- Which three properties make up the CIA triad, the foundational model of information security?
- Compliance, Integrity, Authentication
- Confidentiality, Integrity, Availability
- Confidentiality, Identification, Authorization
- Control, Identity, Access
Correct answer: Confidentiality, Integrity, Availability
The CIA triad stands for Confidentiality, Integrity, and Availability, the three core goals that information security aims to protect.
- What does the principle of confidentiality primarily ensure?
- Information is accessible when needed
- Information is only disclosed to authorized parties
- Systems remain operational
- Data is accurate and unaltered
Correct answer: Information is only disclosed to authorized parties
Confidentiality ensures that information is not disclosed to unauthorized individuals, entities, or processes.
- Which security concept ensures that data has not been altered in an unauthorized manner?
- Authentication
- Availability
- Confidentiality
- Integrity
Correct answer: Integrity
Integrity guarantees that information remains accurate, complete, and unmodified except by authorized actions.
- A denial-of-service attack most directly threatens which element of the CIA triad?
- Availability
- Confidentiality
- Non-repudiation
- Integrity
Correct answer: Availability
A denial-of-service attack overwhelms a system so legitimate users cannot access it, directly harming availability.
- What is the term for the assurance that a sender cannot deny having sent a message?
- Authentication
- Authorization
- Accounting
- Non-repudiation
Correct answer: Non-repudiation
Non-repudiation provides proof of the origin and integrity of data so a party cannot deny their actions.
- Which of the following is an example of something you know used in authentication?
- Security token
- Password
- Smart card
- Fingerprint
Correct answer: Password
A password is knowledge-based authentication, representing the 'something you know' factor.
- Which factor of authentication does a fingerprint scan represent?
- Somewhere you are
- Something you have
- Something you know
- Something you are
Correct answer: Something you are
A fingerprint is a biometric trait, representing the 'something you are' authentication factor.
- What does multi-factor authentication require?
- Two or more authentication factors of different types
- A username and a password
- Two security questions
- Two passwords
Correct answer: Two or more authentication factors of different types
Multi-factor authentication combines two or more distinct factor types, such as something you know plus something you have.
- In risk management, what is a vulnerability?
- A potential cause of an unwanted event
- A weakness that can be exploited
- The likelihood of an event occurring
- The value of an asset
Correct answer: A weakness that can be exploited
A vulnerability is a weakness or gap in protection that a threat can exploit to cause harm.
- What term describes anything of value that an organization wants to protect?
Correct answer: Asset
An asset is any resource, such as data, hardware, or people, that has value and warrants protection.
- What is a threat in the context of risk management?
- A weakness in a system
- Something that can exploit a vulnerability to cause harm
- A safeguard against attacks
- The probability of a loss
Correct answer: Something that can exploit a vulnerability to cause harm
A threat is any circumstance or event with the potential to exploit a vulnerability and cause harm.
- Risk is most accurately described as the combination of which two elements?
- Threat and asset value
- Vulnerability and control
- Likelihood and impact
- Asset and safeguard
Correct answer: Likelihood and impact
Risk is commonly expressed as the probability (likelihood) that a threat will occur and the resulting impact.
- Which risk treatment option involves purchasing insurance to handle potential losses?
- Risk mitigation
- Risk avoidance
- Risk acceptance
- Risk transference
Correct answer: Risk transference
Risk transference shifts the financial impact of a risk to a third party, such as an insurer.
- Choosing not to perform an activity that carries risk is an example of which response?
- Risk avoidance
- Risk mitigation
- Risk transference
- Risk acceptance
Correct answer: Risk avoidance
Risk avoidance eliminates the risk by not engaging in the activity that produces it.
- What is the term for the remaining risk after controls have been applied?
- Transferred risk
- Total risk
- Inherent risk
- Residual risk
Correct answer: Residual risk
Residual risk is the level of risk that remains after security controls have been implemented.
- Implementing antivirus software to reduce malware risk is an example of which strategy?
- Risk acceptance
- Risk transference
- Risk avoidance
- Risk mitigation
Correct answer: Risk mitigation
Risk mitigation reduces the likelihood or impact of a risk through controls such as antivirus software.
- Which type of security control is implemented through technology such as firewalls and encryption?
- Administrative control
- Physical control
- Technical control
- Compensating control
Correct answer: Technical control
Technical (logical) controls use technology like firewalls, encryption, and access control lists to protect systems.
- A company policy requiring annual security awareness training is an example of which control type?
- Administrative control
- Detective control
- Technical control
- Physical control
Correct answer: Administrative control
Administrative controls are policies, procedures, and guidelines that govern human behavior, including training requirements.
- A locked server room door is an example of which control type?
- Administrative control
- Logical control
- Physical control
- Technical control
Correct answer: Physical control
Physical controls protect tangible assets and facilities using barriers like locks, fences, and guards.
- What is the primary purpose of the principle of least privilege?
- Removing all user access
- Granting users maximum access for convenience
- Granting access based on seniority
- Granting users only the access needed to perform their job
Correct answer: Granting users only the access needed to perform their job
Least privilege limits each user's access to only what is necessary to perform their duties, reducing exposure.
- Defense in depth refers to which security approach?
- Using a single strong control
- Relying only on physical security
- Avoiding all risk
- Layering multiple controls to protect assets
Correct answer: Layering multiple controls to protect assets
Defense in depth uses multiple, overlapping layers of security so that if one fails, others still protect the asset.
- What is the main goal of separation of duties?
- To centralize control
- To reduce staffing costs
- To speed up workflows
- To prevent any single person from completing a critical task alone
Correct answer: To prevent any single person from completing a critical task alone
Separation of duties divides critical tasks among multiple people to prevent fraud and reduce error.
- Which of the following best describes due care?
- Taking reasonable steps to protect assets
- Documenting policies only
- Ignoring known risks
- Transferring all risk to a vendor
Correct answer: Taking reasonable steps to protect assets
Due care is the ongoing effort to act responsibly and take reasonable measures to protect organizational assets.
- What does the term 'privacy' primarily concern in information security?
- The proper handling and protection of personal information
- System uptime
- Network bandwidth
- Software licensing
Correct answer: The proper handling and protection of personal information
Privacy concerns the appropriate collection, use, retention, and protection of individuals' personal information.
- Which ISC2 Code of Ethics canon comes first in order of priority?
- Provide diligent and competent service
- Protect society, the common good, and the infrastructure
- Act honorably and legally
- Advance and protect the profession
Correct answer: Protect society, the common good, and the infrastructure
The ISC2 Code of Ethics lists protecting society, the common good, and the infrastructure as the first and highest-priority canon.
- What is a qualitative risk assessment based on?
- Single loss expectancy
- Numeric monetary values
- Annualized loss expectancy
- Subjective ratings such as high, medium, and low
Correct answer: Subjective ratings such as high, medium, and low
Qualitative risk assessment uses descriptive, subjective categories rather than precise monetary figures.
- Which calculation represents Annualized Loss Expectancy (ALE)?
- SLE multiplied by ARO
- SLE divided by ARO
- Asset value multiplied by EF
- Threat multiplied by vulnerability
Correct answer: SLE multiplied by ARO
ALE equals the Single Loss Expectancy (SLE) multiplied by the Annualized Rate of Occurrence (ARO).
- What does authentication establish?
- The identity of a user or system
- The likelihood of a threat
- The value of an asset
- What a user is allowed to do
Correct answer: The identity of a user or system
Authentication verifies that an entity is who it claims to be before access is granted.
- What does authorization determine?
- The availability of a system
- The integrity of data
- What an authenticated user is permitted to do
- The identity of the user
Correct answer: What an authenticated user is permitted to do
Authorization defines the permissions and resources an authenticated user is allowed to access.
- What is the purpose of accounting (auditing) in the AAA model?
- To grant permissions
- To verify identity
- To encrypt data
- To track and record user activities
Correct answer: To track and record user activities
Accounting records what authenticated users do, supporting auditing, accountability, and non-repudiation.
- Which term describes information that, if disclosed, could harm an individual, such as a Social Security number?
- Metadata
- Aggregated data
- Personally Identifiable Information
- Public data
Correct answer: Personally Identifiable Information
Personally Identifiable Information (PII) is any data that can identify a specific individual and requires protection.
- What is the best description of a security policy?
- A high-level statement of management's security intent and expectations
- A list of installed software
- A network diagram
- A technical configuration file
Correct answer: A high-level statement of management's security intent and expectations
A security policy is a high-level document that expresses management's goals and rules for protecting assets.
- Which document type provides mandatory step-by-step instructions to accomplish a task?
- Guideline
- Policy
- Procedure
- Standard
Correct answer: Procedure
A procedure provides detailed, mandatory step-by-step instructions for performing a specific task.
- A guideline differs from a standard in that a guideline is:
- A recommendation that is not mandatory
- Mandatory and enforceable
- A hardware requirement
- A legal contract
Correct answer: A recommendation that is not mandatory
Guidelines are recommended best practices that are discretionary, while standards are mandatory.
- What is the goal of an organization performing a risk assessment?
- To install firewalls
- To identify, analyze, and evaluate risks to assets
- To eliminate all risk
- To purchase insurance
Correct answer: To identify, analyze, and evaluate risks to assets
A risk assessment identifies and evaluates risks so the organization can prioritize and choose appropriate responses.
- Which concept ensures that individuals are held responsible for their actions on a system?
- Accountability
- Encryption
- Availability
- Redundancy
Correct answer: Accountability
Accountability links actions to a specific identity, ensuring users can be held responsible for their activities.
- What is meant by 'risk acceptance'?
- Acknowledging a risk and choosing to take no further action
- Adding new controls
- Buying insurance
- Eliminating the activity causing risk
Correct answer: Acknowledging a risk and choosing to take no further action
Risk acceptance is a conscious decision to tolerate a risk, often because the cost of mitigation exceeds the benefit.
- Which of the following best describes a 'control' in security?
- A potential attacker
- A measure taken to reduce risk
- A weakness in a system
- An organizational asset
Correct answer: A measure taken to reduce risk
A control (safeguard or countermeasure) is a measure put in place to reduce or eliminate risk.
- Encrypting data so only authorized parties can read it primarily supports which security goal?
- Availability
- Confidentiality
- Non-repudiation
- Integrity
Correct answer: Confidentiality
Encryption protects confidentiality by making data unreadable to anyone without the proper key.
- What is the primary purpose of a Business Continuity Plan (BCP)?
- To keep critical business functions operating during a disruption
- To recover IT systems after a disaster
- To detect malware
- To enforce password policies
Correct answer: To keep critical business functions operating during a disruption
A BCP focuses on keeping essential business operations running during and after a disruptive event.
- What does a Disaster Recovery Plan (DRP) primarily focus on?
- Marketing strategy
- Maintaining daily business operations
- Restoring IT systems and data after a disaster
- Hiring procedures
Correct answer: Restoring IT systems and data after a disaster
A DRP focuses specifically on recovering and restoring IT infrastructure, systems, and data following a disaster.
- What does Recovery Time Objective (RTO) define?
- The cost of recovery
- The maximum acceptable time to restore a system after a disruption
- The frequency of backups
- The maximum acceptable amount of data loss
Correct answer: The maximum acceptable time to restore a system after a disruption
RTO is the target maximum time within which a system or process must be restored after an outage.
- What does Recovery Point Objective (RPO) measure?
- The number of incidents per year
- The cost of downtime
- The time to restore systems
- The maximum tolerable amount of data loss measured in time
Correct answer: The maximum tolerable amount of data loss measured in time
RPO defines the maximum acceptable amount of data loss, expressed as a point in time before the disruption.
- What is the first phase of the incident response process according to common models?
- Preparation
- Eradication
- Recovery
- Containment
Correct answer: Preparation
Preparation is the first phase, establishing the policies, tools, and training needed before an incident occurs.
- During incident response, what is the goal of the containment phase?
- To remove the threat completely
- To document lessons learned
- To limit the damage and prevent the incident from spreading
- To restore normal operations
Correct answer: To limit the damage and prevent the incident from spreading
Containment aims to isolate affected systems and limit the spread and impact of the incident.
- Which incident response phase involves removing the cause of the incident, such as deleting malware?
- Eradication
- Recovery
- Containment
- Detection
Correct answer: Eradication
Eradication removes the root cause of the incident, such as deleting malware and disabling compromised accounts.
- What is the purpose of the lessons-learned phase after an incident?
- To notify customers
- To improve future response based on what happened
- To assign blame to individuals
- To delete all logs
Correct answer: To improve future response based on what happened
The lessons-learned phase reviews the incident to improve processes, controls, and future response capability.
- What is a Business Impact Analysis (BIA) used to determine?
- Network bandwidth needs
- The criticality of business functions and the impact of their disruption
- The cost of marketing campaigns
- Employee performance
Correct answer: The criticality of business functions and the impact of their disruption
A BIA identifies critical business functions and assesses the impact that disruptions would have on them.
- Which type of recovery site is fully equipped and can take over operations almost immediately?
- Mobile site
- Hot site
- Warm site
- Cold site
Correct answer: Hot site
A hot site is fully configured with hardware, software, and data, allowing near-immediate failover.
