
Scenario-based practice

Hard Difficulty Questions

Practise CISSP (Certified Information Systems Security Professional) questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: CISSP | Vendor: ISC2

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply a concept in context, not just recognise its definition. For each scenario you should work out:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice scenarios

Question 1 (hard, multi select)

Which THREE of the following are common indicators of a privilege escalation attack? (Choose three.)

Question 2 (hard, multiple choice)

A multinational corporation is designing a data retention schedule. Which factor is most critical when determining retention periods for personal data subject to the GDPR?

Question 3 (hard, multiple choice)

Refer to the exhibit. An organization uses this ACL on the external interface of a border router to control access to internal services. A security analyst discovered that an attacker from the Internet was able to SSH into the internal server at 192.168.1.100. Which of the following is the MOST likely reason for this security gap?

Exhibit

Access control list (ACL) extract from a Cisco router:
!
access-list 100 permit tcp 10.0.0.0 0.255.255.255 any eq 443
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.1.100 eq 22
access-list 100 deny tcp any host 10.0.0.1 eq 80
access-list 100 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group 100 in
!

Question 4 (hard, multi select)

A security analyst is reviewing an organization's password policy. Which THREE of the following are considered best practices for password security according to current NIST guidelines? (Select three.)

Question 5 (hard, multi select)

Which TWO of the following are common causes of network performance degradation that can be detected by network monitoring tools?

Question 6 (hard, multiple choice)

A security engineer is troubleshooting a site-to-site IPsec VPN between two firewalls. The tunnel status shows Phase 1 is up but Phase 2 is not. Which of the following is the most likely cause?

Question 7 (hard, multiple choice)

In a software-defined network (SDN) architecture, the control plane is separated from the data plane. A network administrator is troubleshooting packet forwarding delays. Which plane is directly responsible for forwarding packets?

Question 8 (hard, multiple choice)

A network administrator has configured private VLANs on a switch. The host in this port is part of PVLAN 100, and its associated secondary PVLAN is 200. What is the expected behavior for traffic from this host to other hosts in the same primary VLAN 100?

Exhibit

Refer to the exhibit. The following is a configuration snippet from a network device:

interface GigabitEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200

Question 9 (hard, multi select)

Which three BGP security mechanisms help protect against route hijacking? (Choose THREE.)

Question 10 (hard, multiple choice)

Refer to the exhibit. Which security model does this policy enforce?

Exhibit

The TSF shall enforce the Access Control SFP on all subjects and objects covered by the following rules:
(a) Subjects with a security level less than the object's security level are denied read access.
(b) Subjects with a security level greater than the object's security level are denied write access.

Question 11 (hard, multiple choice)

An auditor is reviewing the JSON policy exhibit. What is the most likely security issue with this policy?

Exhibit

Refer to the exhibit.

{
  "policyName": "DataAccessPolicy",
  "rules": [
    {
      "effect": "Allow",
      "action": "read",
      "resource": "customers",
      "condition": {
        "ipAddress": {
          "cidr": "10.0.0.0/8"
        }
      }
    },
    {
      "effect": "Deny",
      "action": "write",
      "resource": "*"
    },
    {
      "effect": "Allow",
      "action": "*",
      "resource": "public_data"
    }
  ]
}

Question 12 (hard, multi select)

Which THREE are key components of a business continuity plan (BCP)?

Question 13 (hard, multiple choice)

A security architect is designing a secure enclave for processing highly sensitive data. The architecture must ensure that even if the operating system is compromised, the enclave's memory contents remain confidential and integrity-protected. Which technology should be used?

Question 14 (hard, multiple choice)

Refer to the exhibit. A user 'jdoe' is a member of the Domain Users group but not of the Administrators or Remote Desktop Users groups. The user reports they cannot log on locally to a domain-joined Windows server, but they can log on via RDP. Based on the GPO results, what is the MOST likely reason?

Exhibit

Refer to the exhibit.

Active Directory Group Policy Result:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment:
- Allow log on locally: Administrators, Users
- Deny log on locally: (empty)
- Allow log on through Remote Desktop Services: Administrators
- Deny log on through Remote Desktop Services: (empty)

Effective Access for user 'jdoe' (member of Domain Users):
- Log on locally: Denied (via membership in 'Remote Desktop Users' group? No)
- Log on through RDP: Not explicitly allowed or denied.

Question 15 (hard, multiple choice)

A security analyst discovers that a service account in Active Directory has not had its password changed in 5 years and has domain admin privileges. The account is used by a legacy application that does not support modern authentication protocols. Which of the following is the MOST secure approach to manage this account?

Question 16 (hard, multi select)

Which THREE of the following are common methods used in security assessment and testing? (Select exactly 3.)

Question 17 (hard, multiple choice)

An AWS security engineer is reviewing the above S3 bucket policy. What is the net effect of this policy on requests to read objects in the 'confidential' folder?

Exhibit

Refer to the exhibit: a snippet from an S3 bucket policy in JSON format.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/confidential/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "10.100.0.0/16"
        }
      }
    }
  ]
}

Question 18 (hard, multiple choice)

A security engineer is designing a new SIEM correlation rule to detect potential data exfiltration. The rule should trigger when a single internal host sends more than 10 MB of data to an external IP address within a 5-minute window, but only if the external IP is not on a whitelist of known business partners. Which approach best minimizes false positives while ensuring effective detection?

Question 19 (hard, multiple choice)

A company's security team discovers that an employee inadvertently shared sensitive customer data via a public cloud storage link. The incident response team contains the breach and notifies affected customers. Which of the following risk management strategies would BEST prevent recurrence?

Question 20 (hard, multiple choice)

A company is decommissioning a data center and needs to dispose of hard drives that contained highly confidential financial data. Which of the following methods provides the HIGHEST assurance that data cannot be recovered?

These CISSP practice questions are part of Courseiva's free ISC2 certification practice question bank. Courseiva provides original exam-style CISSP questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.