Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Certified Information Systems Security Professional CISSP practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions. Exam code: CISSP. Vendor: ISC2.

Scenario guide

How to approach "refer to the exhibit" practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

- How to extract the relevant detail from an exhibit.
- How topology, command output or routing information affects the answer.
- How to avoid answering from memory before reading the evidence.
- How to map the exhibit back to the exam objective.

Practice scenarios

Question 1 (hard, multiple choice)

Refer to the exhibit. An organization uses this ACL on the external interface of a border router to control access to internal services. A security analyst discovered that an attacker from the Internet was able to SSH into the internal server at 192.168.1.100. Which of the following is the MOST likely reason for this security gap?

Exhibit

Access control list (ACL) extract from a Cisco router:
!
access-list 100 permit tcp 10.0.0.0 0.255.255.255 any eq 443
access-list 100 permit tcp 10.0.0.0 0.255.255.255 host 192.168.1.100 eq 22
access-list 100 deny tcp any host 10.0.0.1 eq 80
access-list 100 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group 100 in
!

Question 2 (easy, multiple choice)

Refer to the exhibit. An IAM policy is attached to a user. What is the effective permission when the user attempts to read the object 'confidential/report.pdf'?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/confidential/*"
    }
  ]
}

Question 3 (easy, multiple choice)

Refer to the exhibit. A security team is reviewing switch configurations and notices that the native VLAN is set to VLAN 10. An attacker on an access port in VLAN 10 sends a frame with a VLAN tag of VLAN 20 inside another frame. Which type of attack does this configuration make possible?

Exhibit

interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 1-100,110-200

Question 4 (hard, multiple choice)

Refer to the exhibit. Which security model does this policy enforce?

Exhibit

The TSF shall enforce the Access Control SFP on all subjects and objects covered by the following rules:
(a) Subjects with a security level less than the object's security level are denied read access.
(b) Subjects with a security level greater than the object's security level are denied write access.

Question 5 (medium, multiple choice)

Refer to the exhibit. A security analyst finds these logs on a Linux server. What is the most likely cause of these events?

Exhibit

Feb 10 10:23:45 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Feb 10 10:23:48 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Feb 10 10:23:50 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2

Question 6 (hard, multiple choice)

An auditor is reviewing the JSON policy exhibit. What is the most likely security issue with this policy?

Exhibit

{
  "policyName": "DataAccessPolicy",
  "rules": [
    {
      "effect": "Allow",
      "action": "read",
      "resource": "customers",
      "condition": {
        "ipAddress": {
          "cidr": "10.0.0.0/8"
        }
      }
    },
    {
      "effect": "Deny",
      "action": "write",
      "resource": "*"
    },
    {
      "effect": "Allow",
      "action": "*",
      "resource": "public_data"
    }
  ]
}

Question 7 (easy, multiple choice)

Refer to the exhibit. Based on the exhibit, what is the most urgent remediation?

Exhibit

CVE-2023-1234 - Apache HTTP Server 2.4.49 - Path Traversal
- Severity: Critical
- Exploit Available: Yes
- Plugin Output: The remote web server is running Apache HTTP Server version 2.4.49 which is vulnerable to a path traversal attack.

Question 8 (medium, multiple choice)

Refer to the exhibit. The network administrator applies this access control list to the inbound interface of a router connecting to the internet. Which type of access control model is being implemented?

Exhibit

access-list 101 permit tcp any host 192.168.1.10 eq 443
access-list 101 permit tcp any host 192.168.1.10 eq 80
access-list 101 deny ip any any log

Question 9 (hard, multiple choice)

Refer to the exhibit. A user 'jdoe' is a member of the Domain Users group but not of the Administrators or Remote Desktop Users groups. The user reports they cannot log on locally to a domain-joined Windows server, but they can log on via RDP. Based on the GPO results, what is the MOST likely reason?

Exhibit

Active Directory Group Policy Result:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment:
- Allow log on locally: Administrators, Users
- Deny log on locally: (empty)
- Allow log on through Remote Desktop Services: Administrators
- Deny log on through Remote Desktop Services: (empty)

Effective Access for user 'jdoe' (member of Domain Users):
- Log on locally: Denied (via membership in 'Remote Desktop Users' group? No)
- Log on through RDP: Not explicitly allowed or denied.

Question 10 (medium, multiple choice)

Based on the exhibit, what security control is being demonstrated?

Exhibit

```
Error log:
2025-03-15 14:23:45 ERROR Authentication failed for user 'admin' from IP 192.168.1.100. Reason: Invalid credentials.
2025-03-15 14:23:47 ERROR Authentication failed for user 'admin' from IP 192.168.1.100. Reason: Invalid credentials.
2025-03-15 14:23:49 ERROR Authentication failed for user 'admin' from IP 192.168.1.100. Reason: Invalid credentials.
2025-03-15 14:23:51 ERROR Account locked for user 'admin' due to multiple failed attempts.
```

Question 11 (medium, multiple choice)

A security engineer reviews the S3 bucket policy in the exhibit. What is the most significant security issue with this configuration?

Exhibit

S3 Bucket Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::confidential-bucket/*"
    }
  ]
}

Question 12 (easy, multiple choice)

An analyst reviews the exhibit showing Windows security event logs. What activity should be investigated as a potential data exfiltration attempt?

Exhibit

Event Log Entry:
Time: 2025-02-15 09:23:45
Event ID: 4663
User: SEC\jsmith
Object: \\fileserver\finance\PII_data.xlsx
Access: Read
Process: excel.exe

Time: 2025-02-15 09:24:10
Event ID: 4663
User: SEC\jsmith
Object: \\fileserver\finance\PII_data.xlsx
Access: Write
Process: excel.exe

Time: 2025-02-15 09:25:00
Event ID: 5145
User: SEC\jsmith
Object: \\fileserver\finance\PII_data.xlsx
Access: Delete
Process: cmd.exe

Question 13 (hard, multiple choice)

Refer to the exhibit. The ACL is applied inbound on the DMZ interface. What is the effect of this configuration?

Exhibit

interface GigabitEthernet0/1
 description DMZ to Web Server
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description Inside to Corp Network
 ip address 192.168.1.1 255.255.255.0
!
access-list 100 permit tcp any host 10.0.0.10 eq 80
access-list 100 permit tcp host 10.0.0.10 any established
access-list 100 deny ip any any
!
interface GigabitEthernet0/1
 ip access-group 100 in

Question 14 (easy, multiple choice)

A system administrator receives the vulnerability scan report snippet shown in the exhibit. Which of the following actions should the administrator take to remediate the vulnerability?

Exhibit

```
[Vulnerability Scan Report - Snippet]
Host: 10.0.0.15
Port: 22/tcp
Service: SSH
Vulnerability: Weak SSH Cryptographic Algorithms
Severity: Medium
CVE: CVE-2016-0777
Fix: Disable weak ciphers (arcfour, blowfish-cbc) and enable strong ones (aes256-ctr, aes128-ctr)
```

Question 15 (hard, multiple choice)

A security analyst receives the IDS alert shown in the exhibit. The analyst checks the web server logs and finds that the request returned a 200 OK status. Which of the following should the analyst do NEXT?

Exhibit

```
[IDS Alert]
Timestamp: 2024-03-15 14:32:17
Signature: ET WEB_SERVER SQL Injection Attempt
Source IP: 192.168.1.105
Destination IP: 10.0.0.5
Destination Port: 80
Payload: GET /search.php?q=1' OR '1'='1' HTTP/1.1
```

These CISSP practice questions are part of Courseiva's free ISC2 certification practice question bank. Courseiva provides original exam-style CISSP questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.