- A recovery site that has space and power but no installed hardware or data is called a:
- Hot site
- Cold site
- Warm site
- Cloud site
Correct answer: Cold site
A cold site provides only basic infrastructure such as space and power, requiring full setup before use.
- What characterizes a warm site?
- A vehicle-based facility
- Fully operational with real-time data
- Partially equipped, requiring some setup and data restoration
- No equipment at all
Correct answer: Partially equipped, requiring some setup and data restoration
A warm site has some equipment and connectivity in place but requires configuration and data restoration before use.
- What is the primary reason for maintaining regular data backups?
- To improve authentication
- To enable recovery of data after loss or corruption
- To increase network speed
- To reduce storage costs
Correct answer: To enable recovery of data after loss or corruption
Backups provide a means to restore data that has been lost, corrupted, or destroyed, supporting availability.
- Why should backup media be stored at an offsite location?
- To save on-site storage space
- To make restores faster
- To comply with software licensing
- To protect backups from the same disaster affecting the primary site
Correct answer: To protect backups from the same disaster affecting the primary site
Offsite storage protects backups from local disasters such as fire or flood that could destroy on-site copies.
- What is an event in the context of security operations?
- Always a confirmed attack
- A type of malware
- A recovery procedure
- Any observable occurrence in a system or network
Correct answer: Any observable occurrence in a system or network
An event is any observable occurrence, which may be benign; an incident is an event that negatively affects security.
- What is the primary purpose of access control?
- To regulate who or what can view or use resources
- To back up data
- To detect malware
- To increase network bandwidth
Correct answer: To regulate who or what can view or use resources
Access control governs which subjects can access which objects and under what conditions.
- In access control, what is a 'subject'?
- A physical lock
- A security policy
- An active entity such as a user or process requesting access
- A resource being accessed
Correct answer: An active entity such as a user or process requesting access
A subject is an active entity, such as a user, program, or process, that requests access to an object.
- In access control, what is an 'object'?
- A firewall rule
- An authentication token
- A passive resource such as a file or database being accessed
- The user requesting access
Correct answer: A passive resource such as a file or database being accessed
An object is a passive resource, such as a file, database, or device, that a subject seeks to access.
- Which access control model assigns permissions based on a user's job role?
- Rule-Based Access Control
- Mandatory Access Control
- Discretionary Access Control
- Role-Based Access Control
Correct answer: Role-Based Access Control
Role-Based Access Control (RBAC) grants permissions according to the roles assigned to users within an organization.
- In Discretionary Access Control (DAC), who determines access to a resource?
- The operating system
- The security administrator only
- A central authority
- The data owner
Correct answer: The data owner
In DAC, the owner of the resource has the discretion to grant or restrict access to other users.
- Which access control model uses security labels and clearances enforced by the system?
- Attribute-Based Access Control
- Discretionary Access Control
- Mandatory Access Control
- Role-Based Access Control
Correct answer: Mandatory Access Control
Mandatory Access Control (MAC) enforces access based on labels and clearances set by a central authority, not the owner.
- What is the purpose of an Access Control List (ACL)?
- To specify which subjects are granted access to an object and what operations they may perform
- To detect intrusions
- To encrypt network traffic
- To back up files
Correct answer: To specify which subjects are granted access to an object and what operations they may perform
An ACL lists the subjects and their permitted operations for a given object, enforcing authorization.
- What does the principle of least privilege require for access control?
- Sharing one account among many users
- Removing access after each session
- Granting all users administrator rights
- Granting users the minimum access necessary for their tasks
Correct answer: Granting users the minimum access necessary for their tasks
Least privilege ensures users receive only the access required to perform their duties, limiting potential damage.
- What is the concept of 'need to know' in access control?
- Users can access anything they request
- All data is public
- Users are granted access only to information required to perform a specific task
- Access is based solely on seniority
Correct answer: Users are granted access only to information required to perform a specific task
Need to know restricts access to only the information necessary for a user to carry out a specific function.
- Which physical access control uses a small space with two doors to control entry?
- Turnstile
- Mantrap (access control vestibule)
- Bollard
- Badge reader
Correct answer: Mantrap (access control vestibule)
A mantrap, or access control vestibule, uses two interlocking doors to control and verify entry one person at a time.
- What is the purpose of a bollard in physical security?
- To authenticate users
- To record video
- To prevent vehicles from approaching or ramming a building
- To detect smoke
Correct answer: To prevent vehicles from approaching or ramming a building
Bollards are sturdy posts that block or redirect vehicles, protecting buildings and pedestrians from vehicle threats.
- Which of the following is a logical access control?
- A guard dog
- A security fence
- A username and password
- A door lock
Correct answer: A username and password
Logical (technical) access controls, such as passwords, regulate access to systems and data through technology.
- What is the main benefit of using Role-Based Access Control in a large organization?
- It removes the need for passwords
- It simplifies administration by grouping permissions into roles
- It allows unlimited access
- It eliminates the need for authentication
Correct answer: It simplifies administration by grouping permissions into roles
RBAC simplifies management by assigning permissions to roles, so adding or changing users is easier and consistent.
- What does provisioning a user account involve?
- Creating and assigning appropriate access rights to a new user
- Deleting a user's access
- Auditing logs
- Encrypting passwords
Correct answer: Creating and assigning appropriate access rights to a new user
Provisioning is the process of creating a user account and granting the appropriate access rights for their role.
- Why is it important to deprovision accounts when an employee leaves?
- To prevent unauthorized access through orphaned accounts
- To improve network speed
- To increase storage
- To save licensing fees only
Correct answer: To prevent unauthorized access through orphaned accounts
Deprovisioning removes access for departed users, preventing orphaned accounts from being misused.
- What is single sign-on (SSO)?
- A backup method
- Disabling authentication
- A system allowing a user to authenticate once and access multiple resources
- Using one password for all websites independently
Correct answer: A system allowing a user to authenticate once and access multiple resources
SSO lets a user authenticate once and gain access to multiple systems without re-entering credentials.
- What is the purpose of a security badge with an embedded chip?
- To provide physical access authentication to facilities
- To encrypt email
- To back up data
- To scan for malware
Correct answer: To provide physical access authentication to facilities
Smart badges authenticate identity for physical entry, often combined with readers at controlled doors.
- Which access control approach evaluates multiple characteristics such as user, resource, and environment to make decisions?
- Attribute-Based Access Control
- Role-Based Access Control
- Mandatory Access Control
- Discretionary Access Control
Correct answer: Attribute-Based Access Control
Attribute-Based Access Control (ABAC) grants access based on attributes of the subject, object, and environment.
- What is the concept of 'segregation of duties' designed to prevent in access control?
- Weak passwords
- One individual having enough access to commit and conceal fraud
- Slow logins
- Excessive backups
Correct answer: One individual having enough access to commit and conceal fraud
Segregation of duties splits access among multiple people so no single person can both commit and conceal fraud.
- What is a CCTV system primarily used for in physical security?
- Authenticating users
- Filtering network traffic
- Monitoring and recording activity for surveillance
- Encrypting data
Correct answer: Monitoring and recording activity for surveillance
Closed-circuit television (CCTV) provides surveillance to monitor and record activity, serving as a detective control.
- A turnstile that allows only one person to pass per authentication helps prevent which physical threat?
- Phishing
- Tailgating
- Malware infection
- Data corruption
Correct answer: Tailgating
Turnstiles restrict entry to one authenticated person at a time, helping prevent tailgating (piggybacking).
- What is tailgating in the context of physical security?
- Following an authorized person through a secure door without authenticating
- Encrypting a file
- Hacking a network
- Stealing a password
Correct answer: Following an authorized person through a secure door without authenticating
Tailgating occurs when an unauthorized person follows an authorized person through a controlled entry point.
- In access control, what does the term 'authorization creep' describe?
- A network outage
- A user accumulating excessive permissions over time
- A slow login process
- A failed backup
Correct answer: A user accumulating excessive permissions over time
Authorization creep (privilege creep) is the accumulation of unnecessary access rights as a user changes roles over time.
- Why should default accounts and passwords be changed on new systems?
- To reduce storage
- To enable backups
- To improve performance
- Because they are widely known and easily exploited by attackers
Correct answer: Because they are widely known and easily exploited by attackers
Default credentials are publicly documented and commonly targeted, so they must be changed to prevent unauthorized access.
- What is the benefit of a periodic access review?
- It speeds up the network
- It encrypts data
- It creates backups
- It verifies that users still need their current access rights
Correct answer: It verifies that users still need their current access rights
Access reviews ensure users retain only appropriate permissions, helping detect and remove excessive or unused access.
- What does a lighting control in physical security primarily deter?
- Network intrusion
- Data corruption
- Unauthorized physical activity and concealment
- Email phishing
Correct answer: Unauthorized physical activity and concealment
Adequate lighting deters intruders and improves the effectiveness of surveillance by removing dark hiding spots.
- Which is an example of a biometric access control?
- A PIN code
- A swipe card
- An iris scan
- A token
Correct answer: An iris scan
An iris scan is a biometric control that authenticates based on a unique physical characteristic.
- What is the role of a security guard as an access control?
- A purely technical control
- An administrative document
- A logical firewall
- A physical control that can make judgment-based access decisions
Correct answer: A physical control that can make judgment-based access decisions
Security guards are physical controls who can adapt and apply judgment in deciding whom to admit.
- Which model is most appropriate when access must be strictly controlled by classification levels in a military environment?
- Role-Based Access Control
- Discretionary Access Control
- Mandatory Access Control
- Rule-Based Access Control
Correct answer: Mandatory Access Control
Mandatory Access Control enforces classification labels and clearances, making it suited to highly regulated environments.
- What is the purpose of logging access attempts?
- To increase storage
- To provide an audit trail for accountability and investigation
- To slow down attackers
- To encrypt files
Correct answer: To provide an audit trail for accountability and investigation
Access logs create an audit trail that supports accountability, detection, and investigation of incidents.
- Which concept describes giving a temporary, elevated level of access only when needed?
- Anonymous access
- Permanent privilege
- Open access
- Just-in-time access
Correct answer: Just-in-time access
Just-in-time access grants elevated privileges only for the time needed, then revokes them, reducing standing risk.
- What is the function of a fence in physical security layering?
- Intrusion detection on the network
- A deterrent and barrier marking a perimeter boundary
- Data encryption
- Authentication
Correct answer: A deterrent and barrier marking a perimeter boundary
A fence serves as a perimeter barrier and deterrent, defining boundaries and slowing unauthorized entry.
- What does the OSI model layer 3 (Network layer) primarily handle?
- Bit transmission
- Physical cabling
- Application data formatting
- Logical addressing and routing
Correct answer: Logical addressing and routing
The Network layer handles logical addressing (such as IP) and routing of packets between networks.
- At which OSI layer does a switch primarily operate?
- Network layer
- Data Link layer
- Physical layer
- Transport layer
Correct answer: Data Link layer
A traditional switch operates at the Data Link layer (Layer 2), forwarding frames using MAC addresses.
- Which protocol is the primary connection-oriented transport protocol providing reliable delivery?
Correct answer: TCP
TCP is connection-oriented and provides reliable, ordered delivery using acknowledgments and retransmission.
- Which protocol is connectionless and prioritizes speed over reliability?
Correct answer: UDP
UDP is connectionless and does not guarantee delivery, making it faster but less reliable than TCP.
- What is the primary function of a firewall?
- To control network traffic based on a set of rules
- To authenticate biometrics
- To back up files
- To encrypt all stored data
Correct answer: To control network traffic based on a set of rules
A firewall filters inbound and outbound network traffic according to defined security rules.
- What does a stateful firewall track that a simple packet filter does not?
- The encryption keys
- The state of active connections
- The user's password
- The physical location
Correct answer: The state of active connections
A stateful firewall tracks the state of active connections and makes decisions based on connection context.
- What is the primary purpose of a Virtual Private Network (VPN)?
- To increase storage
- To create a secure, encrypted tunnel over an untrusted network
- To detect malware
- To assign IP addresses
Correct answer: To create a secure, encrypted tunnel over an untrusted network
A VPN encrypts traffic and creates a secure tunnel, protecting data as it travels over untrusted networks like the internet.
- What is the function of a DMZ (demilitarized zone) in network design?
- To replace the firewall
- To encrypt passwords
- To store all internal data
- To host public-facing servers in a segment separated from the internal network
Correct answer: To host public-facing servers in a segment separated from the internal network
A DMZ is a buffer network that hosts public-facing services while isolating them from the trusted internal network.
- What does an Intrusion Detection System (IDS) do?
- Encrypts files
- Blocks traffic automatically
- Assigns IP addresses
- Monitors network or system activity and alerts on suspicious behavior
Correct answer: Monitors network or system activity and alerts on suspicious behavior
An IDS monitors traffic and generates alerts for suspicious activity but does not block it by itself.
- How does an Intrusion Prevention System (IPS) differ from an IDS?
- An IPS only logs events
- An IPS is a physical control
- An IPS can actively block or stop detected threats
- An IPS cannot detect threats
Correct answer: An IPS can actively block or stop detected threats
An IPS not only detects threats but can also take action to block or prevent them in real time.
- What is the purpose of Network Address Translation (NAT)?
