trap

The trap here is that candidates mistakenly think whitelisting the assessor's IP (Option A) is acceptable for compliance, but PCI DSS explicitly forbids this to ensure the scan reflects a real attacker's view, and the question's wording 'not whitelisted' reinforces this constraint.

How to eliminate wrong answers

Option A is wrong because whitelisting the assessor's IP address in the firewall and IDS would violate the PCI DSS requirement that the scan must be conducted from an external IP not whitelisted, thereby invalidating the assessment's authenticity. Option B is wrong because authenticated scans are used for internal vulnerability assessments to test patch levels from an insider perspective, but PCI DSS external scans must be unauthenticated to simulate an unprivileged external attacker. Option D is wrong because a manual penetration test cannot replace the required automated external vulnerability scan; PCI DSS mandates automated scanning tools (e.g., ASV-approved scanners) to ensure consistent, repeatable coverage of all externally accessible IPs and services.

69
MCQhard

A global technology firm has implemented a continuous integration/continuous deployment (CI/CD) pipeline for its flagship software product. The security testing team is tasked with integrating security testing into the pipeline. The team has decided to use a static application security testing (SAST) tool and a software composition analysis (SCA) tool. They are currently running both tools every night against the entire codebase, but the developers complain that the reports are too long and often contain false positives. The team wants to improve the efficiency without sacrificing security coverage. Which of the following is the BEST strategy?

A.Decrease the scan frequency to weekly to reduce noise.
B.Implement a developers' feedback loop for false positives and tune the tools.
C.Replace SAST with dynamic application security testing (DAST) for more accurate results.
D.Run SAST and SCA only on new code changes committed to the main branch.
AnswerB

Tuning reduces false positives, improving efficiency while maintaining comprehensive scanning.

Why this answer

Option B is correct because tuning the SAST and SCA tools based on developer feedback directly addresses the false positive issue while maintaining security coverage. By establishing a feedback loop, the team can adjust rule sets, suppress known false positives, and reduce report noise without reducing scan frequency or scope. This approach aligns with the principle of continuous improvement in DevSecOps, ensuring that security testing remains efficient and actionable.

Exam trap

The trap here is that candidates may choose Option D (scan only new code) because it seems efficient, but they overlook the need for continuous scanning of the entire codebase to catch regressions and vulnerabilities in unchanged code, which is a core requirement for maintaining security coverage in CI/CD pipelines.

How to eliminate wrong answers

Option A is wrong because decreasing scan frequency to weekly reduces the frequency of security feedback, potentially allowing vulnerabilities to persist longer in the pipeline, which sacrifices security coverage and does not address the false positive problem. Option C is wrong because replacing SAST with DAST is not a direct solution; DAST analyzes running applications and has different strengths (e.g., runtime issues), but it does not replace the need for static analysis and SCA for dependency vulnerabilities, and it may introduce its own false positives. Option D is wrong because running SAST and SCA only on new code changes to the main branch misses vulnerabilities in existing code and dependencies that could be introduced through configuration changes or updates, and it fails to provide comprehensive coverage of the entire codebase.

70
Matchingmedium

Match each security assessment type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Automated check for known vulnerabilities

Simulated attack to exploit vulnerabilities

Systematic evaluation of compliance with policies

Identification and analysis of risks

Why these pairings

Assessments help identify and mitigate security weaknesses.

Ready to test yourself?

Try a timed practice session using only Security Assessment and Testing questions.