CCNA CISSP Assessment Testing Questions

55 questions · CISSP Assessment Testing topic · All types, answers revealed

Question 1 (Multi-Select, hard)

A security team is selecting tools for code review. Which THREE of the following are characteristics of Static Application Security Testing (SAST) tools?

Select 3 answers
A. They require access to the source code
B. They are typically used after deployment
C. They can be integrated into the CI/CD pipeline
D. They analyze the application while it is running
E. They identify vulnerabilities early in the software development lifecycle
Answers: A, C, E

Correct: SAST scans source code statically.

Why this answer

SAST tools analyze source code, bytecode, or binary code without executing the application. They require access to the source code to perform static analysis, scanning for security flaws such as injection vulnerabilities, buffer overflows, and insecure cryptographic implementations. This allows developers to identify and fix vulnerabilities early in the development lifecycle, before the code is compiled or deployed.

Exam trap

The trap here is confusing SAST with DAST: candidates often select 'analyze while running' (Option D) because they think 'static' means 'after deployment' or 'during runtime', but SAST is static (non-executing) and DAST is dynamic (executing).

Question 2 (MCQ, easy)

Which type of SOC report provides a public summary of an organization's controls over security, availability, and confidentiality?

A. SOC 2 Type II
B. SOC 1
C. SOC 2 Type I
D. SOC 3
Answer: D

SOC 3 is the public version of SOC 2.

Why this answer

SOC 3 reports are designed for public distribution and summarize the findings of a SOC 2 engagement.

Question 3 (Multi-Select, hard)

Which THREE of the following are common key performance indicators (KPIs) used in security assessment and testing?

Select 3 answers
A. Mean time to remediate critical vulnerabilities
B. Patch compliance percentage
C. Number of employees trained on security awareness
D. Open vulnerability count by severity
E. Number of help desk tickets
Answers: A, B, D

Remediation time is a key metric for vulnerability management.

Why this answer

Common security KPIs include patch compliance percentage, mean time to remediate critical vulnerabilities, and open vulnerability count by severity.

Question 4 (MCQ, medium)

An organization requires a security assessment that evaluates controls against a specific standard and results in a formal report. The organization is not required to exploit vulnerabilities. Which type of assessment is this?

A. Security audit
B. Vulnerability assessment
C. Penetration test
D. Security review
Answer: A

A security audit is compliance-focused and yields a formal report.

Why this answer

A security audit is a formal, independent evaluation of controls against a predefined standard (e.g., ISO 27001, PCI DSS) that produces a formal report. Unlike other assessments, it does not require exploiting vulnerabilities; it focuses on verifying compliance through evidence collection and testing. This matches the question's requirement for a standard-based evaluation with a formal report and no exploitation.

Exam trap

The trap here is that candidates confuse a vulnerability assessment (which also does not exploit vulnerabilities) with a security audit, but the key differentiator is that an audit evaluates controls against a specific standard and produces a formal report, while a vulnerability assessment only identifies technical weaknesses without a compliance framework.

How to eliminate wrong answers

Option B is wrong because a vulnerability assessment identifies and lists vulnerabilities (e.g., missing patches, misconfigurations) using automated tools like Nessus or OpenVAS, but it does not evaluate controls against a specific standard or produce a formal compliance report. Option C is wrong because a penetration test actively exploits vulnerabilities to gain unauthorized access, which contradicts the requirement that the organization is not required to exploit vulnerabilities. Option D is wrong because a security review is typically an informal, internal evaluation (e.g., peer review of a design or configuration) that does not follow a specific standard or produce a formal, independent report.

Question 5 (Multi-Select, hard)

A security analyst is reviewing logs from multiple systems in a centralized log management platform. Which TWO of the following are primary benefits of centralized log management?

Select 2 answers
A. Simplifies compliance with log retention requirements
B. Enables correlation of events across systems
C. Eliminates the need for log retention policies
D. Reduces the volume of logs generated
E. Automatically patches vulnerabilities
Answers: A, B

Centralized storage makes it easier to manage and retain logs as required.

Why this answer

Centralized log management facilitates correlation across systems and simplifies compliance by providing a single source for log retention and review.

Question 6 (MCQ, medium)

Which vulnerability scoring system provides a standardized severity rating for vulnerabilities based on exploitability and impact metrics?

A. NVD
B. CVE
C. CVSS
D. CWE
Answer: C

CVSS provides a standardized severity score.

Why this answer

The Common Vulnerability Scoring System (CVSS) provides a standardized, quantitative framework for rating the severity of security vulnerabilities. It calculates a score from 0.0 to 10.0 based on exploitability metrics (e.g., attack vector, complexity, privileges required) and impact metrics (e.g., confidentiality, integrity, availability), enabling organizations to prioritize remediation efforts consistently.

Exam trap

The CISSP exam often tests the distinction between a vulnerability database (NVD), an identifier system (CVE), a weakness taxonomy (CWE), and a scoring system (CVSS), so the trap is confusing the repository or identifier with the actual scoring methodology.

How to eliminate wrong answers

Option A is wrong because NVD (National Vulnerability Database) is a repository that stores vulnerability data and enriches it with CVSS scores, but it is not a scoring system itself. Option B is wrong because CVE (Common Vulnerabilities and Exposures) is a dictionary of unique identifiers for publicly known vulnerabilities, not a severity rating system. Option D is wrong because CWE (Common Weakness Enumeration) is a taxonomy of software weakness types, not a scoring system for vulnerability severity.

Question 7 (MCQ, easy)

Which of the following is a key element of the rules of engagement for a penetration test?

A. Emergency stop criteria
B. The tester's compensation
C. The tester's background check
D. The number of vulnerabilities to find
Answer: A

Emergency stop criteria define conditions to halt testing, such as system instability.

Why this answer

Rules of engagement must include written authorization and define the scope, including systems to be tested and emergency stop criteria.

Question 8 (MCQ, hard)

A company wants to ensure its internal web application is free from security flaws during development. Which testing approach analyzes source code without executing the program?

A. IAST
B. RASP
C. DAST
D. SAST
Answer: D

SAST analyzes source code without execution.

Why this answer

SAST (Static Application Security Testing) analyzes source code in a non-runtime environment, identifying vulnerabilities early in the SDLC.

Question 9 (MCQ, medium)

A company is required to retain logs for regulatory compliance. Which factor primarily determines the log retention period?

A. Storage capacity
B. Incident response needs
C. Regulatory requirements
D. Log volume
Answer: C

Regulations often specify minimum retention periods for logs.

Why this answer

Regulatory compliance frameworks (e.g., PCI DSS, HIPAA, SOX, GDPR) explicitly mandate minimum log retention periods (e.g., PCI DSS Requirement 10.7 requires at least one year of logs, with three months immediately accessible). Storage capacity, incident response needs, and log volume are operational considerations that may influence implementation but do not override the legal or contractual obligation to retain logs for a specified duration. The primary factor is the regulatory requirement itself, as failure to comply can result in fines, legal liability, or loss of certification.

Exam trap

The trap here is that candidates often confuse operational factors (storage capacity, log volume) with the primary driver (regulatory requirements), mistakenly thinking that if storage is limited, the retention period can be shortened. Compliance mandates are non-negotiable and must be met regardless of infrastructure constraints.

How to eliminate wrong answers

Option A is wrong because storage capacity is a resource constraint that may force log rotation or archiving, but it does not define the retention period; organizations must provision sufficient storage to meet regulatory mandates. Option B is wrong because incident response needs may require retaining logs beyond the standard period for forensic analysis, but they do not set the baseline retention period; the baseline is driven by compliance, not by the timing of incidents. Option D is wrong because log volume affects how logs are stored and rotated (e.g., log rotation policies based on size), but the retention duration is a time-based requirement set by regulations, not a function of how many logs are generated.

Question 10 (MCQ, easy)

Which of the following is a key component of the rules of engagement for a penetration test?

A. Exploitation techniques to use
B. Emergency stop criteria
C. CVSS score of vulnerabilities
D. Number of vulnerabilities found
Answer: B

Emergency stop criteria define conditions to halt testing immediately.

Why this answer

Rules of engagement must include written authorization, scope definition, and emergency stop criteria to ensure legal and safe testing.

Question 11 (MCQ, medium)

A security manager is reviewing metrics and sees that the "mean time to remediate" for critical vulnerabilities has increased over the past quarter. This metric is an example of a:

A. Security baseline
B. Key Goal Indicator (KGI)
C. Key Performance Indicator (KPI)
D. Key Risk Indicator (KRI)
Answer: C

KPIs measure performance of processes, such as remediation efficiency.

Why this answer

Mean time to remediate is a Key Performance Indicator (KPI) used to measure the effectiveness of vulnerability management processes.

Question 12 (Multi-Select, medium)

An organization wants to assess the security of its custom web application. Which TWO of the following are types of code review that can be used to identify vulnerabilities?

Select 2 answers
A. Physical security assessment
B. Social engineering
C. Static Application Security Testing (SAST)
D. Network penetration testing
E. Dynamic Application Security Testing (DAST)
Answers: C, E

SAST analyzes source code for vulnerabilities without executing it.

Why this answer

SAST analyzes source code without execution, while DAST tests the running application. Both are common code review techniques for web applications.

Question 13 (MCQ, medium)

A security auditor is assessing whether a company's controls comply with ISO 27001. What type of audit is being conducted?

A. External audit
B. Penetration test
C. SOC 2 Type II audit
D. Internal audit
Answer: A

An external audit for ISO 27001 certification is performed by an accredited certification body (registrar).

Why this answer

An external audit is conducted by an independent third party to assess compliance with a standard like ISO 27001. This type of audit provides an unbiased evaluation of whether the organization's controls meet the specified requirements, which is essential for certification purposes. The auditor is not an employee of the organization, ensuring objectivity and credibility in the assessment.

Exam trap

The trap here is confusing an internal audit (which is part of the organization's own monitoring and improvement process) with the external audit required for ISO 27001 certification, leading candidates to select 'Internal audit' when the question specifically asks about compliance assessment for certification.

How to eliminate wrong answers

Option B is wrong because a penetration test is a technical security assessment that simulates attacks to identify vulnerabilities, not a compliance audit against a management standard like ISO 27001. Option C is wrong because a SOC 2 Type II audit is specifically designed to evaluate controls related to the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy), not ISO 27001 compliance. Option D is wrong because an internal audit is conducted by the organization's own staff or a related party, which lacks the independence required for ISO 27001 certification audits; external audits are mandatory for certification.

Question 14 (Multi-Select, hard)

An organization is reviewing its log management practices. Which THREE of the following are key considerations for effective log review?

Select 3 answers
A. Reviewing logs only after a security incident
B. Log retention policies that comply with legal and regulatory requirements
C. Storing logs in plaintext without access controls
D. Regularly scheduled review of logs for anomalies
E. Centralized log management for aggregation and correlation
Answers: B, D, E

Correct: Retention must meet compliance needs.

Why this answer

Option B is correct because log retention policies must align with legal and regulatory requirements such as GDPR, HIPAA, or PCI DSS, which mandate specific retention periods and secure storage. Without compliance-driven retention, the organization risks legal penalties and inability to produce logs for forensic investigations. Effective log management requires policies that define how long logs are kept, when they are destroyed, and how they are protected.

Exam trap

The trap here is that candidates may think reviewing logs only after an incident is sufficient, but the CISSP emphasizes proactive, continuous monitoring as a key security control, not just reactive forensics.

Question 15 (MCQ, easy)

An organization wants to test its security controls by simulating an attack where the tester has no prior knowledge of the internal network. This is known as a:

A. Grey box test
B. White box test
C. Red team exercise
D. Black box test
Answer: D

Black box tests simulate an external attacker with no prior knowledge.

Why this answer

A black box test (D) is correct because the tester has no prior knowledge of the internal network, simulating an external attacker with zero inside information. This approach evaluates the security controls from an unprivileged, external perspective, relying solely on publicly available information and active reconnaissance. It is the purest form of adversarial simulation for testing perimeter defenses and detection capabilities.

Exam trap

The trap here is confusing the testing methodology (black/grey/white box) with the team structure (red team exercise), leading candidates to select 'Red team exercise' because it sounds like an attack simulation, but the question explicitly defines the knowledge level, not the team composition.

How to eliminate wrong answers

Option A is wrong because a grey box test involves partial knowledge of the internal network, such as network diagrams or credentials, which contradicts the 'no prior knowledge' requirement. Option B is wrong because a white box test provides full knowledge of the internal network, including source code, architecture, and credentials, which is the opposite of the described scenario. Option C is wrong because a red team exercise is a broader, goal-oriented adversarial simulation that may use black, grey, or white box methodologies; the question specifically asks for the type of test based on knowledge level, not the team structure.

Question 16 (Multi-Select, medium)

A company is planning to conduct a penetration test. Which THREE of the following should be included in the rules of engagement?

Select 3 answers
A. The tester's personal contact information
B. Emergency stop criteria
C. Definition of the scope (systems to be tested)
D. Written authorization from management
E. Specific vulnerabilities to be exploited
Answers: B, C, D

Emergency stop criteria allow halting testing if conditions become dangerous.

Why this answer

Option B is correct because emergency stop criteria define the conditions under which the penetration test must be immediately halted, such as causing a production system outage or detecting unauthorized data access. This is a critical component of the rules of engagement (RoE) to ensure the test does not cause unacceptable business impact, aligning with the principle of minimizing risk during security assessments.

Exam trap

The trap here is that candidates often confuse the rules of engagement with the test plan or methodology, mistakenly including operational details like specific vulnerabilities or personal contact information, when the RoE is strictly about boundaries, authorization, and safety constraints.

Question 17 (MCQ, easy)

A company must comply with a regulation requiring a formal, independent assessment of its security controls against a standard. Which type of assessment is MOST appropriate?

A. Penetration test
B. Security audit
C. Security review
D. Vulnerability assessment
Answer: B

A security audit is compliance-focused and compares controls to a standard.

Why this answer

A security audit is the most appropriate assessment because it is a formal, independent evaluation of an organization's security controls against a predefined standard (e.g., ISO 27001, NIST SP 800-53). Unlike other assessments, an audit is conducted by an independent third party or internal audit function, providing objective evidence of compliance with regulatory requirements.

Exam trap

The trap here is that candidates confuse a security audit with a penetration test or vulnerability assessment, mistakenly thinking that technical exploitation is required for compliance, when the regulation specifically demands an independent evaluation against a standard, not a technical attack simulation.

How to eliminate wrong answers

Option A is wrong because a penetration test is an authorized simulated attack to exploit vulnerabilities, not a formal assessment of controls against a standard; it focuses on identifying exploitable weaknesses rather than compliance. Option C is wrong because a security review is typically an informal, internal evaluation (e.g., peer review or design review) that lacks the independence and formal structure required for regulatory compliance. Option D is wrong because a vulnerability assessment is an automated or manual scan to identify and list vulnerabilities (e.g., missing patches, misconfigurations), but it does not evaluate controls against a specific standard or provide an independent compliance opinion.

Question 18 (MCQ, hard)

A security analyst is reviewing logs from multiple systems and needs to ensure that logs are tamper-proof and available for incident investigation. Which of the following is the BEST approach?

A. Use a cloud storage bucket with public read access
B. Store logs locally on each system with restricted permissions
C. Encrypt logs at the source and send via email to the security team
D. Centralize logs to a syslog server with cryptographic hashing and append-only access
Answer: D

Centralization plus integrity controls (hashing, append-only) protect logs.

Why this answer

Centralized log management with write-once, read-many (WORM) storage ensures log integrity and availability for investigation.

Question 19 (MCQ, easy)

Which of the following is a key component of the rules of engagement for a penetration test?

A. Use of only automated tools
B. Guarantee of no system disruption
C. Written authorization from management
D. Identification of all vulnerabilities
Answer: C

Correct: Written authorization is essential for legal and ethical testing.

Why this answer

Rules of engagement must include written authorization, scope, and emergency stop criteria.

Question 20 (Multi-Select, medium)

Which TWO of the following are characteristics of a SOC 2 Type II report?

Select 2 answers
A. Covers the design and operating effectiveness of controls over a period of time
B. Is a public summary report available to anyone
C. Includes trust service criteria such as security, availability, and confidentiality
D. Focuses only on financial reporting controls
E. Evaluates controls at a single point in time
Answers: A, C

Type II assesses both design and operating effectiveness over time.

Why this answer

SOC 2 Type II reports assess controls over a period of time and cover trust service criteria including security and availability.

Question 21 (MCQ, hard)

During a penetration test, the tester gains initial access to a server and then attempts to pivot to other systems. Which phase of the penetration testing process does this represent?

A. Post-exploitation/lateral movement
B. Reconnaissance
C. Exploitation
D. Reporting
Answer: A

Correct: This phase involves moving from the initial foothold to other systems.

Why this answer

Post-exploitation/lateral movement involves leveraging initial access to move within the network.

Question 22 (Multi-Select, easy)

Which TWO of the following are benefits of authenticated vulnerability scanning compared to unauthenticated scanning?

Select 2 answers
A. Can detect vulnerabilities that require valid credentials to be seen
B. Reduces network traffic
C. Eliminates false positives entirely
D. Provides more accurate patch-level information
E. Does not require network access
Answers: A, D

Authenticated scans log in and see internal state.

Why this answer

Authenticated scans have deeper access, allowing them to detect vulnerabilities that require valid credentials, such as missing patches and configuration issues.

Question 23 (MCQ, hard)

During a security audit, the auditor selects a sample of user access reviews to verify that access rights are properly managed. This type of testing is best described as:

A. Security audit
B. Vulnerability assessment
C. Penetration test
D. Security review
Answer: A

Security audit involves evaluating controls against a standard.

Why this answer

A security audit is a formal, independent examination of records and activities to verify that controls are effective and compliant with policies. In this scenario, the auditor's sampling of user access reviews to confirm proper access rights management is a classic audit procedure, not a technical vulnerability scan or an active exploitation attempt. This aligns with the definition of a security audit as a systematic evaluation of security controls.

Exam trap

The trap here is confusing 'security audit' with 'security review' or 'vulnerability assessment,' as candidates often think any testing of access controls must involve technical scanning or exploitation, but the key differentiator is the formal, evidence-based sampling of documented processes versus active technical testing.

How to eliminate wrong answers

Option B is wrong because a vulnerability assessment is an automated or manual scan to identify specific weaknesses (e.g., missing patches, misconfigurations) in systems or networks, not a review of user access review records. Option C is wrong because a penetration test is an authorized simulated attack that actively exploits vulnerabilities to gain unauthorized access, whereas the question describes a passive review of documentation and processes. Option D is wrong because a security review is a broader, often informal term that can include audits, but the specific act of sampling user access reviews during a formal audit is best described as a security audit, not a general review.

Question 24 (MCQ, easy)

A security analyst is asked to identify vulnerabilities in a web application without attempting to exploit them. Which type of assessment is being performed?

A. Security review
B. Vulnerability assessment
C. Security audit
D. Penetration test
Answer: B

Vulnerability assessment identifies vulnerabilities without exploitation.

Why this answer

A vulnerability assessment is a systematic review of security weaknesses in a system or application, but it does not involve actively exploiting those weaknesses. The question specifies that the analyst is asked to identify vulnerabilities without attempting to exploit them, which directly matches the definition of a vulnerability assessment. This type of assessment typically uses automated scanners (e.g., Nessus, OpenVAS) and manual checks to enumerate potential vulnerabilities, such as missing patches or misconfigurations, without moving to the exploitation phase.

Exam trap

The trap here is that candidates often confuse vulnerability assessment with penetration testing, assuming that any active testing must include exploitation, but the CISSP exam emphasizes the distinction that vulnerability assessment stops at identification, while penetration testing includes exploitation.

How to eliminate wrong answers

Option A is wrong because a security review is a broad, often high-level evaluation of security policies, procedures, and controls, not a focused technical scan for specific vulnerabilities in a web application. Option C is wrong because a security audit is a formal, compliance-driven examination against a defined standard (e.g., ISO 27001, PCI DSS), which may include vulnerability identification but is not limited to it and often involves verifying controls rather than just scanning for weaknesses. Option D is wrong because a penetration test actively exploits vulnerabilities to determine the extent of compromise, which contradicts the question's condition of not attempting to exploit them.

Question 25 (MCQ, hard)

Which type of SOC report provides a public summary of controls related to security, availability, confidentiality, integrity, and privacy, but does not include detailed testing results?

A. SOC 2 Type II
B. SOC 3
C. SOC 1 Type II
D. SOC 2 Type I
Answer: B

Correct: SOC 3 is a public summary of SOC 2.

Why this answer

SOC 3 reports are designed for public distribution and provide a high-level summary of an organization's controls related to security, availability, confidentiality, integrity, and privacy (the Trust Services Criteria). Unlike SOC 2 reports, SOC 3 reports do not include detailed testing results, control descriptions, or the auditor's opinion on control effectiveness, making them suitable for marketing or public disclosure.

Exam trap

The trap here is that candidates confuse SOC 2 Type II (which includes detailed testing results) with SOC 3, or assume that SOC 2 Type I (point-in-time) is a public summary, when in fact SOC 3 is the only report designed for public distribution without detailed testing results.

How to eliminate wrong answers

Option A is wrong because SOC 2 Type II reports include detailed testing results over a period of time, including the auditor's opinion on the effectiveness of controls, which contradicts the question's requirement for a public summary without detailed testing results. Option C is wrong because SOC 1 Type II reports focus on controls relevant to financial reporting (under SSAE 18) and are restricted to user entities and their auditors, not public summaries, and they include detailed testing results. Option D is wrong because SOC 2 Type I reports, while covering the same Trust Services Criteria, describe controls at a single point in time and include detailed control descriptions and auditor opinions, not a public summary without testing results.

Question 26 (MCQ, easy)

A company hires a third party to perform an assessment where the testers are given no prior knowledge of the internal network. This type of penetration test is known as:

A. Black box
B. White box
C. Grey box
D. Internal test
Answer: A

Black box testing gives no prior knowledge.

Why this answer

A black box penetration test simulates an external attacker with no prior knowledge of the target environment. The testers are given no credentials, network diagrams, or internal details, forcing them to perform reconnaissance and exploitation from an outsider's perspective. This aligns directly with the scenario where the third party has 'no prior knowledge of the internal network.'

Exam trap

The trap here is confusing the test's knowledge level (black, white, grey) with the test's origin (internal vs. external), leading candidates to incorrectly select 'Internal test' because they associate 'no prior knowledge' with an external perspective, but the question explicitly asks for the type based on knowledge, not location.

How to eliminate wrong answers

Option B is wrong because a white box test provides testers with full knowledge of the internal network, including credentials, source code, and architecture diagrams, which contradicts the 'no prior knowledge' condition. Option C is wrong because a grey box test offers limited knowledge, such as user-level credentials or partial network maps, not zero prior knowledge. Option D is wrong because an internal test is defined by the test's origin (inside the network perimeter), not by the level of knowledge; internal tests can be black, white, or grey box, and the question specifically describes the knowledge level, not the test location.

Question 27 (MCQ, medium)

During a penetration test, the tester has obtained initial access and is now trying to move laterally to other systems. Which phase of the penetration testing process does this represent?

A. Reconnaissance
B. Reporting
C. Post-exploitation/lateral movement
D. Exploitation
Answer: C

This phase involves moving from the initially compromised system to other systems.

Why this answer

The post-exploitation/lateral movement phase occurs after initial access is gained, where the tester uses compromised systems as pivot points to access other network segments, often leveraging tools like PsExec, WMI, or SMB relay to move across hosts. This phase is distinct from exploitation, which focuses on gaining the initial foothold, and reconnaissance, which occurs before any access is obtained.

Exam trap

The trap here is confusing 'exploitation' (gaining initial access) with 'post-exploitation/lateral movement' (using that access to move to other systems), as candidates often think any active attack step is 'exploitation' without recognizing the sequential phases of a penetration test.

How to eliminate wrong answers

Option A is wrong because reconnaissance is the initial information-gathering phase (e.g., DNS enumeration, port scanning) that occurs before any access is obtained, not after initial access. Option B is wrong because reporting is the final phase where findings are documented and presented to stakeholders, not during active lateral movement. Option D is wrong because exploitation is the phase where vulnerabilities are used to gain initial access (e.g., exploiting an SMB vulnerability), not the subsequent movement to other systems.

Question 28 (MCQ, easy)

An organization wants to identify vulnerabilities in their network without attempting to exploit them. Which type of security assessment should they perform?

A. Vulnerability assessment
B. Penetration test
C. Security audit
D. Security review
Answer: A

This assessment type identifies vulnerabilities without exploitation.

Why this answer

A vulnerability assessment is the correct choice because it is a systematic review of security weaknesses in a network or system that identifies vulnerabilities without actively exploiting them. This assessment typically uses automated scanning tools (e.g., Nessus, OpenVAS) to compare system configurations against known vulnerability databases (e.g., CVE, NVD) and reports potential issues, but does not attempt to gain unauthorized access or cause disruption.

Exam trap

The trap here is that candidates confuse a vulnerability assessment with a penetration test, assuming both involve exploitation, but the key differentiator is that a vulnerability assessment only identifies vulnerabilities, while a penetration test actively exploits them.

How to eliminate wrong answers

Option B is wrong because a penetration test (pentest) is an authorized simulated attack that actively attempts to exploit identified vulnerabilities to gain access or escalate privileges, which contradicts the requirement to not exploit them. Option C is wrong because a security audit is a formal, compliance-driven evaluation of an organization's adherence to policies, standards, or regulations (e.g., ISO 27001, PCI DSS) and does not focus specifically on identifying technical vulnerabilities in the network. Option D is wrong because a security review is a broad, often high-level examination of security controls, processes, or architecture, and it lacks the targeted, technical scanning and identification of specific vulnerabilities that a vulnerability assessment provides.

29
Multi-Selecteasy

Which TWO of the following are examples of security metrics that can be used as key performance indicators (KPIs)?

Select 2 answers
A.Mean time to remediate critical vulnerabilities
B.Number of servers in the data center
C.Total IT budget
D.Patch compliance percentage
E.Number of employees in the security department
AnswersA, D

Correct: This measures remediation speed, a key metric.

Why this answer

Security KPIs measure how well a security process performs, so patch compliance percentage (how much of the estate meets patching policy) and mean time to remediate critical vulnerabilities (how quickly the highest-risk findings are closed) both qualify. Options B, C and E are inventory or budget figures: they describe the size of the environment or the team, not how effectively it is secured.

30
Multi-Selectmedium

A security analyst is setting up a vulnerability scanning program. Which TWO of the following are best practices for determining scanning frequency?

Select 2 answers
A.Scan once per year to minimize operational impact
B.Scan after significant changes to the infrastructure
C.Align scan frequency with the organization's risk appetite
D.Scan only when vulnerabilities are publicly disclosed
E.Use the same interval for all systems regardless of criticality
AnswersB, C

Correct: Changes may introduce new vulnerabilities.

Why this answer

Option B is correct because scanning after significant infrastructure changes (e.g., new deployments, configuration modifications, or patch installations) ensures that newly introduced vulnerabilities are detected promptly. This aligns with the principle of continuous monitoring and reduces the window of exposure for unpatched or misconfigured systems. Option C is correct because risk appetite sets how long the organization is willing to leave a vulnerability undiscovered: Internet-facing and high-value systems warrant frequent (often weekly or continuous) scans, while a low-criticality internal system may be scanned less often, which is also why a single interval for every system (Option E) is the wrong approach.

Exam trap

The trap here is treating 'minimizing operational impact' (Option A) as a valid frequency strategy. An annual scan leaves vulnerabilities published during the year undiscovered for months; guidance such as NIST SP 800-115 and the CIS Controls treats regular, change-driven scanning tuned to system criticality and risk appetite as the baseline, and scan windows and throttling address operational impact without sacrificing frequency.

31
MCQeasy

Which of the following is the primary purpose of a security audit?

A.To identify vulnerabilities in the network
B.To compare security controls against a defined standard
C.To perform an informal evaluation of security posture
D.To exploit vulnerabilities and demonstrate impact
AnswerB

Audits measure compliance with standards or regulations.

Why this answer

A security audit's primary purpose is to systematically evaluate an organization's security controls against a predefined standard, such as ISO 27001, NIST SP 800-53, or PCI DSS. This comparison verifies compliance and identifies gaps, not merely vulnerabilities. Unlike a vulnerability assessment or penetration test, an audit focuses on adherence to criteria, not exploitation or informal review.

Exam trap

The trap here is confusing a security audit with a vulnerability assessment or penetration test, leading candidates to pick 'identify vulnerabilities' or 'exploit vulnerabilities' instead of recognizing the audit's formal, standards-based comparison purpose.

How to eliminate wrong answers

Option A is wrong because identifying vulnerabilities is the goal of a vulnerability assessment, not a security audit; an audit compares controls to a standard, not just finds weaknesses. Option C is wrong because a security audit is a formal, structured evaluation with defined criteria, not an informal assessment of posture. Option D is wrong because exploiting vulnerabilities to demonstrate impact is the objective of a penetration test, which is distinct from an audit's compliance-focused comparison.

32
MCQmedium

A security analyst is conducting a vulnerability scan of a web application. The scan identifies several vulnerabilities, but the analyst wants to minimize false positives. Which type of vulnerability scan would be most appropriate?

A.External scan
B.Passive scan
C.Authenticated scan
D.Unauthenticated scan
AnswerC

Authenticated scans use credentials to access the application, providing a more accurate assessment and fewer false positives.

Why this answer

An authenticated scan uses valid credentials to log into the target, so the scanner sees installed software versions, configuration files and patch levels directly instead of inferring them from banners and responses. For a web application this means the scanner can log in and reach the authenticated parts of the application, confirming findings rather than guessing at them. That visibility is what reduces false positives: a patch that is installed but not reflected in a service banner looks like a missing patch to an unauthenticated scanner and is correctly reported as present by an authenticated one.

Exam trap

The trap here is that candidates often assume an unauthenticated scan is more thorough because it tests from an attacker's perspective, but they miss that authenticated scans provide the internal visibility needed to eliminate false positives by verifying actual patch levels and configurations.

How to eliminate wrong answers

Option A is wrong because an external scan is performed from outside the network boundary and typically lacks internal context, leading to a higher rate of false positives due to incomplete visibility of internal services and configurations. Option B is wrong because a passive scan only monitors network traffic without actively probing systems, so it cannot verify the presence of vulnerabilities and often generates false positives from observed but unconfirmed behaviors. Option D is wrong because an unauthenticated scan does not use credentials, so it cannot access restricted areas of the application or system, resulting in many false positives from assumptions about missing patches or misconfigurations that may not actually exist.

33
MCQhard

During a SOC 2 audit, the auditor evaluates controls over a period of time to assess their operating effectiveness. Which type of SOC report is being performed?

A.SOC 2 Type II
B.SOC 1 Type I
C.SOC 3
D.SOC 2 Type I
AnswerA

SOC 2 Type II evaluates controls over a period of time for operating effectiveness.

Why this answer

SOC 2 Type II reports assess the operating effectiveness of controls over a period of time, while Type I reports are at a point in time.

34
MCQmedium

An organization is required to retain security logs for a minimum of one year to meet compliance regulations. Which practice is most directly related to this requirement?

A.Log review frequency
B.Log format standardization
C.Centralized log management
D.Log retention requirements
AnswerD

Retention requirements dictate how long logs are stored.

Why this answer

The requirement to retain security logs for a minimum of one year is directly about the duration logs must be stored. Option D, 'Log retention requirements,' is the practice that defines this storage duration, ensuring compliance with regulations such as PCI DSS or SOX. This is a policy-driven specification of how long logs are kept, not how they are reviewed, formatted, or collected.

Exam trap

The trap here is that candidates often confuse 'log retention requirements' with 'centralized log management,' thinking that centralization inherently includes retention, but retention is a separate policy that must be explicitly defined and configured regardless of where logs are stored.

How to eliminate wrong answers

Option A is wrong because log review frequency concerns how often logs are analyzed (e.g., daily or weekly), not how long they are stored; it addresses operational monitoring, not retention duration. Option B is wrong because log format standardization (e.g., syslog RFC 5424 or W3C Extended Log Format) ensures consistency for parsing and analysis, but does not dictate the retention period. Option C is wrong because centralized log management (e.g., using a SIEM like Splunk or ELK stack) aggregates logs from multiple sources for correlation and storage, but the retention period is a separate policy that defines how long logs are kept in that central repository.

35
MCQmedium

Which type of scanning provides the most comprehensive view of an organization's vulnerabilities by allowing the scanner to log into systems and access detailed configuration information?

A.External scan
B.Passive scan
C.Authenticated scan
D.Unauthenticated scan
AnswerC

Authenticated scans have privileged access for complete visibility.

Why this answer

Authenticated scans use credentials to access system internals, providing deeper insight than unauthenticated scans.

36
Multi-Selecthard

A company is preparing for a PCI DSS assessment. Which TWO of the following are likely to be required as part of the assessment?

Select 2 answers
A.Monthly internal vulnerability scans
B.SOC 2 Type II report
C.Annual penetration test of all systems
D.Annual on-site assessment by a QSA
E.Quarterly external vulnerability scans by an ASV
AnswersD, E

PCI DSS requires an annual on-site assessment by a Qualified Security Assessor for entities that must produce a Report on Compliance.

Why this answer

PCI DSS requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) and, for entities that must produce a Report on Compliance (ROC) rather than a Self-Assessment Questionnaire (SAQ), an annual assessment by a Qualified Security Assessor (QSA). Option A overstates the internal scan cadence, which the standard sets at quarterly and after significant changes; Option C overstates the penetration test, which is required annually but scoped to the cardholder data environment and systems connected to it rather than all systems; Option B is a separate attestation framework that PCI DSS does not require.

37
MCQhard

After a penetration test, the tester provides a report that includes vulnerabilities found, exploitation details, and recommended fixes. Which step of the penetration testing process does this represent?

A.Reporting
B.Post-exploitation
C.Planning and scoping
D.Reconnaissance
AnswerA

Reporting is the final phase, presenting findings and recommendations.

Why this answer

The reporting phase is the final step in the penetration testing process, where the tester documents all findings, including vulnerabilities discovered, exploitation details, and recommended remediation steps. This report is delivered to the client to provide a clear understanding of the security posture and actionable fixes. Without this step, the test results would have no value for improving security.

Exam trap

The trap here is that candidates may confuse 'post-exploitation' with the final reporting step, because post-exploitation involves documenting actions taken after access, but the formal report is a separate, distinct phase that synthesizes all findings from the entire test.

How to eliminate wrong answers

Option B (Post-exploitation) is wrong because post-exploitation occurs after gaining access and involves activities like maintaining persistence, escalating privileges, or exfiltrating data, not compiling and delivering the final report. Option C (Planning and scoping) is wrong because this initial phase defines the test's boundaries, rules of engagement, and objectives, not the documentation of results. Option D (Reconnaissance) is wrong because reconnaissance is the information-gathering phase (e.g., using tools like Nmap or Shodan) to identify targets, not the reporting of exploitation outcomes.

38
MCQeasy

During a penetration test, the tester successfully exploits a vulnerability in a web server and gains initial access. The next step in the penetration testing process is to:

A.Disconnect from the network
B.Report the findings immediately
C.Conduct post-exploitation and lateral movement
D.Perform reconnaissance
AnswerC

Post-exploitation and lateral movement are standard steps after initial exploitation to assess the full impact.

Why this answer

After gaining initial access during a penetration test, standard methodologies (e.g., PTES, OWASP) call for post-exploitation and lateral movement to assess the full impact of the compromise. This involves enumerating the compromised host, escalating privileges, and pivoting to other in-scope systems using techniques such as pass-the-hash or SSH tunneling, all within the agreed rules of engagement. Reporting immediately or disconnecting would stop short of the agreed scope and fail to demonstrate the real risk of the vulnerability.

Exam trap

The trap here is that candidates confuse the linear 'reconnaissance → exploitation → reporting' model with the iterative nature of penetration testing, where post-exploitation and lateral movement are essential steps after initial access to fully assess risk.

How to eliminate wrong answers

Option A is wrong because disconnecting from the network aborts the test prematurely, preventing the tester from identifying the full attack path and potential data exposure, which is the core objective of a penetration test. Option B is wrong because routine findings are documented and reported after the test concludes, not during active exploitation; the one caveat is that rules of engagement normally require immediate notification of critical discoveries such as evidence of an existing compromise, which is an escalation, not the reporting phase. Option D is wrong because reconnaissance is performed before exploitation, not after gaining initial access; it involves passive and active information gathering (e.g., DNS enumeration, port scanning) to identify targets and vulnerabilities.

39
MCQmedium

A security analyst is tasked with identifying vulnerabilities in a network without exploiting them. Which type of assessment is most appropriate?

A.Vulnerability assessment
B.Security audit
C.Penetration test
D.Security review
AnswerA

Correct: Vulnerability assessment identifies vulnerabilities without exploitation.

Why this answer

A vulnerability assessment identifies and reports vulnerabilities without exploitation, unlike penetration testing which exploits to demonstrate impact.

40
MCQmedium

A vulnerability scanner reports a vulnerability with a CVSS score of 9.8. What does this score indicate?

A.High severity
B.Medium severity
C.Low severity
D.Critical severity
AnswerD

A score of 9.8 falls in the critical range (9.0-10.0).

Why this answer

A CVSS score of 9.8 falls within the range of 9.0–10.0, which is classified as 'Critical' severity according to the CVSS v3.1 specification. This score typically indicates a vulnerability that can be exploited remotely without authentication and with low attack complexity, often leading to complete compromise of confidentiality, integrity, and availability.

Exam trap

The trap here is that candidates may confuse the CVSS v3.1 severity rating scale with the older v2 scale, where scores of 7.0–10.0 were all labeled 'High', but in v3.1, 9.0–10.0 is explicitly 'Critical'.

How to eliminate wrong answers

Option A is wrong because 'High severity' corresponds to CVSS scores of 7.0–8.9, not 9.8. Option B is wrong because 'Medium severity' corresponds to scores of 4.0–6.9, which is far below 9.8. Option C is wrong because 'Low severity' corresponds to scores of 0.1–3.9, and a score of 9.8 is at the top of the scale, not low.

41
MCQeasy

Which vulnerability scoring system is commonly used to assess the severity of vulnerabilities?

A.CVSS
B.NVD
C.CVE
D.OWASP
AnswerA

CVSS provides severity scores (0-10).

Why this answer

The Common Vulnerability Scoring System (CVSS) is the industry-standard framework for assigning a numerical severity score (0–10) to a vulnerability based on metrics like attack vector, complexity, privileges required, and impact. It is maintained by the Forum of Incident Response and Security Teams (FIRST) and is widely adopted by organizations for prioritization in vulnerability management. CVSS provides a consistent, quantitative measure that allows security teams to compare and triage vulnerabilities across different systems and vendors.

Exam trap

Cisco often tests the distinction between a vulnerability database (NVD), a naming standard (CVE), and a scoring system (CVSS), so the trap here is confusing the repository or identifier with the actual scoring methodology.

How to eliminate wrong answers

Option B (NVD) is wrong because the National Vulnerability Database (NVD) is a repository of vulnerability data that uses CVSS scores, but it is not itself a scoring system; it is a database that references CVSS. Option C (CVE) is wrong because the Common Vulnerabilities and Exposures (CVE) system is a dictionary of unique identifiers for publicly known vulnerabilities, not a scoring or severity assessment system. Option D (OWASP) is wrong because the Open Web Application Security Project (OWASP) provides guidelines, tools, and frameworks for web application security (e.g., the OWASP Top 10), but it does not define a standardized vulnerability scoring system like CVSS.

42
MCQhard

An organization wants to ensure that its web application is secure by analyzing the source code for vulnerabilities without executing the code. Which type of testing is most appropriate?

A.Interactive Application Security Testing (IAST)
B.Dynamic Application Security Testing (DAST)
C.Runtime Application Self-Protection (RASP)
D.Static Application Security Testing (SAST)
AnswerD

SAST analyzes source code without execution, identifying vulnerabilities in the code itself.

Why this answer

SAST (Static Application Security Testing) analyzes source code at rest, without executing it, making it ideal for finding vulnerabilities early in the development lifecycle.

43
Multi-Selecthard

Which THREE of the following are valid types of penetration testing based on the level of knowledge provided to the tester?

Select 3 answers
A.Blue box
B.White box
C.Grey box
D.Black box
E.Red box
AnswersB, C, D

White box: full knowledge.

Why this answer

Penetration tests can be black box (no knowledge), white box (full knowledge), or grey box (partial knowledge).

44
MCQmedium

A security team is reviewing application security and needs to analyze source code without executing the application. Which technique should they use?

A.Dynamic Application Security Testing (DAST)
B.Interactive Application Security Testing (IAST)
C.Static Application Security Testing (SAST)
D.Runtime Application Self-Protection (RASP)
AnswerC

Correct: SAST analyzes source code without execution.

Why this answer

SAST analyzes source code statically, without running the application.

45
Multi-Selectmedium

An organization is planning an external audit for SOC 2 Type II compliance. Which TWO of the following are true about this type of audit?

Select 2 answers
A.It reports on controls over a period of time, typically 6–12 months
B.It is a third-party audit that evaluates controls for security, availability, processing integrity, confidentiality, and privacy
C.It is an internal audit performed by the organization's staff
D.It focuses solely on financial reporting controls
E.It is a public document available to anyone
AnswersA, B

Correct: Type II covers a period; Type I is point-in-time.

Why this answer

SOC 2 Type II is an attestation performed by an independent CPA firm that tests the design and operating effectiveness of controls over a review period, measured against the AICPA Trust Services Criteria (security, plus availability, processing integrity, confidentiality and privacy where in scope). Option D describes SOC 1, which covers controls relevant to a customer's financial reporting; Option E describes SOC 3, the general-use summary, whereas a SOC 2 report is restricted to the service organization, its customers and their auditors.

46
Multi-Selectmedium

A security manager is planning a penetration test and needs to ensure proper rules of engagement are established. Which TWO of the following are essential components of the rules of engagement?

Select 2 answers
A.Vulnerability scoring methodology
B.Scope definition including in-scope systems
C.Written authorization from management
D.Previous test results
E.List of tools to be used
AnswersB, C

Scope defines what is included and excluded.

Why this answer

Scope definition (B) is essential because it explicitly lists in-scope systems, IP ranges, and exclusions, preventing unauthorized access and legal liability. Written authorization from management (C) provides the legal and contractual basis for the test, ensuring the penetration test is conducted with informed consent and documented approval.

Exam trap

The trap here is that candidates confuse 'rules of engagement' with the broader 'penetration testing methodology' and mistakenly include operational details like tool lists or scoring methods, which are not required for defining the legal and authorization boundaries.

47
Multi-Selectmedium

During a penetration testing engagement, which THREE of the following are essential components of the rules of engagement document?

Select 3 answers
A.Vulnerability severity ratings
B.Emergency stop criteria
C.Detailed exploit code
D.Scope definition including target systems
E.Written authorization from management
AnswersB, D, E

Emergency stop criteria are critical for halting testing if adverse effects occur.

Why this answer

Emergency stop criteria (Option B) are essential in a rules of engagement (ROE) document because they define the specific conditions or signals that require the penetration test to halt immediately, such as causing a production outage, exceeding defined thresholds, or receiving a stop command from the client. This protects both the tester and the client from unintended damage and ensures legal and operational boundaries are respected. Without explicit stop criteria, the engagement could continue past a critical failure, violating the agreed terms and potentially causing liability. Scope definition (Option D) and written authorization from management (Option E) are the other two essentials: scope fixes which targets, address ranges and time windows are permitted, and written authorization is what separates an authorized test from unauthorized access.

Exam trap

The trap here is the distractors that sound like penetration test deliverables: vulnerability severity ratings (Option A) and exploit code (Option C) belong in the final report and the tester's toolkit, not in the rules of engagement, which fixes the boundaries, authorization and stop conditions before any testing starts.

48
MCQhard

A company wants to measure the effectiveness of its vulnerability management program. Which metric would best indicate the organization's ability to respond quickly to critical vulnerabilities?

A.Patch compliance percentage
B.ROI of security controls
C.Mean time to remediate critical vulnerabilities
D.Number of open vulnerabilities by severity
AnswerC

MTTR for critical vulnerabilities indicates response speed.

Why this answer

Mean time to remediate (MTTR) for critical vulnerabilities directly measures the speed of response, which is a key indicator of program effectiveness.

49
MCQhard

During a penetration test, the tester successfully gains access to a server and then attempts to move laterally to other systems. This phase is known as:

A.Scanning and enumeration
B.Exploitation
C.Reconnaissance
D.Post-exploitation and lateral movement
AnswerD

This phase involves moving from the compromised system to others.

Why this answer

After initial access is gained, the phase where the tester moves from the compromised host to other systems within the network is specifically called post-exploitation and lateral movement. This involves using the foothold to pivot, escalate privileges, and access additional resources, which is distinct from the initial exploitation step.

Exam trap

The trap here is that candidates confuse 'exploitation' (the initial breach) with the broader post-exploitation phase, forgetting that lateral movement is a distinct activity that occurs after the initial foothold is established.

How to eliminate wrong answers

Option A is wrong because scanning and enumeration occur before exploitation to identify open ports, services, and potential vulnerabilities, not after gaining access. Option B is wrong because exploitation is the act of leveraging a vulnerability to gain initial access, not the subsequent movement to other systems. Option C is wrong because reconnaissance is the initial information-gathering phase (passive or active) performed before any access is obtained, such as DNS lookups or network mapping.

50
MCQmedium

A company is preparing for an external audit to comply with PCI DSS. Which type of auditor is typically required to perform this assessment?

A.System administrator
B.Internal auditor
C.Certified Public Accountant (CPA)
D.Qualified Security Assessor (QSA)
AnswerD

A QSA is an external auditor qualified to assess PCI DSS compliance.

Why this answer

PCI DSS requires assessments to be conducted by a Qualified Security Assessor (QSA) because QSAs are certified by the PCI Security Standards Council to validate compliance with the standard's technical and procedural controls. Unlike internal or general external auditors, QSAs have specific training in PCI DSS requirements, including network segmentation, encryption protocols (e.g., TLS 1.2+), and logging mechanisms (e.g., audit trails per Requirement 10).

Exam trap

The trap here is that candidates confuse 'external auditor' with any certified accountant or general IT auditor, overlooking that PCI DSS mandates a specifically certified QSA for compliance validation, not just any third-party assessor.

How to eliminate wrong answers

Option A is wrong because a system administrator lacks the independent, certified authority required for PCI DSS compliance validation and would create a conflict of interest by assessing their own systems. Option B is wrong because an ordinary internal auditor is not recognized by the PCI Security Standards Council to issue a formal Report on Compliance (ROC); the exception is an employee holding the Council's Internal Security Assessor (ISA) certification, which some acquirers accept for Level 1 merchants, but the question asks for the auditor type typically required, which is the QSA. Option C is wrong because a Certified Public Accountant (CPA) may perform financial audits but does not hold the specialized PCI DSS technical expertise (e.g., firewall rule reviews, vulnerability scanning per ASV standards) required for a QSA assessment.

51
MCQmedium

An organization is preparing for an ISO 27001 certification audit. The audit will be performed by an external body. This type of audit is classified as:

A.Self-assessment
B.External audit
C.Peer review
D.Internal audit
AnswerB

External audits are conducted by independent third parties.

Why this answer

An external audit is performed by an independent third-party organization, such as a certification body, to assess compliance against a standard like ISO 27001. In this scenario, the audit is conducted by an external body specifically for certification purposes, which directly matches the definition of an external audit. This type of audit provides an unbiased evaluation of the Information Security Management System (ISMS) and is required for formal certification.

Exam trap

The trap here is confusing an internal audit (conducted by the organization's own staff) with an external audit (conducted by an independent third party), especially when the question emphasizes 'preparing for certification' — candidates may mistakenly think internal audits are sufficient for certification, but only an external audit by an accredited body can grant ISO 27001 certification.

How to eliminate wrong answers

Option A is wrong because a self-assessment is an internal evaluation performed by the organization's own staff, not by an external certification body. Option C is wrong because a peer review typically involves a review by colleagues or other organizations in a non-certification context, not a formal audit by an accredited external body. Option D is wrong because an internal audit is conducted by the organization's own internal audit team or employees, not by an independent external auditor.

52
MCQmedium

A developer uses a tool that analyzes source code for potential security flaws without executing the program. This is an example of:

A.DAST
B.IAST
C.RASP
D.SAST
AnswerD

SAST analyzes source code without execution.

Why this answer

SAST (Static Application Security Testing) analyzes source code, bytecode, or binary code for security vulnerabilities without executing the program. This matches the description of a tool that inspects code statically, making D the correct answer.

Exam trap

The trap here is confusing SAST with DAST because both are application security testing types, but the key differentiator is execution: SAST is static (no execution) while DAST is dynamic (requires execution).

How to eliminate wrong answers

Option A is wrong because DAST (Dynamic Application Security Testing) tests a running application by sending inputs and observing responses, not by analyzing source code without execution. Option B is wrong because IAST (Interactive Application Security Testing) combines static and dynamic analysis, requiring the application to be executed and instrumented, not purely static analysis. Option C is wrong because RASP (Runtime Application Self-Protection) is a runtime security control embedded in the application environment that monitors and blocks attacks during execution, not a source code analysis tool.
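Questions 42, 44 and 52 (and question 1 at the top of the page) all turn on the same property: a SAST tool reads the code and never runs it. The following is an added example, not code from the question bank or from any SAST vendor: a toy analyser built on Python's ast module that parses a constructed sample program, walks the syntax tree, and flags a handful of dangerous call patterns (dynamic SQL, shell commands built from strings, eval). The rule set and the sample program are assumptions made for the illustration; a real product has hundreds of rules and tracks data flow from sources to sinks.

```python
"""A minimal static analyser (added example, not part of the question bank).

Parses Python source into an AST and flags dangerous call patterns without
executing anything, which is what makes it 'static'. Rules and the sample
target program below are constructed for illustration.
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    message: str


# Calls that are unsafe when reachable with attacker-controlled input.
DANGEROUS_CALLS = {
    "eval": "code injection: eval() on untrusted input",
    "exec": "code injection: exec() on untrusted input",
    "os.system": "command injection: os.system() runs a shell command string",
    "pickle.loads": "insecure deserialization: pickle.loads() builds arbitrary objects",
}


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the called function ('os.system', 'eval', ...)."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        if isinstance(func.value, ast.Name):
            return f"{func.value.id}.{func.attr}"
        return func.attr
    return ""


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the node builds a string at runtime (f-string, %, +, .format)."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


class SastVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node)
        if name in DANGEROUS_CALLS:
            self.findings.append(Finding(node.lineno, name, DANGEROUS_CALLS[name]))
        # subprocess.<anything>(..., shell=True) hands a string to the shell.
        if name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            self.findings.append(Finding(node.lineno, name, "command injection: shell=True"))
        # <cursor>.execute(<string built at runtime>) is the classic SQL injection shape;
        # a constant query with a parameter tuple is left alone.
        if name.endswith(".execute") and node.args and _is_dynamic_string(node.args[0]):
            self.findings.append(Finding(node.lineno, name,
                                         "SQL injection: query built by string formatting"))
        self.generic_visit(node)


def scan_source(source: str) -> list:
    """Parse and walk the source; nothing in it is executed."""
    visitor = SastVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed target with four flaws and one safe parameterized query.
SAMPLE_SOURCE = '''\
import os, subprocess

def lookup(user, cur):
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")   # line 4: SQLi
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))   # line 5: safe

def run(cmd):
    os.system("ping " + cmd)                                     # line 8
    subprocess.run("ls " + cmd, shell=True)                      # line 9
    return eval(cmd)                                             # line 10
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule}: {f.message}")
```

Running it reports lines 4, 8, 9 and 10 and stays silent on line 5, the parameterized query. The contrast with DAST is the input: a DAST tool would need this code deployed and reachable over HTTP and would discover the SQL injection by sending payloads and watching responses, whereas the analyser above only ever sees text.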

53
Multi-Selectmedium

An organization is selecting security metrics to report to the board. Which THREE metrics would best demonstrate the effectiveness of the vulnerability management program?

Select 3 answers
A.Open vulnerability count by severity
B.Number of employees in IT security
C.Budget for security tools
D.Mean time to remediate critical vulnerabilities
E.Patch compliance percentage
AnswersA, D, E

Provides a snapshot of current vulnerabilities.

Why this answer

These three metrics cover remediation speed, current risk posture, and compliance with patching policies, which are key indicators.
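Questions 29, 48 and 53 name the same three metrics. The following is an added example, not code from the question bank: it computes mean time to remediate for critical findings, open count by severity and patch compliance percentage over a constructed set of scanner findings and a constructed patch inventory, and adds an overdue list so that open criticals are not hidden by a healthy-looking average. The record layout, severities and SLA days are assumptions made for the example.

```python
"""Vulnerability-management KPIs (added example, not part of the question bank).

Computes the three board-level metrics from questions 29, 48 and 53 over
constructed sample data. The record layout, severity names and SLA days are
assumptions for the example; real data comes from a scanner export or
ticketing system.
"""
from collections import Counter
from datetime import date
from typing import Optional

# Constructed findings: one row per (host, vulnerability); 'remediated' is
# None while the finding is still open.
FINDINGS = [
    {"id": "V-1", "host": "web01", "severity": "Critical", "detected": date(2024, 3, 1),  "remediated": date(2024, 3, 4)},
    {"id": "V-2", "host": "web02", "severity": "Critical", "detected": date(2024, 3, 2),  "remediated": date(2024, 3, 9)},
    {"id": "V-3", "host": "db01",  "severity": "Critical", "detected": date(2024, 3, 10), "remediated": None},
    {"id": "V-4", "host": "web01", "severity": "High",     "detected": date(2024, 2, 20), "remediated": date(2024, 3, 15)},
    {"id": "V-5", "host": "app01", "severity": "High",     "detected": date(2024, 3, 12), "remediated": None},
    {"id": "V-6", "host": "app01", "severity": "Medium",   "detected": date(2024, 3, 12), "remediated": None},
    {"id": "V-7", "host": "db01",  "severity": "Low",      "detected": date(2024, 1, 5),  "remediated": None},
]

# Constructed patch inventory: patches required per host versus installed.
PATCH_STATUS = {
    "web01": {"required": {"KB1", "KB2"}, "installed": {"KB1", "KB2"}},
    "web02": {"required": {"KB1", "KB2"}, "installed": {"KB1"}},
    "app01": {"required": {"KB3"},        "installed": {"KB3"}},
    "db01":  {"required": {"KB4", "KB5"}, "installed": {"KB4", "KB5"}},
}

# Assumed remediation SLA (days) per severity, and the reporting date.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
AS_OF = date(2024, 3, 31)
SEVERITIES = ("Critical", "High", "Medium", "Low")


def mean_time_to_remediate(findings, severity="Critical") -> Optional[float]:
    """Mean days from detection to closure for remediated findings of one severity.

    Open findings are excluded because they have no closure date yet; the
    overdue list is the companion metric that keeps them visible.
    """
    closed = [f for f in findings
              if f["severity"] == severity and f["remediated"] is not None]
    if not closed:
        return None
    return sum((f["remediated"] - f["detected"]).days for f in closed) / len(closed)


def open_count_by_severity(findings) -> dict:
    """Snapshot of what is still open, bucketed by severity (every bucket present)."""
    counts = Counter(f["severity"] for f in findings if f["remediated"] is None)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def overdue_open_findings(findings, as_of, sla_days) -> list:
    """Open findings whose age exceeds the SLA for their severity."""
    overdue = []
    for f in findings:
        if f["remediated"] is not None:
            continue
        age = (as_of - f["detected"]).days
        if age > sla_days[f["severity"]]:
            overdue.append((f["id"], f["severity"], age))
    return overdue


def patch_compliance_percentage(patch_status) -> float:
    """Percentage of hosts with every required patch installed."""
    if not patch_status:
        return 0.0
    compliant = sum(1 for s in patch_status.values() if s["required"] <= s["installed"])
    return round(100.0 * compliant / len(patch_status), 1)


def kpi_report(findings=FINDINGS, patch_status=PATCH_STATUS, as_of=AS_OF) -> dict:
    """Assemble the board-level report as one dictionary."""
    return {
        "mttr_critical_days": mean_time_to_remediate(findings, "Critical"),
        "open_by_severity": open_count_by_severity(findings),
        "overdue": overdue_open_findings(findings, as_of, SLA_DAYS),
        "patch_compliance_pct": patch_compliance_percentage(patch_status),
    }


if __name__ == "__main__":
    for key, value in kpi_report().items():
        print(f"{key}: {value}")
```

On the sample data the critical MTTR is 5.0 days, which looks fine on its own, yet V-3 has been open for 21 days against a 7-day SLA; reporting the open count and the overdue list alongside the average is what prevents that from being missed.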

54
MCQmedium

An organization wants to test its web application for vulnerabilities by running the application and probing it with malicious inputs. Which tool is BEST suited for this purpose?

A.OWASP ZAP
B.Checkmarx
C.SonarQube
D.Veracode
AnswerA

OWASP ZAP is a DAST tool for testing running web applications.

Why this answer

DAST tools such as OWASP ZAP and Burp Suite exercise a running application by sending crafted requests and analyzing the responses, which is exactly what the question describes. Checkmarx and SonarQube are static analysis (SAST) products that work on source code, and Veracode is best known for its binary static analysis; none of them is the purpose-built choice for probing a live application.

55
MCQhard

A company's security team uses a tool that instruments the application at runtime to monitor and block attacks. This is an example of:

A.IAST
B.RASP
C.SAST
D.DAST
AnswerB

RASP provides runtime self-protection.

Why this answer

RASP (Runtime Application Self-Protection) integrates with the application to detect and block attacks in real time.