- To encrypt traffic
- To detect intrusions
- To authenticate users
- To map private internal IP addresses to a public IP address
Correct answer: To map private internal IP addresses to a public IP address
NAT translates private internal addresses to one or more public addresses, conserving public IPs and hiding internal hosts.
- Which port is commonly associated with secure web traffic using HTTPS?
Correct answer: 443
HTTPS uses TCP port 443 to provide encrypted web traffic via TLS.
- Which port does standard unencrypted HTTP use?
Correct answer: 80
HTTP uses TCP port 80 for unencrypted web traffic.
- Which protocol securely replaces Telnet for remote command-line access?
Correct answer: SSH
SSH (Secure Shell) provides encrypted remote command-line access, replacing the insecure Telnet protocol.
- What is a key security weakness of the Telnet protocol?
- It uses too much bandwidth
- It requires encryption keys
- It cannot connect to remote systems
- It transmits data, including credentials, in plaintext
Correct answer: It transmits data, including credentials, in plaintext
Telnet sends all data, including usernames and passwords, in plaintext, making it vulnerable to interception.
- What does the term 'network segmentation' refer to?
- Encrypting all packets
- Removing all firewalls
- Increasing bandwidth
- Dividing a network into smaller isolated segments to limit access and contain threats
Correct answer: Dividing a network into smaller isolated segments to limit access and contain threats
Segmentation divides a network into isolated zones, limiting lateral movement and containing potential breaches.
- What is a VLAN used for?
- To logically segment a network without changing physical connections
- To physically rewire a network
- To encrypt email
- To detect malware
Correct answer: To logically segment a network without changing physical connections
A Virtual LAN (VLAN) logically separates devices into segments regardless of physical location, improving security and management.
- Which type of malware disguises itself as legitimate software to trick users into installing it?
- Trojan horse
- Rootkit
- Logic bomb
- Worm
Correct answer: Trojan horse
A Trojan horse appears to be legitimate software but contains malicious functionality once installed.
- Which type of malware self-replicates and spreads across networks without user action?
Correct answer: Worm
A worm is self-replicating malware that spreads across networks automatically without requiring user interaction.
- What does ransomware do to a victim's data?
- Backs it up
- Encrypts it and demands payment for the decryption key
- Deletes it instantly
- Compresses it
Correct answer: Encrypts it and demands payment for the decryption key
Ransomware encrypts a victim's data and demands a ransom payment in exchange for the decryption key.
- What is the purpose of a wireless network using WPA3?
- To slow down connections
- To disable the firewall
- To remove passwords
- To provide stronger encryption and security for Wi-Fi than older protocols
Correct answer: To provide stronger encryption and security for Wi-Fi than older protocols
WPA3 is a modern Wi-Fi security protocol offering stronger encryption and protection than WEP or WPA2.
- Why is WEP considered insecure for wireless networks?
- It cannot connect devices
- It is too fast
- It requires too many passwords
- It uses weak encryption that can be easily cracked
Correct answer: It uses weak encryption that can be easily cracked
WEP uses outdated, weak encryption that can be cracked quickly, so it should not be used.
- What is a man-in-the-middle (MITM) attack?
- A backup failure
- An attacker floods a server
- An attacker intercepts and possibly alters communication between two parties
- A user forgets a password
Correct answer: An attacker intercepts and possibly alters communication between two parties
In a MITM attack, the attacker secretly intercepts and may modify communications between two parties who believe they are talking directly.
- What is the purpose of DNS in a network?
- To translate domain names into IP addresses
- To encrypt traffic
- To assign MAC addresses
- To filter spam
Correct answer: To translate domain names into IP addresses
The Domain Name System (DNS) resolves human-readable domain names into the IP addresses computers use.
- What does a Distributed Denial-of-Service (DDoS) attack use to overwhelm a target?
- A single computer
- Physical break-ins
- Social engineering only
- Many compromised systems (a botnet) sending traffic simultaneously
Correct answer: Many compromised systems (a botnet) sending traffic simultaneously
A DDoS attack uses many distributed, often compromised systems to flood a target with traffic and exhaust its resources.
- What is the main purpose of a proxy server?
- To store backups
- To act as an intermediary between clients and other servers, often filtering or caching requests
- To assign IP addresses
- To encrypt disks
Correct answer: To act as an intermediary between clients and other servers, often filtering or caching requests
A proxy server intermediates client requests, providing functions such as filtering, caching, and hiding internal addresses.
- Which device connects different networks and directs traffic between them based on IP addresses?
Correct answer: Router
A router forwards packets between networks using IP addresses, operating at the Network layer.
- What is the primary security concern with using public Wi-Fi?
- High cost
- Slow speeds only
- Limited bandwidth
- Traffic may be intercepted by attackers on the same network
Correct answer: Traffic may be intercepted by attackers on the same network
Public Wi-Fi is often unencrypted or shared, allowing attackers to intercept traffic; a VPN is recommended for protection.
- What does port scanning typically reveal to an attacker?
- Which ports and services are open on a target system
- Physical location
- User passwords
- The contents of files
Correct answer: Which ports and services are open on a target system
Port scanning identifies open ports and running services, helping an attacker find potential entry points.
- What is the function of TLS (Transport Layer Security)?
- To provide encryption and authentication for network communications
- To physically secure servers
- To assign IP addresses
- To detect malware
Correct answer: To provide encryption and authentication for network communications
TLS encrypts and authenticates communications, protecting data in transit such as in HTTPS connections.
- What is the main risk of leaving unused network ports and services enabled?
- Reduced storage
- Slower backups
- Higher electricity costs
- They increase the attack surface for potential exploitation
Correct answer: They increase the attack surface for potential exploitation
Unused open ports and services expand the attack surface, giving attackers more potential ways to compromise a system.
- Which addressing scheme uses 128-bit addresses?
Correct answer: IPv6
IPv6 uses 128-bit addresses, vastly expanding the available address space compared to IPv4's 32-bit addresses.
- What is the purpose of a honeypot in network security?
- To assign IP addresses
- To lure and study attackers by appearing to be a valuable target
- To store production data
- To encrypt backups
Correct answer: To lure and study attackers by appearing to be a valuable target
A honeypot is a decoy system designed to attract attackers so their methods can be observed and real assets protected.
- What does the term 'attack surface' refer to?
- The number of employees
- The speed of the network
- The physical size of a data center
- The total set of points where an attacker could try to enter or extract data
Correct answer: The total set of points where an attacker could try to enter or extract data
The attack surface is the sum of all points (entry vectors) through which an attacker could attempt to compromise a system.
- Which protocol resolves IP addresses to MAC addresses on a local network?
Correct answer: ARP
The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses within a local network segment.
- What does DHCP automatically provide to devices on a network?
- Encryption keys
- User credentials
- Antivirus updates
- IP address configuration
Correct answer: IP address configuration
The Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses and related configuration to devices.
- What is the main purpose of patch management?
- To delete user data
- To increase the attack surface
- To apply updates that fix vulnerabilities and bugs
- To slow down systems
Correct answer: To apply updates that fix vulnerabilities and bugs
Patch management ensures systems receive updates that fix security vulnerabilities and reduce risk.
- What is the recommended practice for handling sensitive data when it is no longer needed?
- Securely destroy or sanitize the media
- Leave it on the drive
- Compress it
- Email it to all staff
Correct answer: Securely destroy or sanitize the media
Sensitive data should be securely destroyed or sanitized to prevent recovery once it is no longer needed.
- What does data classification help an organization do?
- Speed up the network
- Reduce employee count
- Increase storage space
- Apply appropriate protection based on the sensitivity of the data
Correct answer: Apply appropriate protection based on the sensitivity of the data
Data classification labels information by sensitivity so appropriate handling and protection can be applied.
- Which term describes data at rest?
- Data being deleted
- Data stored on a device or medium
- Data being processed in memory
- Data being transmitted over a network
Correct answer: Data stored on a device or medium
Data at rest is information stored on a medium such as a hard drive, database, or backup tape.
- What is data in transit?
- Data moving across a network
- Data being archived
- Data being printed
- Data stored on a disk
Correct answer: Data moving across a network
Data in transit is information actively moving across a network, which should be protected with encryption.
- What is the primary purpose of security awareness training?
- To replace technical controls
- To increase network speed
- To install software
- To educate users so they can recognize and avoid security threats
Correct answer: To educate users so they can recognize and avoid security threats
Security awareness training helps users recognize threats like phishing and follow secure practices, reducing human risk.
- What is phishing?
- A backup method
- A social engineering attack using fraudulent messages to steal information
- A network scanning technique
- A type of encryption
Correct answer: A social engineering attack using fraudulent messages to steal information
Phishing uses deceptive emails or messages to trick users into revealing credentials or other sensitive information.
- What distinguishes spear phishing from general phishing?
- It targets specific individuals or organizations
- It is not malicious
- It only uses phone calls
- It requires physical access
Correct answer: It targets specific individuals or organizations
Spear phishing is a targeted attack aimed at specific individuals or organizations using personalized information.
- What is social engineering?
- Configuring routers
- Building network infrastructure
- Manipulating people into divulging information or performing actions
- Encrypting databases
Correct answer: Manipulating people into divulging information or performing actions
Social engineering manipulates human psychology to trick people into revealing information or taking insecure actions.
- What is the purpose of an Acceptable Use Policy (AUP)?
- To encrypt data
- To define how employees may appropriately use organizational systems and resources
- To configure firewalls
- To assign IP addresses
Correct answer: To define how employees may appropriately use organizational systems and resources
An AUP sets the rules for acceptable use of organizational systems, networks, and data by employees.
- What is the main benefit of encrypting data at rest?
- It speeds up reads
- It removes the need for backups
- It protects the data if the storage device is lost or stolen
- It increases storage capacity
Correct answer: It protects the data if the storage device is lost or stolen
Encrypting data at rest protects it from disclosure if the storage media is lost, stolen, or improperly accessed.
- What is configuration management used for?
- Encrypting email
- Tracking and controlling changes to system settings and components
- Detecting intrusions
- Assigning IP addresses
Correct answer: Tracking and controlling changes to system settings and components
Configuration management establishes and maintains consistent, documented system configurations and controls changes.
- What is the purpose of change management?
- To prevent all changes
- To ensure changes are reviewed, approved, and documented to reduce risk
- To speed up the network
- To delete logs
Correct answer: To ensure changes are reviewed, approved, and documented to reduce risk
Change management ensures changes are evaluated, approved, tested, and documented to minimize unintended disruptions.
- What is a security baseline?
- The maximum possible risk
- The minimum level of security configuration applied to systems
- A list of all employees
- A network diagram
Correct answer: The minimum level of security configuration applied to systems
A security baseline is a defined minimum set of security settings that systems must meet for consistent protection.
- Why is logging and monitoring important in security operations?
- To delete data
- To detect, investigate, and respond to suspicious activity
- To increase storage
- To slow down systems
Correct answer: To detect, investigate, and respond to suspicious activity
Logging and monitoring provide visibility into activity, enabling detection and investigation of security events.
- What is the purpose of hashing data?
- To encrypt it for confidentiality
- To compress files
- To assign addresses
- To produce a fixed-length value used to verify integrity
Correct answer: To produce a fixed-length value used to verify integrity
Hashing creates a fixed-length digest used to verify that data has not been altered, supporting integrity.
- How does hashing differ from encryption?
- Hashing requires no input
- Encryption is reversible with a key; hashing is a one-way function
- They are identical
- Hashing is reversible; encryption is not
Correct answer: Encryption is reversible with a key; hashing is a one-way function
Encryption can be reversed with the correct key, while hashing is a one-way function that cannot be reversed.
- What is the principle behind a 'whitelist' (allow list) approach?
- Allow everything
- Allow only explicitly approved items and block everything else
- Encrypt all traffic
- Block only known bad items
Correct answer: Allow only explicitly approved items and block everything else
An allow list permits only explicitly approved items and denies everything else by default, a more restrictive approach.
- What is the purpose of a 'blacklist' (deny list)?
- Assign IP addresses
- Block known bad items while allowing everything else
- Encrypt files
- Allow only approved items
Correct answer: Block known bad items while allowing everything else
A deny list blocks known malicious items but permits everything not on the list, which can miss new threats.
- Which practice helps prevent unauthorized software from running on a system?
- Removing the firewall
- Application allow-listing
- Disabling backups
- Sharing accounts
Correct answer: Application allow-listing
Application allow-listing permits only approved programs to run, blocking unauthorized or malicious software.
- What is the main purpose of antivirus and anti-malware software?
- To manage passwords
- To encrypt backups
- To assign IP addresses
- To detect, block, and remove malicious software
Correct answer: To detect, block, and remove malicious software
Antivirus and anti-malware tools detect, prevent, and remove malicious software from systems.
- What does a Security Information and Event Management (SIEM) system do?
- Assigns IP addresses
- Collects and analyzes log data from multiple sources to detect threats
- Encrypts disks
- Backs up files
Correct answer: Collects and analyzes log data from multiple sources to detect threats
A SIEM aggregates and correlates log and event data from many sources to support threat detection and response.
- What is the recommended approach to creating strong passwords?
- Use long, complex, and unique passphrases
- Use short, simple words
- Reuse the same password everywhere
- Use only your name
Correct answer: Use long, complex, and unique passphrases
Strong passwords are long, complex, and unique, making them harder to guess or crack.
