ISC2 CC Practice Exam 2
Take your exam preparation to the next level with fully simulated online practice tests designed to replicate the real exam experience. These exams feature realistic questions, timed conditions, and detailed explanations to help you assess your knowledge, identify weak areas, and build confidence before test day.
1. A company is implementing security controls to comply with the Health Insurance Portability and Accountability Act (HIPAA). During this process, they must address the protection of electronic patient health information (ePHI). Which of the following actions demonstrates compliance with HIPAA?
Correct Answer: A. Encrypting ePHI stored on internal systems and transmitted over the network Explanation: The correct answer is (A) because the HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of ePHI. Encryption of ePHI at rest and in transit is an addressable technical safeguard under the Security Rule, and encrypted ePHI that is lost or stolen is not "unsecured PHI" under the Breach Notification Rule, which is why it is the usual choice. (B) is incorrect because limiting access solely to IT personnel ignores the principle of least privilege and role-based access control: clinicians and billing staff need ePHI to do their jobs, and IT staff generally do not. (C) is incorrect because, while transparency is good practice, posting policies online does not by itself protect ePHI. (D) is incorrect because disabling all external access is impractical (patients, partners, and remote clinicians need access) and would disrupt legitimate operations. Encryption protects ePHI while preserving operational functionality.
2. A network administrator has configured VLANs to isolate traffic for different departments in a company. After implementing the VLANs, users report that they can no longer access shared network printers located in a different VLAN. What is the most likely cause of this issue?
Correct Answer: B. Trunking is not enabled on the switch ports connecting the VLANs Explanation: Trunking not being enabled (B) is the correct answer. Each VLAN is its own Layer 2 broadcast domain, so traffic between two VLANs has to pass through a Layer 3 device (a router or a Layer 3 switch). The link from the access switch to that device, and any link between switches, must be an 802.1Q trunk so that frames from several VLANs can cross it with their VLAN tags intact; if those ports are left as access ports, only one VLAN reaches the routing device and the printer VLAN is unreachable from the others. The printers not being assigned to a VLAN (A) is incorrect because a port with no VLAN configured sits in the default VLAN (VLAN 1 on most switches); the printers would still be reachable once inter-VLAN routing works, so this would not explain the symptom. A switch that does not support VLAN tagging (C) is unlikely if the VLANs themselves are operational. Two VLANs using the same IP range (D) would break routing between them, but that is a different misconfiguration from the one described. Enabling trunking lets tagged VLAN traffic reach the routing device and the shared printers. Note that a trunk alone does not route between VLANs: an inter-VLAN routing configuration (a router-on-a-stick subinterface per VLAN, or a switched virtual interface on a Layer 3 switch) is still required.
3. An attacker analyzes the timing of encrypted messages sent between a user and a web server. By measuring variations in response times, the attacker deduces the encryption key being used. What type of attack does this scenario illustrate?
Correct Answer: B. Side-channel attack Explanation: The attack analyzes timing variations to deduce a key, which is characteristic of a side-channel attack (B). Side-channel attacks exploit information that leaks from the physical implementation of a system, such as timing, power consumption, electromagnetic emissions, or cache behavior, rather than a weakness in the algorithm itself; the defense is an implementation whose observable behavior does not depend on secret data (constant-time comparisons and arithmetic, blinding). Option A, Brute force attack, systematically guesses keys or passwords and does not use timing data. Option C, Buffer overflow, targets memory-safety bugs and does not analyze side-channel information. Option D, Man-in-the-Middle (MITM) attack, intercepts or manipulates communications but does not rely on timing analysis.
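As an added example (not part of the original exam material), the following Python models the early-exit comparison behind this kind of timing leak and shows the constant-time fix beside it. The simulated server, the secret value and the hex alphabet are constructed for the demonstration, and the "work" counter stands in for the response time an attacker would measure over the network; hmac.compare_digest is the standard-library constant-time comparison.

```python
import hmac


def leaky_equal(expected: bytes, candidate: bytes) -> tuple[bool, int]:
    """Compare byte by byte and return on the first mismatch.

    The second value is the number of bytes examined before returning. That
    count is what an attacker's clock sees: every correct leading byte costs
    one more loop iteration, so the response time grows with the length of
    the correct prefix.
    """
    if len(expected) != len(candidate):
        return False, 0
    examined = 0
    for a, b in zip(expected, candidate):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_equal(expected: bytes, candidate: bytes) -> bool:
    """The fix: hmac.compare_digest's running time depends on the length of
    the inputs, not on where the first differing byte is."""
    return hmac.compare_digest(expected, candidate)


def recover_secret_by_timing(oracle, length: int, alphabet: bytes) -> bytes:
    """Prefix-recovery attack against an early-exit comparison.

    oracle(candidate) returns the work the target did for that candidate,
    standing in for a measured response time. The attacker fixes one byte
    at a time, keeping whichever value made the target work longest.
    """
    guess = bytearray(length)  # starts as all zero bytes
    for pos in range(length):
        best_byte, best_work = alphabet[0], -1
        for b in alphabet:
            guess[pos] = b
            work = oracle(bytes(guess))
            if work > best_work:
                best_byte, best_work = b, work
        guess[pos] = best_byte
    return bytes(guess)


# Constructed secret for the demonstration (a real key would be far longer);
# a hex alphabet keeps the search to 16 guesses per position.
SECRET = b"4f9a1c"
HEX_ALPHABET = b"0123456789abcdef"


def vulnerable_server(candidate: bytes) -> int:
    """Simulated target: leaky comparison, then extra work on success
    (e.g. issuing a session), which is itself observable as timing."""
    ok, examined = leaky_equal(SECRET, candidate)
    return examined + (10 if ok else 0)


def demo() -> dict:
    recovered = recover_secret_by_timing(vulnerable_server, len(SECRET), HEX_ALPHABET)
    return {
        "recovered": recovered,
        "matches": recovered == SECRET,
        # the constant-time version gives the attacker nothing to rank guesses by
        "constant_time_still_correct": constant_time_equal(SECRET, SECRET)
        and not constant_time_equal(SECRET, b"4f9a1d"),
    }
```

The attack needs only 16 guesses per position instead of 16 to the power of the length, which is the whole point of the leak. Against constant_time_equal every candidate costs the same, so the ranking step has nothing to work with; in real systems the same rule applies to MAC verification, password-hash comparison and token checks.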
4. An organization’s incident response plan includes a step to contact key stakeholders during a security event. Which component of an incident response plan does this action represent?
Correct Answer: B. Notification and communication procedures. Explanation: Notification and communication procedures (B) are critical components of an incident response plan, ensuring that stakeholders, including internal teams, management, and possibly external entities, are informed during a security event. Effective communication prevents confusion and aids in coordinated responses. Option A (eradication phase) is incorrect, as this refers to removing threats, not communicating with stakeholders. Option C (lessons learned documentation) is part of the post-incident phase, not the active response. Option D (incident prioritization) relates to evaluating the severity of incidents but does not directly address stakeholder communication.
5. An organization's employees report that they were redirected to fake login pages while trying to access a company portal. The issue was traced back to unauthorized changes in DNS settings. What type of threat is this an example of?
Correct Answer: B. DNS poisoning Explanation: The scenario involves employees being redirected to fake login pages because of unauthorized DNS changes, which is a hallmark of DNS poisoning (B): the attacker corrupts the DNS data a resolver serves so that a legitimate name resolves to an attacker-controlled address. Strictly, corrupting cached answers is cache poisoning and altering the resolver or zone settings themselves is DNS hijacking; the user-visible effect, redirection to a look-alike page, is the same and the exam treats both as DNS poisoning. A practical check is to compare the answer from the configured resolver with the answer from the authoritative name server or a known-good public resolver, and to treat unexpected certificate warnings on the portal as a signal rather than something to click through. Option A, ARP spoofing, falsifies ARP replies to associate the attacker's MAC address with a legitimate IP address on the local segment and does not involve DNS. Option C, Zero-day exploit, exploits a previously unknown software vulnerability and is unrelated to DNS alterations. Option D, Cross-site scripting (XSS), injects malicious scripts into web pages but does not change DNS settings.
6. An organization uses a Software as a Service (SaaS) platform for email and document collaboration. The security team identifies that employees are using weak passwords, increasing the risk of unauthorized access. What is the most effective way to mitigate this issue?
Correct Answer: A. Configure the SaaS platform to enforce multi-factor authentication (MFA) Explanation: Configuring the SaaS platform to enforce multi-factor authentication (MFA) (A) is the correct answer because it adds a factor beyond the password, so a guessed or leaked weak password alone no longer grants access. Restricting access to specific IP addresses (B) enhances security but is impractical for remote and mobile users and does nothing once an attacker is inside an allowed network. Enabling encryption (C) protects data but does not prevent access with valid but compromised credentials. Using a CASB (D) provides visibility and policy enforcement across SaaS usage but does not directly address weak passwords. MFA is a compensating control rather than a replacement for a password policy: the platform's minimum length and breached-password checks should be enforced as well, and phishing-resistant factors (FIDO2/WebAuthn) are preferable to SMS codes.
7. A software developer in a mid-sized company is found using company-provided development tools to work on a personal freelance project. This activity violates the organization’s Acceptable Use Policy (AUP), which restricts the use of corporate resources to official business purposes. What is the first step the organization should take to mitigate this situation?
Correct Answer: B. Conduct a formal investigation Explanation: The correct answer is (B) because conducting a formal investigation gives the organization a clear understanding of the extent and impact of the policy violation before it takes further action. (A) is incorrect because revoking access prematurely might disrupt legitimate work without resolving the issue systematically. (C) is incorrect because notifying the freelance client is not the organization's responsibility and could breach confidentiality agreements. (D) is incorrect because requiring reimbursement does not address the root cause or prevent future violations. A thorough investigation allows the organization to determine appropriate next steps while maintaining fairness and accountability.
8. A network administrator proposes a change to update the organization’s firewall configuration to address a newly discovered vulnerability. According to the change management policy, which step should be taken before implementing the change?
Correct Answer: C. Submit the change request for review and approval by the change advisory board Explanation: The correct answer is (C) because submitting the change request for review and approval by the change advisory board ensures that the risks and impacts are evaluated before implementation, which is the core of a change management policy; a security fix is still a change, and an emergency-change path with after-the-fact review exists for genuinely urgent cases. (A) is incorrect because applying changes during business hours without review risks causing disruptions. (B) is incorrect because testing changes directly on production systems is risky and violates change management best practices; a firewall rule should be validated in a test environment or against a rule simulation first. (D) is incorrect because documenting the change only after implementation leaves no record of the decision-making and risk assessment. Approval ensures compliance with established processes and mitigates risk.
9. An organization discovers that many of its systems have outdated firmware, creating a potential attack surface. The IT team is tasked with addressing this issue as part of the system hardening process. What is the most efficient method to ensure all systems remain up-to-date?
Correct Answer: B. Establish a routine schedule for firmware updates and monitor vendor releases Explanation: Establishing a routine schedule for firmware updates (B) and monitoring vendor releases ensures that updates are applied in a timely and organized manner, reducing security risk while minimizing disruption. Deploying updates only during major overhauls (A) leaves systems exposed for extended periods. Automatic updates (C) may cause compatibility issues if they are not tested beforehand, and a failed firmware update can leave a device unbootable, which is why firmware is normally staged and tested rather than pushed automatically. Applying updates selectively (D) introduces inconsistency and leaves the remaining systems vulnerable. A structured, proactive schedule balances efficiency and security across all systems.
10. After a significant security incident, an organization plans to implement a robust configuration management process to enhance its system hardening efforts. Which approach would best reduce the likelihood of similar incidents?
Correct Answer: B. Implement a configuration management database (CMDB) Explanation: A configuration management database (CMDB) (B) is the authoritative record of every system and its approved baseline configuration; paired with configuration-management tooling that compares live systems against that record, it makes drift from the hardened baseline visible and correctable, reducing the risk of misconfigurations. Manual processes (A) are prone to human error and do not scale to large environments. While an IDS (C) can detect some unauthorized changes, it is a detective control and does not enforce compliance with security baselines. Security training (D) is valuable but insufficient as a standalone measure; it cannot ensure ongoing consistency of configurations. A CMDB provides a systematic, enforceable, and scalable basis for maintaining hardened configurations.
11. An organization uses an online survey platform to collect employee feedback. Employees are assured that their responses will remain anonymous. However, the IT team discovers that the platform logs IP addresses, which can be used to identify respondents. What privacy control should the organization implement to ensure anonymity?
Correct Answer: B. Mask or anonymize IP addresses Explanation: To ensure anonymity, the organization should mask or anonymize IP addresses (B), as these can uniquely identify respondents. Option A (Encrypt the survey responses) protects confidentiality but does not ensure anonymity if IP addresses are still logged. Option C (Use a more secure survey platform) may improve security but does not guarantee anonymity if logging practices remain unchanged. Option D (Limit access to survey responses) ensures fewer individuals can view the data but does not address the risk posed by identifiable information like IP addresses. Anonymization is critical to uphold promises of anonymity and protect respondents’ privacy.
12. An IaaS customer deploys multiple virtual machines on a cloud platform and assigns administrative responsibilities to a team of users. To ensure secure access, the customer wants to follow the principle of least privilege. Which configuration should the customer implement?
Correct Answer: B. Use role-based access control (RBAC) to assign permissions based on roles Explanation: Using role-based access control (RBAC) to assign permissions based on roles (B) is the correct answer because it enforces the principle of least privilege by granting users only the access necessary for their roles. Granting all users full administrative rights (A) violates the principle of least privilege and increases security risks. Disabling multi-factor authentication (C) weakens account security and exposes the infrastructure to unauthorized access. Assigning a single shared account (D) compromises accountability and traceability of administrative actions. RBAC ensures secure and controlled access management in an IaaS environment.
13. A security team is performing a routine audit and discovers that some employees are not following the approved procedure for handling sensitive data. What is the most appropriate first step to address this issue?
Correct Answer: B. Retrain employees on the importance of following the procedure Explanation: The correct answer is (B) Retrain employees on the importance of following the procedure because non-compliance often stems from a lack of understanding or awareness. Governance processes rely on consistent adherence to procedures, which can be reinforced through training. (A) is incorrect because revising the procedure without understanding the root cause of non-compliance may compromise governance objectives. (C) is incorrect because penalizing employees without addressing the underlying issues can create resentment and does not ensure long-term compliance. (D) is incorrect because removing the procedure undermines governance and exposes the organization to risks associated with the improper handling of sensitive data. Training ensures alignment between employee actions and procedural requirements.
14. Two organizations are planning to collaborate on a cybersecurity training initiative. They need a formal document to outline their shared objectives and respective contributions while ensuring both parties are aligned on expectations. However, they do not want the document to be legally enforceable. What is the best type of document for this scenario?
Correct Answer: C. Memorandum of Understanding (MOU) Explanation: A Memorandum of Understanding (MOU) (C) is the correct answer because it serves as a formal document to outline shared objectives and contributions without creating a legally binding obligation. Service Level Agreements (SLAs) (A) focus on defining service delivery metrics, which is not relevant in this collaborative initiative. A Memorandum of Agreement (MOA) (B) is similar to an MOU but can often carry more enforceable elements depending on jurisdiction or intent, making it less suitable if a legally binding document is not desired. A Partnership Contract (D) is legally binding and inappropriate if the organizations want to avoid enforceable obligations. An MOU provides the desired level of formality and flexibility for the training initiative.
15. A financial institution uses RBAC for its trading platform. Traders can execute trades, compliance officers can review trading activities, and IT administrators can manage the system. During an investigation, a compliance officer requests access to execute trades to test potential violations. What is the best response to this request under RBAC principles?
Correct Answer: B. Deny the request and advise the compliance officer to work with a trader. Explanation: RBAC separates duties to prevent conflicts of interest and enforce strict control over sensitive operations. (A) is incorrect because granting temporary access undermines the principle of least privilege. (B) is correct as it maintains the separation of duties and ensures the compliance officer collaborates with the appropriate role. (C) is incorrect because creating combined roles erodes the clear boundaries of RBAC. (D) is incorrect because time-limited access still violates RBAC principles and creates potential risks.
16. A security team is responsible for monitoring access to a high-security facility using both physical guards and electronic access controls. Which of the following would be the most effective monitoring technique to ensure that the access control system is functioning as intended?
Correct Answer: B) Use access logs to identify any unexplained gaps in access attempts Explanation: Using access logs (B) to identify unexplained gaps in access attempts is the most effective way to ensure that the electronic access control system is functioning properly, as it can quickly reveal system failures, malfunctions, or unauthorized access attempts. Random inspections of guards (A) may provide occasional insight, but it does not directly address the functionality of the access system. Periodic testing of locks (C) is a good preventive measure but is not directly tied to real-time monitoring. Monitoring CCTV footage (D) for badge scanning ensures proper behavior but may not provide insight into system failures or unauthorized attempts.
17. Which of the following physical security measures is most effective for preventing unauthorized personnel from accessing sensitive areas of an office building after hours?
Correct Answer: B) Access control systems Explanation: Access control systems, such as card readers or biometric scanners, are designed to control who can enter certain areas based on authorization. These systems effectively prevent unauthorized personnel from accessing sensitive areas, especially during off-hours. (A) A firewall is a technical control that protects against unauthorized network access but does not impact physical access to facilities. (C) Security awareness training is an administrative control aimed at educating employees but does not directly prevent unauthorized physical access. (D) An IDS detects network intrusions but does not provide physical security for buildings or rooms.
18. A data center administrator notices that critical servers are frequently experiencing performance degradation due to inconsistent environmental conditions. The facility lacks automated systems to monitor and control these conditions. Which solution should be implemented to maintain optimal environmental stability?
Correct Answer: A. Install a dedicated HVAC system and temperature sensors Explanation: Installing a dedicated HVAC system and temperature sensors (A) is the correct answer because it ensures consistent control of environmental factors such as temperature and humidity, critical for maintaining server performance. HVAC systems are specifically designed to handle the cooling and airflow needs of data centers, and sensors provide real-time monitoring to detect and respond to changes promptly. Using portable air conditioning units (B) is incorrect because they are not reliable for large-scale, continuous cooling and lack integration with monitoring systems. Deploying air circulation fans and reducing server load (C) is a temporary measure that does not address the root cause of inconsistent environmental conditions. Opening ventilation panels (D) can compromise security and fails to provide controlled cooling. Dedicated HVAC systems combined with sensors provide the most effective and scalable solution.
19. Which of the following technical controls is used to enforce security policies by restricting access to specific applications and resources based on the user’s identity and role within an organization?
Correct Answer: A) Role-Based Access Control (RBAC) Explanation: RBAC restricts access to resources based on a user's role within the organization. This ensures that users only have access to the information necessary for their job, based on predefined roles. (B) An Intrusion Prevention System (IPS) is a network security measure designed to detect and block potential threats, but it does not enforce access control. (C) Public Key Infrastructure (PKI) is used for secure communication, not for enforcing user-specific access controls. (D) Multi-factor Authentication (MFA) strengthens the authentication process but does not define access policies based on roles.
20. A visitor is attempting to enter a restricted area within a company’s facility. The visitor is authorized to access the area but does not possess the proper access credentials. What is the appropriate course of action in this situation?
Correct Answer: C) Issue temporary access credentials to the visitor and ensure they are escorted by authorized personnel Explanation: The appropriate response (C) is to issue temporary access credentials and ensure the visitor is escorted by authorized personnel. This maintains security while allowing legitimate visitors access to restricted areas. Simply confirming identity (A) without issuing credentials may lead to confusion and breaches of protocol. Denying access (B) is too extreme if the visitor is authorized but lacks the correct credentials. Allowing the visitor to enter without a proper system in place (D) could compromise the security of the restricted area by failing to track or manage their access properly.
21. A penetration tester conducts a scan on an organization's network and identifies open ports on multiple devices. The tester uses this information to determine which services are running and identify potential vulnerabilities. What type of scan is being performed?
Correct Answer: B. Port scan Explanation: The described activity, identifying open ports and the services behind them, is the primary function of a port scan (B). Port scanning maps the attack surface by revealing exposed services; service identification usually follows from the banner a service sends or from how it responds to protocol-specific probes. Option A, Vulnerability scan, identifies specific weaknesses in systems and typically builds on port-scan results rather than being limited to them. Option C, Malware scan, detects malicious files on a system rather than analyzing network services. Option D, Packet capture scan, captures and analyzes network traffic but does not actively identify open ports or services.
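As an added Python example (not from the original page), here is a minimal TCP connect scan with banner grabbing. It starts its own listener on 127.0.0.1 that sends a constructed banner, so it runs offline; the banner text and the service-guessing rules are assumptions for the demonstration. A connect scan completes the TCP handshake, so it is logged by the target and is the noisiest scan type; SYN and other half-open scans need raw sockets and are out of scope here.

```python
import socket
import threading
from contextlib import closing

# Constructed banner for the local test service, modelled on an SSH server's
# greeting: the kind of unsolicited hello that lets a scanner name the
# service behind an open port.
DEMO_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"


def start_listener(banner: bytes = DEMO_BANNER):
    """Start a throwaway TCP service on 127.0.0.1 that greets every client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed: stop serving
                return
            with closing(conn):
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5) -> dict:
    """TCP connect scan of one port, then a passive banner grab if it is open."""
    result = {"port": port, "open": False, "banner": None}
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        # connect_ex returns 0 on a completed handshake, an errno otherwise
        # (ECONNREFUSED for closed, a timeout for filtered ports).
        if s.connect_ex((host, port)) != 0:
            return result
        result["open"] = True
        try:
            data = s.recv(128)
            result["banner"] = data.decode("ascii", "replace").strip() or None
        except (socket.timeout, OSError):
            pass  # open, but the service waits for the client to speak first
    return result


def guess_service(banner):
    """Rules of thumb assumed for the demo; real scanners use large probe databases."""
    if not banner:
        return "unknown"
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 "):
        return "smtp-or-ftp"
    if banner.startswith("HTTP/"):
        return "http"
    return "unknown"


def scan(host: str, ports) -> list:
    findings = []
    for port in ports:
        r = probe(host, port)
        r["service"] = guess_service(r["banner"]) if r["open"] else None
        findings.append(r)
    return findings


def free_port() -> int:
    """Reserve and release an ephemeral port so the scan has a known-closed target."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> list:
    srv, open_port = start_listener()
    try:
        return scan("127.0.0.1", [open_port, free_port()])
    finally:
        srv.close()


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Services such as HTTP say nothing until the client sends a request, so a banner grab alone misses them; a real scanner follows up with protocol-specific probes. Only scan hosts you are authorized to test.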
22. During a routine security audit, an organization discovered that its on-premises network lacks sufficient segmentation, allowing unrestricted communication between departments. To enhance security, they decide to implement a technology that will separate networks based on business functions while minimizing physical hardware requirements. What should they implement?
Correct Answer: B. Virtual LANs (VLANs) Explanation: Virtual LANs (VLANs) (B) are the correct answer because they logically segment a switched network into separate broadcast domains, isolating departmental traffic without additional physical infrastructure. Physical firewalls (A) are incorrect because separating each department would require a firewall interface or appliance at every boundary; firewalls are commonly used to enforce policy between VLANs, but the VLANs provide the segmentation itself. Network Address Translation (NAT) (C) hides internal IP addresses from external networks and is unrelated to internal segmentation. Load balancers (D) distribute traffic across servers and do not segment networks. VLANs are the most efficient solution for isolating network segments in this context; to be effective, the inter-VLAN routing point must also carry access control lists or a firewall, otherwise the segments remain freely reachable from one another.
23. A financial institution is designing an access control model for its loan approval process. Loan officers are responsible for entering loan applications into the system, while managers approve or reject applications. During a review, a new requirement arises to ensure that managers cannot create loan applications themselves. What change should the institution make to comply with segregation of duties?
Correct Answer: B. Implement role-based access control to restrict managers from creating loan applications. Explanation: Segregation of duties aims to separate roles that could lead to conflicts of interest or abuse of power. (A) is incorrect because allowing exceptions undermines the principle of segregation. (B) is correct as role-based access control enforces clear separation of duties, ensuring managers cannot create applications. (C) is incorrect because audits detect violations after the fact but do not prevent them. (D) is incorrect as it introduces inefficiency and does not resolve the root cause of overlapping duties.
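As an added Python example (not the page's own code), here is an RBAC policy with a static separation-of-duties constraint, so that no one can hold both the creating and the approving role. It models the loan-approval scenario above and, with different role names, the trading-platform scenario in question 15; the role names, permission strings and users are constructed for the example.

```python
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    pass


@dataclass
class RbacPolicy:
    # role -> permissions granted by that role
    role_permissions: dict[str, set[str]]
    # static separation of duties: pairs of roles one person may never hold together
    mutually_exclusive: set[frozenset[str]] = field(default_factory=set)
    # user -> roles currently assigned
    assignments: dict[str, set[str]] = field(default_factory=dict)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise ValueError(f"unknown role {role!r}")
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset({other, role}) in self.mutually_exclusive:
                raise AuthorizationError(
                    f"{user} cannot hold {role!r}: it conflicts with {other!r}")
        held.add(role)

    def permissions_of(self, user: str) -> set[str]:
        roles = self.assignments.get(user, set())
        return set().union(*(self.role_permissions[r] for r in roles))

    def is_allowed(self, user: str, permission: str) -> bool:
        # Deny by default: a user with no roles gets nothing.
        return permission in self.permissions_of(user)

    def enforce(self, user: str, permission: str) -> None:
        if not self.is_allowed(user, permission):
            raise AuthorizationError(f"{user} lacks {permission!r}")


def loan_policy() -> RbacPolicy:
    """Constructed policy for the loan-approval scenario."""
    policy = RbacPolicy(
        role_permissions={
            "loan_officer": {"application:create", "application:read"},
            "manager": {"application:read", "application:approve", "application:reject"},
            "auditor": {"application:read", "audit_log:read"},
        },
        # the new requirement: nobody may both create and approve applications
        mutually_exclusive={frozenset({"loan_officer", "manager"})},
    )
    policy.assign("alice", "loan_officer")
    policy.assign("bob", "manager")
    policy.assign("carol", "auditor")
    return policy


def create_application(policy: RbacPolicy, user: str, applicant: str) -> dict:
    """Business operation guarded by the policy; returns the created record."""
    policy.enforce(user, "application:create")
    return {"applicant": applicant, "created_by": user, "status": "pending"}


def approve_application(policy: RbacPolicy, user: str, application: dict) -> dict:
    policy.enforce(user, "application:approve")
    # Dynamic separation of duties as a second line of defence: even if the
    # role assignments were ever misconfigured, self-approval is refused.
    if application["created_by"] == user:
        raise AuthorizationError("creator may not approve their own application")
    return {**application, "status": "approved", "approved_by": user}
```

The static constraint is checked at assignment time, which is where audits usually find violations; the check inside approve_application catches the case at the moment of use. Temporary or time-limited grants, the distractors in question 15, would bypass the first check and are exactly what the second one is for.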
24. A web application is experiencing a high volume of traffic, causing delays and connection timeouts for users. To improve performance, the application team decides to implement a solution at the application layer. Which of the following options would best address this issue?
Correct Answer: B. Deploy a load balancer to distribute traffic. Explanation: The correct answer is (B) because deploying a load balancer at the application layer helps distribute incoming traffic across multiple servers, reducing the load on any single server and improving performance for users. (A) Increasing physical memory on the server may help performance in some cases but does not address traffic distribution. (C) Configuring QoS operates at lower network layers and prioritizes certain types of traffic but does not alleviate server load issues. (D) Using encryption secures user sessions but does not mitigate traffic congestion or improve response times.
25. A financial services company uses an online portal for customer transactions. During peak hours, the system often becomes slow, and customers are unable to complete their transactions. What solution should the company implement to ensure availability during high usage periods?
Correct Answer: B. Load balancing Explanation: The company should implement load balancing (B) to distribute traffic evenly across multiple servers, ensuring the system remains responsive and available during high usage periods. Option A (Multi-factor authentication) enhances access security but does not address system performance. Option C (Data encryption) protects confidentiality, not availability. Option D (Virtual private network) provides secure communication but does not solve performance issues. Load balancing directly addresses the problem of system overload, ensuring that resources are optimally utilized to maintain availability.
26. A software development team is designing an internal application that authenticates users via their corporate email credentials. During a security assessment, it is suggested that implementing session timeouts could enhance authentication security. What is the primary purpose of session timeouts in this context?
Correct Answer: A. To prevent unauthorized access from abandoned sessions Explanation: Session timeouts (A) prevent unauthorized access by automatically ending a session after a period of inactivity, reducing the window in which an attacker can use an unattended browser or a stolen session identifier. Option B (To enforce password complexity policies) is unrelated to session management. Option C (To detect and block brute-force attacks) is addressed by rate limiting and account lockout, not timeouts. Option D (To simplify the authentication process for users) contradicts the purpose of timeouts, which require users to re-authenticate. In practice an idle timeout is combined with an absolute maximum session lifetime, and expiry must be enforced server-side by invalidating the session rather than relying on the client to discard its cookie.
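As an added Python example (not from the original page), a server-side session store with both a sliding idle timeout and an absolute timeout. The clock is injectable so the expiry behaviour can be exercised without waiting; the 15-minute and 8-hour values and the FakeClock are constructed for the demonstration.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session ends
ABSOLUTE_TIMEOUT = 8 * 3600   # hard ceiling on session age, active or not


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side sessions with a sliding idle timeout and an absolute timeout."""

    def __init__(self, clock=time.monotonic, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        self._clock = clock
        self._idle = idle
        self._absolute = absolute
        self._sessions: dict[str, Session] = {}

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256-bit random ID, never a counter
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def resolve(self, token: str):
        """Return the user for a live session, or None.

        Expired sessions are deleted, not merely rejected, so an abandoned
        session cannot be revived later.
        """
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > self._idle or now - s.created_at > self._absolute:
            del self._sessions[token]
            return None
        s.last_seen = now  # activity extends the idle window, never the absolute one
        return s.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def live_count(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Constructed clock for the demonstration."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    clock = FakeClock()
    store = SessionStore(clock=clock, idle=15 * 60, absolute=8 * 3600)

    alice = store.login("alice")
    clock.advance(10 * 60)            # 10 min idle: within the idle window
    after_10_min = store.resolve(alice)
    clock.advance(20 * 60)            # 20 more min idle: past it, session dropped
    after_30_min = store.resolve(alice)

    bob = store.login("bob")
    active_results = []
    for _ in range(40):               # a request every ~13 min keeps bob active...
        clock.advance(800)
        active_results.append(store.resolve(bob))  # ...until the 8 h absolute limit

    return {
        "after_10_min": after_10_min,
        "after_30_min": after_30_min,
        "active_results": active_results,
        "live_sessions": store.live_count(),
    }
```

A monotonic clock is used deliberately: wall-clock adjustments must not extend a session. The absolute timeout is what bounds the damage from a session identifier that was stolen while the user was still active.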
27. A financial organization has implemented security baselines for its servers to ensure consistent system hardening. During an internal audit, it was discovered that several systems deviate from the baseline configurations. What is the most effective way for the organization to bring the systems back into compliance?
Correct Answer: C. Use automated tools to compare systems against the baseline and remediate deviations Explanation: Using automated tools to compare and remediate systems (C) is the most effective way to align systems with baseline configurations: automation reduces human error, produces an auditable record of each deviation, and enforces consistency across all systems. Manually comparing and updating configurations (A) is error-prone and labor-intensive, especially in large environments. Reimaging systems (B) achieves compliance but is resource-intensive and disruptive, and it does not explain why the systems drifted in the first place. Stricter policies (D) alone provide no enforcement mechanism. Automation integrates baseline enforcement into routine operations, so deviations are detected and corrected continuously rather than at the next audit.
28. A company hosts a secure e-commerce website, and customers are experiencing issues accessing it. After analysis, it is determined that the issue is related to traffic being blocked on a specific port. Which port should be checked to restore secure web access?
Correct Answer: B. 443 Explanation: The correct answer is (B) because port 443 is used for HTTPS, which ensures secure communication between a web browser and a server. If this port is blocked, customers will be unable to access the secure e-commerce website. (A) is incorrect because port 80 is used for HTTP, which does not provide encrypted connections. (C) is incorrect because port 8080 is often used for alternative or proxy web services but is not the standard for secure connections. (D) is incorrect because port 53 is used by DNS for domain name resolution, which is unrelated to secure web access.
29. A company uses badge-based access control for its office building, requiring employees to scan their badges at the entrance. Which of the following is the biggest potential risk associated with this badge system?
Correct Answer: B) Unauthorized individuals using stolen or lost badges Explanation: The biggest risk with badge-based access control (B) is that a lost or stolen badge can be used by an unauthorized person, because the system authenticates the badge, not the holder. Employees forgetting their badges (A) is an inconvenience rather than a security vulnerability. Failure to record entry times (C) is an operational and audit issue but does not by itself grant access. Badge duplication (D) is a real risk that should not be dismissed: low-frequency 125 kHz proximity cards and MIFARE Classic cards can be cloned with inexpensive hardware, whereas badges that use encrypted, mutually authenticated smart-card protocols are much harder to copy. Lost or stolen badges remain the broader and more frequent risk because they apply regardless of badge technology; the mitigations are prompt deactivation, a PIN or biometric second factor on sensitive doors, and monitoring of badge use.
30. A healthcare organization’s risk assessment identified employees as the weakest link in its cybersecurity defenses due to frequent policy violations and poor security habits. How can security awareness training address this issue?
Correct Answer: B. Educate employees on their critical role in protecting sensitive data and systems Explanation: Security awareness training educates employees on their critical role in protecting sensitive data and systems (B), helping them understand how their actions affect the organization's security. Enforcing penalties (A) may deter some violations but does not address the root cause of poor habits or lack of knowledge. Investing in advanced tools (C) is important but does not resolve the behavioral weaknesses of employees. Limiting access to sensitive information (D) is a technical measure that might reduce risk but does not educate employees on their responsibilities. Training fosters a culture of accountability and awareness.
31. A company uses a mantrap system that consists of two interlocking doors. When the first door opens, the second remains locked until the first door is securely closed. This system primarily addresses which of the following security concerns?
Correct Answer: B) Tailgating and unauthorized entry Explanation: The mantrap system is specifically designed to prevent tailgating (B), a situation where an unauthorized person follows an authorized individual through an access point. The interlocking doors ensure that only one person can enter at a time, making it difficult for someone to slip through unnoticed. Denial of service (A) may occur due to a malfunction, but this is not the primary function of the mantrap. Environmental control (C) and fire hazards (D) are important considerations for a building but are unrelated to the function of the mantrap system.
32. A company has implemented an integrated security system that combines badge access logs, video surveillance, and gate entry monitoring. Which of the following monitoring techniques will most effectively improve the system's ability to detect tailgating?
Correct Answer: A) Review badge access logs for patterns of multiple entries in quick succession Explanation: Reviewing badge access logs (A) for patterns of multiple entries in quick succession is the most effective technique to detect tailgating, as it identifies when multiple individuals enter after a single valid badge swipe, a typical indicator of tailgating. Installing an additional entry point (B) would ease congestion but does not directly address the issue of unauthorized individuals following authorized users. CCTV footage (C) can detect tailgating but requires manual review, which can be less efficient. Biometric scanners (D) can improve individual tracking but are not designed specifically for tailgating detection.
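As an added Python example (not the page's own code), the following runs the two log checks described in question 16 (unexplained gaps at a reader) and in question 32 (multiple entries in quick succession) over a constructed badge-reader log. The log format, the 5-second and 6-hour thresholds and the door and badge identifiers are assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed badge-reader log: UTC timestamp, door, badge, result.
SAMPLE_LOG = """\
2024-03-04T08:00:05Z,lobby-east,B1001,GRANTED
2024-03-04T08:00:09Z,lobby-east,B1042,GRANTED
2024-03-04T08:00:12Z,lobby-east,B1077,GRANTED
2024-03-04T08:30:00Z,lobby-east,B1003,GRANTED
2024-03-04T08:31:00Z,server-room,B1003,GRANTED
2024-03-04T12:45:00Z,server-room,B1042,DENIED
2024-03-04T17:10:00Z,lobby-east,B1042,GRANTED
"""


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, badge, result = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "door": door, "badge": badge, "result": result,
        })
    events.sort(key=lambda e: e["time"])  # readers rarely log in perfect order
    return events


def _describe_run(door: str, run: list) -> dict:
    badges = [e["badge"] for e in run]
    return {"door": door, "start": run[0]["time"], "end": run[-1]["time"],
            "badges": badges, "distinct_badges": len(set(badges))}


def find_rapid_entries(events, max_gap=timedelta(seconds=5), min_entries=3) -> list:
    """Runs of GRANTED events at one door where each follows the last within
    max_gap. A run of several distinct badges can be a legitimate queue; a run
    with few distinct badges, or one badge granted twice, is the stronger
    tailgating signal, so both counts are reported for triage."""
    grants = defaultdict(list)
    for e in events:
        if e["result"] == "GRANTED":
            grants[e["door"]].append(e)
    findings = []
    for door, evs in grants.items():
        run = [evs[0]]
        for e in evs[1:]:
            if e["time"] - run[-1]["time"] <= max_gap:
                run.append(e)
            else:
                if len(run) >= min_entries:
                    findings.append(_describe_run(door, run))
                run = [e]
        if len(run) >= min_entries:
            findings.append(_describe_run(door, run))
    return findings


def find_reader_gaps(events, max_silence=timedelta(hours=6)) -> list:
    """Unusually long stretches with no events at all (granted or denied) at a
    door. A reader that has gone offline or stopped logging looks exactly
    like this, which is the failure question 16 is about."""
    times = defaultdict(list)
    for e in events:
        times[e["door"]].append(e["time"])
    findings = []
    for door, ts in times.items():
        for earlier, later in zip(ts, ts[1:]):
            if later - earlier > max_silence:
                findings.append({"door": door, "silent_from": earlier,
                                 "silent_until": later, "duration": later - earlier})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for finding in find_rapid_entries(evs) + find_reader_gaps(evs):
        print(finding)
```

In production the silence threshold should be set per door from its own history (a server-room reader is quiet for hours; a lobby reader is not), and a rapid-entry finding is confirmed against the CCTV footage for the same door and time window rather than acted on from the log alone.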
33. A company uses Network Access Control (NAC) to verify endpoint compliance before allowing devices onto the corporate network. Which parameter is most likely assessed during the compliance check?
Correct Answer: B. Device operating system patch level Explanation: Device operating system patch level (B) is the correct answer because NAC systems assess the security posture of endpoints by verifying parameters like OS patch levels, antivirus updates, and configuration compliance. User authentication credentials (A) are checked during authentication, not compliance verification. Network latency and bandwidth utilization (C) are performance metrics and are not part of NAC compliance checks. IP address assignment method (D) pertains to network configuration, not endpoint security posture. Verifying patch levels ensures devices are secure and less likely to introduce vulnerabilities to the network.
34. A healthcare organization operates a hybrid cloud to store patient records in a private cloud and manage patient appointment systems in the public cloud. To comply with regulatory requirements such as HIPAA, what should the organization prioritize?
Correct Answer: C. Ensuring the hybrid cloud solution supports role-based access control (RBAC) Explanation: Ensuring the hybrid cloud solution supports role-based access control (RBAC) (C) is the correct answer because RBAC enforces granular access control, ensuring that only authorized personnel can access sensitive patient records, aligning with HIPAA requirements. Encrypting patient records (A) is essential but applies primarily to data at rest or in transit and does not manage access control. Establishing a data ownership policy (B) is important but does not directly address regulatory compliance. Using a shared backup solution (D) is operationally beneficial but does not impact compliance or access management. RBAC provides the necessary control over access in compliance-sensitive environments.
35. In an e-commerce company, a software engineer is responsible for deploying code changes to production servers. The engineer also has access to edit the codebase. Which of the following measures best aligns with segregation of duties principles?
Correct Answer: C. Assign a dedicated operations team to handle code deployments, removing this responsibility from engineers. Explanation: Segregation of duties ensures that development and deployment responsibilities are separated to prevent potential abuse or errors. (A) is incorrect because supervision alone does not eliminate the inherent risk of overlapping roles. (B) is incorrect as logging activities is a detective control, not a preventative measure. (C) is correct because assigning deployment duties to a separate team establishes a clear separation of responsibilities. (D) is incorrect because reviews, while valuable, do not address the immediate need for segregation.
36. An antivirus program is configured to update its malware definitions daily. However, during an outbreak of zero-day malware, the software fails to detect the new threat. What is the most likely reason for this failure?
Correct Answer: A. Lack of heuristic capabilities in the antivirus software Explanation: The failure to detect zero-day malware suggests a lack of heuristic capabilities (A) in the antivirus software, as zero-day threats often lack known signatures. Heuristic or behavior-based detection can help identify such threats. Option B, Misconfiguration of settings, might affect performance but is not directly tied to detecting zero-day threats. Option C, The malware was quarantined by another tool, is irrelevant since the scenario focuses on detection failure. Option D, Excessive false positives, relates to over-alerting on benign files, not the inability to detect new malware.
37. An employee unintentionally downloads a file from an untrusted source. Shortly afterward, several network drives become inaccessible, and other employees report similar issues. A scan reveals the presence of a program that infected the system and spread by attaching itself to various files. What is the most likely type of malware causing this problem?
Correct Answer: C. Virus Explanation: The described situation involves malware spreading by attaching itself to files and causing network issues, which is indicative of a virus (C). A virus replicates by infecting files and spreading across a system or network. Option A, Adware, delivers unwanted advertisements but does not spread by infecting files. Option B, Spyware, secretly collects user data but does not cause system-wide file infections. Option D, Rootkit, allows unauthorized access but does not exhibit the described file infection and spreading behavior.
38. A company has implemented network segmentation in their IT infrastructure. What is the primary benefit of this technical control?
Correct Answer: D) It limits the scope of a potential security breach. Explanation: Network segmentation divides a network into smaller segments, thus containing potential security breaches and preventing them from spreading across the entire network. This limits the scope of attacks to smaller, isolated parts. (A) While segmentation does add an additional layer of protection, its primary benefit is containment, not direct prevention of external attacks. (B) Network segmentation can actually add overhead and complexity, and is not primarily designed to reduce network load. (C) Security patching is a process, not a direct benefit of network segmentation.
39. An organization collects sensitive customer data, including payment information and personal details. To ensure compliance with data protection laws, which approach should the organization implement to handle this data securely?
Correct Answer: A Explanation: The correct answer is A because encrypting sensitive customer data with a strong symmetric encryption algorithm ensures confidentiality and complies with data protection laws. Restricting access to authorized personnel mitigates the risk of data breaches. Option B is incorrect because storing data in plaintext exposes it to unauthorized access, violating basic security practices. Option C is incorrect because masking only payment details leaves other sensitive information vulnerable to compromise. Option D is incorrect because granting access to all employees violates the principle of least privilege, increasing the risk of data exposure.
40. A government agency plans to work with a private contractor to develop a secure network system. To ensure both parties understand their respective roles and responsibilities during the project while maintaining flexibility, they decide to draft an agreement. Which document is most appropriate for this purpose?
Correct Answer: B. Memorandum of Understanding (MOU) Explanation: A Memorandum of Understanding (MOU) (B) is the correct answer because it allows both parties to document their roles and responsibilities during the project in a non-legally binding manner, promoting clarity and cooperation. A Contractual Agreement (A) is legally binding and typically used when specific terms and enforceable obligations are required. A Service Level Agreement (SLA) (C) is incorrect because it focuses on service performance metrics rather than the general understanding of collaboration. An End-User License Agreement (EULA) (D) pertains to the use of licensed software, which is unrelated to this scenario. An MOU is ideal for fostering mutual understanding without the constraints of legal enforcement.
41. A new employee at your organization is given a document stating that all employees must change their passwords every 90 days and that the password must meet specific complexity requirements. The document also outlines the consequences of non-compliance. Which governance process is being applied through this document?
Correct Answer: B. Policies Explanation: The correct answer is (B) Policies because policies are high-level, mandatory documents that set out an organization’s rules and expectations, such as the requirement to change passwords every 90 days and the penalties for non-compliance. They define "what" must be done but not "how." (A) Guidelines are incorrect because they provide recommended best practices rather than mandatory rules. (C) Procedures are also incorrect because they describe step-by-step instructions for implementing the rules, not the rules themselves. (D) Standards are incorrect because they provide specific technical or operational requirements but do not define overarching governance rules. The document in question sets high-level organizational expectations, which aligns with the definition of a policy.
42. An IT company includes a list of critical applications and their dependencies in its business continuity plan to prioritize recovery efforts after a disaster. What component of the business continuity plan does this represent?
Correct Answer: B. Business impact analysis Explanation: The correct answer is B because a business impact analysis identifies critical applications and their dependencies, enabling prioritized recovery efforts. Option A is incorrect because risk assessment evaluates potential risks but does not prioritize recovery. Option C is incorrect because an emergency contact directory contains contact details, not an analysis of critical applications. Option D is incorrect because an incident response checklist outlines immediate actions but does not analyze the dependencies and criticality of systems.
43. An organization adopts a hybrid cloud strategy to achieve flexibility in workload distribution. They want to maintain strict access control to sensitive resources stored in the private cloud while allowing authorized users to access applications running in the public cloud. Which security measure best supports this requirement?
Correct Answer: A. Implement single sign-on (SSO) integrated with a centralized identity provider Explanation: Implementing single sign-on (SSO) integrated with a centralized identity provider (A) is the correct answer because it ensures secure and seamless authentication across both private and public clouds while maintaining consistent access controls. Requiring users to connect via VPN (B) adds security but does not address access control within the public cloud. Assigning the same permissions across both clouds (C) may not align with the principle of least privilege. Using shared credentials (D) is a significant security risk, as it reduces accountability and increases vulnerability. SSO centralizes and secures authentication while maintaining appropriate access controls in a hybrid cloud model.
44. A technology company is conducting a risk assessment and identifies several possible threats to its systems, including natural disasters, hardware failure, and cyberattacks. The company has a business continuity plan in place that addresses all these risks. However, they must assess the residual risk after applying their current controls. What should the company focus on when assessing residual risk?
Correct Answer: A) The risks that remain after current security measures are applied Explanation: Residual risk is the remaining risk after security controls have been implemented. The company needs to evaluate which risks are still present after mitigation efforts and determine whether they are acceptable or require further action. Option (B) is important, but it pertains more to the overall security strategy rather than residual risk specifically. Option (C) is incorrect because the residual risk is what remains, not what has been eliminated. Option (D) focuses on cost but does not directly address the residual risk itself.
45. An organization sets up a DMZ to host public-facing services, such as a web server and email gateway. Which of the following best explains the primary purpose of placing these services in a DMZ?
Correct Answer: A. To isolate critical services from public networks and restrict direct access to the internal network Explanation: The primary purpose of placing services in a DMZ is to isolate critical services from public networks and restrict direct access to the internal network (A). This reduces the risk of attackers gaining access to the internal network through compromised public-facing services. Improving network performance (B) is not the primary reason for implementing a DMZ, though it can be a side benefit. Centralizing management of public-facing services (C) is unrelated to the security role of a DMZ. Allowing unrestricted access (D) would defeat the purpose of securing the internal network, as the DMZ is designed to mediate and restrict access to sensitive internal systems. A DMZ acts as a buffer zone, protecting internal assets while enabling secure interaction with external users.
46. An organization implements data classification labels such as "Public," "Internal Use Only," "Confidential," and "Highly Confidential." A project manager is sharing a document labeled "Highly Confidential" with an external vendor. What is the most appropriate course of action?
Correct Answer: C Explanation: The correct answer is C because ensuring the vendor signs a non-disclosure agreement and using secure transmission methods protects the "Highly Confidential" data while complying with the organization's classification policies. Option A is incorrect because removing the classification label could lead to improper handling of the document. Option B is incorrect because sharing over email without security measures fails to provide adequate protection for highly sensitive data. Option D is incorrect because downgrading the classification without authorization or justification compromises the integrity of the classification system.
47. A security operations team notices that their intrusion detection system (IDS) is generating an overwhelming number of false-positive alerts, making it difficult to identify genuine threats. What is the best approach to improve the logging and monitoring system's effectiveness?
Correct Answer: B Explanation: The correct answer is B because fine-tuning alert thresholds and using log correlation helps to reduce false positives and enhance the monitoring system's ability to identify genuine threats. This approach ensures that critical alerts are not overlooked due to noise. Option A is incorrect because disabling alerts for low-severity events may inadvertently suppress important indicators of potential threats. Option C is incorrect because ignoring low-priority alerts could result in missing the early stages of an attack. Option D is incorrect because reducing the scope of logging may omit valuable data needed for comprehensive threat detection.
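Threshold tuning and log correlation, as an added example that is not from the exam page or from any IDS vendor: a noisy signature is only promoted once it fires a set number of times from one source inside a window, an authorized vulnerability scanner is allowlisted rather than silenced globally, and a promoted alert is rated higher when the same source also shows up as authentication failures in a second log. The IP addresses, signature names, thresholds, log formats and the 5-minute window are constructed assumptions.

```python
"""Added example (not from the exam page): cutting IDS alert noise with an
authorized-scanner allowlist, per-signature thresholds and correlation against
a second log source before an alert is promoted. IP addresses, signature names
and log formats are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IDS alerts: "<ISO time> <src_ip> <signature>"
IDS_ALERTS = """\
2024-03-01T10:00:01 10.0.0.5 PORT_SWEEP
2024-03-01T10:00:03 10.0.0.5 PORT_SWEEP
2024-03-01T10:00:05 10.0.0.5 PORT_SWEEP
2024-03-01T10:01:00 10.0.0.9 PORT_SWEEP
2024-03-01T10:02:00 10.0.0.9 PORT_SWEEP
2024-03-01T10:02:30 10.0.0.9 PORT_SWEEP
2024-03-01T10:03:00 10.0.0.9 PORT_SWEEP
2024-03-01T10:10:00 10.0.0.7 PORT_SWEEP
2024-03-01T10:20:00 10.0.0.7 SQLI_PATTERN
"""
# Constructed authentication log: "<ISO time> <src_ip> <event>"
AUTH_LOG = """\
2024-03-01T10:03:30 10.0.0.9 ssh_login_failed
2024-03-01T10:03:31 10.0.0.9 ssh_login_failed
2024-03-01T10:03:32 10.0.0.9 ssh_login_failed
2024-03-01T10:30:00 10.0.0.7 ssh_login_ok
"""
AUTHORIZED_SCANNERS = {"10.0.0.5"}   # constructed: the internal vuln scanner
THRESHOLDS = {"PORT_SWEEP": 3}        # noisy signature: needs 3 hits in window
DEFAULT_THRESHOLD = 1                 # every other signature: 1 hit is enough
WINDOW = timedelta(minutes=5)
PRIORITY_ORDER = {"high": 0, "medium": 1}


def parse(text):
    """Parse '<ISO time> <src_ip> <rest>' lines into (datetime, src, rest)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, detail = line.split(maxsplit=2)
            rows.append((datetime.fromisoformat(ts), src, detail))
    return rows


def triage(ids_text, auth_text, window=WINDOW):
    """Return {'findings': [...], 'suppressed': [...]}.

    An alert becomes a finding only when its (source, signature) pair reaches
    the signature's threshold inside `window`; the finding is rated 'high' if
    the same source produced authentication failures within `window` after the
    threshold was crossed, otherwise 'medium'. Suppressed alerts are kept with
    a reason so nothing silently disappears from the record."""
    auth_failures = defaultdict(list)
    for ts, src, event in parse(auth_text):
        if event == "ssh_login_failed":
            auth_failures[src].append(ts)

    recent = defaultdict(list)   # (src, sig) -> alert times still in window
    findings = {}
    suppressed = []
    for ts, src, sig in parse(ids_text):
        if src in AUTHORIZED_SCANNERS:
            suppressed.append((ts.isoformat(), src, sig, "authorized scanner"))
            continue
        key = (src, sig)
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if key in findings:              # already promoted: just count the hit
            findings[key]["hits"] += 1
            continue
        if len(recent[key]) < THRESHOLDS.get(sig, DEFAULT_THRESHOLD):
            suppressed.append((ts.isoformat(), src, sig, "below threshold"))
            continue
        findings[key] = {"src": src, "signature": sig,
                         "triggered": ts, "hits": len(recent[key])}

    for f in findings.values():
        start, end = f["triggered"], f["triggered"] + window
        f["correlated_auth_failures"] = sum(
            1 for t in auth_failures[f["src"]] if start <= t <= end)
        f["priority"] = "high" if f["correlated_auth_failures"] else "medium"
        f["triggered"] = f["triggered"].isoformat()

    ordered = sorted(findings.values(),
                     key=lambda f: (PRIORITY_ORDER[f["priority"]], f["triggered"]))
    return {"findings": ordered, "suppressed": suppressed}


if __name__ == "__main__":
    result = triage(IDS_ALERTS, AUTH_LOG)
    for f in result["findings"]:
        print(f["priority"], f["src"], f["signature"], "hits:", f["hits"])
    print(len(result["suppressed"]), "alerts suppressed")
```

Nine raw alerts reduce to two findings: the port sweep from 10.0.0.9 crosses its threshold and is rated high because SSH failures from the same host follow within the window, while the single SQL-injection pattern from 10.0.0.7 is promoted on its own but stays medium. The scanner's three hits and the sub-threshold sweeps are suppressed with a reason rather than deleted, which is the difference between tuning (B) and simply disabling low-severity alerts (A).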
48. A systems administrator notices that multiple applications on a user’s device are crashing frequently. A security analysis reveals the presence of malicious code embedded in files the user downloaded from the internet. What is the primary characteristic of the threat in this scenario?
Correct Answer: A. Self-replication requiring host files Explanation: The scenario points to malicious code embedded in files, a defining characteristic of a virus (A), which requires a host file to replicate and spread. Option B, Independent replication, describes a worm, which spreads without needing host files. Option C, Exploitation of application vulnerabilities, is more relevant to exploits rather than viruses. Option D, Manipulation of user permissions, is associated with privilege escalation attacks, not the behavior of a virus.
49. A mobile app collects users' location data to provide navigation services. However, the app also collects location data when the navigation feature is not in use. What privacy concept is being compromised, and how should it be addressed?
Correct Answer: A. Data minimization; limit data collection to when navigation is active Explanation: The privacy concept being compromised is data minimization (A), as the app collects more location data than is necessary for its stated purpose. Limiting data collection to when the navigation feature is active aligns with this principle. Option B (Purpose limitation) suggests expanding terms of service to justify broader collection but does not address the excessiveness of the data collection. Option C (Transparency) relates to informing users but does not solve the issue of over-collection. Option D (Accountability) involves protecting data but does not address unnecessary data collection. Data minimization ensures privacy by reducing the collection of unnecessary information.
50. A financial institution allows customers to log into their accounts using a username and password. To comply with regulations, it implements MFA by adding an SMS-based one-time password (OTP) as a second factor. What is the primary limitation of using SMS for the possession factor in this context?
Correct Answer: B. SMS-based OTPs can be intercepted or spoofed Explanation: The primary limitation of SMS-based OTPs is that they can be intercepted or spoofed (B), such as through SIM swapping attacks or exploiting vulnerabilities in the telecom infrastructure. Option A (OTPs sent via SMS are difficult for users to retrieve) is incorrect because SMS OTPs are generally user-friendly. Option C (SMS-based OTPs do not enhance the user experience) is unrelated to the security concerns of SMS OTPs. Option D (OTPs sent via SMS are time-consuming to generate) is not accurate, as SMS OTPs are generated and sent quickly. The security risks associated with SMS make it a less robust choice for the possession factor in MFA.
51. An organization deploys a new voice-over-IP (VoIP) system and experiences poor audio quality during calls. After analysis, it is determined that the issue lies with packet delivery timing and synchronization. At which OSI model layer should the troubleshooting focus?
Correct Answer: C. Session Layer Explanation: The correct answer is (C) because the Session Layer (Layer 5) is responsible for maintaining the timing, synchronization, and order of data streams, which are critical for VoIP applications to ensure high audio quality. If there are issues with synchronization, this layer is where troubleshooting should begin. (A) Transport Layer provides reliable data transfer but does not directly address synchronization issues. (B) Application Layer interacts with the user's software and would not handle the technical timing of packet delivery. (D) Data Link Layer deals with physical and local network connections, which are not the source of timing or synchronization problems affecting VoIP.
52. A business has installed an advanced alarm system with integrated sensors and motion detectors. However, the system seems to be detecting activity outside the monitored area and generating unnecessary alerts. What should the company do to prevent these alerts from disrupting security operations?
Correct Answer: B) Reposition the sensors to cover only the most important areas and avoid environmental triggers Explanation: The most effective solution (B) is to reposition the sensors to ensure they only cover the most important areas and avoid unnecessary triggers from external environmental factors, such as wildlife or weather conditions. Adjusting the sensitivity (A) may reduce false alarms but could also cause genuine threats to go undetected. Reducing the alarm system’s volume (C) does not address the root cause of the problem and may reduce the effectiveness of the alert. Delaying alerts (D) would prevent immediate responses to security incidents, putting the business at risk by potentially allowing threats to escalate undetected.
53. An organization’s fire suppression system uses water sprinklers, which raises concerns about potential damage to electronic equipment in the data center during a fire incident. To minimize damage, what alternative fire suppression system should the organization implement?
Correct Answer: C. Clean agent fire suppression system Explanation: A clean agent fire suppression system (C) is the correct answer because it uses non-water-based, gaseous agents like FM-200 or Novec 1230 that extinguish fires without harming electronic equipment or leaving a residue. Foam-based fire suppression systems (A) are unsuitable as they are designed for flammable liquid fires and can damage electronics. CO2-based fire suppression systems (B) are effective but unsafe for use in occupied spaces due to the risk of oxygen displacement. Dry powder fire suppression systems (D) are inappropriate for data centers as they leave a residue that can damage sensitive equipment. Clean agent systems provide a safe, effective, and non-damaging solution for fire suppression in environments with sensitive electronics.
54. A company has deployed an on-premises network security infrastructure that includes multiple devices for different layers of defense. However, users are reporting slow internet connections, and an analysis shows excessive resource usage on one device due to simultaneous malware scanning and encryption-decryption tasks. Which device is most likely causing this bottleneck?
Correct Answer: B. Unified Threat Management (UTM) appliance Explanation: The Unified Threat Management (UTM) appliance (B) is the correct answer because it combines multiple security functions, such as malware scanning, web filtering, firewall capabilities, and sometimes VPN or IPS, into one device. This all-in-one approach can lead to performance bottlenecks if the device is overloaded with simultaneous tasks. A proxy server (A) is incorrect because it primarily focuses on web traffic filtering and caching without performing intensive encryption-decryption tasks. An Intrusion Prevention System (IPS) (C) is focused on detecting and preventing network threats but does not handle tasks like encryption-decryption or malware scanning comprehensively. A VPN concentrator (D) is incorrect as it primarily manages encrypted VPN connections and is unlikely to contribute significantly to internet slowdowns caused by malware scanning. The UTM appliance’s multifunctionality makes it the most likely source of the issue in this scenario.
55. A small business engages an MSP to manage its IT infrastructure, including data backups and recovery. During a system failure, the business finds that the backup data is outdated and incomplete. What should the business do to prevent similar issues in the future?
Correct Answer: A. Conduct a regular review of the MSP’s backup and recovery processes Explanation: Conducting a regular review of the MSP’s backup and recovery processes (A) is the correct answer because it ensures the business can verify that backups are up-to-date and meet operational requirements. Switching to a different MSP (B) is premature without understanding and addressing the root cause of the issue. Implementing their own backup solution (C) could duplicate efforts and increase costs unnecessarily. Reducing the frequency of backups (D) is counterproductive and increases the risk of data loss. Regular reviews help the business ensure compliance with backup standards and avoid future issues.
56. During an internal audit, an employee is found using their corporate email account to sign up for a personal online streaming service. The organization’s Acceptable Use Policy (AUP) explicitly prohibits the use of corporate resources for personal purposes. What should the organization do to address this situation while enforcing the AUP?
Correct Answer: B Explanation: The correct answer is (B) because providing additional training ensures the employee understands the AUP and avoids similar violations in the future. While (A) might seem reasonable, suspending access without first addressing the root cause—lack of understanding—may not be effective. (C) is incorrect because termination is a disproportionate response to a minor infraction, which can also create a negative work environment. (D) is incorrect because involving legal counsel for a minor violation is unnecessary and excessive. Training strikes the appropriate balance between enforcement and education, aligning with best practices for policy enforcement.
57. During a forensic investigation, a security analyst uses a tool that captures data from a compromised host’s operating system, including audit logs and user activities. The tool’s primary function is to detect suspicious changes within the host. What type of tool is this?
Correct Answer: B. Host-based Intrusion Detection System (HIDS) Explanation: The tool described focuses on monitoring audit logs, user activities, and system changes on a specific host, which aligns with the functionality of a Host-based Intrusion Detection System (HIDS) (B). Option A, Network-based Intrusion Detection System (NIDS), analyzes network traffic and does not focus on specific hosts. Option C, Vulnerability scanner, identifies weaknesses in systems but does not monitor real-time activities or changes. Option D, Packet analyzer, captures and inspects network packets rather than activities within a host.
58. An attacker posing as a delivery person gains physical access to a restricted area of an organization by persuading an employee to hold the door open for them. What specific concept should security awareness training emphasize to address this type of attack?
Correct Answer: C Explanation: Security awareness training should emphasize the principle of not holding secure doors open for unauthorized individuals (C), even if they appear to be legitimate, as this is a common method of social engineering known as tailgating. Avoiding conversations with unknown individuals (A) is not sufficient to address the specific risk of tailgating. Reporting suspicious individuals (B) is important but would not have prevented the initial breach. Directing deliveries to the mailroom (D) is a procedural measure that might help in some cases but does not address employee behavior directly tied to this attack vector. Training employees on tailgating prevention is critical.
59. A financial institution notices suspicious activity in its online banking system where encrypted communication between clients and the bank’s server is being intercepted and decrypted by an attacker using a compromised digital certificate. What type of attack is likely in progress?
Correct Answer: B. Man-in-the-Middle (MITM) attack Explanation: The use of a compromised digital certificate to intercept and decrypt encrypted communications points to a Man-in-the-Middle (MITM) attack (B). Attackers exploit compromised certificates to impersonate a trusted server, gaining access to secure communication. Option A, Privilege escalation, involves gaining unauthorized higher-level access but does not involve traffic interception. Option C, Password spraying, is an authentication attack targeting weak passwords, unrelated to encrypted communication. Option D, Distributed Denial-of-Service (DDoS) attack, disrupts service availability and does not involve decryption of secure sessions.
60. During a phishing attack, the incident response team identifies compromised employee credentials. The team must decide on their next steps. Which action demonstrates the purpose of incident response in this situation?
Correct Answer: B. Revoking the compromised credentials and implementing stronger authentication mechanisms. Explanation: The purpose of incident response is to limit the impact of a security breach and restore normal operations quickly and securely. Revoking compromised credentials and improving authentication mechanisms (B) directly addresses the breach, ensuring that the attacker cannot continue exploiting the compromised account while improving security to prevent recurrence. Option A (firing the employee) shifts focus to punitive measures, which do not address the incident's immediate impact. Option C (analyzing the phishing email for forensics) is important but is a post-incident action, not an immediate response. Option D (reporting to law enforcement) might be necessary, but it should not precede mitigating the internal threat, as it does not align with the immediate purpose of incident response.
61. During a cybersecurity audit, it was discovered that an organization’s email system allows employees to forward sensitive internal emails to their personal accounts without any restrictions. What should the organization implement to ensure confidentiality is maintained?
Correct Answer: A. Data Loss Prevention (DLP) Explanation: Data Loss Prevention (DLP) (A) is the correct solution to ensure confidentiality in this scenario because it monitors and controls the transmission of sensitive data, preventing it from being sent to unauthorized or insecure destinations. Option B (Multi-Factor Authentication) strengthens user authentication but does not address email forwarding risks. Option C (Intrusion Detection Systems) detects malicious activity but is not designed to prevent data exfiltration through email. Option D (Endpoint Detection and Response) focuses on endpoint security against threats but does not specifically handle the unauthorized transmission of sensitive information. DLP directly aligns with maintaining confidentiality by restricting data flow.
62. During a risk assessment, a company identifies multiple risks, some of which are low probability but could cause severe damage if they occur. Others are high probability but have minimal consequences. How should the company prioritize its efforts based on risk priorities?
Correct Answer: C) Treat high-consequence risks first, regardless of probability Explanation: In risk management, high-consequence risks (even with a low probability) should typically be treated first because the impact of these events, if they occur, would be severe. The goal is to prevent catastrophic outcomes. Option (A) focuses solely on the frequency of occurrence, which isn't always the most critical factor. Option (B) suggests focusing on low-probability risks, but the potential for catastrophic events makes high-consequence risks the priority. Option (D) is incorrect because resource availability is a consideration for treatment but does not directly determine prioritization of risks based on severity and potential impact.
63. A company implementing a mandatory access control system assigns each document a classification level, such as “Confidential” or “Public.” Employees are assigned a corresponding clearance level. During a review, an employee with “Confidential” clearance is found to have accessed multiple “Public” files. What does this scenario indicate about the MAC implementation?
Correct Answer: B. It demonstrates proper enforcement of MAC, as employees can access files at or below their clearance level. Explanation: MAC allows users to access data classified at or below their clearance level. (A) is incorrect because accessing files below clearance level is permitted under MAC. (B) is correct, as the described behavior aligns with MAC principles. (C) is incorrect because MAC does not restrict users from accessing lower-classified information. (D) is incorrect because role-based access control is not part of the MAC model and is unrelated to the scenario.
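The clearance-dominance rule the explanation relies on, as an added example that is not from the exam page: an audit routine checks each access record against the classification lattice and reports only reads of objects classified above the subject's clearance. The level names are the ones used in question 46 on this page; the users, files and access records are constructed, and the rule that an unknown label fails closed is a design choice of this example.

```python
"""Added example (not from the exam page): auditing access records against a
mandatory access control (MAC) classification lattice. The label names are the
ones used on this page; users, files and records are constructed."""

# Classification levels in increasing order of sensitivity.
LEVELS = ["Public", "Internal Use Only", "Confidential", "Highly Confidential"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def can_read(clearance, label):
    """Read is permitted only when the subject's clearance dominates (is at or
    above) the object's classification. Unknown labels or clearances fail
    closed, so an unlabeled object is never readable by mistake."""
    if clearance not in RANK or label not in RANK:
        return False
    return RANK[clearance] >= RANK[label]


# Constructed clearances and access log entries: (user, object, object label)
CLEARANCES = {"alice": "Confidential", "bob": "Public"}
ACCESS_RECORDS = [
    ("alice", "press-release.docx", "Public"),             # the exam scenario: allowed
    ("alice", "q3-plan.xlsx", "Confidential"),             # at clearance: allowed
    ("alice", "merger-terms.pdf", "Highly Confidential"),  # above clearance: violation
    ("bob", "staff-memo.txt", "Internal Use Only"),        # above clearance: violation
    ("bob", "draft.txt", "Unlabeled"),                     # unknown label: fail closed
]


def audit(records, clearances):
    """Return the records that the MAC policy would not have permitted."""
    violations = []
    for user, obj, label in records:
        clearance = clearances.get(user, "")
        if not can_read(clearance, label):
            violations.append({"user": user, "object": obj,
                               "clearance": clearance, "label": label})
    return violations


if __name__ == "__main__":
    for v in audit(ACCESS_RECORDS, CLEARANCES):
        print(f"{v['user']} ({v['clearance']}) read {v['object']} [{v['label']}]")
```

Alice's read of a "Public" file, the situation in the question, produces no finding; the audit reports only her read above clearance and Bob's two reads, one of which is flagged because the object carries no recognized label at all.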
64. During a recent cyberattack, it was discovered that the attackers exploited a vulnerability in outdated software. To prevent such incidents in the future, the security team proposes a robust update strategy. What is the best approach to balance security and operational needs?
Correct Answer: C Explanation: Testing updates in a sandbox environment (C) allows the security team to evaluate the impact of patches without disrupting production systems, ensuring both security and operational stability. A rollback plan (A) is a useful contingency measure but does not proactively ensure updates are suitable for deployment. Restricting updates to low-priority systems (B) neglects critical assets, increasing the risk of exploitation. Disabling updates for critical systems (D) leaves them vulnerable to known threats, undermining overall security. Controlled testing ensures updates are deployed confidently and effectively.
65. A gate entry system at a high-security facility includes a security guard who manually checks access logs and verifies employee identity. Which of the following best describes the risk introduced by relying on a human guard for verification?
Correct Answer: B) The guard may be distracted, allowing unauthorized access Explanation: The main risk of relying on a human guard for verification (B) is the potential for human error, such as distraction or fatigue, which could allow unauthorized access. While the guard's role is to ensure that only valid badges are used (D), human factors can lead to lapses in attention, which cannot be easily addressed by the technology itself. The cost of maintaining the system (A) is not directly related to the guard's involvement. Relying solely on human verification does not address the potential for system obsolescence (C) or failure to keep up with technological advances.
66. A company has installed CCTV cameras at all critical entry and exit points in its building for physical security purposes. Which of the following is the most effective method for ensuring that the CCTV footage is useful during an investigation?
Correct Answer: B) Regularly back up footage to a secure, off-site location Explanation: Regularly backing up footage to a secure, off-site location (B) is the most effective method for ensuring the footage is useful in an investigation. This ensures that data is not lost due to system failures, tampering, or disasters at the local site. Storing footage locally on hard drives (A) increases the risk of losing valuable data if there is a hardware failure or breach. Real-time review (C) may be helpful for monitoring, but it is not a proactive measure to ensure footage is preserved. Limiting access to footage (D) only to senior management hinders security staff and investigators from conducting thorough investigations and may delay response times.
67. A company implements multi-factor authentication (MFA) for all employee accounts to reduce the likelihood of unauthorized access. Which principle of threat prevention does this strategy primarily address?
Correct Answer: B. Defense in depth Explanation: Implementing multi-factor authentication (MFA) enhances security by adding an additional layer of verification, aligning with the principle of defense in depth (B), which involves using multiple security measures to protect against threats. Option A, Least privilege, focuses on limiting user access rights, not authentication mechanisms. Option C, Attack surface reduction, refers to minimizing potential entry points for attacks, which is not the primary goal of MFA. Option D, Layered encryption, pertains to using encryption techniques for data protection rather than access control.
68. A classified government agency uses a mandatory access control (MAC) model to manage access to its secure systems. An analyst working on a project classified as “Secret” attempts to access a file marked “Top Secret” and is denied access. What is the most likely reason for this denial under the MAC model?
Correct Answer: A. The analyst's security clearance level does not meet the requirements for the file. Explanation: Mandatory access control enforces strict rules based on classification levels and clearances, ensuring users cannot access information above their clearance. (A) is correct because the analyst lacks the “Top Secret” clearance required for the file. (B) is incorrect because MAC does not primarily operate based on roles but on clearances and classifications. (C) is incorrect as MAC decisions are not based on resource owner discretion but on enforced policies. (D) is incorrect because discretionary permissions do not apply in a strict MAC environment.
69. During a vendor assessment, your organization discovers that the vendor is storing customer data in a country that does not comply with your jurisdiction's data privacy laws. What is the most appropriate governance action to take?
Correct Answer: C. Require the vendor to implement contractual safeguards that align with applicable laws Explanation: The correct answer is (C) Require the vendor to implement contractual safeguards that align with applicable laws because governance processes involve ensuring third-party compliance with applicable regulations. By including contractual safeguards, the organization can legally enforce the vendor’s obligation to protect customer data according to jurisdictional laws. (A) is incorrect because terminating the relationship without exploring remediation options may be unnecessary and disruptive. (B) is incorrect because notifying the authority should only occur if the vendor refuses to comply or breaches regulations. (D) is incorrect because technical security measures alone do not ensure compliance with legal requirements. Implementing contractual safeguards helps manage compliance while maintaining the vendor relationship.
70. During a micro-segmentation implementation, an organization discovers that applying overly restrictive security policies to workloads causes application performance issues and connectivity disruptions. What best practice should the organization follow to ensure successful micro-segmentation deployment?
Correct Answer: B. Conduct traffic analysis and baseline workloads before defining policies Explanation: Conducting traffic analysis and baselining workloads before defining policies (B) is the correct answer because it ensures that security policies align with actual application requirements, preventing disruptions and performance issues. Default deny policies (A) without exceptions can lead to unintended blocking of legitimate traffic, impacting operations. Using pre-configured templates (C) may not address the unique needs of specific applications, resulting in improper policy enforcement. Limiting micro-segmentation to north-south traffic flows (D) undermines its purpose, which is to control east-west traffic within a network. Traffic analysis and baselining provide the foundation for crafting effective micro-segmentation policies.
71. A facility has implemented strict access control measures, with clearly defined roles for authorized personnel. However, security guards are noticing that some employees with legitimate access to certain areas are repeatedly entering areas for which they are not authorized. Which of the following actions should the facility take to resolve this issue?
Correct Answer: B) Conduct training sessions for employees to ensure they are aware of access limitations Explanation: Conducting training sessions (B) is the most effective way to address the issue, ensuring that employees are clearly informed about their access limitations and responsibilities. Providing broader access (A) could lead to unnecessary privileges and further complicate security. Automatic alerts (C) are useful, but they do not address the underlying issue of employees misunderstanding their access limitations. Disciplinary actions (D) may not be necessary unless there is intentional misconduct; a more effective approach is to educate employees first to prevent confusion and accidental breaches.
72. A developer is tasked with integrating MFA into a web application. The chosen solution requires users to enter their password and authenticate using facial recognition via a smartphone app. However, during testing, users report difficulties with facial recognition in low-light conditions. What is the best way to address this usability issue without compromising security?
Correct Answer: B. Add an option to authenticate using a backup factor Explanation: The best solution is to add an option to authenticate using a backup factor (B), such as a smartphone-generated OTP, ensuring users have an alternative method in case facial recognition fails. Option A (Remove the facial recognition requirement) weakens security by removing a critical factor of MFA. Option C (Extend the session timeout to reduce the need for frequent MFA) might improve usability but does not address the underlying problem. Option D (Replace MFA with single-factor authentication using a strong password) reduces security and is not a viable option. By providing a backup factor, the system maintains usability and robust security.
73. An e-commerce platform uses authentication to verify users before allowing access to their accounts. The platform currently relies on passwords, but recent attacks involving stolen credentials have prompted a need for stronger security. Which method of authentication should the platform implement to provide an additional layer of security against such attacks?
Correct Answer: B. Multi-factor authentication (MFA) Explanation: Multi-factor authentication (MFA) (B) strengthens security by requiring users to present two or more forms of authentication, such as a password and a temporary code sent to their phone. This provides an extra layer of protection against stolen credentials. Option A (IP address filtering) restricts access by location but does not address stolen credentials. Option C (Single sign-on) simplifies authentication processes but does not add security layers. Option D (CAPTCHA validation) prevents bots but does not protect user accounts from attackers with stolen credentials. MFA is the most effective method to mitigate this type of attack by requiring something beyond just a password. Note that a code delivered by SMS is the weakest common second factor, since it can be phished or intercepted through SIM swapping; an authenticator app is stronger, and a FIDO2/WebAuthn security key is phishing-resistant.
74. During an extended power outage, a retail chain uses backup generators to keep its stores operational. This decision highlights the importance of business continuity by ensuring customers can continue shopping without disruption. What is the primary importance of business continuity in this scenario?
Correct Answer: A. Increasing customer loyalty by providing uninterrupted services Explanation: The correct answer is A because uninterrupted services during disruptions enhance customer trust and loyalty, which is a critical aspect of the importance of business continuity. Option B is incorrect because while business continuity may reduce downtime, its primary focus is maintaining operations rather than cost reduction. Option C is incorrect because the scenario does not involve IT infrastructure protection. Option D is incorrect because compliance with operational standards is not the core purpose in this case—it is about maintaining services for customers.
75. A network administrator configures an Intrusion Prevention System (IPS) to analyze and block malicious traffic in real time. During a simulated attack, the IPS successfully blocks all unauthorized traffic targeting a web application. What is the main role of the IPS in this context?
Correct Answer: B. Preventing threats from materializing Explanation: The IPS blocks unauthorized traffic before it can harm the web application, fulfilling the role of preventing threats from materializing (B). Option A, Monitoring for potential threats, describes an Intrusion Detection System (IDS), which does not block traffic. Option C, Detecting threats after they occur, does not describe IPS functionality since it actively intervenes. Option D, Logging network activities, is a secondary function of IPS but not its primary purpose in prevention.
76. An organization has implemented a centralized logging system to monitor security events across its infrastructure. Which of the following is the most critical practice to ensure the effectiveness of this system in detecting and responding to potential threats?
Correct Answer: B Explanation: The correct answer is B because enabling real-time alerting ensures that critical security events are flagged as they occur, allowing for a timely response to potential threats. Reviewing flagged events actively enhances the system's effectiveness in detecting and mitigating risks. Option A is incorrect because retaining logs indefinitely may lead to storage inefficiencies without necessarily improving detection capabilities. Option C is incorrect because limiting logging to high-priority events may result in missing relevant data necessary for comprehensive threat analysis. Option D is incorrect because manual weekly reviews lack the immediacy required to address time-sensitive security incidents.
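The following is an added example, not part of the original exam page, showing what “real-time alerting” looks like in practice: each log event is evaluated the moment it arrives, a sliding-window counter flags a burst of failed logins from one source, and a root login raises an alert immediately. The log lines, hostnames, IP addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), threshold and window size are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines (syslog-style with ISO-8601 timestamps);
# not taken from any real host.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "2024-05-01T10:00:04Z sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2",
    "2024-05-01T10:00:09Z sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "2024-05-01T10:00:12Z sshd[1204]: Failed password for alice from 198.51.100.7 port 40022 ssh2",
    "2024-05-01T10:00:15Z sshd[1205]: Failed password for root from 203.0.113.5 port 51244 ssh2",
    "2024-05-01T10:00:21Z sshd[1206]: Failed password for root from 203.0.113.5 port 51250 ssh2",
    "2024-05-01T10:00:40Z sshd[1207]: Accepted password for root from 203.0.113.5 port 51260 ssh2",
    "2024-05-01T10:02:00Z cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_line(line):
    """Split a line into (UTC timestamp, remainder of the message)."""
    ts_text, _, rest = line.partition(" ")
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, rest


class RealTimeAlerter:
    """Evaluates each event as it arrives and emits alerts immediately,
    instead of waiting for a scheduled batch review."""

    def __init__(self, threshold=5, window_seconds=60):
        self.threshold = threshold          # failures per source before alerting (assumed value)
        self.window = window_seconds        # sliding window length (assumed value)
        self.failures = defaultdict(deque)  # source IP -> timestamps of recent failures
        self.alerts = []

    def feed(self, line):
        ts, rest = parse_line(line)
        m = FAILED_RE.search(rest)
        if m:
            q = self.failures[m["ip"]]
            q.append(ts)
            # Drop failures older than the window so the count reflects a burst, not history.
            while q and (ts - q[0]).total_seconds() > self.window:
                q.popleft()
            if len(q) >= self.threshold:
                self.alerts.append({"time": ts, "type": "brute_force",
                                    "source": m["ip"], "count": len(q)})
                q.clear()  # one burst produces one alert, not one per extra failure
            return
        m = ACCEPTED_RE.search(rest)
        if m and m["user"] == "root":
            # A successful root login is alert-worthy on its own.
            self.alerts.append({"time": ts, "type": "root_login",
                                "source": m["ip"], "count": 1})


def run(lines, threshold=5, window_seconds=60):
    """Feed lines in arrival order and return the alerts raised."""
    alerter = RealTimeAlerter(threshold, window_seconds)
    for line in lines:
        alerter.feed(line)
    return alerter.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(f"{alert['time'].isoformat()} {alert['type']} from {alert['source']} (count={alert['count']})")
```

On the constructed input the brute-force alert fires at 10:00:21Z, when the fifth failure from 203.0.113.5 lands inside the 60-second window, and the root login at 10:00:40Z produces a second alert twenty seconds later; a weekly review would surface both only days after the fact.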
77. A startup uses an IaaS provider to host its web application. The provider guarantees 99.9% uptime in its SLA but specifies that data recovery is the customer’s responsibility. What measure should the startup implement to ensure data availability in case of a disaster?
Correct Answer: B. Regularly back up critical data to a different region or provider Explanation: Regularly backing up critical data to a different region or provider (B) is the correct answer because it ensures data availability and recovery even if the primary IaaS region experiences a disaster. Enabling the provider’s automatic failover feature (A) enhances service availability but does not address data recovery. Configuring firewalls to block external traffic (C) improves security but does not ensure data availability. Using a load balancer (D) distributes traffic to improve performance and reliability but does not protect against data loss. Regular offsite backups are a key strategy for disaster recovery in an IaaS environment.
78. A company’s network security infrastructure relies on centralized equipment housed in a dedicated server room. During an audit, it was found that unauthorized personnel had physical access to the room, posing a potential risk to sensitive equipment. Which of the following measures would best prevent such unauthorized access?
Correct Answer: B. Biometric access control Explanation: Biometric access control (B) is the correct answer because it provides a high level of security by verifying unique physical traits, such as fingerprints or retinal patterns, to restrict access to the server room. This method ensures that only authorized personnel can enter. Surveillance cameras (A) are incorrect because they provide a record of access but do not actively prevent unauthorized entry. Keycard entry with PIN (C) is also incorrect because keycards can be lost, stolen, or shared and a PIN can be observed or passed along with the card, so it gives weaker assurance of who is actually at the door. Locked equipment racks (D) add a layer of security to specific equipment but do not address access to the entire room. Biometric access control directly addresses the need to prevent unauthorized physical access, making it the most effective solution.
79. After a fire destroys its primary data center, a multinational corporation activates its disaster recovery plan, which includes using a geographically distant backup site. Why is this disaster recovery action important to the organization?
Correct Answer: A. It allows the company to maintain operations despite local disruptions Explanation: The importance of disaster recovery here lies in enabling the organization to continue operations even after a local disaster, such as the fire, by utilizing a geographically distant backup site (A). Preventing data breaches (B) is not the primary objective of disaster recovery; that falls under security measures. Identifying risks (C) is part of risk assessment and not directly related to recovery actions. Compliance with data sovereignty laws (D) may influence where backups are stored but is not the main reason for activating the disaster recovery plan in this case. Therefore, A is the correct answer.
80. A company implements a secure messaging system to exchange classified information between departments. The system uses encryption to protect messages during transit. However, the encryption keys are stored in plaintext on the local devices of employees. Which confidentiality risk is most evident in this setup?
Correct Answer: C. Improper key management Explanation: The primary confidentiality risk here is improper key management (C) because storing encryption keys in plaintext undermines the effectiveness of encryption, making the protected information vulnerable if the device is compromised. Option A (Insider threats) is plausible but does not specifically address the root cause in this scenario—poor handling of encryption keys. Option B (Weak encryption algorithms) does not apply as there is no indication that the encryption itself is inadequate. Option D (Lack of data redundancy) relates to availability, not confidentiality. Proper key management is essential to maintaining encryption security and confidentiality: keys should be held in a protected store (an OS keychain, a TPM-backed store or an HSM) with access limited to the messaging application rather than written to disk in the clear.
81. During a cybersecurity risk assessment, an organization identifies multiple risks related to its IT infrastructure, including outdated software, potential insider threats, and vulnerabilities in third-party applications. What is the most effective approach for the organization to ensure comprehensive risk identification?
Correct Answer: B) Conducting interviews with key stakeholders and using historical data to identify potential risks Explanation: Effective risk identification requires a thorough approach, combining input from key stakeholders (who can provide insight into potential risks based on their experience and knowledge) and historical data (to understand past incidents or trends that might highlight vulnerabilities). Option (A) is not sufficient by itself because automated tools may miss contextual or emerging risks that require human insight. Option (C) is incorrect because ignoring external threats would result in a narrow and incomplete risk identification process. Option (D) is also a poor strategy since waiting for a major incident to identify risks reflects a reactive rather than proactive approach.
82. A company’s BYOD policy includes restrictions on installing unapproved applications on devices used for work purposes. An employee reports that they need a specific unapproved application to complete their work efficiently. How should the organization address this request while maintaining adherence to the BYOD policy?
Correct Answer: B Explanation: The correct answer is (B) because evaluating the application for security risks ensures the organization can maintain policy compliance while accommodating legitimate business needs. (A) is incorrect because allowing the installation without a risk assessment could expose the organization to vulnerabilities. (C) is incorrect because denying the request without exploring alternatives may hinder productivity and create dissatisfaction. (D) is incorrect because suspending the BYOD policy for a single employee undermines consistency and governance. Assessing the application balances security with operational requirements and aligns with best practices for managing BYOD environments.
83. A healthcare organization is required to comply with regulatory standards for disposing of old hard drives containing patient records. Which approach would meet these regulatory requirements?
Correct Answer: A Explanation: The correct answer is A because physically destroying the hard drives by crushing or shredding ensures compliance with regulatory standards that mandate complete destruction of sensitive data. Option B is incorrect because a basic disk cleanup does not remove the original data, leaving it accessible to recovery tools. Option C is incorrect because reformatting and reusing the drives risks exposing sensitive data if it is not securely erased. Option D is incorrect because transferring the data does not ensure destruction of the originals, which could still be recovered by unauthorized parties.
84. An organization has remote employees who need secure access to internal resources over the internet. The security team is tasked with deploying a solution that encrypts data in transit while allowing remote workers to access the internal network. Which type of VPN would best meet these requirements?
Correct Answer: B. Remote Access VPN Explanation: A Remote Access VPN (B) is the correct answer because it allows individual users to securely connect to an internal network over the internet using encryption to protect data in transit. Site-to-Site VPNs (A) connect entire networks rather than individual users, making them unsuitable for remote employees. SSL/TLS VPNs (C) are a subset of Remote Access VPNs, but the broader term “Remote Access VPN” encompasses both SSL and IPsec-based solutions, making it more appropriate for this scenario. L2TP VPNs (D) provide tunneling but require additional protocols like IPsec for encryption, making them less comprehensive as a standalone solution. Remote Access VPNs offer the flexibility and security required for remote workers.
85. A security analyst observes unusual traffic on a corporate network, where several devices are sending data to 192.168.255.255. What does this destination IP address indicate?
Correct Answer: B. A broadcast address used within the local subnet. Explanation: The correct answer is (B) because 192.168.255.255 is the broadcast address of the 192.168.0.0/16 network: the host bits are all ones, so a packet sent to it is delivered to every device in that network. Note that this holds only if the subnet really is a /16; on a smaller subnet such as 192.168.1.0/24 the broadcast address is 192.168.1.255, and 192.168.255.255 would be an ordinary address in another subnet, which is why an analyst should confirm the subnet mask before drawing conclusions. (A) is incorrect because 127.0.0.1 is the loopback address for device testing, not a broadcast address. (C) is incorrect because broadcast addresses are not assigned to individual devices. (D) is incorrect because multicast addresses are in the range 224.0.0.0 to 239.255.255.255, not in the private IP range.
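The following is an added example, not part of the original exam page, that classifies a destination address the way the explanation above does (loopback, multicast, limited broadcast, subnet broadcast, ordinary host, or outside the subnet) using Python's standard `ipaddress` module, and then tallies a set of observed flows. It goes slightly beyond the question by showing that the verdict for 192.168.255.255 depends on the subnet mask. The flow list and the sources in it are constructed; 203.0.113.9 is from a documentation range.

```python
import ipaddress

# Constructed sample of (source, destination) pairs as an analyst might pull
# from a flow log; not from a real network.
SAMPLE_FLOWS = [
    ("192.168.10.21", "192.168.255.255"),
    ("192.168.10.22", "192.168.255.255"),
    ("192.168.20.5", "192.168.255.255"),
    ("192.168.10.21", "192.168.10.50"),
    ("192.168.10.23", "239.255.255.250"),
    ("192.168.10.24", "203.0.113.9"),
]


def classify_destination(addr: str, subnet: str) -> str:
    """Classify an IPv4 destination relative to the subnet the observing host sits in.

    Returns one of: 'loopback', 'multicast', 'limited-broadcast',
    'subnet-broadcast', 'network', 'host', 'outside-subnet'.
    """
    ip = ipaddress.IPv4Address(addr)
    net = ipaddress.IPv4Network(subnet, strict=False)  # accept a host address with a prefix
    if ip.is_loopback:                      # 127.0.0.0/8
        return "loopback"
    if ip.is_multicast:                     # 224.0.0.0/4
        return "multicast"
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return "limited-broadcast"          # never forwarded by routers
    if ip not in net:
        return "outside-subnet"             # a routed unicast destination, nothing special
    if ip == net.broadcast_address:         # all host bits set for *this* prefix length
        return "subnet-broadcast"
    if ip == net.network_address:
        return "network"
    return "host"


def summarize_destinations(flows, subnet: str) -> dict:
    """Count destinations by class so a burst of broadcast traffic stands out."""
    counts = {}
    for _src, dst in flows:
        kind = classify_destination(dst, subnet)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    # Same address, two plausible masks: the classification changes.
    for subnet in ("192.168.0.0/16", "192.168.1.0/24"):
        print(subnet, "->", classify_destination("192.168.255.255", subnet))
    print(summarize_destinations(SAMPLE_FLOWS, "192.168.0.0/16"))
```

With a /16 the three flows to 192.168.255.255 are counted as subnet broadcasts; with a /24 the same address is reported as outside the subnet, which is the check the analyst should run before treating the traffic as ordinary broadcast noise.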
86. A company hosts its public-facing web server in a demilitarized zone (DMZ). The server must communicate with the internal database located on the private network to fetch data. What is the most secure way to configure this communication?
Correct Answer: B. Implement strict firewall rules to allow only necessary traffic between the DMZ and the private network Explanation: Implementing strict firewall rules to allow only necessary traffic between the DMZ and the private network (B) is the correct answer because it minimizes the attack surface and ensures that only authorized traffic, such as database queries from the web server’s address to the database server’s listening port, can traverse from the DMZ to the database, with everything else denied by default. Allowing unrestricted access (A) is highly insecure and exposes the private network to potential attacks if the web server is compromised. Using NAT (C) hides the database’s IP address but does not enforce access control, leaving the system vulnerable. Configuring a VPN (D) creates a secure connection but does not control or restrict the types of traffic allowed, making it less effective for securing communication between a DMZ and private network. Firewall rules provide the granular control needed to protect the private network while enabling necessary functionality.
87. A multinational corporation needs to secure email communications between employees to prevent unauthorized access. They decide to implement asymmetric encryption for this purpose. What should the sender use to encrypt the email so only the intended recipient can decrypt it?
Correct Answer: B Explanation: The correct answer is B because in asymmetric encryption, the sender encrypts the data using the recipient's public key, ensuring that only the recipient, who has the corresponding private key, can decrypt it. Option A is incorrect because the recipient’s private key is used for decryption, not encryption. Option C is incorrect because the sender's public key would not be useful for encryption in this context, as it does not align with the recipient's decryption key. Option D is incorrect because the sender's private key is typically used for digital signatures, not for encrypting messages meant for the recipient.
88. An IT services provider conducts a post-incident analysis after successfully executing its disaster recovery plan during a cyberattack. They determine that the recovery prevented a prolonged service outage for their clients. Why is this disaster recovery effort important to the provider?
Correct Answer: A. It demonstrates the provider’s ability to deliver uninterrupted services Explanation: Disaster recovery is important in this scenario because it underscores the provider’s capability to maintain uninterrupted services for clients, which is crucial for client trust and business continuity (A). Preventing reputational damage (B) is an indirect benefit but not the primary importance here. Reducing the likelihood of future cyberattacks (C) is a goal of proactive security measures, not recovery actions. Compliance with SLAs (D) is a consideration, but the primary focus of disaster recovery is ensuring service availability rather than just meeting contractual terms. Thus, A accurately reflects the importance of disaster recovery in this situation.
89. A financial institution experiences a server failure that disrupts critical operations. As part of its disaster recovery plan, the institution decides to restore services using a backup server located at a remote site. Which of the following best describes the primary purpose of this disaster recovery action?
Correct Answer: A. To ensure business continuity by minimizing downtime Explanation: The primary purpose of disaster recovery is to restore critical systems and operations as quickly as possible to minimize disruption to business activities (A). This ensures business continuity, which is the central objective of disaster recovery plans. While securing sensitive data against cyber threats (B) is an important part of cybersecurity, it is not the main focus of this disaster recovery action. Compliance with regulatory requirements for data storage (C) is also significant, but it pertains more to governance than to immediate recovery. Avoiding reputational damage (D) is an indirect benefit of disaster recovery, not its core purpose. Therefore, A is the best answer.
90. A healthcare provider’s privacy policy specifies that patient data must be encrypted during storage and transmission. During a cybersecurity assessment, it is found that data backups are stored in plain text on a third-party cloud service. What immediate step should the provider take to comply with the privacy policy?
Correct Answer: A Explanation: The correct answer is (A) because encrypting existing backups and ensuring future backups are encrypted aligns with the privacy policy’s requirement to protect patient data during storage. (B) is incorrect because while transparency is important, encrypting the backups addresses the root cause more effectively and does not necessitate revoking data sharing. (C) is incorrect because terminating the contract is a drastic step that may not be feasible or necessary if the encryption issue is resolved. (D) is incorrect because access controls alone do not address the risk posed by unencrypted data. Encryption is the most effective and compliant response to secure the data.
91. An organization uses a cloud service provider (CSP) for data storage and processing. The SLA includes a provision for disaster recovery, specifying a Recovery Time Objective (RTO) of 4 hours. What does this RTO represent in the context of the SLA?
Correct Answer: C. The maximum duration for restoring services after a disruption Explanation: The Recovery Time Objective (RTO) (C) is the correct answer because it specifies the maximum allowable time to restore services after a disruption, ensuring business continuity within an agreed timeframe. The maximum amount of data loss acceptable (A) refers to Recovery Point Objective (RPO), not RTO. The time taken to detect a security breach (B) is unrelated to RTO and pertains to security monitoring. The minimum time required to initiate a backup (D) does not align with the definition of RTO. The RTO ensures clarity on service restoration timelines, making it a critical SLA component for disaster recovery.
92. A user downloads a free application from an untrusted website that appears to perform the advertised function. However, after installation, the application secretly provides remote access to the user's device for an attacker. What type of malware is this?
Correct Answer: B. Trojan Explanation: The scenario describes malware disguised as a legitimate application that performs the advertised function while secretly providing unauthorized remote access, which is characteristic of a Trojan (B). Trojans rely on users willingly downloading and installing them under false pretenses. Option A, Virus, replicates by attaching to files and does not rely on disguise as legitimate software. Option C, Worm, spreads independently and does not masquerade as legitimate programs. Option D, Adware, focuses on delivering unwanted advertisements rather than providing unauthorized remote access.
93. A company uses a gate entry system that logs every access attempt along with the time and badge ID. Which of the following would be the most effective measure to ensure the integrity and security of these access logs?
Correct Answer: A) Ensure logs are stored in a centralized, secure location with restricted access Explanation: Storing access logs in a centralized, secure location with restricted access (A) is the most effective way to ensure the integrity and security of the logs. This approach prevents unauthorized modifications or deletions of log data and makes it easier to monitor and analyze access attempts; forwarding entries to an append-only store as they are written further ensures they cannot be altered after the fact. Allowing all employees to view the logs (B) compromises security and privacy, as unauthorized personnel could gain access to sensitive data. Deleting logs (C) to save space reduces the ability to review past events and risks losing critical evidence. Storing logs on a local system (D) leaves them more vulnerable to tampering or physical damage.
94. A financial institution plans to dispose of obsolete backup tapes containing sensitive transaction data. What should the institution do to ensure the data is securely destroyed?
Correct Answer: B Explanation: The correct answer is B because using a degaussing machine disrupts the magnetic fields on the tapes, rendering the data irrecoverable. This is a widely accepted method for securely destroying magnetic storage media. Option A is incorrect because storing the tapes does not destroy the data and exposes it to future risks. Option C is incorrect because manually erasing data with software does not guarantee complete removal, leaving the data potentially recoverable. Option D is incorrect because recording new data over the old data may leave remnants of the original data accessible through specialized recovery techniques.
95. A penetration tester reports that a financial institution's online banking application does not implement multi-factor authentication, leaving it susceptible to unauthorized access. How does this finding contribute to threat management?
Correct Answer: B. It supports the threat identification process. Explanation: The report about the absence of multi-factor authentication highlights a specific weakness that could be exploited by unauthorized users, which directly contributes to the threat identification process (B). Identifying such weaknesses helps organizations recognize potential threats. Option A, Enhancing the incident response strategy, relates to actions taken after an incident and does not involve recognizing threats. Option C, Improving the security monitoring framework, involves setting up mechanisms to detect suspicious activities but does not identify potential threats. Option D, Aligning with the business continuity plan, focuses on ensuring operational resilience and is unrelated to threat identification.
96. A company is deploying CCTV cameras at a new facility and wants to ensure maximum coverage of critical areas without excessive blind spots. Which of the following factors should be prioritized when positioning the cameras?
Correct Answer: C) Cameras should be installed in high-traffic areas with unobstructed views of entry points Explanation: Installing cameras in high-traffic areas with unobstructed views of entry points (C) is the best approach for ensuring comprehensive coverage of critical access points. High-traffic areas are more likely to have potential security incidents, and unobstructed views ensure clear footage for identification. Camera placement based on aesthetic considerations (A) does not address security needs and could lead to blind spots. Placing cameras in areas with limited foot traffic (B) reduces footage volume but might miss critical events in more active areas. Installing cameras near locked doors (D) limits the effectiveness of surveillance, as locked doors may not be used frequently or may be bypassed.
97. During a simulated social engineering attack conducted as part of a security awareness program, several employees unknowingly shared confidential information with a fake "executive" requesting urgent assistance. What training outcome would best address this type of vulnerability?
Correct Answer: B. Explanation: The key training outcome here is to educate employees to authenticate all requests for sensitive information (B), regardless of the requester’s authority, to counteract tactics like authority-based social engineering. Following executive instructions without question (A) reinforces the vulnerability exploited in this scenario. Requiring executives to seek permission (C) is impractical and could disrupt operations. Implementing technical controls to block sharing data (D) can supplement, but not replace, awareness training, as attackers can bypass technical controls by exploiting human behavior. Awareness training on authenticating authority is essential to combat these tactics effectively.
98. During a cybersecurity workshop, the facilitator presents a case study where an attacker exploited an unpatched application to deploy ransomware. What lesson does this case study emphasize in the threat identification process?
Correct Answer: B. Identifying attack vectors Explanation: The case study highlights the importance of identifying attack vectors (B), such as exploiting unpatched applications, which are specific pathways that threats use to compromise systems. Option A, Assessing the likelihood of risk, evaluates how probable a threat is but does not specifically identify pathways. Option C, Establishing disaster recovery plans, involves preparing for recovery after an incident and is unrelated to recognizing attack vectors. Option D, Conducting employee awareness training, aims to prevent user-based threats but does not address the identification of technical attack paths.
99. During a fire drill in a data center, it was observed that the fire suppression system took longer than expected to activate, increasing the risk of equipment damage. The organization decides to implement a system with rapid detection and suppression capabilities. Which component is critical for achieving this goal?
Correct Answer: B. Smoke detectors integrated with clean agent systems Explanation: Smoke detectors integrated with clean agent systems (B) are the correct answer because smoke detectors provide early detection of fires, allowing for rapid activation of the clean agent suppression system to minimize damage. Heat detectors with manual activation systems (A) are slower to respond as they require significant heat buildup, which can delay suppression. Manual pull stations and sprinkler systems (C) rely on human intervention and use water, which is unsuitable for electronics. CO2 extinguishers positioned near critical equipment (D) require manual operation and do not offer the automated, rapid response needed for comprehensive fire suppression. Smoke detectors integrated with clean agent systems ensure early detection and automated suppression, addressing the scenario effectively.
100. A small business is planning to secure its network equipment stored in a closet that has limited space and minimal cooling. The IT manager is concerned about potential overheating and equipment failure due to inadequate airflow. Which solution is best suited to address this issue?
Correct Answer: C. Deploy server racks with integrated cooling systems Explanation: Deploying server racks with integrated cooling systems (C) is the correct answer because these racks are designed to manage airflow and prevent overheating, even in small spaces. This solution is efficient for managing cooling in tight environments like a network closet. Installing a dedicated HVAC system (A) is incorrect because it may not be cost-effective or practical for a small network closet. Fan trays for individual network devices (B) provide localized cooling but are insufficient for overall airflow management in confined spaces. Relocating equipment to an open area (D) may improve ventilation but introduces other risks, such as physical security concerns and lack of dedicated infrastructure. Integrated cooling racks directly address both cooling and space constraints, making them the best choice.