- Why should passwords not be reused across multiple accounts?
- It uses more storage
- It is illegal
- It is slower
- A breach of one account could compromise all accounts using that password
Correct answer: A breach of one account could compromise all accounts using that password
Reusing passwords means a single breach can expose every account sharing that password, increasing risk.
- What is the purpose of a password manager?
- To slow down logins
- To share passwords publicly
- To disable authentication
- To securely store and generate unique strong passwords
Correct answer: To securely store and generate unique strong passwords
A password manager securely stores and generates unique, complex passwords so users do not reuse weak ones.
- What is the security purpose of a screen lock with timeout?
- To prevent unauthorized access when a device is left unattended
- To save battery only
- To speed up the system
- To increase storage
Correct answer: To prevent unauthorized access when a device is left unattended
An automatic screen lock prevents unauthorized access to an unattended device by requiring re-authentication.
- What does 'data loss prevention' (DLP) technology aim to do?
- Encrypt all backups
- Detect and prevent unauthorized transmission of sensitive data
- Assign user roles
- Increase data storage
Correct answer: Detect and prevent unauthorized transmission of sensitive data
DLP monitors and controls data to prevent sensitive information from leaving the organization without authorization.
- What is the purpose of an exit interview process revoking a departing employee's badge access?
- To speed up hiring
- To reward the employee
- To immediately remove physical access rights upon termination
- To increase building capacity
Correct answer: To immediately remove physical access rights upon termination
Revoking badge access at termination promptly removes a former employee's ability to physically enter facilities, closing an access risk.
- A security analyst is explaining the foundational goals of the field to a new hire. How is information security best summarized in terms of the CIA triad?
- Encrypting all data at rest, in transit, and in use
- Keeping data secret, accurate, and accessible to authorized users
- Authenticating, authorizing, and auditing every user action
- Preventing, detecting, and responding to every attack
Correct answer: Keeping data secret, accurate, and accessible to authorized users
Keeping data secret, accurate, and accessible to authorized users captures the three goals of the CIA triad: confidentiality (secrecy), integrity (accuracy), and availability (access when needed). The CIA triad is the central model that drives nearly every security decision. Authentication, authorization, and auditing describe the AAA model, which supports the triad but is not the triad itself.
- An organization wants to ensure that financial records cannot be modified without authorization and that any change can be detected. Which element of the confidentiality, integrity, and availability model is this requirement most directly addressing?
- Confidentiality
- Availability
- Integrity
- Authentication
Correct answer: Integrity
Integrity is the focus, because it ensures information remains accurate and complete and that unauthorized or accidental changes are prevented or detected. Confidentiality concerns who can see the data, and availability concerns whether the data is accessible, but neither addresses unauthorized modification the way integrity does.
- A hospital must guarantee that patient monitoring systems remain reachable around the clock so clinicians can view vital signs. Which CIA triad goal is the primary concern for this requirement?
- Integrity
- Confidentiality
- Availability
- Non-repudiation
Correct answer: Availability
Availability is the primary concern because it ensures systems and data are accessible and usable when authorized users need them. Confidentiality and integrity protect secrecy and accuracy respectively, but the stated need is uninterrupted access to the monitoring systems.
- Which statement best describes the relationship between threats, vulnerabilities, and risk?
- A threat exploits a vulnerability, and the potential for loss that results is the risk
- Risk is a weakness that a threat creates in an asset
- A threat and a vulnerability are the same thing measured differently
- A vulnerability exploits a risk to create a threat
Correct answer: A threat exploits a vulnerability, and the potential for loss that results is the risk
A threat exploits a vulnerability, and the resulting potential for loss is the risk; this is the correct chain. A threat is a potential danger, a vulnerability is a weakness that the threat can exploit, and risk is the likelihood and impact that arises when the two intersect. The other choices reverse or conflate these distinct terms.
- A manager asks what risk management actually is. Which description is most accurate?
- The ongoing process of identifying, assessing, and treating risks to keep them within acceptable limits
- The act of eliminating every possible risk from the organization
- The installation of firewalls and antivirus on all systems
- The purchase of cyber insurance to cover all losses
Correct answer: The ongoing process of identifying, assessing, and treating risks to keep them within acceptable limits
Risk management is the ongoing process of identifying, assessing, and treating risks so they stay within an organization's acceptable tolerance. It does not aim to eliminate all risk, which is rarely possible or cost-effective. Buying insurance and deploying controls are individual treatment options, not the full management process.
- During risk treatment, a company decides to stop offering a product line entirely because the associated cybersecurity exposure is too great. Which risk treatment option does this represent, and how does it differ from risk mitigation?
- Risk acceptance, because the company tolerated the exposure
- Risk avoidance, because the risky activity is discontinued rather than merely reduced
- Risk mitigation, because controls were added to the product line
- Risk transference, because the risk shifted to customers
Correct answer: Risk avoidance, because the risky activity is discontinued rather than merely reduced
Risk avoidance is correct because the organization eliminates the risk by ceasing the activity that causes it. Risk mitigation, by contrast, keeps the activity but reduces the likelihood or impact through controls. Discontinuing the product line removes the exposure outright rather than reducing it.
- An organization has four broad ways to respond to an identified risk. Which set correctly lists these risk treatment options?
- Detection, correction, prevention, and recovery
- Identification, analysis, evaluation, and reporting
- Avoidance, mitigation, transference, and acceptance
- Confidentiality, integrity, availability, and accountability
Correct answer: Avoidance, mitigation, transference, and acceptance
Avoidance, mitigation, transference, and acceptance are the four recognized risk treatment options. Detection, correction, prevention, and recovery describe categories of controls, not treatment choices. Identification, analysis, and evaluation are steps within risk assessment, not treatment responses.
- A firm uses descriptive ratings of high, medium, and low to rank risks rather than calculating dollar figures. How does this qualitative approach differ from a quantitative one?
- Qualitative analysis is only valid for natural disasters
- Both approaches require precise loss calculations in dollars
- Qualitative analysis uses subjective rankings, while quantitative analysis uses measurable monetary values
- Qualitative analysis uses monetary values, while quantitative analysis uses rankings
Correct answer: Qualitative analysis uses subjective rankings, while quantitative analysis uses measurable monetary values
Qualitative analysis uses subjective rankings such as high, medium, and low, whereas quantitative analysis assigns measurable monetary values to assets, losses, and likelihoods. Qualitative methods are faster but less precise; quantitative methods produce figures like single loss expectancy and annualized loss expectancy.
- An asset worth $200,000 would lose 25 percent of its value in a single fire event. What is the single loss expectancy (SLE) for this scenario?
- $200,000
- $25,000
- $50,000
- $5,000
Correct answer: $50,000
The single loss expectancy is $50,000, calculated as asset value ($200,000) multiplied by the exposure factor (0.25). SLE represents the expected monetary loss from a single occurrence of a specific event. It is the building block used with the annualized rate of occurrence to find annualized loss expectancy.
- A risk analyst calculates a single loss expectancy of $40,000 for a flood and estimates the flood will occur once every four years. What is the annualized loss expectancy (ALE)?
- $4,000
- $40,000
- $160,000
- $10,000
Correct answer: $10,000
The annualized loss expectancy is $10,000, found by multiplying the single loss expectancy ($40,000) by the annualized rate of occurrence (0.25, since the event happens once every four years). ALE expresses expected yearly loss, helping justify how much to spend on controls.
- A new analyst confuses risk priorities with risk tolerance. Which statement correctly describes risk tolerance?
- The number of vulnerabilities found in a scan
- The level of risk an organization is willing to accept before taking action
- The total dollar value of all organizational assets
- The ranked order in which risks should be addressed
Correct answer: The level of risk an organization is willing to accept before taking action
Risk tolerance is the level of risk an organization is willing to accept before it must act. It guides which risks can be accepted and which require treatment. Risk priorities, by contrast, are the ranked order in which identified risks are handled based on their severity.
- Which scenario best illustrates defense in depth?
- A company relies on a single very strong firewall to block all attacks
- A company outsources all security to one vendor
- A company encrypts data and considers itself fully protected
- A company uses a firewall, network segmentation, endpoint antivirus, and user training together
Correct answer: A company uses a firewall, network segmentation, endpoint antivirus, and user training together
Using a firewall, segmentation, antivirus, and training together illustrates defense in depth, which layers multiple independent controls so that if one fails, others still protect the asset. Relying on any single control, no matter how strong, contradicts the principle because one failure would leave the asset exposed.
- Why is defense in depth considered more resilient than relying on one control?
- It removes the need for any administrative controls
- Multiple overlapping layers mean a single control failure does not result in compromise
- It guarantees that no attack can ever succeed
- It reduces the total number of controls required
Correct answer: Multiple overlapping layers mean a single control failure does not result in compromise
Defense in depth is resilient because its multiple overlapping layers mean the failure of any single control does not automatically lead to compromise. No approach can guarantee total prevention, and layering generally adds controls rather than reducing them, but the redundancy substantially lowers the chance of a successful breach.
- A database administrator is granted access only to the specific databases required for daily duties and nothing more. Which security principle does this reflect?
- Non-repudiation
- Defense in depth
- Separation of duties
- Least privilege
Correct answer: Least privilege
Least privilege is reflected, because each user receives only the minimum access needed to perform their job and no more. This limits the damage a compromised or misused account can cause. Separation of duties divides a task among people, which is a related but distinct concept.
- What is the primary security benefit of enforcing the principle of least privilege across an organization?
- It guarantees systems never go offline
- It eliminates the need for authentication
- It speeds up the network by reducing traffic
- It limits the potential damage if an account is compromised or misused
Correct answer: It limits the potential damage if an account is compromised or misused
The principle of least privilege limits the potential damage if an account is compromised or misused, because a tightly scoped account can only reach the resources it strictly needs. It does not replace authentication, affect uptime, or improve network speed; its value is reducing the attack surface and blast radius.
- In a financial system, the person who can create a vendor record is not allowed to also approve payments to that vendor. Which principle is being applied, and what does it prevent?
- Separation of duties, which prevents one person from completing a sensitive transaction alone
- Risk acceptance, which tolerates the exposure
- Defense in depth, which layers technical controls
- Least privilege, which removes all of the user's access
Correct answer: Separation of duties, which prevents one person from completing a sensitive transaction alone
Separation of duties (also called segregation of duties) is applied, splitting a sensitive process so that no single person can both initiate and approve it. This prevents one individual from committing and concealing fraud. Least privilege limits how much access a person has, which is related but not the same as dividing a single task across people.
- How does segregation of duties reduce the risk of fraud within an organization?
- By encrypting all sensitive files at rest
- By logging every keystroke on every workstation
- By requiring more than one person to complete a critical task so collusion would be needed to abuse it
- By giving each employee full access to all systems
Correct answer: By requiring more than one person to complete a critical task so collusion would be needed to abuse it
Segregation of duties reduces fraud risk by requiring more than one person to complete a critical task, so abusing the process would require collusion rather than a single bad actor. Encryption and logging are useful controls but do not divide responsibilities. Granting full access to everyone would increase, not decrease, risk.
- A digitally signed contract provides proof of who sent it so the sender cannot later deny having signed it. Which information assurance concept does this provide?
- Risk tolerance
- Availability
- Confidentiality
- Non-repudiation
Correct answer: Non-repudiation
Non-repudiation is provided, ensuring a party cannot deny the authenticity or origin of their action, such as sending or signing a message. Digital signatures support non-repudiation by binding an action to a verified identity. Confidentiality and availability address secrecy and access, not deniability.
- Which statement best defines non-repudiation in cybersecurity?
- The assurance that data stays secret from outsiders
- The assurance that someone cannot deny the validity of their action or communication
- The assurance that backups are stored offsite
- The assurance that a system remains online during an outage
Correct answer: The assurance that someone cannot deny the validity of their action or communication
Non-repudiation is the assurance that an individual cannot deny the validity of their action or communication, such as denying they sent a message or authorized a transaction. It is commonly achieved through digital signatures, logging, and audit trails that tie actions to verified identities.
- An organization implements controls so that customer addresses and phone numbers are collected, used, and retained only as permitted and protected from misuse. Which information assurance concept is the primary focus?
- Privacy
- Availability
- Integrity
- Non-repudiation
Correct answer: Privacy
Privacy is the primary focus, addressing the proper collection, use, retention, and protection of individuals' personal information in line with rights and expectations. While confidentiality controls help protect privacy, privacy specifically concerns how personal data is handled, not merely whether it is kept secret.
- How does privacy differ from confidentiality in information security?
- Privacy applies only to network traffic, confidentiality only to stored data
- Privacy governs how personal information is collected and used, while confidentiality limits who can access information
- Privacy and confidentiality are identical and interchangeable
- Confidentiality governs personal data rights, while privacy restricts disclosure
Correct answer: Privacy governs how personal information is collected and used, while confidentiality limits who can access information
Privacy governs how personal information is collected, used, shared, and retained according to individuals' rights, while confidentiality is the control that limits who may access information. Confidentiality is a means that helps achieve privacy, but the two are not the same; privacy is broader and centered on personal data.
- Which scenario best demonstrates the use of multi-factor authentication?
- A user enters two different passwords in sequence
- A user logs in with a username and a password
- A user enters a password and then approves a push notification on a registered phone
- A user answers two separate security questions
Correct answer: A user enters a password and then approves a push notification on a registered phone
Entering a password and approving a push notification on a registered phone demonstrates multi-factor authentication because it combines something you know (the password) with something you have (the phone). Two passwords or two security questions are both the knowledge factor, so they do not satisfy the requirement of using different factor types.
- An employee logs in with a smart card and a PIN to access a secure workstation. Which two authentication factor types are being combined?
- Something you have and something you know
- Something you have and something you are
- Something you are and somewhere you are
- Something you know and something you are
Correct answer: Something you have and something you know
A smart card is something you have and a PIN is something you know, so the combination uses two distinct factor types. This qualifies as multi-factor authentication. A biometric such as a fingerprint would be something you are, which is not used in this scenario.
- A company hires a third party to host and secure its email, shifting the financial consequences of a related breach to that provider through a contract. Which risk treatment option is this?
- Risk acceptance
- Risk mitigation
- Risk avoidance
- Risk transference
Correct answer: Risk transference
Risk transference is used, because the financial impact of the risk is shifted to a third party through a contract or insurance. Avoidance would mean not using email at all, mitigation would mean adding controls to reduce the risk, and acceptance would mean tolerating the risk without action.
- What is the correct order of the steps in the risk management process?
- Treat the risk, identify the risk, then assess the risk
- Assess the risk, treat the risk, then identify the risk
- Identify the risk, assess the risk, then treat the risk
- Accept the risk, transfer the risk, then avoid the risk
Correct answer: Identify the risk, assess the risk, then treat the risk
The risk management process proceeds by identifying risks, assessing them for likelihood and impact, and then treating them with an appropriate response. You must know a risk exists and understand its severity before deciding how to handle it. Acceptance, transfer, and avoidance are treatment choices that occur in the final step.
- An IT team installs a web filter that blocks access to known malicious websites before users can reach them. Which functional type of control is this?
- Detective control
- Corrective control
- Recovery control
- Preventive control
Correct answer: Preventive control
A web filter that blocks malicious sites before users reach them is a preventive control, because it stops an undesirable event from occurring. Detective controls identify events after they happen, while corrective and recovery controls act to fix or restore systems after an event.
- A document states, 'All employees must protect company information and use systems only for authorized purposes.' What type of governance document is this high-level statement?
- A security policy
- A standard
- A guideline
- A procedure
Correct answer: A security policy
This is a security policy, a high-level document expressing management's intent and expectations for protecting information. Policies set direction without listing step-by-step actions. Procedures give detailed instructions, standards specify mandatory requirements, and guidelines offer optional recommendations.
- An organization arranges its governance documents into policies, standards, procedures, and guidelines. Which document type specifies mandatory, uniform requirements such as a minimum password length of 12 characters?
- Guideline
- Policy
- Procedure
- Standard
Correct answer: Standard
A standard specifies mandatory, uniform requirements, such as a minimum password length, that support the broader policy. Policies state high-level intent, procedures give step-by-step instructions, and guidelines provide optional recommendations. Standards make the policy's intent concrete and enforceable.
- What is security governance within an organization?
- The physical locking of server room doors
- The encryption of data while it travels across networks
- The framework of policies, roles, and oversight that directs and controls how security is managed
- The act of scanning systems for vulnerabilities
Correct answer: The framework of policies, roles, and oversight that directs and controls how security is managed
Security governance is the framework of policies, roles, responsibilities, and oversight that directs and controls how an organization manages security in line with its objectives and legal obligations. Vulnerability scanning, encryption, and physical locks are individual controls, not the overarching governance structure that aligns them with business goals.
- A regulation such as a data protection law differs from an internal policy in which key way?
- A regulation is always less strict than internal policy
- A regulation applies only inside one department
- A regulation is imposed by an external government authority and carries legal penalties
- A regulation is optional guidance the organization may ignore
Correct answer: A regulation is imposed by an external government authority and carries legal penalties
A regulation is imposed by an external government or legal authority and carries legal penalties for noncompliance, whereas an internal policy is created and enforced by the organization itself. Regulations are mandatory and externally driven; organizations build policies, standards, and procedures partly to meet those legal requirements.
- Which statement correctly distinguishes due care from due diligence?
- Due care and due diligence both mean transferring risk to insurers
- Due care is investigating risks, while due diligence is ignoring them
- Due diligence is a one-time event, while due care never applies
- Due diligence is investigating and understanding risks, while due care is taking reasonable action to address them
Correct answer: Due diligence is investigating and understanding risks, while due care is taking reasonable action to address them
Due diligence is the practice of investigating and understanding risks, while due care is taking the reasonable, ongoing actions a prudent organization would take to address them. In short, due diligence is knowing what should be done, and due care is actually doing it. Both are continuing responsibilities, not one-time events.
- The ISC2 Code of Ethics preamble and canons guide member conduct. Which behavior would most clearly violate the canon to act honorably, honestly, justly, responsibly, and legally?
- Completing required continuing professional education
- Knowingly providing false information about a security finding to a client
- Reporting a discovered vulnerability to the affected vendor
- Refusing to take on work outside one's competence
Correct answer: Knowingly providing false information about a security finding to a client
Knowingly providing false information about a security finding violates the canon to act honorably, honestly, justly, responsibly, and legally. Reporting vulnerabilities responsibly, maintaining competence, and declining work beyond one's skill all align with the ISC2 Code of Ethics rather than breaching it.
- ISO 27001 is frequently referenced in security governance discussions. What is ISO 27001 best described as?
- A United States federal law governing healthcare data
- A type of firewall configuration protocol
- A biometric authentication algorithm
- An international standard for establishing and managing an information security management system
Correct answer: An international standard for establishing and managing an information security management system
ISO 27001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It provides a structured framework organizations can be certified against. It is neither a national law nor a technical protocol or algorithm.
- A team lists hackers, malware, natural disasters, and disgruntled insiders as potential dangers to its systems. In risk terminology, these dangers are collectively referred to as what?
- Vulnerabilities
- Residual risks
- Threats
- Controls
Correct answer: Threats
These dangers are threats, defined as any circumstance or event, whether human, technical, or natural, with the potential to cause harm by exploiting a vulnerability. Vulnerabilities are the weaknesses threats exploit, and controls are the safeguards put in place to defend against them.
- A security analyst is comparing two recovery metrics for a customer database. One metric answers the question 'how much data, measured in time, can we afford to lose?' and the other answers 'how quickly must we get the system running again?' Which pairing correctly maps these questions?
- The data-loss question is RPO and the speed-of-restoration question is RTO
- Both questions are answered by the RTO alone
- Both questions are answered by the maximum tolerable downtime
- The data-loss question is RTO and the speed-of-restoration question is RPO
Correct answer: The data-loss question is RPO and the speed-of-restoration question is RTO
The data-loss question is RPO and the speed-of-restoration question is RTO. Recovery Point Objective (RPO) defines how much data, expressed as a span of time before the disruption, an organization can afford to lose, which in turn drives how frequently backups must run. Recovery Time Objective (RTO) defines the maximum acceptable time to restore a system or process after an outage. They are distinct: RPO looks backward to the last good data point, while RTO looks forward to when service resumes.
- A team is documenting its data-protection targets and states: 'We back up the order system every 4 hours, so we can lose at most 4 hours of transactions, and we must have it running again within 2 hours of any failure.' Which values do the 4-hour and 2-hour figures represent?
- 4 hours is the RTO and 2 hours is the RPO
- 4 hours is the RPO and 2 hours is the RTO
- 4 hours is the mean time to repair and 2 hours is the RPO
- Both are recovery time objectives for separate systems
Correct answer: 4 hours is the RPO and 2 hours is the RTO
The 4-hour value is the RPO and the 2-hour value is the RTO. The acceptable amount of lost data, here up to 4 hours of transactions tied to backup frequency, is the Recovery Point Objective. The time allowed to bring the system back online, here 2 hours, is the Recovery Time Objective. Confusing the two is a common error, but RPO concerns data loss and RTO concerns restoration time.
- How is disaster recovery best described within an organization's resilience planning?
- The hiring and onboarding of new technical staff
- The process of restoring IT systems, data, and technology operations after a disruptive event
- The ongoing marketing of services during normal operations
- A method of encrypting data while it travels across the network
Correct answer: The process of restoring IT systems, data, and technology operations after a disruptive event
Disaster recovery is the process of restoring IT systems, data, and technology operations after a disruptive event. It is the technology-focused effort to recover servers, applications, and information following an incident such as a cyberattack, hardware failure, fire, or natural disaster. It is narrower than business continuity, which keeps the broader business functions operating, because disaster recovery concentrates specifically on restoring the IT environment.
- An organization wants the cheapest standby facility and accepts that recovery could take days, but a competitor needs near-instant failover and is willing to pay for a duplicate, fully running environment. Which facilities match these two needs, in that order?
- A cold site for the cheap option and a hot site for the instant-failover option
- A hot site for the cheap option and a cold site for the instant-failover option
- A cold site for the cheap option and a warm site for the instant-failover option
- A warm site for the cheap option and a hot site for the instant-failover option
Correct answer: A cold site for the cheap option and a hot site for the instant-failover option
A cold site is the cheap option and a hot site is the instant-failover option. A cold site provides only space, power, and connectivity, so it is the least expensive but the slowest to bring online because hardware and data must still be installed. A hot site is a fully equipped, continuously updated duplicate environment that allows near-immediate takeover, making it the most expensive. A warm site sits between them, with some equipment in place but still requiring configuration and data restoration.
- How does a business continuity plan differ from a disaster recovery plan?
- A business continuity plan covers only payroll, while a disaster recovery plan covers all departments
- A business continuity plan keeps critical business functions operating during a disruption, while a disaster recovery plan focuses on restoring IT systems and data
- A business continuity plan is technical, while a disaster recovery plan is purely administrative
- There is no difference; the two terms are interchangeable
Correct answer: A business continuity plan keeps critical business functions operating during a disruption, while a disaster recovery plan focuses on restoring IT systems and data
A business continuity plan keeps critical business functions operating during a disruption, while a disaster recovery plan focuses on restoring IT systems and data. The business continuity plan (BCP) takes the broad, organization-wide view of sustaining essential operations such as customer service and order fulfillment, often using manual workarounds. The disaster recovery plan (DRP) is a narrower, IT-centric subset concerned with recovering the technology environment. Disaster recovery typically operates as a component supporting the larger continuity effort.
- Before writing recovery plans, an organization performs a study that identifies its critical processes, estimates the financial and operational harm of losing each one over time, and ranks them by priority. What is this study called?
- A vulnerability scan
- A business impact analysis
- A code review
- A penetration test
Correct answer: A business impact analysis
This study is a business impact analysis (BIA). A BIA identifies an organization's critical business functions and the resources that support them, then estimates the impact, both financial and operational, of disruptions over time. Its output drives recovery priorities and informs targets such as RTO and RPO. It is foundational planning work, not a technical test like a penetration test or vulnerability scan.
- According to the NIST incident-handling lifecycle taught in the ISC2 Certified in Cybersecurity curriculum, which sequence correctly orders the four phases of the incident response process?
- Detection and Analysis; Preparation; Recovery; Lessons Learned
- Containment; Preparation; Eradication; Recovery
- Identification; Authorization; Accounting; Auditing
- Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity
Correct answer: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity
The correct order is Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity. The NIST SP 800-61 lifecycle used by the ISC2 CC curriculum begins with Preparation (building the plan, team, and tools), moves to Detection and Analysis (identifying and confirming an incident), then Containment, Eradication, and Recovery (limiting, removing, and restoring), and closes with Post-Incident Activity (lessons learned). Sequencing matters because each phase builds on the prior one.
- An incident response plan exists primarily to accomplish what for an organization?
- To define employee salary and benefits structures
- To provide documented procedures so the organization can detect, respond to, and recover from security incidents in an organized way
- To guarantee that no security incident can ever occur
- To replace the need for firewalls and antivirus software
Correct answer: To provide documented procedures so the organization can detect, respond to, and recover from security incidents in an organized way
An incident response plan provides documented procedures so the organization can detect, respond to, and recover from security incidents in an organized way. It defines roles, communication paths, and step-by-step actions in advance so responders are not improvising under pressure. It cannot guarantee that incidents never happen, nor does it replace preventive controls; its purpose is to ensure a fast, consistent, and effective reaction when an incident does occur.
- A help-desk monitor logs a user successfully logging in at 9:00 a.m. Separately, the security team confirms that an attacker exfiltrated customer records overnight. Using ISC2 terminology, how should each of these be classified?
- The login is an incident and the data exfiltration is an event
- The login is an event and the confirmed data exfiltration is an incident
- Both are incidents
- Both are events with no security relevance
Correct answer: The login is an event and the confirmed data exfiltration is an incident
The login is an event and the confirmed data exfiltration is an incident. An event is any observable occurrence in a system or network, and most events, like a routine login, are benign. An incident is an event that actually or potentially jeopardizes the confidentiality, integrity, or availability of information, such as the confirmed theft of customer records. Distinguishing the two prevents teams from treating every routine log entry as a crisis.
- While assembling an incident response team, a manager argues that only IT and security staff are needed. Why does the ISC2 curriculum recommend including roles such as legal counsel, public relations, and human resources?
- Because incidents often raise legal, communications, and personnel issues that technical staff are not equipped to handle
- Because regulations forbid IT staff from participating in response
- Because non-technical members perform the malware removal
- Because larger teams are always cheaper to operate
Correct answer: Because incidents often raise legal, communications, and personnel issues that technical staff are not equipped to handle
A multidisciplinary team is recommended because incidents often raise legal, communications, and personnel issues that technical staff are not equipped to handle. An incident response team typically includes management for decision authority, IT and security for technical work, legal counsel for compliance and liability, public relations for external messaging, and human resources for personnel and insider-threat matters. This breadth ensures the organization addresses an incident's full business impact, not just its technical symptoms.
- Business continuity is best understood as which of the following?
- The act of permanently shutting down operations after a major incident
- A technique for compressing backup files to save storage
- An organization's capability to continue delivering its critical functions during and after a disruption
- The encryption standard required for credit-card data
Correct answer: An organization's capability to continue delivering its critical functions during and after a disruption
Business continuity is an organization's capability to continue delivering its critical functions during and after a disruption. It emphasizes keeping essential operations running, often through alternate processes or sites, so the business survives events such as outages, disasters, or attacks. It is broader than disaster recovery, which restores IT specifically, because continuity addresses the whole organization's ability to keep serving customers and meeting obligations.
- During an active ransomware outbreak, responders disconnect the infected file server from the network to stop the malware from reaching other systems, but they have not yet removed the malware or rebuilt anything. Which incident response activity does disconnecting the server represent?
- Containment
- Recovery
- Preparation
- Eradication
Correct answer: Containment
Disconnecting the infected server represents containment. Containment limits the scope and spread of an incident, isolating affected systems so additional damage is prevented while evidence is preserved. Removing the malware itself would be eradication, and returning the cleaned system to normal service would be recovery. In the NIST lifecycle, containment comes before eradication and recovery within the same phase.
- A backup designer wants to be able to lose at most a few seconds of data if a database fails, so they implement continuous replication to a second site. Which recovery metric is this design choice most directly intended to satisfy?
- A very long recovery time objective
- The annualized rate of occurrence
- The single loss expectancy
- A very short recovery point objective
Correct answer: A very short recovery point objective
This design directly satisfies a very short recovery point objective. RPO defines the maximum acceptable amount of data loss measured in time, so a near-zero data-loss target requires continuous or near-continuous replication rather than periodic backups. RTO, by contrast, concerns how fast the system is restored, not how much data is lost. Tightening the RPO generally increases cost because it demands more frequent or real-time copying of data.
- A new help desk technician must reset user passwords but should never be able to change firewall configurations or server settings. Applying the principle of least privilege, what access should the technician receive?
- Full access now, with unneeded permissions removed during the next annual review
- Only the password-reset permission required for the job, and nothing more
- The same permissions as the previous technician who held the role
- Administrator rights to every system so tickets can be resolved quickly
Correct answer: Only the password-reset permission required for the job, and nothing more
The technician should receive only the password-reset permission required for the job, and nothing more. The principle of least privilege grants each user the minimum access needed to perform assigned duties, which shrinks the attack surface if the account is compromised. Copying a prior user's rights or granting broad access first and trimming later both leave excess privileges in place, the exact problem least privilege exists to prevent.
- Which statement best distinguishes authentication from authorization in an access control system?
- Authentication records what a user did, while authorization proves the user's identity
- Authentication verifies who the user is, while authorization determines what the user is permitted to do
- Authentication grants permissions, while authorization logs the session for auditing
- Authentication and authorization are the same step performed by the operating system
Correct answer: Authentication verifies who the user is, while authorization determines what the user is permitted to do
Authentication verifies who the user is, while authorization determines what the user is permitted to do. Authentication proves a claimed identity (for example, by checking a password or biometric), and only after that succeeds does authorization decide which resources and actions are allowed. Recording user activity is accounting, a separate step, so the two terms are not interchangeable.
- In the Identification, Authentication, Authorization, and Accounting (IAAA) model, which step occurs first when a user begins to access a system?
- Accounting, because the session must be logged before access begins
- Authentication, because the system must verify the credential immediately
- Identification, because the user must first claim an identity
- Authorization, because permissions are checked before anything else
Correct answer: Identification, because the user must first claim an identity
Identification occurs first, because the user must claim an identity, such as entering a username, before anything can be verified. Authentication then proves that claimed identity, authorization grants permissions, and accounting records the activity. The order is fixed: a system cannot authenticate or authorize an identity that has not yet been asserted.
- A bank requires customers to enter a password and then approve a prompt on a registered mobile app before transferring funds. Why does this qualify as multi-factor authentication?
- It uses a long password, which on its own counts as multiple factors
- It combines two factors of different types: something you know and something you have
- It requires the user to log in twice in a row from the same device
- It uses two passwords, which doubles the strength of a single factor
Correct answer: It combines two factors of different types: something you know and something you have
It combines two factors of different types: something you know (the password) and something you have (the registered phone). Multi-factor authentication requires factors from at least two distinct categories, so an attacker who steals the password still cannot log in without the second factor. Two passwords or a single long password are both the 'something you know' category, so they do not satisfy MFA.
- What is multi-factor authentication (MFA)?
- A method that requires two or more authentication factors from different categories
- A method that requires answering several security questions in sequence
- A method that encrypts a password before it is transmitted over the network
- A method that forces users to change their password on every login
Correct answer: A method that requires two or more authentication factors from different categories
MFA is a method that requires two or more authentication factors from different categories, such as something you know, something you have, and something you are. Combining categories means a compromise of one factor alone is not enough to gain access. Security questions are all knowledge-based, and encrypting or rotating a single password does not add a second factor.
- Role-Based Access Control (RBAC) assigns permissions in which way?
- Based on data classification labels enforced by the operating system
- To roles, which are then assigned to users according to their job function
- Based on real-time evaluation of the user's location and device
- Directly to each individual user based on personal preference
Correct answer: To roles, which are then assigned to users according to their job function
RBAC assigns permissions to roles, which are then assigned to users according to their job function. Users inherit the permissions of the roles they hold, so administration becomes a matter of managing a manageable number of roles rather than editing each user individually. Classification labels describe mandatory access control, and real-time attribute evaluation describes attribute-based access control.
- What does Role-Based Access Control (RBAC) primarily restrict access by?
- The user's defined role within the organization
- The owner's personal decision about each file
- The sensitivity label attached to each file
- The time of day the request is made
Correct answer: The user's defined role within the organization
RBAC restricts access by the user's defined role within the organization, granting the permissions that role requires to do its work. This keeps access consistent across everyone holding the same role and simplifies onboarding and offboarding. Sensitivity labels belong to mandatory access control, and owner-driven decisions belong to discretionary access control.
- An organization needs access decisions that consider the user's department, the file's classification, the time of day, and the device's location together. Which access control model is designed for this kind of multi-attribute evaluation?
- Attribute-Based Access Control, because it evaluates attributes of the subject, object, and environment
- Role-Based Access Control, because roles can hold many permissions
- Discretionary Access Control, because owners can set any rule they want
- Mandatory Access Control, because labels can encode many conditions
Correct answer: Attribute-Based Access Control, because it evaluates attributes of the subject, object, and environment
Attribute-Based Access Control (ABAC) is designed for this, because it evaluates attributes of the subject, object, and environment together to make each decision. This allows fine-grained, context-aware policies such as combining department, classification, time, and location. RBAC keys off roles only, so it cannot natively weigh several dynamic attributes at once.
- Which statement correctly contrasts Role-Based Access Control (RBAC) with Attribute-Based Access Control (ABAC)?
- RBAC evaluates the environment at runtime, while ABAC uses fixed roles
- RBAC is enforced by the system using labels, while ABAC lets the owner decide
- RBAC and ABAC both ignore the identity of the requesting user
- RBAC grants access based on assigned roles, while ABAC grants access based on evaluated attributes and context
Correct answer: RBAC grants access based on assigned roles, while ABAC grants access based on evaluated attributes and context
RBAC grants access based on assigned roles, while ABAC grants access based on evaluated attributes and context. RBAC is simpler and more static, mapping users to roles to permissions, whereas ABAC is more flexible and dynamic, weighing subject, object, and environmental attributes at decision time. System-enforced labels describe MAC, and owner-set rules describe DAC.
- In a Discretionary Access Control (DAC) system, who has the authority to decide which other users may access a file?
- Any user who is currently logged in
- A central security officer who sets clearances for everyone
- The operating system, based on the file's classification label
- The owner of the file
Correct answer: The owner of the file
In DAC, the owner of the file decides which other users may access it. Ownership confers discretion, so on common operating systems a file's owner sets read, write, and execute permissions for others. A central authority setting clearances describes mandatory access control, not discretionary.
- What is Discretionary Access Control (DAC)?
- A model in which access is granted strictly by the user's organizational role
- A model in which the system enforces access using mandatory classification labels
- A model in which access decisions are based on real-time risk scoring
- A model in which the resource owner decides who may access the resource
Correct answer: A model in which the resource owner decides who may access the resource
DAC is a model in which the resource owner decides who may access the resource, giving owners discretion to grant or revoke permissions on what they own. It is flexible and common on personal and business systems but can lead to inconsistent policy and accidental over-sharing. System-enforced labels and role-only decisions describe MAC and RBAC respectively.
- Which characteristic is unique to Mandatory Access Control (MAC) compared with Discretionary Access Control (DAC)?
- Permissions are bundled into roles assigned by managers
- Access is enforced by the system using labels and clearances that users cannot override
- Each file's owner edits an access list for that file
- Users can grant access to files they own at their own discretion
Correct answer: Access is enforced by the system using labels and clearances that users cannot override
Under MAC, access is enforced by the system using labels and clearances that users cannot override. A central authority assigns classification labels to objects and clearances to subjects, and the system itself decides access, so even an owner cannot loosen the rules. In DAC, by contrast, owners set permissions at their own discretion.
- What is Mandatory Access Control (MAC)?
- A model where permissions are grouped into roles and assigned by job function
- A model where the system enforces access based on security labels and clearances set by a central authority
- A model where owners freely set permissions on their own files
- A model that filters network packets by source and destination address
Correct answer: A model where the system enforces access based on security labels and clearances set by a central authority
MAC is a model where the system enforces access based on security labels and clearances set by a central authority, and individual users cannot change those rules. It is used where confidentiality is paramount, such as military and government environments using labels like Confidential, Secret, and Top Secret. Owner-set permissions describe DAC, and filtering by address describes a firewall, not an access model.
- In a defense agency, the system labels documents 'Secret' and grants access only to users holding a Secret clearance or higher, with no user able to relabel a document. Which access control model is in use?
- Role-Based Access Control
- Discretionary Access Control
- Attribute-Based Access Control
- Mandatory Access Control
Correct answer: Mandatory Access Control
Mandatory Access Control is in use, because the system enforces access through classification labels and clearances that users cannot alter. This system-enforced, label-and-clearance approach is the defining trait of MAC and is favored where strict confidentiality is required. DAC would let owners change permissions, which this scenario explicitly forbids.
- What does the term 'access control' refer to in information security?
- The selective restriction of who or what can view or use a resource
- The encryption of data while it is stored on disk
- The process of backing up critical data to an offsite location
- The monitoring of network traffic for malicious packets
Correct answer: The selective restriction of who or what can view or use a resource
Access control refers to the selective restriction of who or what can view or use a resource. It governs which subjects may interact with which objects and under what conditions, supporting confidentiality, integrity, and accountability. Encryption, backups, and traffic monitoring are separate safeguards that do not, by themselves, define access control.
- Which of the following is an example of a logical (technical) access control rather than a physical one?
- A bollard installed in front of a building entrance
- A biometric fingerprint reader mounted on a server-room door
- A security guard checking badges at the lobby
- A file permission that limits a database to read-only for a given account
Correct answer: A file permission that limits a database to read-only for a given account
A file permission that limits a database to read-only for a given account is a logical (technical) access control, enforced through software and system configuration. Logical controls regulate access to systems and data electronically, while bollards, guards, and door hardware are physical controls. A door-mounted reader controls physical entry, so it is categorized as a physical control even though it uses technology.
- An organization protects its data center with a perimeter fence, a badge-controlled lobby door, an access-control vestibule, and a locked cage around the servers. This stacking of multiple physical barriers is an example of which principle?
- Separation of duties
- Risk transference
- Defense in depth
- Single sign-on
Correct answer: Defense in depth
This stacking of multiple physical barriers is an example of defense in depth, which layers several independent controls so that if one is bypassed, others still protect the asset. Applied to access control, layering perimeter, entry, and resource-level barriers forces an intruder to defeat each one in turn. Separation of duties divides tasks among people and is unrelated to physical layering.
- Which set of measures are all examples of physical access controls?
- Encryption keys, digital certificates, and one-time tokens
- Fences, security guards, locked doors, and badge readers
- Firewalls, intrusion detection systems, and VPNs
- Passwords, file permissions, and account lockout policies
Correct answer: Fences, security guards, locked doors, and badge readers
Fences, security guards, locked doors, and badge readers are all examples of physical access controls because they restrict physical entry to facilities and equipment. Passwords and permissions are logical controls, and firewalls, encryption, and tokens are technical controls. Physical controls protect tangible assets and the people and spaces around them.
- Why are privileged accounts, such as system administrator accounts, a priority for Privileged Access Management (PAM)?
- They are exempt from authentication and therefore must be watched
- They are used the most often by ordinary staff during daily work
- They are the only accounts that can access email systems
- Their elevated permissions make them high-value targets that can cause broad damage if misused
Correct answer: Their elevated permissions make them high-value targets that can cause broad damage if misused
Privileged accounts are a priority because their elevated permissions make them high-value targets that can cause broad damage if misused. An attacker who seizes an administrator account can change configurations, create accounts, or disable controls across many systems. PAM therefore restricts who holds these accounts, monitors their use, and limits how long elevated rights last.
- A cloud engineer normally works with standard permissions but is granted administrator rights only for the 30 minutes needed to patch a server, after which the rights are automatically revoked. Which Privileged Access Management practice does this illustrate?
- Just-in-time access
- Non-repudiation
- Single sign-on
- Mandatory access control
Correct answer: Just-in-time access
This illustrates just-in-time access, a Privileged Access Management practice that grants elevated permissions only for the limited time needed to complete a task and then revokes them. Eliminating standing privileges shrinks the window an attacker could exploit a powerful account. Single sign-on concerns convenient authentication across systems, not time-limited elevation.
- How do the principle of least privilege and the concept of need to know differ?
- Least privilege applies only to administrators, while need to know applies only to regular users
- They are identical terms with no meaningful difference
- Least privilege limits the actions a user can perform, while need to know limits the information a user can access
- Least privilege is a physical control, while need to know is a logical control
Correct answer: Least privilege limits the actions a user can perform, while need to know limits the information a user can access
Least privilege limits the actions a user can perform, while need to know limits the information a user can access. Least privilege is action-focused, granting only the rights required to do a job, whereas need to know is information-focused, restricting data to those whose duties require it. The two are complementary and often applied together rather than being the same thing.
- An employee transfers from accounting to marketing but keeps the accounting system permissions in addition to new marketing access. Which access control problem does this represent, and what practice would catch it?
- Privilege creep, caught by periodic access reviews
- Tailgating, caught by installing turnstiles
- A denial-of-service condition, caught by load balancing
- Single sign-on failure, caught by adding more passwords
Correct answer: Privilege creep, caught by periodic access reviews
This represents privilege creep, the gradual accumulation of permissions a user no longer needs, and periodic access reviews catch it by confirming each user's rights still match their current role. Removing the obsolete accounting access enforces least privilege. Tailgating is a physical-entry problem, and single sign-on relates to authentication convenience, so neither fits this scenario.
- What does the accounting (auditing) component of the IAAA model provide that supports accountability?
- It verifies the user's claimed identity before access is granted
- It encrypts the user's session traffic end to end
- It decides which permissions an authenticated user receives
- It records and tracks user actions so they can be traced back to an identity
Correct answer: It records and tracks user actions so they can be traced back to an identity
Accounting records and tracks user actions so they can be traced back to an identity, producing the audit trail that supports accountability and non-repudiation. By tying activity to a specific user, accounting lets investigators reconstruct what happened. Verifying identity is authentication and granting permissions is authorization, both distinct earlier steps.
- A company wants to ensure no single employee can both create a vendor and approve payments to that vendor, so it splits those permissions between two roles. Which access control concept is being applied?
- Defense in depth
- Single sign-on
- Discretionary access control
- Separation of duties
Correct answer: Separation of duties
Separation of duties is being applied, dividing a sensitive process across two roles so that no single person can both create a vendor and approve its payments. This makes fraud harder because it would require collusion between people. Defense in depth layers controls, and single sign-on concerns authentication, so neither describes splitting one task across roles.
- A guard verifies a visitor's badge against a list and lets only people with valid badges into a restricted floor. Which two access-control functions is the badge-and-list process performing at the door?
- Routing and network address translation
- Identification and authorization of physical entry
- Risk acceptance and risk transference
- Encryption and backup
Correct answer: Identification and authorization of physical entry
The badge-and-list process is performing identification and authorization of physical entry: the badge asserts and confirms who the visitor is, and the list determines whether that person is permitted onto the restricted floor. This shows that the same access-control logic of verifying identity and then granting permission applies to physical controls, not just logical ones. Encryption, routing, and risk treatment are unrelated functions.
- What is the OSI model?
- A conceptual framework that describes network communication in seven layers
- An encryption protocol used to secure Wi-Fi
- A physical cable standard for connecting routers
- A type of firewall that filters traffic by content
Correct answer: A conceptual framework that describes network communication in seven layers
The OSI model is a conceptual framework that describes how network communication works by dividing it into seven layers, from Physical up to Application. It is a teaching and troubleshooting reference, not a piece of hardware or a protocol itself, which is why the cable, firewall, and encryption descriptions are incorrect.
- How many layers does the OSI model define?
Correct answer: Seven
The OSI model defines seven layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application. The four-layer count belongs to the TCP/IP model, not the OSI model, which is a common point of confusion at entry level.
- Which layer of the OSI model is responsible for end-to-end delivery and is where TCP and UDP operate?
- Application layer
- Presentation layer
- Session layer
- Transport layer
Correct answer: Transport layer
The Transport layer (Layer 4) is responsible for end-to-end delivery, and both TCP and UDP operate there. The Session layer manages connections between applications and the Presentation layer handles data formatting and encryption, so neither is where TCP and UDP run.
- How does the TCP/IP model differ from the OSI model in terms of structure?
- The TCP/IP model has four layers, condensing several OSI layers together
- The TCP/IP model only describes wireless networks
- The TCP/IP model has more layers than the OSI model
- The TCP/IP model replaces IP addressing with MAC addressing
Correct answer: The TCP/IP model has four layers, condensing several OSI layers together
The TCP/IP model has four layers and condenses the OSI model's seven, with its single Application layer covering what OSI splits into the Session, Presentation, and Application layers. The TCP/IP model is the practical stack used on the internet, while the seven-layer OSI model is the conceptual reference, so the other descriptions are inaccurate.
- Which set correctly lists the four layers of the TCP/IP model?
- Physical, Data Link, Network, Transport
- Link, Internet, Transport, Application
- Session, Presentation, Application, Physical
- Network, Routing, Switching, Application
Correct answer: Link, Internet, Transport, Application
The TCP/IP model's four layers are Link (Network Access), Internet, Transport, and Application. The set beginning with Physical and Data Link lists OSI layers rather than TCP/IP layers, while the remaining choices mix in invalid or OSI-only terms, so they do not describe the TCP/IP stack.
- What is malware?
- An encryption standard for protecting data at rest
- Any hardware device that monitors network traffic
- A legitimate program used to back up files
- Software intentionally designed to cause harm to a system, network, or data
Correct answer: Software intentionally designed to cause harm to a system, network, or data
Malware is software intentionally designed to cause harm to a system, network, or data, and the term is short for malicious software. It is not a hardware device, a backup tool, or an encryption standard, which is why those options are wrong.
- A user installs a free utility, and afterward their browsing habits are secretly recorded and sent to a third party. Which type of malware best describes this behavior?
- Ransomware
- Logic bomb
- Spyware
- Worm
Correct answer: Spyware
Spyware secretly gathers information about a user, such as browsing habits or keystrokes, and transmits it to an attacker. A worm self-replicates across networks, ransomware encrypts data for extortion, and a logic bomb triggers on a condition, so none of those match covert data collection.
- Which type of malware is specifically designed to hide its presence and maintain privileged access to a system?
- Trojan horse
- Adware
- Botnet
- Rootkit
Correct answer: Rootkit
A rootkit is designed to conceal its presence and maintain stealthy, privileged (root-level) access to a compromised system. Adware displays unwanted ads, a Trojan disguises itself as legitimate software to gain entry, and a botnet is a network of compromised machines, so none of those center on hiding and maintaining elevated access.
- Which malware type lies dormant until a specific condition or date triggers its malicious payload?
- Logic bomb
- Spyware
- Trojan horse
- Worm
Correct answer: Logic bomb
A logic bomb remains dormant inside a system until a predefined condition, such as a particular date or event, triggers its malicious payload. A worm spreads immediately, spyware collects data continuously, and a Trojan activates when run, so the trigger-based behavior uniquely identifies a logic bomb.
- An email appears to come from a bank and urges the recipient to click a link and enter their login credentials on a fake site. What is this attack called?
- Port scanning
- Spoofing of MAC addresses
- Phishing
- Denial-of-service
Correct answer: Phishing
Phishing uses fraudulent messages, often email, that impersonate a trusted source to trick recipients into revealing credentials or other sensitive information. Port scanning probes for open services, a denial-of-service floods a target, and MAC spoofing falsifies a hardware address, so none of those describe a deceptive credential-harvesting message.
- What distinguishes spear phishing from ordinary phishing?
- It requires physical access to a building
- It targets specific individuals using personalized details
- It floods a network with traffic
- It only uses phone calls rather than email
Correct answer: It targets specific individuals using personalized details
Spear phishing targets specific individuals or organizations using personalized details to make the lure more convincing, unlike broad, generic phishing campaigns. It is not defined by phone use, traffic flooding, or physical access, so those options misstate the difference.
- What is spoofing in a network security context?
- Backing up data to an offsite location
- Encrypting traffic to hide its contents
- Falsifying identifying information, such as an IP or email address, to impersonate a trusted source
- Dividing a network into isolated segments
Correct answer: Falsifying identifying information, such as an IP or email address, to impersonate a trusted source
Spoofing falsifies identifying information, such as a source IP address, MAC address, or email sender, to impersonate a trusted entity and deceive a target. It is not encryption, segmentation, or backup, which serve entirely different purposes.
- What is a port number used for in networking?
- To identify a specific application or service on a host
- To identify the physical network cable in use
- To assign a permanent hardware address to a device
- To encrypt traffic between two routers
Correct answer: To identify a specific application or service on a host
A port number identifies a specific application or service on a host, allowing a single device to handle many simultaneous connections (for example, web on 443, email on 25). It is not a cable identifier, an encryption mechanism, or a hardware address, which is what a MAC address provides.
- Which well-known port is used by the File Transfer Protocol (FTP) for control connections?
Correct answer: 21
FTP uses TCP port 21 for its control connection. Port 53 is used by DNS, port 389 by LDAP, and port 3389 by RDP, so those do not correspond to FTP.
- Which port number is associated with the Domain Name System (DNS)?
Correct answer: 53
DNS commonly uses port 53 to resolve domain names to IP addresses. Port 22 is SSH, port 25 is SMTP, and port 80 is HTTP, so none of those serve name resolution.
- Which port number is the well-known port for SMTP email delivery between mail servers?
Correct answer: 25
SMTP uses port 25 to transfer email between mail servers. Port 110 is POP3 and port 143 is IMAP (both for retrieving mail), while port 443 is HTTPS, so those are not the standard SMTP delivery port.
- An administrator needs the well-known port for Remote Desktop Protocol (RDP) to a Windows server. Which port is it?
Correct answer: 3389
RDP uses TCP port 3389 for remote graphical access to Windows systems. Port 443 is HTTPS, port 22 is SSH, and port 161 is SNMP, so none of those is the RDP port.
- What is the key difference between IPv4 and IPv6 addresses?
- IPv4 is encrypted by default and IPv6 is not
- IPv4 is wireless and IPv6 is wired
- IPv4 uses domain names and IPv6 uses numeric addresses
- IPv4 uses 32-bit addresses while IPv6 uses 128-bit addresses
Correct answer: IPv4 uses 32-bit addresses while IPv6 uses 128-bit addresses
IPv4 uses 32-bit addresses, providing about 4.3 billion possible addresses, while IPv6 uses 128-bit addresses, providing a vastly larger pool to meet modern demand. The distinction is address length, not wireless versus wired, encryption, or the use of domain names.
- Why was IPv6 developed as a successor to IPv4?
- To eliminate the need for routers
- To replace TCP with a faster protocol
- To address the exhaustion of available IPv4 address space
- To make addresses shorter and easier to memorize
Correct answer: To address the exhaustion of available IPv4 address space
IPv6 was developed primarily to solve the exhaustion of the limited IPv4 address space by providing a dramatically larger 128-bit address pool. It does not shorten addresses, remove routers, or replace TCP, so those options misstate its purpose.
- What is a firewall?
- A physical lock that secures a server room
- A program that encrypts files stored on a hard drive
- A device or software that monitors and controls network traffic based on security rules
- A tool that automatically assigns IP addresses to devices
Correct answer: A device or software that monitors and controls network traffic based on security rules
A firewall is a device or software that monitors and controls inbound and outbound network traffic according to defined security rules, acting as a barrier between trusted and untrusted networks. It is not a file-encryption tool, an address-assignment service like DHCP, or a physical lock.
- How does a next-generation firewall (NGFW) extend a traditional firewall?
- It functions exclusively as a wireless access point
- It only blocks ports and ignores connection state
- It adds deep packet inspection and application-aware filtering
- It removes the ability to filter by IP address
Correct answer: It adds deep packet inspection and application-aware filtering
A next-generation firewall extends a traditional firewall by adding deep packet inspection and application-aware filtering, allowing it to make decisions based on the actual application and content, not just ports and addresses. It still filters by IP and tracks state, and it is not a wireless access point, so the other options are wrong.
- What is symmetric encryption?
- Encryption that uses one shared secret key for both encrypting and decrypting
- A method that does not require any key at all
- Encryption that uses a public key to encrypt and a private key to decrypt
- A way to permanently delete data from a disk
Correct answer: Encryption that uses one shared secret key for both encrypting and decrypting
Symmetric encryption uses a single shared secret key for both encrypting and decrypting data, which makes it fast but requires the key to be exchanged securely. The public-and-private-key description refers to asymmetric encryption, and encryption always requires a key, so those options are incorrect.
- What is asymmetric encryption?
- Encryption using the same key on both ends
- Encryption that works only on wireless networks
- A method of compressing data to save space
- Encryption using a public and private key pair, where one key encrypts and the other decrypts
Correct answer: Encryption using a public and private key pair, where one key encrypts and the other decrypts
Asymmetric encryption uses a mathematically related key pair, a public key and a private key, where data encrypted with one key can only be decrypted with the other. Using the same key on both ends describes symmetric encryption, and asymmetric encryption is not limited to wireless networks or a form of compression.
- A company needs to securely exchange a secret key over the internet before using fast bulk encryption. Which combination reflects how this is typically handled?
- Hashing the key so it never needs to be sent
- Symmetric encryption for both the key exchange and the data
- No encryption is needed for key exchange
- Asymmetric encryption to exchange the key, then symmetric encryption for the data
Correct answer: Asymmetric encryption to exchange the key, then symmetric encryption for the data
Most real-world systems use asymmetric encryption to securely exchange a session key and then switch to faster symmetric encryption for the bulk data. Symmetric encryption alone cannot safely solve the initial key-exchange problem, and hashing is one-way so it cannot transmit a usable key, making the other options incorrect.
- What is the difference between a DoS and a DDoS attack?
- A DoS attack is physical, while a DDoS attack is wireless
- A DoS attack originates from one source, while a DDoS attack uses many distributed sources
- A DoS attack steals data, while a DDoS attack encrypts it
- There is no difference; the terms are interchangeable
Correct answer: A DoS attack originates from one source, while a DDoS attack uses many distributed sources
A denial-of-service (DoS) attack comes from a single source, while a distributed denial-of-service (DDoS) attack uses many distributed systems, often a botnet, to overwhelm the target at greater scale. Both aim to disrupt availability rather than steal or encrypt data, and neither is defined by being physical or wireless.
- Which of the following best describes a man-in-the-middle (on-path) attack at a high level?
- An attacker positions themselves between two communicating parties to intercept or alter traffic
- An attacker floods a server until it crashes
- An attacker physically removes a hard drive
- An attacker guesses a password through repeated attempts
Correct answer: An attacker positions themselves between two communicating parties to intercept or alter traffic
A man-in-the-middle, or on-path, attack places the attacker between two communicating parties so they can secretly intercept or alter the traffic passing between them. Flooding a server is a denial-of-service attack, removing a drive is physical theft, and repeated password guessing is a brute-force attack, so those describe different threats.
- An organization places its public web and email servers in a separate network segment between two firewalls, isolated from the internal LAN. What is this segment called?
- A DMZ
- A VLAN trunk
- A loopback interface
- A honeypot
Correct answer: A DMZ
A DMZ (demilitarized zone) is a buffer segment that hosts public-facing servers while keeping them isolated from the trusted internal network. A VLAN trunk carries multiple VLANs, a honeypot is a decoy to attract attackers, and a loopback interface is a virtual self-reference address, so none of those describe a public-facing buffer zone.
- Why does network segmentation improve security?
- It removes the need for any firewalls
- It increases the bandwidth of every connection
- It limits an attacker's lateral movement by isolating systems into separate zones
- It guarantees that no malware can ever enter the network
Correct answer: It limits an attacker's lateral movement by isolating systems into separate zones
Network segmentation improves security by dividing a network into isolated zones, which limits an attacker's lateral movement and contains a breach to a smaller area. It does not inherently boost bandwidth, eliminate the need for firewalls, or guarantee that malware can never enter, so those options overstate or misstate its benefits.
- A hospital must keep patient billing records for a defined number of years to satisfy a legal requirement, then dispose of them. Which security operations concept governs how long the records must be kept before disposal?
- Data retention
- Data classification
- Data masking
- Data in transit
Correct answer: Data retention
Data retention defines how long information must be kept before it is disposed of, usually to meet legal, regulatory, or business requirements. Data classification only labels the sensitivity level of data, and data masking obscures values within records; neither dictates the length of time records are stored.
- An organization is retiring magnetic hard drives that held confidential files and wants to physically render the platters unusable so no data can ever be recovered. Which data destruction method best fits this goal?
- Renaming the partition
- Shredding or pulverizing the media
- Deleting the files and emptying the recycle bin
- Reformatting the drive
Correct answer: Shredding or pulverizing the media
Shredding or pulverizing the media is a physical destruction method that makes the storage unusable so data cannot be recovered. Reformatting, deleting files, or renaming a partition only remove pointers to the data, leaving the underlying information recoverable with forensic tools.
- Which data destruction technique uses a strong magnetic field to erase data from magnetic media such as traditional hard drives and tapes?
- Degaussing
- Cryptographic erase
- Overwriting
- Encryption
Correct answer: Degaussing
Degaussing applies a powerful magnetic field that neutralizes the magnetic domains on the media, erasing the stored data. Overwriting replaces data with new patterns and cryptographic erase destroys the key, but degaussing is the magnetic-field method, and it is ineffective on flash-based solid-state drives because they store no magnetic charge.
- A security team writes a rule stating that internal documents may only be emailed to addresses ending in the company domain and must never be posted to public file-sharing sites. This rule is an example of which security operations practice?
- Data handling
- Patch management
- Network segmentation
- Incident response
Correct answer: Data handling
Data handling covers the rules for how data is used, shared, stored, and disposed of throughout its life, including restrictions on where information may be sent. Patch management deals with software updates and incident response addresses breaches, neither of which governs day-to-day rules for sharing information.
- An administrator disables unused services, closes unnecessary open ports, and removes default sample accounts on a new web server before deployment. What is this process called?
- Risk transference
- Tailgating
- Data classification
- System hardening
Correct answer: System hardening
System hardening reduces a system's attack surface by removing or disabling unneeded services, ports, accounts, and features. Data classification labels information sensitivity and risk transference shifts financial impact to a third party; neither describes locking down a system's configuration.
- A new analyst asks where in the organization security events from many systems are collected, monitored, and analyzed around the clock by a dedicated team. What is this centralized facility called?
- Security Operations Center (SOC)
- Disaster recovery site
- Demilitarized zone (DMZ)
- Change advisory board
Correct answer: Security Operations Center (SOC)
A Security Operations Center (SOC) is the centralized team and facility that continuously monitors, detects, analyzes, and responds to security events across the organization. A DMZ is a network segment for public-facing servers, a disaster recovery site restores operations after an outage, and a change advisory board reviews proposed changes.
- An organization labels its files as Public, Internal, Confidential, and Restricted so that the most sensitive data receives the strongest protection. What is the primary benefit of assigning these labels?
- It eliminates the need for backups
- It increases available storage space
- It applies protection proportional to the sensitivity of each data type
- It speeds up the network connection
Correct answer: It applies protection proportional to the sensitivity of each data type
Data classification lets an organization apply security controls in proportion to the sensitivity of the information, so the most critical data is protected most strongly while less sensitive data is not over-protected. It does not add storage, improve network speed, or remove the need for backups.
- A company encrypts customer records stored on its database servers and also encrypts the same records as they travel across the internet to a partner. Which statement correctly distinguishes these two protections?
- Both terms describe the same control with no difference
- Encryption at rest only applies to backups, while encryption in transit only applies to email
- Encryption in transit protects stored files, while encryption at rest protects network traffic
- Encryption at rest protects stored data, while encryption in transit protects data moving across a network
Correct answer: Encryption at rest protects stored data, while encryption in transit protects data moving across a network
Encryption at rest protects data while it is stored on disks or other media, and encryption in transit protects data while it moves across a network. The two address different states of data, so both are needed for full coverage; they are not interchangeable, and neither is limited to only backups or only email.
- What is the primary goal of patch management as a security operations process?
- To identify, test, and apply software updates that fix vulnerabilities
- To assign user roles and permissions
- To recover systems after a disaster
- To classify data by sensitivity
Correct answer: To identify, test, and apply software updates that fix vulnerabilities
Patch management is the process of identifying, acquiring, testing, and applying updates that fix known vulnerabilities and bugs in software and firmware. It reduces the window of exposure to known flaws; it does not classify data, perform disaster recovery, or assign permissions.
- A small business applies vendor patches to a few non-critical machines first and confirms nothing breaks before rolling the patches out to all production servers. Why is this staged testing recommended?
- To avoid having to classify the data
- To eliminate the need for backups
- To make the patches download faster
- To verify the updates do not cause problems before deploying them widely
Correct answer: To verify the updates do not cause problems before deploying them widely
Testing patches on a limited set of systems first confirms the updates do not break functionality or stability before they are deployed across the environment. This staged approach reduces the risk of widespread outages; it does not affect download speed, data classification, or backups.
- An IT department keeps an authoritative record of every server's approved hardware, installed software versions, and settings, and updates that record whenever an approved change is made. Which practice does this describe?
- Security awareness training
- Risk acceptance
- Configuration management
- Data destruction
Correct answer: Configuration management
Configuration management establishes and maintains a known, documented baseline of systems, including hardware, software, and settings, and tracks approved changes against it. Security awareness training educates users and risk acceptance is a risk decision; neither maintains the documented state of systems.
- Why is logging and monitoring considered essential to security operations?
- It encrypts all stored data automatically
- It records activity and watches for anomalies so suspicious events can be detected and investigated
- It guarantees no incident will ever occur
- It removes the need for access controls
Correct answer: It records activity and watches for anomalies so suspicious events can be detected and investigated
Logging and monitoring capture records of system and user activity and continuously watch them so abnormal or malicious behavior can be detected, alerted on, and investigated. Logging does not encrypt data, replace access controls, or guarantee that incidents will never happen.
- An employee receives an email that appears to come from the IT helpdesk asking them to click a link and confirm their password. After completing security awareness training, what is the best action?
- Click the link quickly before it expires
- Report the suspicious email and do not click the link
- Reply with the password to be helpful
- Forward the email to all coworkers
Correct answer: Report the suspicious email and do not click the link
Reporting the suspicious email without clicking the link reflects the goal of security awareness training, which teaches users to recognize phishing and respond safely. Clicking the link, replying with credentials, or forwarding the message to others would spread the threat or expose the password.
- A new employee must read and sign a document describing what they may and may not do with company computers, internet access, and email before being granted system access. What is this document?
- Acceptable Use Policy (AUP)
- Business impact analysis
- Access control list
- Recovery point objective
Correct answer: Acceptable Use Policy (AUP)
An Acceptable Use Policy (AUP) defines the appropriate and prohibited uses of an organization's systems, networks, and data by its users. A business impact analysis assesses disruption effects, a recovery point objective sets tolerable data loss, and an access control list defines permissions; none of these governs acceptable user behavior.
- A developer wants to verify that a downloaded file was not altered in transit by comparing a value computed from the file against a value published by the vendor. Which technique produces that fixed-length value used to confirm integrity?
- Hashing
- Network address translation
- Symmetric encryption
- Data masking
Correct answer: Hashing
Hashing produces a fixed-length value, or digest, from input data so that any change to the data results in a different value, allowing integrity to be verified by comparison. Encryption protects confidentiality and is reversible with a key, while network address translation and data masking serve unrelated purposes.
- Before any modification is made to a production system, a company requires the change to be documented, reviewed, approved, and scheduled. What is this formal process called?
- Incident response
- Risk avoidance
- Single sign-on
- Change management
Correct answer: Change management
Change management is the formal process of requesting, reviewing, approving, scheduling, and documenting changes to systems so that modifications are controlled and their impact is understood. Incident response handles security events, single sign-on is an authentication convenience, and risk avoidance is a risk decision.
- A company applies a hardened, standardized configuration to every new laptop so each device starts from the same secure state. What is this approved standard configuration commonly called?
- A honeypot
- A brute-force attack
- A security baseline
- A residual risk
Correct answer: A security baseline
A security baseline is a defined, approved minimum configuration applied consistently to systems so each starts from the same known secure state. Residual risk is risk remaining after controls, a honeypot is a decoy system, and a brute-force attack is an attack method; none of these is a standardized secure configuration.
- An organization wants to ensure that records flagged for legal hold are not deleted even after their normal retention period ends. Which security operations practice must account for this exception?
- Multi-factor authentication
- Encryption in transit
- Data retention
- Network segmentation
Correct answer: Data retention
Data retention practices govern how long records are kept and when they are destroyed, and they must accommodate legal holds that suspend normal disposal so relevant records are preserved. Encryption in transit, network segmentation, and multi-factor authentication protect data and access but do not control retention schedules or legal holds.